Welcome to Defencely. I'm Rony, part of the red teaming operations at Defencely Cloud Security Pvt. Ltd., where we conduct security operations for prestigious organizations in India and abroad. We would like to raise security concerns related to a trending application named 'Sarahah', and I hope our readers will enjoy this detailed security inspection of the application and learn from the developers' mistakes.
We have kept the content very specific and simple to understand, because continuous security awareness is necessary to help developers fix their security loopholes in time. Defencely has already reported the code injection concern to the developers with a proper timeline, as per its full disclosure policy.
We are still awaiting a fix, and the disclosure deadline has since expired. In order to help users, we are proceeding with a full disclosure.
- Application Overview.
- The Workflow.
- Exploiting the Trend.
Application Overview –
What is Sarahah?
Sarahah is an application that lets you get feedback anonymously from your friends and coworkers. At least that's what Sarahah says, and it plans to extend the features.
How does it work?
First of all, Sarahah lets you register on their website. Once done, Sarahah offers you a personal dashboard with a link carrying your name, which you can share on social networks to receive anonymous feedback.
As a penetration tester, before attempting any exploitation against the target one needs to enumerate it very well in order to deliver a quality assessment. So here comes a technical understanding of the application.
The WorkFlow –
Everything starts after we sign up for Sarahah.com. Let's understand the workflow from the point of view of a penetration tester.
As a penetration tester, one needs to know that user inputs can take you from zero to a successful security audit very quickly.
That's where we started fuzzing the user inputs, which in this case come from your friends and co-workers sending you anonymous feedback; this feature would not be possible if the application did not accept input from the audience.
- You create an account.
- Your friends send you feedback through a publicly available form.
- The feedback is displayed in your dashboard.
- Which means the feedback is saved to the database and later echoed back to your dashboard.
What if Sarahah is not sanitizing the user inputs? Can we initiate code injection?
Exploiting the Trend –
Nope, we didn't get any pop-up, right? The code we tried injecting into the application just echoed back to the dashboard rather than getting injected, right?
So what we did was enumerate around the application, and we noted an AJAX request going to the server that fetches the next set of contents in JSON format and parses them back into the dashboard, which means we have got our second attack surface.
One can look at our payload in the JSON Request:
But there's a twist. The event gets called every time you scroll down: an AJAX request is made through the URL, and then the contents of the JSON result are parsed and echoed back to the dashboard.
The Sarahah developers messed up when parsing the contents of the JSON result: at that point they are no longer filtering the special characters.
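To make the defect concrete, here is an added example in JavaScript; it is not Sarahah's code (which we never saw) but a model of the two render paths described above. The first renderer drops feedback text taken from a JSON response straight into markup, which is the pattern that lets a stored message execute; the second escapes every untrusted field before it becomes HTML. The JSON response, the message texts and the function names are constructed for this example.

```javascript
// Constructed JSON response, shaped like a "next page of feedback" payload.
// The second message is a hostile input of the kind the post describes.
const sampleJsonResponse = JSON.stringify({
  messages: [
    { id: 1, text: "Great presentation today!" },
    { id: 2, text: '<script>alert("XSS")</script>' },
  ],
});

// Minimal HTML escaper: neutralises the five characters that can start
// or close markup or break out of an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (for comparison only): the JSON text is concatenated
// into markup as-is, so a <script> in a feedback message becomes live HTML.
function renderUnsafe(json) {
  const { messages } = JSON.parse(json);
  return messages.map((m) => `<li data-id="${m.id}">${m.text}</li>`).join("");
}

// Hardened pattern: escape every field that originated from a user before
// it is placed into markup. Escaping at output time is what the server-side
// render already did; the AJAX path has to do the same.
function renderSafe(json) {
  const { messages } = JSON.parse(json);
  return messages
    .map((m) => `<li data-id="${escapeHtml(m.id)}">${escapeHtml(m.text)}</li>`)
    .join("");
}

// Small check a reviewer can run over rendered output: does any <script>
// tag survive as an actual tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe render executes script:", containsScriptTag(renderUnsafe(sampleJsonResponse)));
console.log("safe render executes script:  ", containsScriptTag(renderSafe(sampleJsonResponse)));
console.log(renderSafe(sampleJsonResponse));
```

In a real browser the cleaner fix is to build the list with `document.createElement` and assign the message to `textContent` rather than building an HTML string at all; string escaping is shown here because it runs outside a browser and makes the difference between the two paths visible as plain text.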
So how are we going to trigger the XSS?
- The first thing to keep in mind is that you need to make the user scroll down so that the AJAX request is made.
- Send the payload to the user.
- Then flood the user's dashboard with some random messages (approximately 20-30). This is how you make the user scroll down to see the messages, where your payload is included too.
- Once the user scrolls down, the AJAX request is made, all the contents of the next page get parsed (including your XSS payload) and Sarahah echoes them back to the dashboard.
Your XSS gets triggered immediately –
This pop-up, "Hello, You got hacked", will keep popping up in the user's dashboard unless and until the user deletes that particular feedback.
Here an attacker can easily irritate users just by changing their payload to something like –
alert("You are getting hacked!")
This is a continuous loop, because 1 is always true; hence the pop-up is continuous. We recommend that the Sarahah developers fix this behaviour, and we have already sent them the cure for the itch.