Ethical Vulnerability Disclosure - HackerRank

Veer Dedhia

2020-01-22

Veer Dedhia is an instructor at Fullstack Academy's Cyber Bootcamp in NYC.

----

Overview

Over 10 days in October 2019, the Fullstack Cyber Bootcamp team found a stored XSS vulnerability in HackerRank that would allow a test-taker to exploit a test administrator. The vulnerability was disclosed to HackerRank support, and very promptly fixed (props to the HackerRank engineering team).

Background

HackerRank
HackerRank is a platform for creating assessments, primarily for hiring programmers. It’s widely used by companies as a standard way to compare candidates. Worth noting is that the test administrators are from the hiring company (recruiters or HR, for example), who are customers of HackerRank. Test takers are the candidates, who are outside and untrusted actors.

XSS
Cross-Site Scripting is a type of client-side web attack, where attacker-controlled code executes in the context of the victim’s browser. This type of vulnerability is consistently in the OWASP Top Ten list of web security issues.

Generally, XSS allows code execution on a remote victim’s device. The key issue is that the attacker’s code runs with access to the data the victim’s browser holds for that website. Those website resources may include cookies, saved passwords, and other private data. Cookies are often a juicy target, because websites use cookies as login tokens. An attacker can use a stolen cookie to log in to a website as the victim.

For example, you can use my cookies from my cheesy blog (see below) to log into my account without knowing my password. Here's how:

  1. Navigate to Gruyere. Click “Agree and Start” to launch the vulnerable application. Copy the URL and send it to a friend. It will look like: https://google-gruyere.appspot.com/123456/
  2. “Sign up” for a user account with a dummy password.
  3. Open the Developer Tools in your browser.
  4. Copy your cookies using the following JavaScript command in the Developer Tools > console: console.log(document.cookie);. You should see something like: "GRUYERE=84673500|fullstack||author;" (it’s ok if there is more).
  5. Pass that string over to your friend, and have them set their cookies using this JavaScript: document.cookie = "PUT_COOKIES_HERE".
  6. Refresh the page, and check the username.

Stored XSS
Stored XSS is a form of cross-site scripting, where the attacker’s code is sent to the web server first, and waits there for the victim to trigger it. Upon navigating to the vulnerable webpage, the victim’s browser runs the attacker’s code, as if that code came from the website itself. Again, the code has access to cookies and other data.

Attack Demo

We found a stored XSS vulnerability in HackerRank, where a malicious test taker (job applicant) could send code to the server. That attacker code would later be viewed by the test administrator (recruiter), and the browser would execute the attacker’s code. Here’s a video where we demonstrate the full attack chain.

  1. We start as the Test Administrator, creating a new test for our job posting.
  2. We then invite a Job Applicant to take the test.
  3. The malicious Job Applicant enters some JavaScript code into the answers.
  4. Later, when the Test Administrator sees the completed test, the code executes!


Details
This vulnerability affected “Fill-in-the-Blank” style questions in HackerRank. Sanitization of the user-submitted answers was inconsistent with other question types, which allowed the attacker to inject arbitrary HTML (including <script> tags). The HTML would render when the test administrator viewed the detailed answers, which would be routine when evaluating test results.

HackerRank quickly acknowledged and patched this vulnerability, encoding the user input such that it would render as plain-text for the test administrator. We were able to independently confirm this patch using the same demonstration as above.

  1. Attack requirements: any test with a “Fill in the Blank” question. Administrator sends the test invitation to the attacker.
  2. Attacker answers the question with <script> tags and any attacker-controlled JavaScript. Attacker submits the test.
  3. Administrator views the “Detailed” answers submitted by the attacker.
  4. Attacker-controlled JavaScript runs in the context of the Administrator’s browser, with their cookies and sessions. Authentication cookies may be stolen.
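To make the defect and the fix concrete, here is an added example (not HackerRank's code; the function and template names are hypothetical) that renders a submitted answer into an administrator's "Detailed answers" row the two ways described above: concatenated as raw HTML, and entity-encoded so it displays as plain text. It also includes the kind of regression check a review template test could run to catch unencoded user markup.

```javascript
// Map each HTML-significant character to its entity so the browser treats
// the answer as text, never as markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable rendering (hypothetical): the answer is concatenated straight
// into the page, so any <script> in it executes in the administrator's browser.
function renderAnswerVulnerable(question, answer) {
  return `<tr><td>${escapeHtml(question)}</td><td>${answer}</td></tr>`;
}

// Hardened rendering: the same row, with the answer entity-encoded so the
// administrator sees it verbatim as text, which is what the patch did.
function renderAnswerHardened(question, answer) {
  return `<tr><td>${escapeHtml(question)}</td><td>${escapeHtml(answer)}</td></tr>`;
}

// Regression check: strip the tags the template itself emits (the allowlist);
// any tag left over must have come from user input unencoded.
const TEMPLATE_TAGS = /<\/?(?:tr|td)>/g;
function hasUnexpectedMarkup(html) {
  return /<[a-zA-Z!\/]/.test(html.replace(TEMPLATE_TAGS, ''));
}

// Constructed sample input: a fill-in-the-blank question and an answer that
// contains a harmless script tag standing in for attacker-controlled input.
const QUESTION = 'Complete the line: print(___)';
const CONSTRUCTED_ANSWER = "<script>alert('constructed')</script>";

console.log('vulnerable leaks markup:', hasUnexpectedMarkup(renderAnswerVulnerable(QUESTION, CONSTRUCTED_ANSWER)));
console.log('hardened leaks markup:  ', hasUnexpectedMarkup(renderAnswerHardened(QUESTION, CONSTRUCTED_ANSWER)));
console.log(renderAnswerHardened(QUESTION, CONSTRUCTED_ANSWER));
```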

Disclosure Timeline

  • 2019-10-20: Vulnerability discovered in HackerRank site.
  • 2019-10-22: First disclosure to HackerRank via support form.
  • 2019-10-23 - 2019-10-24: Attack details and demo video sent to the support and engineering teams at HackerRank.
  • 2019-10-25: Acknowledgement of vulnerability from the CTO & Co-founder, Harishankaran.
  • 2019-10-30: HackerRank fixes this vulnerability and gives permission to publish.
