The Magical File Upload on The Chat


Harsh D Ranjan

Hello Everyone

Namaste Everyone, I am Harsh D Ranjan, an ordinary Bug Hunter.
Note: You won’t be getting any #Bugbountytips here.

This is my First time so please do leave a review here or drop your suggestions at my Twitter handle. @HarshDRanjan1

Ok, that’s enough let’s get started with the stuff you are here for.
So, last month I was hunting on a web app which lets us integrate customer chat features into our own web app with a lot of flexibility. (Sorry, I was not drinking anything like coffee or tea at Starbucks.)

So I tested for XSS, IDOR and did some Dorking but no issues were found, then I decided to test the File Upload feature for different issues (you know which issues, right? You know, right?).

The only file types allowed were mp4, txt and pdf. So I went ahead and tested some issues but got no result, but then I noticed that I had edited the uploaded “file.txt” 4–5 times in the Repeater tab and each of them gave me a 200 response, yet the other party on the main web app only received one txt file. And when I opened the txt file I noticed that its content was from 1 minute ago, but the file was uploaded 5 minutes ago. BOOM BOOM BOOM I Got my Bug wororororororororororororor

Yes, so the thing happening here is that if we intercept the request during the upload, we can edit the file after the upload is complete and after the admin has seen the uploaded file, and this was not intended.

Steps:
1. Attacker visits xyz.com and opens the chat as a guest. Here, try to upload a ‘.txt’ file with some credentials or important information, intercept this upload and send it to the Repeater. (Burp used.)
2. Admin opens main.yourdomain.com and sees the contents of the ‘.txt’ file sent by the guest in his inbox.
3. Attacker now comes back to the Repeater and changes the credentials in the ‘.txt’ file; the credentials on the server also change, instead of a new file being created with the updated credentials, and the admin of the web app won’t know a thing and sees a single file uploaded minutes ago.
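The behaviour in the steps above, modelled as an added example (this is not the author's code or the vendor's implementation): an upload token that stays valid for a window lets a replayed request overwrite a file the admin has already read, while the hardened store consumes the token on first use and refuses to overwrite a delivered file. The 8-minute window is from the write-up; the token format, storage layout and status codes are assumptions.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 8 * 60  # replay window the write-up describes (assumed to be a token TTL)


class VulnerableUploadStore:
    """Replaying the upload request with an unexpired token silently rewrites the file."""

    def __init__(self):
        self.tokens = {}  # token -> time it was issued
        self.files = {}   # file_id -> bytes

    def issue_token(self, now):
        token = secrets.token_hex(8)
        self.tokens[token] = now
        return token

    def upload(self, token, file_id, content, now):
        issued = self.tokens.get(token)
        if issued is None or now - issued > TOKEN_TTL_SECONDS:
            return 403
        self.files[file_id] = content  # overwrite: the copy the admin reviewed changes under him
        return 200


class HardenedUploadStore(VulnerableUploadStore):
    """Token is single-use and stored files are immutable; re-sending cannot alter a delivered file."""

    def __init__(self):
        super().__init__()
        self.audit = []  # append-only (file_id, sha256) log so reviewers can verify what they saw

    def upload(self, token, file_id, content, now):
        issued = self.tokens.pop(token, None)  # consume the token on first use
        if issued is None or now - issued > TOKEN_TTL_SECONDS:
            return 403
        if file_id in self.files:
            return 409  # never overwrite in place; a changed file must be a new upload
        self.files[file_id] = content
        self.audit.append((file_id, hashlib.sha256(content).hexdigest()))
        return 201


def replay_scenario(store):
    """Guest uploads, admin reads the file, guest replays an edited body two minutes later."""
    t0 = 1_000_000  # constructed clock value (seconds)
    token = store.issue_token(t0)
    store.upload(token, "file.txt", b"original credentials", t0)
    admin_saw = store.files["file.txt"]
    status = store.upload(token, "file.txt", b"changed after review", t0 + 120)
    return status, admin_saw, store.files["file.txt"]
```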

This part was difficult because I was not able to show any impact at this point. Then my pal @dhakal_anand talked with me regarding this issue and I came up with an impact.

Able to tamper with already uploaded documents: users are not allowed to edit the data on the server, which is against the policy, so the broken feature can be misused. One of the ways can be: the attacker sends some private and important information to the team, the team sees the content of the file within minutes and agrees to pay the attacker, and as the team makes or initiates the payment, the attacker removes the important data from the server or makes some minor changes which create an error, and all the blame goes to the moderator as he is the only one able to access the ‘.txt’ files.
There can be many more ways to abuse it, but I only found this one.

It was accepted as a Low severity issue with $$$ in my pocket, because there was a time limit on the edit of exactly 8 minutes and that chat was used between unauthorized users and moderators; after that the files can’t be edited as the token expires.

So yeah, it ends here for now at least, will be back with another write-up soon.

Bye Bye.
