Monday, 5 July 2010

:::SPAS3C-WV-004:::Session Hijacking in Steam WebSite




About two months ago, my little girl gave me a great present for my birthday and I got Call of Duty Modern Warfare 2 (I <3 C0D).
Many minutes of gameplay later, I decided to check the security of the Steam website and I got very interesting results.

The website was vulnerable to XSS/HTML injection, which could be exploited to steal users' cookies. I made a PoC showing how to trigger the vulnerabilities using any browser (where XSS was allowed) or the "steam" URI scheme (steam://openurl/), because Steam used its own internal browser.

The "steam browser" had/has some limitations:
  • This browser didn't/doesn't allow changing the URL -> the solution was the URI scheme.
  • This browser had/has a URL length restriction -> the solution was to use an evil JS file hosted anywhere.

Fig.1: Triggering one simple PoC.


Fig. 2: Session Hijacking PoC.

I also recorded a video showing how the issue could be exploited.
Watch on YouTube: here
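The two conditions this PoC depended on, a session cookie that page script can read and a page that will load script from any host, can be checked from response headers. The audit below is an added example, not code from the original post or from Steam; the cookie name, header values and function names are constructed for illustration.

```javascript
// Constructed sample responses (not captured from any real site).
const WEAK = { cookies: ['sessionid=abc123; Path=/'], csp: undefined };
const HARDENED = {
  cookies: ['sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
  csp: "default-src 'self'; script-src 'self'",
};

// Parse one Set-Cookie value into its name and a set of lowercased attribute names.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(';').map((s) => s.trim());
  const attrs = new Set(rest.map((a) => a.split('=')[0].toLowerCase()));
  return { name: pair.split('=')[0], attrs };
}

// Source list that governs script loading: script-src, falling back to default-src.
// Returns null when the policy restricts scripts in neither directive.
function scriptSources(csp) {
  const directives = new Map();
  for (const part of (csp || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Report what would let injected script read the session cookie or pull in
// a script file hosted elsewhere.
function auditResponse(setCookies, csp) {
  const findings = [];
  for (const c of setCookies.map(parseSetCookie)) {
    if (!c.attrs.has('httponly')) {
      findings.push(`cookie ${c.name}: readable via document.cookie (no HttpOnly)`);
    }
  }
  const sources = scriptSources(csp);
  if (sources === null) {
    findings.push('no CSP script-src/default-src: script may load from any host');
  } else {
    const loose = ['*', "'unsafe-inline'", 'http:', 'https:', 'data:'];
    for (const s of sources.filter((x) => loose.includes(x.toLowerCase()))) {
      findings.push(`CSP script source ${s} permits injected or third-party script`);
    }
  }
  return findings;
}
```

HttpOnly and a strict `script-src` limit what an injection can do with the session; the injection itself is still fixed by encoding user-controlled output.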

I made my game more secure, but they (the Steam website security team) didn't give me a present like a nice new game.

Be safe ;)

3 comments:

María José López Lara said...

Sometimes big companies are so ungrateful ... do not give up, you're very good at what you do

Anonymous said...

you're the incredible monster of the cyberworld!!!

Anonymous said...

you're a "xusta" ;)