Two distinct vulnerabilities related to Yahoo and PayPal - Vulnerability Alert - Heiba Security Network (myhack58)

ID MYHACK58:62201993868
Type myhack58
Reporter 佚名 (anonymous)
Modified 2019-04-25T00:00:00


This article shares two distinct vulnerabilities related to Yahoo and PayPal: an IDOR (insecure direct object reference) vulnerability in Yahoo, and a DoS vulnerability in PayPal. Both were found by an Indian security engineer, and the principles and ideas behind the finds are fairly simple and typical. They are shared here in the hope that readers can draw on them for reference.

Yahoo IDOR vulnerability ($5,000)

It was a busy day. By the time I got back to the office from an outside job it was already 5 p.m., an hour before going home. So I only opened Burp and tested a few target sites. At that time I often used Yahoo Notepad (Yahoo's online notes) to record personal experiences, and it suddenly occurred to me to test how secure this application really was. I opened the Notepad site, https://notepad.yahoo.com, and while Burp captured the traffic I wrote a note in my personal notes space. After saving the note, I checked the Proxy HTTP History tab, and a GET request containing an encrypted string caught my eye:

GET /ws/v3/users/fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc/items?format=json&count=200&type=Journal&wssid=55mJmcMk3tg&rand=1478541308397&prog=aeon HTTP/1.1
Host: calendar.yahoo.com

What does the encrypted string after users/, fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc, represent? I immediately realized it was my user name, encrypted before being sent to the server. Then I wondered: could I replace it with my plain-text Yahoo user name? I built the following GET request:

GET /ws/v3/users/yahoo-username/items?format=json&kw=test&count=200&type=Journal&wssid=55mJmcMk3tg&rand=1478541308397&prog=aeon HTTP/1.1
Host: calendar.yahoo.com

To my surprise, after replacing the encrypted string with my plain-text Yahoo user name, Yahoo's server returned the same response as it had for the encrypted string: both responses contained the same notes, in the same JSON format. Next I put the user name of another Yahoo test account of mine (test_account_2222) into the GET request, and the response contained that test account's notes.

The problem is that although Yahoo Notepad encrypts the user name in transit, the server does not check, when handling the request, that the user name matches the account making it. As a result, any user name can be entered to access any account's online notes:

/ws/v3/users/fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc/items?
/ws/v3/users/user-name/items?

After repeating the experiment with several test accounts, I confirmed that the vulnerability really existed. In theory it should count as a major vulnerability, since a single GET request with any user name lets me view the Yahoo Notepad content of the corresponding account. From inspecting the application's requests to discovering the vulnerability, the whole process took about 15 minutes. As ecstatic as I was, I also stayed sober and told myself to calm down. This is certainly a very distinctive vulnerability; it requires a different way of thinking and a keen nose, and this time, congratulations to me, I did it. Yahoo finally classified the vulnerability as an IDOR (insecure direct object reference) and awarded a $5,000 bounty. My personal feeling is that the developers assumed that as long as the identifier was encrypted it was secure, but in fact, besides encryption, a verification step (checking that the caller is actually allowed to read the requested account) is also needed.
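The server-side flaw described above, as an added example that is not Yahoo's code: a minimal notes endpoint handler with the vulnerable lookup (trusting whatever user identifier arrives in the path) beside a fixed version that ties the lookup to the authenticated session. The in-memory notes store, the session object, the hex encoding standing in for Yahoo's encrypted identifier, and all function names are assumptions made for this illustration.

```javascript
// Added example (not Yahoo's code). Constructed sample data: two accounts,
// each with private notes.
const NOTES_BY_USER = new Map([
  ["alice", ["alice note 1", "alice note 2"]],
  ["test_account_2222", ["private note of the second test account"]],
]);

// Stand-in for the opaque "encrypted" identifier seen in the request path.
// Here it is plain hex; the point is that encoding or encrypting an
// identifier is NOT an authorization check, because the server still has
// to decide whether the caller may read the object it names.
function encodeUserId(username) {
  return Buffer.from(username, "utf8").toString("hex");
}
function decodeUserId(token) {
  return Buffer.from(token, "hex").toString("utf8");
}

// Resolve the path segment: accept the encoded form or, as the write-up
// found on the real service, a plain user name.
function resolvePathUser(segment) {
  if (NOTES_BY_USER.has(segment)) return segment;
  const decoded = decodeUserId(segment);
  return NOTES_BY_USER.has(decoded) ? decoded : null;
}

// VULNERABLE: the session is never consulted, so any authenticated caller
// can read any account's notes by changing the path segment (the IDOR).
function getItemsVulnerable(session, pathUser) {
  const user = resolvePathUser(pathUser);
  if (!user) return { status: 404, body: null };
  return { status: 200, body: NOTES_BY_USER.get(user) };
}

// FIXED: the owner is derived from the authenticated session, and the
// object named in the path is served only if it belongs to that principal.
// (Returning 404 instead of 403 would additionally avoid confirming that
// another account exists.)
function getItemsFixed(session, pathUser) {
  if (!session || !session.username) return { status: 401, body: null };
  const user = resolvePathUser(pathUser);
  if (!user) return { status: 404, body: null };
  if (user !== session.username) {
    // Cross-account access attempt: deny, and log it for detection.
    console.warn(`IDOR attempt: ${session.username} requested notes of ${user}`);
    return { status: 403, body: null };
  }
  return { status: 200, body: NOTES_BY_USER.get(user) };
}

// Stand-alone demonstration: alice's session requesting the other account.
const demoSession = { username: "alice" };
console.log("vulnerable:", getItemsVulnerable(demoSession, "test_account_2222"));
console.log("fixed:     ", getItemsFixed(demoSession, "test_account_2222"));
```

The fixed handler shows the check the write-up says was missing: the identifier in the URL is at most a hint about which object is requested, and the decision to serve it rests on the session, not on the identifier's format.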
PayPal DoS vulnerability ($3,200)

One day I was testing the site braintreepayments.com for vulnerabilities. It is within the scope of PayPal's bug bounty program; Braintree is an online payment platform that PayPal acquired in 2013. While inspecting the site's source code, I found the following strange JavaScript:

var targetLocale = window.location.href.match(/locale=(.{5})/) ? window.location.href.match(/locale=(.{5})/)[1] : null;

Reading the code carefully, the analysis shows that locale is the language parameter and currentLocale is the current language setting, for example en-us. I noticed that the code includes a function that checks the locale parameter in the user's request: if its value is not equal to en-us (the currentLocale value obtained from the browser), then the user's locale parameter value is saved as storedLocale via window.localStorage.setItem('locale', targetLocale). Under this mechanism, whenever a user visits the braintreepayments.com site, if the current currentLocale and storedLocale do not match, the user is forcibly redirected to the page https://braintreepayments.com/locale. In that case, even if the user clicks any link on https://braintreepayments.com/, the end result is still a redirect to https://braintreepayments.com/locale. What vulnerability can be constructed from this function? DoS, of course.

Although the locale (region) parameter is only five letters, such as en-us or zh-cn, and is merely saved in the browser's localStorage, it is still enough to build a fitting PoC, as follows:

https://www.braintreepayments.com/legal/policy-updates?utm_campaign=BT_EMEA_LUX_SafeHarborUpdate_20160413&utm_medium=email&utm_source=Eloqua&elq_cid=5230793&locale=fword

As for the impact of the PoC link: once victims click the link above, they are automatically redirected to the https://braintreepayments.com/fword page, and even if they then click Log in or Sign up it does no good; they keep being redirected to the https://braintreepayments.com/fword page.

If a malicious attacker spreads the PoC link through a number of public channels, a large number of victims will be redirected to the https://braintreepayments.com/fword page, so ordinary users can no longer access and use the Braintree payment platform site normally, forming an indirect DoS attack. The victims need to clear their browser's JS cache (localStorage) to get rid of the malicious redirect. After the vulnerability was reported, PayPal awarded a $3,200 bounty.
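The redirect mechanism described above, as an added example that is not Braintree's code, runnable under Node with stand-ins for window.location.href and localStorage: it reuses the page's own locale regex, reproduces the persist-and-redirect logic that made the PoC work, and places beside it a fixed version that validates the locale against an allow-list before storing it and discards a previously stored bad value. The storage stand-in, the contents of the allow-list, the redirect URL shape and the function names are assumptions.

```javascript
// Added example (not Braintree's code). Minimal stand-in for
// window.localStorage so the logic runs outside a browser.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// The extraction seen on the site: any five characters after "locale=".
// Note that it matches "fword" just as readily as "en-us".
function extractTargetLocale(href) {
  const m = href.match(/locale=(.{5})/);
  return m ? m[1] : null;
}

// VULNERABLE: persists whatever five characters arrived and redirects to
// them on every later page load. Returns the redirect target or null.
function localeRedirectVulnerable(href, storage, currentLocale) {
  const target = extractTargetLocale(href);
  if (target && target !== currentLocale) storage.setItem("locale", target);
  const stored = storage.getItem("locale");
  if (stored && stored !== currentLocale) {
    return "https://braintreepayments.com/" + stored;
  }
  return null;
}

// FIXED: accept only values of the exact xx-yy shape that are also on an
// allow-list of locales the site actually serves (list assumed here), and
// remove any stored value that fails the check so a poisoned browser heals
// itself on the next visit instead of requiring a manual storage wipe.
const SUPPORTED_LOCALES = new Set(["en-us", "en-gb", "de-de", "zh-cn"]);
function isValidLocale(value) {
  return typeof value === "string" &&
    /^[a-z]{2}-[a-z]{2}$/.test(value) &&
    SUPPORTED_LOCALES.has(value);
}
function localeRedirectFixed(href, storage, currentLocale) {
  const target = extractTargetLocale(href);
  if (isValidLocale(target) && target !== currentLocale) storage.setItem("locale", target);
  const stored = storage.getItem("locale");
  if (!isValidLocale(stored)) {
    storage.removeItem("locale"); // clean up a previously stored bad value
    return null;
  }
  return stored !== currentLocale ? "https://braintreepayments.com/" + stored : null;
}

// Stand-alone demonstration with a constructed URL of the same shape as the PoC.
const demoUrl = "https://www.braintreepayments.com/legal/policy-updates?locale=fword";
const demoStore = makeStorage();
console.log("vulnerable first visit:", localeRedirectVulnerable(demoUrl, demoStore, "en-us"));
console.log("vulnerable later visit:", localeRedirectVulnerable("https://braintreepayments.com/login", demoStore, "en-us"));
console.log("fixed:", localeRedirectFixed(demoUrl, makeStorage(), "en-us"));
```

The point of the fixed version is that a value read back from localStorage is as untrusted as one read from the URL: validating it again on every load is what limits the damage to a single visit rather than a persistent lock-out.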