Re: Facebook Url Redirection Vuln.

看板Bugtraq作者時間12年前 (2013/07/12 02:01), 編輯推噓0(000)
留言0則, 0人參與, 最新討論串3/3 (看更多)
Isn't it a MitM situation ? if you can intercept that value you can = intercept more than a simple parameter no ?=20 Le 11 juil. 2013 =C3=A0 13:32, CANSIN YILDIRIM <canyildirim@ku.edu.tr> a = =C3=A9crit : > ----------------------------------------------------- > #Title: Facebook Url Redirection Vulnerability > #Discovery Date: 10/July/2013 > #Author: Cans=C4=B1n Y=C4=B1ld=C4=B1r=C4=B1m > #Twitter: @YildirimCansin > #Website: www.cansinyildirim.com > ----------------------------------------------------- >=20 > Introduction: >=20 > The vulnerability reported on 10th July however Facebook Security Team > replied that it is an expected behaviour. That is why I don't see any > reason not to publish the vulnerability. More detailed background > information can be found on their website: > = http://www.facebook.com/notes/facebook-security/link-shim-protecting-the-p= eople-who-use-facebook-from-malicious-urls/10150492832835766 >=20 > Decription: >=20 > By obtaining user-specific hash value, an attacker redirect the user > to a malicious website without asking for verification. The hash value > can be found from the link that the user send to his/her wall. After > clicking on user's link,by setting BurpSuite Proxy, the attacker > intercept the parameters in the methods. >=20 > Example url: = http://www.facebook.com/l.php?u=3Dhttp%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv= %3DSvWjWEyTLkg&h=3D3AQGbk0Cf&s=3D1 >=20 > However we don't need s parameter, for the attacker most important > part of the url is the h paramater. >=20 > Example h paramater =3D h=3D3AQGbk0Cf >=20 > Now it is time to change the u paramater to a malicious site and send > it to user with the same h paramater >=20 > Example malicious url: > http://www.facebook.com/l.php?u=3Dcansinyildirim.com&h=3D3AQGbk0Cf >=20 > Example malicious encoded url: > = http://www.facebook.com/l.php?u=3D%63%61%6e%73%69%6e%79%69%6c%64%69%72%69%= 6d%2e%63%6f%6d&h=3D3AQGbk0Cf >=20 > After the victim clicks on the link, Facebook redirects the victim to > a page specified by the attacker. >=20 > Important note: I tried while the attacker and the victim were = friends. >=20 >=20 > Proof of Concept: >=20 > http://vimeo.com/70087250 >=20 > = http://www.cansinyildirim.com/facebook-url-redirection-vulnerability-2013/=
更多 anthony. 的文章
文章代碼(AID): #1HtlBVze (Bugtraq)
更多 anthony. 的文章
文章代碼(AID): #1HtlBVze (Bugtraq)