OffSec Update (19 - 23 Oct 2020)

Progress

Collaboration

Filled EISA sheet for our team

Issues Reported

Bypass for patch intended to fix SECURITY-584 (CVE-2020-5284 - Traveloka Web (www) - Directory Traversal in Next.js) https://29022131.atlassian.net/browse/SECURITY-584?focusedCommentId=1009411
XHTML/XML Injection & Potential XXE on Invoice PDF Rendering (itinerary-api.trp.traveloka.com/v2/tripitinerary/download/invoice) https://29022131.atlassian.net/browse/SECURITY-605

Issues Resolved

Authentication bypass in AWS and GCP auth methods in HashiCorp Vault <1.4.4 (CVE-2020-16250, CVE-2020-16251) https://29022131.atlassian.net/browse/SECURITY-593
DOM-based XSS in Traveloka Web Login Page https://29022131.atlassian.net/browse/SECURITY-590
Open Redirect in Traveloka Mweb Login Page https://29022131.atlassian.net/browse/SECURITY-589

Strategic planning presentation for Red Team Q4 exercise given
Project Argos

Release 0.2

Change API docs generator from slate to mkdocs-material:

Powerful search feature, can be used to search keywords from all repositories.
Faster load times, does not hang the browser while loading.
Faster build times, up to 4x faster.
Written in Python, no need to add Ruby dependencies.
Subjectively looks more beautiful and cleaner.
More customizable.

Weekly pull and analyze predefined repositories.
Implements repository's dependencies in parser to improve coverage.

Project Altaria

Added CVEs found by the scanner in the dashboard
Added functionality to detect dangling A records by checking if the referenced IP belongs to one of our AWS or GCP accounts. Only shows the results in the lambda logs for now, still need to improve the feature

Plan

Meet with the team to discuss the RT plan and agree on everyone's tasks
Continue research as usual

People
-

Problem
-

Misc

Bug Bounty (email): verified and replied to 7 researchers (false positives / out-of-scope / known issues)