FUCK HACKERONE

Sleep · 6 min read · Dec 21, 2023


dbms

submitted a report to HackerOne.

September 9, 2023, 10:43pm UTC

Summary

The Leaderboards page at https://leaderboards.hackerone.live/error exhibits insecure error handling, potentially leading to information leakage or abuse. This report outlines the identified vulnerabilities and offers recommendations for mitigation.

Vulnerability Details

Description

Upon accessing the page, it displays an error message without adequately handling sensitive information or implementing proper error handling measures. The error message is directly rendered in the <h1> tag, indicating an unexpected error has occurred.

Code Analysis

The provided HTML code reveals the following issues:

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charSet="utf-8"/>
  <title>HackerOne Leaderboards</title>
  <!-- … -->
</head>
<body>
  <h1>Unexpected error occurred</h1>
  <script>
    ((r) => {
      if (!window.history.state || !window.history.state.key) {
        let n = Math.random().toString(32).slice(2);
        window.history.replaceState({ key: n }, "");
      }
      try {
        let o = JSON.parse(sessionStorage.getItem(r) || "{}")[window.history.state.key];
        typeof o == "number" && window.scrollTo(0, o);
      } catch (n) {
        console.error(n), sessionStorage.removeItem(r);
      }
    })("positions")
  </script>
  <!-- … -->
</body>
</html>
```

Vulnerability Details

Lack of Proper Error Handling: The error message is directly embedded in the HTML code without any additional context or information about the error. This may expose sensitive information about the application’s internal structure or potential vulnerabilities.

Random Key Generation for History State: While a random key is generated for the history state, this measure does not adequately address the primary concern of insecure error handling.

Impact

Potential Impact

This insecure error handling could have several negative consequences:

Information Leakage: Attackers may gain insights into the application’s internal behavior, potentially identifying vulnerabilities or misconfigurations.

Abuse for Exploitation: Information disclosed in error messages could be utilized to craft targeted attacks, increasing the risk of successful exploitation.

Recommendations

To address this issue, it is recommended to implement the following:

Implement Custom Error Pages: Create custom error pages that provide minimal information to users, avoiding the disclosure of sensitive details.

Log Errors Server-side: Log detailed error messages on the server side for internal debugging purposes, but ensure they are not displayed to end users.

Utilize Meaningful Error Codes: Use meaningful error codes or identifiers in the response headers to differentiate between different types of errors.

Implement Proper Exception Handling: Utilize try-catch blocks and implement appropriate exception handling to gracefully manage unexpected errors.

Conclusion

The current implementation of the Leaderboards page at https://leaderboards.hackerone.live/error lacks proper error handling, potentially exposing sensitive information. Implementing the recommended changes will enhance the security posture of the application and reduce the risk of information leakage.

Disclaimer

This report is provided for informational purposes only and does not imply any malicious intent towards the affected application. All testing was conducted in accordance with ethical hacking practices and in compliance with relevant laws and regulations.

h1_analyst_grace

HackerOne triage

posted a comment.

September 11, 2023, 10:50am UTC

Hi @dbms ,

Thank you for your submission. I hope you are well. Your report is currently being reviewed and the HackerOne triage team will get back to you once there is additional information to share.

Have a great day!

Kind regards, @h1_analyst_grace

h1_analyst_grace

HackerOne triage

closed the report and changed the status to Informative.

September 11, 2023, 10:50am UTC

Hello @dbms, I hope you are having a good day!

Thank you for reaching out to us. However, please note that for any scenario to be accepted as a practical security vulnerability, you need to demonstrate the security issue along with a working proof-of-concept. If you are able to leverage this behavior, then please provide a working POC that can be used to reproduce the issue and demonstrate a security impact upon other users, along with sufficient evidence, and we will review this report again.

Thank you for your understanding and have a wonderful day ahead!

Best, @h1_analyst_grace

dbms

posted a comment.

September 13, 2023, 8:08pm UTC

Wouldn’t that be out of scope tho?

dbms

posted a comment.

September 13, 2023, 8:10pm UTC

https://leaderboards.hackerone.live/image?url=https://hackathon-photos.hackerone-user-content.com/variants/2bps0fpcwwvru07dwle1otquufbe/beb8c6403fb8603722511774204d8e50c546517a79f43b8db2b144212f36fd61&width=600&format=webp

Application Error

Error: Event data could not be retrieved.
    at ty (functionsWorker-0.0557095893009143.js:6721:11)
    at async ry (functionsWorker-0.0557095893009143.js:6729:11)
    at async Fn (functionsWorker-0.0557095893009143.js:548:9)
    at async Promise.allSettled (index 1)
    at async um (functionsWorker-0.0557095893009143.js:1372:129)
    at async functionsWorker-0.0557095893009143.js:1480:294
    at async o (functionsWorker-0.0557095893009143.js:4912:22)
    at async functionsWorker-0.0557095893009143.js:4916:14
    at async next (functionsWorker-0.0557095893009143.js:7191:26)
    at async Object.fetch (functionsWorker-0.0557095893009143.js:7205:14)

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charSet="utf-8"/>
  <meta name="viewport" content="width=device-width,initial-scale=1,viewport-fit=cover"/>
  <title>Application Error!</title>
</head>
<body>
  <main style="font-family:system-ui, sans-serif;padding:2rem">
    <h1 style="font-size:24px">Application Error</h1>
    <pre style="padding:2rem;background:hsla(10, 50%, 50%, 0.1);color:red;overflow:auto">Error: Event data could not be retrieved.
    at ty (functionsWorker-0.0557095893009143.js:6721:11)
    at async ry (functionsWorker-0.0557095893009143.js:6729:11)
    at async Fn (functionsWorker-0.0557095893009143.js:548:9)
    at async Promise.allSettled (index 1)
    at async um (functionsWorker-0.0557095893009143.js:1372:129)
    at async functionsWorker-0.0557095893009143.js:1480:294
    at async o (functionsWorker-0.0557095893009143.js:4912:22)
    at async functionsWorker-0.0557095893009143.js:4916:14
    at async next (functionsWorker-0.0557095893009143.js:7191:26)
    at async Object.fetch (functionsWorker-0.0557095893009143.js:7205:14)</pre>
  </main>
  <script>
    console.log("💿 Hey developer👋. You can provide a way better UX than this when your app throws errors. Check out https://remix.run/guides/errors for more information.");
  </script>
</body>
</html>
```

dbms

posted a comment.

September 13, 2023, 8:11pm UTC

Video F2696517: PoC.webm 2.99 MiB


dbms

posted a comment.

September 13, 2023, 11:18pm UTC

Would love to hear back when you guys have time.

Check Network Requests:
Ensure that network requests (API calls, fetch requests, etc.) are being made correctly. Verify that the responses from the server are as expected.

Check Data Handling:
Verify that the data retrieved from the server is being processed correctly in your JavaScript code. Check for any data manipulation or transformation errors.

Error Handling:
Implement proper error handling in your JavaScript code to catch and handle scenarios where data retrieval fails.

Check Async Code:
Given that the error mentions async and await, ensure that your asynchronous code is structured correctly. Check for any unhandled Promise rejections.

Review Relevant Code Sections:
Go through the sections of your code mentioned in the stack trace (e.g., functionsWorker-0.0557095893009143.js:6721:11) and inspect the code for potential issues.

Logging and Debugging:
Add logging statements to relevant parts of your JavaScript code to track the flow of execution and identify the point where the error occurs. Use browser developer tools to inspect variables, track function calls, and debug asynchronous code.

Check for Server-Side Issues:
Ensure that the server is providing the correct data in response to client requests. Verify that the server-side code responsible for providing event data is functioning as expected.

Verify Function Signatures:
Check that the functions mentioned in the stack trace (e.g., ty, ry, Fn, etc.) are defined and used correctly.

Review External Dependencies:
If your code relies on external libraries or APIs, ensure that they are being used correctly and are up-to-date.

dbms

posted a comment.

September 17, 2023, 3:08am UTC

Any word on this?

dbms

posted a comment.

September 20, 2023, 12:27pm UTC

Still waiting to hear back

dbms

posted a comment.

September 25, 2023, 2:43pm UTC

Hello?
