Are you aware of any (private) bug bounty programs? I would love to get an invite. Please get in touch with me: Jonathan@Protozoan.nl

Background

As we learned from previous reports, XSS attacks can have a high impact; you are able to steal cookies, attack the browser of a visitor or use it to phish for login credentials.

Today we will learn more about a reflected XSS attack in Adobe Experience Manager (AEM) that bypasses the Web Application Firewall (WAF), it results in a fully working phishing login.

Philips

As always, we need to find a proper target for our attack. What about Philips? This year they won an award for being “The most reputable company in the Netherlands”. Customers trust their brand and this makes them a high profile target for phishers.

Winning the award for the eleventh year in a row

Furthermore they’ve got a proper Responsible Disclosure, so we’re safe to help them. It’s time to claim our Hall of Honors mention!

Reconnaissance, finding attack vectors

Where do we start if we want to find a XSS bug? No strict rules. I always start with Aquatone in order to discover interesting subdomains, see this report for details. After that I start Burp Suite, see this report, and I start looking around for bugs!

Add philips to the target scope, use .* as a joker to capture every philips hostname

Example of a site map, you may send a request to the repeater to test it for XSS

While clicking around the website, Burp Suite captures all the requests and responses. Burp Suite has a nice feature that creates a site map out of this data. This gives us a quick insight in how the website is structured, it also allows us to easily repeat specific requests and check if a page is vulnerable to XSS attacks.

The principle of XSS is that we manipulate input variables (i.e. the website url or form fields) so we are able to inject our own HTML code into our targets website. Due to that we are able to inject some javascript code that changes the layout; for example into a phishing login.

The URL is an important attack vector. If parts of the URL got reflected in the page response, without being escaped, we have a potential reflected XSS bug.

Another important thing is to check if we are able to add HTML data to the website that persists in some database; a stored XSS.

OWASP XSS Prevention cheat sheet, Rule #1: escape everything.

Long story short, after a few hours of trying I did not find any reflective or stored attack vectors. I probed all the different parameters in the URLs captured by the Burp Suite; all of them were properly escaped. Good job Philips :-).