Websites, web services and web apps continuously evolve to add new features for customers and users. That's why a good hunter comes back and restarts searching. That's what happened when I noticed a new feature on Vimeo (maybe it's an old one for you, but I'm not a Vimeo addict, so it was the first time I saw it).
The feature
It's possible to upload videos from Google Drive, Dropbox, OneDrive and Box. I knew how Google Drive and Dropbox work, so I decided to focus on OneDrive first and then Box. Vimeo's devs self-hosted a so-called OneDrive.min.js library that was subject to an XSS attack. I wrote a PoC, submitted the bug to Vimeo and then quit.
Something I missed
Have you ever had that feeling? That's why I reopened my laptop once back home and googled these words: onedrive, microsoft, js. As the first result I got this page:
It was late, as I said, and I was a bit tired, so I didn't notice that Microsoft hosts different versions of the OneDrive library. I picked up v7, and after a few changes to the Vimeo PoC the famous alert(document.domain) was executed on dev.onedrive.com.
How does it work?
And now, the interesting stuff:
Once initialized, the code gets params from the GET query by calling the readCurrentUrlParameters method and parses the content of window.name by calling getWindowState:
We can control both the GET params and window.name, so we can move on to the next step and see what the code does:
The n param controls the switch jump, and there's an interesting case (STATE_AAD_LOGIN).
handleAADLogin calls _redirectToTenant, which calls a(l), which falls into the redirect method. Wow! There's no check before _window.location.replace(e). We can trigger an XSS with a simple payload.
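The missing check described above, as an added example (not the OneDrive library's own code): a redirect helper that validates a target taken from the query string or window.name before handing it to location.replace, next to the unchecked pattern. The allow-listed host names and the fake window object are constructed for the demo.

```javascript
// Reject anything that is not an absolute https URL to an allow-listed host.
// A javascript: target, a relative "//host" form, a foreign host or a
// "trusted@evil" userinfo trick all fail this check.
function isSafeRedirectTarget(target, allowedHosts) {
  let url;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Unchecked pattern: whatever arrived via GET params or window.name is used
// as-is, which is the shape of the redirect call discussed in the post.
function redirectUnchecked(win, target) {
  win.location.replace(target);
  return target;
}

// Hardened pattern: validate first and fall back to a fixed page otherwise.
function redirectChecked(win, target, allowedHosts, fallback) {
  const dest = isSafeRedirectTarget(target, allowedHosts) ? target : fallback;
  win.location.replace(dest);
  return dest;
}

// Minimal stand-in for window.location so the helpers run outside a browser
// (constructed for the demo; a real page would pass window itself).
function makeFakeWindow() {
  const win = { location: { href: 'about:blank' } };
  win.location.replace = (u) => { win.location.href = u; };
  return win;
}

// Constructed allowlist of tenant hosts the login flow may redirect to.
const ALLOWED_TENANT_HOSTS = new Set(['tenant.example.com']);
const FALLBACK_PAGE = 'https://tenant.example.com/error';
```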
All in one(drive)
And here's a simple PoC:
Easter egg
While writing this post I noticed that Microsoft hosts two other OneDrive libraries (v5 and v6). After some checks I reported another XSS in v6 and discovered that v5 (the oldest one) is not affected.