
Prezi: 1031 variables

Jake Reynolds
Oct 11, 2016 · 4 min read

Prezi is a popular presentation service used by procrastinating teens and adults alike who haven’t learned how to use PowerPoint. It breaks away from the boring slide-to-slide style and gives some flair to a presentation. While I have never used this service, I noticed they had a bug bounty program and decided to look into it.

I found this exploit a couple months ago when I began penetration testing, so my only hope at the time was spamming the URL with some characters and seeing what the program gave me. I began with control characters like %0A and %0D and got some peculiar results; with a string like “helloWorld%0A” the new line would be successfully parsed in the DOM:

[Image: helloWorld%0A]

The Almighty

After a few more tries I was unable to gain anything from this, since Prezi successfully encodes quotation marks and other XSS characters. After one more refresh though, to the delight of my skiddie knowledge, I was presented with the Almighty of debug pages.

[Image: Top of debug page]

This was the result of the “Debug=True” flag accidentally being set on a development server exposed to production. After this section there was a dump of 718 environmental server variables.

[Image: Beginning of environmental variables]

These variables included a lot, but most that were highly sensitive were censored due to Django’s built-in debug code:

import re

HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|SIGNATURE', flags=re.IGNORECASE)
CLEANSED_SUBSTITUTE = '********************'

Masking therefore depended on the server admin naming every sensitive variable so that it matched one of the words in HIDDEN_SETTINGS (and that is only a last resort: turning debug off on servers exposed to prod is the first line of defense). After triggering this error once, I was not able to trigger it again with the same string. I later found out this was because only one of their servers had the debug flag on, making it hard to reproduce.
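To show how brittle name-based masking is, here is an added example (my own reimplementation modelled on the regex quoted above, not Django’s code) run over a constructed settings dump; only the two GOOGLE_ANALYTICS_* names come from the post, every value is made up. It lists which names the debug page would print unmasked.

```python
import re

# Django's pattern as quoted in the post: a setting is masked by its NAME only.
HIDDEN_SETTINGS = re.compile('API|TOKEN|KEY|SECRET|PASS|SIGNATURE', flags=re.IGNORECASE)
CLEANSED_SUBSTITUTE = '********************'


def cleanse_setting(key, value):
    """Mask a value whose key matches HIDDEN_SETTINGS, recursing into dicts
    (modelled on Django's debug-page filter; not Django's own code)."""
    if HIDDEN_SETTINGS.search(str(key)):
        return CLEANSED_SUBSTITUTE
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def cleanse_settings(settings):
    """What the debug page would render for a whole settings/env dump."""
    return {k: cleanse_setting(k, v) for k, v in settings.items()}


def exposed_keys(settings, prefix=''):
    """Dotted names whose real value survives cleansing: the audit a server
    admin should run before trusting HIDDEN_SETTINGS as a safety net."""
    out = []
    for k, v in settings.items():
        path = prefix + str(k)
        if HIDDEN_SETTINGS.search(str(k)):
            continue
        if isinstance(v, dict):
            out.extend(exposed_keys(v, path + '.'))
        else:
            out.append(path)
    return sorted(out)


# Constructed sample in the shape of the dump described in the post.
SAMPLE_SETTINGS = {
    'DEBUG': True,
    'SECRET_KEY': 'not-a-real-key',
    'GOOGLE_ANALYTICS_USER_EMAIL': 'analytics@example.com',
    'GOOGLE_ANALYTICS_USER_PASS': 'not-a-real-password',
    'DATABASE_URL': 'postgres://app:not-a-real-password@db.internal/app',  # secret in the VALUE, name never matches
    'SMTP_LOGIN': 'mailer@example.com',
    'DATABASES': {'default': {'USER': 'app', 'PASSWORD': 'not-a-real-password'}},
}

if __name__ == '__main__':
    for name in exposed_keys(SAMPLE_SETTINGS):
        print('exposed:', name)
```

DATABASE_URL is the instructive case: the credential lives in the value, the name matches nothing, so it is printed verbatim.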

He is risen

At this point I was ready to report the issue, but I decided to try the other control character ‘%0D’ and see what happened. This time I found the Almighty debug page’s Son.


The control character doesn’t show up in the request URL for some unknown reason. Since this was in another part of the site, a different error was triggered and different info presented. This then dumped 313 URL regex routes for their Django app. Most were properly configured to not allow unauthenticated viewing, but a more sophisticated actor could likely have made something of these.

He is risen, indeed

At this point I reported the vulnerability to Prezi through email and continued looking into the information that was given in these variable dumps. An interesting variable combination that was not masked by Django was GOOGLE_ANALYTICS_USER_EMAIL and GOOGLE_ANALYTICS_USER_PASS (which should have been masked). I reported this to Prezi and they verified this could have resulted in takeover of that Gmail account and the associated analytics account, but it was not in use anymore, so they retired the account.

Prezi quickly discovered that they had just one server with a debug flag on and it was a development server accidentally exposed to prod, which is why this was not easily reproducible. They reconfigured that server and resolved the issue.

Resolution Timeline

4/27/16

  • 12:03 AM CDT: Issue reported to Prezi over email
  • 6:45 AM CDT: Confirmation by Prezi of email receipt

5/6/16

  • 8:42 AM CDT: Issue confirmed fixed and $1000 bounty awarded

At the time this was my first experience reporting to a bug bounty program, and it was very enjoyable. I would like to thank Prezi for their professionalism and speedy responses. If you are interested, make sure to check out https://bugbounty.prezi.com/

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMI family. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.
Jake Reynolds

Written by

https://jakereynolds.co All contents of this blog are not associated with my employer.