Youtube URL Redirection..

Hi Guys,

Another bug in Google.. This time is with youtube.com

Hmm.. Found a bug in Youtube.. but unfortunately, this bug is out of scope.. Anyway, a bug is a bug.. Lets see..

The issue is an URL redirection vulnerability that existing in upload.youtube.com. When you upload a video which is not proper (invalid), the application redirects you to error URL. This URL is being sent to the server as a parameter, error_redirect. I tried changing the url to some random domain, and guess what, it redirected as i have uploaded an invalid video.

Then, in the request i observed there are two user specific tokens going to the server. They are nothing but anti-csrf tokens and working properly with a valid video. But in the case of an invalid video, they are no longer validated and are being ignored. So i tried to send the request with invalid file, but this time i removed the user specific tokens user_token and session_token. And as i expected, the application issued an 302 redirection to the url in error_redirect parameter.

So finally, i got a URL Open Redirection vulnerability in Youtube. Unfortunately, the bug is out-of-scope. But they fixed the bug nevertheless, by accepting all videos to the processing stage without validating the video.

A video presentation for the same can be found here...


Suggestions and Queries/Corrections are always welcome...

Comments

Post a Comment

Popular posts from this blog

Multiple Vulnerabilities in eFront CMS v3.6.15.4

Image
Hi friends, I am back with Three stories Today. There are multiple critical bugs effecting the e-front, one of the Top 10 e-learing cms available, version 3.6.15.4 build 18023. The details are as follows. Directory Traversal       ( CVE : 2015-4461 ) Local File Inclusion      ( CVE : 2015-4462 ) Bypass for Blocked extension file uploads      ( CVE : 2015-4463 ) About the e-front:   E-front is one of the Top 10 e-learning cms available free on the market till date. A small description from the vendor's site: "The core of eFront is distributed as an open-source project. We have created a superior training product and we are not afraid to let you try it! The open-source edit of eFront will cover a wide range of your needs. If you are looking for a specialized solution then take a look at different efront editions ." The Issues are fixed as part of new release, efront v3.6.15.5 build 18024. You can find the chan...
Read more

Cross Site Scripting through callback functionality

Image
Hello Guys, Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story. The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application. This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value. https://www.DUMMY-WEBSITE.com/users/ajaxonforgotpassword.php?callback=<script>alert(document.cookie)</script>...
Read more

How I could Delete Instagram Captions and Comments that are not mine,.....

Image
Its been a while since i published my last post. So, here i come with a write up for chaining of multiple issues in Facebook Acquisition - Instagram, that could allowed me to delete entire comments/captions from the Instagram DB . Instagram Web and mobile Applications For the first 2 hours or so, I could not find anything as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, i was about the close my Mac and then, saw a request without signature. request without a signature Bingo..something to play around. so i started working on the request, trying to find most common bugs, like sqli,xss, csrf etc.. Then to cross verify a csrf issue, I used my browser. But to my surprise, in later requests in browser app, there is no signature at all, but of-course csrf issue is properly protected. So while testing with both the App and Browser together, I realised that there is an authorisation ...
Read more