Facebook’s Parse OAuth2 Bug

In this post I am going to show how I was able to hack into Parse accounts through an OAuth redirect_uri vulnerability.
You can sign in to Parse by entering your email and password, or by signing in with your Facebook account.

If we click on the “Log in with Facebook” button, the browser sends a GET request to this URL:

https://www.facebook.com/dialog/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fwww.parse.com%2Fauth%2Ffacebook%2Fcallback&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

The parameters that we have to consider are:

  • response_type
  • client_id 
  • redirect_uri 
  • scope 

So I started to build a forged URL that redirects the victim to a malicious site which saves the token in a file. To do this I played with the redirect_uri parameter to see whether it accepted subdomains or subfolders of the registered callback, and this was the result:

Allowed redirects:

  • xxx.parse.com          (redirect to subdomains is allowed)
  • xxx.parse.com/xxx/     (redirect to subfolders is allowed)

Since redirect_uri accepted subdomains and subfolders, I looked for an open redirect on Parse’s domain and subdomains, but I couldn’t find any.

Then I realized that the Parse subdomain files.parse.com lets me upload an HTML file, so I uploaded a page containing HTML code that redirects to a malicious URL. The uploaded page was reachable at:
http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html

Final PoC (Facebook has already fixed this issue):

https://www.facebook.com/dialog/oauth?response_type=token&client_id=506576959379594&redirect_uri=http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email

Note that response_type has been changed from code to token: with the implicit flow Facebook appends the access token to the redirect_uri as a URL fragment, so the uploaded HTML page receives it directly. A victim who is logged in to Facebook and opens this URL is redirected to that page, whose script takes the token and saves it in a file.
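To make the redirect_uri point concrete, here is an added Python example (not code from this post, nor from Facebook or Parse) that contrasts two validation policies against the URLs above: a permissive one that accepts any subdomain and any path under parse.com, which is an assumed reconstruction of the behaviour the post observed rather than Facebook's real logic, and an exact-match one. The evil.example hosts and the classify helper are made up for illustration.

```python
from urllib.parse import urlparse

# The redirect URI Parse registered with Facebook, taken from the legitimate
# login request shown above.
REGISTERED_REDIRECT = "https://www.parse.com/auth/facebook/callback"

# The attacker-controlled redirect from the PoC: an uploaded HTML file on a
# Parse subdomain.
POC_REDIRECT = ("http://files.parse.com/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad/"
                "68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html")


def loose_redirect_ok(redirect_uri, registered=REGISTERED_REDIRECT):
    """Permissive policy consistent with what the post observed: the registered
    host or any subdomain of its parent domain passes, and scheme and path are
    ignored. Assumed reconstruction, not Facebook's actual code."""
    want = urlparse(registered)
    got = urlparse(redirect_uri)
    if not got.hostname:
        return False
    parent = want.hostname.split(".", 1)[1]          # "parse.com"
    return got.hostname == want.hostname or got.hostname.endswith("." + parent)


def strict_redirect_ok(redirect_uri, registered=REGISTERED_REDIRECT):
    """Exact-match policy: scheme, host, port and path must equal the registered
    value, and no query string or fragment may be appended."""
    want = urlparse(registered)
    got = urlparse(redirect_uri)
    if got.query or got.fragment:
        return False
    return (got.scheme, got.hostname, got.port, got.path) == \
           (want.scheme, want.hostname, want.port, want.path)


def classify(redirect_uri):
    """Return how each policy treats a candidate redirect_uri (illustrative helper)."""
    return {"loose": loose_redirect_ok(redirect_uri),
            "strict": strict_redirect_ok(redirect_uri)}


if __name__ == "__main__":
    for uri in (REGISTERED_REDIRECT,
                POC_REDIRECT,
                "https://www.parse.com.evil.example/auth/facebook/callback",
                "https://www.parse.com/auth/facebook/callback?next=//evil.example"):
        print(uri, classify(uri))
```

Exact matching of the whole registered URI is what current OAuth 2.0 security guidance recommends; it closes the subdomain and subfolder cases at once, so an open redirect or an uploadable HTML file on a sibling host no longer matters. The PoC also relied on switching to response_type=token, so an authorization server should refuse the implicit response type for a client that is registered for the code flow only.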

Yahoo! Unrestricted File Upload Vulnerability

Hi all,

In this write-up I’ll explain how I was able to find an unrestricted file upload in https://reports-as.web.analytics.yahoo.com/

This is the PoC i sent to Yahoo! Security.

These are the steps to reproduce the issue:
1) Log in at yahoo.com.
2) Once logged in, go to https://reports-as.web.analytics.yahoo.com/Login.vm and click on “Manage Scheduled Reports”.
3) Click on the “Do you want to change your company logo that appears on HTML and PDF reports?” button. This section is supposed to accept only images with .gif, .jpg or .png extensions. The check looks only at the file name, so it can be bypassed with a double extension: create a text file a.txt containing “Yahoo Server Unrestricted File Upload by Andrea Santese” and rename it to a.txt.jpg.
4) Upload this file and click on the “Upload” button. The message “Image file is uploaded successfully!” appears, so the file was accepted. The uploaded file is served from https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer
5) Opening that link shows the error “The image “https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer” cannot be displayed because it contains errors.” The server sends the response with Content-Type: image/jpg, so the browser tries to decode our text file as a JPEG and fails. To see what happens when the same body is delivered as HTML, we can rewrite the Content-Type to text/html on the fly with an intercepting proxy such as Burp Suite:
   - configure the browser to use the Burp proxy;
   - make a GET request to https://reports-as.web.analytics.yahoo.com/servlet/template/LogoServer;
   - before choosing “Forward” or “Drop”, right-click on the raw request and select “Do Intercept” → “Response to this request”;
   - click on “Forward”. The intercepted response looks like the following:

HTTP/1.1 200 OK
Date: Wed, 26 Mar 2014 10:32:01 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Wed, 26 Mar 2014 10:32:02 GMT
Expires: Wed, 26 Mar 2014 10:32:02 GMT
Accept-Ranges: bytes
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Connection: close
Content-Type: image/jpg
Content-Length: 57

Yahoo Server Unrestricted File Upload by Andrea Santese

Now change Content-Type: image/jpg to Content-Type: text/html and click on the “Forward” button.

The content of the a.txt.jpg file now shows up as a page. Keep in mind that editing the response in Burp changes only what your own browser receives; the server itself keeps serving the file as image/jpg. The underlying issue is that the server stores and serves whatever bytes arrive under an image extension without validating the content, which is what was reported.
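As an added example, not part of the write-up nor of Yahoo's code, the following Python contrasts the extension-only check that a.txt.jpg slipped past with a check that also requires the bytes to start with a matching image signature, and shows the response headers that stop a browser from reinterpreting a stored logo as HTML. The sample files are constructed here and the function names are mine.

```python
# Magic bytes for the formats the logo upload says it accepts.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}
EXTENSION_TO_MIME = {"png": "image/png", "gif": "image/gif",
                     "jpg": "image/jpeg", "jpeg": "image/jpeg"}

# Constructed sample uploads: the text payload from the write-up under its
# double extension, a minimal PNG header, and a GIF/script polyglot.
SAMPLE_TEXT_JPG = ("a.txt.jpg",
                   b"Yahoo Server Unrestricted File Upload by Andrea Santese\r\n")
SAMPLE_PNG = ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SAMPLE_GIF_POLYGLOT = ("logo.gif", b"GIF89a<script>alert(1)</script>")


def _extension(filename):
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def extension_only_ok(filename):
    """The weak check the write-up bypassed: trust only the last extension."""
    return _extension(filename) in EXTENSION_TO_MIME


def sniff_image_type(data):
    """Return the MIME type whose signature the data starts with, else None."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def validate_logo(filename, data):
    """Hardened check: the extension must be allowed, the bytes must carry an
    image signature, and the two must agree. Returns (ok, reason_or_mime)."""
    expected = EXTENSION_TO_MIME.get(_extension(filename))
    if expected is None:
        return False, "extension not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "no image signature"
    if actual != expected:
        return False, "extension/content mismatch"
    return True, actual


def logo_response_headers(mime):
    """Headers for serving a stored logo: the type comes from validation, not
    from the upload's name, and sniffing into HTML is disabled."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'inline; filename="logo"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for name, data in (SAMPLE_TEXT_JPG, SAMPLE_PNG, SAMPLE_GIF_POLYGLOT):
        print(name, "extension-only:", extension_only_ok(name),
              "hardened:", validate_logo(name, data))
```

The GIF polyglot sample passes the signature check on purpose: a magic-number test defeats the plain text file from the write-up but not a file that is both a valid GIF header and script. That is why the accepted bytes should also be re-encoded through an image library before storage, and served with X-Content-Type-Options: nosniff and a fixed Content-Type derived from the validated type.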