Modifying the Mozilla sync request result to make the server interact with external
Categories: Firefox :: Security, defect
People: Reporter: sandichrist6, Unassigned
Keywords: steps-wanted; Whiteboard: QA-not-reproducible
Attachments: 1 file (135.05 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Steps to reproduce:
1: Simply open Firefox and intercept the request with Burp.
(In my case I get a request like this:
GET /direct?url=https%3A%2F%2Fpocket-image-cache.com%2F1200x%2Ffilters%3Ano_upscale%28%29%3Aformat%28jpg%29%3Aextract_cover%28%29%2Fhttps%253A%252F%252Fpocket-syndicated-images.s3.amazonaws.com%252Farticles%252F6213%252F1617941161_606fbd39a4bcc.png&resize=w450 HTTP/1.1
Host: img-getpocket.cdn.mozilla.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: null
Connection: close)
2: In this, a url param gets passed; I then modified the url with my Burp Collaborator payload.
3: Send the request and check the Burp Collaborator.
Actual results:
It makes HTTP and DNS requests to an external server.
Expected results:
With this issue, an attacker can use this server as an attacking proxy...
Comment 1 • 3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2 • 3 years ago
I don't understand what the issue is here - not that there isn't one, but I truly don't understand what is the expectation and how it is being violated. Could you explain more clearly what is the information that's leaked or what you mean by "attacking proxy"?
Reporter
Comment 3 • 3 years ago
That day I was working on another program; while intercepting requests I accidentally got this request. Then I wanted to find out how the GET request works, so I analysed the request, which fetches some data from external servers and AWS. Then I removed the links and put in my Burp Collaborator payload link. Finally, it makes a request to my Burp Collaborator. Then I found it interacts with an external server.
Impact:
External server interaction leads to RFI and other vulnerabilities.
Reporter
Comment 4 • 3 years ago
Comment 5 • 3 years ago
If I understand this correctly, changing the URL of the request makes the img-getpocket server connect to 'attacker-provided' external server.
I'm not sure if there's a way to abuse this in any way.
Comment 6 • 3 years ago
I can't confirm this issue since I don't know how to use Burp. Furthermore, from my point of view, this is more of a Networking or a Security issue than one relevant to the New Tab Page; however, I assume it must be correct if set by a DEV.
Please NI me if further testing is necessary.
Comment 7 • 3 years ago
Would appreciate if someone from security could take a look at this, please. Not currently sure if there is a New Tab Page task here.
Updated • 3 years ago
Are you saying that by modifying the response from img-getpocket.cdn.mozilla.net, you got Firefox to make a request to a server controlled by you?
Reporter
Comment 9 • 2 years ago
Yeah!! It creates external service interaction; sometimes it leads to SSRF as well.
Thank you
Now that I think about this some more, that seems like the expected behavior - if you can modify a response to Firefox, you can e.g. send a redirect to an arbitrary site. I don't think there's a vulnerability here - Firefox uses https here (right, New Tab Page folks?) to ensure that attackers can't modify responses.
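Comment 5 summarises the behaviour under discussion: a proxy endpoint that takes a `url` parameter and fetches whatever host it names. The usual server-side mitigation is an allowlist of upstream hosts, checked on the parsed hostname so that userinfo and look-alike-subdomain tricks do not slip through. The Python below is an added example written for this page; it is not the Pocket CDN's code. The two allowlisted hosts are taken from the request quoted in the report, but that the real service restricts itself to them is an assumption, and `collaborator.example` is a constructed placeholder for an attacker-controlled host.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of upstream image hosts for this example.  The two
# names come from the request quoted in the bug report; whether the real
# Pocket CDN restricts itself to them is an assumption, not a fact from
# the page.
ALLOWED_IMAGE_HOSTS = {
    "pocket-image-cache.com",
    "pocket-syndicated-images.s3.amazonaws.com",
}

# The request line quoted in the report, reused here as sample input.
REPORTED_REQUEST_LINE = (
    "GET /direct?url=https%3A%2F%2Fpocket-image-cache.com%2F1200x%2Ffilters"
    "%3Ano_upscale%28%29%3Aformat%28jpg%29%3Aextract_cover%28%29%2Fhttps%253A"
    "%252F%252Fpocket-syndicated-images.s3.amazonaws.com%252Farticles%252F6213"
    "%252F1617941161_606fbd39a4bcc.png&resize=w450 HTTP/1.1"
)


def validate_upstream_url(url):
    """Return True only if `url` is an https URL whose host is allowlisted.

    The check is made on the parsed hostname, so https://allowed.host@other.host/
    resolves to other.host and is rejected, and a look-alike such as
    allowed.host.other.host fails the exact-match test.
    """
    try:
        parsed = urlparse(url)
        host = parsed.hostname     # lowercased, userinfo and port stripped
        port = parsed.port         # raises ValueError on a non-numeric port
    except ValueError:             # malformed IPv6 brackets, bad port, ...
        return False
    if parsed.scheme != "https":
        return False
    if host is None or host not in ALLOWED_IMAGE_HOSTS:
        return False
    # An image CDN URL carries neither credentials nor an explicit port;
    # treat either as a sign the parameter was tampered with.
    if parsed.username is not None or port is not None:
        return False
    return True


def check_proxy_request(request_line):
    """Decide whether an image-proxy request like the one in the report may
    be followed.  Returns (allowed, upstream_host); upstream_host is "" when
    the request is refused."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False, ""
    query = urlparse(parts[1]).query
    candidates = parse_qs(query).get("url", [])
    if len(candidates) != 1:       # url= missing or supplied twice: refuse
        return False, ""
    upstream = candidates[0]
    if not validate_upstream_url(upstream):
        return False, ""
    return True, urlparse(upstream).hostname


if __name__ == "__main__":
    # collaborator.example is a constructed stand-in for an attacker-controlled host.
    for line in (
        REPORTED_REQUEST_LINE,
        "GET /direct?url=https%3A%2F%2Fcollaborator.example%2Fx.png&resize=w450 HTTP/1.1",
        "GET /direct?url=https%3A%2F%2Fpocket-image-cache.com%40collaborator.example%2Fx.png HTTP/1.1",
    ):
        allowed, host = check_proxy_request(line)
        print("FETCH" if allowed else "REFUSE", host or "-", line[:60])
```

Exact hostname matching, rather than a substring or prefix test, is the design point: the reported URL passes, while a URL that merely contains an allowlisted name in its userinfo or as a subdomain prefix is refused. A production proxy would additionally resolve the host and reject private or loopback addresses before connecting, which this example leaves out.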