Cross Site Port Attack (XSPA): Detection and Exploitation

Hello guys! Today I am going to tell you what XSPA is, and how I found an XSPA vulnerability in Facebook and used it to create a totally anonymous port scanner.

Cross Site Port Attack (XSPA)

A web app is vulnerable to Cross Site Port Attack if it processes user-supplied URLs and does not sanitize the backend response received from remote servers before sending it back to the user. In certain cases the responses can be studied to identify service availability (port status, banners, etc.) and even to fetch data from remote services in unconventional ways.
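The two conditions in that definition map to two server-side controls, sketched here as an added example that is not code from the original post or from any service it mentions: restrict where a user-supplied URL may point before fetching it, and return one generic result so the backend response does not reveal port state. The function names and the allowed-port policy are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: a link-preview fetcher needs only these


def resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_target(url, resolver=resolve):
    """Return (ok, reason) for a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for out-of-range or junk ports
    except ValueError:
        return False, "malformed"
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False, "scheme"
    if parts.username or parts.password:
        return False, "userinfo"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError):  # lookup failure or unparsable address
        return False, "dns"
    # Refuse loopback, private, link-local and other non-public destinations.
    if not addrs or not all(a.is_global for a in addrs):
        return False, "address"
    return True, "ok"


def public_result(ok, backend_status=None, backend_error=None):
    """What the user sees: one generic failure, never the raw status or error."""
    if ok and backend_status == 200:
        return {"preview": True}
    return {"preview": False, "error": "Could not generate a preview."}
```

The fetcher should connect to the address that was validated rather than resolving the name a second time, and redirects should be disabled or passed through `check_target` again.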

Detecting a potential XSPA vulnerability is really simple: if the web app takes URLs as input, try to make it connect to ports and analyse the output. Confused? Let me show you how I found an XSPA vulnerability in Facebook.

So I was reading about XSPA’s possible uses and suddenly a thought popped into my mind. I opened up a chat box in Facebook and typed https://teamultimate.in in it, and it loaded a preview of the link as usual.

Then I ran a port scan on teamultimate.in and found that ports 80, 443 and 8080 were open, so I tried to make Facebook connect to port 80 of the website (server actually) by entering https://teamultimate.in:80/, but its response didn’t make clear whether the port was closed or not.

So I started to look here and there in Facebook for an XSPA vulnerability, and at last I opened developers.facebook.com and entered https://teamultimate.in:443/ into the sharing debugger. Here’s the result:

It connected to that port and gave us the HTTP response code as a bonus, so it is clear that it’s vulnerable to XSPA. The first thing that came to my mind was to create a port scanner which can use this vulnerability, but for me it was hard to use, as this page gives the following warning whenever a user enters a new URL.

And I am not that good at programming so it was not possible for me to make a request, click this Fetch new information and fetch the results. Too much work :p

But the “Scraped URL” feature was a savior.

It returns the HTTP response neat and clean.

When we try to connect to a closed port (98 in this case), it gives a blank page as output.

So I created a Python script that takes a domain/IP address as input and puts it into the q parameter, then it reads the source code of the result page and decides whether the IP is closed or not. It’s totally anonymous, as the target will be getting requests from Facebook’s server and not our device. I named it anoNmap.

You can download it from its GitHub repository.

That’s all folks! I hope you enjoyed the article and understood whatever I discussed in here.

About the author


I am Somdev Sangwan also known as D3V. I am n00b and I love computers and hacking. I am a python freak and your friendly neighborhood hacker.

1 Comment

  • Well done, can you please share any script with PHP code to do any task like add a random parameter and check for a specific response, and if got then log it somewhere?