malsploit, posted July 25, 2013:

[Attached screenshots: FPD, XSS, the SQL error]

Initially they told me that, unfortunately, they no longer offer bounties for those domains. I asked whether I could do full disclosure and they replied, after 2 minutes, that they would send the issue to the engineers for validation and that I would receive the bounty. After I got that message, they had me explain how I reproduce the vulnerability.
sicilianul, posted July 25, 2013 (edited July 25, 2013 by sicilianul):

What cheapskates. These guys really think they're good on their site and look for ways to stop paying. And congratulations on the XSS. Good luck with more, but at the same time, do you think it's still worth it?
malsploit (thread author), posted July 25, 2013:

> What cheapskates. These guys really think they're good on their site and look for ways to stop paying. And congratulations on the XSS. Good luck with more, but at the same time, do you think it's still worth it?

I don't know what to say. I've received $750 so far and I'm lying peacefully in my bed. Some will say it's little and that it isn't worth it. This money came in handy for me and I got it in a pleasant way, almost playing. I'm aware that by exploiting that XSS I could have made sums with many zeros. But would it have been worth it?
incode, posted July 29, 2013:

Nice work. I had an SQLi in PayPal too, but someone had already reported it... Good job.
EAdrian, posted July 29, 2013:

What does paypal.com have to do with paypal-....com? Just sayin'.
dekeeu, posted July 29, 2013:

> What does paypal.com have to do with paypal-....com? Just sayin'.

> **Please note that our partner sites (www.paypal-__.com) are mainly marketing based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publically maintained due to frequent changes. When researching bugs on these sites, please keep this in mind as bug Submissions for sites on schedule for deprecation will not be honored.

Source: https://www.paypal.com/us/webapps/mpp/security-tools/reporting-security-issues
SilenTx0, posted July 29, 2013:

Congratulations! Here's to more.

> Nice work. I had an SQLi in PayPal too, but someone had already reported it... Good job.

There's no question of us not believing you when you say something like that. Most likely it was found on Google (actually certainly, not probably).
malsploit (thread author), posted July 29, 2013:

> What does paypal.com have to do with paypal-....com? Just sayin'.

The paypal-*.com sites are used by PayPal for marketing and are administered indirectly by PayPal. These sites use an SSL certificate signed by PayPal.
1337, posted July 29, 2013:

> [Attached screenshots: FPD, XSS, the SQL error]
> Initially they told me that, unfortunately, they no longer offer bounties for those domains. I asked whether I could do full disclosure and they replied, after 2 minutes, that they would send the issue to the engineers for validation and that I would receive the bounty. After I got that message, they had me explain how I reproduce the vulnerability.

You got quite a lot considering that the XSS was the only "vulnerability". Think about it: they could have given you just $100.
malsploit (thread author), posted July 29, 2013:

They said it's valid:

Hello ***,

Thank you for your participation in the PayPal Bug Bounty Program. Our security engineers have confirmed that your vulnerability submission is valid. After the vulnerability is fixed, we will notify you of the fix and issue you a bounty.

We have provided your status update below. For your fixed bug you will receive a payout on our next payment cycle. Our next payout will be within the next week.

Please note that PayPal has a review board that meets regularly to determine the bounty amount and the priorities of the fixes. This process requires that we review each bug carefully, thus we request that you allow us some time before we communicate back to you.

Title: [sqli] paypal-*.com
UID: DO110***
Status: Validated and Awaiting Fix

Per the terms of the Bug Bounty Program, we ask that you do not disclose your finding to the public or to the media while we implement a fix.

We take pride in keeping PayPal the safer place for online payment.

Thank you so much for your patience!

PayPal Security Team
EAdrian, posted July 29, 2013:

> **Please note that our partner sites (www.paypal-__.com) are mainly marketing based sites that are not part of the core PayPal customer domains (.paypal.com) and are managed by hosting vendor companies. They have variable timelines and are often decommissioned. A listing of these sites designated for deprecation will not be publically maintained due to frequent changes. When researching bugs on these sites, please keep this in mind as bug Submissions for sites on schedule for deprecation will not be honored.
> Source: https://www.paypal.com/us/webapps/mpp/security-tools/reporting-security-issues

> The paypal-*.com sites are used by PayPal for marketing and are administered indirectly by PayPal. These sites use an SSL certificate signed by PayPal.

Okey dokey, I didn't know... thanks.
malsploit (thread author), posted September 11, 2013:

I found a subdomain on paypal.com. It sends via POST a parameter that appears in the page source as a hidden input and contains my IP as its value. It can also be sent via GET and can contain any value. Nothing is filtered, and a nice XSS came out of it. Could the fact that I can "spoof" the IP be considered a vulnerability by the engineers?
dekeeu, posted September 11, 2013:

> I found a subdomain on paypal.com. It sends via POST a parameter that appears in the page source as a hidden input and contains my IP as its value. It can also be sent via GET and can contain any value. Nothing is filtered, and a nice XSS came out of it. Could the fact that I can "spoof" the IP be considered a vulnerability by the engineers?

Yes, of course! But do NOT report both of them in the same e-mail.
malsploit (thread author), posted September 12, 2013:

I received an email from PayPal:

Hello,

In an effort to provide recognition to our research partners who have supported our security efforts, we are updating our PayPal Bug Bounty Wall of Fame to feature individuals like yourself who have made significant contributions over each quarter. We will refresh our listings on a quarterly basis to include both our top 10 researchers by quarter, as well as our honorable mention page for everyone that provided a valid submission over the same time period. We would like to thank you for your efforts and congratulate you for being recognized in the second quarter of 2013. We would like to list your name and, if applicable, your credentials and the name of your organization, on our proposed Wall of Fame page which will be available in the coming months. In order to do so, we must have your consent. Please follow the instructions below and return to us at our PayPal Site Security email portal and return to us by as soon as possible.

Acknowledgment Form:

Yes I, (your name) would like to participate in PayPal’s Wall of Fame program and hereby grant PayPal the right to display the display name and, to the extent applicable, the credentials and organization name set forth below on PayPal’s Wall of Fame. If at any time I wish to no longer participate in the Wall of Fame, I will contact PayPal via email and request my name be removed from the Wall of Fame. I acknowledge PayPal has the right to remove my display name from their Wall of Fame at any time if I do not comply with the Bug Bounty Program Terms (https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues) or the terms of any other agreement I may have with PayPal.
akkiliON, posted September 13, 2013:

Any news about the $$$? Once they've said it's valid, for an SQLi on paypal-*.com you get $1000!
malsploit (thread author), posted September 18, 2013 (edited September 18, 2013 by hate.me):

https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention

There are 2 other Romanians on there too.
akkiliON, posted September 18, 2013 (edited September 18, 2013 by akkiliON):

OFF: I found a Source Code Disclosure on a site that belongs to them. I sent them a message to see whether they pay for something like that. I didn't give them the vulnerability, to see what they say first.

ON: Congratulations, hate.me. Maybe we'll see each other in the HoF.
malsploit (thread author), posted September 20, 2013 (edited September 20, 2013 by hate.me):

I reported a reflected XSS on where.com. The user agent appeared stored in a variable. I reported it 2 weeks ago and they told me they needed more details. I made them a screencast and they said the engineers still needed details. I tried to explain and they kept going on about that. Last night I sent them a 2-page PDF report with screenshots, implications, explanations. I explained to them what reflected XSS means. They replied: "Sebastian(?), we're sorry, but it's a duplicate." I sent them an email and told them that my name isn't Sebastian and that I had reported the vulnerability 2 weeks ago. They apologized and told me to send the vulnerability again. In the morning it was fixed.
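The September 11 and September 20 posts describe the same defect twice: a client-controlled value (a request parameter that is supposed to carry the visitor's IP, and the User-Agent header) is written into the HTML response without encoding. The following is an added example, not code from the thread or from any of the sites mentioned, showing the vulnerable pattern beside a hardened one from the developer's side. The `Request` class is a constructed stand-in for a web framework's request object, the probe string and addresses are constructed sample data, and the idea generalizes to any untrusted value landing in an HTML attribute or element body.

```python
import html
from dataclasses import dataclass, field


# Constructed stand-in for a framework request object (hypothetical, not any
# real library's API): the peer address comes from the TCP connection, while
# params and headers are fully under the client's control.
@dataclass
class Request:
    remote_addr: str
    params: dict = field(default_factory=dict)    # merged GET/POST parameters
    headers: dict = field(default_factory=dict)


def render_vulnerable(req: Request) -> str:
    """The pattern from the posts: an 'ip' parameter is trusted as the client's
    address and echoed into a hidden input, and the User-Agent header is echoed
    into the page body, neither of them encoded."""
    ip = req.params.get("ip", req.remote_addr)   # spoofable: client chooses it
    ua = req.headers.get("User-Agent", "")
    return (
        f'<input type="hidden" name="ip" value="{ip}">\n'
        f"<p>Your browser: {ua}</p>"
    )


def render_hardened(req: Request) -> str:
    """Fix for both issues: the address is taken from the connection, never from
    a parameter, and every untrusted value is HTML-entity encoded (quote=True
    also encodes the quote characters that would close an attribute)."""
    ip = req.remote_addr
    ua = req.headers.get("User-Agent", "")
    return (
        f'<input type="hidden" name="ip" value="{html.escape(ip, quote=True)}">\n'
        f"<p>Your browser: {html.escape(ua, quote=True)}</p>"
    )


def reflects_markup(untrusted: str, rendered: str) -> bool:
    """Simple reviewer check: does an untrusted input containing markup-
    significant characters survive verbatim in the rendered page?"""
    has_markup = any(c in untrusted for c in '<>"\'')
    return has_markup and untrusted in rendered


# Constructed sample request carrying a harmless breakout probe (an attribute
# terminator followed by a benign tag) in both reflection points.
PROBE = '"><i>probe</i>'
SAMPLE = Request(
    remote_addr="203.0.113.7",
    params={"ip": PROBE},
    headers={"User-Agent": "Mozilla/5.0 " + PROBE},
)


if __name__ == "__main__":
    print("vulnerable reflects probe:", reflects_markup(PROBE, render_vulnerable(SAMPLE)))
    print("hardened reflects probe:  ", reflects_markup(PROBE, render_hardened(SAMPLE)))
    print(render_hardened(SAMPLE))
```

The `reflects_markup` check is deliberately crude: it only tells a reviewer that raw input made it into the output unchanged, which is enough to flag the pattern in the posts, but it says nothing about context-specific encodings (JavaScript strings, URLs, CSS), where HTML entity encoding alone is not sufficient.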