hackerone | Jaysonzabate | H1:22093
History: Aug 01, 2014 - 3:11 p.m.

Slack: Content Spoofing all Integrations in https://team.slack.com/services/new/

2014-08-01 15:11:46
jaysonzabate
hackerone.com
$200
33

Hello There,

I've discovered 48+ content spoofing issues and confirmed that all of your Integrations at https://team.slack.com/services/new/ are vulnerable to content spoofing and exploitable against all users.

Content Spoofing: an attack technique used to trick a user into thinking that fake web site content is legitimate data. It is an attack targeting a user, made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

### Proof of concept:

- Buildbox: https://asdasda.slack.com/services/new/buildbox?error=Content Spoofing
- Cloud 66: https://asdasda.slack.com/services/new/cloud66?error=Content Spoofing
- Code Climate: https://asdasda.slack.com/services/new/code-climate?error=Content Spoofing
- Codeship: https://asdasda.slack.com/services/new/codeship?error=Content Spoofing
- Crashlytics: https://asdasda.slack.com/services/new/crashlytics?error=Content Spoofing
- Datadog: https://asdasda.slack.com/services/new/datadog?error=Content Spoofing
- Dropbox: https://asdasda.slack.com/services/new/dropbox?error=Content Spoofing
- Envoy: https://asdasda.slack.com/services/new/envoy?error=Content Spoofing
- Github: https://asdasda.slack.com/services/new/github?error=Content Spoofing
- GoSquared: https://asdasda.slack.com/services/new/gosquared?error=Content Spoofing
- Google Drive: https://asdasda.slack.com/services/new/gdrive?error=Content Spoofing
- Google+ Hangouts: https://asdasda.slack.com/services/new/hangouts?error=Content Spoofing
- Help Scout: https://asdasda.slack.com/services/new/helpscout?error=Content Spoofing
- Heroku: https://asdasda.slack.com/services/new/heroku?error=Content Spoofing
- Honeybadger: https://asdasda.slack.com/services/new/honeybadger?error=Content Spoofing
- Hubot: https://asdasda.slack.com/services/new/hubot?error=Content Spoofing
- IFTTT: https://asdasda.slack.com/services/new/ifttt?error=Content Spoofing
- Jira: https://asdasda.slack.com/services/new/jira?error=Content Spoofing
- Jenkins CI: https://asdasda.slack.com/services/new/jenkins-ci?error=Content Spoofing
- Librato: https://asdasda.slack.com/services/new/librato?error=Content Spoofing
- Magnum CI: https://asdasda.slack.com/services/new/magnum-ci?error=Content Spoofing
- MailChimp: https://asdasda.slack.com/services/new/mailchimp?error=Content Spoofing
- Nagios: https://asdasda.slack.com/services/new/nagios?error=Content Spoofing
- New Relic:
- Ninefold: https://asdasda.slack.com/services/new/ninefold?error=Content Spoofing
- OpsGenie: https://asdasda.slack.com/services/new/opsgenie?error=Content Spoofing
- PagerDuty: https://asdasda.slack.com/services/new/pagerduty?error=Content Spoofing
- Papertrail: https://asdasda.slack.com/services/new/papertrail?error=Content Spoofing
- Phabricator: https://asdasda.slack.com/services/new/phabricator?error=Content Spoofing
- Pingdom: https://asdasda.slack.com/services/new/pingdom?error=Content Spoofing
- Pivotal Tracker: https://asdasda.slack.com/services/new/pivotaltracker?error=Content Spoofing
- RSS: https://asdasda.slack.com/services/new/rss?error=Content Spoofing
- Raygun: https://asdasda.slack.com/services/new/raygun?error=Content Spoofing
- Reamaze: https://asdasda.slack.com/services/new/reamaze?error=Content Spoofing
- Rollcall: https://asdasda.slack.com/services/new/rollcall?error=Content Spoofing
- Runscope: https://asdasda.slack.com/services/new/runscope?error=Content Spoofing
- Screenhero: https://asdasda.slack.com/services/new/screenhero?error=Content Spoofing
- Semaphore: https://asdasda.slack.com/services/new/semaphore?error=Content Spoofing
- Sentry: https://asdasda.slack.com/services/new/sentry?error=Content Spoofing
- StatusPage.io: https://asdasda.slack.com/services/new/statuspageio?error=Content Spoofing
- Stripe: https://asdasda.slack.com/services/new/stripe?error=Content Spoofing
- SupportFu: https://asdasda.slack.com/services/new/supportfu?error=Content Spoofing
- Travis CI: https://asdasda.slack.com/services/new/travis?error=Content Spoofing
- Trello: https://asdasda.slack.com/services/new/trello?error=Content Spoofing
- Twitter: https://asdasda.slack.com/services/new/twitter?error=Content Spoofing
- Userlike: https://asdasda.slack.com/services/new/userlike?error=Content Spoofing
- WorkingOn: https://asdasda.slack.com/services/new/workingon?error=Content Spoofing
- Zendesk: https://asdasda.slack.com/services/new/zendesk?error=Content Spoofing

Please download the screenshot proof of concept: https://www.dropbox.com/s/mnwa2pm1x4ziweg/slack content spoofing.rar

Regards,
Jayson Zabate
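The pattern behind every URL in the report is the same: a free-text `error` query parameter is rendered into the page as if the site had written it. The following is an added example, not Slack's code and not the reporter's, showing that reflected pattern beside the usual fix (treat the parameter as an opaque error *code* looked up in a server-side allowlist, so request-supplied wording never reaches the page), plus a small access-log check that flags requests whose `error` value is not a known code. The `KNOWN_ERRORS` codes, the function names and the sample log lines are all constructed for illustration.

```python
"""Added example: reflected ``?error=`` text (the content-spoofing pattern
from the report) beside an allowlist-based hardened version, and a log
scan that surfaces non-allowlisted ``error`` values. Every code, name and
log line below is constructed; nothing here is taken from Slack's code."""

import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: error *code* -> fixed, server-controlled message.
KNOWN_ERRORS = {
    "auth_failed": "Authentication with the service failed. Please retry.",
    "token_expired": "Your authorization token has expired. Reconnect the integration.",
    "rate_limited": "The service is rate limiting requests. Try again later.",
}
GENERIC_ERROR = "Something went wrong while setting up this integration."


def render_error_vulnerable(query_string: str) -> str:
    """'Before' pattern: whatever ``error`` says is shown to the user in the
    site's own alert styling. HTML escaping stops script injection, but the
    *wording* is still request-controlled, which is exactly the content
    spoofing the report describes."""
    msg = parse_qs(query_string).get("error", [""])[0]
    return f'<div class="alert">{html.escape(msg)}</div>' if msg else ""


def render_error_hardened(query_string: str) -> str:
    """Hardened pattern: the parameter is an opaque code. Known codes map to
    fixed text; anything else collapses to a generic message, so no
    attacker-chosen words are ever rendered."""
    code = parse_qs(query_string).get("error", [""])[0]
    if not code:
        return ""
    return f'<div class="alert">{html.escape(KNOWN_ERRORS.get(code, GENERIC_ERROR))}</div>'


# Constructed sample access-log lines (only the request field matters here).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2014:15:11:46 +0000] "GET /services/new/github?error=token_expired HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2014:15:12:03 +0000] "GET /services/new/jira?error=Content%20Spoofing HTTP/1.1" 200 530
10.0.0.9 - - [01/Aug/2014:15:12:10 +0000] "GET /services/new/heroku HTTP/1.1" 200 498
"""

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_spoof_attempts(log_text: str) -> list:
    """Return (path, decoded error value) for each request whose ``error``
    value is not a known code. Useful to hunt for abuse retroactively and
    to confirm the allowlist fix covers every code legitimately in use."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # parse_qs percent-decodes, so "Content%20Spoofing" becomes "Content Spoofing".
        for value in parse_qs(url.query).get("error", []):
            if value not in KNOWN_ERRORS:
                hits.append((url.path, value))
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_error_vulnerable("error=Content+Spoofing"))
    print("hardened:  ", render_error_hardened("error=Content+Spoofing"))
    for path, value in find_spoof_attempts(SAMPLE_LOG):
        print(f"non-allowlisted error value on {path}: {value!r}")
```

The point of the hardened version is that the lookup table is the only place page wording is defined; if a new integration needs a new message, it gets a new code, and the log scan then tells you whether clients are sending anything outside that set.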