XS-Searching Google’s bug tracker to find out vulnerable source code by Luan Herrera
Mar 15, 2019
Monorail is an open-source issue tracker used by many “Chromium-orbiting” projects, including Monorail itself. Other projects include Angle, PDFium, Gerrit, V8, and the Alliance for Open Media. It is also used by Project Zero, Google’s 0-day bug-finding team.
This article is a detailed explanation of how I could have exploited Google’s Monorail issue tracker to leak sensitive information (vulnerable source code files and line numbers) from private bug reports through an XS-Search attack.
Where to start?
One of the first functionalities I looked into when analyzing Monorail was the ability to download the result of a certain search query as a CSV.
It didn’t take me long to notice that it was vulnerable to a CSRF attack. In other words, it was possible to force a user to download a CSV containing the results of a search query if a malicious link was accessed.
As seen in the image, there were no protections against CSRF attacks. So, for example,....
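As an added illustration (not Monorail’s code), the following Python models an issue-tracker CSV export the way the post describes it, with no CSRF defence, next to a hardened version that requires a per-session token and rejects requests the browser marks as cross-site; the request shape, session store and issue data are constructed assumptions.

```python
# Added example (not Monorail's code): a minimal model of an issue-tracker
# CSV-export endpoint, first as the post describes it (no CSRF defence) and
# then hardened. Request objects, sessions and issues are constructed here.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict
    cookies: dict
    headers: dict = field(default_factory=dict)


# Constructed data: one logged-in user whose session cookie value is "s1".
SESSIONS = {"s1": {"user": "alice", "csrf": secrets.token_urlsafe(16)}}
ISSUES = [
    {"id": 1, "summary": "Overflow in parser.cc:42", "owner": "alice"},
    {"id": 2, "summary": "Docs typo", "owner": "bob"},
]


def search_csv(query: str, user: str) -> str:
    """Render the issues this user may see that match the query as CSV."""
    rows = [i for i in ISSUES
            if i["owner"] == user and query.lower() in i["summary"].lower()]
    return "id,summary\n" + "\n".join(f'{i["id"]},{i["summary"]}' for i in rows)


def vulnerable_export(req: Request) -> tuple[int, str]:
    """Before: any request carrying the session cookie gets the CSV, so a link
    on an attacker-controlled page forces the download (the CSRF the post describes)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 403, ""
    return 200, search_csv(req.params.get("q", ""), sess["user"])


def hardened_export(req: Request) -> tuple[int, str]:
    """After: reject requests the browser labels cross-site (Sec-Fetch-Site) and
    require the per-session CSRF token, so a malicious link cannot trigger the export."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 403, ""
    if req.headers.get("Sec-Fetch-Site") in ("cross-site", "same-site"):
        return 403, ""  # navigation/fetch initiated by another origin
    if not hmac.compare_digest(req.params.get("token", ""), sess["csrf"]):
        return 403, ""  # token missing or wrong: not a request our own page built
    return 200, search_csv(req.params.get("q", ""), sess["user"])
```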