Zoho QEngine: Arbitrary File Read
Zoho QEngine is test automation software for testing your code on various devices & browsers before it gets released.
🚀 One of its handy functions is openURL(), which lets you load a test URL in a supported browser like Chrome. Sounds neat, right? But as a security researcher, I couldn’t resist digging a bit deeper. 😏
🛠️ First Stop: Common SSRF Attack Vectors
Like any security researcher, my first instinct was to run the good ol’ SSRF test cases & check whether I could reach their internal services or the cloud metadata URL 169.254.169.254.
💡 Fun fact: Zoho runs most of its services on its own cloud, no surprise — these URLs didn’t fetch anything interesting.
🔄 Switching Gears: Testing Non-HTTP Protocols
What if we try something besides http://? 🤔 Like… file:// protocol?
💻 Enter: openURL("file:///etc/passwd", "new tab")

🎆 BOOM! We now get to see the content of /etc/passwd from Zoho QEngine’s test environment. 🕵️♂️

🔒 Why It’s Low Risk (But Still Cool)
Zoho QEngine runs each test case in an isolated Docker environment. So, there’s no sensitive data here to steal, phew! 😌
Imagine if this was run on a real system without Docker. The impact could be HUGE! 🚨
I made a detailed report of my findings and submitted it to Zoho’s BugBounty platform. They confirmed the issue and rewarded me with 💸.
💡 Key Takeaways
- Always validate user inputs by enforcing strict whitelisting of protocols, domains, and paths for URLs. This includes checking for internal service URLs and metadata endpoints to prevent unintended access.
- While Dockerized environments enhance security, don’t rely solely on them for isolation. They might still expose environment secrets, configuration files, or other sensitive data. In some cases, vulnerabilities could even lead to Docker escapes.
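To make the first takeaway concrete, here is an added example of the kind of allow-list check a feature like openURL() could apply before loading a URL. It is my own illustration, not QEngine’s code; the host names and the `validate_test_url` function are hypothetical, and the resolver is injectable so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only web schemes are ever acceptable for a browser test; file:// and
# friends are rejected before anything else is looked at.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed allow-list of hosts a test is permitted to target. A real
# deployment would load this from configuration, not hard-code it.
DEFAULT_ALLOWED_HOSTS = {"app.example.test", "staging.example.test"}


def _is_internal(ip: str) -> bool:
    """True for loopback, link-local (incl. 169.254.169.254), RFC1918 and
    any other address that is not globally routable."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_global or addr.is_link_local or addr.is_loopback


def validate_test_url(url, allowed_hosts=None, resolver=socket.gethostbyname):
    """Return (ok, reason). Scheme, host allow-list and the *resolved*
    address are all checked, so a permitted name that points at an
    internal address (misconfiguration or DNS rebinding) is still refused."""
    allowed_hosts = DEFAULT_ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    parts = urlsplit(url)

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host.lower() not in allowed_hosts:
        return False, f"host not in allow-list: {host}"

    try:
        ip = resolver(host)
    except OSError:
        return False, f"cannot resolve host: {host}"
    if _is_internal(ip):
        return False, f"host resolves to internal address: {ip}"
    # Caller should connect to `ip`, not re-resolve `host`, to close the
    # time-of-check/time-of-use gap.
    return True, "ok"
```

The resolved-address check is what catches the metadata case even when the name itself looks harmless; the scheme check alone is what would have stopped the file:// read described above.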
Originally published at https://blog.jayateerthag.in on December 10, 2024.