-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
cc56a54
commit a69bc42
Showing
5 changed files
with
34 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| --- | ||
| title: "Popping Helm's Deep: How one vulnerability opened up an entire fortress of new scope" | ||
| date: 2025-01-22 | ||
| image: /assets/images/posts/Uruk.png | ||
| layout: single | ||
| author_profile: true | ||
| --- | ||
|
|
||
| Like any good catholic, I've been obsessed with Lord of the Rings. And like any Lord of the Rings fan, one of my favorite scenes from Peter Jackson's interpretation is the siege of Helm's Deep. | ||
|
|
||
| Helms deep, the impenetrable fortress of the Rohirrim, is besieged by the Uruk-hai. Within it's walls, remain the last denizens of Edoras. While naturally the good guys win, King Theoden gives a riveting speech, and the day is saved, yadda yadda _whatever_.I want to focus on the role of this crazy nutter: | ||
|
|
||
|
|
||
|  | ||
|
|
||
| If you haven't seen the movie (please do), this psychopath is holding a torch and running into a _small, overlooked_ sewage gap in the wall where other Uruk-hai have placed a number mines: | ||
|
|
||
|  | ||
|
|
||
|
|
||
| Putting 2 and 2 together, what happens next is a bit explosive: | ||
|
|
||
|  | ||
|
|
||
| After which, the walls of Helms Deep are breached and the defense crumbles, leaving the juicy interior of the fortress to be plundered by the Saruman's army. | ||
|
|
||
| So how's that relate to bug bounty? Well, a while back, [Rez0](https://x.com/rez0__) and I were looking at a production web application that we weren't given credentials to. And no, this wasn't a self-signup application. All we had was the root domain. | ||
|
|
||
| Much like the Uruk-hai noticing the small overlooked gap Deeping Wall, Joseph noticed a small overlooked set of credentials in the _javascript_ on one of the pages of the applicaiton. As it turns out, these were administrator credentials which had access to one of the orgs in the application. And much like Helms Deep, what was _behind_ the wall was laughably more insecure than the wall itself. Nearly _every. single. endpoint._ was vulnerable to IDOR. We found at least 3 account takeovers. You could add yourself to other organizations, and trivially delete every user in the application. We effectively owned the app. | ||
|
|
||
| So the next time you're hacking on an app that you don't have credentials for, try to find a small overlooked gap in the wall, and you just might find entirely new untouched scope, ripe for the harvest. | ||
|
|
||
|
|
||
| Also, read LOTR. It's good for your soul. |
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.