Shulou(Shulou.com)06/01 Report--

How to analyze the serious loopholes caused by Token leakage, many novices are not very clear about this. In order to help you solve this problem, the following editor will explain it in detail. People with this need can come and learn. I hope you can get something.

Vulnerability information discoverer: Alex Birsan

Types of vulnerabilities: information disclosure

Hazard level: serious

Vulnerability status: fixed

Foreword

Alex Birsan found the token identity credential information for the JS file used by the Recaptcha implementation. The XSS attack is used to obtain the token identity credentials of other users, and when the user visits their malicious login link to enter the credentials, it will trigger authentication to obtain the user's password.

Loophole reappearance

In the login form of the website, Alex Birsan found a javascript file that seemed to contain CSRF token and session ID information.

Then through some simple and fast tests and exploiting xss vulnerabilities, the valid identity credentials of the victim can be obtained.

However, a good way to attack depends on how you use it. So I was more than satisfied with that, and decided to take the contents of the _ csrf and _ sessionID parameters to see if they could be used in practice.

Then I did a lot of testing, constantly replacing the _ csrf and _ sessionID parameters. Unfortunately, the bypass attack has not been successfully carried out.

Then I returned to our test statement and found that PayPal originally existed this authentication mechanism to prevent brute force cracking attacks.

And I continue to dig deeper and see that if we crack it violently, the website will return an authentication page containing the above Goole verification code, and when the user successfully enters the verification code, the POST request will be made to the / auth/validatacaptcha page.

The information returned later contains the auto-submit form with all the parameters of the user's login request (including email and plain text passwords).

You can use this means to construct a new login request, get the reCAPTCHA parameter token, retrieve the data on / auth/validatacaptcha, and display it on the page.

Vulnerability impact

Get sensitive information such as user mailbox account number and password.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.