Thursday, 12 June 2014

Netflix Security Misconfiguration Vulnerability

In this blog post I will talk about how I found a security misconfiguration vulnerability on Netflix, more specifically a misconfiguration on their development server which left the PUT/DELETE methods enabled for external users.

The vulnerability existed on this particular server: https://staging.teststudio.netflix.com. I initially found this URL from googling around and slowly removing common words from the search results. The exact Google search looked something like this: "site:netflix.com -help -blog -openconnect -locale -dvd -ir -developer -support".

After locating the URL, I loaded up Burp Suite and started intercepting requests to see what was happening. I sent "OPTIONS / HTTP/1.0" to "https://staging.teststudio.netflix.com" and to my surprise it returned PUT and DELETE in the response as allowed HTTP methods, awesome!
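The OPTIONS check above is easy to turn into a routine audit for your own staging hosts. The following is an added example, not code from the original post: it sends OPTIONS, reads the Allow header and reports any unsafe methods it advertises, and runs against a constructed local stand-in server (the handler class and the `demo` helper are assumptions for the demonstration, not anything Netflix ran).

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods an anonymous client should not get on a content-serving host.
UNSAFE_METHODS = {"PUT", "DELETE", "PATCH", "TRACE", "CONNECT"}


def parse_allow_header(value):
    """Split an Allow header such as 'GET, POST, PUT' into upper-case tokens."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def unsafe_methods_advertised(url, timeout=5):
    """Send OPTIONS to url; return the unsafe methods its Allow header lists.
    An empty set only means none were advertised, not that they are disabled."""
    req = urllib.request.Request(url, method="OPTIONS")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        allow = resp.headers.get("Allow", "")
    return parse_allow_header(allow) & UNSAFE_METHODS


class _MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a dev server that advertises PUT and DELETE."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the throwaway server quiet


def demo():
    """Run the check against a throwaway local server and return its findings."""
    server = HTTPServer(("127.0.0.1", 0), _MisconfiguredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return unsafe_methods_advertised(f"http://127.0.0.1:{server.server_port}/")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("unsafe methods advertised:", sorted(demo()))  # ['DELETE', 'PUT']
```

A server that omits or misreports Allow will pass this check silently, so a finding is a reason to verify the method is actually rejected, and a clean result is not proof that it is.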

I altered my request in Burp Suite and sent the following request to https://staging.teststudio.netflix.com:

(Just a quick note, I am aware that the alert message in the request is not the same as what is returned in the response in the screenshot below. These were initial screenshots I took as soon as I found the vulnerability. When I submitted it to Netflix, I changed the PoC slightly so it displayed a proper message :))

Great, it had created my file. Now when I navigated to https://staging.teststudio.netflix.com/vuln.html, I could see that my file was there and I could access it:

Additionally, I could alter my Burp Suite request to delete the file as well:


That is pretty much the vulnerability in a nutshell. To be honest it's hardly anything super exciting but I am still happy I was able to find the vulnerability. Also, I could have probably taken it further and got command execution (or something equally awesome) but I decided not to and just reported the vulnerability as it was.

I contacted Netflix's security guys using this email address: security-report(at)netflix.com and the issue was fixed within a few weeks. As a reward for reporting this vulnerability, Netflix put my name on their Hall of Fame.

Thanks for reading.
