Friday 28 April 2023

SSRF in Dropbox

Hey all,

Last year I found an SSRF on Dropbox. Dropbox wrote a great blog on it and how they prevent it. 

Check it out here:

Tuesday 25 September 2018


Introduction: was pointing to and any's forms was accessible through . This led to stored XSS at because 's forms were vulnerable to XSS.

Impact: Nothing as far as I know. Except phishing!


Vulnerable section:

  • Reported: Jan 14th 2017
  • Closed as Informative: Jan 14th 2017
  • MySurveyLab fixed the bug within a week (not sure).

Thursday 20 September 2018

DBID leakage through Dropbox Chooser


  • Chooser:
The Chooser is the fastest way to get files from Dropbox into your web app. It's a small JavaScript component that enables your app to get files from Dropbox without having to worry about the complexities of implementing a file browser, authentication, or managing uploads and storage. -Dropbox

  • DBID:

    DBID is a Dropbox account ID from which you can get the account owner's name and the email ID attached to it through this endpoint.

How Chooser works:

  • A third party website embeds the chooser.
  • Then anyone visiting that website can share their files from Dropbox to that particular website.
  • You can try this at


As can be seen, the Chooser was sharing not only the temporary download link with the third party but also the DBID.


  • Reported: Jan 7th 2018
  • Triaged: Jan 9th 2018
  • Closed as resolved: Jan 20th 2018

Thursday 19 July 2018

[Dropbox] Cross domain data leakage for js files


Before the h1-3120 2018 event, Nathanial, a Security Engineer from Dropbox, introduced some of their favourite bugs to the hackers invited to that event.
One of them was Cross domain data leakage for js files, reported by h1/dumeelvavvalu; this was my favourite bug among them.
On 10 July 2018, I found the exact same bug due to recent code refactoring.



The Dropbox shared link used in the PoC is protected by an ACL, so normally only users who have access to that particular file can read it. Since a script tag can load script files from any origin, an attacker can read the file's data by getting a logged-in user who has access to it to visit a malicious page.

Dropbox fixed it by changing the Content-Type to application/binary.
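Added example (not code from this post or from Dropbox): a small set of JavaScript helpers showing why the Content-Type fix works and what else a defender would set when serving user-uploaded files. The post says the fix was application/binary; this example uses application/octet-stream (the registered generic binary type) and adds nosniff, attachment and a same-origin Cross-Origin-Resource-Policy, all of which are assumptions about a sensible hardened configuration rather than a description of Dropbox's actual headers. The file contents and header sets below are constructed.

```javascript
// Added example, not Dropbox's code. Demonstrates how a user-uploaded file that
// is valid JavaScript can be read cross-origin via <script src> when it is
// served with a script MIME type, and which response headers stop that.

// MIME types a browser will execute from a <script> tag. A shared file served
// with one of these is readable by any page a logged-in user can be made to visit.
const SCRIPT_TYPES = new Set([
  'application/javascript',
  'text/javascript',
  'application/ecmascript',
  'text/ecmascript',
  'application/x-javascript',
]);

// Returns true when the (possibly parameterised) Content-Type is a script type.
function isScriptType(contentType) {
  const base = String(contentType || '').split(';')[0].trim().toLowerCase();
  return SCRIPT_TYPES.has(base);
}

// Headers for serving user-controlled content (assumed hardened set):
//  - octet-stream: the file is never a script, whatever its bytes look like;
//  - nosniff: the browser may not guess a script type from the bytes;
//  - attachment: the file is downloaded, not rendered in the page;
//  - CORP same-origin: cross-origin <script>/<img>/<iframe> loads are refused.
function headersForUserFile(filename) {
  const safeName = filename.replace(/[^\w.-]/g, '_'); // strip path and quote characters
  return {
    'Content-Type': 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'Cross-Origin-Resource-Policy': 'same-origin',
    'Cache-Control': 'private, no-store',
  };
}

// Audit helper: list what is wrong with a response's headers for shared content.
// Header names are compared case-insensitively, as HTTP requires.
function auditHeaders(headers) {
  const findings = [];
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  if (isScriptType(h['content-type'])) findings.push('script content-type');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('missing nosniff');
  if (!(h['cross-origin-resource-policy'] || '').toLowerCase().startsWith('same-')) findings.push('no CORP');
  return findings;
}

// Constructed "shared file": valid JavaScript, so if served as text/javascript a
// <script> tag on another origin would execute it and expose `secret` globally.
const SHARED_FILE = 'var secret = "constructed-acl-protected-data";\n';

// Constructed header sets: the pre-fix shape and the hardened shape.
const LEAKY_HEADERS = { 'Content-Type': 'text/javascript' };
const FIXED_HEADERS = headersForUserFile('notes.js');

console.log('leaky:', auditHeaders(LEAKY_HEADERS));
console.log('fixed:', auditHeaders(FIXED_HEADERS));
console.log('file length served in both cases:', SHARED_FILE.length);
```

The Content-Type change alone is what closed the reported bug; nosniff is what makes that change robust, because without it some browsers will still execute a script-looking body fetched by a script tag, and CORP closes the cross-origin embedding path regardless of type.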

Wednesday 5 July 2017

Dropbox open redirect - Misconfigured Regex

After reading Geekboy's blog post: , it reminded me of a similar issue (same cause) which I found at Dropbox.

The bug which I found was an open redirect at .

Note that:

  • Changing "cont" to any domain didn't work.
  • Changing "cont" to any domain didn't work.

I then checked with, and it worked.

So what could be the root cause of this bug?

The only possible cause I can think of is a misconfigured regex.
For the sake of better understanding, let's consider a simple vulnerable regex:
  • This /dropbox\.com$/ regex is anchored only at the end, so it matches any host that merely ends in dropbox.com, not just dropbox.com itself.
  • In Geekboy's case, the regex could be similar to this one: /^www\.site\.com/, which is anchored only at the start, so it can be bypassed with any host that merely begins with www.site.com.
The above two cases can be fixed by just adding ^ and $ to the regex:
  • /^dropbox\.com$/
  • /^www\.site\.com$/

While looking for bypasses, always check:
  • validdomain.victim.comevil
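Added example (not from this post): the two half-anchored regexes above and their anchored fixes, run over a handful of constructed hostnames so the difference is visible, plus an exact-hostname allow-list check built on the URL parser, which is an alternative this post does not describe and is added here as an assumption about the stronger approach. All hostnames and the ALLOWED_HOSTS set are constructed for the demonstration.

```javascript
// Added example, not the post's code. Shows which hosts each regex accepts and
// an allow-list check that does not depend on getting the anchors right.

// Vulnerable patterns from the post: each is anchored on only one side.
const VULN_SUFFIX_ONLY = /dropbox\.com$/;     // accepts anything ending in dropbox.com
const VULN_PREFIX_ONLY = /^www\.site\.com/;   // accepts anything starting with www.site.com

// Fixed patterns from the post: anchored on both sides.
const FIXED_DROPBOX = /^dropbox\.com$/;
const FIXED_SITE = /^www\.site\.com$/;

// Constructed test hosts: the attacker-shaped ones mirror the two bypass shapes
// the post describes (extra characters before a suffix, extra after a prefix).
const HOSTS = [
  'dropbox.com',            // legitimate
  'evildropbox.com',        // suffix trick: accepted by VULN_SUFFIX_ONLY
  'dropbox.com.evil.test',  // would be accepted by a prefix-only dropbox regex
  'www.site.com',           // legitimate
  'www.site.com.evil.test', // prefix trick: accepted by VULN_PREFIX_ONLY
];

// Return the hosts from HOSTS that the given regex lets through.
function acceptedHosts(re) {
  return HOSTS.filter((h) => re.test(h));
}

// Assumed stronger alternative: parse the redirect target and require an exact
// hostname match against an allow-list, so no prefix/suffix trick survives and
// userinfo or scheme games are handled by the URL parser rather than by us.
const ALLOWED_HOSTS = new Set(['dropbox.com', 'www.site.com']);

function redirectAllowed(target) {
  let url;
  try {
    url = new URL(target); // no base: relative and protocol-relative targets are rejected
  } catch {
    return false;
  }
  const schemeOk = url.protocol === 'https:' || url.protocol === 'http:';
  return schemeOk && ALLOWED_HOSTS.has(url.hostname);
}

for (const [name, re] of [
  ['VULN_SUFFIX_ONLY', VULN_SUFFIX_ONLY],
  ['FIXED_DROPBOX', FIXED_DROPBOX],
  ['VULN_PREFIX_ONLY', VULN_PREFIX_ONLY],
  ['FIXED_SITE', FIXED_SITE],
]) {
  console.log(name, '->', acceptedHosts(re));
}
console.log('redirect to https://dropbox.com/home allowed:', redirectAllowed('https://dropbox.com/home'));
console.log('redirect to https://evildropbox.com/ allowed:', redirectAllowed('https://evildropbox.com/'));
```

One caveat when porting this: in JavaScript `$` without the `m` flag matches only at the very end of the string, but in Python and PCRE `$` also matches just before a trailing newline, so in those engines prefer `\z` (PCRE) or `\Z` (Python) for a host check.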

Sunday 11 January 2015



I'm just another noob, but in time this blog will contain lots of valuable things. :)