*ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Security Vulnerabilities* *Domain:* http://espn.go.com/ *"*As of August 2013, ESPN is available to approximately 97,736,000 pay television households (85.58% of households with at least one television set) in the United States.[2] In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries,[3] operating regional channels in Australia , Brasil , Latin America and the United Kingdom , and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada ." (Wikipedia) *Vulnerability description:* Espn.go.com has a security problem. It is vulnerable to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks. Those vulnerabilities are very dangerous. Since they happen at ESPN's "login" & "register" pages that are credible. Attackers can abuse those links to mislead ESPN's users. The success rate of attacks may be high. During the tests, besides the links given above, large number of ESPN's links are vulnerable to those attacks. The vulnerability occurs at "espn.go.com"'s "login?" & "register" pages with "redirect" parameter, i.e. http://streak.espn.go.com/en/login?redirect= https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect= https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/ Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0. 7601) in Windows 8. *(1) XSS Vulnerability* *Vulnerable URLs:* http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459 http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn®FormId=reddit https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login *POC:* http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"> https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn®FormId=espn"> http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"> https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"> *Poc Video:* https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be *Blog Detail:* http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html *(2) Dest Redirect Privilege Escalation Vulnerability* Use one of webpages for the following tests. The webpage address is " http://www.diebiyi.com/". Suppose that this webpage is malicious. *(2.1) Login Page ** Dest Redirect Privilege Escalation Vulnerability* *Vulnerable URL 1:* https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial *POC:* https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com *Vulnerable URL 2:* http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828 *POC:* http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com *(2.2) Vulnerabilities Attacked without User Login* *Vulnerable URL 1:* http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112 *POC:* http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com ? This vulnerability was used to demonstrate "Covert Redirect" of Facebook, Poc Video: https://www.youtube.com/watch?v=HUE8VbbwUms Blog Detail: http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/ *Vulnerable URL 2:* http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017 *POC:* http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com *Vulnerable URL 3:* http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289 POC: http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com *Poc Video:* https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be *Blog Detail:* http://securityrelated.blogspot.com/2014/12/espn-espn.html *(3) *Those security problems were reported to ESPN in early May. However, they are still unpatched. Reported by: Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. http://www.tetraph.com/wangjing/ *Blog Details:* http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss_9.html