malsploit

paypal-*.com [FPD] [XSS] + a strange SQL error


FPD

pfd.png

XSS

xss.png

The SQL error

sqlip.png

Initially they told me that, unfortunately, they no longer offer a bounty for those domains. I asked whether I could do a full disclosure and they replied, after 2 minutes, that they would send the issue to the engineers for validation and that I would receive the bounty. After I got that message, they had me explain how I reproduce the vulnerability.


What scumbags. They really think they're good on their own site and look for ways to avoid paying.

And congratulations on the XSS. Good luck with more, but at the same time, do you think it's still worth it?

I don't know what to say. I've received $750 so far and I'm resting easy in my bed. Some will say it's little and not worth it. That money came in handy for me and I got it in a pleasant way, almost playing. I'm aware that by exploiting that XSS I could have made sums with many zeros. But would it be worth it?


what does paypal.com have to do with paypal-....com? just sayin'

Please note that our partner sites (www.paypal-__.com) are mainly marketing based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publically maintained due to frequent changes. When researching bugs on these sites, please keep this in mind as bug Submissions for sites on schedule for deprecation will not be honored.

Source: https://www.paypal.com/us/webapps/mpp/security-tools/reporting-security-issues



You got quite a lot, considering the XSS was the only "vulnerability". Think about it, they could have given you just $100.


they said it's valid :)

Hello ***,

Thank you for your participation in the PayPal Bug Bounty Program. Our security engineers have confirmed that your vulnerability submission is valid. After the vulnerability is fixed, we will notify you of the fix and issue you a bounty. We have provided your status update below.

For your fixed bug you will receive a payout on our next payment cycle. Our next payout will be within the next week.

Please note that PayPal has a review board that meets regularly to determine the bounty amount and the priorities of the fixes. This process requires that we review each bug carefully, thus we request that you allow us some time before we communicate back to you.

Title: [sqli] paypal-*.com

UID: DO110***

Status: Validated and Awaiting Fix

Per the terms of the Bug Bounty Program, we ask that you do not disclose your finding to the public or to the media while we implement a fix.

We take pride in keeping PayPal the safer place for online payment.

Thank you so much for your patience!

PayPal Security Team



The paypal-*.com sites are used by PayPal for marketing and are administered indirectly by PayPal. These sites use an SSL certificate signed by PayPal.

oki doki, I didn't know... thanks


I found a subdomain on paypal.com. It sends, via POST, a parameter that appears in the source as a hidden input and whose value is my IP. It can also be sent via GET and can contain any value. Nothing is filtered and a nice XSS came out.

Could the fact that I can "spoof" the IP be considered a vulnerability by the engineers?



Yes, of course! But DON'T report both of them in the same e-mail.


I received an email from PayPal:

Hello,

In an effort to provide recognition to our research partners who have supported our security efforts, we are updating our PayPal Bug Bounty Wall of Fame to feature individuals like yourself who have made significant contributions over each quarter. We will refresh our listings on a quarterly basis to include both our top 10 researchers by quarter, as well as our honorable mention page for everyone that provided a valid submission over the same time period.

We would like to thank you for your efforts and congratulate you for being recognized in the second quarter of 2013. We would like to list your name and, if applicable, your credentials and the name of your organization, on our proposed Wall of Fame page which will be available in the coming months. In order to do so, we must have your consent. Please follow the instructions below and return the form to us at our PayPal Site Security email portal as soon as possible.

Acknowledgment Form:

Yes I, (your name) would like to participate in PayPal’s Wall of Fame program and hereby grant PayPal the right to display the display name and, to the extent applicable, the credentials and organization name set forth below on PayPal’s Wall of Fame. If at any time I wish to no longer participate in the Wall of Fame, I will contact PayPal via email and request my name be removed from the Wall of Fame. I acknowledge PayPal has the right to remove my display name from their Wall of Fame at any time if I do not comply with the Bug Bounty Program Terms (https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues) or the terms of any other agreement I may have with PayPal.


OFF: I found a Source Code Disclosure on a site that belongs to them.

I sent them a message to see whether they happen to pay for something like that. I didn't give them the vulnerability yet, to see what they say first.

ON: Congratulations hate.me. Maybe we'll see each other in the HoF. :)


I reported a reflected XSS on where.com. The User-Agent appeared, stored in a variable. I reported it 2 weeks ago and they told me they needed more details. I made them a screencast and they said the engineers still needed details. I tried to explain and they kept repeating the same thing. Last night I sent them a 2-page PDF report with screenshots, implications and explanations. I explained to them what reflected XSS means.

They replied: Sebastian(?), we're sorry but it's a duplicate.

I sent them an email and told them my name isn't Sebastian and that I had reported the vulnerability 2 weeks ago. They apologized and told me to send the vulnerability again. By morning it was fixed.

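Two bugs in this thread share one root cause: a request-controlled value (the "ip" parameter reflected into a hidden input, and the User-Agent header on where.com) rendered into HTML without encoding. The example below is added here and is not code from any poster or from PayPal; the render functions, the sample request and the probe string are constructed to show the vulnerable form beside the fixed one.

```python
import html
import ipaddress

# Added example (not code from the thread). It models the two bugs described
# above: a client-supplied "ip" parameter reflected into a hidden input, and
# the User-Agent header reflected into the page. The fix in both cases is to
# render only server-side values and to HTML-escape before output.

HIDDEN_INPUT = '<input type="hidden" name="ip" value="{value}">'

def render_ip_vulnerable(params):
    """Before: the client-supplied 'ip' value is inlined verbatim, so any
    GET/POST content lands unescaped inside the attribute."""
    return HIDDEN_INPUT.format(value=params.get("ip", ""))

def render_ip_fixed(params, remote_addr):
    """After: the request parameter is ignored (it can be spoofed); the
    address the server actually saw is validated and escaped instead."""
    try:
        ip = str(ipaddress.ip_address(remote_addr))
    except ValueError:
        ip = ""  # refuse to render something that is not an IP address
    return HIDDEN_INPUT.format(value=html.escape(ip, quote=True))

def render_ua_vulnerable(headers):
    """Before: the User-Agent header is reflected without encoding."""
    return "<p>Your browser: %s</p>" % headers.get("User-Agent", "")

def render_ua_fixed(headers):
    """After: same output, entity-encoded so header content stays text."""
    ua = headers.get("User-Agent", "")
    return "<p>Your browser: %s</p>" % html.escape(ua, quote=True)

def markup_survived(rendered, probe_tag="<i>"):
    """Regression check: True if the probe tag is still live markup."""
    return probe_tag in rendered

# Constructed sample request: a harmless probe that closes the attribute.
PROBE = '"><i>probe</i>'
SAMPLE_PARAMS = {"ip": PROBE}
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 " + PROBE}

if __name__ == "__main__":
    print(render_ip_vulnerable(SAMPLE_PARAMS))            # attribute broken out of
    print(render_ip_fixed(SAMPLE_PARAMS, "203.0.113.7"))  # escaped, server IP only
```

The `markup_survived` check is the kind of assertion a regression test can keep around after the fix ships.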
