Lab: Parameter cloaking

The website excludes a certain UTM analytics parameter.

1. Identify that the utm_content parameter is supported. Observe that it is also excluded from the cache key.
2. Notice that if you use a semicolon (;) to append another parameter to utm_content, the cache treats this as a single parameter. This means that the extra parameter is also excluded from the cache key. Alternatively, with Param Miner loaded, right-click on the request and select "Bulk scan" > "Rails parameter cloaking scan" to identify the vulnerability automatically.
3. Observe that every page imports the script /js/geolocate.js, executing the callback function setCountryCookie(). Send the request GET /js/geolocate.js?callback=setCountryCookie to Burp Repeater.
4. Notice that you can control the name of the function that is called on the returned data by editing the callback parameter. However, you can't poison the cache for other users in this way because the parameter is keyed.

5. Study the cache behavior. Observe that if you add duplicate callback parameters, only the final one is reflected in the response, but both are still keyed. However, if you append the second callback parameter to the utm_content parameter using a semicolon, it is excluded from the cache key and still overwrites the callback function in the response:

   GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=arbitraryFunction HTTP/1.1 200 OK X-Cache-Key: /js/geolocate.js?callback=setCountryCookie … arbitraryFunction({"country" : "United Kingdom"})

6. Send the request again, but this time pass in alert(1) as the callback function:

   GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=alert(1)
7. Get the response cached, then load the home page in the browser. Check that the alert() is triggered.
8. Replay the request to keep the cache poisoned. The lab will solve when the victim user visits any page containing this resource import URL.

Jarno Timmermans

Intigriti