Write Up 1: Hellosign Integration [Full Read SSRF]
In the name of God, the Most Gracious, the Most Merciful
Well, after a lot of attempts to start this series of write-ups I’m finally doing it. Briefly, this series of write-ups will be just some stories about my cool findings.
Target:
Since the target had a private bug bounty program, I won’t be disclosing the name, but it was a company that makes the recruiting process more manageable.
Attack surface:
From the target description, you can already tell what the attack surface could be: access controls (different privileges), file uploads (CVs, company documents, etc.), and so much more. I tried to focus first on features that include uploading/modifying files.
Recon:
After going through every button and feature, one of the integrations in use caught my attention: signing company documents with HelloSign.
I visualized the normal flow to sign a company’s document on the application.

Everything about the flow above seemed good until I saw an edit button.
After submitting a modification on the signed document (name, type, etc), the application sends a multipart form to the server with the S3 bucket link to the file.

Without any further thinking, I simply put the famous http://169.254.169.254/latest/meta-data/ and opened the file using the HelloSign integration. Finally, I enumerated my way to get the access token.
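
A server-side check that would reject the substituted link described above, shown as an added example that is not part of the original write-up or the target's code. The bucket hostname, function names and sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: documents live in one known bucket; this hostname is a placeholder.
ALLOWED_HOSTS = {"example-documents.s3.amazonaws.com"}


def is_public_ip(addr):
    """True only for globally routable addresses (rejects link-local
    169.254.0.0/16, RFC 1918 ranges, loopback, and IPv4-mapped forms)."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:169.254.169.254
    return (mapped or ip).is_global


def validate_document_url(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a client-supplied document link before the
    server, or an integration acting for it, fetches the URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    if port not in (None, 443):
        return False, "unexpected port"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not in allow-list"
    try:
        infos = resolver(host, 443, proto=socket.IPPROTO_TCP)
    except OSError:
        return False, "host does not resolve"
    addrs = {info[4][0] for info in infos}
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the metadata URL from the write-up and a bucket link.
    for u in ("http://169.254.169.254/latest/meta-data/",
              "https://example-documents.s3.amazonaws.com/cv.pdf"):
        print(u, validate_document_url(u))
```

The check only helps if the component that actually fetches the file connects to the validated address and does not follow redirects; storing an object key server-side instead of accepting a full URL from the client removes the input entirely.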

Timeline
Jun 01, 2022 — Report Sent.
Jun 02, 2022 — HackerOne Triage asking for more information (Using documents signing feature was a PIA).
Jun 13, 2022 — Vulnerability Fixed.
Jun 13, 2022 — $2000 bounty awarded by the program.
Tips: maybe I didn’t share any cool technique in this write-up, but I shared an important lesson: don’t ignore edit buttons :).