Trello: Sessions Token In Get Parameter Request Initiating Websocket Connection

2017-12-05T19:22:33
ID H1:295461
Type hackerone
Reporter nohack
Modified 2017-12-06T17:39:05

Description

When a user logs in to trello.com, the application, after authentication, sends the session token as a GET (query-string) parameter when it initiates the WebSocket connection. An attacker who can read this session token from the browser history, a proxy history, or web server and proxy logs can reuse it, which leads to full account takeover.

HTTP Request :

GET /1/Session/socket?token=(session_token) HTTP/1.1
Host: trello.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Sec-WebSocket-Version: 13
origin: https://trello.com
Sec-WebSocket-Key: zrJfd2BPSD7/wMlqOsIwnA==
Cookie: dsc=b4a1a1e7f1040aa8e7b92a116e2db8aae1b8320cf76ba4dbf0d03fe15e16ea34; lang=en-US; mab=5a24f6dbc707b40072c51080; landing=New%20Landing; _sp_id.dc4d=5baede9b22925108.1512499043.1.1512499879.1512499043.4b24f248-5913-42ea-9bb2-dcda734a1332; _sp_ses.dc4d=; _ga=GA1.2.2095733095.1512499044; _gid=GA1.2.1499217539.1512499044; __qca=P0-547730160-1512499050146; __hstc=183819321.731035752fea1a262db437564d3ce639.1512499064068.1512499064068.1512499064068.1; __hssrc=1; __hssc=183819321.1.1512499064069; hubspotutk=731035752fea1a262db437564d3ce639; token=(session_token); hasAccount=password
Connection: keep-alive, Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

Impact

The web application uses the GET method to process requests that contain sensitive information (here the session token in the query string of the WebSocket handshake), which can expose that information through the browser's history, Referer headers, web server and proxy logs, and other sources.
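As an added example (not part of the original report, and not Trello's code), the following Python script shows how a defender would detect this leak class in the very places the report names: it scans combined-format access or proxy log lines for session tokens carried in the request query string or in the Referer, and shows how such a URL should be redacted before it is written to a log. The parameter-name list and the log lines are constructed for the demo; the path /1/Session/socket?token=... mirrors the handshake shown above.

```python
"""Added example: find session tokens leaked through URL query strings in
access logs (request target or Referer) and redact them. Not the report's
or Trello's code; sample log lines below are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that should never appear in a query string.
# Assumption: a starting list, to be extended per application.
SENSITIVE_PARAMS = {
    "token", "session", "sessionid", "session_token", "access_token",
    "auth", "authorization", "api_key", "apikey", "secret", "password",
}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def sensitive_params(url):
    """Return the sorted names of sensitive query parameters present in `url`."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Replace the values of sensitive query parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def find_token_leaks(lines):
    """Return one finding per log line whose target or Referer carries a sensitive parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess
        target_hits = sensitive_params(m["target"])
        referer_hits = sensitive_params(m["referer"])
        if not target_hits and not referer_hits:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "path": urlsplit(m["target"]).path,
            "target_params": target_hits,
            "referer_params": referer_hits,
            "status": int(m["status"]),
            # 101 Switching Protocols: the WebSocket upgrade completed with the token in the URL.
            "websocket_upgrade": m["status"] == "101",
            "safe_target": redact_url(m["target"]),
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # WebSocket handshake with the session token in the query string (the reported pattern).
    '203.0.113.5 - - [05/Dec/2017:19:22:33 +0000] "GET /1/Session/socket?token=a1b2c3d4e5f6 HTTP/1.1" 101 0 '
    '"https://trello.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"',
    # Ordinary page load, nothing sensitive in the URL.
    '203.0.113.5 - - [05/Dec/2017:19:22:34 +0000] "GET /b/abc123/board HTTP/1.1" 200 5123 '
    '"https://trello.com/" "Mozilla/5.0"',
    # Credential sent in the POST body: not visible in the log and correctly not flagged.
    '203.0.113.5 - - [05/Dec/2017:19:22:35 +0000] "POST /1/authentication HTTP/1.1" 200 87 '
    '"https://trello.com/login" "Mozilla/5.0"',
    # The same token leaked a second time through the Referer of a later request.
    '198.51.100.9 - - [05/Dec/2017:19:23:01 +0000] "GET /static/app.js HTTP/1.1" 200 40211 '
    '"https://trello.com/callback?token=a1b2c3d4e5f6" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        where = "target " + ",".join(f["target_params"]) if f["target_params"] else ""
        if f["referer_params"]:
            where += (" and " if where else "") + "referer " + ",".join(f["referer_params"])
        print(f'{f["time"]} {f["ip"]} {f["method"]} {f["safe_target"]} '
              f'status={f["status"]} websocket={f["websocket_upgrade"]} leak via {where}')
```

The same redaction belongs in the logging pipeline of the proxy or web server, but the root fix is the one the report implies: do not put the session token in the URL at all; for a browser WebSocket, the cookie already sent with the handshake (visible in the request above) or a first authenticated frame after the upgrade avoids the query string entirely.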

Thanks