This is an old note I never got around to posting until now. Back when I was fuzzing Toyota's Bug Disclosure Program, before I realized how limited their scope was, I was grepping their subdomains for generic open redirects in hopes of chaining small bugs together for escalated impact, using an open redirect to reach XSS, SSRF, or SQLi. And I did in fact stumble over such a vulnerability. One Toyota asset returned a positive result for an open redirect that looked like:
http://ohno.toyota.tld/?u=attacker.com
It also enabled cross-site scripting and could potentially have had second-order effects. Consider a service on the backend of the server that we might not be able to view from the client side, but that we can reach like:
http://ohno.toyota.tld/?u=http://127.0.0.1:8001/dashboard&sql_problems=1'
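The fix for this bug class is to stop treating the redirect parameter as a raw destination. Below is an added example (not Toyota's code) of a pass-through redirect handler beside a hardened one that resolves the value against the site's own origin, allows only http/https, and requires an allowlisted host, which rejects the off-site, javascript: and loopback targets described above. The origin and allowlist are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Constructed placeholders: the site's own origin and the hosts a redirect may land on.
SITE_ORIGIN = "https://ohno.toyota.tld"
ALLOWED_HOSTS = {"ohno.toyota.tld", "www.toyota.tld"}


def vulnerable_redirect_target(u: str) -> str:
    """The bug as described above: whatever arrives in ?u= becomes the Location
    header, so 'attacker.com', 'javascript:...' and 'http://127.0.0.1:8001/...'
    are all handed straight to the client (or to a server-side fetcher)."""
    return u


def safe_redirect_target(u: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on allowlisted hosts, else the fallback."""
    if not u or any(c in u for c in "\r\n\x00"):
        return fallback  # empty, or control characters that could split the header

    # Resolve relative to the site origin so that "attacker.com" becomes a local path
    # and "//attacker.com" becomes an absolute URL that the host check can judge.
    resolved = urljoin(SITE_ORIGIN + "/", u.strip())
    parts = urlsplit(resolved)

    if parts.scheme not in ("http", "https"):
        return fallback  # drops javascript:, data:, file: and friends (the XSS vector)

    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return fallback  # drops off-site hosts and 127.0.0.1 / internal services (the SSRF vector)

    return resolved
```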
Small bugs can often be escalated, which is a useful thing to keep in mind while fuzzing the web. Toyota's team was solid. Initially, my report was closed as not applicable, but their security folks reviewed the report again and re-opened it, patching and emailing me back within a week.