Reviewing HackerOne report [297803: [crm.unikrn.com] Open Redirect]

I read the following HackerOne report.

Category: Open Redirect


The report includes a curl session as the PoC, and you can see that the very first HTTP request is answered with a redirect.

< HTTP/1.1 302 Moved Temporarily
< Date: Thu, 14 Dec 2017 09:06:08 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Location: https://crm.unikrn.com//example.com/
< Server: cloudflare-nginx
< CF-RAY: 3cd0016601fb853e-HKG
<
* Ignoring the response-body
* Connection #0 to host crm.unikrn.com left intact
* Issue another request to this URL: 'https://crm.unikrn.com//example.com/'
* Trying 104.20.9.41...
* TCP_NODELAY set
* Connected to crm.unikrn.com (104.20.9.41) port 443 (#1)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.unikrn.com
* Server certificate: RapidSSL SHA256 CA - G2
* Server certificate: GeoTrust Primary Certification Authority - G3
> GET //example.com/ HTTP/1.1
> Host: crm.unikrn.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 14 Dec 2017 09:06:13 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d42e68e619766e93f4ba615c19abf9eef1513242372; expires=Fri, 14-Dec-18 09:06:12 GMT; path=/; domain=.unikrn.com; HttpOnly
< X-Powered-By: PHP/7.0.24
< Set-Cookie: 839f76f7dca1d4c71482f5436e1aba22=3a92cdc4ad916ccb96391468d2ad7eda; path=/; HttpOnly
< Cache-Control: no-cache
< Location: //example.com
< Server: cloudflare-nginx
< CF-RAY: 3cd001795f3884a2-HKG
<
* Ignoring the response-body
* Connection #1 to host crm.unikrn.com left intact
* Issue another request to this URL: 'https://example.com'
* Rebuilt URL to: https://example.com/
* Trying 93.184.216.34...
* TCP_NODELAY set
* Connected to example.com (93.184.216.34) port 443 (#2)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: www.example.org
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> GET / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: max-age=604800
< Content-Type: text/html
< Date: Thu, 14 Dec 2017 09:06:13 GMT
< Etag: "359670651"
< Expires: Thu, 21 Dec 2017 09:06:13 GMT
< Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
< Server: ECS (rhv/818F)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1270

 

As a result, the chain ends at example.com, which answers with status code 200.

 

Running the same request under the same conditions today gives the following.

syachineko@LAPTOP-MEPUFLGT:~$ curl http://crm.unikrn.com//example.com/ -L -v
* Trying 104.18.27.15:80...
* Connected to crm.unikrn.com (104.18.27.15) port 80 (#0)
> GET //example.com/ HTTP/1.1
> Host: crm.unikrn.com
> User-Agent: curl/7.72.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 22 Oct 2020 05:46:23 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Thu, 22 Oct 2020 06:46:23 GMT
< Location: https://crm.unikrn.com//example.com/
< cf-request-id: 05f071267c00000af0571c5000000001
< Server: cloudflare
< CF-RAY: 5e60eaea68450af0-NRT
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Ignoring the response-body
* Connection #0 to host crm.unikrn.com left intact
* Issue another request to this URL: 'https://crm.unikrn.com//example.com/'
* Trying 104.18.27.15:443...
* Connected to crm.unikrn.com (104.18.27.15) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=unikrn.com
* start date: Jul 1 00:00:00 2020 GMT
* expire date: Jul 1 12:00:00 2021 GMT
* subjectAltName: host "crm.unikrn.com" matched cert's "*.unikrn.com"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x560106363410)
> GET //example.com/ HTTP/2
> Host: crm.unikrn.com
> user-agent: curl/7.72.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 302
< date: Thu, 22 Oct 2020 05:46:23 GMT
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< location: https://crm.unikrn.com/
< cf-request-id: 05f07126e90000a516271bb000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5e60eaeb0883a516-NRT
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Connection #1 to host crm.unikrn.com left intact
* Issue another request to this URL: 'https://crm.unikrn.com/'
* Found bundle for host crm.unikrn.com: 0x56010635c040 [can multiplex]
* Re-using existing connection! (#1) with host crm.unikrn.com
* Connected to crm.unikrn.com (104.18.27.15) port 443 (#1)
* Using Stream ID: 3 (easy handle 0x560106363410)
> GET / HTTP/2
> Host: crm.unikrn.com
> user-agent: curl/7.72.0
> accept: */*
>
< HTTP/2 200
< date: Thu, 22 Oct 2020 05:46:24 GMT
< content-type: application/json
< content-length: 38
< set-cookie: __cfduid=d80c1246f199dd2b0318281ad07d77bb61603345583; expires=Sat, 21-Nov-20 05:46:23 GMT; path=/; domain=.unikrn.com; HttpOnly; SameSite=Lax; Secure
< cf-cache-status: DYNAMIC
< cf-request-id: 05f07127090000a51613084000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5e60eaeb48a5a516-NRT
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
<
* Connection #1 to host crm.unikrn.com left intact

 

As in the report, the first HTTP request is still answered with a redirect (now a 301 instead of a 302) to

Location: https://crm.unikrn.com//example.com/

so that first hop is unchanged. The difference is the second hop: the request for //example.com/ on crm.unikrn.com now returns a 302 with Location: https://crm.unikrn.com/ instead of a 301 with Location: //example.com.

The next GET therefore goes to Host: crm.unikrn.com again, lands on the site's own root with a 200, and the redirect to example.com no longer happens.

 

Incidentally, the URL above already returned a redirect with a plain curl, before adding -L.

From now on, when I come across a site that redirects, I will try the same double-slash check.

 

While experimenting with curl I also noticed that a URL of the form

https://crm.unikrn.com@example.com/

makes curl send the request straight to example.com.

Is that by design? It is: in a URL, everything in the authority before the @ is userinfo (RFC 3986, section 3.2.1), so the host here is example.com and crm.unikrn.com is treated as a username. This is why a redirect filter that only checks whether the target starts with the site's own hostname can be bypassed.
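To make the two behaviours concrete, here is a small Python script I added for this post (it is not code from the HackerOne report or from unikrn). It resolves each Location header against the requested URL the way curl -L does, using constructed redirect chains modelled on the two curl sessions above rather than live traffic, shows which host a client actually connects to for the `@` form, and includes an allow-list style `is_safe_redirect` check that rejects the `//example.com`, backslash and userinfo variants. The chain dictionaries, the `REPORT_2017`/`RECHECK_2020` names and `allowed_host` are my own assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect chains modelled on the two curl sessions quoted above.
# They are hand-written dicts (request URL -> Location header, None = final 200),
# not captured traffic; the labels "2017"/"2020" are assumptions for this example.
REPORT_2017 = {
    "http://crm.unikrn.com//example.com/": "https://crm.unikrn.com//example.com/",
    "https://crm.unikrn.com//example.com/": "//example.com",
    "https://example.com": None,
}
RECHECK_2020 = {
    "http://crm.unikrn.com//example.com/": "https://crm.unikrn.com//example.com/",
    "https://crm.unikrn.com//example.com/": "https://crm.unikrn.com/",
    "https://crm.unikrn.com/": None,
}


def follow(start, responses, max_hops=10):
    """Resolve each Location against the URL that was requested, the way
    curl -L does (RFC 3986 reference resolution), and return the URLs visited.
    A scheme-relative Location such as "//example.com" keeps the scheme but
    replaces the host, which is exactly the open redirect in the report."""
    visited = [start]
    url = start
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return visited
        url = urljoin(url, location)
        visited.append(url)
    raise RuntimeError("too many redirects")


def effective_host(url):
    """Host a client will actually connect to. For
    'https://crm.unikrn.com@example.com/' the part before '@' is userinfo,
    so the host is example.com, not crm.unikrn.com."""
    return urlsplit(url).hostname


def is_safe_redirect(target, allowed_host):
    """Allow-list check for a redirect target: accept a same-site path or an
    absolute http(s) URL whose host is exactly allowed_host, nothing else."""
    if not target:
        return False
    # Browsers turn backslashes into slashes and tolerate some control
    # characters; rather than model that, reject them outright.
    if any(c in target for c in "\\\x00\t\r\n "):
        return False
    # "//example.com" is a scheme-relative URL, not a path; it leaves the site.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")  # plain absolute path, stays on this origin
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return False  # the "https://crm.unikrn.com@example.com/" trick
    return parts.hostname == allowed_host


if __name__ == "__main__":
    for name, chain in (("report", REPORT_2017), ("recheck", RECHECK_2020)):
        print(name, " -> ".join(follow("http://crm.unikrn.com//example.com/", chain)))
    for t in ("/dashboard", "//example.com", "https://crm.unikrn.com@example.com/"):
        print(f"{t!r}: host={effective_host(t)} safe={is_safe_redirect(t, 'crm.unikrn.com')}")
```

The point of `is_safe_redirect` is that it never looks at the raw string for a hostname prefix; it parses the target and only then compares the parsed host, which is what defeats both the `//` and the `@` variants.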

 

That's all.