December 12, 2014

Curious case of Yammer XSS

Microsoft recently (finally!!) launched a bug bounty program covering some of its online services, and Yammer is in scope. Seeing this, I jumped in to look for bugs in Yammer because it looked like the easiest of the targets. This post is about a strange stored XSS I found in Yammer apps that would have allowed a non-admin user to steal cookies from admin users and do other nasty things.

To begin with, Yammer is a private social network that helps employees collaborate across departments, locations and business apps. 

Once logged in to Yammer, any user can create and publish apps to the organization's Apps directory. This process requires no authorization or approval; an app shows up in the directory some time after it is created.

Apps can be created from https://www.yammer.com/client_applications.
When registering an app, Yammer asks for a Redirect URI, described as "the URL to redirect the user's browser to after the user has linked the application to their Yammer account".

I put javascript:alert(document.cookie)// as the redirect URI.

In the normal flow, the server answers with a 302 whose Location header is the Redirect URI, and the browser follows it. Because of security measures in browsers, it is generally not possible to abuse such a redirect for XSS by pointing it at a javascript: or data: URI: browsers refuse to navigate to a javascript: URI even when it is the value of the Location header.

In Yammer's case, something strange was happening. When a user tried to use the app in Internet Explorer, the response was a proper 302 redirect, so the browser blocked my javascript: URI. In Chrome and Firefox, however, the response was a 200 OK with my redirect URI in the response body, and the browser then navigated to that URI from within the page. BINGO!! The JavaScript executed successfully.
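The two points above, that the redirect target has to be rejected by its parsed scheme at registration time, and that a server-side 302 is safe where a client-side navigation to the same stored value is not, as an added Node.js example. This is not code from the post or from Yammer; the function names, the https-only scheme allowlist, the hosts app.example and evil.example and the sample inputs are all constructed for the example.

```javascript
// Added example, not Yammer's or Microsoft's code. Shows why a redirect_uri
// must be checked by parsed scheme before it is stored or emitted, and why a
// 302 Location header is safe where a client-side navigation is not.
// Function names, the allowed-scheme set and the sample URIs are assumptions.

// Assumption: registered callbacks must be https. http might be tolerated for
// localhost during development, but javascript:, data:, vbscript: etc. never.
const ALLOWED_SCHEMES = new Set(["https:"]);

// Returns the canonical form of an acceptable redirect URI, or null to reject.
function validateRedirectUri(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw); // absolute parse: "//evil.example/cb" has no base and throws
  } catch (e) {
    return null;
  }
  // Check the parsed protocol, not the raw text. The WHATWG parser, like a
  // browser, trims surrounding whitespace, drops embedded tab/newline and
  // lower-cases the scheme, so " JavaScript:" and "java\tscript:" both come
  // out as "javascript:" here and would slip past a naive startsWith check.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null; // no credentials in callbacks
  if (url.hash) return null; // fragments never reach the server; keep exact matching simple
  return url.href;
}

// VULNERABLE pattern: a 200 page whose script navigates to the stored value.
// JSON.stringify stops the string breaking out of the quotes, but that does
// not matter: assigning a javascript: URL to location.href runs the script.
function renderClientSideRedirect(storedUri) {
  const body = `<!doctype html><script>location.href = ${JSON.stringify(storedUri)};</script>`;
  return { status: 200, headers: { "Content-Type": "text/html" }, body };
}

// HARDENED form: validate, then redirect with a Location header. Browsers
// refuse to follow a javascript: Location, and after validation one is never
// sent in the first place.
function buildRedirectResponse(storedUri, code) {
  const target = validateRedirectUri(storedUri);
  if (target === null) {
    return { status: 400, headers: {}, body: "invalid redirect_uri" };
  }
  const url = new URL(target);
  url.searchParams.set("code", code);
  return { status: 302, headers: { Location: url.href }, body: "" };
}

// Constructed sample inputs: the payload from the post plus variants that a
// raw-string prefix check would let through.
const SAMPLES = [
  "javascript:alert(document.cookie)//",
  " JavaScript:alert(document.cookie)",
  "java\tscript:alert(document.cookie)",
  "data:text/html,<script>alert(document.cookie)</script>",
  "//evil.example/cb",
  "http://app.example/cb",
  "https://app.example/cb",
];

// Returns [input, validated-or-null] pairs for every sample.
function classifySamples() {
  return SAMPLES.map((s) => [s, validateRedirectUri(s)]);
}

for (const [raw, result] of classifySamples()) {
  console.log(result === null ? "REJECT" : "ACCEPT", JSON.stringify(raw), result || "");
}
console.log(renderClientSideRedirect(SAMPLES[0]).body); // javascript: URI lands in the page
console.log(buildRedirectResponse(SAMPLES[0], "abc").status); // 400
console.log(buildRedirectResponse(SAMPLES[6], "abc").headers); // Location: https://app.example/cb?code=abc
```

Only the last sample survives validation; the others are rejected on the parsed scheme or on the failed absolute parse, regardless of case, embedded tabs or leading whitespace. The vulnerable renderer still hands the javascript: value to the browser even though it is correctly quoted, which is the same outcome the post describes for Chrome and Firefox.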

Watch the video below for complete demonstration of attack.



(I originally recorded the video as an swf file and couldn't find a decent swf-to-video converter, so I recorded a video of the video :-D)

Microsoft fixed this issue pretty quickly and also added my name to the Bounty Honor Roll. That's all for now. Over n out.
