OOB SSRF in User Profile Update
Risk: High
Endpoint: PATCH /api/v1/user
Affected Parameter: avatar_url
Request Example:
{
  "facets": {
    "has_edited_notes": "[REDACTED]",
    "has_captured_meeting": "[REDACTED]"
  },
  "email": "[REDACTED]",
  "avatar_url": "http://attacker-owned-site.com/image.jpg"
}
Description: The avatar_url parameter of the /api/v1/user endpoint is vulnerable to an out-of-band Server-Side Request Forgery (SSRF) attack. By supplying an arbitrary URL in this parameter, a malicious actor can make the application server issue requests to attacker-controlled external hosts. Because those requests originate from the server itself, they bypass the Cloudflare protection layer and reveal the origin server's real IP addresses, which were found to be 89.39.106.191 and 89.39.106.222. This leak poses a significant risk, as it exposes the server to direct attacks that bypass any CDN or WAF protections.
The risk associated with this vulnerability is high, considering the potential for IP address disclosure and the subsequent targeted attacks against the server infrastructure.
Implement strict input validation on the avatar_url field to ensure that only legitimate URLs are accepted.
Employ a server-side URL parser that validates and sanitizes external URLs.
Configure network-level controls to restrict outbound requests to trusted domains and IPs only.
Lack of Email Validation in User Profile Update
Risk: Low
Endpoint: PATCH /api/v1/user
Affected Parameter: email
Request Example:
{
  "email": "[email protected]",
  "avatar_url": "[REDACTED]"
}
Description: The email parameter in the /api/v1/user endpoint is not subject to adequate validation checks. This oversight allows a malicious actor to change the email address associated with a user account to any email, including those belonging to other legitimate users. Consequently, real users with such emails might be unable to sign up or access their accounts, leading to confusion and potential disruption in user experience.
While this vulnerability poses a lower immediate security risk than a data breach or account takeover, it can significantly affect the scalability of, and user trust in, supernormal.com. It is important to address it to maintain the integrity of user accounts and the overall reliability of the service.
Introduce strict validation for the email field, ensuring that the new email is not already in use by another account.
Implement a confirmation process for email changes, where users must verify ownership of the new email address via a confirmation link.
Apply rate limits to how frequently an email address can be changed to prevent misuse of this feature.
SMTP Smuggling via Email Parameter
Risk: High
Endpoint: POST /api/v1/auth/email
Affected Parameter: email
Request Example:
{
  "email": "[PAYLOAD]"
}
Description: The SMTP Smuggling vulnerability discovered in the /api/v1/auth/email endpoint permits attackers to send spoofed emails that appear to originate from supernormal.com addresses (e.g., [email protected]). By submitting specially crafted email addresses, an attacker can manipulate the SMTP exchange the server uses to deliver mail. This vulnerability is particularly concerning because it enables the dissemination of fraudulent emails, potentially leading to phishing scams, misinformation, and significant reputational damage for supernormal.com.
This vulnerability carries a high risk due to its potential impact on email authenticity and organizational reputation. The ability for an external entity to send emails that appear to be from supernormal.com can lead to a range of adverse outcomes, including user deception, data breaches through phishing, and erosion of trust in the platform.
Implement a validation rule that disallows the use of any email addresses containing '@supernormal.com' unless they are verified as part of an internal process.
Implement strict input validation and sanitization for the email parameter to prevent SMTP command injection.
Use a dedicated email service or library that is designed to prevent SMTP injection attacks.
Implement DMARC, SPF, and DKIM email authentication protocols to help prevent email spoofing.
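Validation and change-confirmation logic for the email parameter, as an added Python example that is not part of the original report or of supernormal.com's code. It covers the uniqueness and confirmation checks recommended for the profile-update finding above and the control-character and internal-domain checks recommended for the SMTP smuggling finding. The internal domain constant and the in-memory user store are assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "supernormal.com"  # assumption: the service's own mail domain
# Conservative address shape: one local part, one '@', a dotted host name.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_email_param(email) -> str:
    """Return the normalised address, or raise ValueError for anything unsafe."""
    if not isinstance(email, str) or len(email) > 254:
        raise ValueError("email missing or too long")
    # CR, LF, NUL, spaces and non-ASCII carry SMTP line injection; reject them first.
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in email):
        raise ValueError("email contains control, space or non-ASCII characters")
    if not _EMAIL_RE.fullmatch(email):
        raise ValueError("email is not well formed")
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        raise ValueError("addresses under the internal domain are not accepted")
    return f"{local}@{domain}"


@dataclass
class UserStore:
    """Constructed in-memory stand-in for the user table, not the real service."""
    emails: dict = field(default_factory=dict)   # user_id -> confirmed address
    pending: dict = field(default_factory=dict)  # token -> (user_id, new address)

    def _taken(self, email) -> bool:
        return email.lower() in {e.lower() for e in self.emails.values()}

    def request_email_change(self, user_id, new_email):
        # Returns a one-time token to mail to new_email, or None if it is taken;
        # answer the HTTP request identically in both cases (no enumeration).
        new_email = validate_email_param(new_email)
        if self._taken(new_email):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user_id, new_email)
        return token

    def confirm_email_change(self, token):
        # Single-use token; uniqueness is re-checked in case the address was
        # claimed while the confirmation was pending.
        user_id, new_email = self.pending.pop(token, (None, None))
        if user_id is None or self._taken(new_email):
            return None
        self.emails[user_id] = new_email
        return new_email
```

The account's address only changes once the token delivered to the new mailbox is presented back, so a change request alone can never lock a legitimate owner out of their address.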
Stored XSS via Avatar URL in User Profile Update
Risk: Critical
Endpoint: PATCH /api/v1/user
Affected Parameter: avatar_url
Request Example:
{
  "avatar_url": "http://[REDACTED_WEBSITE]/inject.js"
}
Description: A critical Stored Cross-Site Scripting (XSS) vulnerability exists in the avatar_url parameter of the /api/v1/user endpoint. This flaw allows attackers to inject malicious JavaScript code via a crafted URL. When a profile with this URL is viewed, the JavaScript is executed in the viewer's browser. This poses a significant threat as it could lead to the exfiltration of session cookies or other sensitive information, particularly if an administrator views the compromised profile.
Rated as critical, this vulnerability poses a severe threat to data confidentiality and integrity. Successful exploitation can lead to unauthorized access to privileged accounts and sensitive data, potentially resulting in extensive security breaches.
Apply strict input sanitization on the avatar_url field, ensuring that only valid image URLs are processed.
Implement Content Security Policy (CSP) headers to prevent the execution of inline scripts and restrict the sources of executable content.
Use output encoding when rendering user-supplied content to prevent script execution in the browser.
Implement a whitelist of allowed domains for avatar URLs to prevent linking to potentially malicious external resources.
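Server-side handling of avatar_url, as an added Python example that is not part of the original report or of supernormal.com's code. It covers both avatar_url findings above (the out-of-band SSRF and the stored XSS): an https-only, allow-listed validator with a public-address DNS check, an example CSP, and output encoding at render time. The allowed hosts, the CSP value and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from html import escape
from urllib.parse import urlsplit

# Assumption (constructed for this example): the only hosts avatars may be served
# from, i.e. the "whitelist of allowed domains" the report recommends.
ALLOWED_AVATAR_HOSTS = {"cdn.example.org", "images.example.org"}
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".webp")
# Example CSP to send with pages that render avatars: images only from the CDN,
# no inline scripts, so a stored value that slips through cannot execute.
CONTENT_SECURITY_POLICY = ("default-src 'self'; script-src 'self'; "
                           "img-src 'self' https://cdn.example.org https://images.example.org")


def validate_avatar_url(url, resolve=socket.getaddrinfo) -> str:
    """Return the canonical avatar URL or raise ValueError.

    Rejects non-https schemes (javascript:, data:, http:), embedded
    credentials, hosts outside the allow-list and non-image paths. `resolve`
    is injectable so the DNS check can be exercised offline.
    """
    if not isinstance(url, str) or len(url) > 2048:
        raise ValueError("avatar_url missing or too long")
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in url):
        raise ValueError("avatar_url contains control or non-ASCII characters")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https avatar URLs are accepted")
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("credentials or non-standard ports are not accepted")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_AVATAR_HOSTS:
        raise ValueError("avatar host is not on the allow-list")
    if not parts.path.lower().endswith(IMAGE_SUFFIXES):
        raise ValueError("avatar path is not an image")
    # Even an allow-listed name must resolve only to public addresses, so a
    # hijacked or wildcard DNS record cannot turn the server-side fetch inward.
    addrs = {info[4][0] for info in resolve(host, 443)}
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        raise ValueError("avatar host resolves to a non-public address")
    return f"https://{host}{parts.path}"  # query and fragment are dropped


def render_avatar_tag(url: str) -> str:
    """Output-encode at render time so a stored value can never become markup."""
    return f'<img src="{escape(url, quote=True)}" alt="avatar">'
```

Pair the validator with egress controls on the server's network (outbound allowed only to the avatar hosts) so that a validation bypass still cannot reach internal or arbitrary external addresses.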