- Subdomain enumeration to identify services run by Facebook
- RTFM for third party services
- Download and decompile Java source code
  - Look for unauthenticated services
  - Look for SSRF vulnerabilities (e.g., http or https references)
- Combine vulnerabilities between systems
My expense report resulted in a server side request forgery on Lyft
- PDF generators are notorious for SSRF
- Test generators with simple HTML tags
- Read the code; search for HTML tags which take a URL attribute
- Validate your payloads if things aren't firing
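The last three notes describe the same defensive check from the generator's side: find every HTML attribute that carries a URL and decide whether the PDF renderer should be allowed to fetch it. The following is an added example, not code from the notes or from Lyft; the tag/attribute list, the `pdf-host.example` base, the allowlist and the sample HTML are all assumptions constructed for the demo.

```javascript
// Added example: audit the URL-bearing attributes in HTML submitted to a
// server-side PDF generator and flag anything the renderer must not fetch.
// Base URL, allowlist and sample HTML are constructed for this demo.

const BASE = "https://pdf-host.example/";                       // assumed origin of the generator
const ALLOWED_HOSTS = new Set(["pdf-host.example", "cdn.example"]); // assumed fetch allowlist

// Attributes whose value a renderer will follow. `(?<![\w-])` keeps `data-href`
// style attributes from matching as `href`.
const URL_ATTRS = /(?<![\w-])(src|href|data|action|poster|background)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const TAG = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;

// Literal loopback / RFC 1918 / link-local hosts. This checks the literal only;
// a name that resolves to an internal address needs a resolver-level check
// (resolve, verify the IP, then pin it for the fetch) to cover DNS tricks.
function isPrivateHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h === "::1" || h === "0.0.0.0") return true;
  const m = h.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return h.endsWith(".localhost");
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Enumerate every tag/attribute pair that carries a URL, in document order.
function findUrlAttributes(html) {
  const found = [];
  for (const tag of html.matchAll(TAG)) {
    for (const attr of tag[2].matchAll(URL_ATTRS)) {
      const raw = (attr[2] ?? attr[3] ?? attr[4] ?? "").trim();
      found.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(), url: raw });
    }
  }
  return found;
}

// Resolve the value against the generator's origin (relative and protocol-relative
// URLs included) and classify it.
function classifyUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try { url = new URL(raw, BASE); } catch { return "unparseable"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "blocked-scheme"; // file:, data:, etc.
  if (isPrivateHost(url.hostname)) return "blocked-internal";
  if (!allowedHosts.has(url.hostname)) return "blocked-host";
  return "allowed";
}

function auditHtml(html, allowedHosts = ALLOWED_HOSTS) {
  return findUrlAttributes(html).map(f => ({ ...f, verdict: classifyUrl(f.url, allowedHosts) }));
}

// Constructed sample of a user-supplied report body (not from the notes).
const SAMPLE_HTML = `
<h1>Expense report</h1>
<img src="/logo.png">
<img src="https://cdn.example/receipt.png">
<iframe src="http://127.0.0.1/"></iframe>
<img src='http://10.1.2.3/internal'>
<link rel="stylesheet" href="file:///tmp/report.css">
<object data=https://evil.example/x.svg></object>
<div data-href="ignored"></div>
`;

for (const f of auditHtml(SAMPLE_HTML)) console.log(f.tag, f.attr, f.url, "=>", f.verdict);
```

Running the audit on the sample prints one line per URL attribute: the two in-scope images are allowed, the loopback iframe and the 10.x image are blocked as internal, the `file:` stylesheet is blocked on scheme, the `object` pointing at an unlisted host is blocked on host, and the `data-href` attribute is not treated as a URL attribute at all. In a real generator the "blocked" verdicts would strip the attribute (or reject the document) before rendering.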
Prototype Pollution and Bypassing Client Side HTML Sanitizers
- Prototype pollution (PP) is similar to an old Rails render bug; it works up the call stack
- Exploit PP by defining properties on `__proto__` which don't exist; JS keeps following `__proto__` up the prototype chain until it reaches null
- Setting a parameter to `{ __proto__ : 123 }` won't work; using `JSON.parse` will
- Polluting arrays won't work because you can't pollute length or indices
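The three notes above are easier to see running than to reason about. The following is an added example, not code from the talk or the notes: a deliberately unsafe recursive merge of the kind prototype pollution abuses, the same merge hardened, and small demos showing why an object-literal `__proto__` does nothing, why a `JSON.parse` payload reaches `Object.prototype`, and why an array's `length` is untouched. Function names and payloads are constructed for the demo.

```javascript
// Added example (not from the original notes). Shows the mechanism behind the
// three prototype pollution notes and a hardened merge that blocks it.

// Unsafe deep merge, the pattern PP exploits: every key of `src`, including one
// literally named "__proto__", is copied into `dst`, recursing into objects.
function unsafeMerge(dst, src) {
  for (const key in src) {
    if (typeof src[key] === "object" && src[key] !== null) {
      // dst["__proto__"] on a plain object is Object.prototype, so the recursion lands there.
      if (typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      unsafeMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened merge: own keys only, and the keys that reach the prototype chain are skipped.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (typeof val === "object" && val !== null) {
      if (!Object.hasOwn(dst, key) || typeof dst[key] !== "object" || dst[key] === null) dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Object-literal syntax: `__proto__` sets the new object's prototype instead of
// creating an own key, so there is nothing named "__proto__" for the merge to copy.
function demoLiteral() {
  const payload = { __proto__: { polluted: "literal" } };
  unsafeMerge({}, payload);
  return ({}).polluted;                    // undefined: Object.prototype untouched
}

// JSON.parse creates an own data property named "__proto__", which the unsafe
// merge follows straight into Object.prototype.
function demoJsonParse() {
  const payload = JSON.parse('{"__proto__": {"polluted": "json"}}');
  unsafeMerge({}, payload);
  const leaked = ({}).polluted;            // "json": every plain object now inherits it
  delete Object.prototype.polluted;        // clean up so the rest of the process is unaffected
  return leaked;
}

// Arrays carry their own `length`, so a polluted Object.prototype.length is shadowed.
function demoArrayLength() {
  unsafeMerge({}, JSON.parse('{"__proto__": {"length": 99}}'));
  const len = [].length;                   // still 0
  delete Object.prototype.length;
  return len;
}

// The hardened merge keeps the legitimate key and drops the polluting one.
function demoSafeMerge() {
  const payload = JSON.parse('{"__proto__": {"polluted": "json"}, "name": "ok"}');
  const out = safeMerge({}, payload);
  return [out.name, ({}).polluted, Object.hasOwn(out, "__proto__")]; // ["ok", undefined, false]
}

console.log(demoLiteral(), demoJsonParse(), demoArrayLength(), demoSafeMerge());
```

The same `__proto__` string behaves differently depending on how the object was built, which is exactly why the note says a literal won't work but `JSON.parse` will: parsers and query-string decoders create own keys, literals do not. Deny-listing `__proto__`, `constructor` and `prototype` in the merge (or building merge targets with `Object.create(null)`) is the usual fix on the defending side.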
- When hacking, include calls to external third party sites so as to monitor for integrations
- Review any third party integration to confirm functionality the in scope target is relying on
- Consider how the two applications may communicate and whether a vulnerability in the third party can affect the in scope property (in this case, replacing an existing PHPSESSID)
- Set a goal and focus on achieving that; in this case, accessing private YouTube videos
- Blindly modifying IDs is repetitive and boring
- Look for opportunities where two systems talk to each other; they may not respect access control boundaries
- Develop a full proof of concept to demonstrate impact; it'll help sell your case