Salesforce bug hunting to Critical bug
2022-8-15 19:36:5 Author: infosecwriteups.com

Or how I learned that some bugs are truly rare

Ah, yes, third party is 9 times out of 10 out of scope. But sometimes it's not. Sometimes it's very much in scope. Unlike Zendesk, Salesforce can be misconfigured by its clients or left in a default state that allows access to interesting data that was never meant to be publicly accessible.

The Bug

It's really simple (for a more complicated and in-depth analysis, check this article).

Low vs Critical

First, you have to find a subdomain that is running on Salesforce/Aura. It is usually help.target.com, support.target.com or community.target.com, but it can also be something random like state.target.com. In the case of a wide-scope program it's best to use nuclei with the Salesforce Aura module to automate the process, but sometimes a manual approach is necessary.

Second, after finding a Salesforce/Aura site, use Burp or even the Firefox/Chrome network inspector to find any POST request to the aura endpoint. You'll know you've found it when there's a message parameter in the body:

Final step, and this is where you learn whether the target is vulnerable or not: edit the message parameter by replacing its value with this (you don't even have to encode it):

If the result shows Success and an email address that is [email protected] or [email protected] or similar, congrats, you have most likely found a Low bug/P4.

But if it's showing either an email address that's [email protected], or null, or "Guest user isn't authorized", then they have properly configured that subdomain and you should move on.
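To make that three-way decision rule concrete from the defender's side, here is an added Python example (not from the original post) that classifies a captured Aura response body the way the write-up does, so an admin auditing their own site's guest profile can sort responses into "exposed" versus "properly configured". The JSON shape (an actions list carrying state, returnValue and error entries), the default_emails parameter and the sample bodies are assumptions; the post redacts the actual addresses.

```python
import json
import re

# Outcomes from the write-up's decision rule.
EXPOSED = "exposed"  # Success plus a non-default email address in the result
OK = "ok"            # null result, default address only, or "Guest user isn't authorized"
UNKNOWN = "unknown"  # body did not parse or matched neither outcome

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NOT_AUTH_RE = re.compile(r"(isn'?t|is not|not) authorized", re.IGNORECASE)


def classify_aura_response(body: str, default_emails=()) -> str:
    """Classify one captured Aura response body.

    Assumed (hypothetical) shape: {"actions": [{"state": "SUCCESS"|"ERROR",
    "returnValue": ..., "error": [{"message": "..."}]}]}. default_emails holds
    addresses the org treats as placeholder/default values, which the post
    says do not indicate exposure; they are therefore not counted.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return UNKNOWN
    if not isinstance(doc, dict):
        return UNKNOWN
    ignored = {d.lower() for d in default_emails}
    for action in doc.get("actions", []):
        state = str(action.get("state", "")).upper()
        if state == "ERROR":
            messages = " ".join(str(e.get("message", "")) for e in action.get("error", []))
            if NOT_AUTH_RE.search(messages):
                return OK
        elif state == "SUCCESS":
            value = action.get("returnValue")
            if value is None:
                return OK
            # Search the serialized return value for any email-looking string.
            found = {m.lower() for m in EMAIL_RE.findall(json.dumps(value))}
            return EXPOSED if found - ignored else OK
    return UNKNOWN


if __name__ == "__main__":
    # Constructed sample body, not a real capture.
    sample = '{"actions":[{"state":"SUCCESS","returnValue":{"Email":"jane.doe@example.org"}}]}'
    print(classify_aura_response(sample))  # → exposed
```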

The Low vs The Critical

There are plenty of Salesforce websites that have this low/P4 type of bug. It is quick and easy to test, but getting any bounty for it can be a process (so far, in my experience, the bounty for this one is between $50 and $150).

But then there's the medium, the high and the Critical, of which the Critical is the rarest breed.

The Big Stuff

The small stuff is simply getting User/UserProfile to return a non-default/non-null value, but the medium and the big stuff, those are truly interesting.

I'm referring to Content/ContentDocument and CollaborationGroup; just by their names these sound like they could hold something interesting, even critical. But one of them is more likely to disappoint, even when it seems to have a lot of stuff to investigate.

Content/ContentDocument

This one is where you can at first get super excited because it has a huge list of documents, but then you see they're .png or similar, with words like logo, brand, design, etc. Those suck. They have never been interesting in my experience. But when it's .doc, .pdf, etc., those are very much worth looking into. From my experience, I once found a lot of PDF documents with detailed bank invoices and, of course, a lot of PII. Fastest payout ever (less than 24 hours and $2K, and not a private program).

CollaborationGroup

Here's one where you can see how interesting it is straight from the response text. If it contains discussions about company plans, and names of employees and their positions at the company, it's already obvious how an attacker could abuse this. And most importantly, the BBP (bug bounty program) in question will know exactly how much they don't want that information to be accessible. Granted, in my experience it didn't reach Critical/P1, nor P2, but P3 pays well on good BBPs.

The important thing here, especially if you're trying to do bug hunting as a full-time job/single source of income, is understanding what a BBP considers out-of-scope third party. If it's something they can configure themselves to be better secured, that most likely means it's an exception. And while P3 doesn't pay as well as P1/P2, it does tend to be 4-5 times more than P4 (obviously, it depends on the BBP).



Article source: https://infosecwriteups.com/salesforce-bug-hunting-to-critical-bug-b5da44789d3?source=rss----7b722bfd1b8d--bug_bounty