Operation and Maintenance
Safety
Exploiting CSRF token verification mechanism vulnerability to authenticate victim accounts
Exploiting CSRF token verification mechanism vulnerability to authenticate victim accounts
本文分享的是一个Facebook CSRF漏洞,用Gmail或G-Suite账户来验证新创建Facebook账户时存在的CSRF令牌验证机制漏洞,攻击者利用该漏洞,可在验证新创建Facebook账户时,以最小用户交互方式用受害者邮箱验证其注册的Facebook账户,实现间接CSRF攻击。
OAuth登录机制对CSRF token验证不足
当用户用Gmail或G-Suite账号来创建一个新的Facebook账户时,存在以下两种身份验证机制:
1、从Gmail中接收5位数的验证码,然后在Facebook网页中输入以确认。
2、从Gmail或G-Suite账号的第三方进行OAuth授权跳转登录。
要绕过第一种方法估计很难了,Facebook后端部署的Checkpoint安防设备和强大的速率限制条件,会毫不客气地阻断任何暴力破解和可疑行为。所以,我们来观察一下第二种方法,经过一番测试,我在其中发现了一个CSRF漏洞,原因在于,在OAuth授权跳转登录过程中缺少必要的CSRF令牌验证机制。
OAuth Login链接如下:
https://accounts.google.com/signin/oauth/identifier?client_id=15057814354-80cg059cn49j6kmhhkjam4b00on1gb2n.apps.googleusercontent.com&as=dOwxqXYIm0eQvYuxmp-ODA&destination=https%3A%2F%2Fwww.facebook.com&approval_state=!ChRLcHh5R0tQVzRXUWJSOFRIbG85ZRIfb19Dd1BsY0tpbGtYd0ktM2lWMU9TaWNIbzUyOTlCWQ%E2%88%99AJDr988AAAAAXghyvi5iRjgT2N1tdaquUxqUTQOYK4V4&oauthgdpr=1&xsrfsig=ChkAeAh8T8oLnsrNQd99XQIe69KD7-njhen9Eg5hcHByb3ZhbF9zdGF0ZRILZGVzdGluYXRpb24SBXNvYWN1Eg9vYXV0aHJpc2t5c2NvcGU&flowName=GeneralOAuthFlow
请注意,其中的state参数为一个CSRF令牌,该令牌用于在一些跨站点的请求响应中,去验证那些经身份验证过的用户,以此来防止攻击者蓄意的CSRF攻击。
通常来说,如果在上述OAuth Login过程中,该state参数由客户端的 Firefox 浏览器生成,那么,该参数令牌也仅限于在该Firefox浏览器中验证有效。但是,这里的问题是,该OAuth Login机制还缺乏必要的验证措施,也就是,这里的这个state参数(CSRF token)可用在任何其他客户端浏览器中实现有效验证。
所以,对攻击者来说,可以简单地把上述URL链接进行嵌入构造到一个网页中,只要受害者点击到该网页,攻击者就能以受害者身份(如注册邮箱victim_email@gmail.com)完成Facebook账户的身份验证,实现间接的CSRF攻击。
但是,这里还有一个问题,那就是受害者在点击攻击者构造的页面之前,攻击者Facebook账户需要在受害者浏览器中实现登录,而这里,刚好可用Facebook的一键式登录(Log In With One Click)来完成这个动作。
把以下Facebook的一键式登录链接嵌入到恶意网页的IFrame中,当受害者点击网页后,攻击者Facebook账户就可在受害者浏览器中完成登录加载。
https://www.facebook.com/recover/password/?u=100008421723582&n=232323&ars=one_click_login&fl=one_click_login&spc=1&ocl=1&sih=0
之后,当OAuth Login按钮被受害者点击后,受害者邮箱被攻击者用来确认登录了Facebook,之后,再用以下链接来退出攻击者的Facebook账户:
https://m.facebook.com/logout.php?h=17AfealsadvYomDS
结合以上方法构造出一个恶意页面,攻击者就能用受害者邮箱(如以下视频中的Gmail)完成新创建Facebook账户的验证了。
(需要视频嵌入)
https://www.youtube.com/watch?time_continue=8&v=SmRVIip_ySE
总结
总体来说,该漏洞危害确实有限,原因在于Facebook的第三方OAuth Login过程中缺乏对CSRF token的有效验证,导致攻击者可以利用不变的CSRF token来做文章。但随着Web应用的不断发展,各种场景下的第三方OAuth机制越来越多,其存在的问题和漏洞将会非常值得注意。
漏洞上报进程
2019.5.10 : 漏洞初报 2019.5.17 : Facebook跟进调查 2019.5.31 : Facebook修复 2019.6.19 : Facebook奖励我$3,000
相关文章教程推荐:服务器安全教程
The above is the detailed content of Exploiting CSRF token verification mechanism vulnerability to authenticate victim accounts. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
How to verify signature in PDF
Feb 18, 2024 pm 05:33 PM
We usually receive PDF files from the government or other agencies, some with digital signatures. After verifying the signature, we see the SignatureValid message and a green check mark. If the signature is not verified, the validity is unknown. Verifying signatures is important, let’s see how to do it in PDF. How to Verify Signatures in PDF Verifying signatures in PDF format makes it more trustworthy and the document more likely to be accepted. You can verify signatures in PDF documents in the following ways. Open the PDF in Adobe Reader Right-click the signature and select Show Signature Properties Click the Show Signer Certificate button Add the signature to the Trusted Certificates list from the Trust tab Click Verify Signature to complete the verification Let
Detailed method to unblock using WeChat friend-assisted verification
Mar 25, 2024 pm 01:26 PM
1. After opening WeChat, click the search icon, enter WeChat team, and click the service below to enter. 2. After entering, click the self-service tool option in the lower left corner. 3. After clicking, in the options above, click the option of unblocking/appealing for auxiliary verification.
New features in PHP 8: Added verification and signing
Mar 27, 2024 am 08:21 AM
PHP8 is the latest version of PHP, bringing more convenience and functionality to programmers. This version has a special focus on security and performance, and one of the noteworthy new features is the addition of verification and signing capabilities. In this article, we'll take a closer look at these new features and their uses. Verification and signing are very important security concepts in computer science. They are often used to ensure that the data transmitted is complete and authentic. Verification and signatures become even more important when dealing with online transactions and sensitive information because if someone is able to tamper with the data, it could potentially
How to validate IFSC code using regular expressions?
Aug 26, 2023 pm 10:17 PM
Indian Financial System Code is the abbreviation. Indian bank branches participating in the electronic funds transfer system are identified by a special 11-character code. The Reserve Bank of India uses this code in internet transactions to transfer funds between banks. IFSC code is divided into two parts. Banks are identified by the first four characters, while branches are identified by the last six characters. NEFT (National Electronic Funds Transfer), RTGS (Real Time Gross Settlement) and IMPS (Immediate Payment Service) are some of the electronic transactions that require IFSC codes. Method Some common ways to validate IFSC codes using regular expressions are: Check if the length is correct. Check the first four characters. Checkthefifthcharacter.Che
Jailbreak any large model in 20 steps! More 'grandma loopholes' are discovered automatically
Nov 05, 2023 pm 08:13 PM
In less than a minute and no more than 20 steps, you can bypass security restrictions and successfully jailbreak a large model! And there is no need to know the internal details of the model - only two black box models need to interact, and the AI can fully automatically defeat the AI and speak dangerous content. I heard that the once-popular "Grandma Loophole" has been fixed: Now, facing the "Detective Loophole", "Adventurer Loophole" and "Writer Loophole", what response strategy should artificial intelligence adopt? After a wave of onslaught, GPT-4 couldn't stand it anymore, and directly said that it would poison the water supply system as long as... this or that. The key point is that this is just a small wave of vulnerabilities exposed by the University of Pennsylvania research team, and using their newly developed algorithm, AI can automatically generate various attack prompts. Researchers say this method is better than existing
How to change account name and avatar in Win10 - Detailed step-by-step guide
Jan 14, 2024 pm 01:45 PM
After registering a win10 account, many friends feel that their default avatars are not very good-looking. For this reason, they want to change their avatars. Here is a tutorial on how to change their avatars. If you want to know, you can come and take a look. . How to change the win10 account name and avatar: 1. First click on the lower left corner to start. 2. Then click the avatar above in the pop-up menu. 3. After entering, click "Change Account Settings". 4. Then click "Browse" under the avatar. 5. Find the photo you want to use as your avatar and select it. 6. Finally, the modification is completed successfully.
Buffer overflow vulnerability in Java and its harm
Aug 09, 2023 pm 05:57 PM
Buffer overflow vulnerabilities in Java and their harm Buffer overflow means that when we write more data to a buffer than its capacity, it will cause data to overflow to other memory areas. This overflow behavior is often exploited by hackers, which can lead to serious consequences such as abnormal code execution and system crash. This article will introduce buffer overflow vulnerabilities and their harm in Java, and give code examples to help readers better understand. The buffer classes widely used in Java include ByteBuffer, CharBuffer, and ShortB
Cross-site scripting (XSS) and cross-site request forgery (CSRF) protection in Laravel
Aug 13, 2023 pm 04:43 PM
Cross-site scripting (XSS) and cross-site request forgery (CSRF) protection in Laravel With the development of the Internet, network security issues have become more and more serious. Among them, Cross-SiteScripting (XSS) and Cross-SiteRequestForgery (CSRF) are one of the most common attack methods. Laravel, as a popular PHP development framework, provides users with a variety of security mechanisms
