[standoff365.com] Session hijacking via Image in the Markdown

Additional description from the vendor
Not enough whitelist sanitisation allowed inserting malformed links, leading to session takeover. Thank you, byq!
Additional description from the hacker
💀
Recently the developers added functionality that allows inserting and rendering images in the Markdown editors. At first glance, the application loads and renders images only from the https://api.standoff365.com host. But a flaw in the regular expression that checks the image source host allows an attacker to load images from any host that starts with the https://api.standoff365.com substring.
 [...]
 // (0, p.VY)() returns the allowed prefix ("https://api.standoff365.com").
 // The pattern is '^' + prefix + '.+': the dots are not escaped and nothing
 // terminates the host, so any src that merely starts with the prefix passes.
 if (d = t.properties.src, u !== Hc.NotFound && !new RegExp('^'.concat((0, p.VY)(), '.+')).test(d)) {
 	e.next = 14;   // src rejected: skip loading the image
 	break
 }
 [...]
 
What makes this vulnerability serious is the fact that the application builds the HTTP request for image loading by itself and adds an Authorization header with the session token value. Such behavior leads to session token leakage to the attacker's host:
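The flawed prefix check and the token-bearing loader described above, as an added example that is not part of byq's report or of the standoff365.com code base: a regular expression of the same shape as the quoted one beside a strict-origin check, both run over constructed image sources, plus a helper that mirrors the loader attaching the session token. The TRUSTED_ORIGIN constant, the function names, the placeholder host attacker.example and the sample URLs are assumptions; the bundled helper (0, p.VY)() is assumed to return the string "https://api.standoff365.com".

```javascript
// Added example (not from the report or the standoff365.com bundle).
// Assumption: the bundled helper (0, p.VY)() returns this prefix.
const TRUSTED_ORIGIN = 'https://api.standoff365.com';

// Same shape as the check quoted from the bundle: '^' + prefix + '.+'.
// Two weaknesses: the dots in the prefix are unescaped (each matches any
// character), and nothing terminates the host, so any string that merely
// starts with the prefix passes.
function isTrustedSourceVulnerable(src) {
  return new RegExp('^'.concat(TRUSTED_ORIGIN, '.+')).test(src);
}

// Hardened check: parse with the WHATWG URL parser and compare the origin
// exactly. Relative or unparsable sources are rejected; embedded
// credentials are rejected too, because "prefix@host" tricks move the
// trusted-looking text into the userinfo part.
function isTrustedSourceFixed(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;
  }
  return url.origin === TRUSTED_ORIGIN && url.username === '' && url.password === '';
}

// Mirrors the behaviour described in the report: the client builds the
// image request itself and attaches the session token. With the weak
// check, the request (and the token) goes to whatever host passed it.
function buildImageRequest(src, sessionToken, isTrusted) {
  if (!isTrusted(src)) {
    return null; // renderer skips the image
  }
  return { url: src, headers: { Authorization: 'Bearer ' + sessionToken } };
}

// Host that would receive the Authorization header, or null if the
// image is never fetched.
function tokenRecipient(src, isTrusted) {
  const req = buildImageRequest(src, 'SESSION-TOKEN', isTrusted);
  if (req === null) return null;
  return new URL(req.url).hostname;
}

// Constructed sample sources (attacker.example is a placeholder host).
const SAMPLE_SOURCES = [
  'https://api.standoff365.com/uploads/avatar.png',              // legitimate
  'https://api.standoff365.com.attacker.example/p.png',          // prefix is just a subdomain label
  'https://api.standoff365.com@attacker.example/p.png',          // prefix is the userinfo part
  'https://apiXstandoff365.com/p.png',                           // unescaped '.' matches 'X'
  'https://attacker.example/?next=https://api.standoff365.com/', // prefix not at the start
  '/relative/p.png',                                             // no host at all
];

// Decision of each check per source, and which host the vulnerable
// loader would send the session token to.
function compareChecks(sources = SAMPLE_SOURCES) {
  return sources.map((src) => ({
    src,
    vulnerable: isTrustedSourceVulnerable(src),
    fixed: isTrustedSourceFixed(src),
    leaksTo: tokenRecipient(src, isTrustedSourceVulnerable),
  }));
}

for (const row of compareChecks()) {
  console.log(row);
}
```

Of the six constructed sources only the first is a genuine api.standoff365.com image; the prefix regex also accepts the next three, and for each of those the loader would attach the session token to a request for a host the attacker controls. Comparing `url.origin` after parsing removes all three classes of bypass at once, which is why an origin comparison is preferable to any string-prefix or escaped-regex fix.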
Reward
450 000 ₽
Standoff 365
Report No.: 1
Created: 1 August, 21:22
Author: byq
Status: Accepted
Type: Vulnerability
Severity: Critical
Comments
From dingobongo, 29 March 2023
Hello!
You've found a real gem, great work!
We fixed it already and will assign you a reward soon.
Nikita
Standoff365
From dingobongo, 4 April 2023
Hello again!
As I already mentioned, you did a great job - I hope the approved reward will be worth it ;)
It will be shown to you very soon.
From Standoff 365, 4 April 2023
Reward paid: 450,000.00 ₽
From byq, 4 April 2023
Thanks!
Also, I appreciate that you updated the severity if I set it wrong.
Unfortunately, the Gravity value doesn't show the actual context because most vendors ignore it and don't update it.
From dingobongo, 4 April 2023
Thanks, we're trying to assess risks fairly. What is critical for us should be rated as critical :)
It's a pity if vendors do not pay attention to this, because gravity and quality are the main metrics vendors consider when inviting hackers to closed programs.
Honestly, I think these metrics should be rethought a bit, because now a hacker with only 1 accepted critical report will have a maximum score of 1000 / 1000, which is good but not really statistically significant.
I hope this workflow will be put in order on the platform eventually.