Hackers of India

Poking servers with Facebook(and other web applications)

 Riyaz Walikar 

2012/12/06

Many web applications provide functionality to pull data from other websites for various reasons. Using user specified URLs, web applications can be made to fetch image files, download XML feeds from remote servers and in the case of Mozilla, text based manifest files as well. This functionality can be abused by making crafted queries using the vulnerable web application as a proxy to attack other remote servers. Attacks arising via this abuse of functionality are named as Cross Site Port Attacks.

Cross Site Port Attacks (XSPA) occur when a web application attempts to connect to user supplied URLs and does not validate backend responses received from the remote server. An attacker can abuse this functionality to send crafted queries to attack external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.)

In this paper we will see how commonly available functionality in most web applications can be abused by attackers to port scan intranet and external Internet facing servers, fingerprint internal network aware services, perform banner grabbing, identify web application frameworks, exploit vulnerable programs, run code on reachable machines, exploit web application vulnerabilities listening on internal networks, read local files using the file protocol and much more. XSPA has been discovered with Facebook, where it was possible to port scan any Internet facing server using Facebook’s IP addresses. Consecutively, XSPA was also discovered in several other prominent web applications on the Internet, including Google, Apigee, StatMyWeb, Mozilla.org, Face.com, Pinterest, Yahoo, Adobe Omniture and several others. We will take a look at the vulnerabilities that were present in the above mentioned web applications that could be used to launch attacks and perform port scans on remote servers and intranet devices using predefined functionality.