標籤 attack prevention 下的所有文章

Google Covert Redirect Web Security Bugs Based on Googleads.g.doubleclick.net

go

 

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

— Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net

 

 

 

(1) WebSite:
google.com

 

“Google is an American multinational technology company specializing in Internet-related services and products. These include online advertising technologies, search, cloud computing, and software. Most of its profits are derived from AdWords, an online advertising service that places advertising near the list of search results.

 

The corporation has been estimated to run more than one million servers in data centers around the world (as of 2007). It processes over one billion search requests and about 24 petabytes of user-generated data each day (as of 2009). In December 2013, Alexa listed google.com as the most visited website in the world. Numerous Google sites in other languages figure in the top one hundred, as do several other Google-owned sites such as YouTube and Blogger. Its market dominance has led to prominent media coverage, including criticism of the company over issues such as search neutrality, copyright, censorship, and privacy." (Wikipedia)

 

 

 

 

(2) Vulnerability Description:

Google web application has a computer cyber security problem. Hacker can exploit it by Covert Redirect attacks.

The vulnerability exists at “Logout?" page with “&continue" parameter, i.e.


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

(2.1) When a user is redirected from Google to another site, Google will check whether the redirected URL belongs to domains in Google’s whitelist (The whitelist usually contains websites belong to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

 

If this is true, the redirection will be allowed.

 

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Google to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Google directly.

 

One of the vulnerable domain is,
googleads.g.doubleclick.net (Google’s Ad System)

 

 

 

(2.2) Use one webpage for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. We can suppose that this webpage is malicious.

Blog Detail:
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html

 

 

 

 

 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS vulnerabilities in third-party applications.

 

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect was found and dubbed by a Mathematics PhD student Wang Jing from School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore.

 

After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://tetraph.com/wangjing/

 

 

 

 

More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html
http://seclists.org/fulldisclosure/2014/Nov/29
http://cxsecurity.com/issue/WLB-2014110106
http://tetraph.blog.163.com/blog/static/23460305120141145350181/
https://infoswift.wordpress.com/2014/05/25/google-web-security/
http://tetraph.tumblr.com/post/119490394042/securitypost#notes
http://securityrelated.blogspot.com/2014/11/covert-redirect-vulnerability-based-on.html
http://webtech.lofter.com/post/1cd3e0d3_706af10
https://twitter.com/tetraphibious/status/559165319575371776
http://tetraph.com/security/covert-redirect/google-based-on-googleads-g-doubleclick-net/
http://www.inzeed.com/kaleidoscope/computer-security/google-covert-g-doubleclick-net/
https://hackertopic.wordpress.com/2014/05/25/google-web-security/

Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities

gconts_xss1

 

Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities

 

Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter XSS Security Vulnerabilities

Product: Gcon Tech Solutions

Vendor: Gcon Tech Solutions

Vulnerable Versions: v1.0

Tested Version: v1.0

Advisory Publication: May 23, 2015

Latest Update: May 23, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

Gcon Tech Solutions

 

Product & Vulnerable Versions:

Gcon Tech Solutions

v1.0

 

Vendor URL & Download:

Gcon Tech Solutions can be obtained from here,

http://www.gconts.com/Development.htm

 

Google Dork:

“Developed and maintained by Gcon Tech Solutions"

 

Product Introduction Overview:

“Over the years we have developed business domain knowledge various business areas. We provide Development Services either on time and material or turn-key fixed prices basis, depending on the nature of the project. Application Development Services offered by Gcon Tech Solutions help streamline business processes, systems and information. Gcon Tech Solutions has a well-defined and mature application development process, which comprises the complete System Development Life Cycle (SDLC) from defining the technology strategy formulation to deploying, production operations and support. We fulfill our client’s requirement firstly from our existing database of highly skilled professionals or by recruiting the finest candidates locally. We analyze your business requirements and taking into account any constraints and preferred development tools, prepare a fixed price quote. This offers our customers a guaranteed price who have a single point contact for easy administration. We adopt Rapid Application Development technique where possible for a speedy delivery of the Solutions. Salient Features of Gcon Tech Solutions Application Development Services: (a) Flexible and Customizable. (b) Industry driven best practices. (c) Knowledgebase and reusable components repository. (d) Ensure process integration with customers at project initiation"

 

 

 

(2) Vulnerability Details:

Gcon Tech Solutions web application has a computer cyber security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Gcon Tech Solutions has patched some of them. The Mail Archive automatically detects when it receives mail from a new list. Thus, you are encouraged, although certainly not required, to send a test message to the newly archived list. If you are adding several lists to the archive, send a separate and distinct test message to each one. It also publishes suggestions, advisories, solutions details related to XSS vulnerabilities and cyber intelligence recommendations.

 

(2.1) The first programming code flaw occurs at “&id" parameter in “content.php?" page.

 

 

 

 

 

References:

http://www.tetraph.com/security/xss-vulnerability/gcon-tech-solutions-v1-0-xss/

http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-xss-cross-site.html

http://www.inzeed.com/kaleidoscope/computer-web-security/gcon-tech-solutions-v1-0-xss/

http://diebiyi.com/articles/security/gcon-tech-solutions-v1-0-xss/

https://webtechwire.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-xss/

http://computerobsess.blogspot.com/2015/05/gcon-tech-solutions-v10-xss.html

http://whitehatpost.blog.163.com/blog/static/24223205420154245138791/

https://itswift.wordpress.com/2015/05/24/gcon-tech-solutions-v1-0-xss/

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02028.html

http://cxsecurity.com/issue/WLB-2015050068

http://seclists.org/fulldisclosure/2015/May/34

https://www.bugscan.net/#!/x/21839

http://www.openwall.com/lists/oss-security/2015/05/22/6

http://lists.openwall.net/full-disclosure/2015/04/05/8

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1957

Web Technology Wire

gconts_xss1

Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities

Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter XSS Security Vulnerabilities

Product: Gcon Tech Solutions

Vendor: Gcon Tech Solutions

Vulnerable Versions: v1.0

Tested Version: v1.0

Advisory Publication: May 23, 2015

Latest Update: May 23, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)

Recommendation Details:

(1) Vendor & Product Description:

Vendor:

Gcon Tech Solutions

Product & Vulnerable Versions:

Gcon Tech Solutions

v1.0

Vendor URL & Download:

Gcon Tech Solutions can be obtained from here,

http://www.gconts.com/Development.htm

Google Dork:

“Developed and maintained by Gcon Tech Solutions"

Product Introduction Overview:

“Over the years we have developed business domain knowledge various business areas. We provide…

View original post 詳見內文:約344字

Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities

gconts_sql2

 

Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities

 

Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter SQL Injection Security Vulnerabilities

Product: Gcon Tech Solutions

Vendor: Gcon Tech Solutions

Vulnerable Versions: v1.0

Tested Version: v1.0

Advisory Publication: May 24, 2015

Latest Update: May 24, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

Recommendation Details:

 

(1) Vendor & Product Description:

Vendor:

Gcon Tech Solutions

 

Product & Vulnerable Versions:

Gcon Tech Solutions

v1.0

 

Vendor URL & Download:

Gcon Tech Solutions can be obtained from here,

http://www.gconts.com/Development.htm

 

Google Dork:

“Developed and maintained by Gcon Tech Solutions"

 

Product Introduction Overview:

“Over the years we have developed business domain knowledge various business areas. We provide Development Services either on time and material or turn-key fixed prices basis, depending on the nature of the project. Application Development Services offered by Gcon Tech Solutions help streamline business processes, systems and information. Gcon Tech Solutions has a well-defined and mature application development process, which comprises the complete System Development Life Cycle (SDLC) from defining the technology strategy formulation to deploying, production operations and support. We fulfill our client’s requirement firstly from our existing database of highly skilled professionals or by recruiting the finest candidates locally. We analyze your business requirements and taking into account any constraints and preferred development tools, prepare a fixed price quote. This offers our customers a guaranteed price who have a single point contact for easy administration. We adopt Rapid Application Development technique where possible for a speedy delivery of the Solutions. Salient Features of Gcon Tech Solutions Application Development Services: (a) Flexible and Customizable. (b) Industry driven best practices. (c) Knowledgebase and reusable components repository. (d) Ensure process integration with customers at project initiation"

 

 

 

(2) Vulnerability Details:

Gcon Tech Solutions web application has a computer cyber security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Gcon Tech Solutions has patched some of them. CXSECurity is a huge collection of information on data communications safety. Its main objective is to inform about errors in various applications. It also publishes suggestions, advisories, solutions details related to SQL Injection vulnerabilities and cyber intelligence recommendations.

 

(2.1) The first programming code flaw occurs at “content.php?" page with “&id" parameter.

 

 

 

 

 

References:

http://www.tetraph.com/security/sql-injection-vulnerability/gcon-tech-solutions-v1-0-sql/

http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-sql.html

http://www.diebiyi.com/articles/security/gcon-tech-solutions-v1-0-sql/

http://www.inzeed.com/kaleidoscope/computer-web-security/gcon-tech-solutions-v1-0-sql/

http://computerobsess.blogspot.com/2015/05/gcon-tech-solutions-v10-sql.html

https://itswift.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-sql/

http://whitehatpost.blog.163.com/blog/static/242232054201542455422939/

https://webtechwire.wordpress.com/2015/05/24/gcon-tech-solutions-v1-0-sql/

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html

http://cxsecurity.com/issue/WLB-2015040036

http://seclists.org/fulldisclosure/2015/May/32

https://www.bugscan.net/#!/x/21454

http://lists.openwall.net/full-disclosure/2015/05/08/8

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1955

 

Web Technology Wire

gconts_sql2

Gcon Tech Solutions v1.0 SQL Injection Web Security Vulnerabilities

Exploit Title: Gcon Tech Solutions v1.0 content.php? &id Parameter SQL Injection Security Vulnerabilities

Product: Gcon Tech Solutions

Vendor: Gcon Tech Solutions

Vulnerable Versions: v1.0

Tested Version: v1.0

Advisory Publication: May 24, 2015

Latest Update: May 24, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

Writer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Recommendation Details:

(1) Vendor & Product Description:

Vendor:

Gcon Tech Solutions

Product & Vulnerable Versions:

Gcon Tech Solutions

v1.0

Vendor URL & Download:

Gcon Tech Solutions can be obtained from here,

http://www.gconts.com/Development.htm

Google Dork:

“Developed and maintained by Gcon Tech Solutions"

Product Introduction Overview:

“Over the years…

View original post 詳見內文:約319字

Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs

facebook_4


Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs




Domain:
http://www.facebook.com



“Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website’s membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students." (Wikipedia)



“Facebook had over 1.44 billion monthly active users as of March 2015.Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion." (Wikipedia)





Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 



(1) General Vulnerabilities Description:

(1.1) Two Facebook vulnerabilities are introduced in this article.

Facebook has a computer cyber security bug problem. It can be exploited by Open Redirect attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect" to other websites such as Amazon, eBay, Go-daddy, Yahoo, 163, Mail.ru etc.

 

(1.1.1)

One Facebook Open Redirect vulnerability was reported to Facebook. Facebook adopted a new mechanism to patch it. Though the reported URL redirection vulnerabilities are patched. However, all old generated URLs are still vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook’s third-party interaction system or database management system or both. Another reason may be related to Facebook’s design for different kind of browsers.

 

(1.1.2) Another new Open Redirect vulnerability related to Facebook is introduced, too. For reference, please read section (3).

The vulnerabilities can be attacked without user login. Tests were performed on IE (9.0) of Windows 8, Firefox (24.0) & Google Chromium 30.0.1599.114 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (12.10),Safari 6.1.6 of Mac OS X Lion 10.7.



(1.2) Facebook’s URL Redirection System Related to “*.php" Files

All URLs’ redirection are based on several files, such l.php, a.php, landing.php and so on.

The main redirection are based on file “l.php" (Almost all redirection links are using it right now).

For file “l.php", one parameter “h" is used for authentication. When it mentions to file “a.php", parameter “eid" is used for authentication. All those two files use parameter “u" for the url redirected to. In some other files such as “landing.php", parameters such as “url", “next" are used.

<1>For parameter “h", two forms of authentication are used.

<a>h=HAQHyinFq

<b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA

<2>For parameter “eid", one form of authentication is used.

<a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqaxLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWfgPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMBVm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMuwsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRKL7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFMav-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSlwSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH09Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYotLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEqR2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPwpWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA79TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJcDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJeif4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJerXPyK-IqsD_SQfIm_2WJSkzwzATwQKs

 

 

 


(2) Vulnerability Description 1:

(2.1) A security researcher reported two Open Redirect vulnerabilities to Facebook in 2013. The following are the two links reported.

Though a new mechanism was adopted. However, all old generated redirections still work by parameter “h" and “eid".

 

 

(2.2) A website was used for the following tests. The website is “http://www.tetraph.com/“. Suppose this website is malicious.

(2.2.1)

<1>First test

<a>file: “l.php"

<b>URL parameter: “u"

<c>authentication parameter: “h"

<d>form: “h=HAQHyinFq".

<e>The authentication has no relation with all other parameters, such as “s".

Examples:

URL 1:

Redirect Forbidden:

Redirect Works:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

(2.2.2)

<2>Second test. It is the same situation as above.

<a>file: “l.php",

<b>url parameter “u"

<c>authentication parameter: “h"

<d>form: “h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA".

<e>The authentication has no relation to all other parameters, such as “env", “s".

 

Examples:

URL 1:

Redirect Forbidden:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

 

(3) Facebook File “a.php" Open Redirect Security Vulnerability

 

(3.1)

<a>file: “a.php"

<b>parameter “u"

<c> authentication parameter: “eid"

<d> form: “eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w".

<e>The authentication has no relation to all other parameters, such as “mac", “_tn_".

Examples:

Vulnerable URL:

https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F%252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%253Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D8782431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER%257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCuD-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAkinLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgUY6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w

POC:

 

(3.2) Facebook Login Page Covert Redirect Security Vulnerability

Vulnerable URL Related to Login.php Based on a.php:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fopenhouse2014%252F%253Futm_source%253Dfacebook%2526utm_medium%253Dcpc%2526utm_campaign%253Dopenhouse2014%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs

POC:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs





Those vulnerabilities were reported to Facebook in 2014 and they have been patched.





Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Facebook has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" All the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. Large number of Facebook bugs were published here. FD also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.








(4) Amazon Covert Redirect Security Vulnerability Based on Facebook

Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect" to other websites such as Amazon.


Domain:
http://www.amazon.com


“American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden." (Wikipedia)

 

 

The vulnerability exists at “redirect.html?" page with “&location" parameter, e.g.

 

(4.1) When a user is redirected from Amazon to another site, Amazon will check parameters “&token". If the redirected URL’s domain is OK, Amazon will allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

One of the vulnerable domain is,
http://www.facebook.com

 

(4.2) Use one of webpages for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. Suppose it is malicious.

Vulnerable URL:

POC:

 

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/22
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1428
http://lists.openwall.net/full-disclosure/2015/01/12/1
http://marc.info/?l=full-disclosure&m=142104333521454&w=4
http://diebiyi.com/articles/security/facebook-open-redirect/
https://www.facebook.com/essaybeans/posts/570476126427191
http://germancast.blogspot.de/2015/06/facebook-web-security-0day-bug.html
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://essaybeans.lofter.com/post/1cc77d20_7300027
http://qianqiuxue.tumblr.com/post/120750458855/itinfotech-facebook-web-security-0day-bug
https://www.facebook.com/permalink.php?story_fbid=472994806188548&id=405943696226993
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://www.tetraph.com/blog/phishing/facebook-open-redirect/
http://itinfotech.tumblr.com/post/120750347586/facebook-web-security-0day-bug
http://ittechnology.lofter.com/post/1cfbf60d_72fd108
http://russiapost.blogspot.ru/2015/06/facebook-web-security-0day-bug.html
https://twitter.com/tetraphibious/status/606676645265567744
https://plus.google.com/u/0/110001022997295385049/posts/hb6seddG561
http://whitehatpost.blog.163.com/blog/static/24223205420155501020837/
http://www.inzeed.com/kaleidoscope/computer-security/facebook-open-redirect/