Heroku: latest vulnerability lets attackers take over user accounts - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201675645
Type myhack58
Reporter Anonymous
Modified 2016-06-08T00:00:00


Premise

Description: The vulnerability was fixed on May 26.

Environment: Heroku (https://www.heroku.com/) offers a feature called "one-click deployment". Clicking the button configures and deploys third-party components, libraries and applications in a single step. For example, you can see the button on this page: https://github.com/ParsePlatform/parse-server-example . Clicking that icon redirects you to https://dashboard.heroku.com/new?button-url=https%3A%2F%2Fgithub.com%2FParsePlatform%2Fparse-server-example&template=https%3A%2F%2Fgithub.com%2FParsePlatform%2Fparse-server-example

Any developer can create a "click to deploy" button like the one above; further instructions are at https://devcenter.heroku.com/articles/heroku-button

I created a "click to deploy" button containing a single file, app.json, from which Heroku reads the button's metadata. At first I tried inserting HTML tags and attributes into app.json to achieve XSS, but found that the JavaScript escaped the special characters. Later I found that the "logo" URL could be set to any value, and that when the page https://dashboard.heroku.com/new loads, this URL is placed in the src attribute of an img tag. When the img tag loads, the browser requests the image from that server and sends the Referer header with the request, so a server listening for the request can read the Referer value. For more on information leakage through HTTP, see cure53's collection.

Vulnerability

So far, when the following page is loaded: https://dashboard.heroku.com/new?template=https%3A%2F%2Fgithub.com%2FParsePlatform%2Fparse-server-example&other_parameter=with_value the following img tag is created:

<img src="https://avatars0.githubusercontent.com/u/1294580?v=3&s=200" class="">

(Translator's note: here the author set the logo value in app.json, which becomes the src value.)

The browser then sends a request to https://avatars0.githubusercontent.com/u/1294580?v=3&s=200 and the HTTP Referer header carries the following value: https://dashboard.heroku.com/new?template=https%3A%2F%2Fgithub.com%2FParsePlatform%2Fparse-server-example&other_parameter=with_value As you can see, there is no useful data here yet.

Next I tested Heroku's OAuth authentication flow (https://devcenter.heroku.com/articles/oauth). I set redirect_uri to https://dashboard.heroku.com/new?template=https%3A%2F%2Fgithub.com%2FParsePlatform%2Fparse-server-example&other_parameter=with_value , hoping to obtain useful data from the Referer, but without success. Some time later I noticed that after a successful authentication, https://dashboard.heroku.com/[path_requested] is requested with a code parameter. This parameter has no CSRF protection while it is transmitted, and it is then exchanged for an "access_token" with "global" scope, returned in JSON format. This "global" scope lets you perform every operation through the API at https://api.heroku.com/ ! However, I could not change the account password or the bound email address...

Attack

The attack only takes effect when the user is logged in.

1. First, make the user visit the following link: https://longboard.heroku.com/login?state=https%3A%2F%2Fdashboard.heroku.com%2Fnew%3Ftemplate%3Dhttps%253A%252F%252Fgithub.com%252Fesevece%252Fheroku_test
2. The user is redirected to https://id.heroku.com/oauth/authorize?client_id=....
3. The user is redirected again to https://longboard.heroku.com/auth/heroku/callback?code=....
4. Finally, the user is redirected to https://dashboard.heroku.com/new?template=https%3A%2F%2Fgithub.com%2Fesevece%2Fheroku_test&code=...
5. Once the page is loaded, the application automatically makes a request to the GitHub API to fetch app.json:
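The leak in the chain above depends on what the browser puts in the Referer of the cross-origin image request for the logo. The following Python, added here as an example and not part of the original writeup, models the main Referrer-Policy values and shows that under the permissive legacy default the code parameter of the dashboard URL reaches the logo host, while strict-origin-when-cross-origin reduces the header to the origin. The dashboard URL, the placeholder code and the logo host are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Query parameters that must never reach a third-party host via Referer.
SENSITIVE_PARAMS = {"code", "access_token", "state", "token"}

# Constructed sample values: the dashboard URL after step 4 of the chain
# (placeholder code) and a logo host such as one named in app.json.
DASHBOARD_URL = ("https://dashboard.heroku.com/new"
                 "?template=https%3A%2F%2Fgithub.com%2Fexample%2Fapp"
                 "&code=PLACEHOLDER_CODE")
LOGO_URL = "https://logo-host.example/logo.png"

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referer_sent(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser attaches when page_url loads resource_url
    under the given Referrer-Policy, or None when no header is sent.
    Simplified model: fragments are dropped, userinfo is not handled."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = origin_of(page_url) == origin_of(resource_url)
    downgrade = page.scheme == "https" and res.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # legacy browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin_of(page_url) + "/"
    raise ValueError(f"unsupported policy: {policy!r}")

def leaked_params(referer):
    """Sensitive query parameter names exposed by a Referer value."""
    if not referer:
        return set()
    return set(parse_qs(urlsplit(referer).query)) & SENSITIVE_PARAMS

def audit(page_url, resource_url):
    """Map each modelled policy to the sensitive parameters it would leak."""
    policies = ["no-referrer-when-downgrade", "same-origin",
                "strict-origin-when-cross-origin", "no-referrer"]
    return {p: leaked_params(referer_sent(page_url, resource_url, p))
            for p in policies}
```

Calling audit(DASHBOARD_URL, LOGO_URL) shows only the legacy default leaking the code parameter; the same check can be run over a site's own URLs and third-party resource hosts before shipping a Referrer-Policy header.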
