Wojciech

@woj_ciech

How to find internal subdomains? YQL, Yahoo! and bug bounty.

July 15th 2017

Introduction

When I’m looking for new target on Hackerone I’m always paying attention to numbers of resolved reports and wonder if higher number means, that you can find bugs easier than on program which has smaller amount of closed submissions. I wanted to try this on myself so I picked Yahoo!, first position of resolved reports on HackerOne — 3613.

Recognition

We all know that Yahoo! is massive international company so I expected a lot of subdomains, paths and redirections, but where to start? My favorite tools for enumerating/bruteforcing subdomains are: Sublister — best of the best (https://github.com/aboul3la/Sublist3r) and Fierce (https://github.com/davidpepper/fierce-domain-scanner). I was hoping to find forgotten, misconfigured or running old software subdomain. Subliste3r gave me over 9000 subdomains, how to check them all?

Semi-automatic searching

Of these nine thousand subdomains there must be at least one vulnerable. I believe is hard to remember about everything in that large company. When Sublist3r did his job, I opened results and manually deleted useless and repetitive subdomains, which were not resolved or weren’t responding. Of course I did not check it one by one but still around 7000 subdomains left.
Let’s make a quick scan, this should help to sort it out. For this purpuose I used Nmap with output to XML because it is easier to parse.

nmap -sS -p80,443 -iL nmap_input.txt -oX nmap_output

Example XML output from Nmap:

<hostnames>
<hostname name=”start.producersdesktop.yahoo.com” type=”user”/>
<hostname name=”proxy.publish.bf1.yahoo.com” type=”PTR”/>
</hostnames>
<ports><port protocol=”tcp” portid=”80"><state state=”closed” reason=”reset” reason_ttl=”42"/><service name=”http” method=”table” conf=”3"/></port>
</ports>
<times srtt=”148262" rttvar=”148262" to=”741310"/>
</host>

We can only scan open ports by adding — open to nmap command. For me, most useful parameters were “state” and “hostname name”. I believe “hostname name” is DNS, in my case sometimes there was address of my ISP, so I knew this site is not resolved. On this basis we can throw out another couple hundreds subdomains. I wrote a script, which deletes xml entry according to hostname’s name and saves it as another XML.

import xmltree
def removeHostname():
for host in root.iter('host'):
for elem in host.iter():
if 'name' in elem.attrib and elem.attrib['name'] == 'ISP_redir_site':
root.remove(host)
tree.write('output.xml')

OK, so now we have all subdomains with open port 80. We can scan nmap them for HTML title ( — script http-title) and again removes those with similar titles.
Yahoo! has websites in different languages, for example: ru.search.yahoo.com, br.search.yahoo.com, de.stars.yahoo.com etc, it’s next step to reject significant amout of subdomains. At the end I had about 700 potentially vulnerable subdomains.

Boring research

This is the time to check what’s left. I couldn’t figure out how to find next common points between other subdomains, so I checked them manually. After a while, I saw similarity and repeatability in some subdomains, so it was easier than I thought. In this way I found open YQL internal console at http://yvap.query.yahoo.com/. Further exploration revealed testing Beaker instance at http://ygh-app.media.yahoo.com/.

YQL (Yahoo! Query Language) internal console
Beaker

Going deeper

I could not find anything interesting besides javascript code at http://yvap.query.yahoo.com/v1/test/js/console_ajax.js. There were more than one internal consoles but others were closed, at least it looked like.

Locked internal YQL console

Example query for YQL is https://query.yahooapis.com/v1/public/yql?q=show%20tables&diagnostics=true, so I tried this method for rest of locked consoles. It means that main panel of internal console is closed, but you still can submit queries through url. I enumerated all of them and checked one by one. Command “show tables” worked on most of them, so I was trying to go even deeper but after I reported it, it turned out it is publicly accessible and even should be.

Command “show tables” on one of locked YQL console

At http://ygh-app.media.yahoo.com/ I found testing Beaker website, to be honest I’ve never had to deal with Beaker but after quick reconnaissance, I found another information disclosure.

Summary

I know this is not revolutionary method and for sure may be faster, more precise and of course less time-consuming, but still wanted to share with you this approach. Couple weeks ago I found tool called Aquatone, which has everything in one.

Let me know if you use any other tools for reconnaissance.

Thanks @junot and @ftsqrl from Yahoo! team.

Cheers!

Timeline

May 10th — Report was sent to HackerOne

May 11th — Response from Yahoo! that YQL console issue has already been reported but second one is new.

May 12th — I presented issue with possibility to make queries to internal YQL consoles.

May 18th — Answer that this is intended behavior.

Jun 2nd — Bounty awarded.

More by Wojciech

More Related Stories