Bubble.io is a popular no-code platform that enables users to build fully functional applications without needing to write code. While it promises a user-friendly environment, this article takes a closer look at the underlying security mechanisms. We apply offensive security techniques to identify vulnerabilities in the platform, specifically in the way it interacts with Elasticsearch and handles payload encryption.
Through reverse engineering the platform's JavaScript code and analyzing the HTTP headers, we discovered a vulnerability that could potentially allow an attacker to execute arbitrary queries against the Elasticsearch instance powering Bubble.io applications.
- Elasticsearch: Used by Bubble.io to perform database searches.
- AES-CBC + PBKDF2_HMAC: Encryption methods used to protect requests to Elasticsearch.
Payload Structure:
The payload consists of three parts:
- "y": A timestamp, generated by the JavaScript code on the page, encoded in Base64.
- "x": An IV (Initialization Vector), also generated by JavaScript, encoded in Base64.
- "z": The encrypted payload, encrypted with a key derived from "y" and the AppName, using "x" as the IV.
Deserialization of the Payload:
To decrypt the payload:
- Obtain the AppName from the X-Bubble-Appname HTTP header.
- Use the hardcoded IVs ("po9" and "fl1") shared across all Bubble applications.
- Apply AES decryption using the AppName and the hardcoded IVs to decrypt "y" and "x", then use the recovered values to decrypt the payload ("z").
Exploit Execution:
Once decrypted, the payload reveals how queries are structured, allowing an attacker to bypass limitations imposed by the platform (e.g., the number of results returned, or certain comparison functions like "is equal" or "is not equal").
Impact:
With the ability to manipulate queries, an attacker could potentially access all user data from the Elasticsearch database, bypassing security measures such as query restrictions.
The following sequence shows how an attacker could craft a malicious payload to bypass limitations:
- A standard query returns one user based on an email address.
- By altering the payload, an attacker could remove limitations on results, retrieving all user data in one response.
- Original Payload: Returns a limited set of data (e.g., one user).
- Modified Payload: Retrieves all users and their associated information.
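The defensive counterpart to the sequence above, as an added example that is not Bubble.io's code: a server-side gate that re-validates the decrypted query before it is forwarded to Elasticsearch. Because the key material (the AppName) travels in a public header and the IVs are fixed, the client-side encryption cannot stop a client from editing its own query, so the limit, operators and fields must be enforced on the server. The query shape, field names and limits below are assumptions constructed for the example, not Bubble's real wire format.

```python
"""Server-side query gate (added illustration; not Bubble.io code).

The client can decrypt, edit and re-encrypt its own Elasticsearch
payload, so nothing in the payload is trustworthy. Every query is
re-checked here before it reaches Elasticsearch. The query layout and
field names are constructed for this example.
"""

MAX_RESULTS = 100                       # hard cap regardless of what the client asks for
ALLOWED_OPS = {"is", "is_not"}          # comparison functions the app actually exposes
ALLOWED_FIELDS = {"user": {"email"}}    # fields a client may constrain, per index


class RejectedQuery(ValueError):
    """Raised when a client-supplied query must not be forwarded."""


def sanitize_query(query: dict) -> dict:
    """Return a copy of `query` that is safe to forward, or raise RejectedQuery."""
    index = query.get("index")
    if index not in ALLOWED_FIELDS:
        raise RejectedQuery(f"unknown index {index!r}")
    # A removed or oversized limit is the trick described above: clamp it server-side.
    limit = query.get("limit")
    if not isinstance(limit, int) or limit < 1:
        limit = MAX_RESULTS
    limit = min(limit, MAX_RESULTS)
    constraints = query.get("constraints")
    if not constraints:
        raise RejectedQuery("unconstrained query would enumerate the whole index")
    clean = []
    for c in constraints:
        if c.get("op") not in ALLOWED_OPS:
            raise RejectedQuery(f"operator {c.get('op')!r} not permitted")
        if c.get("field") not in ALLOWED_FIELDS[index]:
            raise RejectedQuery(f"field {c.get('field')!r} not permitted")
        clean.append({"field": c["field"], "op": c["op"], "value": c.get("value")})
    return {"index": index, "limit": limit, "constraints": clean}


def is_forwardable(query: dict) -> bool:
    """True if the gate accepts the query, False if it would be rejected."""
    try:
        sanitize_query(query)
        return True
    except RejectedQuery:
        return False


# Constructed samples mirroring the "original" and "modified" payloads above.
ORIGINAL = {"index": "user", "limit": 1,
            "constraints": [{"field": "email", "op": "is", "value": "a@example.com"}]}
MODIFIED = {"index": "user", "limit": 100000,
            "constraints": [{"field": "password_hash", "op": "regex", "value": ".*"}]}
```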
Bubble.io’s no-code platform is not immune to security risks, as demonstrated by the vulnerabilities found in its use of Elasticsearch and cryptographic mechanisms. While no-code solutions are powerful, it’s important to understand the underlying systems and their potential weaknesses. This case highlights the need for developers and users of such platforms to consider security as an integral part of their development process.
Even though no-code platforms like Bubble.io make it easy to build applications, a lack of awareness about the security implications can lead to severe vulnerabilities. Developers must stay vigilant and take the necessary steps to safeguard sensitive data.
Note: This analysis is intended to raise awareness about security flaws in no-code platforms and encourage developers to take security seriously, regardless of the tools they use.