Welcome my first bug bounty write up, I don't do bug bounty that much especially web bug bounties but it started to interest me lately so I decided to start looking for bugs in UBER.
Before you start I highly recommend you read about SAML authentication if you are not already familiar with the topic, otherwise, it will be really hard to understand the bug.
You can read about SAML Here
I started gathering information about the target, I noticed that their internal systems are in scope (subdomains of uberinternal.com), so I started performing subdomain enumeration, For that, I used
aquatone which discovered a number of domains and gathered some screenshots of the domains.
One thing to notice was that most of the internal domains redirect to
uber.onelogin.com for the authentication process.
onelogin is known to use SAML authentication which is very interesting because of a large number of authentication bypasses discovered in applications implementing SAML, including some bugs affecting uber itself which you can find Here and Here.
My first intention was to look for SAML authentication bypasses, and believe it or not, I was going to start with the
uchat system but sadly someone got the bug first, this is not the first time I lost a bug because of bad timing so it's OK .. let's move on.
When you log in with SAML a request is sent to the authentication service, in our case this is
uber.onelogin.com and after the login
uber.onelogin.com will send back a response in case of successful login to the application which in this case
whatever.uberinternal.com what I was interested in finding was the page that receives the response from onelogin.
So let's take a look at the redirection that happens when calling a page that requires authentication, you can see in the following image that it passes a
SAMLRequest base64 parameter to
To decode the value of the parameter there exists an online tool that allows us to do just that and we can see the link that will receive the response from
Also, there's a good SAML plugin for burpsuite if you want to give it a try, also it has some really good advanced features to test SAML.
That was OK, however, I wanted to do that in bulk, so I created a tool that takes a list of URLs and gives back the SAML consuming URL, you can find the tool here in my GitHub account SAMLExtractor.
The next thing was to try to bypass SAML authentication on that link but I didn't have luck with that so I decided to do something else, I decided to do some discovery of the
oidauth/ directory to see if there are any more interesting files, for that I used
dirsearch using the following command.
./dirsearch.py -u https://carbon-prototype.uberinternal.com:443/oidauth/ -ejson
After performing the directory brute forcing I found the following page:
It's a logout page but why that's interesting .. well a lot of developers implement a redirection in the logout page and sometimes you can find
XSS vulnerability in there so I opened the above link and it did redirect me to the following page
The base parameter is taking a URL so how about replacing that with the old classic
Remember when I told you I created a tool that can take a list of URLs and then give you back the callback (SAML consume) URL, I decided to feed the tool with all subdomains of
uberinternal.com to see if there are other domains that use the same library and there was.
What I did next was to create a script that calls the vulnerable page
oidauth/prompt and try the XSS and if my input is reflected it gives me a nice vulnerable message.
After that, I verified the vulnerable pages and sent the first report to UBER, and after the first report, I found more two vulnerable subdomains which I reported in a separate report.
- First Report
- Second Report