exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

3DSecure 2.0 3DS Authorization Challenge Cross Site Scripting

3DSecure 2.0 3DS Authorization Challenge Cross Site Scripting
Posted Sep 12, 2024
Authored by Rubén López Herrera

Multiple reflected cross site scripting vulnerabilities exist in the 3DS Authorization Challenge of 3DSecure version 2.0. These flaws allow attackers to inject arbitrary web scripts, CSS, or HTML through the manipulation of the params parameter in the request URL.

tags | exploit, web, arbitrary, vulnerability, xss
advisories | CVE-2024-25283
SHA-256 | 5c49c8e7ecdf6ea8c0ca9ef4838d0136aa0e0903e7e668c089948442cca4d4d4

3DSecure 2.0 3DS Authorization Challenge Cross Site Scripting

Change Mirror Download
Product: 3DSecure 2.0
Manufacturer: Redsys
Affected Version(s): 3DSecure 2.0 3DS Authorization Challenge
Tested Version(s): 3DSecure 2.0 3DS Authorization Challenge
Vulnerability Type: Cross-Site Scripting (XSS)
Risk Level: Medium
Solution Status: Not yet fixed
Manufacturer Notification: 2024-01-17
Solution Date: N/A
Public Disclosure: 2024-09-17
CVE Reference: CVE-2024-25283

Overview:
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities exist in the 3DS Authorization Challenge of 3DSecure 2.0. These flaws allow attackers to inject arbitrary web scripts, CSS, or HTML through the manipulation of the params parameter in the request URL.

Vulnerability Details:
The params parameter in the 3DS Authorization Challenge is vulnerable to code injection. This flaw occurs because the value entered into the parameter is not sanitized, allowing attackers to create new HTML elements in the DOM and execute malicious code in the victim's browser.

Proof of Concept (PoC):
An attacker can alter the base64-encoded params parameter in the request URL to inject arbitrary code. Example:

https://[REDACTED]/[REDACTED]/rest/online/[REDACTED]/redirect?action=challenge&txn=[REDACTED]&params=[REDACTED]"

References:
OWASP Web Security Testing Guide: Reflected Cross-Site Scripting

Discoverer:
Reported by Rubén López Herrera

________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close