Share this page!

Maybe Scrolly?
Sam Curry Profile picture
Twitter logo
22 Dec, 7 tweets, 4 min read
Found some fun vulnerabilities on Instapage and HubSpot with @bbuerhaus, @sshell_, and @xEHLE_. Here's a thread with a couple mini writeups for them:

There are a few routes on the Hubspot CMS which are actually reverse proxies to Hubspot's CDN, you can see the "hs-fs" one below:
The "hs-fs" directory is pointed towards some CDN owned by Hubspot which all customers are allowed to add JavaScript and CSS to, but after registering to the Hubspot portal we found that you could deploy HTML files directly via a legacy API.
After uploading the file, it was possible to access it on any Hubspot website via the reverse proxy after adding in your customer ID and version numbers to the route. An example would be the following URL:

GET /hs-fs/hub/:uid/hub_generated/template_assets/:timestamp/:id/xss.html
One interesting thing about this as well was that Hubspot has a "_hcms/diagnostics" endpoint which reflects your entire HTTP request, including HTTPonly cookies. An attacker could use the JavaScript to fetch the response to this endpoint and grab the victim's HTTPonly cookies.
We ended up looking at a few other landing page providers including Instapage. One very simple bug on Instapage was where you could simply append a null byte to your domain in the domain registration and it would think it was unique, allowing you to "claim" any live domain.
After adding the domain with the appended null byte to your account, it was possibly to deploy any landing page to any live Instapage customer, meaning that you could post anything on any live customer website.
Overall these bugs affected probably ~250,000 different domains in total. We were able to create a PoC for ATO/OAuth vulnerabilities on a couple bug bounty programs (although it's definitely not their fault) and tons of places which had overscoped cookies. Thanks for reading! :)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sam Curry

Sam Curry Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @samwcyo

Sam Curry Profile picture
13 Dec
It's frustrating, we reported a SQL injection vulnerability to the Vulcan Forged bug bounty program 6 months ago that let you pull master private keys and plaintext passwords. This vulnerability had a similar level of impact, but was rewarded with $2,000. (1/5)
Over the last year or so we've hacked on tons of Web2
crypto programs which are custodial wallet or are trusted mediums for people to interact with huge amounts of money, but the vulnerabilities are consistently paid <$5k when the *real* amount of risk is >$100m. (2/5)
Something to note is this isn't "speculative" impact, the vulnerabilities demonstrated clear access to user funds and since it's crypto there is a very real threat of someone actually draining the wallet. (3/5)
Read 5 tweets
Sam Curry Profile picture
12 Sep
Client side path traversal is a really fun thing to explore for CSRF and XSS. Revisited an unexploitable blind SSRF which (1) required the authorization header to be sent and (2) passed the authorization header to the provided "url" parameter. This would be account takeover ...
... but, you can't directly CSRF a victim into sending an authorization bearer, therefore you can't trigger the CSRF and steal their token via the blind SSRF which forwarded the header. Luckily for us, the blind SSRF API call was via GET (/example?url=https:// + auth header) ...
... and this allows us to explore the rest of the app for potential client-side path traversal vulnerabilities. These are somewhat easy to find because they don't pose much risk by themselves. If a web app is large and ran via static JavaScript, you can find them pretty easy ...
Read 6 tweets
Sam Curry Profile picture
15 Jan
Since it's 2021 I'd like to go ahead and disclose some bugs I wasn't able to talk about in 2020. These were issues that either got NDA'd or had long remediation timelines.

The following are quick summaries and proof of concepts for some of the simpler bugs:
1. IDOR on Apple via "X-Dsid" header allows attacker to retrieve name, credit card information, addresses, and various PII of any Apple users via DSID
Bounty: $25,000

Could create a "god cookie" which had access to all Apple customers name, address, phone, and billing info. Image
2. Reflected XSS/CSRF token bypass on SecureTransport 5.4 via URL parameters
Bounty: $7,000 and a comfy backpack from Axway :)

Could traverse to a "CSRF debug page" which would auto-submit a request with an appended CSRF token. Also vulnerable to (limited) XSS. ImageImage
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @samwcyo has new unrolls!

Check out other threads from @samwcyo!

Read all threads by @samwcyo

:(