Skip to main content

How I got access to Fastly account of dev.to

Hey Mates,
Hope you all are Good, This is my first write-up about how i gain access to a company's(dev.to) fastly account. 
One Day I got email that dev.to is going to open source on Github.

Previously I've found a critical account takeover bug in dev.to via stored XSS and get rewarded(Write-up later), Since I have account in dev.to that's why I receive this mail.

Now Let's get started.
Email From dev.to
Now I was damn sure that there is something that the developer's missed while making dev.to project open source in Github, first i visited their Github project at 
https://github.com/thepracticaldev and start searching manually for secret key's, private key's and Api key's, When searching for Api key I encountered with cache_buster.rb which is leaking the fastly Api key like this.

with(headers: { "Fastly-Key" => "k15177t3dctdg27138b03c737688c84g" })

Dont't waste your time this is not an exact fastly api key let's move on.

Now it's time for fastly api key, how to use this api key. Then I have search for fastly api in google and encountered with fastly docs at https://docs.fastly.com/api/auth which shows how to get sensitive details. The documentation consists of different api endpoints /tokens, /customer/id/tokens and many more.
I simply created a working POC to List all tokens belonging to the authenticated user like this below and send the detailed report to them.

Request Example
GET /tokens HTTP/1.1
Fastly-Key: k15177t3dctdg27138b03c737688c84g
Accept: application/json


Response Example

HTTP/1.1 200 OK
Content-Type: application/json
[
{

    "id": "5Yo3XXnrQpjc20u0ybrf2g",
    "user_id": "4y5K5trZocEAQYkesWlk7M",
    "services": [],
    "name": "my_token",
    "scope": "global",
    "created_at": "2016-06-22T03:19:48+00:00",
    "last_used_at": "2016-06-22T03:19:48+00:00",
    "expires_at": "2016-07-28T19:24:50+00:00",
    "ip": "127.17.202.173",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
  }
]
 
This will list all the token belongs to the authenticated users. There are many endpoints like this.
1.List all tokens belonging to a specific customer
GET/customer/id/tokens
2.Get a single token based on the access_token used in the request.
GET/tokens/self

And Many more endpoints are listed athttps://docs.fastly.com/api/auth , I reported this issue to them they responded quickly and fix this within 6 days.

I hope you guys like this writeup. 
Hall of Fame from dev.to

Timeline

  • 9 August : Bug found and Reported
  • 9 August : Triaged
  • 15 August : Fixed
  • 15 August: Bounty Awarded

Comments

Popular posts from this blog

Getting started with Bug Bounty!

Hey, Guys Hope you all are doing well. I started my journey in bug bounties around 1.5 years ago, and I am thankful to all the members of security community who share their knowledge to the community. I have learned a lot of things from them and I am still learning new things daily from fellow hackers, hacking is a continuous process and ultimately reflects a state of mind. I have received a lot of messages from people's asking me how to start, where to start in bug bounties. So I have decided to write a blog which contain as much information which helps for beginners. Quote- "Hacking is a lifelong Journey of Learning " Table of Content Introduction Reading Practicing Connect with community Ask Questions Motivation Certifications Conclusion Introduction What is bug bounty? To get a basic understanding of the role, the name itself is quite self-explanatory. A bug bounty hunter looks for bugs in applications and platforms, which they later

Ethical Hacking Resource

Book’s: Tangle Web Security Guide Web Hacking 101 The Basics of Web Hacking: Tools and Techniques to Attack the Web Learning Pentesting Android Devices Android Hacker’s Handbook Learning IOS Pentesting Practical IOT Security Burp Suite Tool Attack Approach Essential of Burp Suite Browser Plugin’s : Chrome  :  http://resources.infosecinstitute.com/19-extensions-to-turn-google-chrome-into-penetration-testing-tool/ Firefox  :  http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/ Tool’s: https://bugbountyforum.com/tools/ https://forum.bugcrowd.com/t/researcher-resources-tools/167 Bug Bounty References: https://github.com/ngalongc/bug-bounty-reference https://github.com/Hack-with-Github/Awesome-Hacking Payload’s: fuzzdb  —  https://github.com/fuzzdb-project/fuzzdb SecLists  —  https://github.com/danielmiessler/SecLists NickSanzotta  —  https://github.com/NickSanzotta/BurpIntruder