Spoofing file extensions on HackerOne

While testing HackerOne, I observed an issue with the file upload functionality. It seems that on File upload, the uploader uses the content within the file for determining the content type of file instead of filetype .

Although this does not pose much of a risk since the changed extensions would be visible at download time but wanted to blog about this.

This raises below 2 scenario:

Scenario 1

• Open any of your Hackerone report 
• Upload the batch.cmd from https://github.com/csanuragjain/roughProj/blob/master/batch.cmd?raw=true in comment and post the comment

• Open the batch.cmd on the posted comment
• Observe an image gets represented and their is no warning from HackerOne

• User downloads the file, thinking of it as an image file 
• if the user accidentally ignores the downloaded file extensions opens it then malicious batch file gets executed

Scenario 2 

• Open any of your Hackerone report
• Upload the myFile.txt from https://raw.githubusercontent.com/csanuragjain/roughProj/master/myFile.txt in comment and post the comment

• Open the myFile.txt on the posted comment
• You will see a warning from Hackerone, but since the file is txt file so user might just go ahead 

• User downloads the file, thinking of it as an text file

• if the user accidentally ignores the downloaded file extensions opens it then malicious HTML scripts execute

Reason:

1. Content-Disposition: attachment; filename="" in response from hackerone-attachments.s3.amazonaws.com does not contain filename, forcing browser to decide the naming convention. 
2. Since the Content type got decided on basis of file content header instead of extension by HackerOne so few browser would simply save it on user computer with incorrect extension, which caused the above Scenarios 1 and 2

HackerOne Report:

https://hackerone.com/reports/268123 (Closed as Informative)

SSL Pinning bypass on Android Emulator

Recently I developed interest in analyzing the Android apk network traffic.

I was able to capture traffic using HTTP interceptor for some of the apk but many other apk started giving error in interceptor - "The client failed to negotiate SSL connection".

On searching this issue, I came to know that apk are performing SSL pinning. In order to capture traffic for these apk, I need to bypass the SSL pinning. After reading multiple articles, I founded this easy way of performing the same.

Requirements:

1. Burp Suite - https://portswigger.net/burp/communitydownload
2. XPosed apk framework: https://forum.xda-developers.com/showthread.php?t=3034811
3. JustTrustMe - https://github.com/Fuzion24/JustTrustMe/releases
4. Memu Android emulator - https://www.memuplay.com/

Steps:

Configuring Burp Suite:

1. Install Burp Suite from https://portswigger.net/burp/communitydownload
2. Follow all steps mentioned at https://support.portswigger.net/customer/portal/articles/1816883-getting-started-with-burp-suite
3. For our case, we are setting Burp to listen to all interfaces on 8085 port

XPosed apk framework:

1. Download the framework from https://forum.xda-developers.com/showthread.php?t=3034811
2. For my case the download link was https://forum.xda-developers.com/attachment.php?attachmentid=4393082&d=1516301692

JustTrustMe apk:

1. Download the apk from https://github.com/Fuzion24/JustTrustMe/releases
2. For my case it came out to be https://github.com/Fuzion24/JustTrustMe/releases/download/v.2/JustTrustMe.apk

Memu Android emulator :

• Download the emulator from https://www.memuplay.com/ 

• Install the emulator and open the same.

• Click on Settings button and then goto Others tab

• Click on Enable for Root mode option

• Restart the emulator
• Click on "Install APK" button on the right side toolbar of Memu emulator

• Choose Xposed apk framework which was downloaded earlier
• Open the apk after installation
• Click on Install/Update option inside the apk
• After the installation is complete, restart the emulator
• If all went well, you will see something as shown below in screenshot

• Again, click on "Install APK" button on the right side toolbar of Memu emulator
• Choose JustTrustMe apk which was downloaded earlier
• After JustTrustMe is installed, open Xposed apk
• Open the Modules tab

• Activate the JustTrustMe module by ticking the checkbox

• Now, goto Wifi->Settings in the emulator
• Long press on the wifi name till you see option to Modify network

• Click on Advanced option
• Mention the ip of your system and port as 8085 (as Burp is listening on this port)

• Open any apk on the emulator which has SSL pinning enabled
• Observe that Burp suite is capturing all traffic and stops giving SSL error.

Note:

This post is only for educational purpose. Don't use this for any unauthorized activities.

Hope this helps.