1 00:00:01,420 --> 00:00:03,640 Hello, everyone, and welcome to this video. 2 00:00:04,420 --> 00:00:09,760 So in this video, we are going to see an awesome bug which was reported by a security researcher to 3 00:00:09,760 --> 00:00:16,150 Facebook, for which he was able to get a reward of, in total, thirty one thousand five hundred dollars 4 00:00:16,150 --> 00:00:18,200 for the SSRF that he identified. 5 00:00:18,760 --> 00:00:20,600 That's a very, very interesting find. 6 00:00:21,100 --> 00:00:23,840 So I hope you guys learn a lot from this find. 7 00:00:23,860 --> 00:00:26,890 So we are going to do a complete breakdown of this report. 8 00:00:27,640 --> 00:00:34,310 And the best part is we are going to identify the same vulnerability in other applications as well. 9 00:00:35,140 --> 00:00:44,320 So let's quickly start. Facebook is the largest social networking site, and he was able to identify 10 00:00:44,320 --> 00:00:49,870 one of the subdomains after subdomain enumeration, and the subdomain was m- 11 00:00:50,020 --> 00:00:52,180 nexus.thefacebook.com. 12 00:00:52,540 --> 00:00:59,020 So whenever the user clicks on that particular subdomain, it redirects him to this endpoint, which 13 00:00:59,020 --> 00:01:04,080 is /servlet/mstrWebAdmin. 14 00:01:04,300 --> 00:01:09,280 You can observe in the screenshot below that it says "You are blocked. 15 00:01:09,310 --> 00:01:11,380 Please contact your sysadmin." 16 00:01:12,640 --> 00:01:19,840 So what he did: he quickly googled the keyword, which was mstrWebAdmin, which was appearing in 17 00:01:19,840 --> 00:01:22,300 the endpoint when he saw the error. 18 00:01:22,450 --> 00:01:29,470 So he observed that it was a business intelligence portal that was built on MicroStrategy. 19 00:01:29,590 --> 00:01:34,000 So "mstr" stands for MicroStrategy. 20 00:01:34,330 --> 00:01:34,720 All right. 21 00:01:34,730 --> 00:01:35,620 So we have clue 
22 00:01:35,620 --> 00:01:43,290 number one: we have identified that there is MicroStrategy software running on m- 23 00:01:43,340 --> 00:01:49,190 nexus.thefacebook.com, the subdomain that the researcher has identified. 24 00:01:49,990 --> 00:01:51,310 Let's move ahead. 25 00:01:51,580 --> 00:01:54,020 So, googling mstrWebAdmin, 26 00:01:55,360 --> 00:02:03,040 we came to know that, OK, it is MicroStrategy software, and we can also confirm that from this 27 00:02:03,040 --> 00:02:04,210 blog, as you can see. 28 00:02:04,720 --> 00:02:10,460 So it is a business intelligence portal known internally as Nexus. 29 00:02:10,720 --> 00:02:14,510 That's why the name of the domain was Nexus. 30 00:02:14,570 --> 00:02:14,980 All right. 31 00:02:15,460 --> 00:02:19,270 So we have got some clues which point to that. 32 00:02:20,470 --> 00:02:30,040 The subdomain is being hosted on MicroStrategy software. Now, moving on, from the official configuration 33 00:02:30,040 --> 00:02:36,700 document from MicroStrategy, he identified that there are two endpoints which are publicly 34 00:02:36,700 --> 00:02:37,360 accessible. 35 00:02:37,720 --> 00:02:39,070 This is the first endpoint: 36 00:02:39,880 --> 00:02:47,910 http://yourcompany.com/MicroStrategy/servlet/mstrWeb. 37 00:02:48,430 --> 00:02:53,190 And the second one is /MicroStrategy/servlet/taskProc. 38 00:02:53,650 --> 00:02:58,330 Let's see which was the endpoint that we were able to see, which is mstrWeb. 39 00:02:59,170 --> 00:02:59,520 All right. 40 00:02:59,890 --> 00:03:05,740 So we identified that we are able to see one of the endpoints, and also these two endpoints are publicly 41 00:03:05,740 --> 00:03:06,350 accessible. 
42 00:03:06,730 --> 00:03:12,250 Now, going further into the official configuration document of MicroStrategy, the researcher identified 43 00:03:12,250 --> 00:03:16,810 that the URL was /servlet/mstrWeb. 44 00:03:17,320 --> 00:03:22,080 Then he observed that taskProc does not require any authentication. 45 00:03:22,090 --> 00:03:28,170 So it takes a value from the taskId parameter to perform some custom validation and content 46 00:03:28,170 --> 00:03:28,760 generation. 47 00:03:28,780 --> 00:03:37,720 So by enumerating some tasks using Intruder, he was able to identify the vulnerable parameter, which 48 00:03:37,720 --> 00:03:40,410 you can see over here, as you can observe. 49 00:03:40,900 --> 00:03:46,930 And there was something called a shortURL task, which processes short URLs and does 50 00:03:46,930 --> 00:03:52,900 not check for valid authentication. If you did not understand what basically is happening here: 51 00:03:53,320 --> 00:03:58,840 there is an endpoint, which is this endpoint which has been identified, and into this endpoint 52 00:03:59,740 --> 00:04:06,970 the taskId is shortURL and the srcURL is google.com, which the security researcher gave 53 00:04:07,300 --> 00:04:14,120 to try whether this domain, which is Facebook, is interacting with any third-party domain or not. 54 00:04:14,590 --> 00:04:17,980 So for some specific reasons, it did not work. 55 00:04:17,980 --> 00:04:19,900 And you can see the error: 56 00:04:19,900 --> 00:04:27,250 "The srcURL is not valid", which means the web application is not making any HTTP request 57 00:04:27,250 --> 00:04:29,740 or connection to any third-party domain. 58 00:04:31,100 --> 00:04:36,460 So every time it gives me an error message, which is "The srcURL is not valid", with a status 59 00:04:36,480 --> 00:04:39,350 code of 500, which is internal server error. 60 00:04:39,950 --> 00:04:40,370 All right. 
61 00:04:40,610 --> 00:04:46,550 Then the security researcher thought of downloading the whole application package, which was more than 62 00:04:46,550 --> 00:04:47,090 400. 63 00:04:47,780 --> 00:04:50,130 This is the MicroStrategy software. 64 00:04:50,600 --> 00:04:54,320 So there were several scripts inside which contain some Java files. 65 00:04:54,830 --> 00:05:00,140 Now, this is something which you guys also need to understand: whenever you get stuck at a particular 66 00:05:00,140 --> 00:05:06,880 point in time, the best thing that comes in handy is to download the whole software package. 67 00:05:07,100 --> 00:05:14,360 For example, if you're working on a third-party package, try to identify the issue by reading the code itself, 68 00:05:14,360 --> 00:05:20,710 because that is the time when you may identify many hidden potential flaws. 69 00:05:21,380 --> 00:05:27,290 So here the researcher downloaded the whole package and he started looking at each 70 00:05:28,290 --> 00:05:37,380 package one by one using the JD-GUI tool. So JD-GUI is used to read the decompiled 71 00:05:37,380 --> 00:05:37,740 Java files. 72 00:05:38,260 --> 00:05:46,210 Now the main target was shortURL, as we knew that shortURL is one of the parameters, 73 00:05:46,230 --> 00:05:51,370 but whenever we tried to load google.com into it, it just threw the error. 74 00:05:51,900 --> 00:05:58,440 So finally he found a class, as you can see over here, and you can see a very, very 75 00:05:58,440 --> 00:06:06,240 interesting thing here, where you can see "private static final String allowDomain = 76 00:06:06,240 --> 00:06:07,470 tinyurl.com". 77 00:06:08,640 --> 00:06:17,410 All right, so we know that there is one specific domain which is the only one allowed, which is tinyurl. 78 00:06:18,060 --> 00:06:18,410 OK? 79 00:06:18,510 --> 00:06:25,270 So now we know that only tinyurl is going to work there, as you can see in this code. 
80 00:06:25,290 --> 00:06:31,400 Now, the "srcURL is not valid" task exception is thrown 81 00:06:31,800 --> 00:06:39,850 if anyone tries to load any URL which is not equal to tinyurl, or which does not start with tinyurl. 82 00:06:41,040 --> 00:06:48,120 So now we know that we are able to load only tinyurl and not anything else, such as google.com, 83 00:06:48,120 --> 00:06:50,490 which we tried at the start. 84 00:06:51,030 --> 00:06:56,190 So now let's quickly exploit it. So he quickly started 85 00:06:56,190 --> 00:07:05,580 the Collaborator client, copied the Burp Collaborator address, went to tinyurl, and you can see 86 00:07:05,610 --> 00:07:07,050 this is the Collaborator 87 00:07:07,200 --> 00:07:09,840 URL converted into a tinyurl 88 00:07:09,840 --> 00:07:17,910 address, as tinyurl addresses are allowed as per the software configuration, and you 89 00:07:17,910 --> 00:07:18,930 can see over here. 90 00:07:19,230 --> 00:07:25,440 So this is the tinyurl.com/ shortened URL which was given, as you can see, and 91 00:07:25,440 --> 00:07:28,890 it successfully connected to the Collaborator client. 92 00:07:28,900 --> 00:07:29,380 Perfect. 93 00:07:29,820 --> 00:07:37,530 So we have an HTTP request on our Collaborator, which means it is an external SSRF; so that vulnerability is 94 00:07:37,530 --> 00:07:40,070 present over here, we have identified this. 95 00:07:40,350 --> 00:07:43,400 Let's quickly see whose IP address this is. 96 00:07:43,740 --> 00:07:49,730 And you can see this IP address belongs to Facebook, which can be confirmed from the WHOIS record, 97 00:07:49,770 --> 00:07:54,360 as you can see here, from the website who.is, 98 00:07:54,540 --> 00:07:56,530 WHOIS for the IP address. 99 00:07:56,910 --> 00:07:57,390 Perfect. 100 00:07:58,290 --> 00:07:59,010 Let's move ahead. 101 00:07:59,310 --> 00:08:02,820 Now it's time to test the internal SSRF. 
102 00:08:03,240 --> 00:08:10,110 So we are going to create some sort of invalid internal IP address, for example a wrong IP address, and insert it 103 00:08:10,110 --> 00:08:10,860 into the srcURL 104 00:08:10,860 --> 00:08:12,480 parameter and observe. 105 00:08:12,510 --> 00:08:16,500 There is no response from the server, as you can see. 106 00:08:16,650 --> 00:08:24,540 But we are going to create a real internal IP address this time and insert it into the srcURL 107 00:08:24,540 --> 00:08:27,090 parameter and observe it. 108 00:08:27,090 --> 00:08:36,390 It asks for HTTP basic authentication, which means the server is running HTTP basic auth on port 80, which 109 00:08:36,390 --> 00:08:44,550 can be confirmed over here, which means that we are able to enumerate the internal infrastructure behind 110 00:08:44,550 --> 00:08:49,230 the firewall environment and we are able to see what's running in the back end. 111 00:08:49,770 --> 00:08:56,250 But for some reason, Facebook said: "Thanks for writing in. Various features of our site intentionally 112 00:08:56,250 --> 00:08:59,760 make requests to external user-supplied hosts and ports." 113 00:09:00,330 --> 00:09:07,680 So long story short, Facebook did not accept it and said we have the protections already in place, 114 00:09:07,680 --> 00:09:10,450 so we don't consider this behavior a security risk. 115 00:09:10,980 --> 00:09:12,850 So now it's time to dig deeper. 116 00:09:13,230 --> 00:09:20,640 So what the security researcher did was he tried to increase the impact of this SSRF 117 00:09:20,790 --> 00:09:22,500 by identifying XSS. 118 00:09:22,860 --> 00:09:30,660 So what he did: he quickly made an XSS page, hosted it on his website, and loaded that 119 00:09:30,660 --> 00:09:31,710 website using tinyurl 
120 00:09:31,710 --> 00:09:38,010 over here, and you can see a successful XSS over here, which can be used to trick users 121 00:09:38,010 --> 00:09:39,660 and steal credentials. 122 00:09:40,200 --> 00:09:45,420 Perfect. The second way: using a phishing attack with the help of SSRF. 123 00:09:45,420 --> 00:09:53,040 So we know the target website is able to successfully load tinyurl. We can create and host a phishing 124 00:09:53,040 --> 00:09:59,520 page based on the Facebook login that can steal the victim's Facebook login credentials, which can look like 125 00:09:59,520 --> 00:10:01,970 a legitimate login portal, as you can see here. 126 00:10:02,490 --> 00:10:06,930 And the domain shown here is the attacker-controlled domain. 127 00:10:07,200 --> 00:10:12,870 So the attacker will take this domain, shorten it using tinyurl, and load it into the srcURL 128 00:10:12,870 --> 00:10:19,380 parameter of Facebook, which will successfully show a page, which is this, which is controlled 129 00:10:19,380 --> 00:10:20,390 by the attacker. 130 00:10:20,700 --> 00:10:27,390 So when any victim comes here and logs in with their credentials, the attacker is able to get those credentials, 131 00:10:27,510 --> 00:10:28,590 which you can see. 132 00:10:29,400 --> 00:10:36,360 These are the credentials which the user will input, and you can see where the attacker is able to successfully 133 00:10:36,600 --> 00:10:39,090 steal the credentials of the user. 134 00:10:40,020 --> 00:10:43,230 Now, this is something which shows our impact. 135 00:10:43,350 --> 00:10:49,530 So the attacker is able to steal the credentials and perform identity theft, as well as the attacker 136 00:10:49,530 --> 00:10:56,190 being able to steal cookies using XSS or do a lot of things on a user's computer. 
137 00:10:57,880 --> 00:11:04,300 Next, the researcher was able to fingerprint the internal network and services, so what he did 138 00:11:04,300 --> 00:11:10,540 was he scanned the internal network and sent more than 10,000 requests to find an open port 139 00:11:10,540 --> 00:11:14,350 on the server or any application running on that port. 140 00:11:14,380 --> 00:11:22,360 So what the security researcher did was he made a couple of tinyurls and started identifying each 141 00:11:22,360 --> 00:11:24,310 port number to see which one is open. 142 00:11:24,310 --> 00:11:31,150 And he identified, after scanning, an application which was running on port then three zero 143 00:11:31,150 --> 00:11:31,450 three. 144 00:11:31,780 --> 00:11:37,750 And the name of the application was lightweight, which can be seen from this screenshot here. 145 00:11:38,440 --> 00:11:44,530 So before he could investigate this further, the Facebook security team resolved that vulnerability, and 146 00:11:44,530 --> 00:11:48,630 he was finally awarded a bounty of one thousand dollars. 147 00:11:48,970 --> 00:11:49,480 Perfect. 148 00:11:50,020 --> 00:11:57,580 So I hope you guys understood how the security researcher digs deeper and deeper to identify 149 00:11:57,580 --> 00:12:00,520 the potential impact of the vulnerability. 150 00:12:00,820 --> 00:12:08,650 So the first thing was to identify that only tinyurl will go through; the second thing was to escalate the SSRF 151 00:12:08,650 --> 00:12:16,630 to XSS and a phishing-based scenario in which the attacker is able to steal the valid cookies and 152 00:12:16,630 --> 00:12:19,870 session of the user as well as the credentials. 153 00:12:20,930 --> 00:12:26,030 All right, so moving ahead, the security researcher has found one more vulnerability, which 154 00:12:26,030 --> 00:12:30,710 is sensitive data exposure, to increase the bounty amount from Facebook. 
155 00:12:31,250 --> 00:12:34,280 So is this the end of the story? No, it has just begun. 156 00:12:34,640 --> 00:12:41,450 So the security researcher started fiddling more with the software package, and he identified that one of 157 00:12:41,450 --> 00:12:45,780 the other parameters was also vulnerable, as you can see over here. 158 00:12:46,160 --> 00:12:52,120 So he identified that this string parameter is again a vulnerable parameter. 159 00:12:52,130 --> 00:12:54,050 So he identified one more SSRF. 160 00:12:54,620 --> 00:13:00,440 As you can see, he got a successful request on his Burp Collaborator client. 161 00:13:01,610 --> 00:13:07,580 So this way, the researcher was able to identify one more SSRF in Facebook. 162 00:13:08,060 --> 00:13:15,200 Now, if we move ahead, this is another one that the researcher has identified, which is sensitive 163 00:13:15,200 --> 00:13:16,240 data exposure. 164 00:13:16,370 --> 00:13:22,580 And because of the sensitive data exposure, the remaining amount of the bounty was added. 165 00:13:22,580 --> 00:13:23,890 That was for the sensitive data exposure, 166 00:13:27,460 --> 00:13:31,900 for which he was given a bounty of thirty thousand dollars in total. 167 00:13:32,290 --> 00:13:33,050 That's huge. 168 00:13:33,100 --> 00:13:40,510 So now he also reported that vulnerability to MicroStrategy, because it was in the demo portal 169 00:13:40,510 --> 00:13:42,740 itself, as you can see over here. 170 00:13:43,120 --> 00:13:54,430 So the researcher was able to identify juicy information using the AWS metadata endpoint from the MicroStrategy 171 00:13:54,430 --> 00:13:57,630 demo portal, as you can see in that screenshot over here. 172 00:13:58,030 --> 00:14:00,420 And he reported this to MicroStrategy as well. 173 00:14:00,430 --> 00:14:06,160 And they were generous enough to fix it, and they gave a bounty of $500. 
174 00:14:07,480 --> 00:14:14,200 So in total, thirty one thousand five hundred, in which one thousand dollars was for the SSRF, thirty 175 00:14:14,210 --> 00:14:19,900 thousand for the sensitive data leakage, and five hundred dollars again for the same SSRF 176 00:14:19,900 --> 00:14:22,550 on the demo portal of MicroStrategy. 177 00:14:23,050 --> 00:14:25,690 So I hope you guys understood this report. 178 00:14:26,020 --> 00:14:32,320 I'm going to put the link in the description so you can just go over there and read the whole report 179 00:14:32,320 --> 00:14:32,620 again. 180 00:14:33,570 --> 00:14:39,150 In the next video, we are going to replicate the scenario and we are going to identify the same bug 181 00:14:39,150 --> 00:14:40,920 in a live website. 182 00:14:41,220 --> 00:14:41,760 Thank you.