
How I got access to Fastly account of dev.to

Hey Mates,
Hope you are all doing well. This is my first write-up, about how I gained access to a company's (dev.to) Fastly account.
One day I got an email saying that dev.to was going to be open-sourced on GitHub.

Previously I had found a critical account-takeover bug in dev.to via stored XSS and got rewarded for it (write-up to follow). Since I have an account on dev.to, I received this mail.

Now let's get started.
Email from dev.to
Now I was damn sure that there was something the developers had missed while making the dev.to project open source on GitHub. First I visited their GitHub project at https://github.com/thepracticaldev and started searching manually for secret keys, private keys and API keys. While searching for API keys I came across cache_buster.rb, which was leaking the Fastly API key like this:

with(headers: { "Fastly-Key" => "k15177t3dctdg27138b03c737688c84g" })

Don't waste your time, this is not the exact Fastly API key. Let's move on.
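One way to catch this class of leak before it reaches a public repository, as an added example in Ruby (the language of cache_buster.rb) that is not code from dev.to or Fastly: a small check that scans source text for a "Fastly-Key" header whose value is a string literal and reports it masked, while an ENV lookup passes. The sample source, the regex and the mask helper are my assumptions; the key value is the placeholder from this post.

```ruby
# Added example (not dev.to's or Fastly's code): a pre-commit style check that
# flags a Fastly API key hard-coded as a string literal next to the
# "Fastly-Key" header, the pattern found in cache_buster.rb.
# The source below is constructed; the key value is the placeholder from the post.

SAMPLE_SOURCE = <<~RUBY
  # constructed sample: the leaky form
  HTTParty.get(url, headers: { "Fastly-Key" => "k15177t3dctdg27138b03c737688c84g" })
  # constructed sample: the safe form, key read from the environment at runtime
  HTTParty.get(url, headers: { "Fastly-Key" => ENV["FASTLY_KEY"] })
RUBY

# Assumption: a literal key is any quoted run of 20+ letters/digits that sits
# as the value of a "Fastly-Key" header entry (=> or : hash syntax).
LITERAL_KEY = /["']Fastly-Key["']\s*(?:=>|:)\s*["']([A-Za-z0-9]{20,})["']/

# Show only the first and last four characters so a finding can be reported
# (ticket, CI log) without copying the secret a second time.
def mask(secret)
  return "*" * secret.length if secret.length <= 8
  "#{secret[0, 4]}#{'*' * (secret.length - 8)}#{secret[-4, 4]}"
end

# Returns one finding per line holding a literal key: 1-based line number and
# masked value. ENV[...] lookups are not string literals, so they are not flagged.
def find_hardcoded_fastly_keys(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next unless (m = LITERAL_KEY.match(line))
    findings << { line: lineno, key: mask(m[1]) }
  end
  findings
end

# Exit status a CI job would use: non-zero whenever a literal key was found.
def ci_exit_code(findings)
  findings.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  findings = find_hardcoded_fastly_keys(SAMPLE_SOURCE)
  findings.each { |f| puts "line #{f[:line]}: hard-coded Fastly-Key #{f[:key]}" }
  puts "exit code would be #{ci_exit_code(findings)}"
end
```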

Now that I had the Fastly API key, the question was how to use it. I searched for the Fastly API on Google and found the Fastly docs at https://docs.fastly.com/api/auth, which show how to retrieve sensitive details. The documentation covers several API endpoints: /tokens, /customer/id/tokens and many more.
I simply created a working POC to list all tokens belonging to the authenticated user, shown below, and sent a detailed report to them.

Request Example
GET /tokens HTTP/1.1
Fastly-Key: k15177t3dctdg27138b03c737688c84g
Accept: application/json


Response Example

HTTP/1.1 200 OK
Content-Type: application/json
[
  {
    "id": "5Yo3XXnrQpjc20u0ybrf2g",
    "user_id": "4y5K5trZocEAQYkesWlk7M",
    "services": [],
    "name": "my_token",
    "scope": "global",
    "created_at": "2016-06-22T03:19:48+00:00",
    "last_used_at": "2016-06-22T03:19:48+00:00",
    "expires_at": "2016-07-28T19:24:50+00:00",
    "ip": "127.17.202.173",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
  }
]

This lists all the tokens belonging to the authenticated user. There are many endpoints like this:
1. List all tokens belonging to a specific customer
GET /customer/id/tokens
2. Get a single token based on the access_token used in the request
GET /tokens/self

Many more endpoints are listed at https://docs.fastly.com/api/auth. I reported this issue to them; they responded quickly and fixed it within 6 days.

I hope you guys like this write-up.
Hall of Fame from dev.to

Timeline

  • 9 August: Bug found and reported
  • 9 August: Triaged
  • 15 August: Fixed
  • 15 August: Bounty awarded
