Non-Profit project*
- Somewhat foolishly, I took a request
- You won't believe what happened next...
*http://haxx.ml/post/137946990286/hacking-open-source-software-for-fun-and

Combinator
- Open source
  - MIT License
- Team and Enterprise editions
- Built on modern technologies
  - Golang, React.js, Node.js
- New release monthly (16th)

you understand? :)
- Exposed by design
- Rapidly growing user base
- Interesting use cases (SaaS?)
- Open Source
- Provide info for those considering using it

Backend/API written in Golang
  - One Linux ELF binary + static resources
- All business logic in the API
- MySQL or PostgreSQL database
- Mobile and desktop apps
  - Android, iOS, Windows, OS X, Linux

Compiled but "memory safe"
  - No manual memory management, etc.
- Runtime built-in
- Designed with security in mind
  - Context-based output encoding
  - Secure standard libraries
  - No "easy" path to dynamic execution

logical area + endpoint
- Access model well implemented
- No injection vulnerabilities (?)
- Some team-related information leaks
- Fairly clean with some legacy/redundant functionality

Somewhat configurable
  - Restrict to specific domains
  - Require email verification
  - Limit to SSO service (OAuth/LDAP)
- Two methods
  - Direct Invite (email from system)
  - Team Invite Link (more interesting)

- POST to /api/v1/teams/find_teams
  - Payload: {"email":"[email protected]"}
  - Returns team data, including Invite ID
  - Can be called unauthenticated
- Only pre-req: team member's email/username

Team Admin
  - Manage team settings and members
- System Admin
  - Manage system settings through System Console
- Admins are Members too
  - No access to other users' private channels, DMs, etc.
  - Except in this one particular case…

{"link":"/api/v1/files/get_export"}
- GET /api/v1/files/get_export
  - Returns ZIP file with exported data for ALL teams
  - Chat messages, team invite IDs, etc.
- Can be triggered by any Team Admin
  - Local and cross-team information leak

officially recommended
- Passwords stored as bcrypt hashes
- Chat messages stored in clear text
- Shared files stored as-is on file system
- Crypto used in "interesting" ways…

http://192.168.1.54:8065/suchteam/reset_password?d={"time":"1462383751298","user_id":"55u99xsze7fc9ygs7d9zgqwhjh"}&h=$2a$10$L9yhcWMoS4qY.wSxJx/iJO77xZcGiFP.XDkwZEyJrH7M7eUkqx.am
- The value of d is known/predictable
- bcrypt hash (h) is generated by:
  - bcrypt(value_of_d + ":" + password_reset_salt)
- Hmmm… But why?

stored
  - Any bcrypt hash will be accepted as long as it matches d + password reset salt
  - Cost factor can be reduced to 4!
- The "time" value of d can be set arbitrarily
- Knowing the password reset salt => reset any user's password
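The reset link above can be built by anyone holding the static password reset salt, because h is computed over the predictable d and the expiry time travels inside the link itself. As an added example (not the project's own code; the type names, the one-hour TTL and the constructed user ids are my assumptions), here is a Go reset-token store in which the server, not the link, holds the secret, the expiry and the single-use state:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// resetRecord is all the server remembers about an issued token: owner and a
// server-chosen expiry. The link carries neither a user_id nor a time field.
type resetRecord struct {
	userID  string
	expires time.Time
}
// ResetStore keys records by SHA-256 of the raw token: a leaked table cannot be
// replayed, and there is no single static salt that forges links for everyone.
type ResetStore struct {
	byHash map[[32]byte]resetRecord
	ttl    time.Duration
}
func NewResetStore(ttl time.Duration) *ResetStore {
	return &ResetStore{byHash: map[[32]byte]resetRecord{}, ttl: ttl}
}
// Issue returns a fresh 32-byte random token as hex; nothing in it is derived
// from predictable fields, so there is nothing for a bearer to compute.
func (s *ResetStore) Issue(userID string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	s.byHash[sha256.Sum256(raw)] = resetRecord{userID, now.Add(s.ttl)}
	return hex.EncodeToString(raw), nil
}

// Redeem accepts a token only if the server issued it, it is unexpired by the
// server's own clock, and it was never used; the bearer picks neither time nor cost.
func (s *ResetStore) Redeem(token string, now time.Time) (string, error) {
	raw, err := hex.DecodeString(token)
	if err != nil || len(raw) != 32 {
		return "", errors.New("malformed token")
	}
	key := sha256.Sum256(raw)
	rec, ok := s.byHash[key]
	delete(s.byHash, key) // single use: burn it even if the check below fails
	if !ok || !now.Before(rec.expires) {
		return "", errors.New("unknown or expired token")
	}
	return rec.userID, nil
}
```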
type restrictions
  - Preview functionality for common file types
- Stored as-is under folder path based on:
  - Channel ID
  - Uploading user's ID
  - Random string
- Access to files is well protected

s37zh35fmc/r5kcfatee7d6zfnjjiss9xwn1c/geb8dieqhib43g3u9bedqiqn1o/hello.html?session_token_index=0&download=1
- Downloads the file as an attachment
  - Content-Disposition: attachment;filename="hello.html"
- What happens if the value of download is 0?
  - Or just remove the query string
  - HTML executes!

Node.js
  - Engine for running JavaScript on the server
  - Not the same restrictions as in a browser
- Mostly just emulates a browser
  - Uses cookies
  - Local config, HTML, and JS files
- Not much to see here… Or?

of crypto
  - New, cleaner API version
  - Better team separation
  - No sensitive data in System Console
- Root cause analysis over single fixes
- Potential improvements
  - Optional database encryption
  - Team separation on database level