Shulou(Shulou.com)05/31 Report--

This article introduces you how to use CSRF loopholes to hijack the notification message of Youtube users, the content is very detailed, interested friends can refer to, hope to be helpful to you.

The writeup shared today is about the CSRF vulnerability of YouTube Notification Service (Notification). The author can hijack the notification service of other YouTube users (victims) and receive the latest notifications of their subscription channels or videos as victim users. The vulnerability finally received an official reward of $3133.7 from Google. The following is the author's share.

Find a clue from the POST request

One night, I tested the vulnerability on the YouTube official website to see what I could find. Before I knew it, it was already 00:30 in the morning, and I was extremely tired. I just clicked on YouTube's notification service (Notification), and the POST request in it caught my attention:

POST / notifications_ajax?action_register_device=1 HTTP/1.1Host: www.youtube.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0Accept: * / * Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://www.youtube.com/sw.jsContent-Type: multipart/form-data Boundary=--41184676334Origin: https://www.youtube.comContent-Length: 1459Connection: closeCookie: duh, cookies Murray 41184676334 Contentmuri disposition: form-data Name= "endpoint" https://updates.push.services.mozilla.com/wpush/v1/gAAA...-----------------------------41184676334Content-Disposition: form-data; name= "device_id" dbe8453d99714c6160994fdf5bb3c59332df04278a...--41184676334Content-Disposition: form-data Name= "p256dh_key" BBNVkVOt6tpY1KvJJqtLvqt...--41184676334Content-Disposition: form-data; name= "auth_key" V5-_lh7nYT2zoY...--41184676334Content-Disposition: form-data Name= "permission" granted--41184676334--

At first glance, in order to prevent CSRF, auth_key, p256dh_key, endpoint, device_id and other parameters appear to be encoded strings, but after careful analysis, we know that all these parameters are generated by the Mozilla notification push service of updates.push.services.mozilla.com. Therefore, at first glance, there is no CSRF vulnerability on this API.

Analyze Service Worker service worker threads

In-depth analysis shows that the value of the referrer field in the above POST request is "https://www.youtube.com/sw.js", which is obviously a service worker thread script (Service Worker)."

Service Worker is a script that runs in the browser background process independent of the current page. Service Worker does not require users to open web pages or other interactions and runs asynchronously in a completely independent context without blocking the main thread. Based on Service Worker, message push, offline cache and background synchronization API can be realized. In essence, Service Worker acts as a proxy between Web applications and browsers.

That is, the sw.js in the referrer field initiates the POST request, so that the content of this request is different from other YouTube requests with CSRF defense mechanism.

Construct CSRF attack framework

At this point, from these parameters, I vaguely think that there should be a loophole here, but it is always necessary to construct a PoC to try. Therefore, by studying the generation mechanism of the above parameters, I use the principle of sw.js to write the following three code files and build a local server to generate each parameter.

Index.html:

Push Demo Hello World

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.