
Google Form Setting Bypass - Making My Way to Google's Hall of Fame!

Google!

Bug: Circumventing "Limit to 1 response" in Google Forms (Parameter Injection)

Discovered on: 30 November 2016. Research time: 2:00 p.m. to 9:30 p.m.



The setting "Limit to 1 response" means only one response per user. Once you have filled in the form, there is no way to edit the responses or fill in a new form.
If you open the form to fill it in again, the response looks like the image below.

There is no way to edit or fill in another form (Hurdle 1).
I created a test form and checked "Edit after submit".
Once this test form is filled in, I can change the previous response. I clicked on "Edit your response" and intercepted the request. I changed the form id and forwarded the request. I was able to see the form that was submitted.
When I edited the form and submitted it, a blank form was sent (Hurdle 2).
I analysed the requests for the test form, which is sent successfully after editing, and for the user's form, which goes out with empty fields.


A parameter in the URL was being deleted on the client side when the "SUBMIT" button was clicked for the user's form, deleting all the fields and sending the form. Google played it smartly!
URL: https://docs.google.com/forms/d/e/[form-id]/formResponse?edit2=[server generated-value]
The intercepted request for the user's form was:

POST /forms/d/e/[form-id]/formResponse HTTP/1.1
Host: docs.google.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://docs.google.com/forms/d/e/[form-id]/viewform?edit2={server generated value}&fbzx=[server generated value]
Cookie: ----
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 234
{message-body}


I appended "?edit2=[server generated value]" (the part that was being deleted) after formResponse in the URL of the request. I forwarded the request with the name changed and bypassed it. Like that, I could submit more than one form.
I submitted this bug and got a response from the security team the next day.
What I deduced from reading hackers' blogs was that if you get a response like "Your report is triaged..." or "Nice catch!..." the reward is sure. My expectations for the reward were so high that I couldn't sleep for 2 weeks. Every morning, as soon as I woke up, I would open my inbox.
On 14th December 2016, I got a mail from the Google Security Team. I was expecting there would be a "$" in it.
I was not completely happy with the response. I made my way to the Hall of Fame and got acknowledged by Google.
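As an added illustration (not Google's code, which is not public), here is a constructed Python model of a form backend with a "Limit to 1 response" setting: a weak mode that leaves the limit to the client and waves through any request carrying an edit token, beside a strict mode that enforces the limit from the server's own record of the authenticated user. The class, method names, users and tokens are all assumptions made up for the example.

```python
# Added example, not Google's code: a constructed model of a form backend with
# a "Limit to 1 response" setting. Weak mode mirrors the flaw described above
# (the limit is left to the client, and a request carrying an edit token is
# waved through); strict mode enforces the limit from the server's own record
# of the authenticated user. Users, fields and tokens here are all made up.
import secrets


class FormBackend:
    def __init__(self, limit_one=True, allow_edit=True, enforce_server_side=True):
        self.limit_one = limit_one
        self.allow_edit = allow_edit
        self.enforce_server_side = enforce_server_side
        self.responses = {}    # response_id -> (user, fields)
        self.by_user = {}      # user -> first response_id
        self.edit_tokens = {}  # edit2 token -> response_id

    def _create(self, user, fields):
        rid = secrets.token_hex(8)
        self.responses[rid] = (user, fields)
        self.by_user.setdefault(user, rid)
        token = secrets.token_urlsafe(16)   # the edit2 value handed back
        self.edit_tokens[token] = rid
        return "created", token

    def submit(self, user, fields, edit2=None):
        """Handle POST .../formResponse[?edit2=token] for an authenticated user."""
        if edit2 is not None:
            rid = self.edit_tokens.get(edit2)
            owned = rid is not None and self.responses[rid][0] == user
            if owned and self.allow_edit:
                self.responses[rid] = (user, fields)   # edit in place, no new row
                return "updated", None
            if not self.enforce_server_side:
                # Weak mode: the mere presence of the parameter is taken as
                # proof of a legitimate edit flow, so a fresh response is stored.
                return self._create(user, fields)
            return "rejected", "edit token not valid for this user"
        # No token: a new submission. Strict mode decides from server state,
        # not from whether the client happened to run its own check.
        if self.limit_one and self.enforce_server_side and user in self.by_user:
            return "rejected", "already responded"
        return self._create(user, fields)

    def count(self, user):
        """Number of stored responses for a user; strict mode never exceeds 1."""
        return sum(1 for u, _ in self.responses.values() if u == user)
```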
See: Google VRP Hall of Fame

Facebook

Bug 1: Disclosing the total number of friends a user has made.

In the first week of November 2016, I submitted this bug, which disclosed the number of friends a user had made to date regardless of privacy settings.

GET request URL: https://graph.facebook.com/{user-id}/friends

The security team responded that it is not a privacy issue, as it was disclosing only the "total_count"; they declared it not eligible for a reward and appreciated the report.

Bug 2: Insecure Direct Object Reference on "See Friendship" page.

I found this bug in the second week of November 2016, during exams, and reported it to Facebook. The "See Friendship" page is only available to two users who are friends, but I found that it works even for users who are not (though a user may not see "See friendship" on his/her ex-friend's profile). I was able to see and edit the posts that I had made on the wall of a user who was a friend at the time (privacy set to the user's friends). I got a reply after a couple of weeks.


After a few days I got a response from the Facebook Security team that it was not a valid bug, because this was intentional behaviour and a user can edit his/her posts that were made on an ex-friend's timeline.


