In this post I'm going to show how I was able to hack into Parse accounts through an OAuth vulnerability.
You can sign in to Parse either with your email and password or with your Facebook account.
If we click the "Log in with Facebook" button, a GET request is made to this URL:
The parameters we have to consider are:
So I started to build a forged URL that redirects the victim to a malicious site which saves the Parse token to a file. To do this, I started playing with the redirect_uri parameter to see whether it allowed redirects to subdomains or subfolders, and this was the result:
- xxx.parse.com (allows redirect to subdomains)
- xxx.parse.com/xxx/ (allows redirect to subfolders)
The redirect_uri check accepted any subdomain and any path, so I looked for an open redirect on Parse's domain and subdomains, but I couldn't find one.
Then I realized that the Parse subdomain files.parse.com allowed me to upload an HTML file, so I uploaded one containing HTML code that redirects to a malicious URL. The URL to view the content of the uploaded page was:
Final PoC (Facebook has already fixed this issue):
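The root cause above is a redirect_uri check that matches on the domain suffix and ignores the path, so any page under parse.com (including one an attacker can upload to files.parse.com) is a valid place to send the token. The following is an added example, not code from the post or from Parse or Facebook, contrasting that suffix-style check with the exact-match check OAuth 2.0 requires (RFC 6749 section 3.1.2.2: simple string comparison against the registered URI; section 3.1.2: no fragment). The registered callback URL and the test URIs are constructed for illustration; the post does not show Parse's real callback.

```python
from urllib.parse import urlsplit

# Hypothetical registered callback for the "Log in with Facebook" flow.
# The post does not show Parse's real redirect_uri; this value is an assumption.
REGISTERED_REDIRECT_URIS = frozenset({
    "https://www.parse.com/oauth/facebook/callback",
})


def weak_redirect_uri_ok(uri: str) -> bool:
    """Domain-suffix check: the behaviour the post observed.

    Any host under parse.com (xxx.parse.com) with any path (xxx.parse.com/xxx/)
    is accepted, so an attacker-controlled page on files.parse.com is a valid
    redirect target and receives the token.
    """
    parts = urlsplit(uri)
    host = parts.hostname or ""          # urlsplit lower-cases the host
    if parts.scheme not in ("http", "https"):
        return False
    return host == "parse.com" or host.endswith(".parse.com")


def strict_redirect_uri_ok(uri: str) -> bool:
    """Exact-match check against the registered callbacks.

    When the full redirect URI is registered, RFC 6749 3.1.2.2 requires a
    simple string comparison, and 3.1.2 forbids a fragment component.
    There is no subdomain or sub-path wildcarding at all.
    """
    parts = urlsplit(uri)
    if parts.fragment:
        return False
    return uri in REGISTERED_REDIRECT_URIS


# Constructed redirect_uri values covering the cases discussed in the post.
CASES = {
    "registered callback": "https://www.parse.com/oauth/facebook/callback",
    "subfolder on main host": "https://www.parse.com/anything/else/",
    "attacker page on files subdomain": "https://files.parse.com/uploads/redirect.html",
    "look-alike domain": "https://notparse.com/oauth/facebook/callback",
    "registered callback with fragment": "https://www.parse.com/oauth/facebook/callback#x",
}


def compare_checks() -> dict:
    """Return {label: (accepted_by_weak_check, accepted_by_strict_check)}."""
    return {
        label: (weak_redirect_uri_ok(uri), strict_redirect_uri_ok(uri))
        for label, uri in CASES.items()
    }


if __name__ == "__main__":
    for label, (weak, strict) in compare_checks().items():
        print(f"{label:36} weak={weak!s:5} strict={strict}")
```

The "attacker page on files subdomain" case is the chain from the post: the weak check lets it through because the host ends in .parse.com, while the strict check rejects it because it is not the registered string. Note that the weak check here already requires a leading dot before parse.com; a check that uses `endswith("parse.com")` without the dot would additionally accept the look-alike domain.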
In this write-up I'll explain how I was able to find an unrestricted file upload in https://reports-as.web.analytics.yahoo.com/
This is the PoC I sent to Yahoo! Security.
These are the steps to reproduce the issue:
1) Log in at yahoo.com
2) Once logged in, go to https://reports-as.web.analytics.yahoo.com/Login.vm and click "Manage Scheduled Reports"
3) Now click the "Do you want to change your company logo that appears on HTML and PDF reports?" button. This section only allows the upload of images with a .gif, .jpg or .png extension. I found a way to bypass this restriction: I created a text file a.txt containing the text "Yahoo Server Unrestricted File Upload by Andrea Santese" and renamed it to a.txt.jpg.
Upload this file and click the "Upload" button. Once it is uploaded, the message "Image file is uploaded successfully!" appears, so the file has been accepted. I noticed that the uploaded file is served from https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer
But when we open that link, an error like the following appears: "The image https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer cannot be displayed because it contains errors."
This error is due to the "Content-Type: image/jpeg" header that the Yahoo server sends to the client when it makes a GET request to https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer, so now we have to change it to "Content-Type: text/html". We can do this with a proxy like Burp Suite, intercepting the response the Yahoo server sends to the client and modifying the Content-Type on the fly to text/html. First, configure the browser to use the Burp Suite proxy. Once configured, make a GET request to https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer. Before deciding whether to click "Forward" or "Drop", right-click on the raw request and select "Do Intercept" -> "Response to this request". Now click "Forward". We will get a response like the following:
HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 10:32:01 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Wed, 26 Mar 2014 10:32:02 GMT
Expires: Wed, 26 Mar 2014 10:32:02 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache

Yahoo Server Unrestricted File Upload by Andrea Santese
Now change "Content-Type: image/jpeg" to "Content-Type: text/html" and click the "Forward" button.
The content of the a.txt.jpg file now comes up in the browser!
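The upload form above only looks at the final extension, so a.txt.jpg with plain text inside is stored and later served under LogoServer. The following is an added example, not code from the post or from Yahoo, that puts the extension-only check next to a hardened one that also requires the file to start with the magic bytes of the format its extension claims, and returns the verified type to use in the Content-Type header. The file names and byte strings are constructed for illustration. It also shows the limit of content sniffing: a file that begins with a valid GIF header and continues with HTML still passes, which is why the served response should carry X-Content-Type-Options: nosniff and a verified Content-Type rather than one derived from the file name.

```python
import os

# Extensions the logo form accepts (per the post), mapped to the MIME type
# each one claims.
ALLOWED_EXTENSIONS = {
    ".gif": "image/gif",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".png": "image/png",
}

# Leading bytes of each allowed format.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def extension_only_check(filename: str) -> bool:
    """The weak check the post bypassed: only the final extension is examined,
    so 'a.txt.jpg' with arbitrary text inside is accepted."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def sniff_image_type(data: bytes):
    """Return the MIME type whose signature the data starts with, or None."""
    for mime, signatures in MAGIC.items():
        if data.startswith(signatures):      # bytes.startswith accepts a tuple
            return mime
    return None


def hardened_check(filename: str, data: bytes):
    """Accept only when the extension is allowed AND the content starts with the
    signature of that same format. Returns the verified MIME type, or None."""
    expected = ALLOWED_EXTENSIONS.get(os.path.splitext(filename)[1].lower())
    sniffed = sniff_image_type(data)
    if expected is None or sniffed is None or sniffed != expected:
        return None
    return sniffed


def logo_response_headers(verified_mime: str) -> dict:
    """Headers for serving a stored logo: the type comes from the verified
    content, nosniff stops the browser second-guessing it, and a CSP sandbox
    is defence in depth should the bytes ever be rendered as a document."""
    return {
        "Content-Type": verified_mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed uploads: the post's text file, a real-looking PNG, a PNG with the
# wrong extension, and a GIF/HTML polyglot that defeats signature sniffing.
SAMPLE_UPLOADS = {
    "a.txt.jpg": b"Yahoo Server Unrestricted File Upload by Andrea Santese",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "logo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "poly.gif": b"GIF89a<script>alert(1)</script>",
}


def evaluate_uploads() -> dict:
    """Return {filename: (accepted_by_extension_check, verified_mime_or_None)}."""
    return {
        name: (extension_only_check(name), hardened_check(name, data))
        for name, data in SAMPLE_UPLOADS.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in evaluate_uploads().items():
        print(f"{name:10} extension-only={weak!s:5} hardened={hardened}")
```

The poly.gif case is the caveat: magic-byte checks stop the plain text file from the post but not a polyglot, so the serving side must be fixed as well. Re-encoding the uploaded image server-side (which strips trailing non-image data) and serving user content from a separate origin are the usual additional steps.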