OAuth 2.0 and the Road to XSS: attacking Facebook Platform. Andrey Labunets @isciurus

Similar documents
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

OAuth: Where are we going?

A Tale of the Weaknesses of Current Client-Side XSS Filtering

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Login with Amazon. Developer Guide for Websites

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

The Prevalence of Flash Vulnerabilities on the Web

The Top Web Application Attacks: Are you vulnerable?

IBM WebSphere Application Server

Web Application Security

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

Security and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley

Where every interaction matters.

Project 2: Web Security Pitfalls

OWASP Top Ten Tools and Tactics

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Login with Amazon. Getting Started Guide for Websites. Version 1.0

OAuth 2.0. Weina Ma

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Security features of ZK Framework

A Tale of the Weaknesses of Current Client-side XSS Filtering

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Web-Application Security

Magento Security and Vulnerabilities. Roman Stepanov

Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks

Web Application Worms & Browser Insecurity

Gateway Apps - Security Summary SECURITY SUMMARY

Complete Cross-site Scripting Walkthrough

Hack Proof Your Webapps

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

What is Web Security? Motivation

Cross-site site Scripting Attacks on Android WebView

Ruby on Rails Secure Coding Recommendations

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Testnet Summerschool. Web Application Security Testing. Dave van Stein

EECS 398 Project 2: Classic Web Vulnerabilities

Web Security Testing Cookbook*

Application security testing: Protecting your application and data

Cross-Site Scripting

Intrusion detection for web applications

CTF Web Security Training. Engin Kirda

Axway API Gateway. Version 7.4.1

AIRTEL INDIA OPEN API. Application Developer Guide for OAuth2 Authentication and Authorization. Document Version 1.1

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Relax Everybody: HTML5 Is Securer Than You Think

Web Application Security Considerations

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Security Model for the Client-Side Web Application Environments

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

Thomas Röthlisberger IT Security Analyst

Enterprise Application Security Workshop Series

How To Fix A Web Application Security Vulnerability

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Onegini Token server / Web API Platform

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Hack Yourself First. Troy troyhunt.com

ACR Connect Authentication Service Developers Guide

Research on the Security of OAuth-Based Single Sign-On Service

Network Security Exercise #8

Traitware Authentication Service Integration Document

Cross Site Scripting Prevention

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Application Security Testing. Generic Test Strategy

Fairsail REST API: Guide for Developers

EHR OAuth 2.0 Security

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

SAMSUNG SMARTTV: HOW-TO TO CREATING INSECURE DEVICE IN TODAY S WORLD. Sergey Belov

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Web Application Scan. Document Revision Initial Report Prepared By: AppCheck-NG Version: 1.0

Secure development and the SDLC. Presented By Jerry

Building Secure Applications. James Tedrick

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Simple But Not Secure: An Empirical Security Analysis of OAuth 2.0-Based Single Sign-On Systems

Testing the OWASP Top 10 Security Issues

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

A Survey on Security and Vulnerabilities of Web Application

(WAPT) Web Application Penetration Testing

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Common Criteria Web Application Security Scoring CCWAPSS

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Transcription:

OAuth 2.0 and the Road to XSS: attacking Facebook Platform Andrey Labunets @isciurus

Who is @isciurus Security researcher, occasional reverse-engineer Student at the Tyumen State University Frequent guest to Facebook vulnerability submission form 1

OAuth An open framework for web authorization Resource owner authorizes Client to access owner s data on Resource server Password never given to a client Known attacks on OAuth variations Facebook JS SDK bugs by K. Bhargavan, C. Bansal in 2012 Flash bug on Facebook by R. Wang, S. Chen, L. Xing, X. Wang in 2012 Fundamental problems Session fixation for OAuth 1.0 in 2009 Bearer tokens for OAuth 2.0 2

OAuth 2.0 in 60 seconds Resource Owner Resource Owner A A. Client Identifier & Redirection URI B A. Client Identifier & Redirection URI User- Agent A Client B. User Authenticates C. Redirection URI with Access Token in Fragment D. Redirection URI Without Fragment E. Script G. Access Token Authorization Server Web-Hosted Client Resource User- Agent A Client C B. User Authenticates C. Authorization Code D. Authorization Code & Redirection URI E. Access Token (w/ Optional Refresh Token) Authorization Server Implicit Grant Flow Authorization Code Flow 3

OAuth 2.0 Case Study: Facebook Platform Motivation: OAuth 2.0 proposed RFC standard Facebook largest platform for web-developers (1b users, 9m apps) Poorly explored, huge attack surface 4

Assumptions and threat model A victim has an account on Facebook, and he uses some apps An attacker is able create a malicious web site and a malicious Facebook app An attacker can convince a victim to click a specially crafted malicious link Attacker wants to: Access victim s private data Invoke some actions on behalf of a victim Sign into his account on a third-party web site (authentication bypass) Execute its code on facebook.com client-side (XSS) 5

Legacy authorization flow

Legacy authorization flow extern/login_status.php returns token in query string Exploitation: Insert a picture from your server somewhere inside the Client site Tamper redirect_uri to point this page Let the user click the link Resource owner s access token leaked via HTTP Referrer 7

Legacy authorization flow http://facebook.com/extern/login_status.php?api_key=111239619098&ok_session=http%3a%2f %2Fwww.bing.com%2Fcommunity%2Fwebmaster%2Ff%2F12251%2Fp%2F675833%2F... HTTP 302 8

Legacy authorization flow Lots of external developers depend on this flow, not easy to patch Still works for some apps (bing, etc) Impact: Access token stealing Lessons: Design it carefully If not, don t mix legacy/latest auth flows 9

Javascript SDK issues

Normal JS SDK workflow Trusted Client JS SDK postmessage() Facebook proxy iframe proxymessage() xd_arbiter.php?version=18#...origin=app.com... Facebook auth window xd_arbiter.php?version=18#...origin=client.com...&signed_request=...&token=... 11

Flaw in JS SDK proxy Evil Facebook Client JS SDK postmessage() Facebook proxy iframe xd_arbiter.php#...origin=evil.com... proxymessage() dst/src origins were never compared Facebook auth window xd_arbiter.php#...origin=client.com...&signed_request=...&token=... 12

Flaw in JS SDK proxy Exploited by setting redirect_uri to an old-versioned xd_proxy without origin checks Impact: Code, access token, signed_request stealing Lessons: If this is out of specs, implement in twice carefully Suggestion: Make JS SDK xd_arbiter open-source 13

URL fragment tricks

Hash-bang (#!) + Referrer exploitation Facebook QuicklingPrelude (or hash-bang feature): Fills location with value from location.hash Redirect: facebook.com/#!/whatever > facebook.com/whatever Abused to pull sensitive data from URL fragment Generic idea of all hash-bang + Referrer exploits: Redirect to a permitted page at facebook.com Pull access token from fragment and redirect to another facebook page Redirect to your own domain Pick the Referrer from the request and extract the token 15

App RPC gethash trick Facebook app controller implemented a special gethash method (possibly, for app navigation or parameter passing) top.location.hash could be disclosed to a malicious app iframe No need to authorize the malicious app Exploitation: Utilize hash-bang feature to bypass filters on redirect_uri Redirect to your app canvas page Invoke FB_RPC call gethash from your app Get a full URL fragment with access token 16

App RPC gethash trick Facebook.com 3. proxymessage( FB_RPC: result: access_token=aaa,...) 2. XdArbiter.handleMessage() App.com Canvas iframe 1. postmessage( FB_RPC method:gethash,..) 4. postmessage( FB_RPC: result: access_token=aaa,...) Facebook proxy iframe 17

URL fragment tricks Fragment-based navigation is an excellent vector for OAuth 2.0 Impact: code, access token, signed_request stealing Lessons: Avoid navigation with URL fragment on your authorization endpoint domain If not, deny any redirect_uri containing URL fragment If not, think twice how you integrate your fragment navigation with OAuth 2.0 18

PHP SDK issues

PHP SDK issues OAuth 2.0: stealing code via redirect_uri tampering gives nothing Facebook JS/PHP SDK: code is issued with an empty redirect_uri: src/base_facebook.php#l426 protected function getuseraccesstoken() { // the JS SDK puts a code in with the redirect_uri of '' if (array_key_exists('code', $signed_request)) { $code = $signed_request['code']; $access_token = $this->getaccesstokenfromcode($code, ''); redirect_uri tampering-based attacks are invisible 20

PHP SDK issues signed_request takes priority over code-based authentication: src/base_facebook.php#l525 protected function getuserfromavailabledata() { // if a signed request is supplied, then it solely determines // who the user is. $signed_request = $this->getsignedrequest(); if ($signed_request) { if (array_key_exists('user_id', $signed_request)) { $user = $signed_request['user_id']; signed_request parsed also from $_REQUEST, no CSRF checks: src/base_facebook.php#l489 public function getsignedrequest() { if (!$this->signedrequest) { if (!empty($_request['signed_request'])) { $this->signedrequest = $this->parsesignedrequest( $_REQUEST['signed_request']); 21

PHP SDK issues PHP SDK compromises OAuth 2.0 authorization code grant flow Still not patched Impact: Downgrade attack (from code grant to signed_request -based flow) Session fixation (CSRF) with signed_request redirect_uri tampering and stolen signed_request means authentication bypass Lessons: Facebook PHP SDK is not for secure authentication Don t trust code from external SDK 22

RPC issues

Facebook RPC showdialog workflow App communicate with Facebook RPC controller through FB_RPC messages App can invoke a special RPC method showdialog To render the dialog, Facebook controller makes an XHR request and parses the JSON payload XHR endpoint uiserver.php also serves as OAuth 2.0 endpoint We control most of query parameters for uiserver.php (redirect_uri) 24

Facebook RPC showdialog workflow uiserver.php Facebook.com 4. XHR handler 2. XdArbiter.handleMessage() 3. XHR app.com canvas iframe 1. postmessage() / Flash Facebook proxy iframe 25

Facebook RPC showdialog workflow Guess, how is JSON payload parsed? 26

Facebook RPC showdialog workflow We could trick the Facebook app controller with OAuth 2.0 redirects and submit malicious payload to the XHR handler: _handlexhrresponse: function(ka) { var la; if (this.getoption('suppressevaluation')) { la = {asyncresponse: new h(this, ka)}; } else { var ma = ka.responsetext, na = null; try { var pa = this._unshieldresponsetext(ma); try { var qa = (eval)('(' + pa + ')'); Disabled by default Removes the first 9 bytes Yes, just eval XHR cross-domain redirects are not permitted, but let's knock it down up to cross-site scripting anyway 27

Yet another JS SDK issue: Flash XD transport redirect_uri parameter of showdialog method must belong to app s own domain, which is defined in xd_arbiter proxy url Two flaws in Flash cross-domain transport allowed to hijack the origin and to send FB_RPC messages on behalf of facebook.com: Controllable Flash channel names Absense of secret nonce validation Exploitation: Inject two xd_arbiter proxies with transport=flash Connect them by setting the same Flash channel name Inject the third xd_arbiter and let him initiate the flow with proxymessage() 28

Yet another JS SDK issue: Flash XD transport Facebook App Secret nonce validation insufficient, another nonce check here is missing JS SDK Facebook proxy iframe Proxy swf Proxy swf Adobe LocalConnection() channel names are controlled by xd_arbiter url proxymessage() Facebook auth window 29

XSS with OAuth 2.0 Now we send FB_RPC message on behalf of facebook.com and invoke showdialog method _unshieldresponsetext cuts the prefix redirect_uri parameter in FB_RPC message is http:/facebook.com/ something, and it passes all checks Wrapping a small stage-0 malicious payload inside a picture Proxying the picture from our site through facebook.com/safe_image.php 30

XSS with OAuth 2.0 uiserver.php Facebook.com 4. eval() 3. XdArbiter.handleMessage() App.com Canvas iframe 3. redirect_uri = gif FB proxy iframe Proxy swf 2..connection.send() FB proxy iframe Proxy swf FB proxy iframe 1. proxymessage() 31

XSS with OAuth 2.0 Lessons: XSS is not only about?q=<script>alert(, design flaws are unique eval is still evil, nothing new OAuth redirects can be abused for taint propagation in your javascript apps 32

Conclusion

Endless attack vectors for Facebook OAuth redirect_uri tampering Sensitive data leakage through Referrer Token transport (JS SDK and xd_arbiter.php) #! (hash-bang) and redirect_uri filtering bypasses SDK authentication (PHP SDK, SDK) App RPC exploiting 34

Endless attack vectors for Facebook OAuth redirect_uri tampering Sensitive data leakage through Referrer #! (hash-bang) and redirect_uri filtering bypasses Token transport (JS SDK and xd_arbiter.php) SDK authentication (PHP SDK, SDK) App RPC exploiting 35

Q&A Thanks! 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information