Wednesday, 5 July 2017

Dropbox open redirect - Misconfigured Regex

After reading Geekboy's blog post: http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains/, it reminded me of similar(cause of the) issue which I found at Dropbox. 

The bug which I found was a open-redirect at https://paper.dropbox.com/ep/account/sign-in?cont=https://12dropbox.com .

Note that:

  • Changing "cont" with any xyz.com domain didn't worked.
  • Changing "cont" with any xyz.dropbox.com domain didn't worked.

I then checked with xyzdropbox.com, and it worked.


So what could be root cause of this bug?

The only possible cause I can think of is misconfigured Regex
For the sake of better understanding lets consider a simple vulnerable regex:
  • This /dropbox\.com$/ regex will always return true for all #{anything}dropbox.com domains.
  • In Geekboy's case, the regex could be similar to this one: /^www\.site\.com/, so this can be bypassed with www.site.com.#{anything}.
The above two cases can be fixed by just adding ^ and $ in regex:
  • /^dropbox\.com$/
  • /^www\.site\.com$/
Conclusion:

While looking for bypasses, always check:
  • evil.victim.com
  • evilvaliddomain.victim.com
  • validdomain.evilvictim.com
  • validdomain.victim.comevil

2 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete