<h2>SSRF in Dropbox</h2>
<p>Published 2023-04-28 by <a href="http://www.blogger.com/profile/12055252907314362129">Kumar</a>.</p>
<p>Hey all,</p><p>Last year I found an SSRF on Dropbox. Dropbox wrote a great blog post on it and on how they prevent it.</p><p>Check it out here: <a href="https://dropbox.tech/security/bug-bounty-program-ssrf-attack">https://dropbox.tech/security/bug-bounty-program-ssrf-attack</a>.</p>
<h2>[XSS] survey.dropbox.com</h2>
<p>Published 2018-09-25.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;"><b><u><br /></u></b></span></span>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;"><b><u>Introduction</u>:</b></span><span style="color: red;"> </span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;"><br /></span></span>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="color: red;">survey.dropbox.com</span> was pointing to mysurveylab.com, and any of <span style="color: red;">mysurveylab.com's</span> forms were accessible through <span style="color: red;">survey.dropbox.com</span>. This led to stored XSS at survey.dropbox.com, because mysurveylab.com's forms were vulnerable to XSS.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><b><u>Impact:</u></b> Nothing, as far as I know, except phishing!</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><b><u>POC</u>:</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><u><br /></u></b></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjTXJH8RJKGLR-7NvjIHRrUorF3u7_LqgY3Tani8ah2HloG1s46k3EJZSTl0PBPrZQx2L2mWiLy3ZkqJbCFTgbxs0GLADT1WlCO7W75a6oYUPHsaQ7ZUfa9VRmjH8jfz4m8K5XGfPUsF_8/s1600/Screenshot_from_2017-01-14_03-35-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjTXJH8RJKGLR-7NvjIHRrUorF3u7_LqgY3Tani8ah2HloG1s46k3EJZSTl0PBPrZQx2L2mWiLy3ZkqJbCFTgbxs0GLADT1WlCO7W75a6oYUPHsaQ7ZUfa9VRmjH8jfz4m8K5XGfPUsF_8/s640/Screenshot_from_2017-01-14_03-35-06.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Vulnerable section:</u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2cjJzq2jVMfDmMKmtAbXjmY9zlTJ-OaqM7fw31-UFEOb7A8DO1kO2tzcyjuX7wJS_UVtynbcUKlhmzUPSkIXvNSgBGr7b9XB8201BfBd-9ifj-1Da8UwcIMw3jvilm8zP5o7y6i5u3mEz/s1600/Screenshot_from_2017-01-14_03-50-10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="942" data-original-width="1281" height="470" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2cjJzq2jVMfDmMKmtAbXjmY9zlTJ-OaqM7fw31-UFEOb7A8DO1kO2tzcyjuX7wJS_UVtynbcUKlhmzUPSkIXvNSgBGr7b9XB8201BfBd-9ifj-1Da8UwcIMw3jvilm8zP5o7y6i5u3mEz/s640/Screenshot_from_2017-01-14_03-50-10.png" width="640" /></a></div>
<span style="font-family: "courier new" , "courier" , monospace;"><b><u><br /></u></b></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Timeline</u>:</b></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul style="text-align: left;">
<li><b>Reported: Jan 14th 2017</b></li>
<li><b>Closed as Informative: Jan 14th 2017</b></li>
<li><b>MySurveyLab fixed the bug within a week (not sure).</b></li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: "courier new" , "courier" , monospace;"><b><u><br /></u></b></span></div>
<h2>DBID leakage through Dropbox Chooser</h2>
<p>Published 2018-09-20.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;"><b><u>Introduction</u>:</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span>
<br />
<ul style="text-align: left;">
<li><b style="font-family: "courier new", courier, monospace;">Chooser:</b></li>
</ul>
</div>
<blockquote class="tr_bq" style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;">The Chooser is the fastest way to get files from Dropbox into your web app. It's a small JavaScript component that enables your app to get files from Dropbox without having to worry about the complexities of implementing a file browser, authentication, or managing uploads and storage. <span style="color: red; font-size: large;"><u>-Dropbox</u></span></span></blockquote>
<br />
<ul style="text-align: left;">
<li><b>DBID:</b><br /><br /><span style="font-family: "courier new" , "courier" , monospace;">A DBID is a Dropbox account ID, from which you can get the <span style="color: red;">account owner's name</span> and the <span style="color: red;">email address attached to it</span> through this <a href="https://www.dropbox.com/developers/documentation/http/documentation#users-get_account" rel="nofollow">endpoint</a>.</span></li>
</ul>
<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><u>How Chooser works</u>:</b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span>
<br />
<ul style="text-align: left;">
<li><span style="font-family: "courier new" , "courier" , monospace;">A third party website embeds the chooser.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;">Then anyone visiting that website can share their files from Dropbox to that particular website.</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;">You can try this at https://www.dropbox.com/developers/chooser.</span></li>
</ul>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilhzuuaMjMKUNnACgsMmXEhM-gXm4KN8tJQvipu-GHVOGMnGghydftFsWYMazsiDSdWxqv7e-U9oJpLmppFH-YHysid4q49CfWhBrHK63GK_GtYsOHewHco0BQHcQujYqa5OqGtr_kmYY0/s1600/Screenshot+from+2018-05-27+12-24-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="671" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilhzuuaMjMKUNnACgsMmXEhM-gXm4KN8tJQvipu-GHVOGMnGghydftFsWYMazsiDSdWxqv7e-U9oJpLmppFH-YHysid4q49CfWhBrHK63GK_GtYsOHewHco0BQHcQujYqa5OqGtr_kmYY0/s400/Screenshot+from+2018-05-27+12-24-48.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Bug:</u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u><br /></u></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNKalHvD2_u3NV28fzKnm9VNT5j2HZrBRdA8jhbz8GnEwxLvigzm0OxCT18GDzg19ZfAar8H_AvfoAywkqSP7iAHvcxwpoAZNBK8BjYprVDCaQfvu6vZkRtWoS6dTNPLzZ8Q6xPH9yAFrS/s1600/Screenshot_from_2018-01-07_00-24-05+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="387" data-original-width="872" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNKalHvD2_u3NV28fzKnm9VNT5j2HZrBRdA8jhbz8GnEwxLvigzm0OxCT18GDzg19ZfAar8H_AvfoAywkqSP7iAHvcxwpoAZNBK8BjYprVDCaQfvu6vZkRtWoS6dTNPLzZ8Q6xPH9yAFrS/s640/Screenshot_from_2018-01-07_00-24-05+%25281%2529.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<b><u><br /></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u><br /></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<span style="font-family: "courier new" , "courier" , monospace;">As can be seen, the Chooser was sharing not only the temporary download link with the third party, but also the DBID.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><b><u>POC</u>:</b></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeoF5ve6iGPF0Ln8TLYbnYo7CUFugt-h-1Bobm-STse8Pfm2b_Z1CmkAmXp8ftyNOYKow6Wn3IVYOaCKGNRsozaHx21ScxemRTI7erYFVWyqCehnNysjLVdLMuDBbmuoIgu46AdFvnUYgU/s1600/Screenshot_from_2018-01-07_00-25-55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="281" data-original-width="1240" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeoF5ve6iGPF0Ln8TLYbnYo7CUFugt-h-1Bobm-STse8Pfm2b_Z1CmkAmXp8ftyNOYKow6Wn3IVYOaCKGNRsozaHx21ScxemRTI7erYFVWyqCehnNysjLVdLMuDBbmuoIgu46AdFvnUYgU/s640/Screenshot_from_2018-01-07_00-25-55.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span>
<a href="https://gist.github.com/k-sau/cdd0053a581bb656b72a414ace1159ab">https://gist.github.com/k-sau/cdd0053a581bb656b72a414ace1159ab</a><br />
<span style="font-family: "courier new" , "courier" , monospace;"><b><br /></b></span>
<span style="font-family: "courier new" , "courier" , monospace;"><b>Timeline:</b></span><br />
<ul style="text-align: left;">
<li><span style="font-family: "courier new" , "courier" , monospace;"><b>Reported: Jan 7th 2018</b></span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;"><b>Triaged: Jan 9th 2018</b></span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;"><b>Closed as resolved: Jan 20th 2018</b></span></li>
</ul>
</div>
</div>
<h2>[Dropbox] Cross domain data leakage for js files</h2>
<p>Published 2018-07-19.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;">Summary:</span></h2>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">Before the <span style="color: red;">h1-3120 2018 event,</span> Nathanial, a Security Engineer from Dropbox, introduced some of their favourite bugs to the hackers invited to that event.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">One of them was <span style="color: red;">Cross domain data leakage for js files</span>, reported by <span style="color: red;">h1/dumeelvavvalu</span>; this was my favourite bug among them.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;">On 10th July 2018, I found the exact same bug again, caused by recent code refactoring.</span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<h2 style="text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;">POC:</span></h2>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<a href="https://gist.github.com/k-sau/5ef0379d2ce31400156dc23611fed929">https://gist.github.com/k-sau/5ef0379d2ce31400156dc23611fed929</a>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4YfSOr8klkLdN040sV8R-oWtKzevnToVQllp1soOox5gqWLQBgEaecAvcEfMZV-qAIIZzFvHrAICoDJxvxvW0_lM04RrdVNJH6XYsLi9igpPIbqiZNYFtTGhnloA_wq8X17SmHrZQhLeH/s1600/Screenshot_from_2018-07-10_00-16-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="287" data-original-width="1317" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4YfSOr8klkLdN040sV8R-oWtKzevnToVQllp1soOox5gqWLQBgEaecAvcEfMZV-qAIIZzFvHrAICoDJxvxvW0_lM04RrdVNJH6XYsLi9igpPIbqiZNYFtTGhnloA_wq8X17SmHrZQhLeH/s400/Screenshot_from_2018-07-10_00-16-39.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="clear: both; text-align: left;">
<span style="font-family: "courier new" , "courier" , monospace;">Details:</span></h2>
<br />
<span style="font-family: "courier new" , "courier" , monospace;">The Dropbox shared link used in the POC is protected by an ACL, so normally only users who have access to that particular file can read it. Since a script tag can load script files from any origin, that data can be read by making a victim visit a malicious page.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">Dropbox fixed it by changing the <span style="color: red;">Content-Type</span> to <span style="color: red;">application/binary</span></span><span style="font-family: "courier new" , "courier" , monospace;">.</span><br />
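An added header audit for this class of bug (my code, not Dropbox's and not from the post): it flags response header sets under which an access-controlled file could still be pulled in through a cross-origin script tag. It is deliberately more conservative than the fix reported above: a non-JavaScript Content-Type is only treated as safe when paired with X-Content-Type-Options: nosniff, which the post does not mention but which is what makes the MIME type binding for script loads; all header sets are constructed samples.

```python
from typing import Dict, Mapping

# MIME types browsers treat as JavaScript: a response carrying one of them
# executes when loaded cross-origin with a script tag, so an ACL-protected
# file served this way leaks its contents to any page the victim visits.
JS_MIME_TYPES = {
    "application/javascript", "text/javascript", "application/x-javascript",
    "application/ecmascript", "text/ecmascript",
}

# Without nosniff the Fetch standard blocks only these families for script
# destinations; anything else is left to browser-specific response blocking.
NEVER_SCRIPT_PREFIXES = ("image/", "audio/", "video/", "text/csv")


def _normalise(headers: Mapping[str, str]) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def xssi_exposed(headers: Mapping[str, str]) -> bool:
    """True if a response with these headers could run as a cross-origin script.

    Assumption (my reading of the Fetch standard, not a claim from the post):
    with X-Content-Type-Options: nosniff a browser refuses to execute a script
    whose MIME type is not a JavaScript type; without nosniff a non-JS type is
    only a weak barrier, so it is treated as exposed here.
    """
    h = _normalise(headers)
    mime = h.get("content-type", "").split(";", 1)[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if mime in JS_MIME_TYPES:
        return True                      # executable whatever else is set
    if nosniff:
        return False                     # non-JS type is actually enforced
    return not mime.startswith(NEVER_SCRIPT_PREFIXES)


# Constructed header sets for an ACL-protected shared file (not captured from
# Dropbox): as reported in the post, as fixed per the post, and hardened.
SAMPLE_RESPONSES = {
    "before_fix": {"Content-Type": "text/javascript; charset=utf-8"},
    "content_type_only": {"Content-Type": "application/binary"},
    "hardened": {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    },
}


def audit(responses: Mapping[str, Mapping[str, str]] = SAMPLE_RESPONSES) -> Dict[str, bool]:
    """Map each sample name to whether it is still exposed to script inclusion."""
    return {name: xssi_exposed(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, exposed in audit().items():
        print(f"{name:18s} exposed={exposed}")
```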
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<h2>Dropbox open redirect - Misconfigured Regex</h2>
<p>Published 2017-07-05.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Courier New, Courier, monospace;">Reading Geekboy's blog post, http://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains/, reminded me of an issue with a similar root cause that I found at Dropbox. </span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">The bug which I found was an open redirect at https://paper.dropbox.com/ep/account/sign-in?cont=<span style="color: red;">https://12dropbox.com</span>.</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;"><b>Note that:</b></span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: Courier New, Courier, monospace;">Changing "<b>cont</b>" to any xyz.com domain didn't work.</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">Changing "<b>cont</b>" to any xyz.dropbox.com domain didn't work.</span></li>
</ul>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">I then checked with xyzdropbox.com, and it worked.</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">So what could be the root cause of this bug?</span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">The only possible cause I can think of is misconfigured <span style="color: red;">Regex</span>. </span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">For the sake of better understanding, let's consider a simple vulnerable regex:</span></div>
<div>
<ul style="text-align: left;">
<li><span style="font-family: Courier New, Courier, monospace;">This <span style="color: red;">/dropbox\.com$/</span> regex will match every <span style="color: red;">#{anything}dropbox.com</span> domain, since nothing constrains what comes before the suffix.</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">In Geekboy's case, the regex could be similar to this one: <span style="color: red;">/^www\.site\.com/</span>, so this can be bypassed with <span style="color: red;">www.site.com.#{anything}</span>.</span></li>
</ul>
<div>
<span style="font-family: Courier New, Courier, monospace;">Both cases can be fixed by anchoring the regex at both ends with <span style="color: red;">^</span> and <span style="color: red;">$</span>:</span></div>
</div>
<div>
<ul style="text-align: left;">
<li><span style="font-family: Courier New, Courier, monospace;">/^dropbox\.com$/</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">/^www\.site\.com$/</span></li>
</ul>
<div>
<span style="font-family: Courier New, Courier, monospace;"><b>Conclusion:</b></span></div>
</div>
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
<div>
<span style="font-family: Courier New, Courier, monospace;">While looking for bypasses, always check:</span></div>
<div>
<ul style="text-align: left;">
<li><span style="font-family: Courier New, Courier, monospace;"><span style="color: red;">evil</span>.victim.com</span></li>
<li><span style="font-family: Courier New, Courier, monospace;"><span style="color: red;">evil</span>validdomain.victim.com</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">validdomain.<span style="color: red;">evil</span>victim.com</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">validdomain.victim.com<span style="color: red;">evil</span></span></li>
</ul>
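An added illustration (my code, not Dropbox's or Geekboy's) of the anchoring point made above, run against the bypass checklist from the conclusion: the two weak patterns and their anchored fixes are applied to the parsed hostname of each candidate redirect target. The URLs are constructed, and the host_of helper with its http(s)-scheme check is my addition.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# The two weak patterns quoted in the post, each anchored on one side only.
WEAK_SUFFIX = re.compile(r"dropbox\.com$")    # also matches "12dropbox.com"
WEAK_PREFIX = re.compile(r"^www\.site\.com")   # also matches "www.site.com.evil"

# The post's corrected patterns: anchored on both sides, the whole host must match.
STRICT_DROPBOX = re.compile(r"^dropbox\.com$")
STRICT_SITE = re.compile(r"^www\.site\.com$")


def host_of(url: str) -> Optional[str]:
    """Lower-case hostname of an absolute http(s) URL, or None if unusable.

    The pattern has to be applied to the parsed host, never to the raw URL:
    a fully anchored regex can never match a whole URL, and loosening the
    anchors to make it match is exactly the bug the post describes.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def is_safe_redirect(url: str, pattern: re.Pattern) -> bool:
    """Allow the redirect only if the target's host matches `pattern`."""
    host = host_of(url)
    return host is not None and pattern.search(host) is not None


def bypass_report(pattern: re.Pattern, trusted: str = "dropbox.com") -> Dict[str, bool]:
    """Run the post's bypass checklist (constructed URLs) against `pattern`."""
    candidates = [
        f"https://{trusted}/home",         # the legitimate target
        f"https://evil.{trusted}/",        # evil.victim.com
        f"https://evilwww.{trusted}/",     # evilvaliddomain.victim.com
        f"https://www.evil{trusted}/",     # validdomain.evilvictim.com
        f"https://www.{trusted}evil/",     # validdomain.victim.comevil
        f"https://12{trusted}/",           # the payload from the post
    ]
    return {url: is_safe_redirect(url, pattern) for url in candidates}


if __name__ == "__main__":
    for label, pat in (("weak", WEAK_SUFFIX), ("strict", STRICT_DROPBOX)):
        for url, allowed in bypass_report(pat).items():
            print(f"{label:6s} {url:32s} allowed={allowed}")
```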
<div>
<span style="font-family: Courier New, Courier, monospace;"><br /></span></div>
</div>
</div>
<h2>Welcome!</h2>
<p>Published 2015-01-11.</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "courier new" , "courier" , monospace;">Hi! </span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">I'm just another noob, but in time this blog will contain lots of valuable things. :)</span></div>