Very good article that I recommend you guys to read. This is part 1.
http://blog.checkpoint.com/2015/08/04/wordpress-vulnerabilities-1/
Enjoy!
I come across a web application in a bounty private program that reflected my var – xss – with the following code:
var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); }
catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);
So what I tried next was to put a XSS vector in place:
</pre> <pre>vuln-site/?t=xss;alert(1);//</pre> <pre>
Which reflected:
var _s_tab = xss;alert1;//;
So it removed the () chars… I thought to myself – A Challenge!
My next step was to try something that I already used in a previous research.
Use location.hash and then execute my attack.
vuln-site/?t=1;document.body.innerHTML=location.hash#<img src=x onerror=prompt(1)>
The other good thing about this type of attack is that the payload is in part of the url hash and is therefore never sent to the server. (no servers logs of actual attack payload)
I needed a small XSS vector that could fit in a 10 char limit variable in a limit 10 char on a private client to show him that limiting chars on a variable is not secure…
central.push({ 'var1': 'INJECT_HERE' });
So after some attempts I was unable to find one so I called for help 🙂
@soaj1664ashar 10 char fun: ‘-open()-‘
Making a valid Javascript:
central.push({ 'var1': ''-open()-'' });
This XSS vector only opens a new tab/window but in my clients case it was stored in a cookie so it was a pain in the ass to close a window each time he navigated in his web application.
Nice catch!
[News] Exploits start against flaw that could hamstring huge swaths of Internet – http://t.co/u15KiTgFm0
— bugcrowd (@Bugcrowd) August 3, 2015
Just checked the Hall of Fame of Cobalt.io and I’m now number 1 in the rank. Not bad for a portuguese guy that started in March.
Next objective… 1000 points! Let’s go!
Who is Desk.com?
Salesforce Desk.com help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. Desk.com can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your agents more easily serve customers, your small business will have the insights needed to build better products and make smarter, growth-driving decisions.
– in http://www.salesforce.com/desk/overview/
Who uses Desk.com?
When I help companies to fix security issues I do not ask anything in return.
I come across a security issue on Mixpanel when auditing private client on Cobalt.io and I send to Mixpanel a little security advisory describing a Reflected Filename Download vulnerability with a couple of screenshots.
Mixpanel security team fixed the vulnerability very fast showing that they care about security.
Some people say that it’s the price of fame but I don’t think it’s the case.
Someone is using my name and reputation to contact site owners and sell their security services. Apparently it’s a guy from Pakistan with the Paypal – [email protected].