Document Title: =============== HomeAdvisor Bug Bounty #1 - Filter Bypass & Client Side Exception Handling Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1452 Release Date: ============= 2015-04-21 Vulnerability Laboratory ID (VL-ID): ==================================== 1452 Common Vulnerability Scoring System: ==================================== 3.6 Product & Service Introduction: =============================== HomeAdvisor is a website that lists pre-screened and customer-rated service professionals. The website also has tools, products, and resources for home improvement, maintenance, and repair. HomeAdvisor is a subsidiary of IAC. Professionals in the HomeAdvisor network are pre-screened for criminal records, bankruptcy issues, bad reviews, sex offenses, and cases of malpractice. Homeowners choose a category that matches their home improvement needs, enter their full address or adjacent cross-streets and contact information and answer three pages of questions about their project. (Copy of the Homepage: http://en.wikipedia.org/wiki/HomeAdvisor ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass and issue and client-side cross site scripting web vulnerability in the official homeadvisor web-application. Vulnerability Disclosure Timeline: ================================== 2015-03-10: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2015-03-11: Vendor Notification (HomeAdvisor Inc - Security Research Team) 2015-03-26: Vendor Response/Feedback (HomeAdvisor Inc - Security Research Team) 2015-04-20: Vendor Fix/Patch (HomeAdvisor Inc - Developer Team) 2015-04-21: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== HomeAdvisor Inc Product: HomeAdvisor - Web Application (Online Service) 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A non-persistent cross site scripting web vulnerability (client-side) and filter bypass issue has been discovered in the official HomeAdvisor web-application. The security vulnerability allows remote attackers to execute client-side script code that compromises the homeadvisor web-application. The client-side cross site scripting web vulnerability is located in the exception-handling comments context. Remote attackers are able to inject client-side script code that executes in the web-application exception-handling. The request method to execute is GET and the attack vector is client-side. Remote attackers are able to prepare special crafted urls with own script codes to compromise homeadvisor user session data in connection with client-side attacks. The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6. Exploitation of the non-persistent web vulnerability requires a low privileged web-application user account and low or medium user interaction. Successful exploitation of the vulnerabilities result in persistent phishing, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context. Request Method(s): [+] GET Vulnerable Module(s): [+] rated.VipElectric.11975047.html#profile Affected Parameter(s): [+] sm/security/login/isLoggedInOrRecognized Proof of Concept (PoC): ======================= The client-side cross site scripting vulnerability and filter bypass issue can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Login to the service 2. Surf to for example (http://www.homeadvisor.com/rated.VipElectric.11975047.html#profile) 3. Inject splitted char payload to the input of the comments 4. Send the comment 5. An exception occurs with an error (An error has occurred, please try again later (400124) 6. Under the exception is the injected code 7. Now click to embed the stuff or use the share function 8. Successful reproduce of the vulnerability! PoC: Payload(s) %20%20%20">