Today I am going to make a public disclosure of a critical vulnerability I found during my research in the PayPal Core Application. This vulnerability allowed me to completely bypass the CSRF Prevention System, which, through a series of flaws, led to account hijacking and the ability to issue privileged actions on a target user's account.
I – IDENTIFICATION PHASE
II – CSRF AUTH SYSTEM BYPASS
III – PROOF OF CONCEPT
IV – IMPACTS & RISK FACTORS
I – Discovery Phase:
After analyzing the web application, I took a look at the Customer Profile (My Selling Tools) Settings module (classic view). After intercepting some requests, I identified a reflected XSS issue via the customerprofile settings. The finding resides in the request made after clicking on the expand/collapse option on the page:
[+] Getting paid and managing my risk
[+] Shipping my items
While testing, I intercepted this request, which is sent with the following parameters:
- “group” parameter: represents the selected option (shippingItems, paymentAndRisk, sellingItems)
- “state” parameter: represents the state (0 ==> Collapsed, 1 ==> Expanded)
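For contrast, here is how a server should treat these two parameters so that nothing reflected in the response can become a reflected XSS. This is an added example and is not PayPal's code; the handler name, the response fragment and the input strings are assumptions, while the allowed values for “group” and “state” are the ones listed above.

```python
import html
from urllib.parse import parse_qs

# Allow-list built from the three "group" values and two "state" values
# named in the post. Anything else is rejected before it reaches HTML.
ALLOWED_GROUPS = {"shippingItems", "paymentAndRisk", "sellingItems"}
ALLOWED_STATES = {"0", "1"}  # 0 = collapsed, 1 = expanded


def validate_toggle_params(query_string: str) -> dict:
    """Strictly validate the expand/collapse request parameters.

    Returns {"group": ..., "state": ...} on success and raises ValueError
    otherwise, so attacker-controlled text never reaches the response.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    group = params.get("group", [""])[0]
    state = params.get("state", [""])[0]
    if group not in ALLOWED_GROUPS:
        raise ValueError(f"unknown group: {group!r}")
    if state not in ALLOWED_STATES:
        raise ValueError(f"invalid state: {state!r}")
    return {"group": group, "state": int(state)}


def render_toggle_response(query_string: str) -> str:
    """Build a hypothetical HTML fragment echoed back to the client.

    Invalid input yields a generic error; valid input is still HTML-escaped
    before reflection as defence in depth.
    """
    try:
        p = validate_toggle_params(query_string)
    except ValueError:
        return "<p>Invalid request</p>"
    label = "expanded" if p["state"] == 1 else "collapsed"
    return f'<div data-group="{html.escape(p["group"])}">{label}</div>'


if __name__ == "__main__":
    # Constructed inputs: a legitimate toggle, and one carrying markup
    # characters in "group", which the allow-list rejects outright.
    print(render_toggle_response("group=shippingItems&state=1"))
    print(render_toggle_response('group=sellingItems"><i>x&state=1'))
```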