Hello guys! Today I am going to tell you what XSPA is, how I found an XSPA vulnerability in Facebook and how I used it to create a totally anonymous port scanner.
Cross Site Port Attack (XSPA)
A web app is vulnerable to Cross Site Port Attack if it processes user-supplied URLs and does not sanitize the backend response received from remote servers before sending it back to the user. In certain cases, the responses can be studied to identify service availability (port status, banners, etc.) and even to fetch data from remote services in unconventional ways.
Detecting a potential XSPA vulnerability is really simple: if the web app takes URLs as input, try to make it connect to different ports and analyse the output. Confused? Let me show you how I found an XSPA vulnerability in Facebook.
So I was reading about XSPA's possible uses and suddenly a thought popped into my mind. I opened a chat box in Facebook, typed https://teamultimate.in into it, and it loaded a preview of the link as usual.
Then I ran a port scan on teamultimate.in and found that ports 80, 443 and 8080 were open, so I tried to make Facebook connect to port 80 of the website (the server, actually) by entering https://teamultimate.in:80/, but its response did not make clear whether the port was closed or not.
So I started to look here and there in Facebook for an XSPA vulnerability, and at last I opened developers.facebook.com and entered https://teamultimate.in:443/ into the Sharing Debugger. Here's the result:
It connected to that port and gave us the HTTP response code as a bonus, so it is clear that it's vulnerable to XSPA. The first thing that came to my mind was to create a port scanner that uses this vulnerability, but for me this page was hard to use, because it gives the following warning whenever a user enters a new URL:
And I am not that good at programming, so it was not possible for me to make a request, click this "Fetch new information" button and then fetch the results. Too much work :p
But the "Scraped URL" feature was a savior.
It returns the HTTP response neat and clean.
When we try to connect to a closed port (98 in this case), it gives a blank page as output.
So I created a Python script that takes a domain/IP address as input and puts it into the q parameter, then reads the source code of the result page and decides whether the port is open or closed. It's totally anonymous, as the target will be getting requests from Facebook's server and not from our device. I named it anoNmap.
You can download it from its GitHub repository.
That's all folks! I hope you enjoyed the article and understood everything I discussed here.
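For the defending side, here is an added example (not part of the original post, nor of the anoNmap script) of the URL policy a link-preview fetcher can apply before contacting anything: only http/https on the default web ports, and no targets that resolve to internal addresses. The domain names, the IP addresses and the offline `fake_resolve` lookup table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Policy for a link-preview fetcher (constructed example, not Facebook's code):
# only http/https, only the default web ports, no internal destinations.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def resolve(hostname):
    """Resolve a hostname with system DNS; returns [] when resolution fails."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]

def check_preview_url(url, resolver=resolve):
    """Return (allowed, reason) for a user-supplied preview URL.
    The fetcher must then connect to the address checked here, not re-resolve
    the name (otherwise DNS rebinding defeats the check)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        # Honouring arbitrary :port values is what turns a fetcher into a port probe.
        return False, "non-standard port"
    addrs = resolver(parts.hostname)
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False, "internal address"
    return True, "ok"

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {"teamultimate.in": ["93.184.216.34"],  # placeholder public address
            "intranet.local": ["10.0.0.5"],
            "localhost": ["127.0.0.1"]}

def fake_resolve(hostname):
    return [ipaddress.ip_address(a) for a in FAKE_DNS.get(hostname, [])]
```

The same fetcher should also return one uniform "preview unavailable" result for every failed fetch, instead of echoing the backend's HTTP status code or a blank page, since that difference is exactly what the scanner above reads.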