Plotly is a powerful data analytics and visualisation platform. Founded in 2012, the firm offer a range of products, including a collaborative web interface, API libraries, the Plotly.js library, on-premises services and various software utilities.
Plotly maintain a public bug bounty program in parallel with a private HackerOne program, which researchers with a positive Signal metric can request to be invited to.
I reached out to the team and started searching for bugs in early May. Let's take a look at two interesting reports, starting with the SSRF.
AWS EC2 Metadata Disclosure via SSRF
Brett Buerhaus' blogpost discussing an SSRF vulnerability on the ESEA eSports platform caught my attention in April last year. After proceeding to exploit a URL filter bypass for reflected XSS, Brett learned of an interesting SSRF technique from @NahamSec: EC2 instance metadata disclosure.
Live instances on Amazon's Elastic Compute Cloud can retrieve information by querying the link-local metadata address (169.254.169.254). As a starting point, the below URL discloses endpoints available for inspection:
The EC2 documentation for this topic contains a highly useful Metadata Categories table along with details on formatting and data types. Interestingly, I discovered that the metadata address can disclose AWS API credentials if the instance is connected to a specific IAM role:
If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]
Whilst it was not possible to obtain API credentials in this case, the Plotly bug could be reproduced by an authenticated user by visiting a URL such as the following:
external endpoint processes a valid url parameter and opens the Graph Maker with the retrieved data. As http://169.254.169.254 URLs were accepted, the well-formatted metadata appeared in the Graph Maker:
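As an added illustration of the check an import-by-URL endpoint needs before fetching anything (example code written for this post, not Plotly's implementation; the hostnames, addresses and DNS table are constructed), the following Python resolves the host and refuses link-local, loopback and private destinations, so a url parameter pointing at 169.254.169.254 never reaches the metadata service:

```python
import ipaddress
import socket
from urllib.parse import urlparse
ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(hostname):
    """Resolve to every A/AAAA address (assumption: DNS is reachable at runtime)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def is_blocked_address(ip):
    """True for any address a server-side fetcher must never contact: link-local
    (169.254.0.0/16 holds EC2 metadata), loopback, private, multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still 169.254.169.254
    return (addr.is_link_local or addr.is_loopback or addr.is_private
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_import_url(url, resolver=default_resolver):
    """Return (ok, reason). The caller must connect to the vetted address itself and
    re-run this check on every redirect Location, or DNS changes and 302s bypass it."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addresses = resolver(host)
    except (socket.gaierror, UnicodeError) as exc:
        return False, "could not resolve %r: %s" % (host, exc)
    if not addresses:
        return False, "host %r resolved to no addresses" % host
    for ip in addresses:
        if is_blocked_address(ip):
            return False, "host %r resolves to blocked address %s" % (host, ip)
    return True, "ok"

# Constructed DNS table so the example runs offline; names and addresses are made up.
CONSTRUCTED_DNS = {
    "169.254.169.254": ["169.254.169.254"],        # IP literal, as in the report
    "metadata.example": ["169.254.169.254"],       # hostname aliasing the metadata IP
    "mapped.example": ["::ffff:169.254.169.254"],  # IPv4-mapped IPv6 form
    "mixed.example": ["104.16.0.10", "10.0.0.5"],  # one public, one private answer
    "public.example": ["104.16.0.10"],
}
def constructed_resolver(hostname):
    if hostname not in CONSTRUCTED_DNS:
        raise socket.gaierror("no constructed entry for %r" % hostname)
    return CONSTRUCTED_DNS[hostname]
```

Rejecting on any blocked answer (not just the first) matters because a hostname can return a public and a private address together.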
Stored XSS via Presentation Link
I came across Plotly Presentations during my wider reconnaissance of the firm's properties and started to explore the Spectacle Editor tool.
Co-authored by Formidable Labs, Spectacle Editor is:
an Electron based app for creating, editing, saving, and publishing Spectacle presentations [...] a joint effort between Formidable and Plotly.
Links can be added to text elements in a Spectacle presentation and were accepted by the platform. After pasting
Straightforward stored XSS via a trusted URL element. After submitting the initial HackerOne report, I later exported and attached the Spectacle JSON file to assist the Plotly team with their investigation and fix.
I would like to commend Jody from Engineering for the swift handling of reports submitted to the Plotly program – and to the Development team for the quick resolution response.
For interested researchers, I'd like to mention that Plotly also pay on Triage for valid reports (a highly encouraged move from program operators).
The following timestamps are provided in GMT. Once the Plotly program becomes public, the applicable HackerOne reports will be disclosed.
SSRF via External URL Import leading to AWS Metadata Disclosure
- 2017-05-09 09:19 – issue reported
- 2017-05-10 17:41 – triaged & bounty issued
- 2017-05-17 22:25 – issue resolved
Stored XSS via Presentation Text Link
- 2017-05-02 16:49 – issue reported
- 2017-05-03 19:33 – triaged & bounty issued
- 2017-05-25 21:30 – issue resolved