Insights
Logs are often seen as a wall of text, filled with information that seems unimportant until a significant problem arises. Yet, have you ever thought about the security risks hidden within those walls of text, particularly when they include sensitive details like usernames and passwords? It’s a common belief that only trustworthy individuals, such as administrators, access these logs, but not considering the potential security implications can be a dangerous oversight. Today, we explore a case where logging non-sensitive data inadvertently led to a complete application takeover by a user with limited group privileges.
The Dilemma of Logging
For application developers, creating a robust logging system is essential for promptly identifying and resolving issues. The instinct may be to log as much information as possible for thorough debugging. However, this mindset can be detrimental to security. When logs become accessible or leaked, they can introduce a variety of threats—the more information logged, the greater the security risk.
Real-world Pentest Scenario Unveiled
Within the scrutinized application, there was a "manager" account with responsibilities to oversee a group of app users. Although this account did not have the front-end ability to edit other privileged users, such as managers or administrators, it had access to logs for efficient user issue resolution. These logs didn't include direct sensitive data but detailed user activities, like sent emails, failed login attempts, and other internal app operations. The security risk arose with the logging of email messages, which, on the surface, was useful for confirming the dispatch of reminders for meetings. However, it became concerning when entire email contents were logged, exposing potentially sensitive information to the manager role.
Vulnerability at a Glance
Here is how the exploit was conducted step by step:
1. The attacker requests an admin password reset through the password reset feature.
2. The application emails the password reset link to the admin and logs the email's content.
3. The attacker, with manager-level access to logs, retrieves the password reset link intended for the admin.
4. Using the intercepted link, the attacker resets the admin’s password.
5. Complete control of the account and application is achieved by the attacker.
Unearthed Issues and Recommendations
It became clear that a manager should have log access strictly for their user group, and logs pertaining to other user groups should be reserved for administrator review only. A significant security lapse was the absence of additional protective measures like Two-Factor Authentication (2FA) for admin accounts, which could have prevented such an exploit.
Conclusion and Moving Forward
This case study highlights the need for heightened diligence in designing logging systems. Such systems must balance functionality and problem-solving utility with security concerns. Extra care should be taken to ensure information within logs is shared appropriately, as they can inadvertently become a tool for application compromise through unintentional exposure of operational data. Strengthening security for privileged accounts with measures against password reset or phishing attacks is of the utmost importance in the fight against rising cyber threats. As cybersecurity becomes increasingly critical, robust logging practices are not merely an option but a necessity.
Consider seeking expertise in cybersecurity for a thorough security audit of your applications to protect against these and other potential vulnerabilities.
Within last year I shared a a few writeups of my bypasses of HTML sanitizers, including: > Write-up of DOMPurify 2.0.0 bypass using mutation XSS > Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass While breaking sanitizers is fun and I thoroughly enjoy doing it, I reached a point where I began to think whether I can contribute even more and propose a fix that will kill an entire class of bypasses.
A few days ago, the Anaconda project announced the PyScript framework, which allows Python code to be executed directly in the browser. Additionally, it also covers its integration with HTML and JS code. An execution of the Python code in the browser is not new; the pyodide project has allowed this for a long time...
Summary: During my research on other bug bounty program I've found Cross-Site Scripting vulnerability in cmp3p.js file, which allows attacker to execute arbitrary javascript code in context of domain that include mentioned script. Below you can find the way of finding bug bounty vulnerabilities from the beginning to the ...