Sunday, December 15, 2013

Google Adwords Stored XSS - From Nay to Yay!

Hi,
This is an old issue that I submitted to Google previously. I already shared the PoC on my Twitter in Sep '13.


I promised to share a writeup on my recent finding in Google, but since the security team is going to take some time to fix them, I'll share this as a replacement.

This issue was fixed within 2-3 days of my submission. It is quite an interesting finding, actually. The bug exists in the uploader function at "Upload editable report" under the "Reports and uploads" tab.

A user can upload a report through this uploader for his/her future reference. However, the filename parameter of the upload can be manipulated, since no sanitization is performed on it.

The only file types allowed to be uploaded are Excel-type files, CSV and TSV, as shown on the website.
So what I did was run Burp to intercept the request and then change the filename into an XSS payload.





Awesome!!!! A STORED XSS!! Moreover, if you look at it closely, the payload is properly hidden from the user's view. Nice eh? haha..
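To make the point concrete, here is an added example (my own illustration, not AdWords code) of why an extension allowlist alone does not stop a stored XSS carried in the filename, and how HTML output encoding or a strict name check does. The function names and the crafted filename are constructed for the demo.

```javascript
// Added example (not AdWords code): an extension allowlist alone does not stop
// a stored XSS carried in the filename; output encoding or a strict name check does.
const ALLOWED_EXT = new Set(['csv', 'tsv']);

function extensionAllowed(filename) {
  const dot = filename.lastIndexOf('.');
  if (dot < 0) return false;
  return ALLOWED_EXT.has(filename.slice(dot + 1).toLowerCase());
}

// Vulnerable: the user-controlled filename is concatenated straight into the
// HTML of the report list, so a name containing markup is executed on view.
function renderRowUnsafe(filename) {
  return `<tr><td>${filename}</td></tr>`;
}

// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same row, filename encoded for the HTML context.
function renderRowSafe(filename) {
  return `<tr><td>${escapeHtml(filename)}</td></tr>`;
}

// Defence in depth: store only names drawn from a conservative character set
// and reject anything else instead of trying to "clean" it.
const SAFE_NAME = /^[A-Za-z0-9_\-. ]{1,100}\.(csv|tsv)$/i;
function acceptUploadName(filename) {
  return SAFE_NAME.test(filename) ? filename : null;
}

// Constructed filename in the spirit of the post: markup in the name, allowed
// extension, so the type check passes and only the rendering path decides.
const CRAFTED_NAME = '<img src=x onerror=alert(1)>.csv';
```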
I sent the report to the Google team and then waited a few days to get their response. At first I wondered why they took quite some time to accept this issue. Then I realized that... this is actually... a SELF STORED XSS!!!


The team might reject it or reward me with a smaller amount if that is the case!!



But..


Thanks to Nir Goldshlager's presentation at Black Hat 2012 about his bounties, I had in mind what I needed to do.

As you can see, there's a function in AdWords where the owner of the account can invite his/her friend as a partner! Let's see if it works :)





Yup, our victim takes action to become a partner of the evil mind. Muahahaha.. A confirmation email will be sent to us and we just need to grant the access to the victim.




Done. The victim will get the confirmation email and then happily log into his/her AdWords account..

and....
Sorry partner. Muahahahaha...

Google Team's response:

So, I'm actually lucky that AdWords has this kind of function.. but what if there's none?!!! This guy might have the answer :)


Thanks for your time. :)

Ciao.

Wednesday, November 13, 2013

XSS in Google Local

Hi,

Quite lazy, but I still want to share this with you guys. There's no use in keeping it to myself.

URL : http://www.google.com/local/add
Bug  : XSS, probably stored XSS

The vulnerability exists in the video attachment. If you use double quotes (") in this form, it won't work. Double quotes are already filtered.

However, the YouTube link's href uses a single quote, and this character is not filtered.
Moreover, this YouTube link is placed in a few useful tags such as <a href=>, <video src=> and some others.

Payload used: youtube.com/watch?v=blalala');alert(1);('a
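As an added example (my own illustration, not Google's code), the block below reproduces the single-quote break-out that payload relies on, the double-quote-only filter that misses it, and two fixes: context-aware encoding for a JavaScript string and, better, keeping only a validated video id instead of the raw link. The template function names and the YouTube host allowlist are assumptions for the demo.

```javascript
// Added example (not Google's code): the single-quote break-out the payload above
// relies on, the double-quote-only filter that misses it, and two fixes.
const PAYLOAD = "youtube.com/watch?v=blalala');alert(1);('a"; // payload from the post

// The filter described above: only double quotes are removed.
function stripDoubleQuotes(s) { return s.replace(/"/g, ''); }

// Vulnerable: the link is dropped into a single-quoted JavaScript string, so a
// single quote in the link closes the string and the rest runs as code.
function buildScriptUnsafe(link) {
  return `embed('${stripDoubleQuotes(link)}');`;
}

// Fix 1: context-aware encoding for a JS string literal. JSON.stringify escapes
// both quote kinds and backslashes; the extra replacements also neutralise a
// "</script>" inside the value and the U+2028/2029 line terminators.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}
function buildScriptSafe(link) {
  return `embed(${jsStringLiteral(link)});`;
}

// Fix 2 (preferred): never store the raw link. Parse it, allow only YouTube hosts,
// and keep just the 11-character video id, which cannot carry a quote.
const YT_HOSTS = new Set(['youtube.com', 'www.youtube.com', 'm.youtube.com', 'youtu.be']);
function extractYoutubeId(link) {
  let u;
  try { u = new URL(/^https?:\/\//i.test(link) ? link : `https://${link}`); }
  catch { return null; }
  const host = u.hostname.toLowerCase();
  if (!YT_HOSTS.has(host)) return null;
  const id = host === 'youtu.be' ? u.pathname.slice(1) : u.searchParams.get('v');
  return /^[A-Za-z0-9_-]{11}$/.test(id || '') ? id : null;
}
```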




thanks,
@yappare

Thursday, September 5, 2013

Your Gmail Account Can Be Owned IF...

Heyya.. wassup.. here's another sharing from me.

This issue was found accidentally when I tried to make a test Gmail account. From that event, I noticed that your Gmail can be owned EASILY without any technical skill needed.

Before proceeding with the full disclosure, two questions for you.
1 - Did you use your Gmail on a shared network? (internal office, internet cafe, airport wifi, hotel, others?)
Image from www.itp.net

2 - Did you forget to enable your 2nd authentication or security question?
Image from http://sondreb.com


If your answer to both of these questions is YES, just keep calm and relax when your account gets compromised. Is this a bug? An issue? In Google's Security Team's opinion, NO. This is what Google uses for their account recovery process.

Proof of Concept
paswedtest@gmail.com was created without any security question. On the same network as an attacker (***@gmail.com), this guy logged into his Gmail.



So what happens when you log into your account? See below.


Is this related? Yeah. Let's check when we try to recover an account.


Above is the first hint. Recover using your recent device.. so, is it possible to recover an account using an HP computer when I was logged in using an ACER computer yesterday?? YES. The recovery process never checks the device; the truth is that they check the User-Agent (based on a few tests by me and my friends).

Let's proceed.


Put our email (where we want the recovery link sent to) as shown above. Does it need to be related to the account? NO.


Aw crap!! I don't know any of these! Read the statement: you don't need the answer. Just close your eyes and fill it in randomly. The process does not check it at all!


Aww!! Another crap! Guys, chillax.. Just choose "Skip these questions". This section is just for decoration.


This? Another decoration. No need to fill them in. Just submit. But wait! Look at the half-blurred text.. something related to IP.. yeah.. this recovery needs the IP. So is it necessary to use the same IP used during login (e.g. 1.1.1.1)? From our testing, it can be recovered from 1.1.1.2 or 1.1.1.99 too, as long as it is still in the same segment.


Easy? Yeah, so easy :)

For those using a shared network (school, library, hotel, airport, cafe, office, etc.).. good luck with your hunting.


Oh wait. Did I report this to the Google Team? Yes. Their response(s):




Ciao!






Sunday, August 18, 2013

Yo Bug Hunter, whatcha going to do if your confirmed bug gets rejected?!

Hi guys, it's been a while. Lately there's been havoc regarding a person named Khalil whose Facebook bug submission got rejected. In case you don't know it yet, read it Here. Hmm.. this case is quite similar to the 13-year-old guy who got his PayPal bug rejected previously. But in the 13-year-old's case, afaik, his bug had already been found by somebody else. Still, since both of them (Khalil and this guy) made a public disclosure, the bug bounty programs might take some impact from it. Maybe researchers will try to avoid joining their BB programs after this. I did give a comment on this when Casey, the founder/CEO of Bugcrowd, asked in one of the FB groups.


To be honest, even I have had some experience with my bugs being rejected, not just by Facebook but also by PayPal, Google and even Bugcrowd! :P Why does this happen? For sure, these are some of the reasons why mine got rejected:

1 - Not in scope. Rules violation.
  Read the rules first to check what is in scope and what is not!!

2 - Lack of technical steps to let their side reproduce the bug.
  Please, their side needs to handle at least 100+ reports per staff member.. so, if we want their reward, we need to help them as well.

3 - The impact is not worth being called a bug!
  Here are some shots of my rejected bugs.

So, whose fault is it? I don't blame either side much. I just took it as another experience with BB programs, so next time I won't repeat the same thing. But, in case your bug is really a BUG! and they call it "Not a Bug" or "No Impact", prove it to them! As happened to me recently with the PayPal BB program. I found a self/stored XSS in a PayPal domain and gave them the steps to reproduce it as usual. But this is what I got in my latest status update!


My bug was claimed by them as invalid?!! I asked them and this is their reply.



Because I didn't really agree with them, I asked them to recheck it with more details on the issue. I got a good response from them, and they asked me to show the impact with proper steps. I did, and this is the result:


Now I can sit back and relax.. time to hunt another bug.. soon.. :)

Tuesday, June 25, 2013

Bug Bounty - Is it similar? NO!

Hi,
I'm going to share another case from my attempts at bug bounty programs.
The issue I found initially was in the PayPal Bug Bounty Program. And a few weeks ago, I found a similar issue in a Google service. So was I rewarded by both of them? Let's check it out.

The issue I found is sensitive information leakage, where the user's personal email used for registration on that application is exposed to the attacker with a simple method.

In the PayPal Bug Bounty Program, the affected URL was

https://www.paypal-communications.com/Zone/Registration.aspx
As we can see from the above screenshot, there's a form for us to "Retrieve Password", a.k.a. Forgot Password.

If we submit a non-existent user, the application will throw the message "No User Found".


So? What's the issue actually? It's normal, ain't it?!


Nothing's wrong?! Hah! Look at the image below then!


Got it? Yeah! If we put a valid username in that form, the message will show the user's personal email. As shown above, I tested the username administrator and I can see his/her personal email used for this application. This might be used for some social engineering attack.
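Here is an added example (my own illustration, not PayPal's or Google's code) of the "Retrieve Password" behaviour just described, a version that answers the same way whether or not the user exists, and a small detector that flags one source trying many usernames against such a form. The user directory, the log format and the sample log lines are constructed for the demo.

```javascript
// Added example (not PayPal's or Google's code): the "Retrieve Password" behaviour
// described above, a uniform-response version, and a detector for enumeration
// attempts in constructed request logs.
const USERS = new Map([ // constructed sample directory
  ['administrator', { email: 'admin.personal@example.invalid' }],
  ['alice', { email: 'alice@example.invalid' }],
]);

// Vulnerable: unknown and known usernames get different messages, and the
// message for a known one discloses the personal email on file.
function retrievePasswordUnsafe(username) {
  const u = USERS.get(username);
  return u ? `Your password has been sent to ${u.email}` : 'No User Found';
}

// Hardened: the same message whichever branch runs; the address is only used
// server-side. The caller supplies the mail sender so the function stays pure.
const NEUTRAL = 'If that account exists, instructions have been sent to the address on file.';
function retrievePasswordSafe(username, sendMail) {
  const u = USERS.get(username);
  if (u) sendMail(u.email);
  return NEUTRAL;
}

// Detection: one source trying many distinct usernames against the form is the
// signature of enumeration. Log format (constructed): "<ts> ip=<ip> user=<name>".
function enumerationSuspects(logLines, threshold = 5) {
  const perIp = new Map();
  for (const line of logLines) {
    const m = /^\S+ ip=(\S+) user=(\S+)$/.exec(line.trim());
    if (!m) continue;
    const [, ip, user] = m;
    if (!perIp.has(ip)) perIp.set(ip, new Set());
    perIp.get(ip).add(user);
  }
  return [...perIp].filter(([, names]) => names.size >= threshold).map(([ip]) => ip);
}

const SAMPLE_LOG = [ // constructed
  '2013-06-25T10:00:01Z ip=203.0.113.7 user=administrator',
  '2013-06-25T10:00:02Z ip=203.0.113.7 user=admin',
  '2013-06-25T10:00:03Z ip=203.0.113.7 user=root',
  '2013-06-25T10:00:04Z ip=203.0.113.7 user=webmaster',
  '2013-06-25T10:00:05Z ip=203.0.113.7 user=support',
  '2013-06-25T10:05:00Z ip=198.51.100.2 user=alice',
];
```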

For this issue, PayPal rewarded me $100.

So how about the case with the Google bug bounty? Did they reward me as well?
Yeah, Google did not accept that issue as a risk. I'm not going to deny their judgement. It's up to their company. Each company has its own severity level identification.
Below is the screenshot I sent to the Google team.


I think that's all, guys. Till next time with another sharing from me :)

EDIT

Some of you might have noticed that this post suddenly disappeared previously. This is due to another reply I got from Google:


Yes, Google also takes this issue as a threat/bug. So I needed to keep the post as a draft until the issue was fixed. I just checked now and it seems the issue has been resolved.

Adios
@yappare