Here I'm presenting a writeup on an Unrestricted File Upload vulnerability that I found on a renowned company's site. Since I should not disclose the real domain, let's say it is redacted.com.
This is the first bug I found, and I got paid $116 for it. It is easy to find; I think it took around 15 minutes to find and exploit.
But not all bugs can be found in such a short span. There are even days when I don't find any. Still, every time I hunt on a program I learn something new, because I do a lot of googling to understand how applications work.
Moreover, I do bug bounty part-time for fun. The rewards we get in return boost our interest in doing more hunting. All the programs we can hunt on are like a playground for me to practice what I have learned.
Without wasting your time, let's get into the writeup.
Vulnerability description
This bug was found on the domain appsadmin.redacted.com.
I did subdomain enumeration on redacted.com and found a bunch of subdomains. Among those, the name appsadmin.redacted.com looked tempting, so I chose this one to start my hunting.
I reached https://appsadmin.redacted.com but the service was not reachable over HTTPS. Then I tried http://appsadmin.redacted.com and it loaded a login page.
I tried default credentials with no luck. I checked the network traffic in Burp and analyzed the JS files in Chrome dev tools. I came to know that this is an Angular application and that it uses lazy loading to load JS files.
I intercepted the login response in Burp, debugged the JS code in Chrome dev tools, and changed the login response in Burp so that the JS code would think the login was successful.
Now it loads the JS files corresponding to the dashboard, which has features like listing all the apps, uploading apps, deleting apps, and so on.
But since we are not a valid user/admin, it shows no apps there and the corresponding API endpoint returned Not Authorised.
But they handle the upload functionality differently. They use the https://apps.redacted.com/api/filesystem/upload endpoint to upload a file, and it returns the Name (in GUID format) of the uploaded file.
I now know the Name (imageName in their terminology) but not the exact location where it got saved.
There is another endpoint, https://apps.redacted.com/api/filesystem/getImageFilePath?imageName=, where you can pass the returned Name as the parameter and it returns the full URL where the file was uploaded to.
The returned full URL looks like https://<something>.cloudfront.net/<year>/<month>/<imageName>.
As you might have guessed, the file is uploaded to their S3 bucket and served via CloudFront.
I tried uploading files of different formats and every one of them was uploaded successfully.
So there is no restriction on who uploads the file or what kind of file is uploaded.
Impact
If you remember, we don't need any permissions to upload any kind of file, and the uploaded file resides there forever (until an admin deletes it).
So an attacker can upload any kind of malicious file, like malware, viruses, trojans, and so on, and distribute it over the internet.
An attacker can also host their own site by uploading HTML, JS and CSS files along with their malicious content, for free and anonymously.
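As an added example (not code from the post or from the company's application), here is what the missing server-side controls look like: the upload is tied to a server-side session rather than a login response the client can rewrite, only an allowlist of image types whose magic bytes match the declared extension is accepted, and the stored GUID-style name is generated on the server. The CDN host, size limit, role name and the zero-padded month in the served URL are assumptions.

```python
import uuid
from datetime import date

# Constructed example values: the real CDN host, size limit and role names are not on the page.
CDN_HOST = "cdn-placeholder.cloudfront.net"
MAX_BYTES = 5 * 1024 * 1024

# Allowlist keyed by extension, each with the magic bytes the content must start with.
# HTML, JS, CSS, SVG and executables are deliberately absent: allowing them turns the
# bucket into free anonymous hosting, which is the impact the post describes.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

class UploadRejected(Exception):
    pass

def validate_upload(session: dict, filename: str, data: bytes) -> str:
    """Return the server-generated GUID-style stored name, or raise UploadRejected.

    session is the server-side session record (assumed shape: {"user": ..., "roles": [...]}).
    Authorization is decided here, never from a login response the client could rewrite.
    """
    if not session or "admin" not in session.get("roles", ()):
        raise UploadRejected("upload requires an authenticated admin session")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED.get(ext)
    if magic is None:
        raise UploadRejected(f"extension .{ext or '?'} not allowed")
    if not data.startswith(magic):
        raise UploadRejected("content does not match the declared type")
    # The client's filename never reaches storage; only the validated extension survives.
    return f"{uuid.uuid4()}.{ext}"

def rejection_reason(session: dict, filename: str, data: bytes):
    """None when the upload is accepted, otherwise the reason it was rejected."""
    try:
        validate_upload(session, filename, data)
        return None
    except UploadRejected as exc:
        return str(exc)

def image_url(image_name: str, when: date) -> str:
    """Served URL in the <cdn>/<year>/<month>/<imageName> layout from the post (zero-padded month assumed)."""
    return f"https://{CDN_HOST}/{when.year}/{when.month:02d}/{image_name}"
```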
Conclusion
Points to remember while hunting for bugs on a program:
- Check both the HTTP and HTTPS site (if possible, do a port scan and go through the open ports).
- Analyze JS files for more endpoints and secret keys (if possible, do it manually). I prefer to do it manually because automated tools miss a lot of endpoints.
- Use Chrome dev tools and debug the JS code to see how the response is handled. You can change values dynamically while debugging in Chrome dev tools and change the execution flow.
- Don't rush. Be calm and enjoy learning through bug hunting.