How I was Able to Access any Localize Users Private Project as Admin Without the Project Owners Permission
I want to share one of my finding on Localize.io which I have reported to them on 21st April 2014.
While
researching and working on bug bounties, I have found that by using Insecure Direct Object we can execute the Privelege Escalation vulnerability and we can bypass
Process Validation & Permission Restrictions even when they are properly implemented and also we can access any other users Private Projects as Admin without the Project Owners or Admins Permission.
The
challenge was to execute the Privilege Escalation attack to Access the Private Projects by bypassing Process Validation & Permission Restrictions. I have found that the another users private project Url http://www.localize.io/projects/9n was not accessible without login also the we were not sure wether the project was public or private.
So, I tried to find the weakness in its Process Validation & Permissions, I found that if the Project is Public then we can access the Url without login and if the Project is Private then we can access the Url using other Users Privilege without able to view anything else of that project and we can send a invitation request to that Private Projects Owner or Admin. Also I found that we can enumerate all the Private Projects by decrementing or by incrementing the 9n to 8n or to 7n or 1a to 1b or bq to br etc in the following Url http://www.localize.io/projects/.
So, I tried to find the weakness in its Process Validation & Permissions, I found that if the Project is Public then we can access the Url without login and if the Project is Private then we can access the Url using other Users Privilege without able to view anything else of that project and we can send a invitation request to that Private Projects Owner or Admin. Also I found that we can enumerate all the Private Projects by decrementing or by incrementing the 9n to 8n or to 7n or 1a to 1b or bq to br etc in the following Url http://www.localize.io/projects/.
Now
only 1 options left that we can send a invitation request to that Private Projects Owner or Admin to Access the Private Project once that Private Project Owner or Admin Accepts the invitation request. So the whole process was something like this another Normal user send a request to the Private Project Admin and after his Approval we can access it as Contributor user privilege which is a default Privilege.
So
for that I created 2 dummy account for testing purpose on Localize.io and execute the below mentioned steps.
Steps to execute this attack are as following:
1) 1st User has created a Private Project called 9n which is accessible on this Url http://www.localize.io/projects/9n
2) For Private Projects any other 2nd User will not even have the permissions to view the project.
3) So the 2nd user will send the invitation request to the 1st user by accessing the following Url http://www.localize.io/projects/9n the invitation request will be as mentioned below:
2) For Private Projects any other 2nd User will not even have the permissions to view the project.
3) So the 2nd user will send the invitation request to the 1st user by accessing the following Url http://www.localize.io/projects/9n the invitation request will be as mentioned below:
Private Project Access Invitation Request (From 2nd User) :
POST / HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=Mt3tksoplgp9vle1177h2v8v11
Host: www.localize.io
Content-Length: 93
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
CSRFToken=MTMxNDkzNDUxNjUzNTU1MzYyNGU3NmMwLjAxOTUyMjcz&requestInvitation[repositoryID]=9n
Please Note: The requestInvitation[repositoryID] parameter value will be the Private Projects Value like 9n.
4) Now 2nd user want to access the private project of 1st user which is in http://www.localize.io/projects/9n which is not possible at all. So now the 2nd user will himself send below mentioned request to Accept his own Invitation Request to access the private projects of the 1st user. The Invitation Accept Request will be as mentioned below:
Invitation Accept Request (From 2nd User) :
POST /invitations/9n HTTP/1.1
Accept: text/html, application/xhtml+xml, /
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=Mt3tksoplgp9vle1177h2v8v11
Host: www.localize.io
Content-Length: 132
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
CSRFToken=MTU2MTY3NTE2NTUzNTU1OGU0ZTYwYWM4LjYxMjc4ODE3&invitations[userID]=3gk&invitations[accept]=1&invitations[role]=4
Please Note: The invitations[userID] parameter value 3gk is always same for all the users, the invitations[accept] parameter value 1 means to Accept the invitation request & 2 means to Reject the invitation and the invitations[role] parameter value 1 is for Contributor, 2 is for Moderator, 3 is for Developer, 4 is for Administrator Privileged User.
5) Bingo!!! The 2nd user now able to access the Private Project as Admin, mission accomplised :D.
Same way the attacker(ie any 2nd user can access any other users Private Projects as Admin)
Rootcause:
The other user was able to accept his own Private Project Access Invitation Requests by manipulating the Url http://www.localize.io/projects/9n & Parameters invitations[userID], invitations[accept], invitations[role] values.
Impact:
All Localize.io users were vulnerable to this attack and using these
vulnerability the Attacker can bypass the Process Validation & Permission Restrictions and can Access any Localize Users Private Project as Admin Without the Project Owners Permission.
Recommendation:
Do not assume that users will access application pages in the intended sequence (make sure people will also not be able to avoid access controls by taking a different “path”)
Do not trust the user not to tamper with any data that is transmitted via the client. If some user-submitted data has been validated and is then transmitted via the client, do not rely upon the retransmitted value without revalidation.
Do not trust the user not to tamper with any data that is transmitted via the client. If some user-submitted data has been validated and is then transmitted via the client, do not rely upon the retransmitted value without revalidation.
If a direct object reference must be used, ensure that the user is authorized before using it.
Avoid exposing of private object references to users such as file names and primary keys.
Avoid exposing of private object references to users such as file names and primary keys.
Do not trust any user-submitted parameters to signify access rights (such as admin = true)
Avoid exposing of direct object references to users by using an index.
Verify authorization to all reference objects.
Avoid exposing of direct object references to users by using an index.
Verify authorization to all reference objects.
The vulnerability was mitigated by Localize Security Team within 1 day.
So
in this way, one can bypass Process Validation & Permission Restrictions and can Access any Users Private Project as Admin Without the Project Owners Permission also this technique can be used to find
same type of vulnerability on different websites.
Suggestions and Feedbacks are welcome.
Cool article. How do you find these vulnerabilities in very big sites such FB,Google,Ebay and many more. I am learning about XSS,SQL injection and other vulnerabilities for last 3-4 months and able to find vulnerabilities in some small sites
ReplyDeleteCan you give some suggestion bro? How do you find vuln. in these major sites.
yoginder bagga@ Thanks bro :)....using ones logics, approach, experimentation an by understanding the validations an countermeasures weakness anyone can found those vuls sometimes it may take sometime to find them....gud to know keep learning more an more....read owasp testing guide...watch videos on securitytube.net....join garage4hackers.com forums...join websecrsearch page an group of fb, join mailing lists irc channels an read all sec researchers blogs these all resources may help u in learning and to build ur approach :)
ReplyDelete