Tuesday, August 13, 2019

SSRF Vulnerability in https://app.[REDACTED].com


Almost a year ago I found a simple SSRF Vulnerability in a private program which allow me to inject a SSRF payload thru their Webhook.

There is a feature called "Test Webhook" on their application and while trying some other kind of vulnerability, I was able to trigger a SSRF on this feature.

So long story short, here's the report timeline and proof of concept of this issue.

--Proof of Concept--

1. Go to https://app.<REDACTED>.com/app/webhooks
2. In the "Test Webhook" input the test payload

In my test, I tried making a request from port 22, 21 and 80  (http://scanme.nmap.org:22) and the response is

Port 22: Response: Bad response: (u'wrong number of parts', 'SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10')

Port 21: Response: Response: Could not connect to remote server: No route to host: 101: Network is unreachable.

Port 80: Response: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<title>Go ahead and ScanMe!</title>

<link REL="SHORTCUT ICON" HREF="/shared/images/tiny-eyeicon.png" TYPE="image/png">
<link rel="stylesheet" href="/shared/css/insecdb.css" type="text/css">


Report Title: SSRF in https://app.<REDACTED>.com/app/webhooks
Reported: 24 Oct 2018 22:21:32 UTC
Closed: 29 Oct 2018 20:07:02 UTC (Duplicate)

So I hope you enjoy this write up and have a great day everyone!

Saturday, August 10, 2019

Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up)

A year ago I participated on this private program on Bugcrowd and found some good quality vulnerabilities which earns me a good amount of bounty and one of my favorite vulnerability was this Application Level DoS (Denial of Service) using a malicious SVG file. This is my first time reporting this kind of issue that time though I reported some SVG file related vulnerabilities but this one is new to me since it was a Denial of Service using the SVG and it makes me feel more excited about it before.

So after my first report was rewarded by them which is a Stored XSS using SVG file, I continued digging down on the same area and luckily found this issue. What really makes this as one of my favorite vulnerability that I found is because I learned something new from the Triaged person who handle this report. I learned something new from him because of this report.

So long story short, here's the report timeline and proof of concept.

--Proof of Concept--

1. Go to https://<REDATED> then login
2. Go to https://<REDATED>/<username>/primary-brand
3. Click the Edit button or turn ON the Edit button in the upper left conrner of the page
4. In the Images section upload the attach SVG file.
5. Open the upload SVG file and see the result.

I have attached a GIF file for the whole demonstration of the bug, I hope you understand.

Live Demo of my test: https://user-images.<REDATED>/<userid>/primary-brand/<filename>.svg

Tested in Firefox which results into browser crash and Google Chrome which also results into browser crash.


Report Title: DoS using SVG file in https://<REDACTED>
Reported: 17, February 2018 16:52:37 UTC
Update (Triaged Staff): 21 Feb 2018 17:24:32 UTC

Hello evanricafort,
The crashing of your browser must have been because of out of memory bounds. Can you try to use Windbg to check why it crashed? It allows me to check if there is a break instruction exception. This is not reproducible in my Chrome, Safari, and Firefox in Mac thus I would like to check the output from Windbg to check if this is indeed a vulnerability.
My Update Response: 21 Feb 2018 18:04:50 UTC

not really familiar with windbg but I tried it with my firefox browser and this is what I got
Microsoft (R) Windows Debugger Version 10.0.16299.91 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff66ca80000 00007ff66caf7000 C:\Program Files\Mozilla Firefox\firefox.exe
ModLoad: 00007ff9bb8b0000 00007ff9bba71000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ff9bb070000 00007ff9bb11d000 C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007ff9b89c0000 00007ff9b8ba8000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 00007ff9b97b0000 00007ff9b9857000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ff9b9280000 00007ff9b931d000 C:\Windows\system32\msvcrt.dll
ModLoad: 00007ff9ac2e0000 00007ff9ac305000 C:\Program Files\Mozilla Firefox\mozglue.dll
ModLoad: 00007ff9bb310000 00007ff9bb36b000 C:\Windows\system32\sechost.dll
ModLoad: 00007ff9b8cb0000 00007ff9b8dcd000 C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ff9b4610000 00007ff9b461a000 C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007ff9aa550000 00007ff9aa5ee000 C:\Program Files\Mozilla Firefox\MSVCP140.dll
ModLoad: 00007ff9ac400000 00007ff9ac417000 C:\Program Files\Mozilla Firefox\VCRUNTIME140.dll
ModLoad: 00007ff9b7170000 00007ff9b7264000 C:\Windows\SYSTEM32\ucrtbase.dll
ModLoad: 00007ff9b79d0000 00007ff9b79db000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ff9b8890000 00007ff9b88fa000 C:\Windows\system32\bcryptPrimitives.dll
ModLoad: 000001b246430000 000001b246434000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 000001b246440000 000001b246444000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll
ModLoad: 000001b246450000 000001b246453000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
ModLoad: 000001b246460000 000001b246464000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll
ModLoad: 000001b246470000 000001b246474000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll
ModLoad: 000001b246480000 000001b246483000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll
ModLoad: 000001b246490000 000001b246495000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
ModLoad: 000001b2464a0000 000001b2464a5000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
ModLoad: 000001b2464c0000 000001b2464c3000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
ModLoad: 000001b2464d0000 000001b2464d3000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll


ModLoad: 00007ff9b0400000 00007ff9b0674000 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.839_none_a2ddba30a539a2ae\comctl32.dll
(2a84.2b90): Break instruction exception - code 80000003 (first chance)
00007ff9`bb958860 cc int 3
 Follow-up Update (Triaged Staff): 23 Feb 2018 16:16:43 UTC

Hello Evan,

Based on the breakpoint, it did crash from your end:

ModLoad: 00007ff9b0400000 00007ff9b0674000 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.839_none_a2ddba30a539a2ae\comctl32.dll
(2a84.2b90): Break instruction exception - code 80000003 (first chance)
00007ff9`bb958860 cc int 3

Windbg allows us to check if there is a DoS or if it has overwritten the EIP / instruction pointer, etc. In this case, it tells us that a crash has actually occurred. Since this is reproducible from your end and not for all users, I am marking this issue as P3.

Closed: 06 Jul 2018 20:28:52 UTC (Won't fix)
Thank you for your help in making <REDACTED> safer. The application will be sunset very soon and development has ceased. Therefore we are closing the reported issue as WON'T FIX.
Reward: $300 + 10 Kudos points

So I hope you enjoy this write up and have a great day everyone!

"Opportunities don't happen. You create them."
― Chris Grosser

Friday, August 09, 2019

Read other user support tickets in https://support..com (Write Up)


In this article I will show you how I found a Insecure Direct Object Reference Vulnerability that I found in a private program on Bugcrowd few years ago. The vulnerability allow me to access any support tickets without any restriction by just enumerating/changing the ticket IDs. The vulnerability feature was the ticket printing on the support dashboard.

This issue was reported to a private program on bugcrowd few years ago and closed as Won't fix.

So below is the report timeline and proof of concept of the issue.

--Proof of Concept--

1. Go to https://support.<REDACTED>.com
2. Create a ticket
3. Print your ticket and you will get the ff. url.
Vulnerable URL: https://support.<REDACTED>.com/client/ticket/print/<ticket id>

The ticket ID is composed of five numbers so using BurpSuite intruder, I was able to enumerate to check every single ticket which allowed me to read other users Email Address, Username, Message and etc...

Result: Insecure Direct Object Reference Vulnerability.

--Report Timeline--

Report Title: Read any support ticket on with restriction
Reported: 20, June 2017
Closed: 21, July 2017
Reward: $120

thank you for the submission. We are awarding the bounty. However, this was scheduled to go offline before your submission, so we are likely not going to fix this one.
Happy hunting!

So I hope you enjoy this write up, have a great day everyone!

“It is better to be hated for what you are than to be loved for what you are not.”
― Andre Gide, Autumn Leaves