Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[hackerone] wayback machine URL parameter bypass #15197

Closed
diracdeltas opened this issue Apr 8, 2021 · 1 comment · Fixed by brave/brave-core#8487
Closed

[hackerone] wayback machine URL parameter bypass #15197

diracdeltas opened this issue Apr 8, 2021 · 1 comment · Fixed by brave/brave-core#8487
Assignees
@simonhong
Labels
OS/Desktop QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/exclude security
Milestone
1.25.x - Release

Comments

@diracdeltas
Copy link
Member

see Slack or https://hackerone.com/reports/1157892 for details.
simonhong added a commit to brave/brave-core that referenced this issue Apr 9, 2021
@simonhong
Invalidate encoded callback and timestamp key strings from wayback url
cc60962 
fix brave/brave-browser#15197

Deleted timestamp/callback key/values from querys instead of set empty value.
@simonhong simonhong mentioned this issue Apr 9, 2021
Merged
24 tasks
@simonhong simonhong added this to the 1.25.x - Nightly milestone Apr 9, 2021
@stephendonner
Copy link

stephendonner commented Apr 12, 2021
edited by GeetaSarvadnya
Loading

Verified PASSED using nightly with the test plan from brave/brave-core#8487, build used was

Brave 1.25.11 Chromium: 90.0.4430.61 (Official Build) nightly (x86_64)
Revision dced74d4124b26b14126b611853d33512b60c7b6-refs/branch-heads/4430@{#1115}
OS macOS Version 11.2.3 (Build 20D91)

Steps:

  1. loaded https://brave.com/hackerone/?lkasjdf=asldjflakjsf&%63allback=%7B%22archived_snapshots%22%3A%7B%22closest%22%3A%7B%22url%22%3A%22https%3A%2F%2Fexample.com%2Ffavicon.ico%22%7D%7D%7D%2F%2F
  2. clicked on Check for saved version orange button
  3. confirmed I remained on the same URL as in step 1

Screen Shot 2021-04-12 at 4 40 44 PM

Screen Shot 2021-04-12 at 4 40 50 PM

Verification passed on

Brave 1.25.59 Chromium: 90.0.4430.212 (Official Build) beta (64-bit)
Revision e3cd97fc771b893b7fd1879196d1215b622c2bed-refs/branch-heads/4430@{#1429}
OS Ubuntu 18.04 LTS

Verified test plan from brave/brave-core#8487.
Verified that there was no redirection to https://example.com/favicon.ico

image

Verification passed on

Brave | 1.25.60 Chromium: 90.0.4430.212 (Official Build) beta (64-bit)
-- | --
Revision | e3cd97fc771b893b7fd1879196d1215b622c2bed-refs/branch-heads/4430@{#1429}
OS | Windows 10 OS Version 2004 (Build 19041.985)

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@simonhong simonhong

Labels
OS/Desktop QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/exclude security
Projects
None yet
Milestone
1.25.x - Release
Development

Successfully merging a pull request may close this issue.

Invalidate encoded callback and timestamp key strings from wayback url brave/brave-core
6 participants
@stephendonner @diracdeltas @simonhong @LaurenWags @btlechowski @GeetaSarvadnya