Yassine ABOUKIR

Security Analyst at HackerOne Inc


A tale of three bug bounties

December 12, 2016 · Yassine ABOUKIR · 3 Comments

I have lately been slack about publishing, and my recent articles on Infosec Institute were more descriptive than technical. So I decided to write this post about three interesting security vulnerabilities I discovered in three programs: PayPal, and two private programs on HackerOne that I will not be disclosing. The flaws are covered in the following order:

  1. Insecure Direct Object Reference: partial disclosure of users' payment information.
  2. Sensitive Information Disclosure: users' PII disclosure (including hashed passwords).
  3. PayPal unvalidated redirect leading to potential Cross-Site Scripting (XSS).

—————-

The first vulnerability was found two days before heading to DefCon 😀 The bug affected a recent acquisition of a quite well-known U.S. corporation. It was an Insecure Direct Object Reference (IDOR), which occurs when insufficient authorization checks are performed against the object identifiers used in requests. The vulnerable endpoint, however, was an internal API used to retrieve data, and the API edge (sub-resource) in question was not visible to the naked eye, which required me to do some quick manual brute-forcing of common edge names against the endpoint.

The API endpoint you could spot while capturing HTTP requests was:

https://www.company.com/api/users/<User_ID>/

This returns the user's profile information. The hidden edge was credit_cards, followed by a node <CC_ID> that identifies one of the user's stored payment methods:

https://www.company.com/api/users/<User_ID>/credit_cards/<CC_ID>

<CC_ID> was sequential, so changing it to any other integer value returned either partial credit card information, if that user had a card stored as a payment method, or otherwise the e-mail address associated with that user's PayPal account.
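To make the missing check concrete, here is an added example (not code from the original post or from the affected company) that models the credit_cards edge with and without the ownership check, together with the sequential-ID walk that exposed it. The users, payment methods, IDs and handler names are constructed for illustration; in this model the vulnerable handler never compares <User_ID> to the session either.

```python
# Added example (not code from the original post or from the affected company):
# a minimal model of the vulnerable "credit_cards" edge beside the authorization
# check it was missing, plus the sequential-ID probe that exposed it.
# All users, payment methods and IDs are constructed for illustration.

from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class PaymentMethod:
    method_id: int
    owner_id: int
    kind: str      # "card" or "paypal"
    detail: str    # masked card number, or the linked PayPal e-mail


# Constructed stand-in for the database: method IDs are sequential, like <CC_ID>.
USERS = {101: "alice", 102: "bob", 103: "carol"}
METHODS = {
    1: PaymentMethod(1, 101, "card", "Visa ****4242"),
    2: PaymentMethod(2, 102, "paypal", "bob@example.com"),
    3: PaymentMethod(3, 103, "card", "Amex ****0005"),
}

Response = Tuple[int, dict]   # (HTTP status, JSON body)


def render(m: PaymentMethod) -> dict:
    # What the edge returned: partial card data, or the PayPal e-mail.
    if m.kind == "card":
        return {"type": m.kind, "card": m.detail}
    return {"type": m.kind, "paypal_email": m.detail}


def get_method_vulnerable(session_user: int, path_user: int, method_id: int) -> Response:
    """GET /api/users/<User_ID>/credit_cards/<CC_ID> as the broken edge behaved
    (in this model): the only check is that the caller is logged in. <User_ID>
    is never compared to the session and <CC_ID> is looked up globally, so any
    integer that exists comes back, whoever owns it."""
    if session_user not in USERS:
        return 401, {"error": "login required"}
    m = METHODS.get(method_id)
    if m is None:
        return 404, {"error": "not found"}
    return 200, render(m)


def get_method_fixed(session_user: int, path_user: int, method_id: int) -> Response:
    """Same route with the object resolved through the authenticated principal.
    An ID that exists but belongs to someone else gets the same 404 as a missing
    one, so the endpoint cannot be used to confirm that a <CC_ID> exists."""
    if session_user not in USERS:
        return 401, {"error": "login required"}
    if path_user != session_user:
        return 403, {"error": "forbidden"}
    m = METHODS.get(method_id)
    if m is None or m.owner_id != session_user:
        return 404, {"error": "not found"}
    return 200, render(m)


def probe_sequential_ids(handler: Callable[[int, int, int], Response],
                         session_user: int, id_range: range) -> Dict[int, dict]:
    """The tester's side: walk <CC_ID> as the logged-in user and keep every 200.
    Anything returned here that is not the tester's own object is an IDOR."""
    found = {}
    for method_id in id_range:
        status, body = handler(session_user, session_user, method_id)
        if status == 200:
            found[method_id] = body
    return found


if __name__ == "__main__":
    print("vulnerable:", probe_sequential_ids(get_method_vulnerable, 101, range(1, 10)))
    print("fixed:     ", probe_sequential_ids(get_method_fixed, 101, range(1, 10)))
```

Run as-is, the vulnerable handler hands alice (101) all three payment methods while the fixed one returns only her own; note that the fix answers 404 rather than 403 for a foreign <CC_ID>, so the sequential walk can no longer be used to count how many objects exist.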

PRO-TIP: If you ever come across an undocumented or internal API, always conduct a comprehensive mapping and recon to uncover all edges that might lack sufficient authorization checks.
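As an added example of the recon the PRO-TIP describes (not code from the original post), the helper below expands seed words into the spellings APIs commonly use, builds candidate edges under a discovered endpoint, and records every path that does not answer 404. The transport is injected so it runs offline here; the `fake_fetch` routing table and the `/api/users/7` base path are constructed for illustration, and `http_status` is a real but optional transport for an in-scope target.

```python
# Added example, not from the original post: wordlist-driven mapping of API
# "edges" (sub-resources) under a discovered endpoint. The routing table in
# fake_fetch and the base path are constructed; plug in http_status for a real
# (authorized) target, with the session cookie the API expects.

from typing import Callable, Dict, Iterable, Iterator

SEED_WORDS = ["credit_card", "payment_method", "address", "order", "invoice",
              "api_key", "session", "bank_account"]


def spelling_variants(word: str) -> Iterator[str]:
    """credit_card -> credit_card(s), credit-card(s), creditCard(s), creditcard(s)."""
    base = word.lower()
    if base.endswith("ss"):
        forms = {base, base + "es"}
    elif base.endswith("s"):
        forms = {base, base[:-1]}
    else:
        forms = {base, base + "s"}
    for f in sorted(forms):
        parts = f.split("_")
        yield f
        yield "-".join(parts)
        yield parts[0] + "".join(p.capitalize() for p in parts[1:])
        yield "".join(parts)


def candidate_edges(base_path: str, words: Iterable[str] = SEED_WORDS) -> Iterator[str]:
    """Collection and first-member probes, e.g. /api/users/7/credit_cards and .../credit_cards/1."""
    seen = set()
    for w in words:
        for v in spelling_variants(w):
            for path in (f"{base_path}/{v}", f"{base_path}/{v}/1"):
                if path not in seen:
                    seen.add(path)
                    yield path


def classify(status: int) -> str:
    """404 is the only 'not there'. 401/403/405 mean the edge exists even though
    this probe could not use it, which is exactly what deserves a second look."""
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "exists, access denied"
    if status == 405:
        return "exists, other method"
    if 200 <= status < 300:
        return "open"
    return f"other ({status})"


def map_edges(base_path: str, fetch: Callable[[str], int],
              words: Iterable[str] = SEED_WORDS) -> Dict[str, str]:
    """Probe every candidate once and keep everything that is not a 404."""
    found = {}
    for path in candidate_edges(base_path, words):
        label = classify(fetch(path))
        if label != "absent":
            found[path] = label
    return found


def http_status(url: str, timeout: float = 5.0) -> int:
    """Real transport (not used by the offline demo): returns the HTTP status code."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "edge-mapper"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed fake server: only these paths exist; everything else is 404.
FAKE_ROUTES = {
    "/api/users/7/credit_cards": 200,
    "/api/users/7/credit_cards/1": 200,
    "/api/users/7/addresses": 403,
    "/api/users/7/api_keys": 405,
}


def fake_fetch(path: str) -> int:
    return FAKE_ROUTES.get(path, 404)


if __name__ == "__main__":
    for path, label in map_edges("/api/users/7", fake_fetch).items():
        print(f"{label:22} {path}")
```

The point of `classify` is that a 403 or 405 is a discovery, not a dead end: the edge exists, and the next step is to check whether a different user's ID, a different verb, or a different session gets past it.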

July 24th, 2016: Discovered, reported and fixed the same day.

July 25th, 2016: Bounty of $2000 awarded.

—————-

The second vulnerability was recently identified in another private program, specifically in a legacy login endpoint. When you try to log in with an invalid password, the application displays a generic authentication error. The secret to finding bugs, however, is capturing and analyzing the HTTP traffic: there you notice that the login HTTP response, formatted as JSON, reveals the user's Personally Identifiable Information (PII) as well as the hashed password (salted SHA-1 and bcrypt).

The service is used by more than six million IT professionals, and it was enough to enter any e-mail address to disclose that account's hashed password and other sensitive information. The security team handled the report quickly, but unfortunately the payout was not as high as expected.
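The added example below (not code from the original post or from the affected program) models this bug class: a legacy login handler that serialises the whole user record into its error response, beside a fixed handler, and a scanner that flags hash-shaped values and sensitive keys in a captured JSON body so the leak is caught mechanically rather than by eye. The user record, salt and salted-SHA-1 scheme are constructed for illustration.

```python
# Added example, not code from the original post or from the affected program.
# Models a login endpoint that dumps the user row into its error body, the fixed
# version, and a scanner for hash-shaped values in captured JSON responses.
# The record, salt and hashing scheme are constructed for illustration.

import hashlib
import hmac
import re
import secrets
from typing import List, Tuple


def salted_sha1(password: str, salt: str) -> str:
    # Mirrors the "salted SHA-1" the post mentions; not a recommendation.
    return hashlib.sha1((salt + password).encode()).hexdigest()


# Constructed sample record, standing in for the ORM row the endpoint returned.
USERS = {
    "alice@example.com": {
        "id": 4711,
        "email": "alice@example.com",
        "full_name": "Alice Example",
        "phone": "+1-555-0100",
        "salt": "c0ffee",
        "password_sha1": salted_sha1("correct horse battery", "c0ffee"),
    }
}


def login_vulnerable(email: str, password: str) -> Tuple[int, dict]:
    """The leaky endpoint: a wrong password returns the whole user row."""
    user = USERS.get(email)
    if user is None:
        return 404, {"error": "No such user"}      # also confirms which e-mails exist
    if not hmac.compare_digest(salted_sha1(password, user["salt"]), user["password_sha1"]):
        return 401, {"error": "Invalid password", "user": user}   # the bug
    return 200, {"token": secrets.token_hex(16)}


def login_fixed(email: str, password: str) -> Tuple[int, dict]:
    """One fixed-shape failure body for both unknown e-mail and wrong password."""
    user = USERS.get(email)
    # Hash even for unknown users so response time does not reveal existence.
    salt = user["salt"] if user else "no-such-user"
    stored = user["password_sha1"] if user else salted_sha1("", salt)
    ok = user is not None and hmac.compare_digest(salted_sha1(password, salt), stored)
    if not ok:
        return 401, {"error": "Invalid e-mail or password"}
    return 200, {"token": secrets.token_hex(16)}


HASH_SHAPES = {
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "sha1-hex": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256-hex": re.compile(r"^[0-9a-f]{64}$", re.I),
}
SENSITIVE_KEY = re.compile(r"pass|pwd|hash|salt|secret|ssn|phone|token", re.I)


def find_leaks(body, path: str = "") -> List[Tuple[str, str]]:
    """Walk a decoded JSON body; report (json-path, reason) for every suspicious
    field. Run it over every captured response, not just the interesting ones."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key):
                hits.append((here, "sensitive key"))
            hits.extend(find_leaks(value, here))
    elif isinstance(body, list):
        for i, value in enumerate(body):
            hits.extend(find_leaks(value, f"{path}[{i}]"))
    elif isinstance(body, str):
        for name, shape in HASH_SHAPES.items():
            if shape.match(body):
                hits.append((path, f"{name} value"))
    return hits


if __name__ == "__main__":
    for handler in (login_vulnerable, login_fixed):
        status, body = handler("alice@example.com", "wrong")
        print(handler.__name__, status, find_leaks(body))
```

Two things the fixed handler changes beyond dropping the record: the failure body is identical for an unknown e-mail and a wrong password, and the hash is computed either way, so the endpoint no longer confirms which of those six million e-mail addresses have accounts.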

December 4th, 2016: Discovered and reported

December 7th, 2016: Bounty of $1000 awarded

—————-

The third flaw was a bypass of the redirect protection in PayPal's authentication flow, which would allow execution of malicious JavaScript in certain old browsers. The vulnerable endpoint is as follows:

https://www.paypal.com/authflow/entry/?returnUri=https://www.paypal.com/

If you try to redirect to an external domain such as:

https://www.paypal.com/authflow/entry/?returnUri=https://evilzone.org

it does not succeed and you are taken back to the PayPal homepage instead.

However, I found that three forward slashes bypass the validation in place, so the exploit is as follows:

https://www.paypal.com/authflow/entry/?returnUri=https:///evilzone.org

Or

https://www.paypal.com/authflow/entry/?returnUri=///evilzone.org
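Why three slashes work is a parser differential: a server-side check that parses the value and sees no host treats it as a relative path, while the browser collapses the extra slashes and treats what follows as the host. The added example below is not PayPal's code; it is a hypothetical returnUri check of the kind such a payload defeats, beside a stricter one, with a small approximation of how a browser resolves the same values. The allowed origin, base URL and function names are assumptions for illustration.

```python
# Added example, not PayPal's code: a hypothetical returnUri validator that the
# three-slash payload defeats, a stricter replacement, and a rough model of the
# browser's resolution. ALLOWED_ORIGIN, BASE_URL and the function names are
# assumptions for illustration.

import re
from urllib.parse import urljoin, urlparse

ALLOWED_ORIGIN = "https://www.paypal.com"
BASE_URL = ALLOWED_ORIGIN + "/authflow/entry/"


def is_safe_naive(return_uri: str) -> bool:
    """Typical broken check: parse, treat an empty host as 'relative, so safe',
    otherwise compare the origin. urlparse reports an empty host for both
    'https:///evilzone.org' and '///evilzone.org', so both slip through."""
    p = urlparse(return_uri)
    if not p.netloc:
        return True
    return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN


# Exactly one leading '/', not followed by '/' or '\', and no ':' anywhere,
# so neither an authority nor a scheme can hide in the value.
PATH_ONLY = re.compile(r"/(?![/\\])[A-Za-z0-9._~%!$&'()*+,;=@/?-]*")


def is_safe_strict(return_uri: str) -> bool:
    """Allow-list the shape instead of trusting a parser: either an absolute
    URL that literally starts with the allowed origin plus '/', or a plain
    path matching PATH_ONLY. Apply it after any percent-decoding the
    framework performs, since '%2F%2F%2F' arrives here as '///'."""
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in return_uri):
        return False                      # control characters and whitespace
    if return_uri.startswith(ALLOWED_ORIGIN + "/"):
        return True
    return PATH_ONLY.fullmatch(return_uri) is not None


def browser_target(return_uri: str, base: str = BASE_URL) -> str:
    """Rough model of the WHATWG rule for http(s): after the scheme, or at the
    start of a scheme-relative reference, any run of two or more slashes or
    backslashes introduces an authority. Only the shapes used here are modelled."""
    m = re.match(r"^(?:(https?):)?[/\\]{2,}([^/\\?#]+)(.*)$", return_uri)
    if m:
        scheme = m.group(1) or urlparse(base).scheme
        return f"{scheme}://{m.group(2)}{m.group(3) or '/'}"
    return urljoin(base, return_uri)


PAYLOADS = [
    "https://www.paypal.com/",
    "/myaccount/summary",
    "https://evilzone.org",
    "https:///evilzone.org",
    "///evilzone.org",
]

if __name__ == "__main__":
    for uri in PAYLOADS:
        print(f"{uri:24} naive={is_safe_naive(uri)!s:5} strict={is_safe_strict(uri)!s:5} "
              f"browser -> {browser_target(uri)}")
```

Running it shows the two bypass payloads passing `is_safe_naive` while `browser_target` resolves them to evilzone.org; `is_safe_strict` rejects them because it never asks a parser where the host is, it only accepts values whose shape cannot contain one.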

The first thing I did was try to escalate this unvalidated redirect to an exploitable Cross-Site Scripting (XSS). I used the data: URI trick (the base64 payload decodes to <script>alert(location)</script>):

https://www.paypal.com/authflow/entry/?returnUri=data:text/html;base64,PHNjcmlwdD5hbGVydChsb2NhdGlvbik8L3NjcmlwdD4=%23//

But the JavaScript did not execute in PayPal's origin, hence no access to cookies. Failed! I tested another payload:

https://www.paypal.com/authflow/entry/?returnUri=%2F%2F%2Fjavascript:alert(document.domain);

Unfortunately, modern browsers don't execute JavaScript from a Location header, and Mozilla Firefox, for instance, displays a "corrupted content" error. Still, this was exploitable in old browsers such as Mozilla Firefox 3.0.8, IE 6 and earlier versions.

October 22nd, 2016: Discovered and reported to PayPal

November 2nd, 2016: Confirmed by PayPal

November 22nd, 2016: Initial bounty of $750

December 7th, 2016: Vulnerability patched and a final payment of $750 ($1500 total)

 

That is the end of the article; I hope the minutes you spent reading it were worth it. Please do not hesitate to post a comment should you have any question, remark or suggestion.

This article has 3 comments
  1. Aaron Ullger
    13 December 2016

    Cool article! Nice finds

  2. Bobby
    14 December 2016

    thanks for sharing.

  3. Hussam
    31 December 2016

    Salam Yassine,
    that is brilliant work,
    but can I ask you a favor?
    yes
    ok then do you have some list to brute-force API endpoints?
    thanks

