How to understand the DoS vulnerability caused by the change of HackerOne user avatar name

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article is about how to understand the DoS vulnerability caused by changing the file name of a HackerOne user avatar. The editor thinks it is very practical and shares it here; I hope you get something out of it. Let's take a look.

The flaw stems from the fact that when a registered HackerOne user uploads an avatar, no appropriate length limit is applied to the file name (filename:unnamed.jpg). An extremely long file name (filename:XXXXXXXXXXXXXXXXXXXXXXX....jpg) can therefore be uploaded, which later causes a denial of service (DoS) on several pages of the HackerOne website.

When I registered a HackerOne user, I found that there was no character length limit on the default image file name (filename:unnamed.jpg) in the user's profile, so the first thing I thought of was to construct a file name as long as possible. The following is the avatar upload request:

At first this did not seem like a serious problem, so I wondered whether increasing the length of the file name could make the HackerOne server throw a 500 server error, but after several tests it did not work.

Then I found that multiple HackerOne endpoints execute GraphQL requests to query information about registered users, and the JSON responses include the URL of the user's profile picture together with the file name given when the user uploaded it.
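The root cause described above is an upload handler that stores the client-supplied multipart `filename` without a length limit and later echoes it into API responses. The following is an added example of the server-side control that was missing, written for this article and not HackerOne's code: the length check runs before any other processing, the display name is normalised, and the on-disk name is random so no storage path depends on user input. The limit of 255, the extension allowlist, and the `participants_response` shape are assumptions.

```python
"""Server-side guard for user-supplied upload file names.

Added example (not HackerOne's code): a hard length limit on the multipart
``filename`` plus normalisation, so that an attacker-chosen name can never be
echoed unbounded into later API responses.  Limits and names are assumptions.
"""
import os
import re
import uuid

# Assumed policy: 255 bytes is the usual filesystem limit and is far above
# any legitimate avatar file name (the post's payload was about 3.6m long).
MAX_FILENAME_LEN = 255
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_upload_filename(raw: str) -> str:
    """Return a safe display name for the upload or raise ValueError.

    The length check runs first, before any regex work, so a huge name is
    rejected at O(1) cost instead of being normalised and stored.
    """
    if not isinstance(raw, str) or not raw:
        raise ValueError("file name is required")
    if len(raw) > MAX_FILENAME_LEN:
        raise ValueError(f"file name exceeds {MAX_FILENAME_LEN} characters")
    # Drop any directory component the client sent (both slash styles).
    name = os.path.basename(raw.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"unsupported extension {ext!r}")
    stem = _UNSAFE_CHARS.sub("_", stem).strip("._")
    if not stem:
        raise ValueError("file name has no usable characters")
    return f"{stem}{ext}"


def stored_name_for(display_name: str) -> str:
    """Name used on disk or object storage: random, never attacker-controlled.

    Keeping the (sanitized) display name separate from the storage key means
    neither the filesystem nor the CDN path depends on client input.
    """
    _, ext = os.path.splitext(display_name)
    return f"{uuid.uuid4().hex}{ext}"


def participants_response(users):
    """Build the participant list an endpoint like /reports/<id>/participants/
    would return (assumed shape).

    ``users`` is a list of (handle, raw_filename) pairs.  Every name passes
    through the sanitizer, so the response size is bounded by
    ``len(users) * MAX_FILENAME_LEN`` regardless of what was uploaded.
    """
    out = []
    for handle, raw in users:
        try:
            display = sanitize_upload_filename(raw)
        except ValueError:
            display = "unnamed.jpg"  # fall back to the default avatar name
        out.append({"username": handle, "avatar_filename": display})
    return out


if __name__ == "__main__":
    # Constructed inputs: a normal upload and an oversized name of the kind
    # described in the post (only the length matters here).
    print(sanitize_upload_filename("unnamed.jpg"))
    try:
        sanitize_upload_filename("X" * 3_600_000 + ".jpg")
    except ValueError as err:
        print("rejected:", err)
```

Rejecting rather than truncating an oversized name is deliberate: truncation would still let two uploads collide on the same display name and would hide the anomaly from logs, whereas a rejected request is both harmless and easy to alert on.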

So what I immediately thought of was to create a huge file name for the user image, and I directly constructed a random string of about 3.6m as the payload:

Then, in the user image upload request, I replaced the picture name unnamed (filename:unnamed.jpg) with this string and sent the upload request. Naturally, the request took some time to complete successfully; the test user account I used was @d3f4ul7_m4n. The following is a screenshot of the user image upload request and response after adding the payload:

Next, I created a vulnerability report with my main HackerOne account @red_assassin and invited the test user @d3f4ul7_m4n above to join the discussion. I found that this invitation initiated a request to the HackerOne server at /reports//participants/. Because the other account's avatar file name is included in the response, the response took quite a long time, sometimes even leading to a timeout or a browser crash.

To prove that the problem is harmful, I registered another user, @fossnow27, with an avatar name constructed from the payload, and invited him to the same vulnerability report. Now, after inviting both @d3f4ul7_m4n and @fossnow27, the server's /reports//participants/ response crashed because it had to fetch the lengthy user avatar names.

Similarly, I opened some HackerOne pages that display registered users' personal information, such as the user profile page, the personal vulnerability report page and the report invitation page, and found that these pages also suffered the DoS problem described above: they responded slowly, hung, or crashed outright.

Vulnerability reproduction

1. Open the page https://hackerone.com/settings/profile/edit

2. Upload the user profile picture and open the capture package:

3. In the request, at the avatar image name Filename:unnamed.jpg, replace unnamed with the prepared long string payload to form a file name of the form abcd.jpg, and perform the upload.
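From the defender's side, the captured upload request in the steps above is also where the anomaly is easiest to spot: the `filename` parameter of a multipart part is orders of magnitude longer than any real file name. The following is an added example, not HackerOne's code or tooling, of a check that a proxy filter, WAF rule or log-review script could run over such a request. It inspects only part headers, so its cost does not grow with the uploaded file. The sample request it builds is constructed for the demonstration; the form field name `user[profile_picture]`, the boundary string and the 255-character limit are assumptions.

```python
"""Audit a captured multipart upload for oversized file names.

Added example (not HackerOne's code): flags any multipart ``filename=``
whose length exceeds a policy limit.  The sample request is constructed;
the field name, boundary and limit are assumptions.
"""
import re

MAX_FILENAME_LEN = 255  # assumed policy limit

_BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.I)
_DISPOSITION_RE = re.compile(rb"^content-disposition:\s*(.*)$", re.I | re.M)
_PARAM_RE = re.compile(rb'(\w+)="([^"]*)"')


def audit_multipart_filenames(raw_request: bytes, max_len: int = MAX_FILENAME_LEN):
    """Return one finding per form part that carries a filename.

    Each finding records the form field, the filename length and whether it
    breaches ``max_len``.  Part bodies are never examined, only their headers.
    """
    head, _, body = raw_request.partition(b"\r\n\r\n")
    match = _BOUNDARY_RE.search(head)
    if not match:
        raise ValueError("no multipart boundary in request headers")
    delimiter = b"--" + match.group(1).strip()
    findings = []
    for part in body.split(delimiter):
        part = part.lstrip(b"\r\n")
        if not part or part.startswith(b"--"):
            continue  # preamble, epilogue or the closing delimiter
        part_headers, _, _ = part.partition(b"\r\n\r\n")
        disp = _DISPOSITION_RE.search(part_headers)
        if not disp:
            continue
        params = dict(_PARAM_RE.findall(disp.group(1)))
        if b"filename" not in params:
            continue
        name_len = len(params[b"filename"])
        findings.append({
            "field": params.get(b"name", b"").decode("utf-8", "replace"),
            "filename_len": name_len,
            "over_limit": name_len > max_len,
        })
    return findings


def build_sample_request(avatar_name: str) -> bytes:
    """Construct a minimal avatar upload request resembling the one in the post.

    The part body is a placeholder, not a real JPEG; only the file name
    matters for this check.
    """
    boundary = b"----WebKitFormBoundaryCONSTRUCTED"
    body = b"".join([
        b"--", boundary, b"\r\n",
        b'Content-Disposition: form-data; name="authenticity_token"\r\n\r\n',
        b"CONSTRUCTED_TOKEN\r\n",
        b"--", boundary, b"\r\n",
        b'Content-Disposition: form-data; name="user[profile_picture]"; ',
        b'filename="', avatar_name.encode(), b'"\r\n',
        b"Content-Type: image/jpeg\r\n\r\n",
        b"<jpeg bytes>\r\n",
        b"--", boundary, b"--\r\n",
    ])
    return b"".join([
        b"POST /settings/profile/edit HTTP/1.1\r\n",
        b"Host: hackerone.com\r\n",
        b"Content-Type: multipart/form-data; boundary=", boundary, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n\r\n",
        body,
    ])


if __name__ == "__main__":
    # Constructed inputs: the default name and an oversized one.
    for name in ("unnamed.jpg", "X" * 5000 + ".jpg"):
        for finding in audit_multipart_filenames(build_sample_request(name)):
            print(finding)
```

Because the check parses headers only, it can run in front of the application (or over stored raw requests) without buffering the image itself; a finding with `over_limit` true is a reasonable trigger to reject the request and raise an alert.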

Vulnerability impact

When malicious users are in a dispute over a duplicate vulnerability report, they can use this technique to prevent other reporters from participating in coordination when the report is initiated, effectively imposing an access restriction on the report's participants.

In addition, some companies' public bug bounty programs list acknowledged white hats (a hall of thanks), and rendering that list also involves fetching user avatar names (as shown below), so if a malicious white hat uses the method above, it can also cause DoS problems in those public programs.

The above is how to understand the DoS vulnerability caused by changing the name of a HackerOne user avatar. The editor believes it contains knowledge points we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
