Scope-creeping doesn’t always end up in a 0-day with a CVE assigned, and this was the fortune of Detectify Crowdsource hacker, Özgür Alp. He is an ethical hacker with 7+ years experience, well certified within offensive security and also high ranked on hacker leaderboards. Here is his success story on how he, with the help of the Detectify Crowdsource team, turned an open redirect into a public disclosed vulnerability known as CVE-2020-1323.
Discovery
While hunting on a private bug bounty program for low-hanging security vulnerabilities on my regular daily job, I found an endpoint called appredirect.aspx
having redirect_uri
parameter on it with the value https://appdomain.com/validpath.aspx
. It is a perfect case for an experienced bug hunter to check whether an open redirect attack is possible when you have a parameter, including “redirect” in it with the application URL.
I quickly fuzzed the parameter with the custom generated open redirect lists. While the endpoint had some security measures on it, it was possible to bypass these controls within one kind of payload; hence it was vulnerable to open redirect attacks.
I quickly reported the bug and got the bounty of $200 from that platform, but I didn’t think I was finished with this vulnerability yet continued testing further.
Trial and Error with Obstacles
Later on, within my further testing I noticed that the vulnerable application uses Microsoft Sharepoint as a content management system, a conventional technology used by Enterprises. Since this is a widely used software, I thought that more things could come from here.
At first, I visited the Microsoft Security Response Center to check whether it is eligible for a bounty. One of the items stated as an out-of-scope (OOS) submissions section is URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability).
Since regular open redirects were out-of-scope, I returned to the vulnerability to chain it within another misconfiguration to raise impact; however, I was unsuccessful. I also found a few different instances of the same vulnerability on various programs & reported them; however, their count was also not too much due to several reasons:
- The endpoint was not existing or returning forbidden on some of the Sharepoint instances.
- For full exploitation, additional information named
client_id
should be known if the endpoint was not used directly at that instance, which was a little bit hard because no generic endpoints were existing for enumeratingclient_id
information directly.
But before I decided to give up on it completely, I reported it to Detectify since their bug bounty platform accepts open redirect reports regardless of the vendor. From there, things escalated.
Diving into the complexity
Now, things started to get complicated here. Since it was a not patched bug from Microsoft, I reported this as a 0-day on the Detectify Crowdsource platform. My proof-of-concept report was accepted and developed into a live module, which meant the Crowdsource team validated the payload. However, the 0-day mark was removed, which I didn’t question at first and didn’t think more of until I got a message over Twitter, “I saw your name in Detectify for the Sharepoint open redirect, are you willing to share?”
This message got me thinking about whether it is ethical to share it publicly or not without informing the Microsoft team. Since I believe in knowledge-sharing in the community, I had to double-check the status with Detectify and whether it was available for disclosure.
When I returned to the Detectify Crowdsource team, we found out that a bug in my submission accidentally removed the 0-day mark with automation on the backend – good thing I followed-up! Even though it was deemed out of scope by Microsoft, and therefore not considered severe, it still made for an exciting turn of events. The team quickly removed the module from the production system, marked it as 0-day again, and started coordinating responsible disclosure between Microsoft and myself.
After 45 days, the period of patching/responding time Detectify Crowdsource gives to vendors for the 0-day reports, the module was live in the Detectify scanner and available to all their users again.
Fortune strikes back
After a while, Microsoft didn’t change their stance on this vulnerability being out of scope one since URL redirects are considered low impact. This was the expected result and was why I didn’t report it to them directly in the first place.
However, after two months passed, the Detectify Crowdsource team followed up with my report. They were able to work together with Microsoft to get the bug patched AND assigned with a CVE as CVE-2020-1323 making this eligible for future bounty payouts. Because of this, I also was recognized in the June Hall of Fame.
Persistence and Collaboration pays off
While it was surprising, it was also very pleasing that Microsoft changed its decision. I thought that the bounty would probably not be much (a few bucks?) since it is a low impact one, but still, anything is better than nothing, right?
This expectation also changed after two weeks when Detectify Crowdsource contacted me again for Microsoft’s bounty decision, which was $1200 in total! It was a shocking moment since my expectations were low, and the bounty was satisfying. The team also let me know since Microsoft patched the report, now the submission is eligible for the 0-day bonus from Crowdsource too!
Thanks to Detectify Crowdsource’s professionalism and advocacy for bug hunters and making the internet safer, I got a nice reward and name on a hall of fame.
Technical details
For the ones who curious about the vulnerability details, here they come:
- On the Sharepoint instances, there is an endpoint that exists as
/_layouts/15/appredirect.aspx
with the parameterredirect_uri
. While security controls exist for this parameter, which does not allow conventional payloads such ashttps://maliciousdomain.com
, it is possible to bypass this security control with the payloadhttps://whitelisteddomain.com%23%40maliciousdomain.com
. - Please note that a valid
client_id
parameter should also be used on the link for full exploitation, which could be gathered within crawling application pages when noticed it is a Sharepoint instance. - Since there is no endpoint exist which enumerates the
client_id
parameter for the endpoint, exploitation seems impossible without finding valid redirection endpoints withappredirect.aspx
endpoint. - Searching
appredirect.aspx inurl:redirect_uri
dork in Google may return vulnerable endpoints.
Remediation techniques
For those curious about open redirect remediation, here come the protection controls below:
- If redirects are conducted on the same domain, instead of redirecting only URLs/paths such as
/page.aspx
, application domain name could be added as prefix such ashttps://appdomain.com/page.aspx
no matter what the redirected payload is. - If redirects are conducted on the different domains, redirected domains should be checked on the backend for whether it is malicious or not.
- Different redirection behaviors for the various web browsers should be analyzed, and different bypass techniques should be avoided. A good list of payloads including bypasses is: https://raw.githubusercontent.com/cujanovic/Open-Redirect-Payloads/master/Open-Redirect-payloads.txt
Timeline:
27 Jan: Discovered the vulnerability and reported it on a private program
31 Jan: Submitted the report to Detectify
5 Feb: Module set as live at Detectify
13 Feb: Got message from Twitter
13 Feb: Module removed from Detectify and team contacted with Microsoft
26 Mar: Microsoft rejected the report as out-of-scope
1 Apr: Module set as live again at Detectify after 45 days
12 Jun: Microsoft confirms they patched the vulnerability and assigned CVE
24 Jun: Microsoft awarded the bounty
Written by:
Özgür Alp (@ozgur_bbh)
Özgür Alp has 7+ years experience in offensive cyber security specialist holding OSCP, OSWE and CEH certificates. He’s reported over 1000 critical & high & medium level vulnerabilities to the various platforms through his work as a consultant and bug bounty hobby. He is also an instructor on the subjects of offensive security. Currently holding on top 5 rank at all time statistics at one of the biggest bug bounty platforms in terms of both most accepted vulnerabilities/earned payouts.
Get in touch with Ozgur:
Linkedin: https://www.linkedin.com/in/ozguralp/
Twitter: https://twitter.com/ozgur_bbh
Blog: https://medium.com/@ozguralp
How can Detectify help?
Detectify works with highly skilled ethical hackers like Özgür Alp to crowdsource the most up-to-date security research. If you’re running Sharepoint, check to see if you have a vulnerable instance and 2000+ other known vulnerability with a start of a Detectify scan. Begin your 14-day free trial today.