Someone posted this vulnerability to the Phantom Brigade today:
http://xeyeteam.appspot.com/2010/07/22/renren-wap-authentication-token-steal.html
This vulnerability was actually already mentioned on my blog; see here for details:
http://riusksk.blogbus.com/logs/66056956.html
or here: http://bbs.pediy.com/showthread.php?t=115128
I discovered this vulnerability by accident: the authentication token was leaking through the Referer header. For example, the following PHP snippet records a visitor's Referer:
<?php
// Read the Referer the visitor's browser sent, if any
$referer = !empty($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'Unspecified';
// Escape before output so a crafted Referer cannot inject HTML into this page
echo htmlspecialchars($referer);
?>
What happened was that trojancyborg had been browsing Renren's WAP homepage (presumably from a mobile phone) and then followed a link to my blog. As a result, his Referer was recorded under "access sources" in the Blogbus management center, authentication token included. That token can be submitted directly in the URL to bypass authentication, i.e. it is a URL authentication token. The URL looks like this:
http://3g.renren.com/profile.do?id=263,*63,**2&sid=5437ce***3c0d5d1457*****85f6f3e32&9agldk&htf=2 (parts replaced with "*" for security)
This can also be combined with XSS to steal the Referer, just like cookie stealing, and it is more convenient than a cookie: the URL alone gives you direct management access to the other party's homepage. It does take some luck, though, because the other party has to arrive from a Renren WAP page. If you have a better way to steal it, let us know! At the time I posted an entry on trojancyborg's homepage as a prank. Fortunately he was magnanimous and did not make a fuss about it......
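As an added example (not from the original post, and not Renren's or Blogbus's code), here is a small Python script that does the server-side half of what is described above: it scans constructed access-log lines, pulls a `sid`-style credential out of any recorded Referer, reports which visitor leaked it and from which host, and shows how a log could mask the value before storing it. The Apache "combined" log format, the list of token-like parameter names, the IPs and the token value are all assumed or made up for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry a URL-borne session credential
# (assumed list; "sid" is the one the Renren WAP URL in the post uses).
TOKEN_PARAMS = {"sid", "token", "session", "sessionid", "auth"}

# Constructed access-log lines in Apache "combined" format. The IPs, the sid
# value and the Nokia user agent are made up for this example; only the first
# line carries a Referer from 3g.renren.com with a token in the query string.
SAMPLE_LOG = """\
1.2.3.4 - - [22/Jul/2010:10:01:02 +0800] "GET /logs/66056956.html HTTP/1.1" 200 5120 "http://3g.renren.com/profile.do?id=263463772&sid=5437ce1234abcd3c0d5d1457deadbeef85f6f3e32&9agldk&htf=2" "Nokia3100/1.0"
5.6.7.8 - - [22/Jul/2010:10:02:15 +0800] "GET /logs/66056956.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=riusksk" "Mozilla/5.0"
9.9.9.9 - - [22/Jul/2010:10:03:44 +0800] "GET /logs/66056956.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def extract_url_tokens(url):
    """Return {param: value} for token-like query parameters found in url."""
    if not url or url == "-":  # "-" is how combined logs record "no Referer"
        return {}
    query = urlsplit(url).query
    # keep_blank_values=True so a bare "&9agldk&" segment is kept rather than dropped
    return {
        name: value
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in TOKEN_PARAMS and value
    }


def find_leaked_tokens(log_text):
    """Scan log lines; return (client_ip, referer_host, param, token) per leaked token."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        referer = m.group("referer")
        for name, value in extract_url_tokens(referer).items():
            hits.append((m.group("ip"), urlsplit(referer).netloc, name, value))
    return hits


def mask_token(value, keep=4):
    """Mask a credential the way the post does with '*', keeping only the ends."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


def redact_referer(url):
    """Rewrite a Referer so token-like parameters are masked before it is logged."""
    parts = urlsplit(url)
    masked = [
        (name, mask_token(value) if name.lower() in TOKEN_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(masked, safe="*"), parts.fragment))


if __name__ == "__main__":
    for ip, host, name, token in find_leaked_tokens(SAMPLE_LOG):
        print(f"{ip} arrived from {host} with {name}={mask_token(token)}")
```

Run as-is it prints the one leaked Renren token with the middle masked. `find_leaked_tokens` is the check a site operator (or the Blogbus management center) could run over existing logs to see which visitors have already had a credential exposed; `redact_referer` is the log-hygiene half, and only limits the damage on the logging side. The real fix remains on the issuing site: a session credential in the URL is copied into Referer headers, browser history and proxy logs by design, which is why the cookie-based authentication mentioned below is the proper remedy.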
The defence against this class of vulnerability is as described in cosine's paper: use cookie-based authentication (unfortunately my battered Nokia N3100 doesn't support cookies), or filter everything that can trigger a request carrying the Referer, such as:
▪HTML tags: img/iframe/a/area/...
▪CSS: background: url()/@import/-moz-binding/...