
How to analyze HackerOne security team's internal handling of attachment export vulnerabilities

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through how the HackerOne security team internally handled an attachment-export vulnerability. The content is concise and easy to follow, and I hope you take something away from the detailed description below.

Hello everyone. What I want to share with you today is a vulnerability in the HackerOne platform itself: the "Export as .zip" function (export to .zip format) could be used to obtain image attachments that had been removed from a report by the HackerOne security team before public disclosure.

Vulnerability description

First of all, I would like to make it clear that I discovered this vulnerability at the end of 2016, and HackerOne has since disclosed it publicly. I am writing it up here first to share it, and second to show that finding such a vulnerability is not as hard as it may seem.

This is a functional bug that falls into the information disclosure class. Nevertheless, based on the severity of the vulnerability and its impact on the business, HackerOne decided to award me its highest bounty, which was also the highest reward HackerOne had paid for a single submitted vulnerability since launching its own bug bounty program.

Vulnerability severity: high (7.5)

Weakness classification: Information Disclosure (CWE-200)

Vulnerability clues

HackerOne is a well-known third-party bug bounty platform. When a vendor's program on HackerOne publicly discloses a vulnerability, there are two disclosure modes: full disclosure and limited disclosure. Full disclosure is the normal form we usually see on H1, which includes the vulnerability information, the screenshots attached as test evidence, and the entire handling timeline. In limited disclosure, the vulnerability summary is hidden, and even the comments, communication and handling steps between the security team and the white hat are restricted.

On November 14, 2016, the HackerOne platform launched a new report-export feature. It is reachable through the EXPORT button in the TIMELINE area of a publicly disclosed vulnerability report, as follows:

When viewing publicly disclosed HackerOne vulnerability reports, white hats can use this feature to export a report in two ways: "View raw text" (view the original text) and "Export as .zip" (export to .zip format).

View raw text (view the original text): shows the text of the entire vulnerability report, making it easy to copy and paste. As follows:

Export as .zip (export to .zip format): packages the text of the entire vulnerability report for download in .zip format. As follows:

Vulnerability discovery

I only noticed the report-export feature on the third day after HackerOne launched it. To be honest, I was a little late, but better late than never, so I started running some tests. The first test I did, on November 17th, was to export some limited-disclosure reports to see whether any of the redacted text could be recovered from the export, but that did not work at all.

On November 29th, while browsing disclosed vulnerabilities on HackerOne's hacktivity, I suddenly saw that a white hat named @faisalahmed had submitted a vulnerability related to the HackerOne report-export feature. In the submission, @faisalahmed described that restricted content (redacted text) hidden by editing could be seen through "View raw text" (view the original text). What, really?! How had I never found that? After reading the @faisalahmed report (https://hackerone.com/reports/182358), I realized it had been submitted the day after the export feature launched; I was completely behind!

Well, I did not have that luck, so I read the report carefully instead. I clicked the "EXPORT" button to export the entire vulnerability report in .zip format and downloaded it.

When I unzipped the .zip file, I saw that it contained a text document and a picture. The text document described the process and result of the whole vulnerability, but wait, what was this picture doing here? I opened it right away. It was a vulnerability verification (PoC) screenshot, yet it did not appear in HackerOne's publicly disclosed report. I also read in the report that @faisalahmed had asked HackerOne to remove a comment with an attached picture after the report was made public, as follows:

If my guess was right, this image was the attachment that @faisalahmed had asked HackerOne to remove, so I immediately wrote the following simple reproduction steps and submitted the vulnerability to HackerOne.

Steps to reproduce the vulnerability:

1. Visit the vulnerability report https://hackerone.com/reports/182358 submitted by @faisalahmed.

2. Click the "EXPORT" button and use the "Export as .zip" function to export the vulnerability report in .zip format.

3. Extract the .zip report package (HackerOne_Report-security#182358.zip).

4. You can now view the image attachment that had been removed from the public disclosure report.

Only 12 minutes after the vulnerability was reported, the HackerOne security team had triaged and classified it:

After another 20 minutes, the HackerOne security team had implemented the fix and deployed it to the production system:

Two days later, HackerOne officially awarded me $12500, the highest bounty since the start of its bug bounty program:

Vulnerability fix

Now, when any publicly disclosed HackerOne vulnerability report is downloaded in .zip format, the archive no longer contains any screenshot attachments that were deleted or redacted; it contains only a txt file with the report text.
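The following is an added example, not HackerOne's code, that models the export behaviour described in the reproduction steps and the fix above. All names (Attachment, Report, the `removed` flag, the export and audit functions) are hypothetical. The root cause the post describes is that the export applied the public-disclosure rule to the report text but bundled every stored attachment regardless of whether it had been removed. The "fixed" builder below generalizes the fix by applying the same visibility check to attachments (the post says HackerOne's deployed fix stops bundling attachments altogether), and the audit helper is the check a defender would run over an export to confirm nothing removed is present.

```python
"""Model of the report-export attachment leak and its fix (added example,
hypothetical names; not HackerOne's implementation)."""
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class Attachment:
    filename: str
    data: bytes
    removed: bool = False  # True once the attachment was removed before disclosure


@dataclass
class Report:
    report_id: int
    body: str  # the text that is actually public
    attachments: list = field(default_factory=list)


def export_zip_vulnerable(report: Report) -> bytes:
    """Behaviour the post describes: the txt holds the public text, but every
    stored attachment is written to the archive, including removed ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"report-{report.report_id}.txt", report.body)
        for att in report.attachments:
            zf.writestr(att.filename, att.data)  # no visibility check here
    return buf.getvalue()


def export_zip_fixed(report: Report) -> bytes:
    """Apply the same visibility rule to attachments as to the text: an
    attachment removed from the public report never reaches the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"report-{report.report_id}.txt", report.body)
        for att in report.attachments:
            if att.removed:
                continue
            zf.writestr(att.filename, att.data)
    return buf.getvalue()


def leaked_files(zip_bytes: bytes, report: Report) -> list:
    """Audit check: names in the archive that belong to removed attachments.
    An empty list means the export leaks nothing that was removed."""
    removed = {a.filename for a in report.attachments if a.removed}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n in removed)


def archive_names(zip_bytes: bytes) -> list:
    """Sorted list of entry names, useful for inspecting an export."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


# Constructed sample report (not real report content).
SAMPLE_REPORT = Report(
    report_id=1,
    body="Public disclosure text of the report.",
    attachments=[
        Attachment("poc-step1.png", b"\x89PNG-constructed", removed=False),
        Attachment("removed-screenshot.png", b"\x89PNG-constructed", removed=True),
    ],
)

if __name__ == "__main__":
    print("vulnerable export leaks:", leaked_files(export_zip_vulnerable(SAMPLE_REPORT), SAMPLE_REPORT))
    print("fixed export leaks:", leaked_files(export_zip_fixed(SAMPLE_REPORT), SAMPLE_REPORT))
```

The useful lesson is that an export path is a second read path over the same data: any redaction or removal applied in the web view has to be enforced again wherever the data is serialized, and an audit like `leaked_files` that compares the export against the removal state catches a regression before it reaches production.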

That is how the HackerOne security team internally handled the attachment-export vulnerability. I hope you picked up something useful from it.
