Shulou(Shulou.com)05/31 Report--

This article will explain in detail how your Twitter fans can not refresh your moments, and the content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Hello, everyone. The writeup shared today is a Dos loophole about Twitter. To take advantage of this vulnerability, you only need to send a Twitter moments to trigger a resolution error on the Twitter backend server, causing you and your fan account to fail to refresh your Twitter moments.

Open the incision from XSS

DoS attacks generally refer to specific request attacks against a certain type of resource (such as a website, application, or server), which can cause service failure or even functional paralysis of the resource.

At first, I was going to try to find a XSS vulnerability on Twitter Mobile's official website (mobile.twitter.com), but I found nothing. But later, I logged on to Twitter Mobile's official website and opened a dialog box for testing, in which I repeatedly sent various Payload to get some valid XSS parsing responses. The following is a general process of my thinking:

I noticed that when a user sends any URL link in Twitter, Twitter will use its own short URL service to change the user's sending URL link to the "t.co" prefix domain name style, which is normal. The short URL service was introduced by Twitter to protect users from malicious links, similar to Facebook's redirect protection service Linkshim. However, when you send a URL link using a "twitter.com" subdomain name or a "mobile.twitter.com" website, it does not generate a "t.co" prefix domain name style. Oh, this.

This is interesting, because most modern Web technology websites aim at users' continuous operation requests, in order to increase user experience and response efficiency, they will not reload the entire page through the server, but execute the request in the background through asynchronous communication AJAX or XMLHttpRequests to achieve lightweight request interaction. For example, when you try to access the https://mobile.twitter.com/notifications link from outside the Twitter website system, the Twitter back-end server does need to load the page completely; but if you access the link from within the Twitter network system, the Twitter back-end server can render load only through some javascript scripts, rather than performing the entire page load.

So, from this point of view, my original idea of XSS vulnerability discovery is to send a message that belongs to Twitter's own website URL and contains the XSS Payload variable within the Twitter website system.

Discovery of XSS vulnerabilities to Dos vulnerabilities

The XSS Payload link I constructed at the beginning looks like this:

Https://mobile.twitter.com/?'">

My guess is that it may not work outside the Twitter site system, but if it is inside the Twitter site system, something different may be triggered depending on how it is loaded. So, I repeatedly send tests around this type of XSS Payload.

Later, I found that a XSS payload with "% u003e" in it actually caused a Twitter service error! And this error will prevent me from seeing any Twitter session messages! This is even more interesting! Why?

This hexadecimal% u003e is obviously larger than the symbol > after Urldecode, but Twitter cannot parse it! After that, I tried to send URL links with styles such as "% xx", which was simply like https://mobile.twitter.com/%xx, and here we go again, with the same error!

My guess is that% xx is not a valid hexadecimal value, and maybe the Twitter backend wants to try to match and parse it, but cannot find the corresponding parsed value of% xx in its internal service, so the Twitter backend throws this error whenever a user requests a URL link that contains% xx and belongs to a Twitter site.

Based on this, I think I use this link https://mobile.twitter.com/%xx which contains% xx to post a Twitter moments. Maybe you can't imagine, it scares me off my chin! As soon as the moments containing this link were posted, my moments could not be brushed out, and even the fans in my Twitter account could not refresh them! Note that this is the case with the Twitter Mobile official website (mobile.twitter.com), so will this happen to the Twitter master station?

Wait and see, however, after testing, the Twitter master station does not have the above situation, what should we do now? Is there any other workaround? Haha, after some research, I found that we can forcibly convert the computer display interface to the mobile display interface through the following link-https://twitter.com/i/onboarding/verify! The steps are:

1. Log in to the Twitter account on the computer

2. Paste https://twitter.com/i/onboarding/verify into the current browser page and visit

3. Click the "Got it" button that appears in the pop-up box.

4. Now, you are in the mobile phone display interface.

According to the test method of Twitter Mobile official website, after the test, after posting the moments with the link https://twitter.com/%xx, the moments of my own account and fans in my account can not be refreshed!

About how your Twitter fans can not refresh the moments to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.