
Thursday, July 28, 2011

InfoJacking - A Walk through Social Networking Websites

Last month, I presented at the Source Seattle conference. The slides are available for download from Cigital's website here, and I also wrote up some views on different cases of collecting information here. Detecting hidden devices such as WAFs, and protecting against advanced attacks, are very important. In my presentation I discussed different cases of collecting information from HTTP response headers. I thought I would take that a step further and verify the state of some social networking websites.

The Facebook response header dump looks as follows:

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.facebook.com; httponly
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.249.30
X-Cnection: close
Transfer-Encoding: chunked
Date: Fri, 29 Jul 2011 02:39:59 GMT

The highlighted part of the dump, the X-FB-Server and X-Cnection headers, suggests that Facebook is sitting behind a NetScaler [WAF + Load Balancer] device. By continuously observing and validating certain functions, I extracted some combinations of URLs and the related HTTP header sent with each, i.e. X-FB-Server:

https://www.facebook.com/login.php?login_attempt=1
X-FB-Server: 10.36.129.112

http://www.facebook.com/home.php?sfrm=1
X-FB-Server: 10.36.252.123

http://static.ak.fbcdn.net/rsrc.php/v1/yn/r/l2REPOIm5eD.css
X-FB-Server: 10.138.17.184

http://static.ak.fbcdn.net/rsrc.php/v1/yp/r/uRff5za-w5e.css
X-FB-Server: 10.138.64.186

http://static.ak.fbcdn.net/rsrc.php/v1/yT/r/cWd6w4ZgtPx.png
X-FB-Server: 10.30.147.194

http://www.facebook.com/ajax/chat/buddy_list.php?__a=1
X-FB-Server: 10.42.74.73

http://www.facebook.com/ajax/chat/buddy_list.php?__a=1
X-FB-Server: 10.43.50.79

http://www.facebook.com/ajax/hovercard/user.php?id=1036258667&__a=1
X-FB-Server: 10.42.174.47

http://www.facebook.com/ajax/ufi/modify.php?__a=1
X-FB-Server: 10.42.108.21

http://www.facebook.com/?ref=logo&__a=20&ajaxpipe=1&quickling[version]=412753%3B0
X-FB-Server: 10.42.118.79

The X-FB-Server header value changed from response to response. One thing that stayed the same, however, was the pairing of X-FB-Server with X-Cnection, which simply shows that a WAF + Load Balancer is playing a role.

Facebook does not, however, reveal web server information in the Server header. Its responses do contain an "X-Backend:" header with varying values. For informational purposes, the X-Backend header is sent primarily by three different servers: nginx, Apache-Coyote and lighttpd.
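As an added example (not code from the original post), a small Python script that parses a raw header block like the dump above, flags the headers the post calls out (X-FB-Server, X-Cnection, X-Backend, Server; Via and X-Powered-By are my own assumed additions), and counts distinct X-FB-Server values per host from a list of URL/value observations. It is the kind of check a site owner can run against their own responses to see what they disclose:

```python
"""Audit a raw HTTP response header block for infrastructure-revealing headers.
Added example, not from the original post. X-FB-Server, X-Cnection, X-Backend
and Server come from the post; Via and X-Powered-By are my own additions."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a subset of the headers quoted in the post.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Set-Cookie: wd=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; httponly
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.249.30
X-Cnection: close
Transfer-Encoding: chunked
"""

# What each header tends to disclose (interpretations follow the post).
DISCLOSING_HEADERS = {
    "x-fb-server": "backend host address chosen by the load balancer",
    "x-cnection": "Connection header rewritten by a NetScaler-style device",
    "x-backend": "backend web-server family",
    "server": "web-server product and possibly version",
    "x-powered-by": "application framework",
    "via": "intermediate proxy",
}

def parse_headers(raw: str) -> list:
    """Split a header block into lowercased (name, value) pairs; the status
    line is dropped and repeated headers such as Set-Cookie are kept."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    pairs = []
    for line in lines:
        if ":" in line:                      # ignore non "Name: value" lines
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def find_disclosures(raw: str) -> dict:
    """Return {header: value} for every disclosing header in the block."""
    return {n: v for n, v in parse_headers(raw) if n in DISCLOSING_HEADERS}

def backends_per_host(observed: list) -> Counter:
    """From (url, x_fb_server_value) pairs like those listed in the post,
    count distinct backend addresses per hostname: a value that varies while
    X-Cnection stays constant is the post's evidence for a load balancer."""
    distinct = {(urlsplit(url).hostname, ip) for url, ip in observed}
    return Counter(host for host, _ in distinct)
```

Running `find_disclosures(SAMPLE_RESPONSE)` on the constructed block returns the X-FB-Server and X-Cnection entries, which is exactly the pairing the post singles out.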

The point is that HTTP response headers reveal a lot of information that can be potentially useful for testing purposes.