BOOK THIS SPACE FOR AD
ARTICLE ADFirst let’s start with what is Comodo?
Comodo Security Solutions, Inc. is a cybersecurity company headquartered in Clifton, New Jersey in the United States.
The firm operates a certificate authority that issues SSL certificates, and offers information security products for both enterprises and consumers.
The company also helped on setting standards by contributing to the IETF (Internet Engineering Task Force) DNS Certification Authority Authorization (CAA) Resource Record. “Wikipedia”
Now that you know what is Comodo, let’s move to the next part.
On Comodo’s website, I found 6 vulnerabilities, 2 Stored XSS and 4 Reflected XSS
Where did i find these vulnerabilities?
https://support.comodo.com — Stored XSS that can be used against the help desk employeeshttps://servicedesk.comodo.com/ — Stored XSS that can be used against the help desk employeeshttps://blog.comodo.com — Reflected XSShttps://verdict.valkyrie.comodo.com — Reflected XSShttps://verdict-devops.valkyrie.comodo.com — Reflected XSShttps://www.comodosecuritycouncil.com — Reflected XSSI believe that most of you know what is XSS and the types of XSS, but i’ll give a short explanation for those who don’t know:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. In 2017, XSS attacks were still considered a major threat vector. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner network. “Wikipedia”
Types of XSS found in Comodo.com:
Reflected XSS — Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off of a web application to the victim’s browser.The script is activated through a link, which sends a request to a website with. a vulnerability that enables execution of malicious scripts. “imperva”
Stored XSS — Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. “imperva”_________________________________________________________________
Reflected XSS at https://blog.comodo.comVulnerable Parameters:
trackafthose parameters are used to track users around the website and in any page in the code those parameters are encoded but in the blog section of the website Comodo just put a simple defence, every time someone enter “ or “>< the system automatically added \ to the start and blocked this code from been executed, how did i bypassed it? with a simple apostrophe: ‘ like:
‘“><svg onload=alert(1)>
Yeah that simple…
Attacker can use it to redirect the ‘victim’ from Comodo’s website to a phishing page.Automatic malware downloadAttacker can use it to execute js code at the ‘victim’ browser to steal cookies,steal information etc…_________________________________________________________________
2. Reflected XSS at https://verdict.valkyrie.comodo.com
Vulnerable Parameter:
urlAttacker can use it to redirect the ‘victim’ from Comodo’s website to a phishing page.Automatic malware downloadAttacker can use it to execute js code at the ‘victim’ browser to steal cookies,steal information etc…_________________________________________________________________
3. Reflected XSS at https://verdict-devops.valkyrie.comodo.com
Vulnerable Parameter:
domainAttacker can use it to redirect the ‘victim’ from Comodo’s website to a phishing page.Automatic malware downloadAttacker can use it to execute js code at the ‘victim’ browser to steal cookies,steal information etc…_________________________________________________________________
4. Reflected XSS at https://www.comodosecuritycouncil.com
Vulnerable Parameter:
sAttacker can use it to redirect the ‘victim’ from Comodo’s website to a phishing page.Automatic malware downloadAttacker can use it to execute js code at the ‘victim’ browser to steal cookies,steal information etc…_________________________________________________________________
5. Stored XSS at https://support.comodo.com
This Stored XSS can be used against the company(and other companies that use their service) help desk workers from https://support.comodo.com if a js script will be executed at the side of the workers it can be very dangerous to the company! another thing is after the ticket submission the attacker can take the link and just send it to anyone this link is public and can be access without an account !! (in the next Stored XSS i proved that it can be used against the workers)
_________________________________________________________________
6. Stored XSS at https://servicedesk.comodo.com/
if you know Comodo you know they have a service desk service (they probably using it themself for their Support center), but think what can happen if this support center has Stored XSS vulnerability that can be used against your company, this is what happens here and below, you will see the POC video that proves that this can be used against the company employees
In this POC i created my own account and started a help desk service to prove they have Stored XSS vulnerability at the help desk workers side.
This Stored XSS can be used against the company(and other 200+ companies that use their service) help desk workers from https://servicedesk.comodo.com, if a js script will be executed at the side of the workers it can be very dangerous to the company! another thing is after the ticket submission the attacker can take the link and just send it to anyone this link is public and can be access without an account !! (in the next Stored XSS i proved that it can be used against the workers)
_________________________________________________________________
Maor Dayan.