jubobs · February 18, 2019 23:36 · Feb 18, 2019 · Jan 25, 2019 · Jan 25, 2019 · Jan 25, 2019
diff --git a/teamwork-2019-01-18a.md b/teamwork-2019-01-18a.md
@@ -4,7 +4,9 @@ Researcher name: Julien Cretel
 
 Researcher email: [email protected]
 
-Date: 18/01/2019
+Report date: 18/01/2019
+
+Status: fixed (18/01/2019)
 
 ## Vulnerability
 

diff --git a/teamwork-2019-01-18a.md b/teamwork-2019-01-18a.md
@@ -4,7 +4,7 @@ Researcher name: Julien Cretel
 
 Researcher email: [email protected]
 
-Date: 18/01/2018
+Date: 18/01/2019
 
 ## Vulnerability
 

diff --git a/teamwork-2018-01-18a.md → teamwork-2019-01-18a.md b/teamwork-2018-01-18a.md → teamwork-2019-01-18a.md
@@ -1,4 +1,4 @@
-Report ID: teamwork-2018-01-18a
+Report ID: teamwork-2019-01-18a
 
 Researcher name: Julien Cretel
 

diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -19,7 +19,7 @@ phishing attacks against (possibly high-value) Teamwork users in order to
   * steal their Teamwork credentials;
   * install malware on their machines.
 
-## Attack scenario: stealing Teamwork credentials
+## Example attack scenario: stealing Teamwork credentials
 
 1. The attacker designs a malicious website to look like the Teamwork Projects login page,
   and serves it at `https://attacker-controlled-site.com`.

diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -38,7 +38,7 @@ phishing attacks against (possibly high-value) Teamwork users in order to
 
 ## Mitigation
 
-[OWASP's cheat sheet dedicated to this type of vulnerability][OWASP-unvalidated] provides some guidance.
+[OWASP's cheat sheet dedicated to this type of vulnerability][OWASP-cheat-sheet] provides some guidance.
 
 ## Resources
 

diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -38,8 +38,14 @@ phishing attacks against (possibly high-value) Teamwork users in order to
 
 ## Mitigation
 
-[OWASP's page dedicated to this type of vulnerability][OWASP-unvalidated] provides some guidance.
+[OWASP's cheat sheet dedicated to this type of vulnerability][OWASP-unvalidated] provides some guidance.
+
+## Resources
+
+* [Unvalidated Redirects and Forwards Cheat Sheet (OWASP)][OWASP-cheat-sheet]
+* [Top 10 2013-A10-Unvalidated Redirects and Forwards][OWASP-open-redirect]
+* [Video of proof-of-concept attack][poc-video]
 
-[OWASP-unvalidated]: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
+[OWASP-cheat-sheet]: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
 [OWASP-open-redirect]: https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
 [poc-video]: https://www.youtube.com/watch?v=_NXHXn3PccE
diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -21,10 +21,10 @@ phishing attacks against (possibly high-value) Teamwork users in order to
 
 ## Attack scenario: stealing Teamwork credentials
 
-1. The attacker designs a malicious website designed to look like the Teamwork Projects login page, and serves it at
-`https://attacker-controlled-site.com`.
+1. The attacker designs a malicious website to look like the Teamwork Projects login page,
+  and serves it at `https://attacker-controlled-site.com`.
   Note: the attacker may use a domain name more similar to `teamwork.com` (e.g. `tearnwork.com`).
-2.. The attacker performs some reconnaissance on Teamwork users and acquires some high-impact targets.
+2. The attacker performs some reconnaissance on Teamwork users and acquires some high-impact targets.
   Some "misfeatures" of the Teamwork Web app make this relatively easy (more details about this available on demand).
 3. The attacker shares the following crafted URL `https://www.teamwork.com/welcome?code=https://attacker-controlled-site.com`
   with the victim, either by email or from within one of the Teamwork products.

diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -16,7 +16,7 @@ where the value of query parameter `code` doesn't seem to be validated in any wa
 
 This vulnerability can be exploited by attackers to mount
 phishing attacks against (possibly high-value) Teamwork users in order to
-  * steal their Teamwork credentials.
+  * steal their Teamwork credentials;
   * install malware on their machines.
 
 ## Attack scenario: stealing Teamwork credentials

diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -8,7 +8,7 @@ Date: 18/01/2018
 
 ## Vulnerability
 
-I've found an [*open-redirect vulnerability*][OWASP-open-redirect] on teamwork.com.
+I've found an [*open-redirect vulnerability*][OWASP-open-redirect] on https://www.teamwork.com.
 The endpoint of interest is `https://www.teamwork.com/welcome`,
 where the value of query parameter `code` doesn't seem to be validated in any way.
 

diff --git a/teamwork-2018-01-18a.md b/teamwork-2018-01-18a.md
@@ -1,6 +1,9 @@
 Report ID: teamwork-2018-01-18a
+
 Researcher name: Julien Cretel
+
 Researcher email: [email protected]
+
 Date: 18/01/2018
 
 ## Vulnerability

diff --git a/gistfile1.txt → teamwork-2018-01-18a.md b/gistfile1.txt → teamwork-2018-01-18a.md
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,42 @@
+Report ID: teamwork-2018-01-18a
+Researcher name: Julien Cretel
+Researcher email: [email protected]
+Date: 18/01/2018
+
+## Vulnerability
+
+I've found an [*open-redirect vulnerability*][OWASP-open-redirect] on teamwork.com.
+The endpoint of interest is `https://www.teamwork.com/welcome`,
+where the value of query parameter `code` doesn't seem to be validated in any way.
+
+## Risks & threats
+
+This vulnerability can be exploited by attackers to mount
+phishing attacks against (possibly high-value) Teamwork users in order to
+  * steal their Teamwork credentials.
+  * install malware on their machines.
+
+## Attack scenario: stealing Teamwork credentials
+
+1. The attacker designs a malicious website designed to look like the Teamwork Projects login page, and serves it at
+`https://attacker-controlled-site.com`.
+  Note: the attacker may use a domain name more similar to `teamwork.com` (e.g. `tearnwork.com`).
+2.. The attacker performs some reconnaissance on Teamwork users and acquires some high-impact targets.
+  Some "misfeatures" of the Teamwork Web app make this relatively easy (more details about this available on demand).
+3. The attacker shares the following crafted URL `https://www.teamwork.com/welcome?code=https://attacker-controlled-site.com`
+  with the victim, either by email or from within one of the Teamwork products.
+  Note: the attacker may hex-encode the query parameter in order to obfuscate it.
+4. The victim follows the link.
+5. The victim clicks the _Go to Projects_ button, and immediately gets redirected to
+  `https://attacker-controlled-site.com`, which looks like the Teamwork login form.
+6. The victim fills the login form and submits it, thereby handing over her Teamwork credentials to the attacker.
+
+[This (unlisted) video][poc-video] illustrates such an attack.
+
+## Mitigation
+
+[OWASP's page dedicated to this type of vulnerability][OWASP-unvalidated] provides some guidance.
+
+[OWASP-unvalidated]: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
+[OWASP-open-redirect]: https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards
+[poc-video]: https://www.youtube.com/watch?v=_NXHXn3PccE
No results found