How I hacked scammers, or just the insides of phishing panels

INTRO


Recently I came across a situation that is common on the Internet: the classic request from a relative to vote for him in some kind of poll. It turned out that the man had been "hacked" by scammers, and the links to the vote led to phishing resources.


I am keen on security, so out of interest I decided to check how secure the phishing resource itself was.


The scammers' admin panel was successfully hacked; inside there were a number of stolen accounts. Their logins were handed over to the VK security service, and the corresponding abuse complaints were sent to the registrars and hosters.


And now I'll tell you how, and what Phishing-as-a-Service panels turn out to be like...


It all started as usual, with a request from a relative to vote for him in some kind of poll:


Relative:
Hi, I just want to win :) http://x-vote.ru/votes/701738#vote


In fact, I would most likely have ignored such a request, but from a security point of view it was interesting to check the vote itself for a race condition: would it be possible for one account to actually cast several votes by sending them within one short period of time?




[Text lost in extraction; it concerned an HTML+JS payload and Blind XSS.]

xsshunter — when the XSS fires, it reports:

  1. the URL;
  2. the IP;
  3. cookies;
  4. the DOM;
  … [text lost; mentions a VPS].

[Text lost in extraction; it concerned the blind XSS.]



[Text lost in extraction; it concerned the XSS payload and document.cookie, the "httpOnly" flag that keeps JS from reading a cookie, and the panel's API.]




[Screenshots and captions lost in extraction; the panel is built on bootstrap, and the captions mention the API and IP.]


[Text lost in extraction; it concerned the panel's API and the VK execute method execute.getDialogsWithProfilesNewFixGroups.php, see:]
https://vk.com/dev/execute


[Text lost in extraction; it concerned VK and the stolen access token. The request looked like this:]


GET /method/execute.getDialogsWithProfilesNewFixGroups?access_token=****b750be150c961c******ace8d9dd54e448d5f5e5fd2******7e21388c497994536a740e3a45******&lang=ru&https=1&count=40&v=5.69 HTTP/1.1
Host: vk-api-proxy.xtrafrancyz.net

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2020 09:57:08 GMT
Content-Type: application/json; charset=utf-8
Connection: close
Vary: Accept-Encoding
Server: vk-proxy
X-Powered-By: PHP/3.23359
Cache-Control: no-store
X-Frame-Options: DENY
Access-Control-Allow-Origin: *
Content-Length: 57453

{"response":{"a":{"count":271,"unread_dialogs":151,"items":[{"message":{"id":592***,"date":1583222677,"out":0,"user_id":14967****,"read_state":1,"title":"","body":"  : 063725.","owner_ids":[]},"in_read":592***,"out_read":592***}



[Text lost in extraction; mentions blind xss, VK and Bo0oM.]


[Text lost in extraction; it concerned abuse complaints. The phishing sites sat behind Cloudflare; its abuse form, https://www.cloudflare.com/abuse/form, takes 1 url at a time ¯\_(ツ)_/¯]




UPD: [text lost in extraction; mentions QIWI and Yandex.]

