Tuesday, June 25, 2013

Bug Bounty - Is it similar? NO!

I'm going to share another case from my bug bounty attempts.
The issue I found initially was in the PayPal Bug Bounty Program, and a few weeks ago I found a similar issue in a Google service. So was I rewarded by both of them? Let's check it out.

The issue I found is sensitive information leakage: the personal email address a user registered with for that application is exposed to an attacker by a simple method.

In the PayPal Bug Bounty Program, the URL affected was

As we can see from the screenshot above, there's a "Retrieve Password" form, a.k.a. Forgot Password.

If we submit a non-existent user, the application throws the message "No User Found".

So? What's the issue, actually? It's normal, ain't it?!

Nothing's wrong?! Hah! Look at the image below then!

Got it? Yeah! If we put a valid username in that form, the message shows the user's personal email. As shown above, I tested the username administrator and I can see his/her personal email used for this application. This might be used for a social engineering attack.

For this issue, PayPal rewarded me $100.

So how about the case with the Google Bug Bounty? Did they reward me as well?
Yeah, Google did not accept that issue as a risk. I'm not going to argue with their judgement; it's up to their company. Each company does have its own severity level identification.
Below is the screenshot I sent to the Google team.

I think that's all, guys. Till next time, with more sharing from me :)


Some of you might have noticed that this post disappeared suddenly for a while. This was due to another reply I got from Google:

Yes, Google also took this issue as a threat/bug. So I needed to keep the post as a draft until the issue was fixed. I just checked and it seems the issue has been resolved.


Friday, June 21, 2013

Google Bug Bounty - Don't Waste Your Time XSSing the Sandbox Domain

Hi All,
In this post I'm going to share some of the XSSes I found for the Google Bug Bounty. However, all of these findings are located in their sandbox domain.

Even though there's still a risk to users, such as phishing, malware, jdb and so on, under the Google Bug Bounty Program it is still not accepted.

This is mentioned on their page

If you still try to send bugs found in the sandbox domain, this kind of email will appear in your inbox:

The domain in which the feature is hosted is specifically meant as a
compartmentalized "sandbox" for various types of potentially unsafe,
user-controlled content. This domain is isolated from any sensitive
content due to the same-origin policy.

Since there's no reward for the sandbox domain, I asked their permission to publish the bugs on my blog and got it :)

Below are some of the XSSes I found in their sandbox domain and, of course, rejected -_-"

Bug existed due to an old version of jPlayer.

Similar issue found in googleapis.com, old version of jPlayer.

Stored XSS. This can be found in Google Currents. However, someone else found this previously.

This one was found after Internetwache posted on his blog about trying to bypass a limited-character XSS.

I think that's all! See you again!


Wednesday, June 19, 2013

Facebook Bug Bounty - Time Based SQLi in FB's Acquisition

I'm back.
In the previous post I talked about how long Facebook's security team takes to reply to you for your 1st reward (in my case almost a month).

Here's the POC for my finding.
Oh, btw, I've censored the URL. Why? I'm quite sure there are still more bugs in this acquisition. So a real bug hunter, with these images, will know how to find the real site :D Good luck!

Time Based SQLi in FB's Acquisition

I checked out their forgot password form. Testing with a single quote (') produced a weird but well-known error. Yes, an SQL error.

Hmm... let's try to close the quote.


Now let's try to give some POC. Use a simple test with the 1 or 1=1 thingy.

Hmm, unknown error? So this is the TRUE/FALSE response.

Hah! A different error. This might be its FALSE/TRUE response then.

I'm on the right track! But it's still not enough for a POC!

Try to figure out a valid column? Let's try the same thing I used for my PayPal bounty.

Testing to check if xxxxx is a valid column... NO!

Testing if user is a valid column. YEAH!!!

Final touch-up... let's try time-based testing!

Finally... my bug was accepted by Facebook and will join FB's whitepage. Mission accomplished and...
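Both the PayPal/Google "Retrieve Password" leak above and this forgot-password SQLi come down to the same handler doing two things wrong: building the lookup query from the submitted username, and answering differently depending on what the database returned (a raw SQL error, "No User Found", or the registered email). The following is an added example, not code from any of the sites in these posts or from their owners: it uses an in-memory SQLite table with constructed users and `.invalid` addresses, shows the leaky behaviour as described in the posts beside a hardened version that uses a parameterised query, keeps database errors in the server log, and returns one identical message whether or not the username exists. The `outbox` list stands in for a mail sender and the `make_db`/`forgot_password` names are my own.

```python
import logging
import secrets
import sqlite3

# One reply for every request, so the response text can no longer be used
# to confirm that an account exists or to read its email address.
GENERIC_MESSAGE = ("If an account with that username exists, password reset "
                   "instructions have been sent to its registered email address.")

log = logging.getLogger("forgot_password")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite users table, not a real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("administrator", "admin@example.invalid"),  # constructed
         ("alice", "alice@example.invalid")],         # constructed
    )
    conn.commit()
    return conn


def leaky_forgot_password(conn: sqlite3.Connection, username: str) -> str:
    """The 'before' behaviour the posts describe: SQL built from the raw
    username, and a reply that differs by whether the account exists."""
    query = f"SELECT email FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # The database error is echoed straight back to the client.
        return f"Database error: {exc}"
    if row is None:
        return "No User Found"
    # The registered email is shown to whoever submitted the form.
    return f"Password reset instructions sent to {row[0]}"


def forgot_password(conn: sqlite3.Connection, username: str, outbox: list) -> str:
    """Hardened handler: parameterised query, no database text in the reply,
    and the same message for existing and non-existing usernames.
    `outbox` is a hypothetical stand-in for a mail sender."""
    try:
        row = conn.execute(
            "SELECT email FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error:
        # Operators see the failure in the log; the client learns nothing specific.
        log.exception("lookup failed for password reset request")
        row = None
    if row is not None:
        token = secrets.token_urlsafe(32)
        # Only the owner of the registered address receives anything.
        outbox.append((row[0], token))
    return GENERIC_MESSAGE


if __name__ == "__main__":
    conn = make_db()
    probes = ("administrator", "nobody", "'")
    for probe in probes:
        print("leaky   ", repr(probe), "->", leaky_forgot_password(conn, probe))
    sent = []
    for probe in probes:
        print("hardened", repr(probe), "->", forgot_password(conn, probe, sent))
    print("reset mails queued:", len(sent))
```

The three probes are the ones the posts describe: a real username, a non-existent one, and a lone single quote. With the leaky handler they give three different replies (the email address, "No User Found", and a database error); with the hardened one they give the same sentence, and only the request for a real account produces a mail in the outbox.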


Facebook Bug Bounty - Finally :D

Facebook Inc. has its own Bug Bounty Program, which you can find here. The rewards are quite interesting.
On 9th May, I found an SQLi bug in one of their acquisitions. I submitted it to their team and they acknowledged it.

On 29th May, I noticed that the bug had been fixed, and I shot an email about it to their team asking for confirmation and, of course, waiting for my reward :P

However, there was no reply. At first it was quite frustrating, but thinking back to my first reward with the PayPal bug bounty, they took quite a while as well. So I just waited patiently. Even one of my buddies, Prakhar, in his comment on this blog

So today, that day has come :D
The email that I have been waiting for was sent to my inbox.

Another mission accomplished!!

The POC? I'll share it on my next post :)