Decrypt LOL

Security Assessment Identifies Vulnerabilities in Financial Application

Quick take - On March 22, 2024, a security assessment of a financial application identified Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS) vulnerabilities. Requests the application treated as encrypted turned out to be merely Base64-encoded, and a Print feature could be driven to retrieve sensitive data from the backend server. The case also illustrates how contested vulnerability classification can be and why thorough security evaluations are necessary.

Fast Facts

  • A security assessment on a financial application conducted on March 22, 2024, focused on vulnerabilities related to Server-Side Request Forgery (SSRF).
  • The assessment revealed that the application used internal domains accessed via iframes, leading to the discovery of CSRF and Cross-Site Scripting (XSS) vulnerabilities.
  • Initial testing overlooked CSRF due to the assumption that requests were encrypted, but they were actually Base64-encoded.
  • The investigation uncovered a Print functionality that resembled SSRF techniques, allowing for the execution of payloads that retrieved sensitive data from the backend server.
  • The initial vulnerability was classified as Priority 1 but later downgraded to Priority 2, highlighting the complexities in vulnerability identification and classification.

Comprehensive Security Assessment of Financial Application

On March 22, 2024, a comprehensive security assessment was conducted on a financial application. The focus was on identifying vulnerabilities associated with Server-Side Request Forgery (SSRF).

Understanding SSRF Vulnerabilities

SSRF is a web security vulnerability in which an attacker induces the server to issue requests to destinations it was never meant to reach, often internal systems that are unreachable from outside. It typically arises when an application fetches a remote resource named by user input without adequate validation or sanitization. The assessment revealed that the application used various internal domains for managing financial data, which were loaded into the main application through iframes.

Initially, the testing phase did not account for Cross-Site Request Forgery (CSRF) or other vulnerabilities, based on the assumption that requests were encrypted. It was subsequently discovered that these “encrypted” requests were merely Base64-encoded, which provides no confidentiality at all. This led to the identification of several CSRF vulnerabilities and Cross-Site Scripting (XSS) bugs. Notably, some of these vulnerabilities were found on out-of-scope domains, yet they had implications for the main application.
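The point above is that Base64 is an encoding, not encryption, so a request body that only "looks" opaque can be read and forged by any site the victim visits, which is exactly what CSRF needs. The following is an added example (not code from the original write-up or from the assessed application) showing a triage check that tells an encoded body from a genuinely opaque one, and the per-session anti-CSRF token check that makes such forged requests fail. The sample body, the field names, the secret, and the function names are all constructed for illustration.

```python
import base64
import hmac
import json

# Constructed sample: a transfer request body of the kind the assessment found to be
# Base64-encoded rather than encrypted (field names are hypothetical).
SAMPLE_ENCODED_BODY = base64.b64encode(
    json.dumps({"to_account": "12345678", "amount": "2500.00"}).encode()
).decode()

# Constructed stand-in for a genuinely opaque body: bytes that are not valid UTF-8.
OPAQUE_BODY = base64.b64encode(bytes(range(128, 160))).decode()


def classify_body(encoded: str) -> str:
    """Distinguish a Base64-encoded plaintext body from an opaque one.

    A body that decodes to readable JSON is merely encoded: any party that can
    see it can read it, and any party that can build it can forge it.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
        json.loads(raw.decode("utf-8"))
        return "base64-encoded JSON"
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return "opaque"


def decode_request_body(encoded: str) -> dict:
    """Recover the request parameters; Base64 offers no confidentiality."""
    return json.loads(base64.b64decode(encoded, validate=True))


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-CSRF token as an HMAC over the session id.

    The legitimate front end sends this token with every state-changing request.
    A cross-site page cannot produce it: it never learns the victim's session
    id or the server-side secret.
    """
    return hmac.new(secret, session_id.encode(), "sha256").hexdigest()


def is_csrf_protected(body: dict, session_id: str, secret: bytes) -> bool:
    """Accept a state-changing request only if its token is bound to this session."""
    token = body.get("csrf_token")
    if not isinstance(token, str):
        return False
    expected = issue_csrf_token(session_id, secret)
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    print(classify_body(SAMPLE_ENCODED_BODY), decode_request_body(SAMPLE_ENCODED_BODY))
    print(classify_body(OPAQUE_BODY))
```

Running `classify_body` over captured request bodies is a quick way to catch the "it's encrypted" assumption during a review; any body it labels as encoded JSON needs the same CSRF protection as a plain form post. The HMAC token is one common pattern; a framework's built-in CSRF middleware serves the same purpose.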

Discovery of Print Functionality

As the investigation progressed, the author uncovered a Print functionality that captured a webpage as HTML, Base64-encoded it, and submitted it for printing. This feature resembled the HTML-to-PDF conversion features that security researchers have documented as SSRF vectors: whatever resources the server-side renderer fetches on the page's behalf, it fetches from the server's own network position. Further experimentation involved crafting payloads targeting AWS metadata endpoints and Linux file paths, but initial attempts were hindered by iframe parameters that affected the output.

After refining these parameters, it became clear that the backend server was running Windows. This prompted additional testing using Windows-specific directories, with various payloads encoded in Base64. The author successfully executed the payloads against a specific endpoint, retrieving sensitive data. This underscored the importance of persistence and innovative thinking in vulnerability identification.
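The two paragraphs above describe the failure mode of a print/render service: it fetches whatever the submitted HTML references, including cloud metadata endpoints and local files on either Linux or Windows. The following is an added example (not code from the original write-up or from the assessed application) of the check such a service should apply to every reference before rendering: only http/https, no bare filesystem or UNC paths, and no host that resolves to a loopback, private, link-local or otherwise non-routable address. The `FAKE_DNS` table, the `SAMPLE_PRINT_HTML` body and the function names are constructed so the example runs offline; a deployment would resolve hostnames with `socket.getaddrinfo` and feed the results through the same check.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],       # a public address
    "intranet.example.local": ["10.0.0.5"],     # an internal host
    "metadata": ["169.254.169.254"],            # cloud metadata service alias
}

# Constructed page body of the kind a print/render endpoint receives.
SAMPLE_PRINT_HTML = """
<html><body>
  <link rel="stylesheet" href="https://cdn.example.com/print.css">
  <img src="https://cdn.example.com/logo.png">
  <iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
  <img src="file:///etc/hosts">
  <object data="C:\\Windows\\win.ini"></object>
</body></html>
"""


def is_public_address(addr: str) -> bool:
    """True only for routable Internet addresses; rejects loopback, RFC 1918,
    link-local (which includes 169.254.169.254), reserved and multicast ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_fetch_target(ref: str, resolver=None):
    """Decide whether the renderer may fetch `ref`. Returns (allowed, reason)."""
    if resolver is None:
        resolver = lambda host: FAKE_DNS.get(host.lower(), [])
    ref = ref.strip()
    # Bare POSIX paths, Windows drive paths and UNC paths carry no URL scheme and
    # would make the renderer read the local filesystem.
    if re.match(r"^(/(?!/)|[A-Za-z]:[\\/]|\\\\)", ref):
        return False, "local filesystem path"
    parsed = urlparse(ref)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % (parsed.scheme or "(none)")
    host = parsed.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]            # literal IP: nothing to resolve
    except ValueError:
        addrs = resolver(host)    # hostname: check every address it maps to
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr
    return True, "ok"


class FetchRefCollector(HTMLParser):
    """Collect attribute values that make a renderer fetch a resource."""
    FETCH_ATTRS = {"src", "href", "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.FETCH_ATTRS and value:
                self.refs.append((tag, value))


def audit_print_html(html: str, resolver=None):
    """Return [(tag, ref, reason)] for every reference the print service must refuse."""
    collector = FetchRefCollector()
    collector.feed(html)
    rejected = []
    for tag, ref in collector.refs:
        allowed, reason = check_fetch_target(ref, resolver)
        if not allowed:
            rejected.append((tag, ref, reason))
    return rejected


if __name__ == "__main__":
    for entry in audit_print_html(SAMPLE_PRINT_HTML):
        print("refuse %s %s: %s" % entry)
```

Two caveats for real deployments: the address that passes the check must be the address actually connected to (re-resolving at fetch time reopens the door to DNS rebinding), and redirects must be re-checked hop by hop. Running the renderer with no route to metadata or internal ranges is the second layer that catches whatever the filter misses.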

Triage and Resolution Timeline

The issue was initially triaged as Priority 1 (P1) by a Bugcrowd Application Security Engineer, but the program owner later downgraded it to Priority 2 (P2) and gave further reasoning for that decision. Throughout this process, the author expressed a personal sentiment regarding the validation that comes from independently discovering bugs.

The timeline of events for this security issue included the initial report on March 22, 2024, triage on March 27, 2024, and resolution achieved on May 17, 2024. This case highlights the complexities involved in identifying and classifying security vulnerabilities and underscores the ongoing need for rigorous security assessments in financial applications.

Original Source: Read the Full Article Here