2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today, I will talk about how an XSS vulnerability on the Oculus website could be used to hijack the accounts of Facebook and Oculus users. Many people may not know much about it, so the editor has summarized the following content. I hope you get something out of this article.
Details of the vulnerability
The main cause of the vulnerability is that the Oculus forum, forums.oculusvr.com, uses oculus.com's authentication mechanism: the logged-in user is authenticated through the path https://graph.oculus.com/authenticate_web_application/ and is then redirected to https://forums.oculusvr.com/entry/oculus. After the redirect, the user carries an Oculus access token (access_token), and that token can be used to access graph.oculus.com/graphql and run GraphQL queries. Using these GraphQL queries, a malicious user can therefore hijack other users' accounts.
Because the forum forums.oculus.com is built on the open-source web application Vanilla Forum, it is not covered by the Facebook vulnerability reward program. However, because the vulnerability lies in the authentication mechanism of the Facebook forum, and an attacker can exploit it without creating a new forum account, Facebook later recognized the vulnerability as valid and important.
The source of the page https://forums.oculusvr.com/entry/oculus shows, in the parameters it passes, that debug mode is turned on and that the following JS file is embedded: https://forums.oculusvr.com/plugins/oculus/js/oculus-oauth.js. Reading that file shows that the state parameter it reads is passed to the document.write method. Is there a security problem if an attack payload is assigned to state (#state=PAYLOAD)?
Note that document.location is also passed to document.write, but the "state" parameter in the URL is the one that can carry the test payload: document.location ends up URL-encoding a URL that contains the payload, whereas "state" is decoded when decodeURIComponent decodes the hash fragment to produce "response".

```javascript
var oculusConnect = function (params) {
    if (typeof params == "undefined") { return; }
    if (typeof params.connect == "undefined") { return; }

    // Decodes the whole fragment, including a percent-encoded "state" value
    var response = decodeURIComponent(document.location.hash);
    var hash = response.substring(response.indexOf("#") + 1, response.indexOf("&"));
    var queryString = response.replace("#" + hash, "");
    var queryStringSplit = queryString.split("&");
    var state = getParam(queryStringSplit, "state"); // getParam is not shown on the page
    var savedState = params.connect.savedState;
    var hashSplit = hash.split("=");
    var hashKey = hashSplit[0];
    var hashValue = hashSplit[1];
    // Throws a TypeError unless the page is loaded inside a same-origin frame
    var loginType = this.frameElement.id;

    if (params.connect.debug) {
        // Sink: the decoded "state" value is written into the page as markup
        document.write("login type: " + loginType + "; document location: " + document.location + "; Saved State: " + savedState + "; State: " + state + "; Hash Key: " + hashKey);
    }
    // ... (rest of the function is not shown)
};

// Passing parameters to the oculusConnect function
document.addEventListener("DOMContentLoaded", function () {
    var params = {
        "connect": {
            "debug": "1",
            "savedState": "G1H7LE7UOJ",
            "authorizeUrl": "https://graph.oculus.com/authenticate_web_application",
            "oculusHash": "X",
            "associationKey": "OC|1238816349468370|",
            "webAddress": "https://forums.oculusvr.com"
        }
    };
    oculusConnect(params);
});
```

That completes the code analysis. At first glance the payload can be turned into an XSS, but a closer look shows the line var loginType = this.frameElement.id before the document.write call. So things do not work as expected: loading the URL constructed above directly returns the error "TypeError: Cannot read property 'id' of null". The call only succeeds if the current page is framed and is same-origin with its parent page. To do this, the page https://forums.oculusvr.com/entry/oculus#state=payload has to be framed within the forum site forums.oculusvr.com, and the URL of the framing page is then sent to the victim in order to trigger the vulnerability.
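The following added example (not code from the Oculus plugin or from the original write-up) contrasts the decode-then-split handling of the fragment analyzed above with a hardened version that splits first, accepts only the saved state value, and HTML-encodes the debug line. The function names, the sample fragment and the state format check are assumptions made for illustration.

```javascript
// Added example; every name below is hypothetical, not taken from oculus-oauth.js.

// Constructed sample: the fragment as location.hash holds it (percent-encoded).
const SAMPLE_HASH = "#access_token=CONSTRUCTED&state=%3Cb%3Emarker%3C%2Fb%3E";
const SAVED_STATE = "G1H7LE7UOJ"; // savedState value shown in the page's params

// Mirrors the page's flow: decode the whole fragment first, then pick out "state".
function stateAsPageReadsIt(hash) {
  const decoded = decodeURIComponent(hash);
  const pair = decoded.slice(1).split("&").find((p) => p.startsWith("state="));
  return pair === undefined ? null : pair.slice("state=".length);
}

// Hardened: split first, decode per value, and accept only the expected state.
// The alphanumeric format check is an assumption about what a state token looks like.
function readState(hash, savedState) {
  const state = new URLSearchParams(hash.slice(1)).get("state");
  if (state === null || !/^[A-Za-z0-9]{1,64}$/.test(state)) return null;
  return state === savedState ? state : null;
}

// Encode text for an HTML context. In a browser, assigning the string to
// textContent avoids building markup from strings at all.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Debug line that is safe to place in markup whatever the fragment contains.
function debugLine(hash, savedState) {
  const state = readState(hash, savedState);
  const shown = state === null ? "(rejected)" : state;
  return escapeHtml("Saved State: " + savedState + "; State: " + shown);
}

console.log(stateAsPageReadsIt(SAMPLE_HASH)); // raw markup reaches the caller
console.log(debugLine(SAMPLE_HASH, SAVED_STATE)); // mismatching state is rejected
```

Keeping debug output disabled in production removes the sink entirely; the state check and output encoding still matter for any other code that renders fragment values.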
Embedding and exploitation in the open-source web application Vanilla Forums
Analysis of the Vanilla Forums source code shows that it contains a whitelist of websites whose content may be embedded, as follows:
```php
public function unembedContent(string $content): string {
    if ($this->embedConfig->isYoutubuEnabled()) {
        $content = preg_replace('`)
```