SSRF in Dropbox

Hey all,

Last year I found an SSRF on Dropbox. Dropbox wrote a great blog on it and how they prevent it. 

Check it out here: https://dropbox.tech/security/bug-bounty-program-ssrf-attack.

[XSS] survey.dropbox.com

Introduction: 

survey.dropbox.com was pointing to mysurveylab.com and any mysurveylab.com's forms was accessible through survey.dropbox.com. This lead to stored xss at survey.dropbox.com because mysurveylab.com's forms were vulnerable to xss.

Impact: Nothing as far as I know. Except phishing!


POC:

Vulnerable section:

Timeline:

• Reported: Jan 14th 2017
• Closed as Informative: Jan 14th 2017
• MySurveyLab fixed the bug within week(not sure).

DBID leakage through Dropbox Chooser

Introduction:

• Chooser:

The Chooser is the fastest way to get files from Dropbox into your web app. It's a small JavaScript component that enables your app to get files from Dropbox without having to worry about the complexities of implementing a file browser, authentication, or managing uploads and storage. -Dropbox

• DBID :
  
  DBID is a dropbox account id from which you can get the Account Owner Name and Email id attached to it through this endpoint.

How Chooser works:

• A third party website embeds the chooser.
• Then anyone visiting that website can share their files from Dropbox to that particular website.
• You can try this at https://www.dropbox.com/developers/chooser.

Bug:

As it can be seen, chooser was not only sharing the temporary download link to the third party but also DBID.

POC:

Timeline:

• Reported: Jan 7th 2018
• Triaged: Jan 9th 2018
• Closed as resolved: Jan 20th 2018

[Dropbox] Cross domain data leakage for js files

Summary:

Before h1-3120 2018 event, Nathanial, a Security Engineer from Dropbox introduced some of their favourite bugs to invited hackers for that event.

One of them was Cross domain data leakage for js files reported by h1/dumeelvavvalu,this was my most favourite bug among them.

On 10th July 2k18, I found the exact same bug due to recent code factoring.

POC:

Details:

That shared link of Dropbox used in poc is protected by an ACL, so normally only users who is having access to that particular file will only be accessible by them. Since script tag has the super power to fetch the script files data from any origin, we can access the data of it by making the attacker to visit a malicious page.

Dropbox fixed it by changing the Content-Type to application/binary.

Dropbox open redirect - Misconfigured Regex

After reading Geekboy's blog post: http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains/, it reminded me of similar(cause of the) issue which I found at Dropbox. 

The bug which I found was a open-redirect at https://paper.dropbox.com/ep/account/sign-in?cont=https://12dropbox.com .

Note that:

• Changing "cont" with any xyz.com domain didn't worked.
• Changing "cont" with any xyz.dropbox.com domain didn't worked.

I then checked with xyzdropbox.com, and it worked.

So what could be root cause of this bug?

The only possible cause I can think of is misconfigured Regex. 

For the sake of better understanding lets consider a simple vulnerable regex:

• This /dropbox\.com$/ regex will always return true for all #{anything}dropbox.com domains.
• In Geekboy's case, the regex could be similar to this one: /^www\.site\.com/, so this can be bypassed with www.site.com.#{anything}.

The above two cases can be fixed by just adding ^ and $ in regex:

• /^dropbox\.com$/
• /^www\.site\.com$/

Conclusion:

While looking for bypasses, always check:

• evil.victim.com
• evilvaliddomain.victim.com
• validdomain.evilvictim.com
• validdomain.victim.comevil

Welcome!

Hi! 

Im just another noob, but by time this blog will contain lots of valuable thing. :)