Hello there, Few days ago I've reported vulnerabilities to an external program called optiCutter:
The flaws that I've found were:
- Full response Server Side request forgery on www.screenshotmachine.com
- Full account takeover via a CSRF on www.opticutter.com
- Full account takeover via a CSRF on www.screenshotmachine.com
- CSRF in editing the API key for www.screenshotmachine.com which allowed me to add my API key to premium accounts and use they're premium API access using my API key.
- A site wide CSRF on test.opticutter.com www.opticutter.com and screenshotmachine.com including its subdomains which resulted in bugs with various severity from account takeovers to editing and adding new projects.
The company response:
Basically they said that CSRFs are not an issue as the user has to be logged in and they offered 20€ as a payment:
And when they were asked about CVSS this was their answer:
Anyways I refused to take the 20€ and stopped testing as it wasn't worth it, usually when I am hunting on an external program I would provide a detailed report for non technical readers including a Video poc and the PoC code to make my bugs easy to reproduce no matter what background the reader has.
In fact I could have kept reporting issues for free if they nicely asked. But the way they tried to lower the severity even tho it wasn't low it was pretty much a red flag to stop putting hours in and moving to the next target.
CSRF PoC:
As I mentioned before the whole web apps including subdomains were vulnerable, so I'll provide one poc but the same exploit can be applied to every single endpoint on the target:
Scenario: No csrf token was set in place, the requests content type is form url encoded which can be sent in cross site requests, there was no same site attribute to prevent sending the cookies in a cross site request.
poc:
SSRF PoC:
www.screenshotmachine.com has a screenshot feature that you can feed it a url and it would respond with a screenshot to you, apparently to prevent SSRFs they blacklisted 127.0.0.1 127.1 and IPv6 versions of localhost but somehow they totally forgot that 0 and 0.0.0.0 are valid localhost IPs, Basically this was very straight forward bug you can control the URL schema the host and the port fields of the URL
This was the vulnerable request
By feeding http://0:80 to the url parameter you'll get a successful response with the screenshot URL path in it, If you request that path you'll be presented with the screenshot.
As I mentioned before the URL schema is also controllable so your imagination is the limit when it comes to exploiting this behavior.
Takeaways:
- It can be hard to hunt on bug bounty platforms such as Hackerone Bc etc ... considering the amount of competition and how your bugs severity gets lowered in some cases, but shit happens, I came to a point where I started to appreciate how safe it is to do bug bounty on a platform.
- If you're willing to put the time in an external program, ask for recommendations from other bug hunters, in my case I didn't and I literally kept finding bugs at every step I do, I wasn't expecting a 4 digits reward, as I knew it's a small business but I also didn't expect to get scammed either.
If by any chance you're a client of optiCutter I hope that by now you came to realize that your information and data is worth 20€ to them.
Have nice day everyone...
