External authentication prompt injection via unsafe remote file include at https://cfeick-dev-zg7kh0.runway.gitlab.net/
HackerOne report #2262568 by todayisnew on 2023-11-23, assigned to @cmaxim:
Report
Good day, I truly hope it treats you great on your side of the screen :)
I have found that you have a site which is vulnerable to a remote file include from an arbitrary host - in this case, I am able to load my own content from todayisnewpoc.surge.sh.
There is sanitization of the data being loaded from todayisnewpoc.surge.sh, which can prevent some common attack vectors/known payloads, but I am still able to inject a custom authentication prompt which loads when visiting the page.
This prompt is being served from an arbitrary location (authorization.site), which can be modified as needed to be as convincing as possible to any possible victim. Imagine yourdomain.authorization.site, for example. Depending on the browser being used, a message can be included along with the prompt to make it seem more trustworthy.
When a victim enters their information into the prompt, it is sent to the arbitrary location being used by the attacker (authorization.site) along with their IP address, and stored in plain text for the attacker to use when desired.
Additionally, if the victim closes the first prompt, an attacker can serve arbitrary text on the page to encourage them to authorize. If they do so by clicking on the Authorize button, then clicking on the subsequent Authorize button, the victim will again be shown my external authentication prompt from authorization.site.
POC:
https://cfeick-dev-zg7kh0.runway.gitlab.net/docs?url=https://unwieldy-pear.surge.sh/auth2.yaml
How to fix: Restrict the ability to load external json/yaml files via the configUrl and url parameters, or implement an allowed-list for domains which can load via these parameters.
May you be well on your side of the screen :)
-Eric
Impact
This vulnerability results in an authentication prompt.
In addition, browsers will even allow for a custom message to appear alongside the standard message.
This can be confusing for even the most seasoned websurfer!
Their plain text login, password and IP address will be sent to the attacker's server.
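The allow-list fix the report suggests for the `url` and `configUrl` parameters, written as an added example (not GitLab's code). The host names and the default spec path are placeholders; the point is that only an exact-match HTTPS host is accepted, so a spec served from an arbitrary domain falls back to the built-in document instead of being loaded.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts the docs page may fetch OpenAPI/Swagger
# documents from. Placeholder values, not the real configuration.
ALLOWED_SPEC_HOSTS = {"docs.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_allowed_spec_url(url: str) -> bool:
    """Accept only https URLs whose host exactly matches the allow-list.

    Rejects other schemes, userinfo tricks (https://good.host@evil.host),
    lookalike subdomains (good.host.evil.host) and scheme-relative or
    malformed URLs, all of which would otherwise let a caller point the
    docs page at attacker-controlled content.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, userinfo and port already stripped
    if not host:
        return False
    return host in ALLOWED_SPEC_HOSTS  # exact match, never suffix matching


def select_spec_url(params: dict, default: str) -> str:
    """Choose the spec URL for the docs page from the query parameters.

    Both parameters named in the report are checked; anything not on the
    allow-list is ignored and the bundled default document is used.
    """
    for key in ("url", "configUrl"):
        candidate = params.get(key)
        if candidate and is_allowed_spec_url(candidate):
            return candidate
    return default


if __name__ == "__main__":
    # Constructed request: the remote YAML is rejected, the default is served.
    print(select_spec_url({"url": "https://remote.example.net/auth2.yaml"},
                          "/static/openapi.yaml"))
```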