[standoff365.com] Session hijacking via Image in the Markdown

Summary by the company
Not enough whitelist sanitisation allowed inserting malformed links, leading to session takeover. Thank you, byq!
Summary by the hacker
💀
Developers recently added functionality that allows images to be inserted and rendered in the Markdown editors. At first glance the application loads and renders images only from the https://api.standoff365.com host. But a flaw in the regular expression that checks the image source host allows an attacker to load images from any host whose URL starts with the substring https://api.standoff365.com.
 [...]
 // Minified bundle excerpt. (0, p.VY)() presumably returns the allowed API host string.
 // The pattern '^' + host + '.+' has no boundary after the host (and the dots in the
 // host are not escaped), so any source that merely starts with that text passes.
 if (d = t.properties.src, u !== Hc.NotFound && !new RegExp('^'.concat((0, p.VY)(), '.+')).test(d)) {
 	e.next = 14;
 	break
 }
 [...]
What makes this vulnerability serious is that the application builds the HTTP request for loading the image itself and adds an Authorization header carrying the session token. This behavior leaks the session token to the attacker's host.
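The check described above, as an added example that is not Standoff 365's own code: a regex with the same shape as the minified excerpt (prefix-only match) beside a hardened check that parses the URL and compares the exact origin, plus a header builder that only attaches the session token when the hardened check accepts the source. The hostnames, the token value and the `Bearer` header format are constructed assumptions for illustration.

```javascript
// Added example (not Standoff 365's code). Reproduces the shape of the vulnerable
// host check and contrasts it with an exact-origin comparison. All hostnames other
// than the allowed origin, the token and the Bearer format are constructed placeholders.

const ALLOWED_ORIGIN = 'https://api.standoff365.com';

// Vulnerable shape: '^' + host + '.+' with no boundary after the host and with the
// dots in the host left unescaped, so the pattern only requires that the string
// *start with* text matching the allowed host.
function isAllowedImageSourceVulnerable(src) {
  return new RegExp('^'.concat(ALLOWED_ORIGIN, '.+')).test(src);
}

// Hardened: parse the URL and compare the full origin (scheme + host + port),
// rejecting anything that fails to parse or whose origin differs.
function isAllowedImageSourceHardened(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return false; // relative or malformed URL: never treated as the API host
  }
  return url.origin === ALLOWED_ORIGIN;
}

// Builds the headers the image request would carry. The session token is attached
// only when the hardened check accepts the source; any other host gets an
// unauthenticated request. The 'Bearer' scheme is an assumption, not from the report.
function buildImageRequestHeaders(src, token) {
  const headers = { Accept: 'image/*' };
  if (isAllowedImageSourceHardened(src)) {
    headers.Authorization = 'Bearer '.concat(token);
  }
  return headers;
}

// Constructed sample inputs.
const LEGIT = 'https://api.standoff365.com/files/image.png';
const LOOKALIKE = 'https://api.standoff365.com.example-attacker.test/x.png'; // constructed host
const UNESCAPED_DOT = 'https://apiXstandoff365Xcom/x.png'; // constructed: dots act as wildcards

// Returns, for each sample input, what the two checks decide.
function demo() {
  const samples = [LEGIT, LOOKALIKE, UNESCAPED_DOT];
  return {
    vulnerable: samples.map(isAllowedImageSourceVulnerable), // [true, true, true]
    hardened: samples.map(isAllowedImageSourceHardened),     // [true, false, false]
  };
}

console.log(JSON.stringify(demo()));
```

The hardened check deliberately compares `url.origin` rather than a string prefix: the origin is normalised by the URL parser, so look-alike hosts, unescaped-dot matches and unparseable inputs all fall on the rejecting side, and the credential is never attached to a request that leaves the intended host.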
Reward
₽450,000
Standoff 365
Report No.: 1
Created: August 01, 21:22
Author: byq
Status: Accepted
Type: Vulnerability
Severity: Critical
Comments
By
dingobongo
March 29, 2023
Hello!
You've found a real gem, great work!
We fixed it already and will assign you a reward soon.
Nikita
Standoff365
By
dingobongo
April 4, 2023
Hello again!
As I already mentioned, you did a great job - I hope the approved reward will be worth it ;)
It will be shown to you very soon.
By
Standoff 365
April 4, 2023
Reward assigned: ₽450,000.00
By
byq
April 4, 2023
Thanks!
Also, I appreciate that you updated the severity if I set it wrong.
Unfortunately the Gravity value doesn't show the actual context because most of the vendors ignore it and don't update it.
By
dingobongo
April 4, 2023
Thanks, we're trying to assess risks fairly. What is critical for us, should be rated as critical :)
That's a pity if vendors do not pay attention to this, because gravity and quality are the main metrics vendors consider when inviting hackers to closed programs.
Honestly, I think these metrics should be rethought a bit, because now a hacker with only 1 accepted critical report will have the maximum score of 1000 / 1000, which is good but not really statistically significant.
I hope this workflow will be put in order on the platform eventually.