Unauthenticated user can upload an attachment at HackerOne
Hi every one, i few week ago i was apply to find an a bug that lead to upload Unauthenticated file to HackerOne platform, the bug found when i was tested a brute-force attack against some endpoint at HackerOne.
the behavior is related with another step [ function behavior ] to make this possible.
if you try to log-out from your account at HackerOne and you have two tab used HackerOne, all of them will sign-out automatic, this step as i think is to protect the platform from used submit form and you are not login-in for e.g.
what i found here is that you can for e.g stay in the submit form and you are not login-in and upload the attachment as
Anonymous since the
/attachments will check if you login-in then relate this attachment with your account, or by generate
tracer id if you are as
Anonymous so this attachment will linked to it.
so what i did to find this behavior is :
- tourn-on burpsuite tool and login-in to your HackerOne account.
- in burpsuite you will find an a request send to
/sessions, send it to
- go and click on create a report for any program/team you want, and stay in submit page.
- start a brute-force attack against
/sessionsendpoint for e.g
100 password, HackerOne have an protection against the brute-force so after 100 request your account will be Locked as a protection .
- after the attack finish go back to submit form and upload an attachment, the file will upload, and the
tracerid will connect with it.
/draft_sync , /preview will return with
401 Unauthorized error since the account is login-out [locked], but the
/attachments will let you upload the files.
what actually happen here is :
- account got brute-force.
- the rate limiting protection will locked the account as a safety step.
- the account will locked silently, and there are no notification/auto login-out if he/she already login-in, and the only way to know that is by click on link/path in site, then the message will show message that the account is locked .
- if the user stay in the same page he will not know that his account are locked, and he/she can used some function as upload file in submit form foe e.g .
- the attachment will be uploaded/stored as
Anonymousand will linked to the
tracerid that will generate since there are no user information to linked to it.
Unauthenticated user can upload an attachment without need to login-in or used the
Embedded Submission Form even if is closed/opened.
after send this report to HackerOne i got this response
it sad when your report change to duplicate if anther hacker/research/internal team found it before you :( .
- Nov 8th 2018: bug found.
- Nov 8th 2018: send the report to HackerOne
- Nov 8th 2018: jobert replay and closed the report as Duplicate.
- Nov 8th 2018: ask for disclose the report since it Duplicate.
- Nov 14th 2018: jobert response that they can’t disclose the Duplicate report and give me the agree to publish the write-up.
- DEC 24th 2018: write-up publish.