The vulnerability existed on this particular server: https://staging.teststudio.netflix.com. I initially found this URL from googling around and slowly removing common words from the search results. The exact Google search looked something like this: "site:netflix.com -help -blog -openconnect -locale -dvd -ir -developer -support".
After locating the URL, I loaded up Burp Suite and started intercepting requests to see what was happening. I sent "OPTIONS / HTTP/1.0" to "https://staging.teststudio.netflix.com" and to my surprise it returned PUT and DELETE in the response as allowed HTTP methods, awesome!
I altered my request in Burp Suite and sent the following request to https://staging.teststudio.netflix.com:
(Just a quick note, I am aware that the alert message in the request is not the same as what is returned in the response in the screenshot below. These were initial screenshots I took as soon as I found the vulnerability. When I submitted it to Netflix, I changed the PoC slightly so it displayed a proper message :))
Great, it had created my file. Now if I navigated to https://staging.teststudio.netflix.com/vuln.html, I could see that my file was there and I could access it:
That is pretty much the vulnerability in a nutshell. To be honest it's hardly anything super exciting but I am still happy I was able to find the vulnerability. Also, I could have probably taken it further and got command execution (or something equally awesome) but I decided not to and just reported the vulnerability as it was.
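For defenders, the sequence described above (an OPTIONS probe, a PUT that succeeds, then a GET of the new file) leaves a recognisable trail in web server access logs. The following is an added example, not part of the original post: a small detector that assumes the common "combined" access log format and runs over constructed sample lines; the IP addresses, timestamps and the `analyze` and `Finding` names are illustrative assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in "combined" access log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "OPTIONS / HTTP/1.0" 200 0 "-" "-"
203.0.113.7 - - [12/Mar/2015:10:02:10 +0000] "PUT /vuln.html HTTP/1.1" 201 0 "-" "-"
203.0.113.7 - - [12/Mar/2015:10:02:30 +0000] "GET /vuln.html HTTP/1.1" 200 58 "-" "-"
198.51.100.4 - - [12/Mar/2015:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
198.51.100.9 - - [12/Mar/2015:10:04:00 +0000] "PUT /api/item HTTP/1.1" 405 0 "-" "-"
198.51.100.9 - - [12/Mar/2015:10:05:00 +0000] "DELETE /old.html HTTP/1.1" 204 0 "-" "-"
"""

# Captures: client address, HTTP method, request path, response status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
Finding = namedtuple("Finding", "kind client path detail")

def analyze(log_text):
    """Flag accepted write methods and later reads of files created via PUT."""
    findings, uploaded = [], {}  # uploaded maps path -> client that created it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, path, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        ok = 200 <= status < 300
        if method == "PUT" and ok:
            uploaded[path] = client
            findings.append(Finding("write-accepted", client, path, f"PUT -> {status}"))
        elif method == "DELETE" and ok:
            uploaded.pop(path, None)
            findings.append(Finding("delete-accepted", client, path, f"DELETE -> {status}"))
        elif method == "GET" and ok and path in uploaded:
            findings.append(Finding("uploaded-file-served", client, path,
                                    f"created by {uploaded[path]}"))
        elif method == "OPTIONS":
            # Low-signal on its own: CORS preflights also use OPTIONS.
            findings.append(Finding("method-probe", client, path, f"OPTIONS -> {status}"))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:22} {f.client:14} {f.path:12} {f.detail}")
```

A rejected PUT (the 405 in the sample) is deliberately not reported, since that is the response a server with write methods disabled should give.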
I contacted Netflix's security guys using this email address: security-report(at)netflix.com and the issue was fixed within a few weeks. As a reward for reporting this vulnerability, Netflix put my name on their Hall of Fame.
Thanks for reading.