Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users.
Intro
In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles. The Checkmarx research team recently identified two Cross-site scripting (XSS) vulnerabilities on Gallup’s website. XSS is a vulnerability that might enable attackers to bypass the same origin policy, impersonate users (and perform actions on their behalf), and access their data. This vulnerability can potentially allow attackers to gain full control over an application’s functionality and data, especially if the affected user has privileged access.
The types of XSS vulnerabilities found are:
- Reflected XSS – type of cross-site scripting that occurs when an application unsafely includes data from an HTTP request directly in its response.
- DOM-based XSS – this type of cross-site scripting occurs when client-side JavaScript unsafely processes data from an untrusted source, often writing it back to the DOM, as was the case in Gallup’s systems.
This blog examines these vulnerabilities, their potential impact, and the broader implications for digital security in the field of public opinion research.
Reflected Cross Scripting – gx.gallup.com
CVSS Score: 6.5 Medium CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The /kiosk.gx endpoint did not properly sanitize or encode the query string ALIAS parameter value before including it on the page.
Figure 1: Exploiting the issue to display the document’s domain
Figure 1 shows the execution of JavaScript code included in the vulnerable parameter. This endpoint doesn’t require the victim to be authenticated.
If left unaddressed and exploited by malicious actors, these vulnerabilities could lead to the execution of arbitrary code in the victims’ navigation session context. This could result in unauthorized actions being performed on their behalf. It’s important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation. This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions.
In this proof of concept (PoC) video, we show how this vulnerability could be exploited to manipulate the victim’s shopping cart. The victim innocently visits a specially crafted URL to participate in a “work-life balance” survey. Unbeknownst to them, the malicious URL triggers the browser to load a JavaScript file from a remote location controlled by the attacker. This script leverages a JSONP endpoint (https://buy.gallup.com/store/gallup/SessionToken) to retrieve and exfiltrate Digital River API access tokens to a server controlled by the attacker. With these tokens, the attacker gains access to the victim’s PII and can add a new product to the shopping cart, illustrating the potential risks of this vulnerability.
The JSONP endpoint plays an important role in this attack scenario. The gallup-session-token cookie is required to get the access tokens. Nevertheless, it is not accessible to JavaScript (httpOnly), and the browser refuses to include it in cross-site requests. SameSite attribute is set to None, and the server has Access-Control-Allow-Origin set to *.Exploit methodology
The following URL would pop a dialog box like the one shown in Figure 1:
https://gx.gallup[.]com/kiosk.gx?ALIAS=%22);alert(document.domain)//&TYPE=q12
DOM-Based Cross-Site Scripting – my.gallup.com
CVSS Score: 5.4 Medium CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
The /_Portal/ApplicationAsync endpoint did not properly sanitize nor encode query string searchTerm parameter value before including it into the page.
Figure 2: Exploiting the issue to display the document’s domain
Figure 2 shows the execution of JavaScript code included in the vulnerable parameter. The vulnerable endpoint requires authentication.
Malicious actors might exploit this issue to execute arbitrary code in the victims’ navigation session context and perform actions on their behalf.
In the above PoC video, this issue is exploited to take over a victim’s account (account takeover). The victim visits a specially crafted URL that includes a payload to pull a JavaScript file from a remote location controlled by the attacker. That script is responsible for 1) rendering my.gallup.com inside an iframe, 2) automating the required workflow to change the victim’s email, and 3) pinging the attacker’s remote server with the new email address associated with the victim’s account. From here, all the attacker needs to do is recover the account password, and set a new one.
Exploit methodology
The following URL, after logging in, will pop dialog box like the one shown in Figure 2:
https://my.gallup[.]com/_Portal/ApplicationAsync?gssClientId=dduOMXW7d71AS3U _2BFMiMY8EiRX0WxJVn_2FHNUkaHb4okdayR4Pz6_2BetryXCC5aLQ2&dashbo ardWidgetId=AQICAHgcAgLcqG_2BjL48JMeAx11Kd4K4khEMoYzbmIpOoa9wRw QHwBn_2B2jOYRmEThy2bBjhebAAAAeDB2BgkqhkiG9w0BBwagaTBnAgEAMGI GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMwOTTYIEr2OY_2B8xLiAgEQ gDW9L_2B9lkGghNQqrG7K_2BQ36lyXdiSZZEDX3JBsqfhN3ST3LlZ_2FgMDzhuz_2BrcRxStCcFpuhu5Zw_3D_3D&eCode=LEARN#/search?searchTerm=%3Cimg%20src=x%20onerror=alert(document.domain)%3E
After validation to avoid these vulnerabilities, we recommended:
- Properly encode data according to the output context it will be included before appending it to the response markup (HTML) or page DOM – Document Object Model.
- Consider adding/adjusting the Content Security Policy (CSP) to restrict locations where the browser can fetch and execute scripts.
References
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site
- A03:2021 – Injection, OWASP Top 10 2021
- Cross Site Scripting Prevention Cheat Sheet, OWASP Cheat Sheet Series
- Testing for Reflected Cross Site Scripting, OWASP Web Security Testing Guide
- Content Security Policy (CSP), Mozilla Developer Network Scripting’)
Timeline
- 23-June-2024 Full findings reported to Gallup’s incident response team
- 25-June-2024 Gallup confirmed receiving the report
- 11-July-2024 vulnerabilities were reviewed and found to be fixed.
