The story of one widget

    This short post is about the importance of giving a service's side projects enough attention and man-hours.

    Intro


    Vkontakte is a great example of a service made for people: high-quality code and excellent support. Its weak spot, however, is its side projects.

    So the XMPP protocol was shut down, and group widgets, an ad platform, API stores and much more were removed. This story is about one interesting vulnerability of the Vkontakte widget that could.

    One evening, when I added the social component to my new site (like, repost, subscription), the spirit of a pentester woke up in me and I decided to check the comment widget that was most interesting to me.

    Main part


    Since I was interested in the logic of the request and in the ability to change it to fit my needs, I armed myself with Tamper Data and captured the request sent to the server:

    The widget is a frame, so to avoid creating unnecessary obstacles for myself I decided to work with it directly, without the intermediary, since VK allows this. To do that, take the referrer line in its pure form, without the unnecessary parameters (height, width, etc.):
    http://vk.com/widget_comments.php?app=APPID&_ver=1&page=0&status_publish=1&attach=*&url=http%3A%2F%2Fsite.ru%2F&title=&description=&image= 
    

    Opened this way, the widget keeps its comment-sending functionality but, unfortunately, attachments refuse to load.

    Empirically, we establish that in this form the widget is no longer tied to the site on which it was placed (any type of widget requires "connecting" the site to the system; if the appid does not match the domain, the widget is not displayed). Most interesting of all, the url parameter is responsible for the link in the attachment. That is logical, but only with respect to the attached link.

    Let me remind you that the comment that is added to the user's wall has two links.

    The bottom one is our attachment, and the top one should display the domain to which the widget is attached, plus the custom name of the link if the title parameter is used. That is not the case, though, and we can modify this data as we like.
    Add a text description for the link and a title for the popup block:
    vk.com/widget_comments.php?app=APPID&_ver=1&page=0&status_publish=1&attach=*&url=http%3A%2F%2Fm.habrahabr.ru%2F&title=habrahabr.ru&description=Привет, Хабрахабр!&image=XXXX_XXXX 
    

    Here image = XXXXX_XXXXX is taken from photoXXXXX_XXXXX, which appears in the URL of any VK photo.
    We write an arbitrary comment (with the "display on your page" flag set) and publish it. We end up on the wall.


    I have already mentioned that every widget is bound to a site and that opening it outside the frame bypasses this condition; the restriction against substituting the vk.com domain for your own domain is bypassed as well. By manipulating the source link, we can very easily link to the page of any user and leave a comment, supposedly on their wall. Of course, there is no practical benefit, but social engineering (SI) is one of the use cases.
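
A server-side check that would close the gap described above, as an added example that is not VK's code or part of the original post; the app id "1001", the registry and the function names are assumptions. It rejects a url whose host is not the domain connected to the app, and it builds the caption of the top link from the registered domain instead of from title alone.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry (hypothetical): app id -> domain the site owner connected.
REGISTERED_DOMAINS = {"1001": "site.ru"}


def host_matches(host, registered):
    """True if host is the registered domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == registered or host.endswith("." + registered)


def check_widget_request(widget_url, registry=REGISTERED_DOMAINS):
    """Return (allowed, reason) for a request to widget_comments.php.

    Uses only the server-side registry and the request parameters, so the
    result is the same whether or not the page is loaded inside a frame.
    """
    params = parse_qs(urlsplit(widget_url).query, keep_blank_values=True)
    app = params.get("app", [""])[0]
    target = params.get("url", [""])[0]
    registered = registry.get(app)
    if registered is None:
        return False, "unknown app id"
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return False, "url is malformed"
    if parts.scheme not in ("http", "https") or not host:
        return False, "url is not an absolute http(s) link"
    if not host_matches(host, registered):
        return False, f"url host {host} is not registered for app {app}"
    return True, "ok"


def link_caption(widget_url, registry=REGISTERED_DOMAINS):
    """Top-link caption: the registered domain is always shown; title only adds to it."""
    params = parse_qs(urlsplit(widget_url).query, keep_blank_values=True)
    registered = registry[params["app"][0]]
    title = params.get("title", [""])[0].strip()
    return f"{title} ({registered})" if title else registered
```
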


    Conclusion


    After finding this flaw, I, of course, reported it to their tech support, whose agent found it interesting and sent the bug for revision.
    Thanks to the developers for such a wonderful product; I wish them success in dealing with all the shortcomings of the side services.
