Tuesday, June 25, 2013

Bug Bounty - Is it similar? NO!

Hi,
I'm going to share another case from my bug bounty attempts.
The issue I found initially was in the Paypal Bug Bounty Program, and a few weeks ago I found a similar issue in a Google service. So was I rewarded by both of them? Let's check it out.

The issue I found is Sensitive Information Leakage, where the personal email a user registered with for that application is exposed to an attacker with a simple method.

In the Paypal Bug Bounty Program, the affected URL was

https://www.paypal-communications.com/Zone/Registration.aspx
As we can see in the screenshot above, there's a "Retrieve Password" form, a.k.a. Forgot Password.

If we submit a non-existent user, the application shows the message "No User Found".


So? What's the issue, actually? That's normal, isn't it?!


Nothing's wrong?! Hah! Look at the image below then!


Got it? Yeah! If we put a valid username in that form, the message shows the user's personal email. As shown above, I tested the username administrator and could see the personal email he/she used for this application. This could be used for a social engineering attack.

For this issue, Paypal rewarded me $100. 
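The two behaviours described above (a "No User Found" message for unknown names, and the account's email echoed back for known ones) mean the form is both an email disclosure and a username oracle: the response alone tells a tester which accounts exist. The block below is an added example, not the Paypal application's code or the author's test: it reconstructs that leaky "Retrieve Password" logic, puts a hardened version beside it, and shows the check a tester would run to confirm the leak. The user table, the message wording and the helper names are all constructed for this example.

```python
"""
Added example (not from the original post or the affected site): a leaky
"Retrieve Password" handler, a hardened one, and the probe that tells them
apart. USERS, OUTBOX and the response strings are constructed here.
"""
import re
import secrets

# Constructed sample user table: username -> registration email.
USERS = {
    "administrator": "admin.personal@example.net",
    "alice": "alice@example.org",
}

OUTBOX = []  # stands in for the mail transport in this example

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def retrieve_password_leaky(username: str) -> str:
    """Mirrors the behaviour seen in the post: two different messages, and the
    'found' branch echoes the account's email back to whoever typed the name."""
    email = USERS.get(username)
    if email is None:
        return "No User Found"
    OUTBOX.append((email, "password reminder"))
    return f"Your password has been sent to {email}"


def retrieve_password_hardened(username: str) -> str:
    """Same work, one constant response: the reminder still goes out when the
    account exists, but the page confirms neither the account nor its email."""
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append((email, "password reminder"))
    return "If that account exists, a reminder has been sent to the email on file."


def probe(handler, usernames):
    """Tester's view. Returns {username: (exists, leaked_email)}: 'exists' is
    True when the response differs from the one given for a random name that
    certainly does not exist; 'leaked_email' is any address found in the body."""
    baseline = handler(secrets.token_hex(8))
    results = {}
    for name in usernames:
        body = handler(name)
        match = EMAIL_RE.search(body)
        results[name] = (body != baseline, match.group(0) if match else None)
    return results
```

Running `probe(retrieve_password_leaky, ["administrator", "nobody"])` classifies "administrator" as existing and returns its email; the hardened handler gives the same text for every name, so the probe learns nothing. One caveat the constant message does not cover on its own: if the reminder is sent synchronously, the existing-account path takes measurably longer, so the send should be queued or the response time padded.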

So how about the case with Google Bug Bounty? Did they reward me as well?
Well, Google did not accept that issue as a risk. I'm not going to dispute their judgement; it's up to the company. Each company has its own severity classification.
Below is the screenshot I sent to the Google team.


I think that's all, guys. Till next time, with another share from me :)

EDIT

Some of you might have noticed that this post suddenly disappeared for a while. This was due to another reply I got from Google:


Yes, Google also took this issue as a threat/bug. So I had to keep the post as a draft until the issue was fixed. I just checked, and it seems the issue has been resolved.

Adios
@yappare

Friday, June 21, 2013

Google Bug Bounty - Dont Waste Your Time XSSing the Sandbox Domain

Hi All,
In this post I'm going to share some of the XSSes I found for the Google Bug Bounty. However, all of these findings are located in their sandbox domains.

Even though there's still a risk to users, such as phishing, malware, jdb and so on, under the Google Bug Bounty Program it is not accepted.

This is mentioned on their page:
http://www.google.com/about/appsecurity/reward-program/#notavuln

If you still try to send bugs found in a sandbox domain, this kind of email will appear in your inbox:

The domain in which the feature is hosted is specifically meant as a
compartmentalized "sandbox" for various types of potentially unsafe,
user-controlled content. This domain is isolated from any sensitive
content due to the same-origin policy.
Since there's no reward for sandbox domains, I asked their permission to publish the bugs on my blog and got it :)


Below are some of the XSSes I found in their sandbox domains, all of course rejected -_-"

*.googleapis.com
The bug existed due to an old version of jPlayer.

*.googledrive.com
A similar issue to the one found in googleapis.com: an old version of jPlayer.

*.googleusercontent.com
Stored XSS. This can be found in Google Current. However, someone else had found this previously.

*.2mdn.net
This one was found after Internetwache posted on his blog about trying to bypass a limited-character XSS.

I think that's all! See you again! 

adios
@yappare

Wednesday, June 19, 2013

Facebook Bug Bounty - Time Based SQLi in FB's Acquisition

Hi,
I'm back.
In my previous post I talked about how long FB's security team takes to reply about your first reward (in my case, almost a month).

Here's the POC for my finding.
Oh, by the way, I'll censor the URL. Why? I'm quite sure there are still more bugs in this acquisition. So a real bug hunter will know how to find the real site from these images :D Good luck!

Time Based SQLi in FB's Acquisition
----------------------------------------------

I checked out their forgot password form. Testing with a single quote (') produced a weird but well-known error. Yes, a SQL error.

Hmm.. let's try to close the quote.



auwwwwwwwwww... SQLi!

Now let's try to produce a POC. Start with a simple test, the usual 1 or 1=1 thing.

Hmm, an unknown error? So this is the TRUE/FALSE response.

Hah! A different error. This might be its FALSE/TRUE response then.

I'm on the right track! But it's still not enough for a POC!

Try to figure out a valid column? Let's try the same thing I used for my Paypal bounty.

Testing whether xxxxx is a valid column.. NO!

Testing whether user is a valid column.. YEAH!!!

Final touch-up.. let's try a time-based test!
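The four probes above (a bare quote, the 1=1 / 1=2 pair, a column-existence guess, and finally a sleep) are the standard escalation from "there is an error" to a proof that the input reaches the query. The block below is an added example, not the author's POC and not the acquisition's code: it builds a forgot-password lookup with the same class of flaw (user input spliced into the SQL text) over an in-memory SQLite database and runs that sequence against it offline, with a parameterised version beside it as the fix. The table, the column names, the payload strings and the registered sleep() function are constructed for this example; the real site's schema and database engine are unknown.

```python
"""
Added example (not the original post's POC): string-built SQL in a forgot-
password lookup, exercised with the quote / boolean / column / time probes
from the post. Schema, data and the sleep() function are constructed here.
"""
import sqlite3
import time

PER_ROW_DELAY = 0.25  # seconds the injected sleep() waits for each row it is evaluated on


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    # SQLite has no SLEEP(), so register one; on real targets MySQL's SLEEP()
    # or MSSQL's WAITFOR DELAY plays this role. Returns 1 so it is truthy in WHERE.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 1)
    return conn


def forgot_password_vulnerable(conn, username: str):
    """The flaw: the submitted name becomes part of the SQL text."""
    sql = f"SELECT email FROM accounts WHERE user = '{username}'"
    return conn.execute(sql).fetchone()


def forgot_password_fixed(conn, username: str):
    """The fix: the name travels as a bound parameter, never as SQL."""
    return conn.execute("SELECT email FROM accounts WHERE user = ?", (username,)).fetchone()


def probe(conn, username: str) -> dict:
    """One payload, reported the way an outside tester sees it: did the
    request error (and with what), did a row come back, and how long it took."""
    start = time.perf_counter()
    try:
        row = forgot_password_vulnerable(conn, username)
        error = None
    except sqlite3.Error as exc:
        row, error = None, str(exc)
    return {"error": error, "found": row is not None,
            "elapsed": time.perf_counter() - start}


def run_probes(conn) -> dict:
    """The escalation from the post: quote -> boolean oracle -> column guess -> time oracle.
    '--' closes out the trailing quote the application appends."""
    return {
        "quote":       probe(conn, "'"),                        # syntax error: input reaches SQL
        "true":        probe(conn, "x' OR 1=1--"),              # a row comes back
        "false":       probe(conn, "x' OR 1=2--"),              # no row, no error
        "bad_column":  probe(conn, "x' OR xxxxx IS NOT NULL--"),  # different error: no such column
        "good_column": probe(conn, "x' OR user IS NOT NULL--"),   # no error: column exists
        "time":        probe(conn, f"x' OR sleep({PER_ROW_DELAY})--"),  # delay proves execution
    }
```

The boolean pair is what turns a generic error into an oracle: the same request differs only in a condition the tester controls, and the page differs with it. The time probe is the final confirmation because it works even when the application swallows errors and rows alike; note that the engine evaluates sleep() once per row it inspects before the first match, so the delay observed is at least PER_ROW_DELAY and grows with table size. The fixed function returns nothing for every one of these payloads, since a bound parameter is compared as data.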



Finally.. My bug was accepted by Facebook and will join FB's whitehat page. Mission accomplished and..

Adios.
@yappare

Facebook Bug Bounty - Finally :D

Facebook Inc. has its own Bug Bounty Program, which you can find here. The rewards are quite interesting.
On 9th May, I found a SQLi bug in one of their acquisitions. I submitted it to their team and they acknowledged it.


On 29th May, I noticed that the bug had been fixed, and I shot an email to their team asking for confirmation and, of course, waiting for my reward :P


However, there was no reply. At first it was quite frustrating, but thinking back to my first reward with the Paypal bug bounty, they took quite a while as well. So I just waited patiently. Even one of my buddies, Prakhar, in his comment on this blog:


So today, that day has come :D
The email that I have been waiting for was sent to my inbox.


Another mission accomplished!!


The POC? I'll share it on my next post :)