Vulnerability-Lab, a Germany-based security research company, recently identified an application-side validation web vulnerability, which allows an attacker to inject code in his user profile. The injected code gets executed when a PayPal employee loads the user’s details on PayPal’s backend system. This type of vulnerability is better known as Blind Cross-Site Scripting (Blind XSS) vulnerability - since the attacker blindly injects code hoping that it is executed at a later stage. This type of attack often targets backend systems, as is the case here.
The vulnerability is considered to be a critical vulnerability as it could have been remotely exploited by a low-privilege PayPal account, allowing the hijacking of sessions and giving access to PayPal’s backend system. This would allow the attacker to act as a PayPal employee. Depending on the employee’s privileges, he would gain access to user account data, with the possibility to alter user details, and various other admin options available to PayPal employees.
Luckily, the code injected by the researchers only produced a message box greeting PayPal’s employees with “Hi”. A technical analysis of the vulnerability is available here.
Due to the fact that the injected code may execute after some time, or not at all, this type of vulnerability is rather difficult to detect automatically. Through the use of its AcuMonitor service, Acunetix is able to detect and report on Blind XSS vulnerabilities and other similar vulnerabilities. AcuMonitor is available to all Acunetix Web Vulnerability Scanner customers, and will soon be available in Acunetix Online Vulnerability Scanner.