Closed Bug 1426475 Opened 7 years ago Closed 6 years ago

Make unknown bug id / alias error message more obvious to prevent content spoofing

Categories: bugzilla.mozilla.org :: General, defect
Version: Production
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
People: Reporter: cehmanish, Assigned: dylan
Details: Keywords: sec-low, wsec-injection; Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 3 files

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.
This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user's trust.

Content spoofing is an attack that is closely related to Cross-site Scripting (XSS). While XSS uses <script> and other techniques to run JavaScript, content spoofing uses other techniques to modify the page for malicious reasons.
Even if XSS mitigation techniques are used within the web application, such as proper output encoding, the application can still be vulnerable to text based content spoofing attacks.


1. In the bugzilla.mozilla.org application, the given URL "https://bugzilla.mozilla.org/show_bug.cgi?id=" accepts the value of the parameter "id" as only a numeric value, but here an attacker can pass any string of any length.

2. The attacker-supplied string is reflected in the response body (inside the anchor tag, inside the form action URL, etc.).

3. The application is protected against XSS, but the attacker can supply the payload as simple text.

4. The simple text injection (spoofing) can perform any phishing type of attack because of user trust in the bugzilla.mozilla.org application.

5. The attacker can inject these types of text:

i. The site is temporarily down, please visit the victim web site.
ii. The website contains viruses and malware.
iii. Any phishing message that asks to visit any third-party site and enter Mozilla credentials.

6. The text injection is possible using a GET parameter, so the possibility and impact become high.

7. The parameter also accepts CRLF (%0a & %0d) inside the text injection, and an attacker can also use it.

8. Using this vulnerability an attacker can also perform a denial of service (DoS) on the BMO server because the application performs operations on attacker-supplied data.



So it is best practice to validate user-supplied data before use.
Flags: sec-bounty?
gupta: thanks for your report.  In many applications this is possible with the default Apache 404 page, but in this case the application is attempting to handle things a bit more cleanly, adding a bit of legitimacy to such an attack.  I will raise this with the bugzilla team and I suspect it's reasonably actionable to constrain the input to valid bug IDs and not support text...

An example PoC that an attacker might actually use could look something like this, to force the error text off the user's screen...

https://bugzilla.mozilla.org/show_bug.cgi?id=Warning%20we%27ve%20moved%20to%20JIRA%20instead%20of%20bugzilla,%20please%20use%20evil.com%20instead,%20please%20also%20read%20our%20really%20long%20terms%20of%20service%20to%20wipe%20the%20bug%20is%20no%20longer%20valid%20off%20the%20screen%20The%20standard%20Lorem%20Ipsum%20passage,%20used%20since%20the%201500s%22Lorem%20ipsum%20dolor%20sit%20amet,%20consectetur%20adipiscing%20elit,%20sed%20do%20eiusmod%20tempor%20incididunt%20ut%20labore%20et%20dolore%20magna%20aliqua.%20Ut%20enim%20ad%20minim%20veniam,%20quis%20nostrud%20exercitation%20ullamco%20laboris%20nisi%20ut%20aliquip%20ex%20ea%20commodo%20consequat.%20Duis%20aute%20irure%20dolor%20in%20reprehenderit%20in%20voluptate%20velit%20esse%20cillum%20dolore%20eu%20fugiat%20nulla%20pariatur.%20Excepteur%20sint%20occaecat%20cupidatat%20non%20proident,%20sunt%20in%20culpa%20qui%20officia%20deserunt%20mollit%20anim%20id%20est%20laborum.%22Section%201.10.32%20of%20%22de%20Finibus%20Bonorum%20et%20Malorum%22,%20written%20by%20Cicero%20in%2045%20BC%22Sed%20ut%20perspiciatis%20unde%20omnis%20iste%20natus%20error%20sit%20voluptatem%20accusantium%20doloremque%20laudantium,%20totam%20rem%20aperiam,%20eaque%20ipsa%20quae%20ab%20illo%20inventore%20veritatis%20et%20quasi%20architecto%20beatae%20vitae%20dicta%20sunt%20explicabo.%20Nemo%20enim%20ipsam%20voluptatem%20quia%20voluptas%20sit%20aspernatur%20aut%20odit%20aut%20fugit,%20sed%20quia%20consequuntur%20magni%20dolores%20eos%20qui%20ratione%20voluptatem%20sequi%20nesciunt.%20Neque%20porro%20quisquam%20est,%20qui%20dolorem%20ipsum%20quia%20dolor%20sit%20amet,%20consectetur,%20adipisci%20velit,%20sed%20quia%20non%20numquam%20eius%20modi%20tempora%20incidunt%20ut%20labore%20et%20dolore%20magnam%20aliquam%20quaerat%20voluptatem.%20Ut%20enim%20ad%20minima%20veniam,%20quis%20nostrum%20exercitationem%20ullam%20corporis%20suscipit%20laboriosam,%20nisi%20ut%20aliquid%20ex%20ea%20commodi%20consequatur?%20Quis%20autem%20vel%20eum%20iure%20re
prehenderit%20qui%20in%20ea%20voluptate%20velit%20esse%20quam%20nihil%20molestiae%20consequatur,%20vel%20illum%20qui%20dolorem%20eum%20fugiat%20quo%20voluptas%20nulla%20pariatur?%221914%20translation%20by%20H.%20Rackham%22But%20I%20must%20explain%20to%20you%20how%20all%20this%20mistaken%20idea%20of%20denouncing%20pleasure%20and%20praising%20pain%20was%20born%20and%20I%20will%20give%20you%20a%20complete%20account%20of%20the%20system,%20and%20expound%20the%20actual%20teachings%20of%20the%20great%20explorer%20of%20the%20truth,%20the%20master-builder%20of%20human%20happiness.%20No%20one%20rejects,%20dislikes,%20or%20avoids%20pleasure%20itself,%20because%20it%20is%20pleasure,%20but%20because%20those%20who%20do%20not%20know%20how%20to%20pursue%20pleasure%20rationally%20encounter%20consequences%20that%20are%20extremely%20painful.%20Nor%20again%20is%20there%20anyone%20who%20loves%20or%20pursues%20or%20desires%20to%20obtain%20pain%20of%20itself,%20because%20it%20is%20pain,%20but%20because%20occasionally%20circumstances%20occur%20in%20which%20toil%20and%20pain%20can%20procure%20him%20some%20great%20pleasure.%20To%20take%20a%20trivial%20example,%20which%20of%20us%20ever%20undertakes%20laborious%20physical%20exercise,%20except%20to%20obtain%20some%20advantage%20from%20it?%20But%20who%20has%20any%20right%20to%20find%20fault%20with%20a%20man%20who%20chooses%20to%20enjoy%20a%20pleasure%20that%20has%20no%20annoying%20consequences,%20or%20one%20who%20avoids%20a%20pain%20that%20produces%20no%20resultant%20pleasure?%22Section%201.10.33%20of%20%22de%20Finibus%20Bonorum%20et%20Malorum%22,%20written%20by%20Cicero%20in%2045%20BC%22At%20vero%20eos%20et%20accusamus%20et%20iusto%20odio%20dignissimos%20ducimus%20qui%20blanditiis%20praesentium%20voluptatum%20deleniti%20atque%20corrupti%20quos%20dolores%20et%20quas%20molestias%20excepturi%20sint%20occaecati%20cupiditate%20non%20provident,%20similique%20sunt%20in%20culpa%20qui%20officia%20deserunt%20mollitia%20animi,%20id%20est%20laborum%20et%20
dolorum%20fuga.%20Et%20harum%20quidem%20rerum%20facilis%20est%20et%20expedita%20distinctio.%20Nam%20libero%20tempore,%20cum%20soluta%20nobis%20est%20eligendi%20optio%20cumque%20nihil%20impedit%20quo%20minus%20id%20quod%20maxime%20placeat%20facere%20possimus,%20omnis%20voluptas%20assumenda%20est,%20omnis%20dolor%20repellendus.%20Temporibus%20autem%20quibusdam%20et%20aut%20officiis%20debitis%20aut%20rerum%20necessitatibus%20saepe%20eveniet%20ut%20et%20voluptates%20repudiandae%20sint%20et%20molestiae%20non%20recusandae.%20Itaque%20earum%20rerum%20hic%20tenetur%20a%20sapiente%20delectus,%20ut%20aut%20reiciendis%20voluptatibus%20maiores%20alias%20consequatur%20aut%20perferendis%20doloribus%20asperiores%20repellat.%221914%20translation%20by%20H.%20Rackham%22On%20the%20other%20hand,%20we%20denounce%20with%20righteous%20indignation%20and%20dislike%20men%20who%20are%20so%20beguiled%20and%20demoralized%20by%20the%20charms%20of%20pleasure%20of%20the%20moment,%20so%20blinded%20by%20desire,%20that%20they%20cannot%20foresee%20the%20pain%20and%20trouble%20that%20are%20bound%20to%20ensue;%20and%20equal%20blame%20belongs%20to%20those%20who%20fail%20in%20their%20duty%20through%20weakness%20of%20will,%20which%20is%20the%20same%20as%20saying%20through%20shrinking%20from%20toil%20and%20pain.%20These%20cases%20are%20perfectly%20simple%20and%20easy%20to%20distinguish.%20In%20a%20free%20hour,%20when%20our%20power%20of%20choice%20is%20untrammelled%20and%20when%20nothing%20prevents%20our%20being%20able%20to%20do%20what%20we%20like%20best,%20every%20pleasure%20is%20to%20be%20welcomed%20and%20every%20pain%20avoided.%20But%20in%20certain%20circumstances%20and%20owing%20to%20the%20claims%20of%20duty%20or%20the%20obligations%20of%20business%20it%20will%20frequently%20occur%20that%20pleasures%20have%20to%20be%20repudiated%20and%20annoyances%20accepted.%20The%20wise%20man%20therefore%20always%20holds%20in%20these%20matters%20to%20this%20principle%20of%20selection:%20he%20rejects%20pleasures%20to%20
secure%20other%20greater%20pleasures,%20or%20else%20he%20endures%20pains%20to%20avoid%20worse%20pains.
:dylan - what's your take on this?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dylan)
Group: websites-security → bugzilla-security
Status: NEW → UNCONFIRMED
Component: Other → General
Ever confirmed: false
Product: Websites → bugzilla.mozilla.org
Version: unspecified → Production
I'm going to take this only because it is trivial to fix.
Assignee: nobody → dylan
Flags: needinfo?(dylan)
Incoming patch, makes it look like this
Attached patch 1426475_1.patch
Attachment #8938139 - Flags: review?(dkl)
I would personally only have it say that it doesn't look like a valid bug number. No need to reflect any text back at all, since there is no reason for the id to be anything but a number.
(In reply to April King [:April] from comment #6)
> I would personally only have it say that it doesn't look like a valid bug
> number. No need to reflect any text back at all, since there is no reason
> for the id to be anything but a number.

Bugs can be words. https://bugzilla.mozilla.org/show_bug.cgi?id=bmo-emoji
Thanks Dylan.

Generally 'id' should only be a numeric value, but here there may be some business requirements, which is why Mozilla uses 'id' as words (text).

But actually the problem is that the application accepts 'id' as a string (numeric, text and special characters) and performs operations on it, i.e., if 'id' is not valid then it reflects the same user-supplied text in the response body.

So it is not best practice to reflect back user-supplied data. But we can mitigate this issue by simply showing the message "User supplied id is not valid" instead of showing the 'id' name (as we already do in the '404 Not Found' page).

Thanks  Bugzilla team
Flags: needinfo?(dylan)
Did anyone here actually look at the screenshot I attached?
Flags: needinfo?(dylan)
In short, in this patch the string is canonicalized and the missing title is added. Also the wording of the error is changed to be more like the examples given in the photon design document.
:dylan - I saw the screenshot and it looks like a net improvement to me (i.e. harder to hide spoof content).  I think April/gupta are simply saying "it could be better if" and would ideally remove all doubt of content spoofing if we didn't reflect the input, but ultimately this is your call.
Indeed. It's certainly a big improvement over what we currently have. My comment was merely that there's no real valid reason for somebody to have an invalid id aside from content spoofing, so perhaps it doesn't make sense to reflect it at all.

But if you prefer having some indication of what the ID was set to, then you've totally got my r+.
Invalid ones happen all the time, as aliases are very mutable, and typos are possible. I have analytics backing that the errors happen pretty frequently. And not just when the bug reporter was testing this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 8938139 [details] [diff] [review]
1426475_1.patch

Review of attachment 8938139 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #8938139 - Flags: review?(dkl) → review+
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Summary: Content Injection (Spoofing) Vulnerability in bugzilla.mozilla.org web application → Make unknown bug id / alias error message more obvious to prevent content spoofing
This will go out tomorrow morning.
Group: bugzilla-security
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-
Hi Jonathan, is this new find eligible for a bounty or the HoF?

Thanks
gupta: The impact isn't high enough to warrant paid bounty based on our guidelines (https://www.mozilla.org/en-US/security/web-bug-bounty/).  However, we did talk about this a bit on Monday and decided that this is worth a hall of fame mention because of how the application was handling the content injection, which is fundamentally different than most content injections we see due to the application trying to handle the error condition more elegantly.  The hall of fame list is updated on a quarterly basis, so expect some time before your name is posted here (https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/)
Gupta, can you let us know how you would like to be credited on the HoF? If you have a link, we can include that as well.
Thanks April,

Can you please include the information given below for the HoF:

Manish Gupta ( https://www.linkedin.com/in/cehmanish/ )

Thanks Mozilla