{"id":123,"date":"2016-09-30T01:58:22","date_gmt":"2016-09-29T20:28:22","guid":{"rendered":"http:\/\/www.geekboy.ninja\/blog\/?p=123"},"modified":"2016-09-30T01:58:22","modified_gmt":"2016-09-29T20:28:22","slug":"uber-exploiting-stored-url-redirect-in-password-reset-token","status":"publish","type":"post","link":"http:\/\/www.geekboy.ninja\/blog\/uber-exploiting-stored-url-redirect-in-password-reset-token\/","title":{"rendered":"Uber | Exploiting Stored URL Redirect in Password Reset Token"},"content":{"rendered":"<p><span style=\"color: #000000;\">Hello Friends!<\/span><\/p>\n<p><span style=\"color: #000000;\">While trying my luck with <strong>Uber<\/strong>, I came across a weird behavior in the application which is not very common in today&#8217;s world.<\/span><\/p>\n<p><span style=\"color: #000000;\">I was messing around with the password reset token generation of <strong>Uber<\/strong>. While requesting a password reset link, I appended a known GET parameter to the password reset request, which I had noticed before while checking for URL redirect issues in their OAuth implementation.<\/span><\/p>\n<p><span style=\"color: #000000;\">It was the <strong>NEXT<\/strong> parameter, which is responsible for the next URL or page after a successful login.<\/span><\/p>\n<p><span style=\"color: #000000;\">So now come to the password reset page. Normally the <strong>Uber<\/strong> password reset page URL looks like: <strong>https:\/\/login.uber.com\/forgot-password<\/strong>, whereas the <strong>crafted URL<\/strong> looks like: <strong>https:\/\/login.uber.com\/forgot-password?source=auth&amp;next_url=evil.com<\/strong>.<\/span><\/p>\n<p><span style=\"color: #000000;\">So once a user requests a password reset token via the <strong>crafted link<\/strong>, the user will get a password reset token, and once the user sets his new password, he will be redirected to <strong>evil.com<\/strong>.<\/span><\/p>\n<p><span style=\"color: #000000;\">It&#8217;s a bug, but as we know <strong>Uber doesn&#8217;t accept URL redirect<\/strong> issues unless there is something special about them. As the URL redirect takes place during password reset, I needed to take advantage of it.<\/span><\/p>\n<p><span style=\"color: #000000;\">I made a form which looks the same as the <strong>Uber<\/strong> form, asking for <strong>Confirm Password<\/strong> after the user sets his <strong>New Password<\/strong>. It looks like:<\/span><\/p>\n<p><span style=\"color: #000000;\"><a style=\"color: #000000;\" href=\"http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass.jpg\"><img loading=\"lazy\" class=\"aligncenter size-large wp-image-140\" src=\"http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass-1024x413.jpg\" alt=\"pass\" width=\"634\" height=\"256\" srcset=\"http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass-1024x413.jpg 1024w, http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass-300x121.jpg 300w, http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass-768x310.jpg 768w, http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass-816x329.jpg 816w, http:\/\/www.geekboy.ninja\/blog\/wp-content\/uploads\/2016\/09\/pass.jpg 1377w\" sizes=\"(max-width: 634px) 100vw, 634px\" \/><\/a><\/span><\/p>\n<p><span style=\"color: #000000;\">I used the <strong>data:<\/strong> scheme to make sure it looks more legit instead of using any direct URL.<\/span><\/p>\n<p><span style=\"color: #000000;\">So now the scenario is:<\/span><\/p>\n<ul>\n<li><span style=\"color: #000000;\"><strong>Attacker will request a password reset token via the crafted link.<\/strong><\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Let&#8217;s assume the user resets his password via the reset link.<\/strong><\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>User will set &amp; confirm the new password.<\/strong><\/span><\/li>\n<li><span style=\"color: #000000;\"><strong>Attacker will get the user&#8217;s new password.<\/strong><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\">As we can see, it&#8217;s not a win-win case; we still depend on whether the user chooses to reset his account or not, but it still may happen, and in that situation the attacker will get the password of the user&#8217;s account. So <strong>Uber<\/strong> decided to fix it once I reported it, and they were very quick to acknowledge the report. I would suggest participating in the <strong><a style=\"color: #000000;\" href=\"https:\/\/hackerone.com\/uber\" target=\"_blank\">Uber bug bounty program<\/a>.<\/strong><\/span><\/p>\n<p><span style=\"color: #000000;\"><strong>Here is the Video POC:<\/strong><\/span><\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/jhDa-WXYbDY\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<h2 style=\"text-align: center;\"><span style=\"color: #000000;\">HackerOne Report Thread <a style=\"color: #000000;\" href=\"https:\/\/hackerone.com\/reports\/163067\" target=\"_blank\">#163067<\/a><\/span><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Hello Friends! While trying my luck with Uber I came across a weird behavior in the application which is not very common in today&#8217;s world. I was messing around with the password reset token generation of Uber. While requesting a password reset link, I appended a known GET parameter to the password reset request, which I was [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":125,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[8,9],"_links":{"self":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/123"}],"collection":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/comments?post=123"}],"version-history":[{"count":42,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":169,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/123\/revisions\/169"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media\/125"}],"wp:attachment":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media?parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/categories?post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/tags?post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}