Yelp Deconstruction 2

Yelp uses its own flavor of GraphQL with a UI site generator called CHAOS. GraphQL is open to denial-of-service attacks with long queries, but Yelp does not reward DoS findings and asks that bug bounty hunters do not flood the API with them. They use batch queries to the API with cryptic-looking large cookies that detail the user's location by coordinates. The cookies are large and in a key-value format.

They use DataDome against bots, so the web application firewall picks up whether a proxy is being used and denies access to the website depending on whether you use the Burp Suite Chromium browser. I have only come across loading issues when proxying through Firefox and have not been denied.

Yelp uses the cookielaw CDN and also has its own Yelp CDN, which means there could be caching vulnerabilities such as web cache deception or web cache poisoning, the kind of attacks that are hard to produce but which I should research further. Because they have their own CDN, it might still be in scope of the bug bounty program? They also use Fastly as a CDN, but Fastly is out of scope, being a third party.

One API endpoint is https://api.yelp.com/v3; I tried fuzzing the API with ffuf but did not get any hits that returned 200. https://api.yelp.com/v3/graphql is the GraphQL API endpoint. I tried different versions in Repeater but nothing came back, having tried to find an easy win. I tried to simply replace a user id with another user id, but it was unfruitful, again trying for an easy win. To do that I used a different tab container and a temporary email to sign up a different user, but nothing came of it. It is a good way to find IDORs: sign up different accounts and see if you can access another user's account, a form of broken access control. There are multiple different ids like bsi and wdi, each with its own encoding, which is what I tried switching between different users. I was able to get it to work once, but it was not evident that it was an exploitable bug.
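As an added example (not Yelp's code; the thresholds and function names are assumed), a defensive request guard for a GraphQL endpoint that refuses the over-long and deeply nested queries and oversized batches mentioned above before they reach the resolvers:

```python
# Added guard for a GraphQL endpoint: refuse over-long, deeply nested or
# oversized batched requests before resolvers run. Thresholds are illustrative.
MAX_DEPTH, MAX_LENGTH, MAX_BATCH = 6, 4000, 10

def query_depth(query: str) -> int:
    """Deepest selection-set nesting; braces inside strings and # comments are ignored."""
    depth = max_depth = 0
    in_string = in_comment = escaped = False
    for ch in query:
        if in_comment:
            in_comment = ch != "\n"
        elif in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':  # simplification: block strings with embedded quotes are not handled
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":
            in_comment = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth

def check_request(body, max_depth=MAX_DEPTH, max_len=MAX_LENGTH, max_batch=MAX_BATCH):
    """Validate a parsed JSON body (one operation dict or a batch list); return (accepted, reason)."""
    ops = body if isinstance(body, list) else [body]
    if len(ops) > max_batch:
        return False, f"batch of {len(ops)} operations exceeds {max_batch}"
    for i, op in enumerate(ops):
        query = op.get("query", "") if isinstance(op, dict) else ""
        if len(query) > max_len:
            return False, f"operation {i}: length {len(query)} exceeds {max_len}"
        depth = query_depth(query)
        if depth > max_depth:
            return False, f"operation {i}: depth {depth} exceeds {max_depth}"
    return True, "ok"

# Constructed samples: a plausible business lookup (depth 4) and an artificially
# nested query (depth 12) of the kind a depth limit is meant to stop.
SAMPLE_QUERY = '{ business(id: "x") { name reviews { text user { name } } } }'
NESTED_QUERY = "{ a " * 12 + "}" * 12
```

Running `check_request` on the two samples accepts the first and rejects the second with a depth reason; a list of twenty copies of the first is rejected on batch size.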
Yelp is partnered with DoorDash for deliveries, though there is no payment functionality and you are directed off site to DoorDash. uWSGI is the web server used behind the scenes. They use a Python framework called Pyramid. I tried to find a uWSGI CVE, but there were only old CVEs, or they did not apply because Apache has something called uwsgi which is not the same web server as uWSGI. I dug through the Yelp Engineering blog and found their home-made template engine called yelp_cheetah (https://github.com/Yelp/yelp_cheetah). Would this be vulnerable to server-side template injection (SSTI) like other templating engines? I have only a tentative grasp of SSTI, so I do not know. But the source code is on GitHub.
