Found some fun vulnerabilities on Instapage and HubSpot with @bbuerhaus, @sshell_, and @xEHLE_. Here's a thread with a couple mini writeups for them:
There are a few routes on the Hubspot CMS which are actually reverse proxies to Hubspot's CDN, you can see the "hs-fs" one below:
The "hs-fs" directory is pointed towards some CDN owned by Hubspot which all customers are allowed to add JavaScript and CSS to, but after registering to the Hubspot portal we found that you could deploy HTML files directly via a legacy API.
After uploading the file, it was possible to access it on any Hubspot website via the reverse proxy after adding in your customer ID and version numbers to the route. An example would be the following URL:
GET /hs-fs/hub/:uid/hub_generated/template_assets/:timestamp/:id/xss.html
One interesting thing about this as well was that Hubspot has a "_hcms/diagnostics" endpoint which reflects your entire HTTP request, including HTTPonly cookies. An attacker could use the JavaScript to fetch the response to this endpoint and grab the victim's HTTPonly cookies.
We ended up looking at a few other landing page providers including Instapage. One very simple bug on Instapage was where you could simply append a null byte to your domain in the domain registration and it would think it was unique, allowing you to "claim" any live domain.
After adding the domain with the appended null byte to your account, it was possibly to deploy any landing page to any live Instapage customer, meaning that you could post anything on any live customer website.
Overall these bugs affected probably ~250,000 different domains in total. We were able to create a PoC for ATO/OAuth vulnerabilities on a couple bug bounty programs (although it's definitely not their fault) and tons of places which had overscoped cookies. Thanks for reading! :)
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.