Commit

Closes #235: Cloudshell CSWSH (#241)
* Closes #235: Cloudshell CSWSH

* Update gcp-cloudshell-cswsh.yaml

---------

Co-authored-by: Amitai Cohen <[email protected]>
ramimac and korniko98 authored Oct 4, 2023
1 parent 6cd3be8 commit 2fa1884
Showing 1 changed file with 31 additions and 0 deletions.
31 changes: 31 additions & 0 deletions vulnerabilities/gcp-cloudshell-cswsh.yaml
@@ -0,0 +1,31 @@
title: GCP Cloudshell Cross-Site WebSocket Hijacking (CSWSH)
slug: gcp-cloudshell-cswsh
cves: null
affectedPlatforms:
- GCP
affectedServices:
- GCP Cloudshell
image: https://images.unsplash.com/photo-1543789289-2fcb1e565eb6?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3270&q=80
severity: Low
discoveredBy:
name: Psi
org: null
domain: ψ.fun
twitter: null
publishedAt: 2020/03/11
disclosedAt: null
exploitabilityPeriod: null
knownITWExploitation: false
summary: |
Google Cloudshell leveraged websockets without validating that the origin matched the current instance host.
An attacker could therefore host a CSWSH attack on a Cloudshell instance they own, disabling authentication via
access to the underlying VM. They could then start the OAuth process with a spoofed host header, using
phishing to get the target Cloud Shell user into following a redirection link, completing the OAuth process
and ending in successful CSWSH, which would allow the attacker to hijack the target user's requests.
manualRemediation: |
null
detectionMethods: null
contributor: https://github.com/ramimac
references:
- https://ψ.fun/i/yvpMj
- https://security.googleblog.com/2020/03/announcing-our-first-gcp-vrp-prize.html
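
Review bot: `manualRemediation: |` followed by a line reading `null` is a literal block scalar, so the field will parse as the string "null" rather than an empty value, unlike `cves: null` and `detectionMethods: null` elsewhere in the same record. Write `manualRemediation: null` if no customer action is required, or replace the body with a sentence saying so. Separately, the summary's phrase "disabling authentication via access to the underlying VM" does not say whose authentication is disabled; making clear that it refers to the attacker's own Cloudshell instance would help readers follow the chain.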

1 comment on commit 2fa1884

@github-actions
@check-spelling-bot Report

🔴 Please review

See the 📜action log or 📝 job summary for details.

Unrecognized words (17)
cloudshell
cswsh
fcb
gcp
Google
googleblog
GVuf
ixid
ixlib
MHxwa
phishing
ramimac
unsplash
vrp
websockets
yvp
YWdlf
To accept these unrecognized words as correct, you could run the following commands

... in a clone of the git@github.com:wiz-sec/open-cvdb.git repository
on the main branch (ℹ️ how do I use this?):

curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/main/apply.pl' |
perl - 'https://github.com/wiz-sec/open-cvdb/actions/runs/6407163734/attempts/1'
Errors (1)

See the 📜action log or 📝 job summary for details.

❌ Errors Count
❌ dictionary-not-found 3

See ❌ Event descriptions for more information.

If the flagged items are false positives

If items relate to a ...

  • binary file (or some other file you wouldn't want to check at all).

    Please add a file path to the excludes.txt file matching the containing file.

    File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

    ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

  • well-formed pattern.

    If you can write a pattern that would match it,
    try adding it to the patterns.txt file.

    Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

    Note that patterns can't match multiline strings.
