
Bypassing Host Validation: Real Pentest Case of Sensitive Data Exposure

Mateusz Kowalczyk

During one of our penetration tests, I discovered a vulnerability that allowed us to bypass a host whitelist, leading to the exposure of sensitive data. This behavior could let attackers exfiltrate sensitive information, such as password reset tokens, to external hosts they control. The severity of this vulnerability is significant, as it opens up further attack vectors that could potentially compromise the application and its users.

Environment overview

In this case, the vulnerability stems from how the application validates the host when sending requests.

The system was designed to whitelist specific domains and reject requests to unapproved external hosts. However, I found that this validation could be bypassed by placing a special character in the domain name, which allowed unauthorized external communication.

To exploit this vulnerability, we need a user account in the tested application. The application offered several templates; for this vulnerability I used the Customer password reset template, where (importantly) custom HTML content can be inserted.

Then I inserted an iframe element with a malicious URL into the editor:

[Screenshot: Malicious iframe]

Initially, the application displayed an error message:

[Screenshot: Initial error]

Bypassing Validation

However, when we modified the domain by adding a special character, for example $, the application allowed the request to pass:

[Screenshot: Bypass with $]

Exploiting the Bypass

I decided to refine the payload by using another special character, £, which the application transformed into a valid URL:

[Screenshot: Bypass with £]

The application interpreted this as a valid, whitelisted URL:

[Screenshot: Valid URL interpretation]

In this case, when the special character £ was included in the domain, the application transformed it using an encoding called Punycode. Punycode represents Unicode characters in domain labels as plain ASCII strings (prefixed with xn--), so that internationalized names can be used in the Domain Name System.

As a result, the application transformed the label containing £ into its Punycode equivalent (xn--z-bca), making the URL appear valid according to the host whitelist rules.

Extracting Sensitive Data

With the host whitelist bypassed, I was able to demonstrate how this vulnerability could be used to steal sensitive data, such as user password reset tokens, by embedding the following payload:

[Screenshot: Data extraction payload]

Recommendations

To avoid vulnerabilities like this in your applications, implement strict validation that handles special characters and encoded URLs correctly and allows only trusted domains. In particular, validate the host only after it has been normalized to the same canonical (IDNA/Punycode) form the HTTP client will actually resolve, and compare that form exactly against an explicit list of trusted domains, so that no later transformation can change which host the request reaches.
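The following Python check is an added example written for this article, not the tested application's code or the author's: it canonicalizes the host (IDNA/Punycode encoding plus a plain-label check) before an exact allowlist comparison, so a later Punycode transformation cannot change the outcome. The allowlist entry, the attacker host and the sample URLs are constructed for illustration; the host with a £ label reproduces the xn--z-bca encoding the post observed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example; entries are stored in canonical
# (lower-case, ASCII/Punycode) form so the comparison below is exact.
ALLOWED_HOSTS = {"mail.example.com"}

# After IDNA encoding every DNS label must consist of letters, digits and
# hyphens only (an "LDH" label), at most 63 characters, not starting or
# ending with a hyphen.
LDH_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def canonical_host(url: str) -> Optional[str]:
    """Return the host in the form the HTTP client will resolve, or None.

    Lower-cases the host, converts non-ASCII labels to Punycode (xn--...)
    and rejects anything that is not a plain LDH label, e.g. a host that
    still carries characters such as '$' after parsing.
    """
    try:
        host = urlsplit(url).hostname  # already lower-cased by urlsplit
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")  # a trailing dot denotes the same name
    if not host:
        return None
    try:
        # Same IDNA (Punycode) conversion the HTTP stack applies before DNS.
        host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None
    if not all(LDH_LABEL.fullmatch(label) for label in host.split(".")):
        return None
    return host


def is_allowed(url: str) -> bool:
    """Exact allowlist match on the canonical host; no suffix or substring tests."""
    host = canonical_host(url)
    return host is not None and host in ALLOWED_HOSTS
```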
