The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net

The vulnerability exists on the “adx_click.html” page, in the “goto” parameter, e.g.
  http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion
 
The vulnerability can be exploited without the user being logged in. Tests were performed with Firefox 26.0 on Ubuntu 12.04 and IE 9.0.15 on Windows 7.
 
(1) When a user is redirected from Nytimes to another site, Nytimes checks the parameters “sn1” and “sn2”. If the domain of the redirect target is acceptable, Nytimes allows the redirection.
However, if a URL in an allowed domain itself has an open URL redirection vulnerability, a user can be redirected from Nytimes to that vulnerable URL first and then from the vulnerable site to a malicious site. The effect is the same as if Nytimes had redirected the user to the malicious site directly.
One such vulnerable domain is
doubleclick.net (Google's ad website)
 
(2) One webpage, “http://tetraph.com/blog”, is used as the target for the following tests. Suppose that this webpage is malicious.
Vulnerable URL:
  http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

POC:
  http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fblog%3F%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion
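The chained redirect described in (1) and (2) can be caught by inspecting the nested URLs inside the link instead of only its first hop. The script below is an added example written for this page; it is not part of the original post and not Nytimes' or DoubleClick's code. It takes the vulnerable URL and the POC above as input, walks the redirect chain statically (nothing is fetched), and shows that a check on the immediate target alone (the effect of the sn1/sn2 check) passes the POC, while a check over the whole chain rejects it. The allow-list of expected landing hosts is an assumption made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Absolute http(s) URL embedded in text. The match is greedy, so a nested URL
# swallows everything after it; each hop is then recovered one level at a time.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# The two links from the advisory above, built from a shared prefix. The only
# difference is the host nested inside DoubleClick's clk URL.
ADX_PREFIX = ("http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn"
              "&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle"
              "&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221"
              "&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001"
              "&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3F")
CAMPAIGN_TAIL = ("%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker"
                 "%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion")
VULNERABLE_URL = ADX_PREFIX + "http%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp" + CAMPAIGN_TAIL
POC_URL = ADX_PREFIX + "http%3A%2F%2Ftetraph%2Ecom%2Fblog%3F%2Dinclusive%2Ephp" + CAMPAIGN_TAIL

# Assumed allow-list for this campaign: the ad network plus the advertiser's landing site.
ALLOWED_HOSTS = frozenset({"ad.doubleclick.net", "facebook.com"})


def embedded_urls(url):
    """Absolute URLs carried inside url (query values, raw query, path), decoded once."""
    parts = urlsplit(url)
    candidates = [v for values in parse_qs(parts.query).values() for v in values]
    # DoubleClick's /ddm/clk endpoint carries its target as the bare query string
    # (no key=value pair), so the decoded query and path text are scanned as well.
    candidates += [unquote(parts.query), unquote(parts.path)]
    found = []
    for text in candidates:
        for match in URL_RE.finditer(text):
            if match.group(0) not in found:
                found.append(match.group(0))
    return found


def redirect_chain(url, max_hops=5):
    """Hosts a user would visit if every hop forwards to the URL nested in it.
    Purely static: it never sends a request."""
    hosts = []
    current = url
    for _ in range(max_hops):
        hosts.append(urlsplit(current).hostname or "")
        nested = embedded_urls(current)
        if not nested:
            break
        current = nested[0]
    return hosts


def first_hop_allowed(url, allowed_hosts):
    """What a check on the immediate redirect target alone sees (the weak check)."""
    chain = redirect_chain(url)
    return len(chain) > 1 and chain[1] in allowed_hosts


def whole_chain_allowed(url, allowed_hosts):
    """Hardened check: every host after the origin must be on the allow-list."""
    chain = redirect_chain(url)
    return len(chain) > 1 and all(host in allowed_hosts for host in chain[1:])


if __name__ == "__main__":
    for label, url in (("vulnerable URL", VULNERABLE_URL), ("POC", POC_URL)):
        print(label, "->", " -> ".join(redirect_chain(url)))
        print("  first hop only:", first_hop_allowed(url, ALLOWED_HOSTS),
              "| whole chain:", whole_chain_allowed(url, ALLOWED_HOSTS))
```

Walking the chain this way is a static approximation: it only catches targets that appear as absolute URLs inside the link, so a hop whose target is stored server-side or double-encoded still needs a runtime control, namely each redirector refusing to forward to any host outside its own allow-list.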
 
Credit: 
Wang Jing, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. 
  http://tetraph.com/wangjing/ 
 
 
 
 
 
 
 