An interesting Blogger exploit has just been highlighted by Nir Goldshlager in the first post on his new blog. It has already been fixed.
Alongside gushing compliments for Google's security team, the post gives an example of HTTP Parameter Pollution (HPP), a growing class of web application problems. HPP occurs when an attacker injects an extra parameter and value into an application-generated URL or request, so that the same parameter name appears more than once. The impact of the pollution depends on how the application resolves the duplicate, so the best known way to test for and find HPP is fuzzing links and forms for possible injections.
Nir's example shows, in three phases, how an attacker can be added as an Author to any Blogger site and then elevated to Administrator privilege:
- The attacker uses the invite author option in Blogger (add authors):
Vulnerability location:
POST /add-authors.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
As you can see, I added two blogID values in my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).
The server checks the first blogID value and executes the second blogID value of the attacker.
- After that, the attacker receives a mail to confirm him as an author (author invitation link). After that, the attacker will be added as an author on the victim's account.
- At this step it becomes possible to modify the attacker's permission from author to administrator.
Vulnerability Location:
POST /team-member-modify.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
As you can see, there is another field in this request called memberID. Every user in Blogger has a memberID value, so the attacker also needs to provide his memberID value in this POST request. In the Blogger service, any Administrator or Author has a memberID value, so to make a successful attack (become administrator), an attacker must first add himself as an author on the victim's account, and then perform the next step that adds himself as an administrator on the victim's account.
Video of an attack:
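To make the first-value/second-value mismatch concrete, here is an added Python example (not code from Nir's post or from Google) that models a handler which authorizes on the first blogID but acts on the last, next to a hardened handler that rejects any repeated parameter. The request bodies, the OWNED_BLOGS set and the handler names are constructed assumptions modelled on the post's requests.

```python
from urllib.parse import parse_qs

# Constructed sample bodies modelled on the post (placeholder ids, not real ones).
POLLUTED_BODY = ("security_token=tok&blogID=attackerblog&blogID=victimblog"
                 "&authorsList=a%40example.com&ok=Invite")
CLEAN_BODY = ("security_token=tok&blogID=attackerblog"
              "&authorsList=a%40example.com&ok=Invite")

# Assumption: the authenticated caller owns only this blog.
OWNED_BLOGS = {"attackerblog"}


def duplicated_params(body):
    """Names of form parameters that appear more than once (an HPP signal)."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in params.items() if len(values) > 1)


def vulnerable_add_author(body):
    """Mirrors the flaw the post describes: the ownership check reads the first
    blogID while the action is carried out on the last one."""
    params = parse_qs(body, keep_blank_values=True)
    blog_ids = params.get("blogID", [None])
    if blog_ids[0] not in OWNED_BLOGS:      # check uses the first value
        return ("denied", None)
    return ("invited", blog_ids[-1])        # action uses the last value


def hardened_add_author(body):
    """Reject a request that repeats any parameter, then use the single blogID
    for both the ownership check and the action."""
    params = parse_qs(body, keep_blank_values=True)
    dupes = duplicated_params(body)
    if dupes:
        return ("rejected", dupes)          # log this: duplicate params are suspicious
    blog_id = params.get("blogID", [None])[0]
    if blog_id not in OWNED_BLOGS:
        return ("denied", None)
    return ("invited", blog_id)


if __name__ == "__main__":
    print(duplicated_params(POLLUTED_BODY))          # ['blogID']
    print(vulnerable_add_author(POLLUTED_BODY))      # ('invited', 'victimblog')
    print(hardened_add_author(POLLUTED_BODY))        # ('rejected', ['blogID'])
    print(hardened_add_author(CLEAN_BODY))           # ('invited', 'attackerblog')
```

The same duplicate-parameter check is a cheap detection rule at a proxy or WAF, since legitimate clients for this kind of form never send blogID twice.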
Nice dude… you sniffed the traffic and could get the e-mail string sent through the headers, then you replaced your email over the other email. Great.