Day 17 comes with great topics that will come in handy after recon: subdomain takeover, by looking over a blog from our friend Aishwarya Kendle, and a vulnerability that might need some prior knowledge, HTTP Smuggling. Enjoy!
Hostile Subdomain Takeover
From Rajesh Ranjan. One of the subdomains of the scanned domain is pointing to an external service, but the external service account was cancelled or has expired. Because the account is not in use anymore, an attacker can claim this account and take over your subdomain. Recently my friend Aishwarya Kendle published a writeup about how he took over 26+ subdomains. Check it out: “How We Hijacked 26 Subdomains”.
From the write-up, we can see how different kinds of subdomain enumeration tools and bash scripting are combined to automate the process. Aishwarya Kendle touches on tools such as subjack and SubOver. Something that was also enjoyable in the blog was how he used Google dorking and other tools to obtain the URLs; the use of unfurl came in pretty handy here. If you are personally interested in subdomain takeovers, the “How We Hijacked 26 Subdomains” blog post will be useful.
From Sam (CoffeeJunkie). HTTP smuggling is basically a technique for interfering with the way a web site processes sequences of HTTP requests that are received from other users. If you’re new to the topic, PortSwigger has amazing explanations and labs for this vulnerability. The security impact of this kind of vulnerability is that the attacker can obtain unauthorized access to sensitive data and directly compromise other application users.
Write Up and Explanation
While doing recon with his tool, which contained high-level HTTP Smuggling exploits, defparam found a critical issue involving Slack and the customers and organizations that share their private data, channels and conversations on Slack. The bug chain is as follows:
- HTTP Request Smuggling CL.TE to Arbitrary Request Hijacking (Poisoned Socket) on slackb.com
- Request Hijack forces victim HTTP requests to instead use GET https://<URL> HTTP/1.1 on slackb.com
- A request of GET https://<URL> HTTP/1.1 on the backend server socket results in a 301 redirect to https://<URL> with slack cookies (most importantly the d cookie)
- Me with my Burp Collaborator steals victims’ cookies by using a collaborator server as the defined <URL> in the attack
- Me (if I were evil) collects massive amounts of d session cookies and steals any/all possible Slack user/organization data from victim sessions
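The CL.TE desync at the root of the chain above comes from a front-end and a back-end disagreeing on where one request ends. The following is an added example, not code from the report or from PortSwigger, showing the check a proxy or WAF should apply per RFC 7230 section 3.3.3 (reject a request that carries both Content-Length and Transfer-Encoding) and how many bytes each interpretation would consume; the sample requests and the host name example.test are constructed for the demo.

```python
def parse_request(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def chunked_length(body: bytes) -> int:
    """Bytes a Transfer-Encoding: chunked parser consumes up to the 0 chunk."""
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2 + size + 2                       # size line, data, CRLF
        if size == 0:
            return pos


def framing_report(raw: bytes) -> dict:
    """Report whether CL- and TE-honouring parsers would agree on the body length.

    Both headers present, conflicting Content-Length values, or a non-standard
    Transfer-Encoding value (e.g. xchunked) mark the request as ambiguous.
    """
    _, headers, body = parse_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    report = {"ambiguous": False, "cl_consumes": None, "te_consumes": None}
    if cl:
        report["cl_consumes"] = int(cl[0])
    if te:
        try:
            report["te_consumes"] = chunked_length(body)
        except (ValueError, IndexError):
            report["te_consumes"] = None  # malformed chunk framing
    if len(set(cl)) > 1 or (cl and te) or (te and te[0].lower() != b"chunked"):
        report["ambiguous"] = True
    return report


# Constructed sample: Content-Length says 13 bytes, chunked framing ends after
# 5, so "LEFTOVER" would remain on the back-end socket ahead of the next request.
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 13\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nLEFTOVER")
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for name, req in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(name, framing_report(req))
```

The difference between cl_consumes and te_consumes is exactly the byte count that ends up prepended to the next user's request on a shared back-end connection, which is why a front-end must refuse such requests rather than pick one header.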