Wednesday, November 13, 2013

XSS in Google Local

Hi,

Quite lazy, but I still want to share this with you guys. No use keeping it to myself.

URL : http://www.google.com/local/add
Bug : XSS, probably Stored XSS

The vulnerability exists in the Video attachment field. If you use double quotes (") in this form, it won't work: double quotes are already filtered.

However, the YouTube link's href is wrapped in single quotes, and that character is not filtered.
Moreover, the YouTube link is reflected into a few useful tags such as <a href=>, <video src=> and some others.

Payload used: youtube.com/watch?v=blalala');alert(1);('a
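As an added example (not code from the original post or from Google), this shows why stripping only double quotes leaves a single-quoted JavaScript string open to the payload above, and a fix that whitelists the YouTube video ID instead of echoing the submitted URL. The template shape (an onclick handler calling play('...')) and the function names are assumptions.

```python
# Added example, not from the original post: why filtering only " does not
# protect a single-quoted JavaScript string, and a whitelist-based fix.
# The onclick template is an assumed shape, not Google's actual markup.
import re
from urllib.parse import urlsplit, parse_qs

# Vulnerable pattern: the form removes " but drops the raw URL into a
# single-quoted JS string, so ' still closes the string.
def render_video_link_naive(user_url: str) -> str:
    filtered = user_url.replace('"', "")          # only " is filtered
    return "<a href='#' onclick=\"play('%s')\">Play</a>" % filtered

YOUTUBE_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")   # canonical video ID charset

def extract_youtube_id(user_url: str):
    """Return the 11-char video ID for a youtube.com/watch URL, else None."""
    if not re.match(r"^https?://", user_url, re.I):
        user_url = "https://" + user_url          # allow scheme-less input
    parts = urlsplit(user_url)
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    if host != "youtube.com" or parts.path != "/watch":
        return None
    vid = parse_qs(parts.query).get("v", [""])[0]
    return vid if YOUTUBE_ID.match(vid) else None

def render_video_link_safe(user_url: str):
    """Rebuild the URL from the validated ID; reject anything else."""
    vid = extract_youtube_id(user_url)
    if vid is None:
        return None                               # do not echo the input
    safe_url = "https://www.youtube.com/watch?v=" + vid
    return "<a href='%s' data-video-id='%s'>Play</a>" % (safe_url, vid)

PAYLOAD = "youtube.com/watch?v=blalala');alert(1);('a"   # payload from the post
```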

thanks,
@yappare

Thursday, September 5, 2013

Your Gmail Account Can Be Owned IF...

Heyya..wassup..here's another sharing from me.

I found this issue accidentally when I tried to create a test Gmail account. From that, I noticed that your Gmail can be owned EASILY, with no technical skill needed.

Before proceeding with the full disclosure, two questions for you.
1 - Did you use your Gmail on a shared network? (internal office, internet cafe, airport wifi, hotel, others?)

2 - Did you forget to enable your 2nd-factor authentication or security question?


If your answer to both of these questions is YES, just keep calm and relax when your account gets compromised. Is this a bug? An issue? In the Google Security Team's opinion, NO. This is simply what Google uses for their account recovery process.

Proof of Concept
paswedtest@gmail.com was created without any security question. On the same network as an attacker (***@gmail.com), this guy logged into his Gmail.

So what happens when you log into your account? See below.


Is this related? Yeah. Let's check what happens when we try to recover an account.


Above is the first hint: recover using your recent device. So, is it possible to recover an account using an HP computer when I was logged in on an ACER computer yesterday?? YES. The recovery process never checks the device itself; what it actually checks is the User-Agent (based on a few tests by me and my friends).

Let's proceed.


Put our email (where we want the recovery link sent to) as shown above. Does it need to be related to the account? NO.


Auw crap!! I don't know any of these! Read the statement: you don't need the answer. Just close your eyes and fill it in randomly. The process does not check it at all!


Auww!! Another one! Guys, chillex.. Just choose "Skip these questions". This section is just for decoration.


This? Another decoration. No need to fill them in. Just submit. But wait! Look at the half-blurred text..something related to IP..yeah..this recovery needs the IP. So is it necessary to use the same IP used during login (e.g. 1.1.1.1)? From our testing, it can be recovered from 1.1.1.2 or 1.1.1.99 too, as long as it is still in the same segment.
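To make the weakness concrete, here is an added example (not Google's code) modelling the recovery check the post describes, a User-Agent match plus the same IP segment, next to a stricter check that also requires a secret bound to the original device. The class and function names, the /24 segment size and the sample events are all constructed for illustration.

```python
# Added example, not Google's code: a model of the recovery decision the post
# describes (UA string + same IP segment) beside a device-bound variant.
# Names, the /24 segment size and all sample events are constructed.
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class DeviceEvent:
    ip: str
    user_agent: str
    device_token: str = ""   # secret cookie set on the device at login

def recover_weak(login: DeviceEvent, request: DeviceEvent) -> bool:
    """Passes when the UA matches and the IP is in the same /24 (the post's model)."""
    same_ua = login.user_agent == request.user_agent
    segment = ipaddress.ip_network(login.ip + "/24", strict=False)
    same_segment = ipaddress.ip_address(request.ip) in segment
    return same_ua and same_segment

def recover_strict(login: DeviceEvent, request: DeviceEvent) -> bool:
    """UA and IP stay as hints; a secret bound to the original device is required."""
    if not login.device_token or not request.device_token:
        return False
    token_ok = hmac.compare_digest(login.device_token, request.device_token)
    return token_ok and recover_weak(login, request)

# Constructed sample: the account owner logged in from 1.1.1.1 with a common UA.
UA = "Mozilla/5.0 (Windows NT 6.1) Chrome/29.0"
OWNER_LOGIN = DeviceEvent("1.1.1.1", UA, "owner-device-secret")

# Another host on the same shared network, same browser build, no device token.
OTHER_HOST_REQUEST = DeviceEvent("1.1.1.99", UA, "")
# The owner's own device later, from a different address in the segment.
OWNER_REQUEST = DeviceEvent("1.1.1.2", UA, "owner-device-secret")
# A request from outside the segment.
OUTSIDE_REQUEST = DeviceEvent("1.1.2.5", UA, "")
```

The weak model accepts the other host because UA strings and /24 ranges are shared by everyone behind the same office or cafe gateway; the strict variant fails it for lack of the device secret.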


Easy? Yeah so easy :)

For those using a shared network (school, library, hotel, airport, cafe, office, etc.)..good luck with your hunting.


Owh wait. Did I report this to the Google team? Yes. Their response(s):

chio!

Sunday, August 18, 2013

Yo Bug Hunter, whatcha going to do if your confirm-a-bug got rejected?!

Hi guys, it's been a while. Lately there's been havoc regarding a person named Khalil who got his Facebook bug submission rejected. In case you don't know about it yet, read it Here. Hmm..this case is quite similar to the 13-year-old guy who got his PayPal bug rejected previously. But the 13-year-old's bug, afaik, had already been found by somebody else. Still, since both of them (Khalil and this guy) made a public disclosure, the Bug Bounty programs might feel some impact from it. Maybe researchers will try to avoid joining their BB programs after this. I gave a comment on this when Casey, the founder/CEO of Bugcrowd, asked in one FB group.


To be honest, even I have had bugs rejected, not just by Facebook but also by PayPal, Google and even Bugcrowd! :P Why does this happen? For sure, these are some of the reasons mine got rejected:

1 - Not in scope / rules violation.
  Read the rules first to check what is in scope and what is not!!

2 - Lack of technical steps for their side to reproduce the bug.
  Please, their side needs to handle at least 100+ reports per staff member..so, if we want their reward, we need to help them as well.

3 - The impact is not worth calling a bug!
  Here are some shots of my rejected bugs.

So, whose fault is it? I don't blame either side much. I just took it as another experience with BB programs, so next time I won't repeat the same thing. But in case your bug really is a BUG! and they call it "Not a Bug" or "No Impact", prove it to them! As happened to me recently with the PayPal BB program: I found a Self/Stored XSS in PayPal's domain and gave them the steps to reproduce it as usual. But this is what I got in my latest status update!


My bug claimed by them as invalid?!! I asked them, and this is their reply.



Because I didn't really agree with them, I asked them to recheck it with more details on the issue. I got a good response from them, and they asked me to show the impact with proper steps. I did, and this is the result:


Now I can sit back and relax..time to hunt another bug..soon.. :)

Tuesday, June 25, 2013

Bug Bounty - Is it similar? NO!

Hi,
I'm going to share another case from my bug bounty attempts.
I initially found the issue through the PayPal Bug Bounty Program, and a few weeks ago I found a similar issue in a Google service. So was I rewarded by both of them? Let's check it out.

The issue I found is Sensitive Information Leakage, where the personal email a user registered with for that application is exposed to an attacker with a simple method.

In the PayPal Bug Bounty Program, the URL affected was

https://www.paypal-communications.com/Zone/Registration.aspx
As we can see from the screenshot above, there's a form for us to "Retrieve Password", a.k.a. Forgot Password.

If we submit a non-existent user, the application throws the message "No User Found".


So? What's the issue actually? It's normal, ain't it?!


Nothing's wrong?! Hah! Look at the image below then!


Got it? Yeah! If we put a valid username in that form, the message shows the user's personal email. As shown above, I tested the username administrator and could see his/her personal email used for this application. This might be used for a Social Engineering attack.

For this issue, Paypal rewarded me $100. 

So how about the case with the Google Bug Bounty? Did they reward me as well?
Yeah, Google did not accept that issue as a risk. I'm not going to argue with their judgement; it's up to their company. Each company has its own severity level classification.
Below is the screenshot I sent to the Google team.


I think that's all guys. Till next time with another sharing from me :)

EDIT

Some of you might have noticed that this post suddenly disappeared for a while. This was due to another reply I got from Google:


Yes, Google also treated this issue as a threat/bug after all, so I had to keep the post in draft until the issue was fixed. I just checked now, and it seems the issue has been resolved.

Adios
@yappare

Friday, June 21, 2013

Google Bug Bounty - Dont Waste Your Time XSSing the Sandbox Domain

Hi All,
In this post I'm going to share some of the XSSes I found for the Google Bug Bounty. However, all of these findings are located in their sandbox domains.

Even though there's still a risk to users, such as phishing, malware, jdb and so on, under the Google Bug Bounty Program it is not accepted.

This is mentioned on their page:
http://www.google.com/about/appsecurity/reward-program/#notavuln

If you still try to send bugs found in a sandbox domain, this kind of email will appear in your inbox:

The domain in which the feature is hosted is specifically meant as a
compartmentalized "sandbox" for various types of potentially unsafe,
user-controlled content. This domain is isolated from any sensitive
content due to the same-origin policy.
Since there's no reward for sandbox domains, I asked for their permission to publish the bugs on my blog and got it :)


Below are some of the XSSes I found in their sandbox domains, and of course rejected -_-"

*.googleapis.com
Bug existed due to an old version of jPlayer.

*.googledrive.com
Similar issue to the one on googleapis.com: an old version of jPlayer.

*.googleusercontent.com
Stored XSS. Can be found in Google Currents. However, someone else found this previously.

*.2mdn.net
This one was found after Internetwache posted on his blog about trying to bypass a limited-character XSS.

I think that's all! See you again! 

adios
@yappare

Wednesday, June 19, 2013

Facebook Bug Bounty - Time Based SQLi in FB's Acquisition

Hi,
I'm back.
In my previous post I talked about how long FB's Security team takes to reply about your 1st reward (in my case almost a month).

Here's the PoC for my finding.
Owh btw, I've censored the URL. Why? I'm quite sure there are still more bugs in this acquisition. So, for a real bug hunter, with these images they'll know how to find the real site :D Good luck!

Time Based SQLi in FB's Acquisition
----------------------------------------------

I checked out their forgot password form. Testing with a single quote ('), a weird but well-known error appeared. Yes, a SQL error.

Hmm..let's try to close the quote.



auwwwwwwwwww...SQLi!

Now let's try to build some PoC. Use a simple test with the 1 or 1=1 thingy.

Hmm, unknown error? So this is the TRUE/FALSE response.

Hah! A different error. This might be its FALSE/TRUE response then.

I'm on the right track! But it's still not enough for a PoC!

Try to figure out a valid column? Let's try the same thing I used for my PayPal bounty.

Testing to check if xxxxx is a valid column..NO!

Testing if user is a valid column. YEAH!!!

Final touch-up..let's try time-based testing!
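As an added example (not the acquisition's code), here is the kind of forgot-password lookup that produces the three outcomes walked through above (SQL error, TRUE, FALSE) when built by string concatenation, next to the parameterised version that returns the same "no row" for every one of those inputs. It runs against a constructed in-memory SQLite table; the table, column and function names are assumptions, and SQLite has no sleep function, so the boolean steps are shown rather than the time-based one.

```python
# Added example, not the acquisition's code: a forgot-password lookup that
# concatenates user input into SQL (the pattern behind the errors in the post)
# beside the parameterised version, against a constructed in-memory table.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, email TEXT)")   # constructed
    conn.execute("INSERT INTO accounts VALUES ('alice', 'alice@example.com')")
    return conn

def lookup_vulnerable(conn, username: str):
    """Concatenates the input into SQL: a quote changes the query's structure."""
    sql = "SELECT email FROM accounts WHERE user = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username: str):
    """Bound parameter: the whole input is compared as data, never parsed as SQL."""
    sql = "SELECT email FROM accounts WHERE user = ?"
    return conn.execute(sql, (username,)).fetchall()

def probe(conn, lookup, username: str) -> str:
    """Classify the outcome the way the post reads the responses."""
    try:
        rows = lookup(conn, username)
    except sqlite3.Error:
        return "error"        # the "weird but well-known" SQL error
    return "row" if rows else "no-row"
```

With `lookup_vulnerable`, a lone quote gives "error", a closed quote with a true condition gives "row" and a false one "no-row", and a condition naming a column that does not exist errors again; `lookup_safe` answers "no-row" to all of them because none of those strings is a real username.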



Finally..my bug was accepted by Facebook and will join FB's whitepage. Mission accomplished and..

Adios.
@yappare