Combining host header injection and lax host parsing serving malicious data

labsdetectify

TL;DR: There used to be a bug in Internet Explorer allowing attackers to force victims to send requests with malformed Host headers. File Descriptor used it to steal GitHub OAuth tokens, and we used it to confuse Heroku and Fastly’s host routing to make them serve our content on their customers’ domains. Fastly and Heroku have since patched the issue on their side.

Building an XSS polyglot through SWF and CSP

The mind twister was to abuse the CSP headers to inject JavaScript through a third-party domain that only allowed SWF uploads. A few Payment Service Providers offer bug bounty programs. On one of the providers I was able to find a stored XSS on the receipt page of a successful payment. The receipt page had a permalink URL that was sent out by email to the buyer. This meant that the XSS could be accessed by anyone who had the receipt link.

How I got the Bug Bounty for Mega.co.nz XSS

Last week Mega.co.nz released a Bug Bounty Program. Of course I set out to see if I could find something.

I noticed quite early in my digging that Mega had hijacked the alert function. You could see that by typing javascript:alert(/XSS/) into the address field when you’re visiting Mega.co.nz. The confirm and prompt functions are not affected. I also noticed that the download behaviour differed quite a lot between browsers. In Chrome, the download happened automatically, but in Safari, a Flash segment was visible with a “Save File” link.