The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 
 

GTY_email_hacker_dm_130718_16x9_608

 

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

 

 

Domain Description:
http://www.weather.com/

 

“The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather. Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather.”

 

“As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives.” (Wikipedia)

 

 

 

 

Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.

 

Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel’s URLs. Then the scripts will be executed.

 

10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.

 

The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes.

 

The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

 

 

 

 

weather_1_xss

 
 

weather_2_xx

 

 

POC Codes, e.g.

http://www.weather.com/slideshows/main/“–/>”><img src=x onerror=prompt(‘justqdjing’)>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22–/“–/>”><img src=x onerror=prompt(‘justqdjing’)>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/“><img src=x onerror=prompt(‘justqdjing’)>

 

 

The Weather Channel has patched this Vulnerability in late November, 2014 (last Week). “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.

 

 

 

Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 

 

More Details:
http://seclists.org/fulldisclosure/2014/Nov/89
http://lists.openwall.net/full-disclosure/2014/11/27/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1253
https://progressive-comp.com/?l=full-disclosure&m=141705578527909&w=1
http://whitehatview.tumblr.com/post/104313615841/the-weather-channel-flaw
http://www.inzeed.com/kaleidoscope/xss-vulnerability/the-weather-channel-exploit
http://diebiyi.com/articles/security/the-weather-channel-bug
http://whitehatpost.lofter.com/post/1cc773c8_6f2d4a8
https://vulnerabilitypost.wordpress.com/2014/12/04/the-weather-channel-flaw
http://tetraph.blog.163.com/blog/static/234603051201411475314523/
http://tetraph.blogspot.com/2014/12/the-weather-channel-xss.html
http://ithut.tumblr.com/post/121916595448/weather-channel-xss
https://mathfas.wordpress.com/2014/12/04/the-weather-channel-weather-bug
http://computerobsess.blogspot.com/2014/12/the-weather-channel-xss.html
http://www.tetraph.com/blog/xss-vulnerability/the-weather-channel-bug

 

 

 

Advertisements

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (Cross Site Scripting) Attacks

 
 
Secure website



(1) Domain Description:
http://www.indiatimes.com

“The Times of India (TOI) is an Indian English-language daily newspaper. It is the third-largest newspaper in India by circulation and largest selling English-language daily in the world according to Audit Bureau of Circulations (India). According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership. It is owned and published by Bennett, Coleman & Co. Ltd. which is owned by the Sahu Jain family. In the Brand Trust Report 2012, Times of India was ranked 88th among India’s most trusted brands and subsequently, according to the Brand Trust Report 2013, Times of India was ranked 100th among India’s most trusted brands. In 2014 however, Times of India was ranked 174th among India’s most trusted brands according to the Brand Trust Report 2014, a study conducted by Trust Research Advisory.” (en.Wikipedia.org)

 

 

 

(2) Vulnerability description:

The web application indiatimes.com online website has a security problem. Hacker can exploit it by XSS bugs.

 

The code flaw occurs at Indiatimes’s URL links. Indiatimes only filter part of the filenames in its website. All URLs under Indiatimes’s “photogallery” and “top-llists” topics are affected.

Indiatimes uses part of the links under “photogallery” and “top-llists” topics to construct its website content without any checking of those links at all. This mistake is very popular in nowaday websites. Developer is not security expert.

The vulnerability can be attacked without user login. Tests were performed on Mozilla Firefox (26.0) in Ubuntu (12.04) and Microsoft IE (9.0.15) in Windows 7.

 

 

indiatimes_xss_2

 

indiatimes_xss1

 

 

POC Codes:

http://www.indiatimes.com/photogallery/“>homeqingdao<img src=x onerror=prompt(‘justqdjing’)>

http://www.indiatimes.com/top-lists/“>singaporemanagementuniversity<img src=x onerror=prompt(‘justqdjing’)>

http://www.indiatimes.com/photogallery/lifestyle/“>astar<img src=x onerror=prompt(‘justqdjing’)>

http://www.indiatimes.com/top-lists/technology/“>nationaluniversityofsingapore<img src=x onerror=prompt(‘justqdjing’)>

 

 

 

 

What is XSS?

“Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.” (OWASP)

 

 

 

(3) Vulnerability Disclosure:

The vulnerabilities were reported to Indiatimes in early September, 2014. However they are still unpatched.

Discovered and Reported by:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)
http://www.tetraph.com/wangjing/

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2014/Nov/91
http://lists.openwall.net/full-disclosure/2014/11/27/6
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1256
https://progressive-comp.com/?l=full-disclosure&m=141705615327961&w=1
http://tetraph.blog.163.com/blog/static/234603051201501352218524/
https://cxsecurity.com/issue/WLB-2014120004
https://mathfas.wordpress.com/2014/12/04/all-links-in-two-topics-of-indiatimes
http://diebiyi.com/articles/security/all-links-in-two-topics-of-indiatimes
http://www.inzeed.com/kaleidoscope/computer-security/all-links-in-two-topics
http://itsecurity.lofter.com/post/1cfbf9e7_54fc6c9
http://computerobsess.blogspot.com/2014/12/all-links-in-two-topics-of-indiatimes.html
https://vulnerabilitypost.wordpress.com/2014/12/04/indiatimes-xss
http://whitehatview.tumblr.com/post/104310651681/times-of-india-website
http://www.tetraph.com/blog/computer-security/all-links-in-two-topics-xss

Attachments area
Preview YouTube video All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS Attacks

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS Attacks

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

Anonymous-hackers

 

Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect Web Security Vulnerabilities

“Amazon.com, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. Amazon.com started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)

 

All kindlepost.com, omnivoracious.com, carlustblog.com are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more.”

“Omnivoracious is a blog run by the books editors at Amazon.com. We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information.”

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines.”

 

 

Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.

 

When a user is redirected from amazon to another site, amazon will check a variable named “token”. Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.

 

The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is “http://www.diebiyi.com/articles“. Suppose this website is malicious,

 

 


(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on kindlepost.com

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:

Poc:

 

 

(1.2) Amazon Covert Redirect Based on kindlepost.com

Vulnerable URL of Amazon:

POC:

 

 

kindlepost_com

 

 

 

(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on omnivoracious.com

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(2.2) Amazon Covert Redirect Based on omnivoracious.com

Vulnerable URL:

POC:

 

 

omnivoracious_com

 

 

 

(3) Car Lust Open Redirect & Amazon Covert Redirect Based on carlustblog.com

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:

POC:

 

 

(3.2) Amazon Covert Redirect Based on carlustblog.com

Vulnerable URL:

POC:

 

 

carlustblog_com

 

 

 

Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.

 

 

 

 

Related Articles:
http://seclists.org/fulldisclosure/2015/Jan/23
http://lists.openwall.net/full-disclosure/2015/01/12/2
http://www.tetraph.com/blog/computer-security/amazon-covert-redirect/
https://progressive-comp.com/?l=full-disclosure&m=142104346821481&w=1
http://computerobsess.blogspot.com/2015/06/amazon-covert-redirect_17.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1429
http://tetraph.blog.163.com/blog/static/23460305120155176411897/
http://diebiyi.com/articles/security/amazon-covert-redirect/
https://itswift.wordpress.com/2015/01/17/amazon-covert-redirect/
http://marc.info/?l=full-disclosure&m=142104346821481&w=4
http://securityrelated.blogspot.com/2015/01/amazon-covert-redirec
http://www.inzeed.com/kaleidoscope/computer-web-security/amazon-covert-redirect/

Attachments area
Preview YouTube video Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Security

Alibaba Alipay Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

Alipay-Wallet-Reaches-190-Mn-Annual-Active-Users

 

Alibaba Alipay Online Website OAuth 2.0 Covert Redirect Web Security Bugs (Information Leakage & Open Redirect)

 

 

(1) Domain:
alipay.com

 

“Alipay.com is a third-party online payment platform with no transaction fees. It was launched in China in 2004 by Alibaba Group and its founder Jack Ma. According to analyst research report, Alipay has the biggest market share in China with 300 million users and control of just under half of China’s online payment market in February 2014. According to Credit Suisse, the total value of online transactions in China grew from an insignificant size in 2008 to around RMB 4 trillion (US$660 billion) in 2012. Alipay provides an escrow service, in which consumers can verify whether they are happy with goods they have bought before releasing money to the seller. This service was offered for what the company says are China’s weak consumer protection laws, which have reduced consumer confidence in C2C and even B2C quality control.” (Wikipedia)

 

 

 

(2) Vulnerability Description:

Alipay web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.

 

The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.


 
 
 
(2.1) Vulnerability Detail:

Alipay’s OAuth 2.0 system is susceptible to Attacks. More specifically, the authentication of parameter “&goto” in OAuth 2.0 system is insufficient. It can be misused to design Open Redirect Attacks to Alipay.

At the same time, it can be used to collect sensitive information of both third-party app and users (sensitive information is contained in HTTP header.).

It increases the likelihood of successful Open Redirect Attacks to third-party websites, too.

Before acceptance of third-party application:

When a logged-in Alipay user clicks the URL ([1]) above, he/she will be asked for consent as in whether to allow a third-party website to receive his/her information. If the user clicks OK, he/she will be then redirected to the URL assigned to the parameter “&goto”.

If a user has not logged onto Alipay and clicks the URL ([1]) above, the same situation will happen upon login.

After acceptance of third-party application:

A logged-in Alipay user would no longer be asked for consent and could be redirected to a webpage controlled by the attacker when he/she clicks the URL ([1]).

For a user who has not logged in, the attack could still be completed after a pop-up page that prompts him/her to log in.

 
 
 

(2.1.1) Before acceptance of the third-party application, Alipay’s OAuth 2.0 system makes the redirects appear more trustworthy and could potentially increase the likelihood of successful Open Redirect Attacks of third-party website.

Once the user accepts the application, the attackers could completely bypass Alipay’s authentication system and attack more easily.

Used one of webpages for the following tests. The webpage is “http://lifegreen.lofter.com/“. Can suppose it is malicious and contains code that collect sensitive information of both third-party app and users.

 

Below is an example of a vulnerable third-party domain:
cjcp.com.cn

If users click URL [2], attacks happen.




POC Video:
https://www.youtube.com/watch?v=lhqwC9RQl44


Blog Detail:
http://tetraph.blogspot.com/2014/05/alibaba-alipays-oauth-20-covert.html






 

(3) What is Covert Redirect?

Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.

Covert Redirect is also related to single sign-on. It is known by its influence on OAuth and OpenID. Hacker may use it to steal users’ sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. After Covert Redirect was published, it is kept in some common databases such as SCIP, OSVDB, Bugtraq, and X-Force. Its scipID is 13185, while OSVDB reference number is 106567. Bugtraq ID: 67196. X-Force reference number is 93031.



Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore.
(@justqdjing)
http://tetraph.com/wangjing/










Related Articles:
http://tetraph.com/security/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://securityrelated.blogspot.com/2014/07/alibaba-alipay-bug.html
http://whitehatpost.lofter.com/post/1cc773c8_72e71f9
https://vulnerabilitypost.wordpress.com/2014/06/02/alibaba-alipay-exploit/
https://twitter.com/yangziyou/status/614368472705818624
blog.163.com/tetraph/blog/static/2346030512014471384217
http://whitehatview.tumblr.com/post/119488487851/securitypost-itinfotech-falha-de-seguranca#notes
http://computerobsess.blogspot.com/2014/07/alibaba-alipay-bug.html
https://computertechhut.wordpress.com/2014/06/06/alibaba-alipay-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/

 

 

 


=============

 

阿里巴巴 支付宝 网站 OAuth 2.0 隐蔽重定向 (Covert Redirect) 网络安全漏洞 (信息泄漏 & 公开重定向)





(1) 域名:
alipay.com


” 支付宝(中国)网络技术有限公司是国内领先的第三方支付平台,致力于提供“简单、安全、快速”的支付解决方案。支付宝公司从2004年建立开始,始终以 “信任”作为产品和服务的核心。旗下有“支付宝”与“支付宝钱包”两个独立品牌。自2014年第二季度开始成为当前全球最大的移动支付厂商。支付宝主要提 供支付及理财服务。包括网购担保交易、网络支付、转账、信用卡还款、手机充值、水电煤缴费、个人理财等多个领域。在进入移动支付领域后,为零售百货、电影 院线、连锁商超和出租车等多个行业提供服务。还推出了余额宝等理财服务。支付宝与国内外180多家银行以及VISA、MasterCard国际组织等机构 建立战略合作关系,成为金融机构在电子支付领域最为信任的合作伙伴。” (百度百科)







(2) 漏洞描述:

阿里巴巴 支付宝网站有有一个计算机安全问题,黑客可以对它进行隐蔽重定向 (Covert Redirect) 网络攻击。



这 个漏洞不需要用户登录,测试是基于微软 Windows 8 的 IE (10.0.9200.16750); Ubuntu (14.04) 的 Mozilla 火狐 (Firefox 34.0) 和 谷歌 Chromium 39.0.2171.65-0; 以及苹果 OS X Lion 10.7 的 Safari 6.16。

 

 

 

 

(2.1) 漏洞细节:

Alipay 的 OAuth 2.0 系统可能遭到攻击。更确切地说, Alipay 对 OAuth 2.0 系统的 parameter “&goto“ 验证不够充分。可以用来构造对 Alipay 的 URL跳转 攻击。

 

 

与此同时,这个漏洞可以用来收集第三方 App 和 用户 的敏感信息(敏感信息包含在 HTTP header里),

它也增加了对第三方网站 URL跳转 攻击的成功率。

 

漏洞地点 “login/express.htm?”,参数”&goto”, e.g.

https://auth.alipay.com/login/express.htm?goto=https%3A%2F%2Fmemberexprod.alipay.com%2Fauthorize%2FuserAuthQuickLoginAction.htm%3Fe_i_i_d%3D41da904223e68d291bfb0eecbff264e1 [1]

 

同意三方 App 前:

 

当一个已经登录的 Alipay 用户点击上面的 URL ([1]), 对话框会询问他是否接受第三方 App 接收他的信息。如果同意,他会被跳转到 参数 “&goto” 的 URL。

 

如果没有登录的Alipay 用户点击 URL ([1]), 他登录后会发生同样的事情。

 

同意三方 App 后:

 

已经登录的 Alipay 用户 不会再被询问是否接受 三方 App。当他点击 URL ([1]) 时,他会被直接跳转到攻击者控制的页面。

 

如果 Alipay 用户没有登录,攻击依然可以在要求他登录的Alipay的对话框被确认后完成(这个过程不会提示任何和三方 App 有关的内容)

 

 

 

(2.1.1) 因为 Alipay 的 OAuth 2.0 客户很多,这样的攻击可以很常见。

 

在同意三方 App 之前,Alipay 的 OAuth 2.0 让用户更容易相信被跳转的页面是安全的。这增加了三方 App 被 URL跳转 攻击的成功率。

 

同意三方 App 后, 攻击者可以完全绕过 Alipay 的 URL跳转 验证系统。

 

用了一个页面进行了测试, 页面是 “http://canghaixiao.tumblr.com/“. 可以假定它是有害的,并且含有收集三方 App 和用户敏感信息的 code。

 

下面是一个有漏洞的三方 domain:
cjcp.com.cn

 

这个 domain 有漏洞的 URL:
http://uc.cjcp.com.cn/?m=pay&a=login&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Foutings%2F%25E5%2590%25AC%25E6%25B5%25B7.html

 

攻击者在浏览器输入 URL,
http://uc.cjcp.com.cn/?m=pay&a=login&furl=http%3A%2F%2Ftetraph.com%2Fessayjeans%2Foutings%2F%25E5%2590%25AC%25E6%25B5%25B7.html

 

 

然后,攻击者可以得到 URL,

https://auth.alipay.com/login/express.htm?goto=https%3A%2F%2Fmemberexprod.alipay.com%2Fauthorize%2FuserAuthQuickLoginAction.htm%3Fe_i_i_d%3D41da904223e68d291bfb0eecbff264e1 [2]

 

如果用户点击 URL [2], 攻击发生。

 


POC 视频:
https://www.youtube.com/watch?v=lhqwC9RQl44

 

 

 

博客细节:
http://tetraph.blogspot.com/2014/05/alibaba-alipays-oauth-20-covert.html

 

 





(3) 什么是隐蔽重定向?

隐蔽重定向 (Covert Redirect) 是一个计算机网络安全漏洞。这个漏洞发布于 2014年5月。漏洞成因是网络应用软件对跳转到合作者的跳转没有充分过滤。这个漏洞经常利用第三方网站 (包括合作网站) 的公开重定向 (Open Redirect) 或者 跨站脚本漏洞 (XSS – Cross-site Scripting) 问题。

隐蔽重定向也对单点登录 (single sign-on) 有影响。最初发布的是对两款常用登录软件 OAuth 2.0 和 OpenID 的影响。黑客可以利用真实的网站进行网络钓鱼,从而窃取用户敏感信息。几乎所用提供 OAuth 2.0 和 OpenID 服务的网站都被影响。隐蔽重定向还可以和 跨站请求伪造 (CSRF – Cross-site Request Forgery) 一起利用。它的 scipID ID 是 13185; OSVDB ID 是 106567; Bugtraq ID 是 67196; X-Force ID 是 93031。





 

相关文章:
http://tetraph.com/security/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/
http://securityrelated.blogspot.com/2014/07/alibaba-alipay-bug.html
http://whitehatpost.lofter.com/post/1cc773c8_72e71f9
https://vulnerabilitypost.wordpress.com/2014/06/02/alibaba-alipay-exploit/
https://twitter.com/yangziyou/status/614368472705818624
blog.163.com/tetraph/blog/static/2346030512014471384217
http://whitehatview.tumblr.com/post/119488487851/securitypost-itinfotech-falha-de-seguranca#notes
http://computerobsess.blogspot.com/2014/07/alibaba-alipay-bug.html
https://computertechhut.wordpress.com/2014/06/06/alibaba-alipay-exploit/
http://www.inzeed.com/kaleidoscope/covert-redirect/alibaba-alipays-oauth-2-0-covert-redirect-vulnerability-information-leakage-open-redirect/

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

pocket_2

 

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

 

Domain:
getpocket.com

“Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world’s leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows.” (From: https://getpocket.com/about)

 

 

Vulnerability Description:
Pocket has a computer cyber security bug problem. Hacker can exploit it by CSRF attacks.
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.” (OWSAP)
Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

 

 

Vulnerability Details:

 

Vulnerable URL:
https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

 

Use a website created by me for the following tests. The website is “http://itinfotech.tumblr.com/“. Suppose that this website is malicious. If it contains the following link, attackers can post any message as they like.

 

<a href=”https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test”>getpocket csrf test</a> [1]

 

When a logged victim clicks the link ([1]), a new item will be successfully saved to his/her “Pocket” without his/her notice. An attack happens.

 

Attachments area
Preview YouTube video GetPocket Online Website CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

GetPocket Online Website CSRF (Cross-Site Request Forgery ) Web Security Vulnerability