© White Hack
A Whitehack Application Security Consultant has received another acknowledgment from Mozilla Corporation after reporting a cross-site scripting issue on a live reporting tool situated at crash-stats.mocotoolsstaging.net. This vulnerability could have enabled an attacker to hijack session details for staff and users of Mozilla should it be leveraged further.
Proof of concept:
$ curl -i -k "https://crash-stats.mocotoolsstaging.net/api/SuperSearch/?_columns=Bad Payload"
Response:
HTTP/1.1 400 BAD REQUEST
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Mon, 11 Apr 2016 14:02:19 GMT
Server: nginx/1.6.3
Set-Cookie: anoncsrf=vEoeM677uxldJowhZ4YXreUuW7R0i6Cy; expires=Mon, 11-Apr-2016 16:02:19 GMT; httponly; Max-Age=7200; Path=/; secure
Vary: Cookie
X-Frame-Options: DENY
Content-Length: 41
Connection: keep-alive
Unknown field "Bad Payload"
Fix:
https://github.com/mozilla/socorro/commit/da2a25bdea9d99f7338eb20b71e6475b3afa536b
Confirmed fixed:
$ curl -i -k "https://crash-stats.mocotoolsstaging.net/api/SuperSearch/?_columns=Bad Payload"
HTTP/1.1 400 BAD REQUEST
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8
Date: Thu, 14 Apr 2016 17:24:14 GMT
Server: nginx/1.6.3
Set-Cookie: anoncsrf=SQVv3et0IpysKgPW5o9YVkfjTUiAEfRT; expires=Thu, 14-Apr-2016 19:24:14 GMT; httponly; Max-Age=7200; Path=/; secure
Vary: Cookie
X-Frame-Options: DENY
Content-Length: 56
Connection: keep-alive
{"error": "Unknown field \"Bad Payload\""}
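The two responses above show the whole bug and the whole fix: the unknown field name was reflected verbatim into a text/html body, and the fix returns it inside a JSON body served as application/json. The following Python sketch is an added illustration of that pattern, not Socorro's code and not taken from the commit linked above; the field allowlist and function names are constructed for the example.

```python
import json

# Constructed stand-in for the set of fields SuperSearch accepts (assumption,
# not the real field list).
KNOWN_FIELDS = {"product", "version", "date", "signature"}


def error_response_before(field):
    """Vulnerable pattern: the caller-supplied name lands in an HTML body unescaped.

    Returns (content_type, body). Any markup in `field` would be rendered by a
    browser, which is what made the reflection exploitable.
    """
    body = 'Unknown field "%s"' % field
    return "text/html; charset=utf-8", body


def error_response_after(field):
    """Fixed pattern: JSON body under an application/json content type.

    The content type stops browsers rendering the body as a document; the extra
    \\u escapes for <, > and & keep the value inert even if a client later
    inlines the JSON into a page.
    """
    body = json.dumps({"error": 'Unknown field "%s"' % field})
    body = (body.replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))
    return "application/json; charset=UTF-8", body


def validate_columns(columns):
    """Check a comma-separated _columns value against the allowlist.

    Returns (ok, unknown_fields). Rejecting unknown names up front means the
    error path above only ever sees a value that is reported, never rendered.
    """
    requested = [c.strip() for c in columns.split(",") if c.strip()]
    unknown = [c for c in requested if c not in KNOWN_FIELDS]
    return (not unknown, unknown)
```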
Timeline:
Issue Reported: 2016-04-09 19:13:45 PDT
Issue Confirmed: 2016-04-11 06:58:35 PDT
Issue Fixed: 2016-04-14 10:26:11 PDT
Received $3000 USD: 2016-04-18 10:41:17 PDT