Introduction
While exploiting CVE-2021-32478, I realised that when the link is shared on some social media it doesn't show any preview, whereas legitimate links in most cases show a brief description or even an image.
After a couple of searches on Google I found this post explaining it. Basically, whenever you share a link, the platform makes a GET request to it and picks out some HTML meta tags.
It makes sense that when sharing a link to this particular CVE, which is almost a blank page, it isn't able to get that metadata from the page, hence showing no preview.
The idea to trick people into thinking that the link is legit consists of creating a malicious web server that includes a PHP file with the needed meta tags and then redirects to the malicious XSS URL.
Setup
Following the instructions on how the previews are generated, let's create the evil PHP file to abuse CVE-2021-32478, which is in an endpoint that doesn't show any preview, which may look somewhat suspicious:
Another interesting detail is that the redirect afterwards has to be done with <meta http-equiv="refresh".../>, because a Location HTTP header caused the preview not to be rendered.
Start a server with PHP (php -S 0.0.0.0:8000) and ngrok (ngrok http 8000). Now we can share the ngrok link, and here is how it displays on Discord (it works the same way on most common social media platforms):
If you share the link before starting the web server, it won't generate any preview, since it can't get the meta tags.
Finally, we can validate the PoC: when the victim clicks on the URL, we can see that we got the cookies:
However, sharing an ngrok URL may be even more suspicious than sharing a URL that doesn't show a preview on social media. Still, this could be used with other phishing techniques.
Note that URL shorteners won't work because they rely on redirects; I tried out maskphish when I realised that behaviour.
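A defender-side check for the pattern described above, as an added example that is not part of the original post: it parses a fetched page and flags the case where preview meta tags are served together with a meta refresh that leaves the host. The function name, the list of preview keys and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Meta keys that preview generators commonly read (assumed list, not exhaustive).
PREVIEW_KEYS = {"og:title", "og:description", "og:image",
                "twitter:title", "twitter:image", "description"}

class _MetaScan(HTMLParser):
    """Collects preview meta tags and the target of a meta refresh, if any."""
    def __init__(self):
        super().__init__()
        self.preview = {}
        self.refresh = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        key = (a.get("property") or a.get("name") or "").lower()
        if key in PREVIEW_KEYS:
            self.preview[key] = a.get("content", "")
        if a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.refresh = m.group(1).strip()

def check_preview_redirect(page_url, html):
    """Flag pages whose preview describes one site while the visitor is sent to another."""
    scan = _MetaScan()
    scan.feed(html)
    result = {"preview_tags": sorted(scan.preview), "redirect": None, "suspicious": False}
    if scan.refresh:
        target = urljoin(page_url, scan.refresh)  # resolve relative refresh targets
        result["redirect"] = target
        cross_host = urlparse(target).hostname != urlparse(page_url).hostname
        result["suspicious"] = bool(scan.preview) and cross_host
    return result

# Constructed samples: hosts and tag contents are placeholders, not real data.
SAMPLE_DECOY = """<html><head>
<meta property="og:title" content="Course catalogue">
<meta property="og:description" content="Browse available courses">
<meta http-equiv="refresh" content="0; url=https://lms.example.test/some/page">
</head></html>"""
SAMPLE_BENIGN = """<html><head>
<meta property="og:title" content="Course catalogue">
<meta http-equiv="refresh" content="30; url=/catalogue">
</head></html>"""
```

A link-scanning proxy or chat moderation bot can apply the same check to the HTML it already fetches for preview generation and withhold the preview when the result is flagged.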