Bind email CSRF vulnerability + email verification link logic vulnerability in Tudou new message reminder

Source: Internet
Author: User

By this http://www.bkjia.com/Article/201308/239719.html to see if there are other problems, found that the new message reminder bound mailbox CSRF there is not filtered, or not strict filtering. In addition, there may be logic problems with the email verification link. By combining these two points, the user's private messages, new comments, and system message reminders can be sent to the attacker's mailbox.

Page renewal

In normal status, many message reminders are selected: (you can select the sending frequency and email address to be reminded)



A sample of a normal form request is as follows:


GET http://message.tudou.com/updateEmailSetting.html? Callback = jQuery16405471757907992225_1375018012075 & isSend = 1 & frequency = 14 & email = XXX % 40email.com & _ = 1375018012464 HTTP/1.1
Accept :*/*
Referer: http://www.tudou.com/my/setting/notifyMe.action
Accept-Language: zh-cn
User-Agent :...
Accept-Encoding: gzip, deflate
Host: message.tudou.com
Connection: Keep-Alive
Cookie :...

The input values of isSend, frequency, and email respectively.

 

Based on this request, possible CSRF Defense points are in the refer field or jQuery parameter section (is this possible? Cainiao said there was no research ).

1. Defense against possible referers

Find a <form> Blog system, wordpress or blogbus? Or GAE, SAE

If these third-party hosting websites do not work, you can use the hacker's own blog website.

I tested the following two referers:

Http://richardwiseman.wordpress.com/2013/07/22/answer-to-the-friday-puzzle-215/

Http://www.squarefree.com/2012/04/16/car-free-apps/

All attacks are successful.

2. for possible jQuery Random Parameters

I tried a few mappings that normally generate:

Callback = jQuery16405471757907992225_1375018012073

& _ = 1375018012154

Callback = jQuery16405471757907992225_1375018012075

& _ = 1375018012464

Callback = jQuery16408171587823084333_1375017781479

& _ = 1375017829130

Therefore, we try to randomly construct the following attack vector:

Callback = jQuery16408171587823084512_1375017782512

& _ = 1375017849124
Vulnerability proof: Make attack.html by combining the 2nd point and the table form input( write hacker-controlled parameters in the email parameter), put it on wordpress, or hacker's own website (similar to squarefree.com)

Then, the address will be sent to Weibo. Once a user clicks attack.html (in the logon status), the following emails will be sent to the hacker's mailbox.


 


Then, when a hacker clicks this email without logging on to Tudou, it will also remind you that the mailbox is successfully bound (so the more serious vulnerability may be here ), although it will jump to the login page again (http://login.tudou.com/login.do? Noreg = OK & service = http://www.tudou.com/my/tui/got ).

3 seconds jump, too late ..

However, at this time, the user's email reminder for the potato account has been bound with the hacker's reminder email.


Solution:


1. CSRF defense over there you know more clearly (for example, limiting refer can only be a http://www.tudou.com/my/setting/notifyMe.action )... Please let me know which one is not complete.

2. Remind the email address to bind the authentication. The authentication takes effect only when the user logs on.

Http://message.tudou.com/checkEmail.html? Uid = XXX & token = XXXX

This reminder binding takes effect only when the user logs on ..

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.