
SSRF/XSPA bug on Facebook | Writeup by Paul OS

Hello friends, today we are going to post a PoC of an SSRF/XSPA vulnerability on Facebook. This bug was submitted to Pentesting Lab by Paul OS.

According to him,
An application is vulnerable to Cross Site Port Attacks (SSRF/XSPA) if the application processes user supplied URLs and does not verify/sanitize the backend response received from remote servers before sending it back to the client.

An attacker can send crafted queries to a vulnerable web application to proxy attacks to external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.) and even fetch data from remote services in unconventional ways.

XSPA allows attackers to target the server infrastructure, mostly the intranet of the web server, the web server itself and any public Internet facing server as well. This vulnerability can be used for:
1) Port Scanning remote Internet facing servers, intranet devices and the local web server itself. Banner grabbing is also possible in some cases.

2) Exploiting vulnerable programs running on the Intranet or on the local web server.


When sending a message to a user in the chat section it is possible to add websites... and Facebook will go check the link to get the favicon and title.

If we, for example, give it http://target.com:80/, it will print out the contents of the site since http/80 runs there. But if we give it a closed port like http://target.com:31337/, it will fail to get output, thus revealing whether the port is open or closed.

Now the issue has been fixed and Facebook has put mitigation strategies in place for possible abuse to scan internal servers or so... :-)
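One way a link-preview fetcher can remove the open/closed port signal described above, as an added example that is not from the original writeup and is not Facebook's actual fix. The function names, the `fetch` hook, the port policy and the `.example` hostnames are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {"http": {80}, "https": {443}}  # assumed policy: default web ports only
GENERIC_FAILURE = {"preview": None}             # one body for every failure mode


def resolve(host):
    """Default resolver: every address the name maps to (A and AAAA)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def vet_preview_url(url, resolver=resolve):
    """Return (vetted_ips, port) for a user-supplied URL, or raise ValueError."""
    parts = urlsplit(url.strip())
    scheme = (parts.scheme or "").lower()
    if scheme not in ALLOWED_PORTS or not parts.hostname:
        raise ValueError("scheme or host not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    default_port = next(iter(ALLOWED_PORTS[scheme]))
    port = parts.port if parts.port is not None else default_port
    if port not in ALLOWED_PORTS[scheme]:
        raise ValueError("port not allowed")  # blocks probes such as :31337
    addrs = [ipaddress.ip_address(a.split("%")[0]) for a in resolver(parts.hostname)]
    # Reject if ANY resolved address is loopback, private, link-local or reserved,
    # so a name with mixed records cannot steer the fetch into the intranet.
    if not addrs or any(not a.is_global for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return [str(a) for a in addrs], port


def preview(url, fetch, resolver=resolve):
    """fetch(ip, port, url) is the caller's HTTP client (hypothetical hook).

    It must connect to the vetted IP instead of resolving the name again,
    refuse redirects (or vet each hop), and use one fixed timeout.
    """
    try:
        ips, port = vet_preview_url(url, resolver)
        title = fetch(ips[0], port, url)
        return {"preview": title} if title else GENERIC_FAILURE
    except (ValueError, OSError):
        # Blocked URL, refused connection and timeout all look identical to the client.
        return GENERIC_FAILURE
```

The identical response body removes the content signal; response timing still needs to be evened out separately, for example by fetching previews asynchronously.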



