2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How to bypass Uber's CSP and achieve XSS: many newcomers are not clear on this, so the following write-up walks through it in detail for anyone who needs it. I hope you gain something from it.
Background
This time I set out to exploit some open redirect vulnerabilities on Uber subdomains. I know Uber does not treat an open redirect as a vulnerability on its own, but chained with another bug it might lead to account takeover or something more serious, so I put the idea into practice. While enumerating endpoints on partners.uber.com, the following URL caught my attention:
https://partners.uber.com/carrier-discounts/att/redirect?href=http://www.wireless.att.com/
I first saw this URL in a forum post and then found similar ones with Google dorks. Was it affected by an open redirect? Yes! The next step was to find a bug in the login flow to chain it with, but after a long search I found nothing. Uber's stated position on open redirects is:
"99% of open redirects have low security impact, but we still want to see the rare cases with high impact, such as stealing OAuth tokens."
When I checked the URL again a week later, it no longer worked: whatever URL you put in the href parameter, it now redirects to https://www.wireless.att.com.
So they had fixed it. Did they find it themselves, or did someone report it? I don't know, and I don't want to know. It was disappointing, but I moved on quickly: with that path blocked, let's look for XSS.
If I asked which Uber URL you are most familiar with, you would probably say the invite links. They are everywhere: forum posts, Twitter, Facebook, Instagram and so on.
The following is an invitation link:
https://www.uber.com/a/join?exp_hvp=1&invite_code=bq6ew1w9ue
I tried for XSS there but failed :(
https://partners.uber.com/p3/referrals/ms?i=bq6ew1w9ue
The link above carries the same invite code, and clicking it redirects to another URL. But why doesn't it check the other parameters here? I decided to search with dorks again:
site:partners.uber.com
The dork search turned up a huge list of invite links. All I had to do was find another parameter, and luckily I found one:
https://partners.uber.com/p3/referrals/ms?i=bq6ew1w9ue&m=ANNIVERSARY&v=1
Looks cool, but where is the XSS? The v parameter indicates how many years the person has been an Uber driver. I injected some XSS payloads into it, but no alert box appeared, so I checked the page source.
Original code:
content="static/images/milestones/anniversary/anniversary_1.png" />
After injecting the payload:
content="static/images/milestones/anniversary/anniversary_1">[injected payload].png" />
As you can see, our payload is not filtered, yet no alert box appears. In my experience this means a Content Security Policy (CSP) is in place. What is CSP? As the Netsparker blog describes it:
"The Content Security Policy (CSP) standard is a way to selectively specify which content should be loaded in a web application. This can be done by whitelisting specific sources, or by using nonces or hashes."
So as long as we find a whitelisted domain we can serve script from, we can bypass CSP. Let's check the CSP header of partners.uber.com. It is quite long, so I only show the part after script-src:
script-src 'self' 'unsafe-inline' 'nonce-9f4b94bf-a195-4d8c-b474-879ae6d1d471' 'self' 'unsafe-inline' https://pullo.uberinternal.com https://apis.google.com https://www.google.com https://d1a3f4spazzrp4.cloudfront.net https://*.uber.com https://rules.quantcount.com https://www.google-analytics.com https://ssl.google-analytics.com https://d3i4yxtzktqr9n.cloudfront.net https://d1a3f4spazzrp4.cloudfront.net;
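Reading a script-src source list like the one above by hand is error-prone, so here is a small auditor that parses it and flags the weaknesses that matter for a bypass. This is an added example written for this page, not code from the original write-up; the policy string is a constructed copy of the directive shown above, and the findings text is my own wording.

```python
import re

# Constructed copy of the script-src directive quoted in the write-up, used as sample input.
UBER_SCRIPT_SRC = (
    "script-src 'self' 'unsafe-inline' 'nonce-9f4b94bf-a195-4d8c-b474-879ae6d1d471' "
    "'self' 'unsafe-inline' https://pullo.uberinternal.com https://apis.google.com "
    "https://www.google.com https://d1a3f4spazzrp4.cloudfront.net https://*.uber.com "
    "https://rules.quantcount.com https://www.google-analytics.com "
    "https://ssl.google-analytics.com https://d3i4yxtzktqr9n.cloudfront.net "
    "https://d1a3f4spazzrp4.cloudfront.net;"
)


def parse_script_src(policy: str) -> list:
    """Return the source list of the script-src directive.

    Directives are separated by ';' and sources by whitespace. CSP ignores a
    repeated directive name, so the first script-src wins."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return tokens[1:]
    return []


def audit_script_src(policy: str) -> dict:
    """Flag source-list features that can let attacker-controlled script execute."""
    sources = parse_script_src(policy)
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    findings = []

    if "'unsafe-inline'" in sources:
        if has_nonce_or_hash:
            findings.append(
                "'unsafe-inline' is ignored by CSP Level 2+ browsers once a nonce or hash is "
                "present; it only matters for legacy browsers, where it allows inline script"
            )
        else:
            findings.append("'unsafe-inline' allows any inline script; the policy does not stop XSS")

    # A wildcard host trusts every subdomain: one JSONP or reflecting endpoint anywhere
    # under it is enough to load attacker-chosen script within the policy.
    wildcard_hosts = [s for s in sources if not s.startswith("'") and "*" in s]
    for host in wildcard_hosts:
        findings.append(
            f"{host}: every subdomain may serve script, so a single JSONP callback or "
            f"reflecting endpoint under it bypasses the policy"
        )

    hosts = [s for s in sources if not s.startswith("'")]
    if hosts and "'strict-dynamic'" not in sources:
        findings.append(
            f"{len(set(hosts))} allowlisted hosts: script trust is as weak as the weakest host; "
            f"prefer a nonce with 'strict-dynamic' so hosts need not be trusted at all"
        )

    duplicates = sorted({s for s in sources if sources.count(s) > 1})
    if duplicates:
        findings.append(
            f"duplicated sources {duplicates}: harmless, but suggests the header is merged "
            f"from several layers without review"
        )

    return {"sources": sources, "wildcard_hosts": wildcard_hosts, "findings": findings}


if __name__ == "__main__":
    for line in audit_script_src(UBER_SCRIPT_SRC)["findings"]:
        print("-", line)
```

Run against the directive above it reports the https://*.uber.com wildcard, the duplicated 'self', 'unsafe-inline' and cloudfront entries, and that 'unsafe-inline' is dead weight next to the nonce; a nonce-only policy with 'strict-dynamic' produces no findings.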
First I checked rules.quantcount.com and found a JSON endpoint, but I didn't have much to go on there. However, the policy whitelists *.uber.com, so if we can find any JSON endpoint with a callback parameter (or something similar) on any uber.com subdomain, we can execute XSS. Here I recommend a post called "DOM XSS - auth.uber.com"; if you have time, read through it:
http://stamone-bug-bounty.blogspot.com/2017/10/dom-xss-auth24.html
In that article the author bypassed CSP because the policy allowed him to load what he needed from *.marketo.com.
He found a callback parameter with the help of dorks, and you can see it works well.
After reading it, I went to VirusTotal and checked Uber's subdomains. One beginning with mkto caught my attention. Could "mkto" be short for Marketo?
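The weak link in both write-ups is the callback endpoint: a JSONP handler that echoes whatever arrives in the callback parameter turns a trusted host into a script source for anyone. The following hypothetical handler, added here as an example and not Marketo's or Uber's code, shows the weak form beside a hardened one and a checker that verifies a response body is nothing but identifier(JSON);.

```python
import json
import re

# A dotted JavaScript identifier such as "app.onData"; anything else is rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def jsonp_unvalidated(data: dict, callback: str) -> tuple:
    """Weak: the callback name is copied verbatim into a script body, so the
    response executes whatever text the query string supplied."""
    headers = {"Content-Type": "application/javascript"}
    return headers, f"{callback}({json.dumps(data)});"


def jsonp_hardened(data: dict, callback: str) -> tuple:
    """Hardened: only a short dotted identifier is accepted, so the body is one call to a
    function the embedding page already defines. The leading comment defeats content
    sniffing tricks and nosniff stops the body being re-typed by the browser."""
    if len(callback) > 64 or not CALLBACK_RE.match(callback):
        raise ValueError("invalid callback name")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, f"/**/{callback}({json.dumps(data)});"


def accepts_callback(name: str) -> bool:
    """Does the hardened handler accept this callback name?"""
    try:
        jsonp_hardened({}, name)
        return True
    except ValueError:
        return False


def is_pure_callback(body: str) -> bool:
    """Check that a body is exactly identifier(<valid JSON>); and nothing more.
    Use this in a test suite or proxy to catch an endpoint that has regressed."""
    m = re.fullmatch(r"(?:/\*\*/)?([A-Za-z_$][A-Za-z0-9_$.]*)\((.*)\);", body, re.S)
    if not m:
        return False
    try:
        json.loads(m.group(2))
    except ValueError:
        return False
    return CALLBACK_RE.match(m.group(1)) is not None


if __name__ == "__main__":
    # Constructed inputs: a legitimate callback and one that is not an identifier.
    for name in ("app.onData", "handle(); x"):
        _, body = jsonp_unvalidated({"ok": True}, name)
        print(f"unvalidated {name!r}: pure callback = {is_pure_callback(body)}")
        print(f"hardened    {name!r}: accepted      = {accepts_callback(name)}")
```

The check in is_pure_callback is deliberately strict: once a callback value can contain anything beyond an identifier, the endpoint is an arbitrary-script oracle for every page whose CSP trusts its host, which is exactly what the wildcard in the policy above hands out.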
Yes, that's right!
Visiting mkto.uber.com redirected me to https://app-ab19.marketo.com/index.php, which confirmed my guess. Now let's use it to bypass CSP. I built the following link with the payload:
https://partners.uber.com/p3/referrals/ms?i=bq6ew1w9ue&m=ANNIVERSARY&v=1">
As you can see, the CSP was bypassed and the XSS alert box fired.
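The CSP bypass only works because the v parameter lands unescaped inside an HTML attribute in the first place. The model below, an added example and not the partners.uber.com template (the tag and its property name are assumed), renders that attribute three ways and includes a check that tells whether a value stayed inside its attribute.

```python
import html
import re

# Assumed template shape modelled on the meta tag shown in the write-up.
TEMPLATE = (
    '<meta property="og:image" '
    'content="static/images/milestones/anniversary/anniversary_{v}.png" />'
)

ATTR_RE = re.compile(r'\s([\w:-]+)="([^"<>]*)"')
# Exactly one <meta> tag made only of well-formed quoted attributes.
WELL_FORMED_RE = re.compile(r'<meta(?:\s[\w:-]+="[^"<>]*")*\s*/>')


def render_unescaped(v: str) -> str:
    """Vulnerable: the query parameter is concatenated into the attribute as-is."""
    return TEMPLATE.format(v=v)


def render_escaped(v: str) -> str:
    """Hardened: attribute-encode the value so quotes and angle brackets stay data."""
    return TEMPLATE.format(v=html.escape(v, quote=True))


def render_validated(v: str) -> str:
    """Stricter: the anniversary count is a small integer, so accept only digits."""
    if not re.fullmatch(r"[0-9]{1,3}", v):
        raise ValueError("v must be a small integer")
    return TEMPLATE.format(v=v)


def validated_accepts(v: str) -> bool:
    """Does render_validated accept this value?"""
    try:
        render_validated(v)
        return True
    except ValueError:
        return False


def stays_in_attribute(markup: str) -> bool:
    """True only if the output is a single well-formed <meta> whose attributes are
    exactly property and content, i.e. the parameter never escaped its attribute."""
    if not WELL_FORMED_RE.fullmatch(markup):
        return False
    names = [m.group(1) for m in ATTR_RE.finditer(markup)]
    return names == ["property", "content"]


if __name__ == "__main__":
    # Constructed inputs: a normal value, one that closes the tag, one that adds an attribute.
    for v in ("1", '1"><b>x', '1" data-injected="x'):
        print(repr(v))
        print("  unescaped stays in attribute:", stays_in_attribute(render_unescaped(v)))
        print("  escaped   stays in attribute:", stays_in_attribute(render_escaped(v)))
        print("  validated accepts value      :", validated_accepts(v))
```

Contextual output encoding is the fix that removes the bug; validating v as an integer is the cheaper fix for this particular parameter. CSP is a second layer, and as the write-up shows, a layer that is only as strong as the least careful host in its allowlist.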
© 2024 shulou.com SLNews company. All rights reserved.