Abstract:
This article presents the discovery and analysis of 10 security vulnerabilities within Cloverleaf’s main web application (app.cloverleaf.me). I detail each vulnerability, its potential impact, and recommendations for mitigation. The findings, ranging from Open Redirect to Zero-Click Account Takeover, highlight key weaknesses in Cloverleaf’s platform and emphasize the importance of proactive security testing. By sharing these insights, I aim to raise awareness about web application security and demonstrate the critical role of bug bounty programs in identifying and addressing vulnerabilities before they can be exploited.
Introduction:
Background of Cloverleaf:
Cloverleaf builds high-performing teams through assessments and automated team coaching. Reveal insights about your teammates and yourself and receive coaching tips delivered to your email, calendar and messaging apps.
Responsible Disclosure Program:
Cloverleaf will offer $125 US for any newly discovered vulnerability. If multiple reports are filed for the same issue, the email timestamps will be used to award the first report received. Cloverleaf supports payment for verified awards via Bank Transfer or PayPal.
Vulnerability Findings:
Vulnerability 1: Open Redirect via Login and Callback Endpoints
What is Open Redirect vulnerability:
An open redirect vulnerability occurs when a web application or website allows an attacker to redirect users to a malicious external URL without proper validation.
Description:
Cloverleaf’s application is vulnerable to Open Redirect attacks in two key endpoints: the SSO login endpoint (api/auth/sso/login), which is used to initiate authentication, and the callback endpoint (api/auth/sso/callback), which is used after a successful authentication. Both endpoints allow an attacker to manipulate the redirection process and send users to malicious sites before they log in via Single Sign-On (SSO).
How was it identified:
During the reconnaissance phase of my assessment, I used tools like ffuf to discover hidden endpoints and paths across the application. While exploring the application, I came across a specific endpoint that allowed user redirection. To identify the parameters used in this endpoint, I leveraged the Arjun tool, which helped me uncover that the endpoint accepted a “subdomain” parameter. This led me to further investigate its functionality, revealing the open redirect vulnerability.
SSO Login Endpoint (api/auth/sso/login):
The api/auth/sso/login?subdomain= endpoint is used to initiate SSO authentication. When an organization registers with Cloverleaf and enables SSO functionality, a unique subdomain is assigned to the organization. After successful authentication, the user is redirected to this subdomain. However, the application fails to adequately validate the subdomain parameter, which allows attackers to inject arbitrary domain names into the redirect URL.
For example, an attacker can manipulate the subdomain parameter as follows:
https://app.cloverleaf.me/api/auth/sso/login?subdomain=maldevo
The application first checks whether maldevo has SSO enabled. If not, it redirects the user to an error page at maldevo.cloverleaf.com.
However, if the attacker appends a slash (/) to the subdomain value:
https://app.cloverleaf.me/api/auth/sso/login?subdomain=google.com/
The application treats this as a valid subdomain and redirects to the external domain google.com, because the trailing slash ends the host portion of the constructed URL and pushes the expected Cloverleaf suffix into the path. This enables phishing or social engineering attacks.
SSO Callback Endpoint (api/auth/sso/callback):
Similarly, before SSO login, the application uses a callback subdomain to complete the redirection to the user’s designated subdomain. This endpoint is also susceptible to an Open Redirect attack: the callback subdomain is not adequately validated, allowing an attacker to craft a malicious domain. For instance, an attacker can manipulate the callback subdomain parameter like this:
https://app.cloverleaf.me/api/auth/sso/callback?subdomain=attacker.com/
The callback mechanism does not properly sanitize this parameter, so users who click the link are redirected to attacker.com, potentially exposing them to phishing or data theft.
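To make the root cause of both the login and callback findings concrete, the following added example (my own illustration, not Cloverleaf's code) contrasts a naive handler that concatenates the subdomain parameter into a redirect URL with a hardened one that only accepts a single DNS label. The base domain cloverleaf.com is taken from the article's maldevo.cloverleaf.com example and is an assumption about how the real handler builds its URL.

```python
import re
from urllib.parse import urlsplit

# Assumed from the article's example (maldevo.cloverleaf.com); the real
# application may build its redirect URL differently.
BASE_DOMAIN = "cloverleaf.com"

# Exactly one lowercase DNS label: alphanumerics with inner hyphens, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def naive_redirect_target(subdomain: str) -> str:
    """Vulnerable pattern: the parameter is spliced into the URL unchecked.
    A value such as 'google.com/' terminates the host early, so the
    expected '.cloverleaf.com' suffix lands in the path instead."""
    return f"https://{subdomain}.{BASE_DOMAIN}/"


def effective_host(url: str) -> str:
    """Host a browser would actually connect to for the given URL."""
    return urlsplit(url).hostname or ""


def safe_redirect_target(subdomain: str):
    """Hardened pattern: allow only a single DNS label, then build the
    URL from the fixed base domain. Returns None when the value is rejected,
    which the handler should turn into an error response, not a redirect."""
    label = subdomain.lower()
    if not LABEL_RE.match(label):
        return None
    return f"https://{label}.{BASE_DOMAIN}/"


if __name__ == "__main__":
    # Constructed inputs mirroring the article's three cases.
    for value in ("maldevo", "google.com/", "attacker.com/"):
        naive = naive_redirect_target(value)
        print(f"{value!r:16} naive -> {naive} (host={effective_host(naive)})")
        print(f"{'':16} safe  -> {safe_redirect_target(value)}")
```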