lunes, 5 de julio de 2010

:::SPAS3C-WV-004:::Session Hijacking in Steam WebSite

About two months ago, my little girl gave me a great present for my birthday and i got Call of Duty Modern WarFare 2 (I <3 C0D).
Lots of minutes of game later, I decided to check security in Steam Website and i got very interesting results.

WebSite was vulnerable to XSS/HTML Injection and it could be exploited to steal cookies of users. I made a PoC showing how to launch the vulnerabilities using any browser (where xss was allowed) or "steam" schema uri (steam://openurl/) due to steam used its own internal browser.

The "steam browser" had/has some limitations:
  • This browser didn't/doesn't allow to change the url -> Solution was schema uri.
  • This browser had/has an url length restriction -> Solution was to use an evil JS file hosted anywhere.

Fig.1: Triggering one simple PoC.

Fig. 2: Session Hijacking PoC.

I also recorded a video showing how the issue could be exploited.
Watch in youtube: here

I made my game more secure but they (steam-website security team) didn't give me a present like a new nice game.

Be safe ;)