
The story of a widget

This short post shows how important it is to give side-service projects enough attention and developer time.

Intro


Vkontakte is a fine example of a service built for people: both high-quality code and excellent support. Its weak spot, however, is its side projects.

The XMPP protocol was shut down; group widgets, ad space, API stores and much more were cut out. This story is about one interesting vulnerability in the Vkontakte widget, which could.

One evening, while adding a social component (like, repost, subscribe) to my new site, the pentester in me awoke and I decided to look at the widget that interested me most: the comment widget.

Main part


Since I was interested in the request logic and whether I could alter it to suit my needs, I armed myself with Tamper Data; the request sent to the server looked like this:

A widget is a frame, so to avoid creating unnecessary obstacles for myself I decided to work without the intermediary, since VK allows it. To do this, take the referrer string; in its pure form, without any extra parameters (height, width, etc.), it is:
http://vk.com/widget_comments.php?app=APPID&_ver=1&page=0&status_publish=1&attach=*&url=http%3A%2F%2Fsite.ru%2F&title=&description=&image= 

When working with it directly, the ability to send comments is preserved, but, unfortunately, attachments refuse to load.

It was established empirically that in this form the widget is no longer tied to the site it was placed on (any type of widget requires the site to be “connected” to the system; if the app id does not match the domain, the widget is not displayed), and that the url parameter is responsible for the link in the attachment. Admittedly, this is logical, but only for the attached link itself.

Let me remind you that a comment added to a user's wall carries two links.

At the bottom is our attachment, and the top one should display the domain to which this widget is bound, plus the custom link name if the title parameter is used; however, this is not the case, and we can modify this data as we like.
Add a text description to the link and a header for the popup block:
 vk.com/widget_comments.php?app=APPID&_ver=1&page=0&status_publish=1&attach=*&url=http%3A%2F%2Fm.habrahabr.ru%2F&title=habrahabr.ru&description=, !&image=XXXX_XXXX 

Here image = XXXXX_XXXXX is taken from photoXXXXX_XXXXX, which appears in the URL of any VK picture.
We write an arbitrary comment (with the “display on your page” flag) and publish it. Here is what appears on the wall:


I have already mentioned that any widget is bound to a site; if you open it bypassing the frame, this condition is bypassed, but it is still impossible to put the domain vk.com in place of your own. By manipulating the source link we can very simply point to any user's page and leave a comment that appears to be on his wall. Of course, there is no practical benefit, but one possible use case is social engineering.
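As an added example (not VK's code and not part of the original post), here is the server-side check a widget endpoint could apply to reject requests of the kind described above: it ties the Referer, the url parameter and any caller-supplied title back to the domain registered for the app id. The app registry, the Referer requirement and the host-matching rules are assumptions; the two sample requests are the ones shown in the post.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registry: app id -> the domain the site owner "connected" when
# creating the widget. VK's real registry and checks are not public; assumption.
APP_DOMAINS = {"APPID": "site.ru"}

# Sample requests taken from the post; the second is the modified one it shows.
EMBEDDED_REQUEST = ("http://vk.com/widget_comments.php?app=APPID&_ver=1&page=0"
                    "&status_publish=1&attach=*&url=http%3A%2F%2Fsite.ru%2F"
                    "&title=&description=&image=")
DIRECT_REQUEST = ("vk.com/widget_comments.php?app=APPID&_ver=1&page=0"
                  "&status_publish=1&attach=*&url=http%3A%2F%2Fm.habrahabr.ru%2F"
                  "&title=habrahabr.ru&description=, !&image=XXXX_XXXX")


def host_matches(host: str, registered: str) -> bool:
    """True if host is the registered domain or one of its subdomains."""
    host, registered = host.lower().rstrip("."), registered.lower().rstrip(".")
    return host == registered or host.endswith("." + registered)


def validate_widget_request(request_url: str, referer: Optional[str]) -> List[str]:
    """Return the reasons a widget_comments.php request should be rejected.

    An empty list means every caller-controlled field agrees with the domain
    registered for the app id, so the wall post cannot name a foreign site.
    """
    problems = []
    params = parse_qs(urlsplit(request_url).query)
    app = params.get("app", [""])[0]
    registered = APP_DOMAINS.get(app)
    if registered is None:
        return ["unknown app id"]
    # 1. The widget is meant to be embedded: the parent page (Referer) must be
    #    on the registered domain. Opening the frame URL directly has no parent.
    parent_host = urlsplit(referer).hostname if referer else None
    if not parent_host or not host_matches(parent_host, registered):
        problems.append("request not embedded on registered domain")
    # 2. The attachment link must stay on the registered domain, so the post
    #    cannot point at another site (the post above uses m.habrahabr.ru).
    url_host = urlsplit(params.get("url", [""])[0]).hostname or ""
    if not host_matches(url_host, registered):
        problems.append("url parameter points off the registered domain")
    # 3. The top link's caption belongs to the server, not the query string.
    #    A caller-supplied title that looks like a hostname of another site
    #    is rejected (plain-text titles such as "My blog" are left alone).
    title = params.get("title", [""])[0].strip()
    if title and " " not in title and "." in title and not host_matches(title, registered):
        problems.append("title names a different host")
    return problems
```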


Conclusion


After finding this flaw I of course reported it to their technical support, whose agent found it interesting and forwarded the bug for fixing.
Thanks to the developers for making such a wonderful product, and I wish them success in dealing with all the shortcomings of the side services.

Source: https://habr.com/ru/post/193944/
