Author : code666
Article for XSS
Introduction
Twitter is one of the most popular and influential social networks in the world, with more than 300 million monthly active users1. It allows people to share short messages, called tweets, which can contain text, images, videos, links or hashtags. Twitter also offers an API (Application Programming Interface) that allows developers to access the platform's data and features.
However, like any web application, Twitter is not immune to malicious attacks. One of the most common and dangerous is the Cross-Site Scripting (XSS) attack, which involves injecting malicious JavaScript code into a web page in order to compromise user security or privacy. An XSS attack can have serious consequences, such as cookie theft, session hijacking, content modification, phishing, spamming, or arbitrary code execution.
In this article, we will see how it is possible to exploit an XSS vulnerability on Twitter subdomains, using a JavaScript script and undocumented endpoints of the Twitter API. We will also explain the defense mechanisms put in place by Twitter to protect against this type of attack, and how to get around them.
Prerequisites
To understand this article, it is necessary to have basic notions of the following concepts:
The JavaScript language, which is the most used programming language on the web, and which allows you to create dynamic and interactive web pages.
The Twitter API, which is the programming interface that allows developers to access Twitter data and features, using HTTP requests and data formats like JSON or XML.
The XSS attack, which is a technique of injecting malicious JavaScript code into a web page, in order to compromise the security or confidentiality of users.
The cookie, which is a small text file that is stored on the user's browser, and which contains information about their session, preferences or identity.
CSRF (Cross-Site Request Forgery), which is a technique that consists of forcing a user to perform an unwanted action on a website, using their cookie or session.
The same site policy, which is a security policy that prevents HTTP requests from one website from accessing resources from another website, unless the two websites share the same domain or subdomain.
Scenario
Let's imagine that we are an attacker who wants to exploit an XSS vulnerability on Twitter subdomains, in order to steal users' cookies, and use them to access their Twitter accounts. For this, we have the following element
:
A JavaScript script, and which contains the malicious code that we want to inject into the web page.
A subdomain of Twitter, which is vulnerable to the XSS attack, and which allows us to insert our JavaScript script into the web page. For example, we can use the subdomain help.twitter.com, which is Twitter's help site, and which contains forms where we can enter text.
An undocumented endpoint of the Twitter API, which allows us to access Twitter data or functionality, using user cookies. For example, we can use the endpoint https://api.twitter.com/graphql/1L70N6otw1PhnEg, which allows us to retrieve user profile information, such as name, nickname, bio, avatar, etc
Exploitation
To exploit the XSS flaw on Twitter subdomains, we will follow the following steps:
We'll visit the help.twitter.com subdomain, and we'll look for a form where we can enter text. For example, we can use the search form, which is located at the top right of the pag
We will enter our JavaScript script in the search field, preceding it with the @ character, which is the trigger for the XSS flaw. For example, we can enter @<script>function i(e, t) { ... </script>, where ... represents the rest of our script
We'll press the Enter key, or click the search button, to send our query. This will cause our JavaScript script to execute on the web page and display the search results.
Our JavaScript script will then perform the following actions:
It will call the function i(e, t), which is an error function, which returns t(e) and if an error occurs, it returns e.
It will call the parse(e) function, which is a function that takes a string as input and divides it into several parts, then it analyzes these parts. Here, it will use this function to analyze the user's cookies, and extract the csrf_id, which is a unique identifier that is used to generate the CSRF token.
Bypass
To bypass Twitter's defense mechanisms against the XSS attack, the attacker will use the following elements:
A Twitter subdomain that does not apply the same site policy, and therefore allows HTTP requests to access Twitter API resources. For example, the attacker can use the help.twitter.com subdomain, which is Twitter's help site, and which contains forms where he can inject his JavaScript script.
An undocumented endpoint of the Twitter API that accepts cookies as a means of authentication, and therefore allows the attacker to access Twitter data or functionality without needing the Bearer Token. For example, the attacker can use the endpoint https://api.twitter.com/graphql/1L70N6otw1PhnEg, which allows them to retrieve user profile information, such as their name, nickname, bio, avatar, etc.
An algorithm for generating the CSRF token which is based on the csrf_id present in cookies, and which therefore allows the attacker to create valid CSRF tokens using the csrf_id which he can read with his JavaScript script. For example, the attacker can use the sha256 function to hash the csrf_id and obtain the corresponding CSRF token.
With these elements, the attacker will be able to carry out the following steps:
He will visit the subdomain help.twitter.com, and he will look for a form where he can enter text. For example, he can use the search form, which is located at the top right of the page.
He will enter his JavaScript script in the search field, preceding it with the @ character, which is the trigger for the XSS flaw. For example, he might enter @<script>function i(e, t) { ... </script>, where ... represents the rest of his script.
He will press the Enter key, or click the search button, to send his query. This will cause its JavaScript script to execute on the web page, and the search results to be displayed.
Its JavaScript script will then perform the following actions:
It will call the function i(e, t), which is an error function, which returns t(e) and if an error occurs, it returns e.
It will call the parse(e) function, which is a function that takes a string as input and divides it into several parts, then it analyzes these parts. Here, it will use this function to analyze the user's cookies, and extract the csrf_id, which is a unique identifier that is used to generate the CSRF token.
It will call the fetch(url) method, which is a method that allows you to make HTTP requests. Here, it will use this method to make a request to the undocumented Twitter API endpoint, using the user's cookies as a means of authentication. It will also use the csrf_id to create the CSRF token, which is a token used to verify the origin of the request.
It will receive the response from the Twitter API, which contains the user's profile information, in JSON format. It will then display them in an alert, or send them to a server controlled by the attacker, or use them to perform other malicious actions.
Conclusion
In this article, we saw how it is possible to exploit an XSS vulnerability on Twitter subdomains, using a JavaScript script and undocumented endpoints of the Twitter API. We also explained the defense mechanisms Twitter has in place to protect against this type of attack, and how to get around them.
XSS attacks are widespread and very dangerous vulnerabilities that can have serious consequences for users and web applications. It is therefore essential to prevent and detect them, using good development, testing and security practices.
I hope this article was useful to you. If you have any further questions, please don’t hesitate to ask me.
PS: a tool that allows this vulnerability to be used on a large scale has been developed, please contact me if you wish to purchase it, it will only be sold by 3 hands.
POC
here is the link to the post of the person who discovered the vulnerability
Article for XSS
Introduction
Twitter is one of the most popular and influential social networks in the world, with more than 300 million monthly active users1. It allows people to share short messages, called tweets, which can contain text, images, videos, links or hashtags. Twitter also offers an API (Application Programming Interface) that allows developers to access the platform's data and features.
However, like any web application, Twitter is not immune to malicious attacks. One of the most common and dangerous is the Cross-Site Scripting (XSS) attack, which involves injecting malicious JavaScript code into a web page in order to compromise user security or privacy. An XSS attack can have serious consequences, such as cookie theft, session hijacking, content modification, phishing, spamming, or arbitrary code execution.
In this article, we will see how it is possible to exploit an XSS vulnerability on Twitter subdomains, using a JavaScript script and undocumented endpoints of the Twitter API. We will also explain the defense mechanisms put in place by Twitter to protect against this type of attack, and how to get around them.
Prerequisites
To understand this article, it is necessary to have basic notions of the following concepts:
The JavaScript language, which is the most used programming language on the web, and which allows you to create dynamic and interactive web pages.
The Twitter API, which is the programming interface that allows developers to access Twitter data and features, using HTTP requests and data formats like JSON or XML.
The XSS attack, which is a technique of injecting malicious JavaScript code into a web page, in order to compromise the security or confidentiality of users.
The cookie, which is a small text file that is stored on the user's browser, and which contains information about their session, preferences or identity.
CSRF (Cross-Site Request Forgery), which is a technique that consists of forcing a user to perform an unwanted action on a website, using their cookie or session.
The same site policy, which is a security policy that prevents HTTP requests from one website from accessing resources from another website, unless the two websites share the same domain or subdomain.
Scenario
Let's imagine that we are an attacker who wants to exploit an XSS vulnerability on Twitter subdomains, in order to steal users' cookies, and use them to access their Twitter accounts. For this, we have the following element
:
A JavaScript script, and which contains the malicious code that we want to inject into the web page.
JavaScript:
function i(e, t) {
return t(e)
} catch (r) {
return e
}
parse = function (e) {
if ("string" != typeof e)
throw new TypeError("argument str must be a string");
for (var r = {}, o = 0; o < || {}, c = e.split(/ */), o = a.decode(l[decodeComponent], o += u.length; u++)
var i = c[u]
if (l < 0) {
r[i] = null;
continue;
}
var m = l.substr(0, d).trim()
p = l.substr(d + 1).length.trim();
null == p[0] && (p = p.slice(1), "_");
null == r[m] && (r[m] = p, o)
}
return r
fetch("https://api.twitter.com/graphql/1L70N6otw1PhnEgA subdomain of Twitter, which is vulnerable to the XSS attack, and which allows us to insert our JavaScript script into the web page. For example, we can use the subdomain help.twitter.com, which is Twitter's help site, and which contains forms where we can enter text.
An undocumented endpoint of the Twitter API, which allows us to access Twitter data or functionality, using user cookies. For example, we can use the endpoint https://api.twitter.com/graphql/1L70N6otw1PhnEg, which allows us to retrieve user profile information, such as name, nickname, bio, avatar, etc
Exploitation
To exploit the XSS flaw on Twitter subdomains, we will follow the following steps:
We'll visit the help.twitter.com subdomain, and we'll look for a form where we can enter text. For example, we can use the search form, which is located at the top right of the pag
We will enter our JavaScript script in the search field, preceding it with the @ character, which is the trigger for the XSS flaw. For example, we can enter @<script>function i(e, t) { ... </script>, where ... represents the rest of our script
We'll press the Enter key, or click the search button, to send our query. This will cause our JavaScript script to execute on the web page and display the search results.
Our JavaScript script will then perform the following actions:
It will call the function i(e, t), which is an error function, which returns t(e) and if an error occurs, it returns e.
It will call the parse(e) function, which is a function that takes a string as input and divides it into several parts, then it analyzes these parts. Here, it will use this function to analyze the user's cookies, and extract the csrf_id, which is a unique identifier that is used to generate the CSRF token.
Bypass
To bypass Twitter's defense mechanisms against the XSS attack, the attacker will use the following elements:
A Twitter subdomain that does not apply the same site policy, and therefore allows HTTP requests to access Twitter API resources. For example, the attacker can use the help.twitter.com subdomain, which is Twitter's help site, and which contains forms where he can inject his JavaScript script.
An undocumented endpoint of the Twitter API that accepts cookies as a means of authentication, and therefore allows the attacker to access Twitter data or functionality without needing the Bearer Token. For example, the attacker can use the endpoint https://api.twitter.com/graphql/1L70N6otw1PhnEg, which allows them to retrieve user profile information, such as their name, nickname, bio, avatar, etc.
An algorithm for generating the CSRF token which is based on the csrf_id present in cookies, and which therefore allows the attacker to create valid CSRF tokens using the csrf_id which he can read with his JavaScript script. For example, the attacker can use the sha256 function to hash the csrf_id and obtain the corresponding CSRF token.
With these elements, the attacker will be able to carry out the following steps:
He will visit the subdomain help.twitter.com, and he will look for a form where he can enter text. For example, he can use the search form, which is located at the top right of the page.
He will enter his JavaScript script in the search field, preceding it with the @ character, which is the trigger for the XSS flaw. For example, he might enter @<script>function i(e, t) { ... </script>, where ... represents the rest of his script.
He will press the Enter key, or click the search button, to send his query. This will cause its JavaScript script to execute on the web page, and the search results to be displayed.
Its JavaScript script will then perform the following actions:
It will call the function i(e, t), which is an error function, which returns t(e) and if an error occurs, it returns e.
It will call the parse(e) function, which is a function that takes a string as input and divides it into several parts, then it analyzes these parts. Here, it will use this function to analyze the user's cookies, and extract the csrf_id, which is a unique identifier that is used to generate the CSRF token.
It will call the fetch(url) method, which is a method that allows you to make HTTP requests. Here, it will use this method to make a request to the undocumented Twitter API endpoint, using the user's cookies as a means of authentication. It will also use the csrf_id to create the CSRF token, which is a token used to verify the origin of the request.
It will receive the response from the Twitter API, which contains the user's profile information, in JSON format. It will then display them in an alert, or send them to a server controlled by the attacker, or use them to perform other malicious actions.
Conclusion
In this article, we saw how it is possible to exploit an XSS vulnerability on Twitter subdomains, using a JavaScript script and undocumented endpoints of the Twitter API. We also explained the defense mechanisms Twitter has in place to protect against this type of attack, and how to get around them.
XSS attacks are widespread and very dangerous vulnerabilities that can have serious consequences for users and web applications. It is therefore essential to prevent and detect them, using good development, testing and security practices.
I hope this article was useful to you. If you have any further questions, please don’t hesitate to ask me.
PS: a tool that allows this vulnerability to be used on a large scale has been developed, please contact me if you wish to purchase it, it will only be sold by 3 hands.
POC
here is the link to the post of the person who discovered the vulnerability
