Web App Exploitation: Leveraging Replay Attacks

It has been close to a month now since I disclosed a proof-of-concept bug to ultimate-guitar dot com. It leverages what OWASP would classify as:

  • primarily, a broken access control issue, resulting in
  • secondarily, an authentication bypass in the context of unauthorized file retrieval.
    The bug takes advantage of the way a proprietary web app loads content for sampling, which acts as a brief preview of their now vast archive of user-generated Guitar Pro tabs.

This article will discuss in detail its discovery, manual exploitation, scripted exploitation, hypothetical scripted exploitation in bulk, potential mitigation methods, comparisons with other websites offering similar services, and alternative methods to obtain Guitar Pro files.

A BIT OF BACKGROUND

AROBAS MUSIC AND GUITAR PRO 3

When I was first learning guitar, by far the most useful tool for teaching myself came in the form of software named Guitar Pro (referred to as GP from here on). This software was ahead of its time; it changed the game with respect to teaching oneself music. For perspective, this was the turn of the century, when software development had to take careful consideration of a vast variety of computational and bandwidth limitations while still appealing to end users. That line was a fine one. Anyone who came up in that time will certainly remember the pains of downloading even a single song via Napster. A time when magazines still dominated the XXX scene, because you could be waiting up to a minute just to draw one decent-quality pr0n image to the screen.
Lewd, I know, but it is a relevant comparison. And for any Gen Z readers: even with the hedonistic nature of a platform such as the internet, we had very real barriers to going next level with it. That is a rabbit hole for another day.
I bring this up as an introduction to the GP* file format: Arobas cleverly created software and a format that could be optimized incredibly well for its time with respect to the limitations of processing power, internet bandwidth and speed, and what users functionally expected.

MIDI EXPANSION

I am not going to trip down the rabbit hole of discussing audio formats. But if you have an interest in this sort of thing, it is worthwhile checking out the Wikipedia article on MIDI. The important takeaway is that for as long as I can remember, MIDI has been used in tons of games, applications, websites, hardware control mappings, etc. It is very much still a relevant format. Why? Let's take a brief look at it, and at how it is beneficial to software like Guitar Pro.

    1. The Guitar Pro file format is built around MIDI: each track is bound to a MIDI channel and instrument, and playback is rendered through MIDI. The first version I saw was .gp3 (Guitar Pro v3), but .gp4, .gp5, .gpx (GP6) and .gp (GP7) exist to date. The format was designed by Arobas Music as a proprietary file type for use with their original Guitar Pro software. Its MIDI basis brings:
    • A. Track layering (up to 16 channels per MIDI port)
    • B. Minimal file size, especially compared with true audio (FLAC, WAV) and even compressed audio (MP3)
    • C. Easy MIDI mapping to an output audio device. One often overlooked trait of MIDI is that it is not an audio format at all; the idea that it carries sound is a common misconception. You have likely heard the term MIDI controller. The name reflects that the device itself does not make sounds: my mini MKII keyboard has no speakers and instead sends commands, not unlike a computer keyboard, only with a little more variety specific to music (dynamics, etc.). The system interprets the raw event data and can apply it in real time to a sound bank, a virtual instrument, etc.
    • D. Cross platform compatibility …

MONETIZATION MODEL

For clarity, most if not all Guitar Pro files served by ultimate-guitar are community generated. They have cleverly archived these files and created a community where guitarists share and upload them. Taking that in stride, the important considerations include:

    1. … literally are MIDI renditions of original content that is actually owned by artists. It is not abnormal to have artists ask for takedowns out of worry that sales of an official tab book might be affected.
    2. The tablature is generated by players from all around the world and has been posted in the public domain.

The takeaway is, rest assured, there is nothing illegal presented in this post. I am not subject to any conditions with respect to this disclosure (ultimate-guitar is not part of a bug bounty program), and the site's maintainers have not reached out to me since my responsible disclosure report.

Their model for monetizing is rooted in ads and an account tier system, which adds perks such as unlimited use of their in-browser web app to play Guitar Pro tabs.

Years ago, their pages that offered Guitar Pro tabs had working download buttons.