Researchers uncover how fake news could be created on Gallup’s website
September 2024 by Checkmarx
In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles. The Checkmarx research team recently identified critical Cross-site scripting (XSS) vulnerabilities on Gallup’s website. XSS is a vulnerability that might enable attackers to bypass the same origin policy, impersonate users (and perform actions on their behalf), and access their data. This vulnerability can potentially allow attackers to gain full control over an application’s functionality and data, especially if the affected user has privileged access.
The types of XSS vulnerabilities found are:
Reflected XSS - a type of cross-site scripting that occurs when an application unsafely includes data from an HTTP request directly in its response.
DOM-based XSS - a type of cross-site scripting that occurs when client-side JavaScript unsafely processes data from an untrusted source, often writing it back to the DOM, as was the case in Gallup’s systems.
This blog examines these vulnerabilities, their potential impact, and the broader implications for digital security in the field of public opinion research.
Reflected Cross-Site Scripting - gx.gallup.com
CVSS Score: 6.5 Medium CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The /kiosk.gx endpoint does not properly sanitize or encode the value of the ALIAS query string parameter before including it in the page.
If left unaddressed and exploited by malicious actors, these vulnerabilities could lead to the execution of arbitrary code in the victims’ navigation session context. This could result in unauthorized actions being performed on their behalf. It’s important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation. This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions.
In the shopping-cart-hijacking.mp4 proof of concept (PoC) video, we show how this vulnerability could be exploited to manipulate the victim’s shopping cart. The victim innocently visits a specially crafted URL to participate in a “work-life balance” survey. Unbeknownst to them, the malicious URL triggers the browser to load a JavaScript file from a remote location controlled by the attacker. This script leverages a JSONP endpoint (https://buy.gallup.com/store/gallup/SessionToken) to retrieve and exfiltrate Digital River API access tokens to a server controlled by the attacker. With these tokens, the attacker gains access to the victim’s PII and can add a new product to the shopping cart, illustrating the potential risks of this vulnerability.
The JSONP endpoint plays an important role in this attack scenario. The gallup-session-token cookie is required to get the access tokens. Nevertheless, it is not accessible to JavaScript (httpOnly), and a browser would ordinarily refuse to include it in cross-site requests. In this case, however, the cookie’s SameSite attribute is set to None, and the server has Access-Control-Allow-Origin set to *, so the cookie is sent along with the JSONP request and the injected script can read the returned tokens.
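To make the cookie reasoning above concrete, here is an added example (not code from Checkmarx or from Gallup’s systems) that models when a browser attaches a cookie to a request under each SameSite value, and whether injected page script could read the cookie directly. The function and attribute names are assumptions made for illustration; the rules are a simplification of SameSite behaviour (Secure, Domain and Path matching are ignored, and the caller states whether a request is cross-site).

```javascript
// Added example, not from the advisory: a simplified model of browser cookie-sending
// rules, used to reason about the gallup-session-token scenario. Names are assumptions.

// Request kinds that matter for SameSite decisions.
const TOP_LEVEL_NAVIGATION = 'top-level-navigation'; // the user follows a link
const SUBRESOURCE = 'subresource';                    // <script src>, <img>, fetch()

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

/**
 * Decide whether a cookie with the given attributes is attached to a request.
 * @param {{httpOnly: boolean, sameSite: 'Strict'|'Lax'|'None'}} cookie
 * @param {{crossSite: boolean, kind: string, method: string}} request
 * @returns {boolean}
 */
function cookieAttached(cookie, request) {
  if (!request.crossSite) return true;            // same-site requests always carry it
  switch (cookie.sameSite) {
    case 'Strict':                                // never on cross-site requests
      return false;
    case 'Lax':                                   // only top-level, safe-method navigations
      return request.kind === TOP_LEVEL_NAVIGATION && SAFE_METHODS.includes(request.method);
    case 'None':                                  // always (browsers also require Secure)
      return true;
    default:
      throw new Error('unknown SameSite value: ' + cookie.sameSite);
  }
}

// httpOnly only blocks document.cookie; it does not stop the browser from sending the
// cookie with requests that injected script causes the browser to make.
function readableByScript(cookie) {
  return !cookie.httpOnly;
}

// The advisory's scenario: a JSONP call made through a <script> tag that the injected
// code inserts, treated here as a cross-site subresource request as the advisory describes.
// (Two subdomains of one registrable domain are same-site under the SameSite definition,
// so SameSite alone would not help once script runs on a sibling host; that is why the
// advisory's remediation focuses on output encoding and CSP.)
const jsonpCall = { crossSite: true, kind: SUBRESOURCE, method: 'GET' };

// Cookie attributes as stated in the advisory (constructed representation).
const sessionToken = { httpOnly: true, sameSite: 'None' };
// A hardened alternative for comparison (assumption, not a change Gallup made).
const hardenedToken = { httpOnly: true, sameSite: 'Lax' };

function scenario(cookie) {
  return {
    scriptCanReadCookie: readableByScript(cookie),
    cookieRidesAlongWithJsonp: cookieAttached(cookie, jsonpCall),
  };
}

console.log('as deployed:', scenario(sessionToken));
console.log('SameSite=Lax:', scenario(hardenedToken));
```

With SameSite=None the cookie is not readable by script but still rides along with the script-initiated JSONP request, which is exactly the combination the proof of concept relies on; with Lax or Strict the same subresource request would be sent without it.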
Exploit methodology
The following suggested instructions can guide you on how to validate and self-check your web assets:
1. Copy the following URL into your browser’s address bar and press ENTER:
https://gx.gallup.com/kiosk.gx?ALIAS=%22);alert(document.domain)//&TYPE=q12
A dialog like the one shown in Figure 1 should have popped up.
2. Close the dialog box by clicking the “OK” button.
DOM-Based Cross-Site Scripting - my.gallup.com
CVSS Score: 5.4 Medium CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The /_Portal/ApplicationAsync endpoint does not properly sanitize or encode the value of the searchTerm query string parameter before including it in the page.
Malicious actors might exploit this issue to execute arbitrary code in the victims’ navigation session context and perform actions on their behalf.
In the provided account-takeover.mp4 PoC video, this issue is exploited to take over a victim’s account (account takeover). The victim visits a specially crafted URL that includes a payload to pull a JavaScript file from a remote location controlled by the attacker. That script is responsible for 1) rendering my.gallup.com inside an iframe, 2) automating the required workflow to change the victim’s email, and 3) pinging the attacker’s remote server with the new email address associated with the victim’s account. From here, all the attacker needs to do is recover the account password, and set a new one.
Exploit methodology
The following suggested instructions can guide you on how to validate and self-check your web assets:
1. Copy the following URL into your browser’s address bar and press ENTER:
https://my.gallup.com/
If required, sign in using a testing user account.
2. Copy the following URL into your browser’s address bar and press ENTER:
https://my.gallup.com/_Portal/ApplicationAsync?gssClientId=dduOMXW7d71AS3U_2BFMiMY8EiRX0WxJVn_2FHNUkaHb4okdayR4Pz6_2BetryXCC5aLQ2&dashboardWidgetId=AQICAHgcAgLcqG_2BjL48JMeAx11Kd4K4khEMoYzbmIpOoa9wRwQHwBn_2B2jOYRmEThy2bBjhebAAAAeDB2BgkqhkiG9w0BBwagaTBnAgEAMGIGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMwOTTYIEr2OY_2B8xLiAgEQgDW9L_2B9lkGghNQqrG7K_2BQ36lyXdiSZZEDX3JBsqfhN3ST3LlZ_2FgMDzhuz_2BrcRxStCcFpuhu5Zw_3D_3D&eCode=LEARN#/search?searchTerm=%3Cimg%20src=x%20onerror=alert(document.domain)%3E
A dialog like the one shown in Figure 2 should have popped up.
3. Close the dialog box by clicking the “OK” button.
Once validated, to address these vulnerabilities we recommend:
• Properly encode data according to the output context in which it will be included before appending it to the response markup (HTML) or to the page DOM (Document Object Model).
• Consider adding/adjusting the Content Security Policy (CSP) to restrict locations where the browser can fetch and execute scripts.
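The two recommendations above, applied to the two injection contexts this advisory describes, as an added example (not code from Checkmarx or from Gallup’s applications): the ALIAS value lands inside a JavaScript string literal in a script block, while the searchTerm value is written into the page DOM as markup, so each needs its own encoder. The handler names (renderKiosk, renderSearch), the loadSurvey call and the page templates are assumptions made for illustration; the sample inputs are the decoded payloads from the validation URLs above.

```javascript
// Added example, not the advisory's or Gallup's code: context-aware output encoding for
// the HTML body context and the JavaScript string context, plus a restrictive CSP header.

// Encode for an HTML element body or quoted attribute value (the searchTerm case).
// Every character that can open a tag, end an attribute or start an entity is escaped.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

// Encode for a double-quoted JavaScript string literal inside a <script> block (the ALIAS
// case, where the payload closes the string with "); and comments out the rest of the line).
// Everything outside [A-Za-z0-9] becomes \xHH or \uHHHH, so no quote, parenthesis,
// newline or "</script" can survive in the output.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Vulnerable pattern: the request value is pasted into a script string as-is
// (hypothetical template, assumed for illustration).
function renderKioskUnsafe(alias) {
  return `<script>loadSurvey("${alias}");</script>`;
}
// Hardened: same template, value encoded for the JS string context first.
function renderKiosk(alias) {
  return `<script>loadSurvey("${encodeForJsString(alias)}");</script>`;
}

// Vulnerable pattern: client-side code writes the search term into the DOM as markup,
// the equivalent of an innerHTML assignment (hypothetical template).
function renderSearchUnsafe(searchTerm) {
  return `<h2>Results for ${searchTerm}</h2>`;
}
// Hardened: encoded for the HTML body context (equivalent to assigning textContent).
function renderSearch(searchTerm) {
  return `<h2>Results for ${encodeForHtml(searchTerm)}</h2>`;
}

// A Content Security Policy allowing scripts only from the page's own origin, so a
// <script src="https://attacker.example/..."> injected through a residual bug would
// not be fetched. Pages that rely on inline scripts need nonces or hashes as well.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Constructed sample inputs: the decoded payloads from the advisory's validation URLs.
const ALIAS_PAYLOAD = '");alert(document.domain)//';
const SEARCH_PAYLOAD = '<img src=x onerror=alert(document.domain)>';

console.log(renderKioskUnsafe(ALIAS_PAYLOAD));
console.log(renderKiosk(ALIAS_PAYLOAD));
console.log(renderSearchUnsafe(SEARCH_PAYLOAD));
console.log(renderSearch(SEARCH_PAYLOAD));
console.log(CSP_HEADER);
```

The encoders are deliberately context-specific: HTML entity encoding would not help inside the script string (an `&quot;` is just text there, while a raw `"` still terminates the literal), and JavaScript escaping is wrong for markup. Pick the encoder by where the value ends up, not by where it came from.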
References
• CWE-79: Improper Neutralization of Input During Web Page Generation (’Cross-site Scripting’)
• A03:2021 – Injection, OWASP Top 10 2021
• Cross Site Scripting Prevention Cheat Sheet, OWASP Cheat Sheet Series
• Testing for Reflected Cross Site Scripting, OWASP Web Security Testing Guide
• Content Security Policy (CSP), Mozilla Developer Network