Day 12/100 Hack and Improvement

3 minute read

Starting day 12 with interesting information that can be gathered from Parampsider which can be useful to get XSS and SSRF. Besides recon, day 12 comes with two vulnerabilities race conditions and IDORs.

Finding Hidden parameters with Paramspider

Today I was checking some tools to find more juicy informations using waybackmachine, and found this amazing tool called ParamSpider made by 0xAsm0d3us.

In this tool, 0xAsm0d3us has combinded tomnomnom gf to find more juicy informations like, we can use this to get some XSS, Open redirect and even SSRFs vulnerability.

I was hunting on a Private program, and tried this tool, and the result I got was awesome. I got some hidden parameters using this tool. You can use the following command to get potential parameters.

gf potential domain.txt //for xss + ssrf + open redirect parameters

nmap scan

To find the Parameters, that might be vulnerable to XSS, you can use the following command to get the results.

gf xss domain.txt //for potential xss vulnerable parameters 

nmap scan

A Bigshout to 0xAsm0d3us for creating this tool.

Race Conditions

Race conditions happens when two processes race to complete based on an initial condition that becomes invalid while the process are executing. As a classic bank example:

  1. You have $500 in your bank account, and you need to transfer the entire amount to a friend.
  2. Using your phone, you log into your banking app and request a transfer of $500 to your friend.
  3. After 10 seconds, the request is still processing. So you log into the banking site on your laptop, see that your balance is still $500, and request the transfer again.
  4. The laptop and mobile requests finish within a few seconds of each other.
  5. Your bank account is now $0.
  6. Your friend messages you to say he received $1,000.
  7. You refresh your account, and your balance is still $0.

Write Ups and Examples

ACCEPTING A HACKERONE INVITE MULTIPLE TIMES

There is a probability of race conditions which allows invitation tokens to be consumed at least twice depending on the server response time. It is not a huge vulnerability, but it was violating the conditions of the tokens.

EXCEEDING KEYBASE INVITATION LIMITS

So users in keybase where allowed to sen just 3 invitations, the attacker found a way to send 7 invitations through race condition.

SHOPIFY PARTNERS RACE CONDITION

The attacker found a way to take over with a matching email and race condition. The attacker was able to confirm emails that he does not own through rate conditions.

Insecure Direct Object References (IDOR)

This vulnerability happens when an attacker can access or modify a reference to an object such as things like a file, database record, account, and so on.

Finding Simple IDORs

The idea to find a simple IDOR could occur when you find an integer within a parameter such as id=1, and the you change it to id=2. In order to make easier to find these kind of IDORs, you can use burpsuite which with its intruder tool will allow the attacker numerical payloads in the vulnerable parameter. In order to understand the responses and how accessible is the data, it is very recommendable to look at the code responses and the length of the response.

Finding more complex IDORs

This kind of IDORs can happen when the id parameter is found in a POST request and it is not identifiable by the parameter name. It can be even harder to identify when websites uses randomized identifiers, such as universal unique identifiers (UUIDs). These UUIDs are 36-character alphanumeric strings that don’t follow a pattern. In order to test this vulnerability, it is almost impossible to find records by testing random values. Therefore, you can exchange UUIDs by creating two accounts. In some cases, attackers can be able to find UUIDs leaked in different parameters in the HTML source code. In this case, is worth to report leaked UUIDs due to might violate the companies privacy policy.

Write Ups and Explanations

BINARY.COM PRIVILEGE ESCALATION

The attacker found a way to view the cashier account sensitive information by just knowing the user account ID. The attacker was able to see the information being leaked in the HTML source code in the following <iframe> tag:

<iframe src="https://cashier.binary.com/login.asp?Sportsbook=Binary (CR) SA USD&amp;PIN=CR342435&amp;Lang=en&amp;Password=0e552ae717a1d08cb147f132a31676559e3273ef&amp;Secret=1328d47abeda2b672b6424093c4dbc76&amp;Action=DEPOSIT" frameborder="0" width="100%" height="2000" id="cashiercont" scrolling="auto" style="padding:0px;margin:0px;"></iframe>

TWITTER MOPUB API TOKEN THEFT

The attacker was able to identify the vulnerability because the endpoint was missing proper authorization checks which allows to steal API tokens. By changing the UUID, the attacker was able steal the API tokens.

Conclusion

Paramspider is a pretty useful tool in order to get possible parameters for XSS and SSRF. Race Conditions can be used in different ways that can impact the web application, and IDORs can be gathered in different ways.

Leave a comment