Dhaval Chauhan
Tuesday, September 27, 2016
Saturday, January 3, 2015
Heartbleed at Slack's Status Server
Slack has a bug bounty program on Hackerone
One day I found this: status.slack.com
This sub-domain looked different, maybe because this server was outside the main network.
Though I could not find anything suspicious, lastly I checked the certificate and it was quite outdated.
I fired the Metasploit module for Heartbleed.
And BAM!
"[*] 50.116.50.254:443 - Printable info leaked: @SE&kfT- zR]bjUsf"!98532ED/Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCookie:..........."
And got this as a response from the server.
I reported this to Slack and within a few minutes got the reply:
"Good catch - the status server sits outside of our main network and got skipped over. It's patched now with a new cert."
I was quite impressed by the response time!
Square's SMTP Server without authentication
A few months back, when Square started their bug bounty on Hackerone, after some dorking I found this: "api-test.squareup.com"
Yeah, a test bed.
Usually these test sub-domains are vulnerable because they are not maintained after the initial development phase.
Visited the sub-domain; alas, nothing to see.
It was a blank page.
But the world doesn't end here.
Here comes Nmap.
Scanned and found port 25 was open.
And hopefully it has no authentication,
so "telnet api-test.squareup.com 25"
So, I can send mail using Square's server to anyone.
I reported it; they fixed it within a few weeks.
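The same MAIL FROM / RCPT TO check the post does by hand, as an added script (not from the original post) a team can run against its own forgotten test hosts; the sender and recipient addresses are constructed placeholders and no DATA is ever sent, so nothing is relayed:

```python
"""Audit an SMTP listener for unauthenticated relaying (added example)."""
import smtplib

# Constructed placeholder addresses: both sit outside the server's own domain,
# so a relay-restricted MTA must refuse the RCPT TO.
EXTERNAL_SENDER = "probe@example.org"
EXTERNAL_RECIPIENT = "inbox@example.net"


def classify(mail_code, rcpt_code):
    """Interpret the reply codes of MAIL FROM and RCPT TO.

    250 on both means the server accepted an envelope from an outside sender
    to an outside recipient without credentials: an open relay.  530 means it
    demanded authentication; a 5xx on either command (e.g. 554 "relay access
    denied") means relay restrictions are enforced.  Anything else is reported
    verbatim for a human to look at.
    """
    if mail_code == 250 and rcpt_code == 250:
        return "OPEN RELAY"
    if 530 in (mail_code, rcpt_code):
        return "auth required"
    if mail_code // 100 == 5 or rcpt_code // 100 == 5:
        return "relay denied"
    return "inconclusive (%d/%d)" % (mail_code, rcpt_code)


def check_relay(host, port=25, timeout=10):
    """Run the probe against one host and return the classification."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        mail_code, _ = smtp.mail(EXTERNAL_SENDER)
        rcpt_code, _ = smtp.rcpt(EXTERNAL_RECIPIENT)
        smtp.rset()  # abandon the envelope; no message is delivered
    return classify(mail_code, rcpt_code)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "->", check_relay(target))
```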
Saturday, May 31, 2014
XSS in OAuth flow of Paypal
Again, one fine night, playing with Paypal's REST API led to an XSS in their OAuth flow.
I quickly made a working POC and sent it to Paypal.
POC:
Paypal's REST API provides a simple payment solution.
So, basically one needs to create an application in the developers section and integrate it with the website.
But what lured me was the "Return URL" section.
I tried a few vectors, but there was some authentication which required "HTTP:// or HTTPS://" at the beginning of the string.
But analysing the authentication, it was just
"Client Side Authentication"
So, I fired up Burp Suite and edited the "oauth_return_url_live" parameter.
Bingo, the payload was successfully injected.
Lastly, all I did was put the things in order.
So, the victim visits your site and as soon as he pays you with his Paypal account,
his account is your account.
This vulnerability worked in Opera and older versions of Firefox.
I was rewarded a decent bounty for this by Paypal Security.
Wednesday, October 23, 2013
XSS at Blogger
One fine night, when I was editing my Blogger account, I found an awkward behavior.
This caught my eye and upon digging a bit... BOOM
POC:
The vulnerable link was: https://www.blogger.com/switch-profile.g?switchProfileSource=3&continue=/home
Now, let's change this "continue" value to https://www.google.com
and it redirects to https://www.google.com
Lemme try something else: "data:text/html;base64,......
AND...... BOOM
Snapshots:
Anyways, I wasn't rewarded a penny :( because of Browser Issue (nothing new with Google) and Same Origin Policy and some typical requirements, and the list goes on and on.
Thanks to the Google Security Team for fixing the bug in a matter of days and listing me in the Hall Of Fame.
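Both the Paypal post (a return URL guarded only by a client-side "starts with HTTP:// or HTTPS://" check) and the Blogger post (a "continue" parameter that accepted data: URIs) come down to redirect targets that were never validated on the server. The functions below are an added example, not Paypal's or Blogger's code, showing the server-side checks that close both holes; the registered host name is a constructed placeholder.

```python
"""Server-side validation of redirect targets (added example)."""
from urllib.parse import urlsplit, urlunsplit

# Return hosts are registered when the merchant creates the application and are
# never taken from the request itself.  Constructed placeholder value.
REGISTERED_RETURN_HOSTS = {"shop.example.com"}


def safe_return_url(candidate, registered_hosts=REGISTERED_RETURN_HOSTS):
    """Accept only https://<registered-host>/...; return None otherwise.

    Parsing with urlsplit instead of a string-prefix test compares scheme and
    host after normalisation, so javascript:, data:, protocol-relative URLs,
    look-alike subdomains and user@host tricks are all rejected.
    """
    parts = urlsplit(candidate.strip())
    if parts.scheme.lower() != "https":
        return None
    host = parts.hostname  # lower-cased, credentials and port stripped
    if host is None or host not in registered_hosts or parts.username is not None:
        return None
    # Rebuild from the validated components; the fragment is dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def safe_continue(candidate, default="/home"):
    """Resolve a `continue` value to a same-origin path, else the default.

    Only a relative path beginning with a single "/" is accepted: absolute
    URLs, "//host" forms and data:/javascript: URIs fall back to the default.
    Backslashes are refused because some browsers read "/\\host" as
    protocol-relative.
    """
    value = candidate.strip()
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or "\\" in value:
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    return value
```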