Google Drive integration errors created SSRF flaws in multiple applications

Feb 7, 2022 | News

Bug hunter earned $17k bounty for HelloSign bug. Implementation flaws in Google Drive integrations created server-side request forgery (SSRF) vulnerabilities in a variety of applications, a security researcher has revealed.


This included Dropbox’s digital signature platform, HelloSign, but “by far the finest” SSRF was achieved via CRLF and request pipelining in another, unnamed application, recounts bug bounty hunter Harsh Jaiswal in a GitHub write-up.

HelloSign bounty

Jaiswal received a bounty award of $17,576 for a “pretty simple” but critical SSRF related to HelloSign’s Google Drive Docs export feature.

“By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse external JSON data which leads to an SSRF attack,” said Dropbox’s security team in a bug thread on HackerOne.

“We updated the parser to securely make a request which mitigates the vulnerability,” they added.


Controlling downloadUrl

Jaiswal said the implementation issues arose in integrations that fetched files from the Google Drive API on the server side.

To demonstrate the concept, he outlined a scenario in which an application retrieves and renders an image file from Google Drive in a way that could give attackers control of the HTTP request made to googleapis.com via the file_id.

“This means we can do a path traversal and add query parameters,” explained the researcher.

Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable.

However, he found another route to SSRF.

Because the alt=media parameter makes the API serve the file’s contents instead of the JSON metadata object, an application that parsed that response as JSON and extracted downloadUrl could be fed attacker-supplied JSON, giving attackers control over downloadUrl.

A payload containing a malicious JSON object with the downloadUrl set to an attacker-controlled URL could then, depending on application logic, trigger a blind SSRF.
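As an added illustration of the server-side pattern described above (this is not code from Jaiswal’s write-up or from any affected application), the snippet contrasts the unsafe habit of splicing file_id straight into the API URL with an allowlist check, and validates downloadUrl before the server follows it; the API base URL, the file-ID pattern and the host allowlist are assumptions of the example.

```python
import json
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Assumed allowlist for Drive file IDs: opaque tokens of URL-safe characters.
# Anything with "/", "?", "&" or CR/LF is rejected, which closes the path
# traversal, extra-query-parameter and header-injection routes in one check.
FILE_ID_RE = re.compile(r"[A-Za-z0-9_-]{10,128}")

# Assumed base URL of the metadata endpoint the integration calls.
API_BASE = "https://www.googleapis.com/drive/v2/files/"

# Assumed allowlist of hosts the server may fetch file content from.
ALLOWED_DOWNLOAD_HOSTS = {"www.googleapis.com"}


def build_metadata_url(file_id: str) -> str:
    """Return the metadata URL for file_id, or raise if the id is malformed.

    The unsafe pattern is plain concatenation (API_BASE + file_id), which lets a
    crafted id rewrite the request path and append query parameters.
    """
    if not FILE_ID_RE.fullmatch(file_id):
        raise ValueError("rejected file id")
    # After the allowlist check nothing needs escaping; quote() keeps a future
    # loosening of the regex from silently reintroducing the bug.
    return API_BASE + quote(file_id, safe="")


def is_safe_download_url(url: str) -> bool:
    """Accept a downloadUrl only if it is https, has no userinfo and sits on an
    allowlisted host; otherwise the metadata steers the server's next request."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return parts.hostname in ALLOWED_DOWNLOAD_HOSTS and parts.port in (None, 443)


def pick_download_url(metadata_json: str) -> Optional[str]:
    """Parse the metadata response; return a URL that is safe to fetch, else None.

    If the response was really file content (as with alt=media), the attacker
    chose this JSON, so downloadUrl must be treated as untrusted input.
    """
    meta = json.loads(metadata_json)
    url = meta.get("downloadUrl")
    return url if isinstance(url, str) and is_safe_download_url(url) else None
```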

CRLF, request pipelining

The SSRF via CRLF and request pipelining was found on a private bug bounty program and related to how slides were imported from Google Drive.

The path traversal part of Jaiswal’s exploit worked but not the query parameters, the researcher found.

However, CRLF – denoting special character elements ‘carriage return’ and ‘line feed’ – applied to the authToken property, allowing him to control part of the request headers.

“Using this I was able to craft a new request to www.googleapis.com with my controlled query params using request pipelining,” said Jaiswal.

More to find

The researcher said most of the reported SSRFs have now been rectified, but that more could be lurking, undiscovered, in other applications.

“If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug,” he told The Daily Swig. “I’m pretty sure there are more apps still affected by this finding.”

Source: portswigger.net
