Day 13/100 Hack and Improvement

2 minute read

Finishing Real-World Bug Hunting by Peter Yaworski, day 13 comes with new topics related to GitHub recon, OAuth vulnerabilities, and aplication logic vulnerabilities.

GitHub Recon

From Rajesh Ranjan. Millions of developers push code changes to GitHub several times in a single day, and those changes can be overwhelming when you’re working simultaneously with distributed dev teams ‘round the clock. As a bug bounty hunter, we can get some sensitive information from Github, like username,password, Database credentials and more gemes.

Dorks to find sensitive information from Github

Here are few dorks we can use to find some sensitive informations from Github.

"companyname" password

"companyname" jdbc

"companyname" dbpassword

"companyname" dbuser

"companyname" access_key

"companyname" secret_access_key

"companyname" bucket_password

"companyname" redis_password

"companyname" root_password

References

  1. https://securitytrails.com/blog/github-dorks
  2. https://www.youtube.com/watch?v=l0YsEk_59fQ

OAuth Vulnerabilities

From Sam (CoffeeJunkie). To understand this vulnerability, we have to understand that OAuth is an open protocol that simplifies and standardizes secure authorization on web, mobile, and desktop applications. It allows users to create accounts on websites without having to create a username or password. It is commonly seen in different platforms, and example of a OAuth button would be:

nmap scan

The good thing for attackers about OAuth implementation is that the configuration relies on a developer’s implementation mistakes. There are many examples on how this implementation can be vulnerable such as steal authentication tokens and access a targeted user’s account information on the resource server.

The OAuth Workflow

It might be a little complicated to understand how OAuth process works to start:

  • The resource owner is the user attempting to log in via OAuth.
  • The resource server is a third-party API that authenticates the resource owner. Any site can be a resource server, but the most popular ones include Facebook, Google, LinkedIn, and so on.
  • The client is the third-party application that the resource owner visits. The client is allowed to access data on the resource server.

In order to attempt to long in suing OAuth there most be a client request that access to your information from the resources server and asks the resource owner for approval to access the data.

Write Ups and Explanations

STEALING SLACK OAUTH TOKENS

A common OAuth vulnerability occurs when a developer improperly configures or compares permitted redirect_uri parameters, allowing attackers to steal OAuth tokens.

PASSING AUTHENTICATION WITH DEFAULT PASSWORDS

By providing different kind of options in order to login to Flurry, there was a misconfiguration where the password no need to be provided which means that the attacker can access to any account.

STEALING MICROSOFT LOGIN TOKENS

The attacker by using microsoft OAuth workflow, he could stelal the login tokens by adding URL encoding at the end of the fetching url.

Aplication Logic and Configuration Vulnerabilities

These kind of vulnerabilities take advantages generated by developers. These kind of vulnerabilities take advantages generated by developers. These kind of mistakes usually happen in different kind of frameworks and programming languages, therefore these mistakes can lead to vulnerabilities. Also, application vulnerabilities relies in logic and creativity from the attacker.

BYPASSING SHOPIFY ADMINISTRATOR PRIVILEGES

The attacker was able to get order notifications by removing permissions of the account with POST requests.

HACKERONE SIGNAL MANIPULATION

The attacker just needed to create and self close his report in order to manipulate his signal.

Conclusion

Recon can be very extense, althought there are many ways to do it and in this case GitHub works very well. Also, not all vulnerabilities require prior knowledge and skills, it depends of the logic and creativity of the attacker.

Leave a comment