Pingiskok
@pingiskok

7 posts

Web2/2.5/3 bugs. Mostly the ones auditors skip. https://t.co/gkUb7RpelE

Joined April 2026
8 Following, 282 Followers
Pingiskok
Pingiskok@pingiskok·
Got files from 133 companies via a quiz platform. Typical web3.

After recon I spot quiz.* running a different stack and UI (third-party SaaS quiz platform. httpx lets you see what's what at a glance). Signed up, didn't even need to confirm email, dropped straight into the full dashboard. In the content section I found an embedded file manager.

In DevTools (I've stopped using that degenerate Burp entirely, but I can't get used to Caido either) I see:

GET /elfinder/connector?cmd=open&target=...

elFinder. The moment you see elFinder your pulse should spike: it pumps out CVEs every year (path traversal, RCE, file delete).

elFinder with the target parameter:

target=flsproject_clientname1_s3_cHJvamVjdHMvcHJvZC9jbGllbnRuYW1l

First thing that jumps out is the end of the string. cHJvamVjdHMv... looks like base64. When you see an opaque identifier, always try base64. 80% of the time "hashes" on the web are just base64. Decoding the tail:

echo 'cHJvamVjdHMvcHJvZC9jbGllbnRuYW1l' | base64 -d
projects/prod/clientname

Okay, so it's a filesystem path. And a structured one: projects/prod/clientname. Next the brain automatically asks the question: if my tenant lives at projects/prod/clientname, what lives at projects/prod/? That's literally just the parent directory. That's where all the tenant folders should be.

I encode projects/prod back into base64, plug in the volume ID from the original request:

echo -n 'projects/prod' | base64
cHJvamVjdHMvcHJvZA==

Swap it into the request in place of the original hash. Response: 133 directories. Each one a separate client company of the platform. Confirmed reading files of other tenants, directory creation (deleted it immediately), uploading HTML that the CDN serves as text/html with no CSP, stored XSS on a legitimate domain thrown in as a bonus.

Funny part is the bucket itself is locked down and directory listing returns AccessDenied. The problem isn't a public bucket.

elFinder works as a proxy: the credentials to the bucket live on its server, and when you hit /elfinder/connector?cmd=ls&target=..., it uses its own credentials to go into the bucket and hands you the result. The bucket is configured fine, but elFinder has access to the ENTIRE bucket with no tenant prefix restriction.

#bugbounty #infosec #pentesting #websecurity #appsec
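The server-side check that was missing in the post above, as an added example (not the post author's code and not elFinder's own connector code). It assumes the `<volume id>_<base64 path>` target layout the post shows and a tenant root of projects/prod/<tenant>; the function names are hypothetical. A connector that holds the bucket credentials should decode the target and refuse anything outside the caller's own tenant prefix before it touches the bucket.

```python
"""Tenant-scope check for elFinder-style targets (added example).

Assumes the "<volume id>_<base64 path>" layout from the post and a tenant
root of projects/prod/<tenant>. Function names are hypothetical.
"""
import base64
import binascii
import posixpath
from typing import Optional

VOLUME_ID = "flsproject_clientname1_s3_"  # volume id as shown in the post


def decode_target(target: str, volume_id: str = VOLUME_ID) -> Optional[str]:
    """Strip the known volume id and base64-decode the path part.

    Returns None when the target is for another volume or is not valid base64.
    """
    if not target.startswith(volume_id):
        return None
    tail = target[len(volume_id):]
    tail += "=" * (-len(tail) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(tail, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def path_in_tenant_scope(path: str, tenant: str, prefix: str = "projects/prod") -> bool:
    """True only if the normalized path is the tenant root or lives under it."""
    if not path or path.startswith("/") or "\x00" in path:
        return False
    root = posixpath.normpath(f"{prefix}/{tenant}")
    normalized = posixpath.normpath(path)
    # normpath folds "a/b/../c" into "a/c", so an escaping ".." lands outside root
    return normalized == root or normalized.startswith(root + "/")


def authorize_target(target: str, tenant: str) -> bool:
    """Decision the connector should make before using its bucket credentials."""
    path = decode_target(target)
    return path is not None and path_in_tenant_scope(path, tenant)


if __name__ == "__main__":
    own = VOLUME_ID + base64.b64encode(b"projects/prod/clientname").decode()
    parent = VOLUME_ID + base64.b64encode(b"projects/prod").decode()  # the parent dir
    for t in (own, parent):
        print(t, "->", "allow" if authorize_target(t, "clientname") else "deny")
```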
Pingiskok
Pingiskok@pingiskok·
@longlivedoma I think I'll get to this a bit later. Right now I'm working on another series that you should enjoy. But business logic is a veeeery broad topic, so I'll think about how to fit it into a series of articles.
Pingiskok
Pingiskok@pingiskok·
@xer0c @tributaryso This might be one of the best compliments I could have received. Glad it helped you!
xeroc
xeroc@xer0c·
@tributaryso's payment verification just got even more secure. This article had a few gems. Published yesterday. Security improvements 🚢'ed today x.com/pingiskok/stat… This is how we use it in Tributary: medium.com/@xeroc/accepting-recurring-solana-payments-in-react-without-losing-your-mind-652583e8c91d #buildinpublic
Pingiskok@pingiskok

Every JWT writeup online covers 2–3 attacks and stops. I got tired of jumping between 40 blog posts, so I wrote the whole thing. All in one place. rmrf.tips/en #infosec #appsec #bugbounty #websec #jwt

Pingiskok
Pingiskok@pingiskok·
@0a_yso I'd like to clarify that all the material is written from scratch. However, the information in it was gathered from public sources and my own experience.
yso
yso@0a_yso·
@pingiskok What did you use as a source? Your own experience or others' research?
Pingiskok
Pingiskok@pingiskok·
@0a_yso Of course, 90% of it is based on other people's research. And yes, it was my mistake not to cite the sources in the articles from the start. I'm planning to fix this in the upcoming updates to the articles.
Pingiskok
Pingiskok@pingiskok·
@RCristio93143 Thanks bro! Access control & business logic is a massive topic - hard to cover properly even in 20 posts, but I'll try to tackle it down the line. Right now I'm finishing another series that I think you'll really enjoy - stay tuned