How I was able to read Uber logs and internal emails.
Source: internet. Editor: 程序博客网. Time: 2024/05/20 05:06
http://blog.pentestnepal.tech/post/149985438982/how-i-was-able-to-read-uber-logs-and-internal
After the recent finding about an Uber subdomain takeover was released, I looked into Uber to find similar bugs. One of my colleagues pointed out that em.uber.com had a CNAME pointing to SendGrid and might be vulnerable to the same kind of issue. I had limited experience with SendGrid, so I decided to put it aside for a while, thinking it might not be vulnerable. Then one day I decided to give it a shot anyway, because looking at a website from different angles can sometimes open various doors. So I signed up on SendGrid to start seeing what I could do.
Based on the original hypothesis, I researched how to claim this domain through SendGrid. I could not edit the contents of the domain because that was beyond what SendGrid did, which was to manage email for a domain. There was an option called white label which would allow emails to be sent through a verified domain. I attempted to claim the domain. At the same time, I had forgotten my password for Uber, so I reset it. I realized that the reset email Uber had sent contained a reply address at @em.uber.com, so I knew that MX was being used somehow. A quick look at the MX records through dnsgoodies.com showed that MX was pointing to mx.sendgrid.net.
After I figured out that I could play around with MX, I started to research SendGrid's workflow in more detail. At the same time, unknowingly, I claimed em.uber.com in the Inbound Parse Webhook. My research showed that the Inbound Parse Webhook could be used as a medium for email interception. However, Uber had not claimed it, so I thought this was something I should focus on.
I looked around for an API and found a Python program written by SendGrid which could be used with the Inbound Parse Webhook. I edited the program to display the emails in my terminal, then ran the Python web application. The application was running on localhost:5000. I used ngrok to tunnel that to a public web address, because Inbound Parse required a receiver URL to which it could send the POST request.
Soon I was able to receive emails for em.uber.com. This was also true for all of its subdomains. One of them was www.uber.com, which was also used in their Sentry plugin. This allowed me to receive Sentry logs from www.uber.com because they were sent as email.
Uber was able to quickly fix the vulnerability and told me that they had also contacted SendGrid to see what they could do. SendGrid stated that the best option is for companies to claim the domain on their side.
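SendGrid's advice above, to claim every hostname on the provider side, is something a defender can audit from their own DNS zone: any MX or CNAME record that delegates mail handling to a third-party provider is a hostname that must be verified in that provider's console, or someone else can do it first. The script below is an added example, not code from the original post or from SendGrid. It parses zone-file style records (a constructed sample for the placeholder zone example.com, not Uber's), flags those pointing under sendgrid.net, and compares them with a constructed set of hostnames already claimed in the provider console; in practice that set would come from the provider's API or an internal inventory, and the provider suffix map would be extended to whatever services the organisation uses.

```python
from dataclasses import dataclass

# Mail providers whose hostname-bound features (inbound parse, white-label
# sending) must be claimed by the tenant in the provider console. SendGrid is
# the provider the post discusses; extend this map for other services in use.
PROVIDER_SUFFIXES = {
    "sendgrid.net": "SendGrid",
}

MAIL_TYPES = ("MX", "CNAME")


@dataclass(frozen=True)
class Record:
    name: str    # owner name, lowercased, no trailing dot
    rtype: str   # "MX" or "CNAME"
    target: str  # hostname the record points at, lowercased, no trailing dot


def _norm(host: str) -> str:
    return host.rstrip(".").lower()


def parse_zone_lines(lines):
    """Parse zone-file style lines, keeping only MX and CNAME records.
    Accepts both 'name TTL IN TYPE rdata' and 'name TYPE rdata'. The MX
    preference (the 10 in '10 mx.sendgrid.net.') is dropped because only
    the target host matters for this check."""
    records = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        tokens = line.split()
        rtype = next((t for t in tokens[1:] if t.upper() in MAIL_TYPES), None)
        if rtype is None or len(tokens) < 3:
            continue  # A, TXT, etc. are irrelevant to mail delegation
        records.append(Record(_norm(tokens[0]), rtype.upper(), _norm(tokens[-1])))
    return records


def provider_for(target: str):
    """Return the provider name if target sits under a known provider suffix."""
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return provider
    return None


def audit(records, claimed):
    """One finding per record that delegates mail handling to a third party.
    `claimed` is the set of hostnames already verified in the provider
    console; an unclaimed hostname is one an outsider could register."""
    claimed = {_norm(h) for h in claimed}
    findings = []
    for rec in records:
        provider = provider_for(rec.target)
        if provider is None:
            continue
        findings.append({
            "hostname": rec.name,
            "record": f"{rec.rtype} -> {rec.target}",
            "provider": provider,
            "claimed": rec.name in claimed,
        })
    return findings


def unclaimed_hostnames(records, claimed):
    """Only the hostnames that need action, sorted for stable output."""
    return sorted(f["hostname"] for f in audit(records, claimed) if not f["claimed"])


# Constructed sample zone fragment (example.com is a placeholder, not Uber's
# zone). em.example.com mirrors the shape of the post's finding: mail for the
# host is delegated to the provider but nobody has claimed it there.
SAMPLE_ZONE = """
; mail routing for example.com (constructed sample)
example.com.        3600 IN MX    10 mx.example.com.
em.example.com.      300 IN MX    10 mx.sendgrid.net.
link.example.com.    300 IN CNAME u1234.wl.sendgrid.net.
news.example.com.    300 IN MX    10 mx.sendgrid.net.
www.example.com.     300 IN A     192.0.2.10
""".splitlines()

# Hostnames already verified in the provider console (constructed).
CLAIMED = {"news.example.com"}

if __name__ == "__main__":
    for f in audit(parse_zone_lines(SAMPLE_ZONE), CLAIMED):
        status = "ok" if f["claimed"] else "UNCLAIMED"
        print(f"{status:9} {f['hostname']:20} {f['record']} ({f['provider']})")
```

Run against the sample, em.example.com and link.example.com come back UNCLAIMED while news.example.com passes. Because the post notes that a claim on a hostname also captured mail for all of its subdomains, the useful cadence for this check is whenever a new MX or CNAME pointing at a mail provider is added, not only when a domain is first onboarded.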
About 10 days after resolving the bug, Uber rewarded me with $10,000 for reporting it.
Also, at the time of writing, it has come to my notice that SendGrid has added extra verification which forces you to have a verified domain before adding an Inbound Parse Webhook, which was not the case before.
Check the attached video on how this whole thing went:
Attached image shows the list of domains I was able to add in the webhook.