Following up on http://www.bkjia.com/Article/201308/239719.html to check for further problems, I found that the "new message reminder" bound-mailbox setting has no CSRF protection, or only weak filtering. In addition, the email verification link appears to have a logic flaw. Combining the two, a user's private messages, new comments and system message reminders can be delivered to the attacker's mailbox.
Page renewal
In the normal state, several message reminders are enabled (you can choose the sending frequency and the email address that receives the reminders):
A normal form submission looks like this:
GET http://message.tudou.com/updateEmailSetting.html?callback=jQuery16405471757907992225_1375018012075&isSend=1&frequency=14&email=XXX%40email.com&_=1375018012464 HTTP/1.1
Accept: */*
Referer: http://www.tudou.com/my/setting/notifyMe.action
Accept-Language: zh-cn
User-Agent: ...
Accept-Encoding: gzip, deflate
Host: message.tudou.com
Connection: Keep-Alive
Cookie: ...
isSend, frequency and email carry the values entered in the form.
Judging from this request, the only possible CSRF defences are the Referer header and the jQuery callback and _ parameters (can those even serve as a defence? I am a newbie and have not researched it).
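The request above changes account state over a GET with only a Referer and two jQuery-generated parameters standing between it and a cross-site submission. As an added example (not Tudou's code), the check below shows what a server-side authorization for such an endpoint should look like: the change must arrive by POST, the Origin/Referer host is compared against an allowlist as a secondary control, and the primary control is a session-bound CSRF token that a page on another origin cannot read. The host list, session id, secret and sample parameters are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Added example, not Tudou's code. Hosts allowed to submit the settings form
# (constructed allowlist).
ALLOWED_HOSTS = {"www.tudou.com", "message.tudou.com"}


def make_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session token. The settings page embeds it in the form;
    a page on another origin cannot read it, unlike the jQuery callback and
    _ parameters, which are timestamps anyone can produce."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Secondary check only: browsers may omit or strip Referer, and a check
    that merely looks for a substring can be fooled, so compare the parsed host."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname in ALLOWED_HOSTS


def authorize_email_update(method: str, headers: dict, params: dict,
                           session_id: str, secret: bytes) -> tuple:
    """Return (allowed, reason) for an attempt to change the reminder mailbox."""
    if method != "POST":
        return False, "state change must not be reachable via GET/JSONP"
    if not origin_allowed(headers):
        return False, "origin/referer not an allowed host"
    token = str(params.get("csrf_token", ""))
    expected = make_csrf_token(session_id, secret)
    # constant-time comparison on bytes so odd user input cannot raise TypeError
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "csrf token missing or invalid"
    return True, "ok"


if __name__ == "__main__":
    secret = b"server-only-secret"   # constructed placeholder
    sid = "session-abc"              # constructed placeholder
    # the cross-site GET from the report: third-party Referer, jQuery params only
    forged = {"callback": "jQuery16408171587823084512_1375017782512",
              "_": "1375017849124", "isSend": "1", "frequency": "14",
              "email": "someone@example.invalid"}
    print(authorize_email_update("GET", {"Referer": "http://richardwiseman.wordpress.com/"},
                                 forged, sid, secret))
    # a legitimate submission from the settings page
    legit = {"isSend": "1", "frequency": "14", "email": "owner@example.invalid",
             "csrf_token": make_csrf_token(sid, secret)}
    print(authorize_email_update("POST", {"Origin": "http://www.tudou.com"},
                                 legit, sid, secret))
```

The order of the checks matters: the method and origin checks are cheap filters, but a Referer match alone is not an authorization decision, which is why the token comparison is the check that finally allows the change. If the endpoint must remain JSONP for the page's own scripts, it should be read-only; JSONP is GET and cross-origin by design, so it cannot safely carry a state change.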
1. Against a possible Referer check
Find a blog platform that allows a <form>: WordPress, Blogbus? Or GAE, SAE.
If none of these third-party hosting sites work, the attacker's own blog site can be used.
I tested the following two Referers:
http://richardwiseman.wordpress.com/2013/07/22/answer-to-the-friday-puzzle-215/
http://www.squarefree.com/2012/04/16/car-free-apps/
Both attempts succeeded.
2. Against the possibly random jQuery parameters
I tried a few of the pairs that are generated normally:
callback=jQuery16405471757907992225_1375018012073&_=1375018012154
callback=jQuery16405471757907992225_1375018012075&_=1375018012464
callback=jQuery16408171587823084333_1375017781479&_=1375017829130
So I tried constructing the following pair at random:
callback=jQuery16408171587823084512_1375017782512&_=1375017849124
Vulnerability proof: combine point 2 with the form submission (putting an attacker-controlled address in the email parameter) to build attack.html, and host it on WordPress or on the attacker's own site (like squarefree.com).
Then post the address on Weibo. Once a logged-in user opens attack.html, the following emails are sent to the attacker's mailbox.
Then, when the attacker clicks the verification link in this email without being logged in to Tudou, it still reports that the mailbox was bound successfully (the more serious vulnerability may be here), although it then redirects to the login page (http://login.tudou.com/login.do?noreg=OK&service=http://www.tudou.com/my/tui/got).
It redirects after 3 seconds, too late..
By then, the email reminder for the user's Tudou account has already been bound to the attacker's reminder address.
Solution:
1. You know the CSRF defence better than I do (for example, restricting the Referer to http://www.tudou.com/my/setting/notifyMe.action)... please let me know which part is incomplete.
2. Require authentication for binding the reminder email address: the verification should take effect only when the user is logged in.
http://message.tudou.com/checkEmail.html?uid=XXX&token=XXXX
This reminder binding should take effect only when the user is logged in..
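Solution point 2 asks that the checkEmail link only complete the binding for a logged-in user. As an added example (not Tudou's code), the handler below implements that: the token is unguessable, tied to both the account and the requested address, single-use and time-limited, and the binding is applied only when the visitor's session belongs to the same uid, so whoever merely receives the mail and opens the link gets nothing. Storage is an in-memory dict, and the uids, addresses and TTL are constructed placeholders.

```python
import secrets
import time

# Added example, not Tudou's code. In-memory state for the demonstration.
TOKEN_TTL = 3600  # seconds a confirmation link stays valid (constructed value)
pending = {}      # token -> (uid, email, expiry)
bound_email = {}  # uid -> confirmed reminder address


def issue_check_email_token(uid: str, email: str, now: float = None) -> str:
    """Create an unguessable, single-use token tied to uid and the requested address.
    The server mails it as checkEmail.html?uid=<uid>&token=<token>."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[token] = (uid, email, now + TOKEN_TTL)
    return token


def check_email(uid_param: str, token: str, session_uid, now: float = None) -> tuple:
    """Handle the confirmation link. Returns (bound, reason).
    session_uid is the account the visitor is logged in as, or None."""
    now = time.time() if now is None else now
    entry = pending.get(token)
    if entry is None:
        return False, "unknown or already used token"
    uid, email, expiry = entry
    if now > expiry:
        del pending[token]
        return False, "token expired"
    if session_uid is None:
        # do not consume the token: the owner can log in and open the link again
        return False, "login required before the binding takes effect"
    if session_uid != uid or uid_param != uid:
        # a link for one account must never act on another
        return False, "token does not belong to the logged-in account"
    del pending[token]  # single use
    bound_email[uid] = email
    return True, "reminder address bound"


if __name__ == "__main__":
    t = issue_check_email_token("u1", "owner@example.invalid")
    print(check_email("u1", t, None))    # not logged in: nothing is bound
    print(check_email("u1", t, "u2"))    # logged in as someone else: rejected
    print(check_email("u1", t, "u1"))    # owner: binding applied
    print(check_email("u1", t, "u1"))    # replay: token already consumed
    print(bound_email)
```

Two details carry the fix: the binding is written only after the session check passes, so the "bound successfully" page the report describes cannot appear before login, and the token is looked up by value rather than trusting the uid query parameter, so the uid in the URL is cross-checked against both the token and the session instead of being believed.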