Summary by jakubjn
An S3 Bucket Misconfiguration allowed an attacker to set an arbitrary S3 Path and have it signed by the server. S3 Keys could be mined from online sources, putting a number of Asana Attachments at risk.
The vulnerability was found in the following websocket request:
{
"msg": "mutation",
"method": "/s3_attachment_create",
"params": {
"http_method": "post",
"endpoint_data": {
"global_id": "...",
"domain": "...",
"filesize": 1000,
"s3_path": "S3_PATH",
"__app_name": "Asana",
"__session_id": "..."
}
},
"id": "..."
}
Where "s3_path" was a parameter discovered in the JavaScript code. The original parameter: "key_suffix" was not vulnerable.