HACK IT (no funky slogan here!) by <a href="http://www.blogger.com/profile/01973185541671151372">ramailo</a>
<h3>Modifying/Deleting google drive files (2015-12-14)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
This is a short write-up of a bug in the OAuth 2.0 implementation of the Google Drive API. <br /><br />This bug could have allowed an application to delete or write to any of the user's files in Google Drive, although the user had permitted the application to access only those files that were created by the application.<br /><br />For instance, an application requiring access to files created by itself looks like:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-uRQXZCeSSo4/ViBiaF-V9XI/AAAAAAAAAbQ/iXEgWWDSipI/s1600/oauthFlaw.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://1.bp.blogspot.com/-uRQXZCeSSo4/ViBiaF-V9XI/AAAAAAAAAbQ/iXEgWWDSipI/s640/oauthFlaw.JPG" width="640" /></a></div>
<br />
<br />
<br />
According to the <a href="https://developers.google.com/drive/v2/reference/permissions" target="_blank">Google API documentation</a>, after the user clicks Allow, the app should <b>only</b> be able to access files that were opened or created using this app.<br />
<br />
I went ahead and tried deleting a file that<i> was in the user's drive </i>but had never been accessed or created by the application. The following is the request I sent to test this:<br />
<br />
<pre style="background: rgb(247, 247, 247); box-sizing: inherit; color: #455a64; font-family: 'Roboto Mono', monospace; font-size: 14px; font-stretch: normal; line-height: 20px; margin-bottom: 16px; margin-top: 16px; overflow-x: auto; padding: 8px;">DELETE https://www.googleapis.com/drive/v2/files/<var class="apiparam" style="-webkit-font-smoothing: auto; box-sizing: inherit; color: #ec407a; font-weight: 700;">fileId</var>/permissions/<var class="apiparam" style="-webkit-font-smoothing: auto; box-sizing: inherit; color: #ec407a; font-weight: 700;">permissionId</var></pre>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
The response was 204 No Content. I checked my drive, and the file was no longer there. <br /></div>
<div style="text-align: left;">
This meant that <b>any application holding the drive.file permission (i.e. the permission to see only those files that were created by the app itself) could have been abused to access a user's private files. Not only did this allow an attacker to read all the files on your drive, but an attacker could also modify or delete those files.</b></div>
<br />
<br />
<br />
This was reported to the Google security team and has since been fixed.<br />
<br />
Jun 5, 2015 - Reported.<br />
Jun 5, 2015 - Triaged.<br />
Jun 11, 2015 - Additional details sent.<br />
Jun 26, 2015 - Fix confirmation, $1337 bounty awarded.<br /><br /><br />Update: After Google fixed this issue, I was able to bypass the fix again. The bypass involved requesting the 'drive.readonly' permission along with the 'drive.file' permission. 'drive.readonly' made everything in the user's Google Drive visible to the application, and 'drive.file' could still be used to delete/modify other files in the user's Google Drive.<br /><br />The bypass has also been fixed by the Google security team.</div>
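The scope policy the post describes, and how the drive.readonly + drive.file combination from the update should be evaluated, as an added example in Python (not Google's code; the scope URLs are the public Drive scope names, while the operation names, the data model and the "visibility-based" variant are assumptions made for the example):

```python
"""Per-operation scope check for a Drive-style file API.

Added example, not Google's code. A token carrying only drive.file may read
or modify just the files this app created or the user opened with it;
drive.readonly adds read access to everything but never write access; and
stacking the two must not widen the write set (the bypass in the update).
"""
from dataclasses import dataclass, field

SCOPE_FILE = "https://www.googleapis.com/auth/drive.file"
SCOPE_READONLY = "https://www.googleapis.com/auth/drive.readonly"
SCOPE_FULL = "https://www.googleapis.com/auth/drive"

READ_OPS = {"get", "list", "export"}
WRITE_OPS = {"update", "delete", "permissions.delete", "copy"}


@dataclass
class DriveFile:
    file_id: str
    owner: str
    # App ids that created this file or that the user explicitly opened it with.
    opened_with: set = field(default_factory=set)


@dataclass
class Token:
    app_id: str
    user: str
    scopes: set


def is_authorized(token: Token, op: str, f: DriveFile) -> bool:
    """True only if some granted scope permits *this op on this file*.

    Each scope is evaluated on its own for the requested operation and the
    results are OR-ed. drive.readonly can never contribute write permission,
    so adding it cannot grow the write set beyond what drive.file allows.
    """
    if op not in READ_OPS | WRITE_OPS:
        raise ValueError(f"unknown operation {op!r}")
    if f.owner != token.user:
        return False  # a user's token never reaches another user's files

    app_owned = token.app_id in f.opened_with
    allowed = False
    if SCOPE_FULL in token.scopes:
        allowed = True
    if SCOPE_READONLY in token.scopes and op in READ_OPS:
        allowed = True
    if SCOPE_FILE in token.scopes and app_owned:
        allowed = True  # read or write, but only on app-owned files
    return allowed


def is_authorized_visibility_based(token: Token, op: str, f: DriveFile) -> bool:
    """Hypothetical weaker check (an assumption, not Google's actual logic):
    first decide whether the app can *see* the file, then let drive.file write
    to anything visible. With drive.readonly every file becomes visible, so the
    app-ownership restriction on writes silently disappears."""
    visible = (SCOPE_FULL in token.scopes or SCOPE_READONLY in token.scopes
               or token.app_id in f.opened_with)
    if not visible or f.owner != token.user:
        return False
    if op in READ_OPS:
        return True
    return SCOPE_FULL in token.scopes or SCOPE_FILE in token.scopes
```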
<h3>Stored XSS on facebook and twitter! (2014-12-18)</h3>
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
My colleague Prakash and I were testing random things to find a target that would be worth looking into. We found a new feature on Facebook that allows a user to visit the website of a page owner.<br />
<br />
The "Shop-now" feature looked interesting, with different restrictions for different input fields.<br />
The app-link field caught my eye, because the "deep-link" URL had a particularly idiosyncratic example:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-UFDAapCTfW4/VJK0vc1Wx_I/AAAAAAAAAY4/EP_yHlo72do/s1600/blog1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="http://4.bp.blogspot.com/-UFDAapCTfW4/VJK0vc1Wx_I/AAAAAAAAAY4/EP_yHlo72do/s1600/blog1.JPG" width="320" /></a></div>
<br />
<br />
<br />
<br />
The field was sanitized for special characters like &lt; , " , ' , &gt; and didn't allow any tags to enter. The output for such characters would be:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-sMbrhhlboW8/VJK1LcBzXRI/AAAAAAAAAZA/oN9r1H-vaDY/s1600/really.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="http://2.bp.blogspot.com/-sMbrhhlboW8/VJK1LcBzXRI/AAAAAAAAAZA/oN9r1H-vaDY/s1600/really.JPG" width="320" /></a></div>
<br />
I thought of trying ( and ). Surprisingly, they weren't being sanitized, and of course : wouldn't be filtered, because it would always be used in a URL. I still wasn't sure if any JavaScript would be executed. I saved the details to test it out, with the app link set to javascript:alert(document.domain). <br />
<br />
<br />
<br />
But then I realized I was only a couple of clicks away from seeing whether the test was successful. On m.facebook.com, under the "Shop now" feature, the script was being stored. And then,<br />
<br />
(The detailed exploit scenario is shown in the video.) <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-KFBkI2kKOO4/VJK20cd8K9I/AAAAAAAAAZM/_JQ_yj8dGv8/s1600/xss.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="http://3.bp.blogspot.com/-KFBkI2kKOO4/VJK20cd8K9I/AAAAAAAAAZM/_JQ_yj8dGv8/s1600/xss.JPG" width="320" /></a></div>
<br />
The script was inserted straight into the href attribute of the "a" tag, and anyone clicking on the button link would be exploited.<br />
<br />
Now, in addition to the client-side filtering, the script is not executed even if you manage to circumvent the client-side protection in some way.<br />
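An added example (not Facebook's or Twitter's code) of the server-side check a fix like this needs: the character-denylist filter described above, beside a validator that parses the link and allows only known schemes. The custom scheme names in ALLOWED_SCHEMES are assumed values for the example.

```python
"""Validating a user-supplied deep link before it lands in an href.

Added example, not Facebook's or Twitter's code. `naive_sanitize` models the
filter the post describes (only < > " ' are rejected), which still lets
javascript:alert(document.domain) through because a scheme needs none of
those characters. `validate_deep_link` parses the URL the way a browser
would and allows only an explicit set of schemes.
"""
import html
import re
from urllib.parse import urlsplit

# Characters browsers drop before parsing a URL (WHATWG URL spec):
# leading/trailing C0 controls and space, and tab/newline anywhere.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = re.compile(r"[\t\n\r]")

# Schemes a "shop now" style button may point at: http(s) for web pages plus
# the app deep-link schemes registered for the page (assumed names).
ALLOWED_SCHEMES = {"http", "https", "myshopapp", "fb"}


def naive_sanitize(link: str):
    """The weak check from the post: reject only HTML metacharacters."""
    if any(ch in link for ch in '<>"\''):
        return None
    return link


def browser_normalize(link: str) -> str:
    """Mimic the browser so that 'java\\tscript:' or ' JavaScript:' cannot
    slip past a check that only looks at the literal string."""
    link = link.strip(_C0_AND_SPACE)
    return _TAB_NEWLINE.sub("", link)


def validate_deep_link(link: str):
    """Return an HTML-escaped href value, or None if the link is rejected."""
    if len(link) > 2048:
        return None
    norm = browser_normalize(link)
    try:
        parts = urlsplit(norm)
    except ValueError:
        return None  # malformed (e.g. unbalanced IPv6 brackets)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, vbscript:, about: all end up here
    if scheme in ("http", "https") and not parts.netloc:
        return None  # a web link must have a host
    # The scheme allowlist removes script execution; escaping for the
    # attribute context additionally prevents breaking out of the quotes.
    return html.escape(norm, quote=True)
```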
<br />
A very similar endpoint existed on Twitter, too. You could define the action of a button click yourself:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-3SMxai4vkvo/VJK4AeTUNJI/AAAAAAAAAZU/jHoaU1ODoGM/s1600/twitter%2B(1).png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-HBsTj-skuAI/VJK4GV7V06I/AAAAAAAAAZc/YmH8JvVbtlI/s1600/twitter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="http://4.bp.blogspot.com/-HBsTj-skuAI/VJK4GV7V06I/AAAAAAAAAZc/YmH8JvVbtlI/s1600/twitter.png" width="320" /></a></div>
<br />
but more on that later.<br />
<br />
Both vulnerabilities have been patched by respective security teams. <br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/-krCm5jN87I" width="560"></iframe>
<br />
<br />
Thanks for the read!<br />
<br /></div>
<h3>Facebook and twitter use Gmail! Wait, what? (2014-10-08)</h3>
<div dir="ltr" style="text-align: left;" trbidi="on">
I cannot guarantee 100% accuracy of what I claim, yet I found this occupying my thoughts and reckon it to be an interesting issue.<br />
<br />
A simple tweak to a GET request will let you know which services use Google as their mail service, and it's no black magic.<br />
<br />
I was at first astonished, and wondered whether what I saw was for real.<br />
<br />
I found this URL while messing with the admin panel of the mail manager provided by Gmail.<br />
<br />
<a href="https://www.google.com/a/cpanel/ensolnepal.com/images/logo.gif">https://www.google.com/a/cpanel/ensolnepal.com/images/logo.gif</a><br />
<br />
This is what I got, as of now:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Vzzvcu0SUZA/VDVv84JcC8I/AAAAAAAAAXk/2qiQPcQGxvw/s1600/logo%2B(3).gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Vzzvcu0SUZA/VDVv84JcC8I/AAAAAAAAAXk/2qiQPcQGxvw/s1600/logo%2B(3).gif" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
so far, so good. </div>
<br />
<br />
This is where the logos of third-party sites are hosted. If I just change the domain name,<br />
<a href="https://www.google.com/a/cpanel/ioe.edu.np/images/logo.gif">https://www.google.com/a/cpanel/ioe.edu.np/images/logo.gif</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-YfhFMjPqvB4/VDVwWJO8vNI/AAAAAAAAAXs/TDTqo2Phzhg/s1600/logo.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-YfhFMjPqvB4/VDVwWJO8vNI/AAAAAAAAAXs/TDTqo2Phzhg/s1600/logo.gif" /></a></div>
<br />
Wow, I haven't even logged into my college's webmail and I can see the logo that was uploaded for logged-in users to see.<br />
<br />
<br />
After this, I asked the webadmin of my college to set up an email account for me, and the logo that appeared before seemed to be the real thing.<br />
<br />
<br />
This is the thing I am talking about:<br />
<br />
<a href="http://2.bp.blogspot.com/-mDHlgFhLC1g/VDXqRjxvTkI/AAAAAAAAAYg/EVUqPv_YamQ/s1600/blog.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://2.bp.blogspot.com/-mDHlgFhLC1g/VDXqRjxvTkI/AAAAAAAAAYg/EVUqPv_YamQ/s1600/blog.PNG" height="74" width="320" /></a><br />
<br />
<br />
<br />
Now, let's just play around:<br />
<a href="https://www.google.com/a/cpanel/facebook.com/images/logo.gif">https://www.google.com/a/cpanel/facebook.com/images/logo.gif</a><br />
<br />
This is what is seen as of now:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/--vSil-tPG-4/VDVysYZkG9I/AAAAAAAAAX4/4q_NKZvWZ9Q/s1600/logo%2B(4).gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/--vSil-tPG-4/VDVysYZkG9I/AAAAAAAAAX4/4q_NKZvWZ9Q/s1600/logo%2B(4).gif" /></a></div>
<br />
<br />
<br />
<br />
Well, well, what the heck!<br />
Facebook uses Google's mail service?<br />
<br />
<br />
I couldn't find a rational explanation for "No, they don't".<br />
<br />
<br />
<br />
And Twitter?<br />
<a href="https://www.google.com/a/cpanel/twitter.com/images/logo.gif">https://www.google.com/a/cpanel/twitter.com/images/logo.gif</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OZgcKJdSkf0/VDV-WO_yCNI/AAAAAAAAAYQ/Zs50YuNFL58/s1600/logo%2B(12).gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-OZgcKJdSkf0/VDV-WO_yCNI/AAAAAAAAAYQ/Zs50YuNFL58/s1600/logo%2B(12).gif" /></a></div>
<div>
<br />
<br />
<br />
<br /></div>
<div>
<br /></div>
<div>
You could just replace the URL to see if the site uses gmail as their mail service provider:</div>
<div>
https://www.google.com/a/cpanel/YOUR_URL_HERE/images/logo.gif</div>
<div>
<br /></div>
<div>
<br /></div>
<br />
<br />
Now, let's see whether some other sites use Gmail:<br />
<a href="https://www.google.com/a/cpanel/alexa.com/images/logo.gif">https://www.google.com/a/cpanel/alexa.com/images/logo.gif</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-9DJ6qRoTnhM/VDVy7D9wEVI/AAAAAAAAAYA/va77BY6N99M/s1600/hawa.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-9DJ6qRoTnhM/VDVy7D9wEVI/AAAAAAAAAYA/va77BY6N99M/s1600/hawa.gif" /></a></div>
<br />
<br />
Nope, since Gmail's default logo appears, they don't seem to use Gmail. (That's my explanation.)<br />
<br />
I don't yet know if this is totally random, but I checked several domains I own (and a few of my friends') and it appears to hold in those particular cases.<br />
<br />
<br />
<br />
If you have Gmail as your mail service provider and you are seeing something different (or even if you think this is b***s***), feel free to mention it in the comments.<br />
<br />
<br />
<br /></div>
<h3>How I hacked your unverified facebook accounts! (2014-05-28)</h3>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here's a little write-up on how I was able to delete any unverified account on Facebook. By unverified, I mean those accounts that had not yet verified the email address linked to Facebook. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
All (or most) of my bugs, across many vendors, have been authentication related; this was no different. </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<h4 style="text-align: left;">
Here is how I did it:</h4>
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
There is (was, now) this sign-up function, which lets you create a new Facebook account. The twist is, when you sign up with an email that already has a Facebook account (with its email unverified), the response you get is:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-A8c6r9OVgg0/U4XUSkuk7dI/AAAAAAAAARk/CNn_pzUts4s/s1600/response.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-A8c6r9OVgg0/U4XUSkuk7dI/AAAAAAAAARk/CNn_pzUts4s/s1600/response.JPG" height="166" width="320" /></a></div>
<br />
When you click on "Insert the confirmation code instead", it lets you enter a code consisting of a 5-digit number only. Pretty simple, eh?<br />
<br />
Let's generate a dictionary from 00000 to 99999:<br />
<br />
<br />
<textarea cols="80" rows="30" style="background-color: #aaaaaa;">#!/usr/bin/env python3
# Writes every zero-padded code from 00000 to 99999 to a file, one per line.

def add_zeros(end, tot):
    # Left-pad 'end' with zeros until it is as long as 'tot'.
    zeros = ''
    while len(zeros) < (len(tot) - len(end)):
        zeros = zeros + '0'
    return zeros + end

verification_code = 5   # number of digits in the confirmation code
code = ''               # known prefix, if any (empty: enumerate all digits)
path = input(r"Where do you want to store your dictionary file? e.g. D:\derp\foo.txt ")
loop_range = verification_code - len(code)
nines = ''
for i in range(0, loop_range):
    nines = nines + '9'
nine = int(nines)       # largest value with that many digits, e.g. 99999
fob = open(path, 'w')
for i in range(0, nine + 1):
    j = str(i)
    if len(j) < len(nines):
        j = add_zeros(j, nines)
    number = code + j + '\n'
    fob.write(number)
fob.close()
print('Generated and Saved!')
</textarea><br />
<br />
Now, straightforward stuff! I fired up Burp, my "Swiss army knife".
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-5h9y2WDhv2U/U4XhgAaEd2I/AAAAAAAAAR0/n1hgof3yMV0/s1600/poc2+-+Copy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-5h9y2WDhv2U/U4XhgAaEd2I/AAAAAAAAAR0/n1hgof3yMV0/s1600/poc2+-+Copy.JPG" height="212" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Notice something peculiar in the last request?<br />
Yes, the response length changes to show that you've made the correct guess (the AJAX response in Burp says so).<br />
<br />
Some math:<br />
possible codes = 100,000<br />
if no. of requests = 100/sec,<br />
time taken to find out "teh code" (worst-case scenario) = 15 minutes<br />
<br />
<h3 style="text-align: left;">
<b>The impact?</b></h3>
I could permanently delete any unverified Facebook account within 15 minutes. You would try to recover using the "password recovery" feature, but all your friends and PMs would be gone. You would have to create an entirely new account.<br />
<br />
All I had to do was squander my bandwidth (and sit back and relax).<br />
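The server-side counterpart to this attack, as an added example (not Facebook's code): a confirmation-code check that caps guesses per issued code, burns the code on lockout or expiry, compares in constant time, and returns equal-length success and failure bodies so the response-length tell used above disappears. MAX_ATTEMPTS and CODE_TTL_SECONDS are assumed values.

```python
"""Confirmation-code check that defeats the online brute force in the post.

Added example, not Facebook's code. Two properties matter: the number of
guesses per code must be capped (a 5-digit code has only 100,000 values, so
an uncapped check at 100 requests/s falls in minutes), and success and
failure responses must not differ in length, since the post found the right
code by watching the response length change in Burp.
"""
import hmac
import secrets
import time

CODE_DIGITS = 5
MAX_ATTEMPTS = 5            # assumed: guesses allowed per issued code
CODE_TTL_SECONDS = 15 * 60  # assumed: code lifetime


def make_response(ok: bool) -> dict:
    """"OK" and "NO" have equal length, so the serialized bodies do too."""
    return {"status": "OK" if ok else "NO"}


class ConfirmationCodes:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, for testing expiry
        self._pending = {}       # email -> [code, issued_at, attempts]

    def issue(self, email: str) -> str:
        """Create a fresh random code; it replaces any earlier code for the
        email, so guesses made against the old code carry no information."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = [code, self._now(), 0]
        return code

    def verify(self, email: str, guess: str) -> dict:
        """Always returns the same keys with fixed-length values."""
        entry = self._pending.get(email)
        if entry is None:
            return make_response(False)
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            # Expired or locked out: burn the code; the user must request a new one.
            del self._pending[email]
            return make_response(False)
        entry[2] += 1
        # Constant-time comparison; the attempt is counted before the result
        # is known, so the lockout decision never depends on the guess.
        ok = hmac.compare_digest(code.encode(), guess.encode())
        if ok:
            del self._pending[email]  # single use
        return make_response(ok)


def brute_force_success_probability(max_attempts: int = MAX_ATTEMPTS,
                                    digits: int = CODE_DIGITS) -> float:
    """Chance a guesser wins before lockout if the code is uniformly random."""
    return max_attempts / 10 ** digits
```

Rate limiting `issue()` per email and per source address matters as well, otherwise an attacker can re-request codes to reset the attempt counter, though each new code is again random.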
<br />
<h4 style="text-align: left;">
<b>How did I find out if an account was unverified?</b></h4>
Well, one way was to sign up using that email and look at the response (whether you are asked to enter a confirmation code or not).<br />
<br />
For a large number of emails, the other way was to enumerate Facebook users first, to find out whether the email had a Facebook account, and then use the "Change email address" field to sort out which accounts have Facebook associated with them and are still unverified.<br />
<br />
<br />
8 hours later:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-lVD1LTgLNdA/U4XlAfPSt2I/AAAAAAAAASA/7LMUd4x7K7s/s1600/hak-it.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-lVD1LTgLNdA/U4XlAfPSt2I/AAAAAAAAASA/7LMUd4x7K7s/s1600/hak-it.JPG" height="58" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
and it was patched within 3 days of submission; however, they were making strange changes for about a month even after the bounty payout (in their mobile platforms and mobile apps).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h4 style="clear: both; text-align: left;">
tl;dr:</h4>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1) Make an unconfirmed facebook account (the target)</div>
<div class="separator" style="clear: both; text-align: left;">
2) Try to register a new account with the same email (the attacker)!</div>
<div class="separator" style="clear: both; text-align: left;">
3) It will take you to https://www.facebook.com/register/confirm.php?ce=emailaddress%40provider.com from the registration form.</div>
<div class="separator" style="clear: both; text-align: left;">
4) Click on "Insert the confirmation code instead"!</div>
<div class="separator" style="clear: both; text-align: left;">
5) Generate a dictionary.</div>
<div class="separator" style="clear: both; text-align: left;">
6) Enjoy deleting accounts!</div>
<div class="separator" style="margin: 0in 0in 0.0001pt;">
<br /></div>
<div class="separator" style="margin: 0in 0in 0.0001pt;">
<br /></div>
<div class="separator" style="margin: 0in 0in 0.0001pt;">
<br /></div>
<div class="separator" style="margin: 0in 0in 0.0001pt;">
and a handsome bounty followed up:</div>
<div class="separator" style="margin: 0in 0in 0.0001pt;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Mxziuti7Rec/U4YcAsTYuXI/AAAAAAAAASk/F030c-hLDog/s1600/response2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Mxziuti7Rec/U4YcAsTYuXI/AAAAAAAAASk/F030c-hLDog/s1600/response2.JPG" height="65" width="320" /></a></div>
<div class="separator" style="margin: 0in 0in 0.0001pt;">
<br /></div>
<div>
<h4 style="text-align: left;">
Thanks for the read!</h4>
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
</div>
</div>
<h3>How I feel about Internet Bug bounty! (2014-03-15)</h3>
<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Georgia, Times New Roman, serif;">Lately, I have been spending some time on some major bug bounties to gain experience in an entirely new field, one that I was completely unaware of a few weeks ago!</span><br />
<div>
<span style="font-family: Georgia, Times New Roman, serif;"><br /></span></div>
<div>
<span style="font-family: Georgia, Times New Roman, serif;"><br /></span></div>
<div>
<span style="font-family: Georgia, Times New Roman, serif;">Since then, I have gone through many kinds of responses! In fact, one of the most interesting parts of bug bounty work is seeing how the security engineers view your findings!</span></div>
<div>
<span style="font-family: Georgia, Times New Roman, serif;"><br />Here are some interesting responses I received as replies:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Georgia, Times New Roman, serif;"><a href="http://1.bp.blogspot.com/-A44mLINr7P0/UySCt1X1Z7I/AAAAAAAAAQw/silzy1tI4Jg/s1600/blog1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-A44mLINr7P0/UySCt1X1Z7I/AAAAAAAAAQw/silzy1tI4Jg/s1600/blog1.JPG" height="124" width="640" /></a></span></div>
<span style="font-family: Georgia, Times New Roman, serif;">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
This one made me feel LOL!</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fn54i5EOEUM/UySKXAEuAdI/AAAAAAAAARA/h0Bvy34oRSY/s1600/blog3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-fn54i5EOEUM/UySKXAEuAdI/AAAAAAAAARA/h0Bvy34oRSY/s1600/blog3.JPG" height="94" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
and of course I made some valid submissions too! (Maybe luckily.)</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Frankly, I've learned a lot testing well-renowned and well-reputed companies, and eventually finding an attack vector is really fascinating. It's always fun to have a live target that could, in some way, be exploited!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Black box testing is not always that easy! In general, one has to see how a system responds to a vector and change one's strategy accordingly! However, with the availability of free and custom scanner tools, people have kept trying to replace this process with scanner tools, as a shortcut! But this is a very hard job, because a tool barely understands the context and just keeps trying to get a valid response after executing a random payload. So, basically, tools are not the solution!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A big conflict is: is <b>bug bounty a field of security research</b>?<b> Can bug bounty keep up that feeling, that thirst, that enthusiasm for gaining knowledge in someone who has the mindset of a so-called 'hacker'? (See here for what I refer to as a hacker: <a href="http://www.catb.org/esr/faqs/hacker-howto.html" target="_blank">"Who is a hacker?"</a>)</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
The first thing I'd say is that when bug bounty is done solely for the purpose of making money, it gets worse! The person loses the enthusiasm to learn new things and goes back to searching for skid methods to get onto a whitehat page.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Having said this, the money the company rewards you, at its sole discretion, is also a representation of the severity level of the bug! Of course, an FPD won't be rewarded the same amount as an OAuth bypass!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Almost every site on the internet now has a bug bounty program and a white hat acknowledgement page! This is just because they can't take the risk of getting hacked! They are actually using the sentiment for their benefit! Many sites are built on custom frameworks, and framework-based vulnerabilities do exist in a site that uses one!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The point here is, if involvement in bug bounty isn't a big achievement, finding a new attack methodology is one. Finding a bug may not be that important; developing a mindset for how to think like an attacker is one of the important lessons that bug bounty teaches you!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Is bug bounty really worth it from the company's perspective ?</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Well, in short, yes! I would like to present some recent examples. Mt. Gox had no department to respond to security bugs. Bugs can really be expensive. Mt. Gox shut down (at least, that is what their website states). However, a similar kind of vendor, Coinbase, is alive and strong, as it has one! Yahoo was breached several times before, but since it launched its program, I haven't heard of one in quite a while!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>You call that skid a security researcher, someone who just runs a scanner, doesn't even know what the flaw means, and reports it?</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: left;">
Well, this is true to some extent. But how about this? The same goes for the companies as well. A skid gets $100 for reporting some random FPD. But a bug that could be worth the entire company's property and trust is rewarded $10,000 by PayPal, $20k by Google and $33,500 by Facebook. Is PayPal just worth $10k? </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So, I think basically the sides are even. One gets to the whitehat page with a vulnerability that would barely affect the server's CIA (confidentiality, integrity and availability) properties, and the other with one that could affect all the factors mentioned!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So, if they can pay very little (compared to how devastating it could have been), it is fair enough to report an XSS. But what matters is, pasting a payload into every search box you see without having any knowledge of JavaScript doesn't train your mind in any way!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For example, let's look at these two findings by @joernchen in GitHub's program:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://bounty.github.com/researchers/joernchen.html">https://bounty.github.com/researchers/joernchen.html</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The two issues he reported:</div>
<div class="separator" style="clear: both; text-align: left;">
1) RCE</div>
<div class="separator" style="clear: both; text-align: left;">
2) 2-factor authentication brute force</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The most severe bug possible is valued at $5,000. However, the 2-factor authentication brute force, which is barely an issue because an attacker already needs to know the victim's password, gets $1,000.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So for the first issue the reporter is at a complete loss, and for the second, the company is.</div>
<div class="separator" style="clear: both; text-align: left;">
So I see the sides as pretty evenly balanced, with the great findings always taking the bigger loss!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Also, XSS isn't always skid stuff. JavaScript experts actually look at how each payload is processed, which characters are blacklisted, what is being reflected and, overall, whether the input is being validated and sanitized well. Bug bounty should be more than pasting payloads from your notepad into search forms!</div>
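<div class="separator" style="clear: both; text-align: left;">
What that character-by-character look means in practice, as an added example that is not part of this post: a constructed search page whose "filter" is a blacklist of angle brackets is probed with each metacharacter to see which ones come back unencoded, and the same page with contextual output encoding is probed the same way. The page markup, the blacklist, the marker string and the attribute-breakout payload are all made up for the example; nothing here is a real site's code.</div>

```python
"""Added example: probing which characters a reflecting endpoint leaves
unencoded, and why a blacklist is not a fix.  The two render functions are a
constructed stand-in for a site's search page, not real code."""
import html
import re
from html.parser import HTMLParser

# Characters that matter when input lands inside an HTML attribute value.
PROBE_CHARS = ['<', '>', '"', "'", '&']

# Hypothetical breakout payload for a value="..." attribute context: close the
# attribute, then add an event handler that fires without user interaction.
BREAKOUT_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_search_weak(query):
    """Constructed vulnerable page: a blacklist strips angle brackets, so
    '<script>' never works, but quotes are reflected raw into an attribute."""
    cleaned = query.replace('<', '').replace('>', '')
    return f'<form><input type="text" name="q" value="{cleaned}"></form>'


def render_search_fixed(query):
    """Same page with contextual output encoding: every character that can
    terminate an attribute value is entity-encoded (quote=True covers both quotes)."""
    return f'<form><input type="text" name="q" value="{html.escape(query, quote=True)}"></form>'


def surviving_chars(render):
    """Reflect each probe character between 'zx' markers and report which ones
    come back byte-for-byte unencoded: those are what an attacker builds on."""
    survivors = []
    for ch in PROBE_CHARS:
        page = render(f"zx{ch}zx")
        m = re.search(r"zx(.*?)zx", page)
        if m and m.group(1) == ch:
            survivors.append(ch)
    return survivors


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser would actually see on the <input>."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs.update(dict(attrs))


def handler_injected(render):
    """True if the payload escaped value="" and became a real onfocus attribute."""
    p = _InputAttrs()
    p.feed(render(BREAKOUT_PAYLOAD))
    return "onfocus" in p.attrs


if __name__ == "__main__":
    for name, render in (("blacklist", render_search_weak), ("encoded", render_search_fixed)):
        print(f"{name}: unencoded {surviving_chars(render)!r}, "
              f"handler injected: {handler_injected(render)}")
```

<div class="separator" style="clear: both; text-align: left;">
Against the blacklist page the double quote, single quote and ampersand survive, so the breakout payload turns into a genuine <code>onfocus</code> attribute even though no angle bracket ever reached the page; against the encoded page nothing survives and the same payload is inert text. Whether the payload works depends on the output context, which is exactly what a scanner pasting <code>&lt;script&gt;</code> into search boxes never checks.</div>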
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Of course, "money" will always be a driving factor in the field! It should be, because a server-side privilege escalation or an authentication bypass should always get higher priority than an XSS bug, and the level of priority is shown by the amount the company is willing to spend to reward the researcher.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Moreover, viewed from another perspective, it is also about that "feeling" of pride in helping the community stay secure! It's not always about the money, and it shouldn't be!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</span></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-153277139897523725.post-68856401744741686712013-04-02T21:15:00.001-07:002015-10-18T20:53:00.263-07:00Bruteforce facebook using python and dictionary<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
(This is not a Facebook hack tool; in fact, a Facebook hack tool does not even exist. Please read carefully: it is just a Python script that runs a dictionary attack against a Facebook login, for educational purposes only.)<br />
<br />
<br />
Here is a way to run a dictionary attack against the Facebook password of an account. The tool is coded in Python and uses mechanize (a Python library that emulates a browser: it fetches the login form, keeps the hidden fields and cookies, and submits the form) to try each word of the dictionary as the password. You need Python 2.7.3 and mechanize installed on your PC. (Python 2 reached end-of-life in January 2020; mechanize 0.4 and later also run on Python 3.) Be aware that an online attack like this is only as good as its wordlist, and a login endpoint that throttles or locks the account after a few failed attempts, as Facebook does, stops it long before the dictionary is exhausted.<br />
<br />
<br />
1) To download Python on Windows, go to <a href="http://python.org/download/" target="_blank">http://python.org/download/</a> (download the 2.7.x version).<br />
Linux machines come with Python preinstalled as part of the developer tools.<br />
<br />
2) To install mechanize, go to <a href="http://wwwsearch.sourceforge.net/mechanize/download.html" target="_blank">http://wwwsearch.sourceforge.net/mechanize/download.html</a><br />
<br />
and download the zip if you are on Windows, or the tar.gz if you are running Linux.<br />
<br />
3) On Windows, add C:\Python27 to your PATH environment variable so that <code>python</code> can be run from cmd. Do not copy the contents of C:\Python27 into C:\Windows\System32: that pollutes the system directory and breaks later upgrades, and setting PATH is all that is needed.<br />
<br />
Linux users can skip to step 5.<br />
<br />
4) In cmd, change to the directory where you extracted mechanize.<br />
<br />
<br />
5) Now run <code>python setup.py install</code> from that directory,<br />
<br />
like this:
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-2qkJc-35W-c/UVuoFrhoDqI/AAAAAAAAAMI/dA54Lyebd2Q/s1600/blog.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://1.bp.blogspot.com/-2qkJc-35W-c/UVuoFrhoDqI/AAAAAAAAAMI/dA54Lyebd2Q/s320/blog.JPG" width="320" /></a></div>
<br />
<br />
<br />
Now you are ready to execute the program.<br />
<br />
Download the .py file from the following link after skipping the ad:
</div>
<br />
<br /><br /><input onclick="startGateway('150473');" type="button" value="Download here" />
Now open the brute-forcer in IDLE. To open IDLE, press the Windows key and search for 'idle'.<br />
<br />
Open the downloaded script with File &gt; Open (Ctrl+O; Ctrl+N only gives you a new, empty window). To run the program, simply press F5.<br />
<br />
You should obtain the following output:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-FlTW5-JHXDI/UVusrlITiqI/AAAAAAAAAMY/ChqL6rG5gRs/s1600/blogma.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="http://1.bp.blogspot.com/-FlTW5-JHXDI/UVusrlITiqI/AAAAAAAAAMY/ChqL6rG5gRs/s320/blogma.JPG" width="320" /></a></div>
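<br />
Since the page only links to the script, here is an added example of the mechanics such a script relies on, written in Python 3 against a constructed login page and a constructed server so that it runs offline. It is not the post's script and never talks to Facebook: the form markup, the hidden <code>lsd</code> token, the account, the wordlist and the lockout threshold are all made up for the example.<br />

```python
"""Added example: a dictionary attack against a constructed login form,
plus the lockout check that stops it.  Nothing here contacts a real site."""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed login page standing in for what a browser emulator such as
# mechanize would fetch.  The hidden 'lsd' field is a made-up anti-CSRF token
# that a naive POST without form parsing would forget to send.
LOGIN_PAGE = """
<html><body>
<form id="login_form" action="/login.php" method="post">
  <input type="hidden" name="lsd" value="AVq8Z1x">
  <input type="text" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Log In">
</form></body></html>
"""

# Constructed wordlist; the real password is deliberately not the first entry.
WORDLIST = ["123456", "password", "qwerty", "abc123", "monkey", "letmein", "dragon"]


class _FormParser(HTMLParser):
    """Collect the form action and every named input, hidden fields included."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def parse_login_form(page):
    p = _FormParser()
    p.feed(page)
    return p.action, p.fields


# --- constructed server side -------------------------------------------
_SALT = b"constructed-salt"
MAX_FAILURES = 5  # assumed lockout threshold


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 1000)


USERS = {"victim@example.com": _hash("letmein")}  # constructed account


class LoginServer:
    """Minimal stand-in for a login endpoint.  lockout=False shows the attack
    succeeding; lockout=True shows why it fails against a site that throttles."""
    def __init__(self, lockout=True):
        self.lockout = lockout
        self.failures = {}

    def post(self, action, body):
        if action != "/login.php":
            return 404
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if "lsd" not in form:
            return 400  # token missing: the form was not submitted properly
        email = form.get("email", "")
        if self.lockout and self.failures.get(email, 0) >= MAX_FAILURES:
            return 429  # account locked / throttled
        expected = USERS.get(email)
        if expected is not None and hmac.compare_digest(expected, _hash(form.get("pass", ""))):
            self.failures.pop(email, None)
            return 200
        self.failures[email] = self.failures.get(email, 0) + 1
        return 401


def dictionary_attack(server, email, wordlist):
    """Submit each candidate through the parsed form (hidden fields kept).
    Returns (password or None, attempts made, whether lockout stopped us)."""
    action, fields = parse_login_form(LOGIN_PAGE)
    for attempts, candidate in enumerate(wordlist, start=1):
        fields.update({"email": email, "pass": candidate})
        status = server.post(action, urlencode(fields))
        if status == 200:
            return candidate, attempts, False
        if status == 429:
            return None, attempts, True
    return None, len(wordlist), False


if __name__ == "__main__":
    print("no lockout:", dictionary_attack(LoginServer(lockout=False), "victim@example.com", WORDLIST))
    print("lockout:   ", dictionary_attack(LoginServer(lockout=True), "victim@example.com", WORDLIST))
```

Without lockout the sixth candidate logs in; with a five-failure lockout the same wordlist hits a 429 on that sixth attempt and the correct password is never even tested. That is the practical limit of online dictionary attacks, and the hidden-field handling is the reason the post reaches for a form-aware library rather than a bare HTTP POST.<br />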
<br />
<br />
<br />
<br />
<br />
Happy cracking !!!<br />
<br />
Warning: this information is for educational purposes only! xD <br />
<br />
<br />
<br /></div>
Unknownnoreply@blogger.com29tag:blogger.com,1999:blog-153277139897523725.post-45156002037219955472013-02-08T01:20:00.003-08:002014-05-19T06:21:30.658-07:00Security and privacy issues in facebook photos due to graph search <div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
Even though Graph Search is an interesting feature recently added to Facebook, for some people the first impression has been 'creepy'.<br />
<br />
<br />
In Graph Search you can search for terms like<br />
<b>'Movies that movie actors like'</b><br />
<b>'People going to watch today's soccer match'</b><br />
<b>'People who like wine '</b><br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-eXcl5PPJPhY/URTDJ43aWTI/AAAAAAAAAKY/jQHcRuTQNCU/s1600/tyt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-eXcl5PPJPhY/URTDJ43aWTI/AAAAAAAAAKY/jQHcRuTQNCU/s320/tyt.jpg" height="254" width="320" /></a></div>
<br />
<br />
and the results will include people totally unrelated to you, except that they match your search query.<br />
<br />
Graph Search promises to show only content that you already have permission to see. That implies the same search will produce different results for different people.<br />
<br />
<br />
Because of this feature, people who have nothing to do with you can find you in their results. That can make it necessary to make everything on your timeline private, out of a fear of showing up in other people's search results.<br />
<br />
So, if you want your Facebook to be a private place where no one you don't know bothers you, you'd better make every one of your posts and interests private in the privacy settings of your account, remembering that Graph Search can surface anything you have not made private, including your likes and the photos you appear in.</div>
Unknownnoreply@blogger.com1