A Google Groups authorization bypass (US $500)

Posted by lipsius at 2020-02-27

Recently I have been testing Google's services, looking everywhere for security holes, and I finally found some very interesting ones. The whole process of hunting for them felt like riding a roller coaster: happy when a vulnerability turned up, deflated when it was rejected. In this article I will walk through a simple but interesting Google Groups authorization bypass, which earned me a $500 reward.

First, GWT (Google Web Toolkit)

Have you heard of Google Web Toolkit (GWT)? I have to admit that although this is not new technology (in fact it first appeared in 2006 and has been open source since its early releases), I had never really touched it before I started testing Google's services.

Google Web Toolkit

From Baidu Baike: Google Web Toolkit (GWT) is a toolkit that lets developers use the Java programming language to quickly build and maintain complex, high-performance JavaScript front-end applications, reducing development difficulty. With GWT you write the Ajax front end in Java, and GWT cross-compiles it into optimized JavaScript.

When you first see GWT's HTTP requests they look very different from ordinary ones; at first glance they even look like garbage. An example request looked like this:

Fortunately there is now a fair amount of published research on GWT security, so I could roughly work out what some of the requests meant.

Class enumeration

Now let's look at Google Groups. If you have never used the service, you can think of it simply as a forum platform: you can create your own forum or group, invite participants to discuss topics, manage the group's permissions, and decide who can view or update the different parts of a group. And, as you might expect, Google Groups is built with GWT.

In general, when I test GWT requests I don't tamper with the framing of the request (the numbers separated by pipe characters at the beginning and the end of the body); I test the parameters in between instead.

I quickly found a sensitive parameter. In the following GWT request, the boxed number selects a specific class on the server side:

The number '4' points to the 'abstractsearchkey' class

The number '8' points to the 'shared.Category' class

So I used Burp to brute-force the names of all the classes:
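To make the request format concrete, here is an added example (not code from the original post, and not Google's own interface) that decodes a standard GWT-RPC request body, resolves the pipe-separated integer references at the end of the body back to the string table they index, flags which strings are Java type tokens, and generates the kind of mutated bodies used for the class enumeration described above. The payload, service name, method, types and the 'GroupKey' parameter are all constructed for illustration; Google's internal services may use a variant of the wire format, so treat the layout as the open-source GWT-RPC version 7 encoding only.

```python
"""Decode a GWT-RPC request body and generate class-enumeration variants.

Added example, not from the original post. The SAMPLE payload, service,
method and type names are hypothetical, NOT Google Groups' real interface.
"""
import re

# Constructed GWT-RPC v7 body. Pipe-separated fields:
#   version | flags | string-table size | strings... | integer references... |
# References are 1-based indexes into the string table; 0 means null.
SAMPLE = (
    "7|0|8|"
    "https://app.example.com/groups/|"                   # 1: module base URL
    "A1B2C3D4E5F60718293A4B5C6D7E8F90|"                  # 2: policy strong name
    "com.example.groups.client.GroupService|"            # 3: service interface
    "getGroupInfo|"                                      # 4: method name
    "com.example.groups.shared.GroupKey/1234567890|"     # 5: parameter type token
    "com.example.groups.shared.Category/987654321|"      # 6: another type token
    "test test test|"                                    # 7: a string value
    "java.lang.String/2004016611|"                       # 8: type token
    "1|2|3|4|1|5|5|7|"  # module, strong name, service, method, 1 param, type, value
)

# Inside the string table GWT escapes '\' as '\\' and '|' as '\!', so a
# naive split on '|' is safe but each string must be unescaped afterwards.
_TYPE_TOKEN = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*/-?\d+")


def _unescape(s: str) -> str:
    """Single-pass decode of the GWT string-table escapes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("|" if s[i + 1] == "!" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\!")


def parse_gwt_rpc(body: str) -> dict:
    """Split a GWT-RPC body into version, flags, string table and references."""
    if not body.endswith("|"):
        raise ValueError("GWT-RPC body must end with '|'")
    fields = body[:-1].split("|")
    version, flags, count = int(fields[0]), int(fields[1]), int(fields[2])
    strings = [_unescape(s) for s in fields[3:3 + count]]
    if len(strings) != count:
        raise ValueError("string table truncated")
    refs = [int(x) for x in fields[3 + count:]]
    return {"version": version, "flags": flags, "strings": strings, "refs": refs}


def serialize(req: dict) -> str:
    parts = [str(req["version"]), str(req["flags"]), str(len(req["strings"]))]
    parts += [_escape(s) for s in req["strings"]]
    parts += [str(r) for r in req["refs"]]
    return "|".join(parts) + "|"


def resolve(req: dict, ref: int):
    """Map one integer reference to its string (0 is GWT's null)."""
    if ref == 0:
        return None
    return req["strings"][ref - 1]  # IndexError on a dangling reference is intended


def describe_call(req: dict) -> dict:
    """Interpret the fixed header references: which service/method is being called."""
    refs = req["refs"]
    module, strong_name, service, method = (resolve(req, r) for r in refs[:4])
    nparams = refs[4]
    return {
        "module": module, "strong_name": strong_name,
        "service": service, "method": method,
        "param_types": [resolve(req, r) for r in refs[5:5 + nparams]],
        "values": refs[5 + nparams:],
    }


def type_token_refs(req: dict) -> list:
    """Positions in the reference list that currently select a Java type."""
    return [i for i, r in enumerate(req["refs"])
            if r and _TYPE_TOKEN.fullmatch(resolve(req, r))]


def retarget(req: dict, ref_pos: int, replacement: str) -> dict:
    """Append a candidate string and point reference ref_pos at it."""
    new = {"version": req["version"], "flags": req["flags"],
           "strings": list(req["strings"]) + [replacement],
           "refs": list(req["refs"])}
    new["refs"][ref_pos] = len(new["strings"])
    return new


def enumerate_variants(body: str, ref_pos: int, candidates: list) -> list:
    """One mutated body per candidate class token, ready to replay (e.g. from Burp)."""
    req = parse_gwt_rpc(body)
    return [serialize(retarget(req, ref_pos, c)) for c in candidates]
```

A server that does not recognise a type token usually answers with a deserialization or IncompatibleRemoteServiceException error rather than a normal response, and that difference in responses is what a brute-force over candidate class names keys on; the signature after the slash is checked against the server's serialization policy, so guessing a name alone is normally enough to learn whether the class exists, not to deserialize into it.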

Although this is not a serious security problem in itself (I reported it to Google, who rated it "low-risk"), it motivated me to keep going: there had to be security flaws somewhere in the GWT implementation of Google Groups.

Viewing other groups' data

Again I went through all the captured GWT requests, and found that a string in one of them was the name of the test group I had created:

Yes, "test test..." is the best name I could think of.

The response to this request contains the group's basic information, such as its email address, subject and description. Fine, but can I only view information for groups I created myself?

I quickly created a new group with my second Google account (setting every permission to "private", meaning only invited users may view any of the group's content), and then used my first account to query the new group's information. I could see some of its sensitive information, and had found an authorization bypass:

Data set to "private" can be seen even by non-members
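The two-account test above is easy to turn into a repeatable check. The following added example (not from the original post or from Google; the toy group service, its membership rules and the sample groups are hypothetical) runs the same probe offline against a lookup that hands out metadata to anyone, and against a version that releases a private group's email and description only to members and otherwise answers exactly as it would for a group that does not exist, so non-members cannot even confirm the group's name.

```python
"""Replay the post's two-account authorization check against a toy group service.

Added example, not from the original post or from Google. Group, the two
services and the sample data below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    email: str
    description: str
    private: bool
    members: set = field(default_factory=set)


class LeakyGroupService:
    """Looks a group up by name and returns its metadata regardless of who asks."""

    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}

    def get_group_info(self, requester: str, name: str):
        g = self.groups.get(name)
        if g is None:
            return None
        # Bug being demonstrated: 'private' is never consulted.
        return {"email": g.email, "description": g.description}


class GatedGroupService(LeakyGroupService):
    """Same lookup, but a private group's metadata goes only to its members.

    A non-member gets the same answer as for a non-existent group, so the
    endpoint is neither a data leak nor an oracle for which private groups exist.
    """

    def get_group_info(self, requester: str, name: str):
        g = self.groups.get(name)
        if g is None or (g.private and requester not in g.members):
            return None
        return {"email": g.email, "description": g.description}


def idor_probe(service, owner: str, outsider: str, name: str) -> dict:
    """The post's check: compare what the owner sees with what an uninvolved account sees."""
    as_owner = service.get_group_info(owner, name) or {}
    as_outsider = service.get_group_info(outsider, name) or {}
    leaked = sorted(k for k, v in as_outsider.items() if as_owner.get(k) == v)
    return {"owner_view": as_owner, "outsider_view": as_outsider, "leaked_fields": leaked}


# Constructed sample data: a private group owned by the second account, and a public one.
GROUPS = [
    Group("test test test", "test-test-test@groups.example.com",
          "Private test group", private=True, members={"account2@example.com"}),
    Group("open-discussion", "open-discussion@groups.example.com",
          "Anyone may read", private=False, members={"account2@example.com"}),
]
OWNER, OUTSIDER = "account2@example.com", "account1@example.com"


def leaky_result(name="test test test") -> dict:
    return idor_probe(LeakyGroupService(GROUPS), OWNER, OUTSIDER, name)


def gated_result(name="test test test") -> dict:
    return idor_probe(GatedGroupService(GROUPS), OWNER, OUTSIDER, name)
```

For a live target the same probe is run with two authenticated sessions against the captured request, varying only the session cookies; any field whose value matches between the member's view and the outsider's view of a private group is a finding.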

Unfortunately I could not see the members' conversations, only the group's email address and description. Still, this was the first vulnerability I had found in a GWT application, and it suggests that GWT applications suffer from the same classes of vulnerability as applications built any other way.


This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇. Source: