Hello guys! My name is Tuhin Bose (@tuhin1729). I am currently working as Chief Technology Officer at Virtual Cyber Labs. In this write-up, I am going to share how I earned $$$ from a bug bounty program for reporting 3 vulnerabilities to them. So without wasting time, let’s start:
The application is a contact information management website where users log in with their Google account and it fetches their contact information from that Google account, so that they can access it anytime and from anywhere, even if they lose access to their phone. They also have a premium tier with extra features like syncing contacts from multiple Google accounts, scanning and saving business cards as contacts, etc. They also have a referral feature through which you can refer your friends and get some premium features for free.
I created an account there. After testing for several vulnerabilities (from my checklist), I started testing the profile picture upload section. The flow of the profile picture upload is something like this:
1. The user uploads a picture from their device:
2. After the upload, the image is stored on img.redacted.com. When the user clicks the Save button, the image URL and the other details are saved:
So after testing for IDOR, SQLi, DoS and some other attacks, I tried SSRF there. I quickly replaced the URL with my Burp Collaborator payload and guess what!
I quickly checked the IP and found that it belongs to their back-end load balancer. I tried to exploit it further, but there was no way to do so. Later, I reported just this behavior, and their reply was:
So, I forgot about it and started testing other endpoints.
While testing the referral feature, I noticed an interesting thing. In the referral URL (https://app.redacted.com/refer/YOUR_REFERRAL_CODE), the user's profile picture is shown:
I remembered the previous finding, in which we could replace our profile picture URL with a URL on any third-party website.
I quickly changed my profile picture, replaced the profile picture link with my Burp Collaborator URL, and visited the referral page from another device, and BOOM! I got an HTTP request to my Burp Collaborator carrying the device's IP address, browser information and device model:
So what is the attacking scenario?
1. The attacker saves his profile picture from his Burp Collaborator URL.
2. The attacker sends his referral link to the victim.
3. The victim opens the referral URL (since the referral link belongs to a subdomain of redacted.com, the victim will definitely open it) and BOOM! The victim's private information is sent to the attacker.
I hosted a poc.svg file on my ngrok server with the following content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
Then I replaced my profile picture URL with the URL of the poc.svg file (https://xyz.ngrok.io/poc.svg). I simply right-clicked the profile picture and copied the URL. I noticed that it was https://img.redacted.com/static/XXX, which means they had fetched the poc.svg file from my server and were now serving it from their own image host. I quickly pasted the link into my browser and BOOM!
I quickly made a PoC and reported it to them.
After checking some more features, I moved on to the change password section. The request looked like this:
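Both image issues above (a third-party URL accepted as the profile picture, which leaks every referral-page visitor to that host, and an SVG fetched and then served from img.redacted.com) come down to one missing server-side check before the URL is saved. The following is an added example, not code from the write-up or the vendor: the host allowlist, the injected resolver and the function names are my assumptions.

```python
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# Assumed allowlist: only the app's own image host (named in the write-up)
# may be stored, so no attacker-controlled server is ever loaded by viewers.
ALLOWED_IMAGE_HOSTS = {"img.redacted.com"}

# Magic bytes of the raster formats a profile picture may be stored as.
RASTER_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def check_picture_url(url: str, resolve: Callable[[str], str]) -> Optional[str]:
    """Return a rejection reason, or None if the URL may be stored.
    `resolve` maps hostname -> IP and is injected so the resolved address
    (not just the name) is vetted and the check runs offline in tests."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "scheme must be https"
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return f"host {host!r} is not the application's image host"
    ip = ipaddress.ip_address(resolve(host))
    if not ip.is_global:
        return f"{host} resolves to non-public address {ip}"
    return None

def sniff_raster_type(body: bytes) -> Optional[str]:
    """Identify PNG/JPEG/GIF by magic bytes; SVG/XML/HTML give None, so an
    SVG carrying <script> is never stored whatever Content-Type was claimed."""
    for magic, mime in RASTER_SIGNATURES.items():
        if body.startswith(magic):
            return mime
    return None

def accept_profile_picture(url: str, body: bytes, resolve: Callable[[str], str]) -> Tuple[bool, str]:
    # Decision the save handler makes before persisting the picture URL.
    reason = check_picture_url(url, resolve)
    if reason:
        return False, reason
    mime = sniff_raster_type(body)
    if mime is None:
        return False, "body is not a PNG, JPEG or GIF"
    return True, mime
```

Serving stored images with a fixed `Content-Type` derived from the sniffed bytes, rather than from the upstream response, closes the same gap on the delivery side.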
POST /api/oauth.updatePassword HTTP/1.1
Host: app.redacted.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer D5FC5XXXX
x-csrf-token: uXvbmXXXX
Content-Type: application/json
Content-Length: 56
Origin: https://app.redacted.com
Connection: close
Referer: https://app.redacted.com/account
Cookie: XYZ=ABC; PQR=DSPH

{"password":"NewPassword","revokeSessions":true,"client":"ABWeb"}
After trying some vulnerabilities, I tried changing the password to null and saw something interesting:
Look at the response time: 30,460 milliseconds with a 504 Gateway Time-out!!! Some kind of DoS occurred.
I quickly reported these three issues to them, and after some days I got their reply with a $$$ bounty.
Timeline:
June 6, 2021 — Reported First Vulnerability
June 6, 2021 — Asked for Impact
June 8, 2021 — Discovered and Reported the Exploitation of the Vulnerability
June 8, 2021 — Reported Second Vulnerability
June 11, 2021 — Reported Third Vulnerability
June 13, 2021 — Triaged
June 15, 2021 — Replied With the Bounty Email
If you want to learn bug bounty hunting, you can enroll in our course here.
Follow me on Instagram: @tuhin1729
Thanks for reading. I hope you enjoyed this blog.