Category Archives: Open Redirect

Daily Mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

Daily mail Registration Page Unvalidated Redirects and Forwards & XSS Web Security Problem

 

Website Description:
“The Daily Mail is a British daily middle-market tabloid newspaper owned by the Daily Mail and General Trust. First published in 1896 by Lord Northcliffe, it is the United Kingdom’s second biggest-selling daily newspaper after The Sun. Its sister paper The Mail on Sunday was launched in 1982. Scottish and Irish editions of the daily paper were launched in 1947 and 2006 respectively. The Daily Mail was Britain’s first daily newspaper aimed at the newly-literate “lower-middle class market resulting from mass education, combining a low retail price with plenty of competitions, prizes and promotional gimmicks”, and was the first British paper to sell a million copies a day. It was at the outset a newspaper for women, the first to provide features especially for them, and as of the second-half of 2013 had a 54.77% female readership, the only British newspaper whose female readers constitute more than 50% of its demographic. It had an average daily circulation of 1,708,006 copies in March 2014. Between July and December 2013 it had an average daily readership of approximately 3.951 million, of whom approximately 2.503 million were in the ABC1 demographic and 1.448 million in the C2DE demographic. Its website has more than 100 million unique visitors per month.” (Wikipedia)

One of its website’s Alexa rank is 93 on January 01 2015. The website is one of the most popular websites in the United Kingdom.

The Unvalidated Redirects and Forwards problem has not been patched, while the XSS problem has been patched.

 

 

 

(1) Daily mail Registration Page Unvalidated Redirects and Forwards Web Security Problem

 

(1.1) Vulnerability Description:
Daily online websites have a cyber security problem. Hacker can exploit it by Open Redirect (Unvalidated Redirects and Forwards) attacks. During the tests, all Daily mail websites (Daily Mail, Mail on Sunday & Metro media group) use the same mechanism. These websites include dailymail.co.uk, thisismoney.co.uk, and mailonsunday.co.uk.

 

 

dailymail_1

thisismoney_1

 

 

 

Google Dork:
“Part of the Daily Mail, The Mail on Sunday & Metro Media Group”

 

 

The vulnerability occurs at “&targetUrl” parameter in “logout.html?” page, i.e.
http://www.dailymail.co.uk/registration/logout.html?targetUrl=http%3A%2F%2Fgoogle.com

 

 

 

(1.2.1) Use the following tests to illustrate the scenario painted above.

The redirected webpage address is “http://diebiyi.com/articles“. Can suppose that this webpage is malicious.

 

 

 

(1.2.2) The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 8, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),and Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

These bugs were found by using URFDS (Unvalidated Redirects and Forwards Detection System).

 

 

 

(1.2) Description of Open Redirect:
Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)

 

 

 

(1.3) Vulnerability Disclosure:
These vulnerabilities have not been patched.

 

 

 

 

(2) Daily Mail Website XSS Cyber Security Zero-Day Vulnerability

(2.1) Vulnerability description:
DailyMail has a security problem. Criminals can exploit it by XSS attacks.

The vulnerability occurs at “reportAbuseInComment.html?” page with “&commentId” parameter, i.e.
http://www.dailymail.co.uk/home/reportAbuseInComment.html?articleId=346288&commentId=877038

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (34.0) in Ubuntu (14.04) and Microsoft IE (9.0.15) in Windows 7.

dailymail_uk_xss




(2.2) What is XSS?
“Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.” (Wikipedia)

 

 

 

(2.3) Vulnerability Disclosure:
This vulnerability has been patched.

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

 

 

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

fc2_com_2

 

FC2 Online Web Service Open Redirect (Unvalidated Redirects and Forwards) Cyber Security Vulnerabilities

 

Domain:
fc2.com

“FC2 (founded July 20, 1999) is a popular Japanese blogging host, the third most popular video hosting service in Japan (after YouTube and Niconico), and a web hosting company headquartered in Las Vegas, Nevada. It is the sixth most popular website in Japan overall (as of January 2014). FC2 is an abbreviation of “Fantastic Kupi-Kupi (クピクピ)”. It is known to allow controversial adult content such as pornography and hate speech (unlike many of its competitors). The company uses rented office space for its headquarters which it shares with many other U.S.-based businesses. It also pays taxes in the United States. The physical servers are located in the United States. However, it is believed that the majority of the company and its users (including employees) are located within Japan” (Wikipedia)

 

The Alexa rank of fc2.com is 52 on February 18 2015. It is the toppest Japanese local website sevice.

 

 

 

(1) Vulnerability Description:

FC2 online web service has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.” One consequences of it is Phishing. (OWASP)

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

 

In fact, during the test, it is not hard to find URL Redirection bugs in FC2. Maybe fc2.com pays little attention to mitigate these Vulnerabilities. These bugs were found by using URFDS.

 

 

 

(2) Use one of webpages for the following tests. The webpage address is “http://securitypost.tumblr.com/“. Can suppose that this webpage is malicious.

 

 

Vulnerability Disclosure:
Those vulnerabilities were reported to Rakuten, they are still unpatched.

 

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

==================

 

 

 

FC2オンラインWebサービスオープンリダイレクト(未検証のリダイレクトとフォワード)サイバー·セキュリティの脆弱性

 

ドメイン:
fc2.com

(1999年7月20日に設立)」FC2は、日本の人気ブログのホスト、(YouTubeやニコニコ後)は、日本で3番目に人気のビデオホスティングサービス、およびラスベガス、ネバダ州に本社を置くウェブホスティング会社です。それは第六最も人気のあります日本のウェブサイトは、全体的な。(2014年1月のように)FC2はの略で、「ファンタスティックKupi-Kupi(クピクピ)」。このようなポルノのような論争のアダルトコンテンツを許可し、(競合他社の多くとは異なり)スピーチを憎むことが知られています。」 (ウィキペディア)

 

fc2.comのAlexaのランクはそれがtoppest日本のローカルウェブサイトの流通サービスである2月18日2015年52あります。

 

 

 

(1)脆弱性の説明:

FC2オンラインWebサービスは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト(未検証のリダイレクトとフォワード)攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「オープンリダイレクトがパラメータを受け取り、何の検証も行わずにパラメータ値にユーザーをリダイレクトするアプリケーションです。この脆弱性は、それを実現することなく、悪質なサイトを訪問するユーザーを取得するためにフィッシング攻撃で使用されています。。 “それの一つの結果はフィッシングで​​す。 (OWASP)

 

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE(9 9.0.8112.16421)で行われた、Mozilla Firefoxの(37.0.2)&グーグルクロム42.0.2311のUbuntuの(64ビット)(14.04.2)はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

 

実際には、テスト時には、FC2内のURLリダイレクトのバグを見つけることは難しいことではありません。多分fc2.comは、これらの脆弱性を軽減するためにはほとんど注意を払っています。

 

 

 

(2)以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「http://securitypost.tumblr.com/」です。このウェブページに悪意であるとすることができます。

 

 

脆弱性の公開:
これらの脆弱性は楽天に報告された、彼らはまだパッチを適用していないです。

 

 

発見し、レポーター:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing

Attachments area
Preview YouTube video FC2 Online Web Service Unvalidated Redirects and Forwards Cyber Security Vulnerabilities

Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities

rakuten_jp_1

 

Rakuten Online Website Open Redirect (URL Redirection) Cyber Security Vulnerabilities

 

Domain:
rakuten.com




“Rakuten, Inc. (楽天株式会社 Rakuten Kabushiki-gaisha?) is a Japanese electronic commerce and Internet company based in Tokyo, Japan. Its B2B2C e-commerce platform Rakuten Ichiba is the largest e-commerce site in Japan and among the world’s largest by sales. Hiroshi Mikitani founded the company in February 1997 as MDM, Inc., and is still its chief executive. Rakuten Shopping Mall (楽天市場 Rakuten Ichiba?) started operations in May 1997. In June 1999, the company changed its name to Rakuten, Inc. The Japanese word rakuten means optimism. In 2012, the company’s revenues totaled US$4.6 billion with operating profits of about US$244 million. In June 2013, Rakuten, Inc. reported it had a total of 10,351 employees worldwide. In 2005, Rakuten started expanding outside Japan, mainly through acquisitions and joint ventures. Its acquisitions include Buy.com (now Rakuten.com Shopping in the US), Priceminister (France), Ikeda (now Rakuten Brasil), Tradoria (now Rakuten Deutschland), Play.com (UK), Wuaki.tv (Spain), and Kobo Inc. (Canada). The company has investments in Pinterest, Ozon.ru, AHA Life, and Daily Grommet.” (Wikipedia)

 

The Alexa rank of rakuten.co.jp is 64 on May 29 2015. It is the second toppest Japanese local sevice website.




(1) Vulnerability Description:

Rakuten online website has a computer cyber security bug problem. It can be exploited by Open Redirect (Unvalidated Redirects and Forwards) attacks. Here is the description of Open Redirect: “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.” (From CWE)

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

 

Since know only a little Japanese, not sure whether Rakuten pays much attention to Open Redirect Vulnerabilities or not. These bugs were found by using URFDS.

 

 

 

(2) Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. Can suppose that this webpage is malicious.

 

Vulnerable URL 1:

POC Code:

 

Vulnerable URL 2:

POC Code:

 

Vulnerable URL 3:

POC Code:

 

 

Vulnerability Disclosure:

Those vulnerabilities are not patched now.

 

 

 

Bug Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

 

============

 

 

 

楽天オンラインサイトオープンリダイレクト(URLリダイレクション)サイバー·セキュリティの脆弱性

 

ドメイン:
rakuten.com




「楽天株式会社は、(楽天株式会社楽天株式会社-gaisha?)東京、日本に拠点を置く日本の電子商取引やインターネット企業です。そのB2B2Cの電子商取引プラットフォーム楽天市場は、日本最大の電子商取引サイトで、世界の中で販売による最大。三木谷浩史は、MDM、株式会社として1997年2月で会社を設立し、さらにその最高経営責任者(CEO)である。楽天ショッピングモール(楽天市場楽天市場?)1999年6月1997年5月で事業を開始し、同社は社名変更楽天株式会社に日本語ワード楽天楽観を意味している。2012年には、同社の売上高は、米国約US2.44億ドルの営業利益との46億ドルとなりました。2013年6月には、楽天株式会社は、それが世界中の10351名の従業員を有していたと報告した。で2005年、楽天は、主に買収や合弁事業を通じて、日本国外で拡大し始めた。その買収は、Buy.com(米国で今Rakuten.comショッピング)、Priceminister(フランス)、池田(現楽天ブラジル)、Tradoria(今楽天ドイツ)が挙げられます、Play.com(英国)、Wuaki.tv(スペイン)、およびコボ(カナダ)。同社はPinterest、Ozon.ru、AHA生活、毎日のグロメットで投資を行っている。」(ウィキペディア)

 

rakuten.co.jpのAlexaのランクは、第2 toppest日本の地方流通サービスのウェブサイトである5月29日2015年64あります。





(1)脆弱性の説明:

楽天のオンラインウェブサイトは、コンピュータのサイバーセキュリティバグの問題があります。それは、オープンリダイレクト(未検証のリダイレクトとフォワード)攻撃によって悪用される可能性があります。ここでオープンリダイレクトの説明は次のとおりです。「Webアプリケーションは外部サイトへのリンクを指定するユーザ制御入力を受け付け、リダイレクトでそのリンクを使用しています。これは、フィッシング攻撃を簡素化HTTPパラメータがURL値が含まれており、可能性があります。。指定されたURLに要求をリダイレクトするようにWebアプリケーションを引き起こす。悪質なサイトへのURLの値を変更することにより、攻撃者がフィッシング詐欺を起動し、ユーザーの資格情報を盗むことができる。変更されたリンク内のサーバー名が、元のサイトと同じであるため、フィッシングの試みは、より信頼性の高い外観を持っています。」 (CWEから)

 

プログラムコードの欠陥は、ユーザのログインなしで攻撃される可能性があります。テストは、Windows 7のMicrosoftのIE(9 9.0.8112.16421)で行われた、Mozilla Firefoxの(37.0.2)&グーグルクロム42.0.2311のUbuntuの(64ビット)(14.04.2)はMac OSのアップルのSafari 6.1.6 X v10.9マーベリックス。

 

楽天リダイレクトの脆弱性かどうかを開くために多くの注意を払っているかどうかわからない、少しだけ日本語を知っているので。

 




 

 

 

(2)以下の試験のためのWebページのいずれかを使用します。ウェブページアドレスは「http://itinfotech.tumblr.com/」です。このウェブページに悪意であるとすることができます。

 

脆弱URL 1:

POCコード:

 

脆弱URL 2:

POCコード:

 

脆弱URL 3:

POCコード:

 

 

脆弱性の公開:

これらの脆弱性は、現在パッチが適用されていません。

 

 

 

バグを発見:
王ジン (Wang Jing)、数理科学研究部門(MAS)、物理的および数理科学科(SPMS)、南洋理工大学(NTU)、シンガポール。 (@justqdjing
http://www.tetraph.com/wangjing



Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities

A computer circuit board.


Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities



Domains Basics:

Alibaba Taobao, AliExpress, Tmall are the top three online shopping websites belonging to Alibaba.





Vulnerability Discover:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/




(1) Domains Descriptions:

“Taobao is a Chinese website for online shopping similar to eBay and Amazon that is operated in China by Alibaba Group.” (Wikipedia)

“With around 760 million product listings as of March 2013, Taobao Marketplace is one of the world’s top 10 most visited websites according to Alexa. For the year ended March 31, 2013, the combined gross merchandise volume (GMV) of Taobao Marketplace and Tmall.com exceeded 1 trillion yuan.” (Wikipedia)

Alexa ranking 9 at 10:40 am Thursday, 22 January 2015 (GMT+8).



“Launched in 2010, AliExpress.com is an online retail service made up of mostly small Chinese businesses offering products to international online buyers. It is the most visited e-commerce website in Russia” (Wikipedia)



“Taobao Mall, is a Chinese-language website for business-to-consumer (B2C) online retail, spun off from Taobao, operated in the People’s Republic of China by Alibaba Group. It is a platform for local Chinese and international businesses to sell brand name goods to consumers in mainland China, Hong Kong, Macau and Taiwan.” (Wikipedia)

 

 

(2) Vulnerability descriptions:

Alibaba Taobao AliExpress Tmall online electronic shopping website has a cyber security bug problem. It can be exploited by XSS and Covert Redirect attacks.

 

 

(3) Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS

The vulnerability can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (8.0.7601) in Windows 7.

 

 

(3.1) Alibaba Taobao Online Electronic Shopping Website (Taobao.com ) XSS (cross site scripting) Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/justqdjing/ )-‘”;&redirect=0

POC Video:

Blog Details:




(3.2)Alibaba AliExpress Online Electronic Shopping Website (Aliexpress.com) XSS Security Vulnerabilities

The vulnerabilities occur at “landing.php?” page with “cateid” “fromapp” parameters, e.g

POC Code:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

POC Video:

Blog Details:




(3.3) Alibaba Tmall Online Electronic Shopping Website (Tmall.com) XSS Security Vulnerability

The vulnerabilities occur at “writecookie.php?” page with “ck” parameter, e.g

POC Code:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

POC Video:

Blog Details:

 

This vulnerabilities were disclosed at Full Disclosure. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards.

 

 

(4) Alibaba Taobao(taobao.com)Covert Redirect Security Vulnerability Based on Apple.com



(4.1) Vulnerability description:

Alibaba Taobao has a security problem. It can be exploited by Covert Redirect attacks. Taobao will check whether the redirected URL belongs to domains in Taobao’s whitelist, e.g.

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Taobao to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Taobao directly.

In fact, Apple.com was found can be exploited by Open Redirect vulnerabilities. Those vulnerabilities details will be published in the near future.



(4.2) The vulnerability occurs at “redirect.htm?” page, with parameter “&url”, i.e.

The vulnerabilities can be attacked without user login. Tests were performed on IE (10.0) of Windows 8, Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Safari 6.1.6 of Mac OS X Lion 10.7.

 

 

(4.3) Use a website for the tests,the redirected webpage is “http://www.tetraph.com/blog“. Just suppose it is malicious.

Vulnerable URL:

POC Code:

Poc Video:

Blog Detail:

 

 

Those vulnerablities were reported to Alibaba in 2014 and have been patched by the security team (just checked). Name was listed in the hall of fame by Alibaba.
http://security.alibaba.com/people.htm?id=2048213134

 

 

 

 

https://www.facebook.com/websecuritiesnews/posts/802525526534286

https://www.facebook.com/permalink.php?story_fbid=841091885926189&id=767438873291491

https://infoswift.wordpress.com/2015/01/27/alibaba-xss-open-redirect/

http://tetraph.blog.163.com/blog/static/2346030512015545132356/

 

 



========================================================







阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞

 

 

域名:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 是阿里巴巴集团最大的前三家网上购物电子商务网站.

 

 

(1) 漏洞描述:

阿里巴巴 淘宝, 天猫, 全球苏卖通 线上电子购物网 有一个安全问题. 它容易遭受 跨站脚本攻击 (XSS) & 公开重定向 (Open Redirect) 安全漏洞攻击.

漏洞不需要用户登录,测试是基于Windows 7 的 IE (8.0. 7601) 和 Ubuntu (14.04) 的 Firefox (34.0)。

 

 

(1.1) 阿里巴巴 淘宝 线上电子购物网 (Taobao.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.taobao.com/go/rgn/tw/writecookie.php?ck=tw“–>’-alert(/tetraph/ )-‘”;&redirect=0

 

 

(1.2) 阿里巴巴 全球速卖通 在线交易平台 (aliexpress.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “mobile_325_promotion_landing.php”, 参数 “cateid” 和 “fromapp” e.g.

POC:

/’ “><img src=x onerror=prompt(/tetraph/)>

http://activities.aliexpress.com/mobile_325_promotion_landing.php?cateid=6</script>/’ “><img src=x onerror=prompt(/tetraph/)><!–&fromapp=

 

 

(1.3) 阿里巴巴 天猫 线上电子购物网 (Tmall.com) XSS (跨站脚本攻击) 安全漏洞

漏洞链接地点 “writecookie.php?”, 参数 “ck” e.g.

POC:

http://www.tmall.com/go/app/sea/writecookie.php?ck=cn“–>’-alert(/tetraph/ )-‘”;&redirect=1

 

 

(2) 阿里巴巴淘宝线上电子购物网(taobao.com)Covert Redirect(隐蔽重定向跳转)安全漏洞基于 苹果网站

 

 

(2.1) 漏洞描述:

阿里巴巴 淘宝购物网 有一个安全问题. 它容易遭受 Covert Redirect (Open Redirect 公开重定向) 漏洞攻击. 所有 属于 Apple.com 的 链接都在白名单内。故而如果 苹果的 网站 本身有 公开重定向问题。那么受害者相当于首先被导向到 苹果官网然后 到 有害网站。 事实上苹果网站被发现有公开重定向问题,过段时间会公布细节。

有漏洞的文件是 “redirect.htm?”, 参数 “&url”, i.e.

这个漏洞不需要用户登录。测试是基于Windows 8 的 IE (10.0) 和 Ubuntu (14.04) 的 Firefox (34.0) 及 Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit),Mac OS X Lion 10.7 的 Safari 6.1.6。

 

 

(2.2) 用一个创建的网页进行测试,这个网页是“http://www.tetraph.com/blog“。可以假定这个页面是有害的。

漏洞网址:

POC 代码:

 

这些漏洞在2014年被报告给阿里巴巴安全应急中心,到今天已被修补 (刚刚检查), 名字被列在了白帽子名单感谢表里。
http://security.alibaba.com/people.htm?id=2048213134

 

漏洞发现者:
王晶, 数学科学系 (MAS), 物理与数学科学学院 (SPMS), 南洋理工大学 (NTU), 新加坡.
http://www.tetraph.com/wangjing/

 

 

 

Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs

pentest


Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Web Security Bugs




Domain:
http://www.facebook.com



“Facebook is an online social networking service headquartered in Menlo Park, California. Its website was launched on February 4, 2004, by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The founders had initially limited the website’s membership to Harvard students, but later expanded it to colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities and later to high-school students. Since 2006, anyone who is at least 13 years old is allowed to become a registered user of the website, though the age requirement may be higher depending on applicable local laws. Its name comes from a colloquialism for the directory given to it by American universities students.” (Wikipedia)



“Facebook had over 1.44 billion monthly active users as of March 2015.Because of the large volume of data users submit to the service, Facebook has come under scrutiny for their privacy policies. Facebook, Inc. held its initial public offering in February 2012 and began selling stock to the public three months later, reaching an original peak market capitalization of $104 billion. As of February 2015 Facebook reached a market capitalization of $212 Billion.” (Wikipedia)





Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 



(1) General Vulnerabilities Description:

(1.1) Two Facebook vulnerabilities are introduced in this article.

Facebook has a computer cyber security bug problem. It can be exploited by Open Redirect attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.


Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect” to other websites such as Amazon, eBay, Go-daddy, Yahoo, 163, Mail.ru etc.

 

(1.1.1)

One Facebook Open Redirect vulnerability was reported to Facebook. Facebook adopted a new mechanism to patch it. Though the reported URL redirection vulnerabilities are patched. However, all old generated URLs are still vulnerable to the attacks. Section (2) gives detail of it.

The reason may be related to Facebook’s third-party interaction system or database management system or both. Another reason may be related to Facebook’s design for different kind of browsers.

 

(1.1.2) Another new Open Redirect vulnerability related to Facebook is introduced, too. For reference, please read section (3).

The vulnerabilities can be attacked without user login. Tests were performed on IE (9.0) of Windows 8, Firefox (24.0) & Google Chromium 30.0.1599.114 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (12.10),Safari 6.1.6 of Mac OS X Lion 10.7.



(1.2) Facebook’s URL Redirection System Related to “*.php” Files

All URLs’ redirection are based on several files, such l.php, a.php, landing.php and so on.

The main redirection are based on file “l.php” (Almost all redirection links are using it right now).

For file “l.php”, one parameter “h” is used for authentication. When it mentions to file “a.php”, parameter “eid” is used for authentication. All those two files use parameter “u” for the url redirected to. In some other files such as “landing.php”, parameters such as “url”, “next” are used.

<1>For parameter “h”, two forms of authentication are used.

<a>h=HAQHyinFq

<b>h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA

<2>For parameter “eid”, one form of authentication is used.

<a>eid=AQLP8sRq6lbU0jz0lARx9A9uetB6FIF1N2-Yjj_ePj0d_ezubjstZeDo6qDsalKVJwy6uDb_hQ-9tBsA2dVoQRq0lniOu0os_gPe3gY5l8lYblhQSwBtdvgjXjNqaxLZMYoasr3vv46tFsh1fL7q4kjT2LFw52dnJWd4SE8qc0YuPWfgPeQywgM2wl0CoW-lftWkr2dX0dLcytyHjXnvhKfVS_pQBllszUzsPENxE6EuZ-53Lh188o56idnfyyk2L58pE7C94PF-za4ZVB0qbuA2EnPcSJI-7oIiIJmIhifHe0CYTzG512-Z_heN44VlyJHevhS9auAR8-lFCAIlYymnT_Qiwp92RxjNOfBypBvszQUrvB6PH3fANn1prfMBVm4RD_GFel14KVDS5USswbTOTkL3sZNhHUqqPHwBwU3JFePMMuwsfesigH85B_AxCsXUIWN7klKGSq8bPPsKSHttsa9hkkMpSfRKL7D_xwW4dU2xlmfGWil7jYRJmwfbOeF0zujk1FRBuM757tbfFMav-J-K9npbdrDrCuUVqV__Tf7CGZ89nPl-M2d09pE9enJj0OBXOaSXZX16LKaYnv1Wh4GKme7C-EOunITxyQtp1zy-48Uaz9mxO2x4bw7sBDfzDStF_Al8_0SMjWNTh-J38rBHAgT96X-dPFI43HU3x3fVymE9szrclBpvTaSfYezatgMzf77s3lQrQAMSlwSSRIzRuoFvQBmWKT0T5ZFgH5ykhYKhNMiKj577UO5g2Ojm-_-KKF4N_DBuG5R-I6EOSlhok2xUkpKVDnDcxZFTLxGmx5xc56J5kZLjJ96wnF2fH09Q19Qc2aU3xYFlEFrKjrlLpwGyOyCDx7_z7y1O4Efqew3Fa0Cb9s6Kk2jpLF5XEIaYzzXOLAffxXG6icBJVovb9RPmiZ5s9dKYYotLol68_X04O05bEvVccPEh-IQwX_VTMt3f23be2MECEqR2l1A1ZkJx4qP00GI1pZhU_CXAnjSaTNmtaINRUeSsLNEZZsPwpWJMfeeGSwuof9krC05eSWjO0jH9tua0KteMYhj8i-3dwSBp4f7nMcFwH5ltfCLhMCYNB8rxgzcAczyhLIo2UY-3FSaJXBZ0lvuZBvnj7myUnyc2lCcy-fWh93MRRaJrrinjtfr9fDSMHM9Cja5xi0eG3Vs0aClnWbeJZA79TvmYt7E53HfwGuv5-EJOqRh3cwZF-53uPHA73ikUk3xTApjQunJM4uIBhpy7iBIgn_OXXo3X03YUJtJcDuC20ocJbZ310VHliox5tYZF2oiMaOfgo9Y9KeqgsrJgwPCJeif4aB0Ne4g_oM_Tuqt2pXbdgoCawHIApF087eFKJqejp0jpEkJerXPyK-IqsD_SQfIm_2WJSkzwzATwQKs

 

 

 


(2) Vulnerability Description 1:

(2.1) A security researcher reported two Open Redirect vulnerabilities to Facebook in 2013. The following are the two links reported.

Though a new mechanism was adopted. However, all old generated redirections still work by parameter “h” and “eid”.

 

 

(2.2) A website was used for the following tests. The website is “http://www.tetraph.com/“. Suppose this website is malicious.

(2.2.1)

<1>First test

<a>file: “l.php”

<b>URL parameter: “u”

<c>authentication parameter: “h”

<d>form: “h=HAQHyinFq”.

<e>The authentication has no relation with all other parameters, such as “s”.

Examples:

URL 1:

Redirect Forbidden:

Redirect Works:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

(2.2.2)

<2>Second test. It is the same situation as above.

<a>file: “l.php”,

<b>url parameter “u”

<c>authentication parameter: “h”

<d>form: “h=hAQHalW1CAQHrkVIQNNqgwhxRWLNsFVeH3auuImlbR1CgKA”.

<e>The authentication has no relation to all other parameters, such as “env”, “s”.

 

Examples:

URL 1:

Redirect Forbidden:

 

URL 2:

Redirect Forbidden:

Redirect Works:

 

 

 

(3) Facebook File “a.php” Open Redirect Security Vulnerability

 

(3.1)

<a>file: “a.php”

<b>parameter “u”

<c> authentication parameter: “eid”

<d> form: “eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w”.

<e>The authentication has no relation to all other parameters, such as “mac”, “_tn_”.

Examples:

Vulnerable URL:

https://www.facebook.com/a.php?u=http%3A%2F%2Ffb-nym.adnxs.com%2Ffclick%3Fclickenc%3Dhttp%253A%252F%252Fbs.serving-sys.com%252FBurstingPipe%252FadServer.bs%253Fcn%253Dtf%2526c%253D20%2526mc%253Dclick%2526pli%253D8782431%2526PluID%253D0%2526ord%253D%257BCACHEBUSTER%257D%26cp%3D%253Fdi%253DzGxX6INl-T9QvRSibN_3P5qZmZmZmfk_UL0Uomzf9z_ObFfog2X5P_WPPCuD-to_CKEeLew3cQIQkc9SAAAAAHQcDQB2BQAAKAcAAAIAAAD4iq8AanMCAAAAAQBVU0QAVVNEAGMASABq4DoFka4BAgUCAQUAAIgAkinLswAAAAA.%252Fcnd%253D%252521qQYdPgjeqqYBEPiVvgUY6uYJIAA.%252Freferrer%253Dfacebook.com%252F&mac=AQJllyaGzLYoRoQz&__tn__=%2AB&eid=5967147530925355409.6013336879369.AQKBG5nt468YgKeiSdgExZQRjwGb9r6EOu-Uc5WPvi-EVHEzadq8YSrgSvUzbMmxKPPfTgM-JrPff7tN38luc-8h16lxL0Gj_4qs1-58yWgXirMH4AEf8sOEsZc5DTx7yFndgODvD5NrC-314BIj4pZvMhlljXv89lHRH6pBgyGGVm-oWBDIF8CuRER1f5ZGbKdsiUcBISdWTninVzvBdW1mZY0SWzqT21fZmhgVKtdkRf5l_pag7hAmotFK9HI5XHfGicWVqzRyTNiDIYjyVjTv4km2FOEp7WP3w65aVUKP_w

POC:

 

(3.2) Facebook Login Page Covert Redirect Security Vulnerability

Vulnerable URL Related to Login.php Based on a.php:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.rp.edu.sg%252Fopenhouse2014%252F%253Futm_source%253Dfacebook%2526utm_medium%253Dcpc%2526utm_campaign%253Dopenhouse2014%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs

POC:

https://www.facebook.com/login.php?next=https%3A%2F%2Fwww.facebook.com%2Fa.php%3Fu%3Dhttp%253A%252F%252Fwww.stackoverflow.com%26mac%3DAQKyRHClixA20iGL%26__tn__%3D%252AB%26eid%3DAQLAHC7szSXhT3FaEBXe5YFsOC0kEM4nN9PlVovdilvuzROStFXoYqptlKpcJAzHNTLpxWAIrmJYsR6RVG_Htk6pgT7Iol6lWHDJvn7Cg5sqigvE_eVS895Eh6fSwxH3fgfWcNDrEl5_lFgRbrJtC71R68rW_VXS9QCN7Po9wTWDnbyZTaXawdrdQyibryvA56Spr5GcUDUboRFxy8YSr2ahUV_goDAQA3OKmCACEn8CmyMrOT5gZq3iwusysdchRxLIv5N82-GMTiDxXXgkDYf1P7XwvklWpfy_cEItZzV5v0P7fRZB3qiq_RDx9jhEzndlJhUJL2aWE0ldPmGKGz9xWyvPaPLOwzBo23GQbpj2ZN_tw9B9tz2l3tGIN1yegd_Wf6PSFIZOuBXfZILvmILcxg3qz4dHx1fmgPZBpf_34mPnMEkgZqbT2WeV_GZKz8RDIg88D3vrmwyMwWxeh3xyGuddjZUjOUjPCUwrgSrWZK3XHRA7TA7tWIsQ4X1bsjx9c72mm8bZmmRBRJwqOcjsW0QEVETs_Cs9pS9QBkgX8yVPJCHuk1v_xkj4EHHH9sNP7a4GRs8olklBTKhCcJ908sVrQVT2I-cQYw2SVU9hWaWWjX2AGt3WpdT2kx6SIPoPQpX5cIC4Lcfaa7EcZFBnoQPv3mR5BNHRFTh_6Qvr01BrCG3Fv5VeDeXhM8cHk6VuBtj5smz0ZeGT5JWvub5ORJ4xzVN0zAW8V4qiKiVFKTEFMZASaZFon41VFCbhxkX0Bi62Ko64PY6uP64tCMWh6yX2o0JMc0mJWFJRp1695OCKgLXf0udRyWDESTyYgJXIlxecCmlwCEbleAsE-wtDXNOfDTXOzApr1sZO_58FBRaw-K4Z2VRXLir5mrdXTKnM1Y4rDDqGZur9G7LfuXrCr5oR1J5LJ8sVupHqsiN7-UqdakiEEIBq750KxVjaAdCyqJp_5EJ-yVMK3f2pMX7cQ2Lw6u434hHimuLN9VDPLkpSiMlPOa8RkarDSred73IfQiv-PluegYDfunZFxj1KvcAlzhVZsL-a52hJmXrOrzKuV0hyZaBLtAIo6AEoXXV30D-6iraSUphkOFzYt3ah6oRrmXLQZKm2E8Cuag5d_rAnwvIr98dn4OSa8Z4MCZemI3uH8cjxr86aE046uTA_Hm1GjYM5l7wkpHknHI8QR2q5Cioo2h6WiUO-jsIFkQ4XFgAd5IUCcAbQukXdC4GJzl18iaN8wkylsTk8aVBn6G1xZadSL0b5R3NgsYfQUVtV0g9slnOLNkgq0NLMAk0kWFs





Those vulnerabilities were reported to Facebook in 2014 and they have been patched.





Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Facebook has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” All the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. Large number of Facebook bugs were published here. FD also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.








(4) Amazon Covert Redirect Security Vulnerability Based on Facebook

Since Facebook is trusted by large numbers of other websites. Those vulnerabilities can be used to do “Covert Redirect” to other websites such as Amazon.


Domain:
http://www.amazon.com


“American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

 

The vulnerability exists at “redirect.html?” page with “&location” parameter, e.g.

 

(4.1) When a user is redirected from Amazon to another site, Amazon will check parameters “&token”. If the redirected URL’s domain is OK, Amazon will allow the reidrection.

However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Amazon to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Amazon directly.

One of the vulnerable domain is,
http://www.facebook.com

 

(4.2) Use one of webpages for the following tests. The webpage address is “http://www.inzeed.com/kaleidoscope“. Suppose it is malicious.

Vulnerable URL:

POC:

 

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/22
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1428
http://lists.openwall.net/full-disclosure/2015/01/12/1
http://marc.info/?l=full-disclosure&m=142104333521454&w=4
http://diebiyi.com/articles/security/facebook-open-redirect/
https://www.facebook.com/essaybeans/posts/570476126427191
http://germancast.blogspot.de/2015/06/facebook-web-security-0day-bug.html
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://essaybeans.lofter.com/post/1cc77d20_7300027
http://qianqiuxue.tumblr.com/post/120750458855/itinfotech-facebook-web-security-0day-bug
https://www.facebook.com/permalink.php?story_fbid=472994806188548&id=405943696226993
https://mathfas.wordpress.com/2015/01/11/facebook-open-redirect/
http://www.tetraph.com/blog/phishing/facebook-open-redirect/
http://itinfotech.tumblr.com/post/120750347586/facebook-web-security-0day-bug
http://ittechnology.lofter.com/post/1cfbf60d_72fd108
http://russiapost.blogspot.ru/2015/06/facebook-web-security-0day-bug.html
https://twitter.com/tetraphibious/status/606676645265567744
https://plus.google.com/u/0/110001022997295385049/posts/hb6seddG561
http://whitehatpost.blog.163.com/blog/static/24223205420155501020837/
http://www.inzeed.com/kaleidoscope/computer-security/facebook-open-redirect/







CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

new-type-of-phishing-attack-goes-after-your-browser-tabs-86b683f537

 

CNN Travel.cnn.com XSS and Ads.cnn.com Open Redirect Web Security Vulnerabilities

 

Domain:
http://cnn.com

 

“The Cable News Network (CNN) is an American basic cable and satellite television channel that is owned by the Turner Broadcasting System division of Time Warner. The 24-hour cable news channel was founded in 1980 by American media proprietor Ted Turner. Upon its launch, CNN was the first television channel to provide 24-hour news coverage, and was the first all-news television channel in the United States. While the news channel has numerous affiliates, CNN primarily broadcasts from the Time Warner Center in New York City, and studios in Washington, D.C. and Los Angeles, its headquarters at the CNN Center in Atlanta is only used for weekend programming. CNN is sometimes referred to as CNN/U.S. to distinguish the American channel from its international sister network, CNN International. As of August 2010, CNN is available in over 100 million U.S. households. Broadcast coverage of the U.S. channel extends to over 890,000 American hotel rooms, as well as carriage on cable and satellite providers throughout Canada. Globally, CNN programming airs through CNN International, which can be seen by viewers in over 212 countries and territories. As of February 2015, CNN is available to approximately 96,289,000 cable, satellite and, telco television households (82.7% of households with at least one television set) in the United States.” (Wikipedia)

 

Discovered and Reported by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

Vulnerability Description:
CNN has a cyber security bug problem. It cab be exploited by XSS (Cross Site Scripting) and Open Redirect (Unvalidated Redirects and Forwards) attacks.

 

Based on news published, CNN users were hacked based on both Open Redirect and XSS vulnerabilities.

 

According to E Hacker News on June 06, 2013, (@BreakTheSec) came across a diet spam campaign that leverages the open redirect vulnerability in one of the top News organization CNN.

 

After the attack, CNN takes measures to detect Open Redirect vulnerabilities. The measure is quite good during the tests. Almost no links are vulnerable to Open Redirect attack on CNN’s website, now. It takes long time to find a new Open Redirect vulnerability that is un-patched on its website.

 

CNN.com was hacked by Open Redirect in 2013. While the XSS attacks happened in 2007.

 

 

<1> “The tweet apparently shows cyber criminals managed to leverage the open redirect security flaw in the CNN to redirect twitter users to the Diet spam websites.”

 

cnn_open_redirect_complain_meitu_1

Figure from ehackingnews.com

 

At the same time, the cybercriminals have also leveraged a similar vulnerability in a Yahoo domain to trick users into thinking that the links point to a trusted website.

 

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. CNN has patched some of them. BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. It also publishes suggestions, advisories, solutions details related to XSS and URL Redirection vulnerabilities and cyber intelligence recommendations.

 

 

(1) CNN (cnn.com) Travel-City Related Links XSS (cross site scripting) Web Security Bugs

 

Domain:
travel.cnn.com/

 

Vulnerability Description:
The programming bug flaws occur at “/city/all” pages. All links under this URL are vulnerable to XSS attacks, e.g

 

XSS may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. Base on Acunetix, exploited XSS is commonly used to achieve the following malicious results

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid for content
  • Spying on user’s web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks

 

The code programming flaw can be exploited without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 7.

 

cnn_travel_xss

 

PoC:

http://travel.cnn.com/city/all/all/tokyo/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

http://travel.cnn.com/city/all/all/bangkok/all‘ /”><img src=x onerror=prompt(/justqdjing/)>

 

 

(2) CNN cnn.com ADS Open Redirect Web Security Bug

 

Domain:
ads.cnn.com

 

Vulnerability Description:
The programming code flaw occurs at “event.ng” page with “&Redirect” parameter, i.e.

 

From OWASP, an open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

(2.1) Use the following tests to illustrate the scenario painted above.

 

The redirected webpage address is “http://webcabinet.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

 

POC:

 

Since CNN is well-known worldwide, this vulnerability can be used to do “Covert Redirect” attacks to other websites.

 

Those vulnerabilities were reported to CNN in early July by Contact from Here. But they are still not been patched yet.
http://edition.cnn.com/feedback/#cnn_FBKCNN_com

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Dec/128
http://lists.openwall.net/full-disclosure/2014/12/29/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1395
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
http://securitypost.tumblr.com/post/107868680057/ithut-cnn-cnn-com-travel
http://ittechnology.lofter.com/post/1cfbf60d_5500df0
http://ithut.tumblr.com/post/120833062743/cnn-xss-url-redirection-bug
http://www.tetraph.com/blog/it-news/cnn-xss-url-redirect-bug/
https://biyiniao.wordpress.com/2015/01/08/cnn-xss-open-redirect-bug/
http://whitehatpost.blog.163.com/blog/static/24223205420155613753998/
https://plus.google.com/u/0/+wangfeiblackcookie/posts/bFkukxiUfXK
https://www.facebook.com/permalink.php?story_fbid=674936469318135
http://tetraph.blogspot.com/2015/06/cnn-xss-redirect-bug.html
http://diebiyi.com/articles/news/cnn-xss-url-redirect-bug/
https://twitter.com/yangziyou/status/607060937309159425
https://redysnowfox.wordpress.com/2014/12/31/cnn-xss-url-redirect-bug/
https://www.facebook.com/permalink.php?story_fbid=1043534509019886
http://whitehatpost.lofter.com/post/1cc773c8_7338196
http://securityrelated.blogspot.com/2014/12/cnn-cnncom-travel-xss-and

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

3d illustration of laptop computer with binary code stream

 

Yahoo Yahoo.com Yahoo.co.jp Open Redirect (Unvalidated Redirects and Forwards) Web Security Bugs

 

Though Yahoo lists open redirect vulnerability on its bug bounty program. However, it seems Yahoo do not take this vulnerability seriously at all.

 

Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “It is working as designed”. However, these vulnerabilities were patched later.

 

Several other security researcher complained about getting similar treatment, too.
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119

 

All Open Redirect Vulnerabilities are intended behavior? If so, why patch them later?

yahoo_wont_fix_meitu_1

 


From report of CNET, Yahoo’s users were attacked by redirection vulnerabilities. “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ”
http://www.cnet.com/news/yahoo-users-exposed-to-malware-attack/

 

Moreover, since Yahoo is well-known worldwide. these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, Amazon, Godaddy, Alibaba, Netease, e.g. by bypassing their Open Redirect filters (Covert Redirect). These cyber security bug problems have not been patched. Other similar web and computer flaws will be published in the near future.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.

 

Disclosed by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing

 

Both Yahoo and Yahoo Japan online web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

 

BugTraq is a full disclosure moderated mailing list for the *detailed* discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them. The below things be posted to the Bugtraq list: (a) Information on computer or network related security vulnerabilities (UNIX, Windows NT, or any other). (b) Exploit programs, scripts or detailed processes about the above. (c) Patches, workarounds, fixes. (d) Announcements, advisories or warnings. (e) Ideas, future plans or current works dealing with computer/network security. (f) Information material regarding vendor contacts and procedures. (g) Individual experiences in dealing with above vendors or security organizations. (h) Incident advisories or informational reporting. (i) New or updated security tools. A large number of the fllowing web securities have been published here, Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security Misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, Cross-Site Request Forgery (CSRF), Using Components with Known Vulnerabilities, Unvalidated Redirects and Forwards. It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

 

(1) Yahoo.com Open Redirect

 

Domain:
yahoo.com

 

“Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known for its Web portal, search engine Yahoo Search, and related services, including Yahoo Directory, Yahoo Mail, Yahoo News, Yahoo Finance, Yahoo Groups, Yahoo Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most popular sites in the United States. According to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts more than half a billion consumers every month in more than 30 languages. Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa Mayer, a former Google executive, serves as CEO and President of the company.” (Wikipedia)

 

Vulnerable URLs:

 

 

(2) Yahoo.co.jp Open Redirect

 

Domain:
yahoo.co.jp

 

“Yahoo! JAPAN Corporation (ヤフージャパン株式会社 Yafū Japan Kabushiki-gaisha?) is a Japanese internet company formed as a joint venture between the American internet company Yahoo! and the Japanese internet company SoftBank. It is headquartered at Midtown Tower in the Tokyo Midtown complex in Akasaka, Minato, Tokyo. Yahoo! Japan was listed on JASDAQ in November 1997. In January 2000, it became the first stock in Japanese history to trade for more than ¥100 million per share. The company was listed on the Tokyo Stock Exchange in October 2003 and became part of the Nikkei 225 stock market index in 2005. Yahoo! Japan acquired the naming rights for the Fukuoka Dome in 2005, renaming the dome as the “Fukuoka Yahoo! Japan Dome”. The “Yahoo Dome” is the home field for the Fukuoka SoftBank Hawks, a professional baseball team majority owned by SoftBank.” (Wikipedia)

Use one of webpages for the following tests. The webpage address is “http://itinfotech.tumblr.com/“. Suppose that this webpage is malicious.

 

Vulnerable URL:

POC:

 

 

 

 

More Articles:
http://seclists.org/fulldisclosure/2014/Dec/88
http://marc.info/?l=full-disclosure&m=141897158416178&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01467.html
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html
https://hackertopic.wordpress.com/2015/01/15/yahoo-yahoo-japan-vulnerable-to-spams/
https://plus.google.com/110001022997295385049/posts/4GTENtJY9XE
https://twitter.com/justqdjing/status/546910373169741825
https://www.facebook.com/pcwebsecurities/posts/701648936647693
http://homehut.lofter.com/post/1d226c81_6e6884f
https://tetraph.wordpress.com/2014/12/28/yahoo-open-redirect/
http://itinfotech.tumblr.com/post/118511508076/securitypost-yahooyahoo-japan-may-be
https://computerpitch.wordpress.com/2015/01/27/yahoo-vulnerable-to-spams/
http://testingcode.lofter.com/post/1cd26eb9_73096b9
http://lifegrey.tumblr.com/post/120767572004/yahoo-url-redirection-bug
http://blog.163.com/greensun_2006/blog/static/1112211220155565419870/
http://aibiyi.blogspot.com/2015/06/yahoo-open-redirect.html
https://www.facebook.com/tetraph/posts/1659455054274454
http://www.inzeed.com/kaleidoscope/computer-web-security/yahoo-to-spams/
http://www.tetraph.com/blog/spamming/yahoo-url-redirection/