DoS on WAF Protected Sites by Abusing Cookie


Hi Folks,

Today, I'm gonna share one of my interesting finding in bug bounty.

I occasionally hunt bugs in bug bounty in my free time. So, I don't have enough time to blog. But on someone request, I share some of my bug bounty findings here.

I like to find some interesting and logical bugs.

Recently, I found an interesting bug in many sites but I can't disclose the name of every website, one website 'Upwork' already patched this bug and resolved the report that's why I disclose the name.

So, what's the bug? 

Denial of Service (DoS) > Single user cookie based DoS

There are a lot of websites using WAF like Cloudflare etc.

When the Cookie sets with malicious characters(like"><script> alert(1)</script> mean  with XSS or SQLI payloads etc.) value, the site WAF like Cloudflare block us from accessing that website, we need to remove that cookie to access the site

Many websites sets 'Referrer' value in a cookie.

So, 
A little dirty trick comes to my mind.


External site(exsite.com) redirects to vulnsite.com
Now, vulnesite.com sets the referrer value (exsite.com)in the cookie
If we create the page(page.html which redirects to vulnsite) and send the referrer with the payload(?payload) at the end of the url (exsite.com/page.html?%22%3E%3Cscript%3Ealert(1)%3C/script%3E)
After the site loads, vulnsite sets the referrer value  (exsite.com/page.html?%22%3E%3Cscript%3Ealert(1)%3C/script%3E) in the cookie.
(Means, a lazy cookie loads after the web page is loaded.)
Now, when we refresh the page, vulnsite WAF blocks us to access the vulnsite.

Now, just send the PoC URL
exsite.com/page.html?%22%3E%3Cscript%3Ealert(1)%3C/script%3E 
to the victim, when a victim visits the PoC URL, our payload silently sets in the victim cookie, now victim can not access that site anymore.



Attack Scenario:  

Attacker just creates the exploit and sends a crafted URL to the victim (affected website users) that triggered a single user denial of service with a cookie and the victim will not able to use the website or can't access that affected site.

This attack works in any OS and Browser.


Upwork Case:

When any external site redirects to upwork, Upwork sets a 'Referrer' value in a cookie and the referrer site URL in the cookie value.
OK
So, when we send the referrer with some illegal or malicious characters (SQLi or XSS) payloads at the end of the URL 
like  
https://www.hackerinside.me/p/page.html?%22%3E%3Cscript%3Ealert(1)%3C/script%3E,
Upwork sets the cookie with malicious characters value.
Now,
when we refresh the page, Cloudflare blocks us from accessing the website.
Also, the cookie has long expiry.


PoC Mobile Video: http://sendvid.com/xn99odv0 






I've reported this bug to Upwork and they rewarded me a $400 bounty.


Prevention:
  • Store only domain (www.site.com) in referrer cookie value to prevent this.
  • Store referrer value in a cookie with base64 encoding etc.

Upwork patched the bug with option 2 by encoding the value with base64.


Also, I've reported this bug to other sites and some website Triaged my report and rewarded me a bounty but still unpatched.

 There are a lot of sites, which are vulnerable to this attack
  
Also, I've found some other tricks to perform this attack means there are multiple ways to perform this type of attack.
 


Conclusion: 

Think like a bad guy and try to do something uncommon or different. Use your mind instead of scanners.
Thanks for reading. 
Hope you like this sharing. 

Comments

  1. velraj9 April 2019 at 05:00

    The article is good. Thankyou for sharing a good one. Keep sharing more like this article.
    Drupal Training in Chennai
    Drupal Training in Anna Nagar
    Drupal Training in Tnagar
    Photoshop Classes in Chennai
    Best Photoshop Training in Chennai
    Photoshop Course Training in Chennai
    Manual Testing Training in Chennai
    Mobile Testing Training in Chennai

    ReplyDelete
  2. Ravi24 February 2020 at 02:25


    Thanks for your extraordinary blog. Your idea for this was so brilliant. This would provide people with an excellent tally resource from someone who has experienced such issues. You would be coming at the subject from a different angle and people would appreciate your honesty and frankness. Good luck for your next blog!
    Tally ERP 9 Training
    tally classes
    Tally Training institute in Chennai
    Tally course in Chennai
    seo training classes
    seo training course
    seo training institute in chennai
    seo training institutes
    seo courses in chennai
    seo institutes in chennai
    seo classes in chennai
    seo training center in chennai

    ReplyDelete
  3. subha6 July 2020 at 05:40

    thanks for sharing dos on waf protected page... i wish to share my frds also.
    AngularJS training in chennai | AngularJS training in anna nagar | AngularJS training in omr | AngularJS training in porur | AngularJS training in tambaram | AngularJS training in velachery

    ReplyDelete
  4. Data Science Course14 July 2020 at 00:44

    This is an excellent post I seen thanks to share it. It is really what I wanted to see hope in future you will continue for sharing such a excellent post.

    Data Science Course

    ReplyDelete
  5. Unknown17 September 2020 at 06:07

    how did you find external site that redirect to upwork??

    ReplyDelete

Post a Comment

Popular posts from this blog

XSS like a Pro

Image
Hello Friends, I'm gonna share my interesting finding here. Recently,  About two months ago,  I received a private invitation on Bugcrowd and the next day I started to look for bugs on that website because there was only one target (testing site) in scope and they provided me some credentials. I can't disclose the site name, so let's assume https://redacted.com First of all, I logged-in to that site (redacted.com) with the provided credentials and inspected the site around 15 minutes and tried to understand it. After that, I started to look for bugs and found multiple bugs mostly stored XSS. At that day, I had found a total 11 vulnerabilities. I reported them and received a bounty on each report. So, I'm not disclosing the bounties. Also, I'm not sharing my all findings but some. So,  At the beginning, I tried to change my default password and successfully changed my password to '1' which was the first bug that there is no password policy.
Read more

Email Spoofing for Beginners

Image
Hello Everyone, Greetings to all, In this article, I'll talk about email spoofing in a little depth. So, First of all What is Email Spoofing?  If you already know about email spoofing then congratulations But don't worry if u don't know about email spoofing. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. It's not a new technique. It's a very old technique and still widely used in phishing and scamming. This article is going to be interesting and I'll try to short this long article as much simple as possible. Recently, my friend ask me How it's possible to spoof an email? So, there are a lot of questions related to this issue.  When a Domain is Spoofable? It is just as simple in an email as well because email protocols (SMTP) lack authentication. Anyone with a little basic knowledge can able to send an email wit
Read more