Thursday, 14 May 2015

How Github added a button because of me

Hi all! This time I'm writing a slightly different post.

Last month I was browsing GitHub Gist, read a little script and forked it. I opened Chrome and navigated to my Gist URL, but I was logged in with another account, so I decided to comment on that Gist to do some tests.

While testing I noticed that I (the admin and creator of the Gist) could edit it, delete it... but I WASN'T ABLE to edit other users' comments. I did not find that option in the GitHub API or in the UI.

  • I opened my proxy
  • I edited a comment I had posted previously
  • I changed the comment ID in the request to another user's comment ID
  • I forwarded the request
Surprisingly, the comment was edited. I thought it could be a security risk (because the UI did not offer users that option), so I reported it to their Bug Bounty Program.
Sadly I got this after a few emails from one of their engineers:
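The lesson of the report is that a missing button in the UI is not an authorization check: the server has to decide, on the object the request's ID resolves to, who may edit it. The following is an added example (not GitHub's code) with a small in-memory Gist model and made-up user names, showing the unchecked handler shape beside a hardened one whose policy makes "owners may moderate comments" an explicit, auditable choice.

```python
"""Object-level authorization for editing comments.

Added example (not GitHub's code): a minimal in-memory model of a Gist with
comments, showing how a server should decide who may edit a comment instead
of trusting whatever comment ID the client puts in the request.
"""
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: int
    author: str
    body: str


@dataclass
class Gist:
    gist_id: int
    owner: str
    comments: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the caller is not allowed to edit the comment."""


def can_edit_comment(gist: Gist, comment: Comment, user: str,
                     owner_may_moderate: bool) -> bool:
    """Authorization policy for editing a comment.

    - The comment's author may always edit it.
    - The gist owner may edit it only when the product decides owners are
      moderators (the final answer in the post), so the decision is explicit
      rather than an accident of the request handler.
    """
    if comment.author == user:
        return True
    if owner_may_moderate and gist.owner == user:
        return True
    return False


def edit_comment_unchecked(gist: Gist, comment_id: int, user: str,
                           new_body: str) -> Comment:
    """The bug pattern: the handler looks the comment up by the ID taken from
    the request and never checks who is editing it."""
    comment = gist.comments[comment_id]
    comment.body = new_body
    return comment


def edit_comment(gist: Gist, comment_id: int, user: str, new_body: str,
                 owner_may_moderate: bool = False) -> Comment:
    """Hardened handler: the check happens on the object the ID resolves to,
    so swapping IDs in the request cannot widen access."""
    comment = gist.comments.get(comment_id)
    if comment is None:
        raise KeyError(f"no comment {comment_id}")
    if not can_edit_comment(gist, comment, user, owner_may_moderate):
        raise Forbidden(f"{user} may not edit comment {comment_id}")
    comment.body = new_body
    return comment


def make_demo_gist() -> Gist:
    """Constructed sample data (user names are made up): a gist owned by
    'alice' with a comment by the owner and one by 'bob'."""
    gist = Gist(gist_id=1, owner="alice")
    gist.comments[10] = Comment(10, "alice", "original by owner")
    gist.comments[11] = Comment(11, "bob", "original by bob")
    return gist


def demo() -> dict:
    """Replays the ID swap from the post against both handlers."""
    results = {}
    # Unchecked handler: an unrelated user 'carol' edits bob's comment just
    # by sending bob's comment ID.
    g = make_demo_gist()
    edit_comment_unchecked(g, 11, "carol", "edited by carol")
    results["unchecked_carol_edits_bob"] = g.comments[11].body

    # Hardened handler, owners are not moderators: the owner's edit of bob's
    # comment is refused.
    g = make_demo_gist()
    try:
        edit_comment(g, 11, "alice", "edited by alice")
        results["checked_owner_edits_bob"] = g.comments[11].body
    except Forbidden:
        results["checked_owner_edits_bob"] = "forbidden"

    # Hardened handler with the moderation policy: the owner may edit.
    g = make_demo_gist()
    edit_comment(g, 11, "alice", "moderated by alice", owner_may_moderate=True)
    results["moderation_owner_edits_bob"] = g.comments[11].body
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `can_edit_comment` taking the policy as a parameter is that "owner can moderate" and "only the author can edit" both become testable server-side rules; whichever one the product chooses, the UI is then just a reflection of it, and a proxy-edited ID cannot reach behaviour the policy does not grant.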

8th April, first answer from their team:
Then I was like: "Awwwwwwwwwwwwwwwww yeaaaaaaaaaaah", but after a few emails...

6th May, final answer:
At this moment I was like: "Oh man, today is going to be a very baaaaaaaaaaaad day".

This was my Proof of Concept video which I attached to my report:

Github Bug Bounty Report from Miguel Ángel Jimeno Arce on Vimeo.



Finally I'm happy with this report and I agree with their decision.

I would like to thank their security team and especially Greg Ose.



Regards!

Wednesday, 19 November 2014

[image filename self-XSS] imgur [reported, unfixed]

Hey!
This is a Self-XSS I discovered in the famous image uploader imgur.com.
Steps to reproduce:
1. Take any image you have on your system, for example "cats.png"
2. Go to the terminal and rename it; I used: mv 'cats.png' '"><svg onload=prompt(document.domain)>.png'
3. Upload the renamed image.
4. XSS!





Kind regards.

Wednesday, 22 October 2014

[Multiple Stored XSS] Compose.io [Reported, ignored, unfixed]

Hey!
I reported this security issue in August and I have not received any answer...
Affected domain: compose.io
Vulnerability description: Stored XSS affecting multiple fields and sections.
How to:
  1. Go to Admin --> Users (https://app.compose.io/[your name]/mongo/[your user]/users) ---> Add new user
  2. Type your payload in the name field and type a random password, then confirm the user.
  3. Done!
It's funny because it affects multiple fields of the app, not only the users field. It also affects https://app.compose.io/account/activity.

A few images...


 
They offer a Hall of Fame ---> https://bugcrowd.com/list-of-bug-bounty-programs
Their Hall of Fame ----> https://www.compose.io/security


Kind regards.

Sunday, 21 September 2014

[Reflected XSS] Photobucket [Reported, Unfixed]

Hi all!
Today I want to publish a reflected XSS which I found in February on Photobucket. While cleaning my email inbox I noticed I had had this report open since February and they have not answered me, so here it is!
 
Affected domain: http://photobucket.com
Steps to reproduce the vulnerability:
1. Go to http://photobucket.com/images/anything-you-want
2. Add this to it ---> " onmousemove="alert(0)">
Now your URL could be something like this: http://photobucket.com/images/android" onmousemove="alert(0)">?page=1

You have the XSS!




Kind regards!

Saturday, 6 September 2014

[Multiple Stored XSS and Self-XSS] Audiomack [Fixed, $50 reward]

Hey! I've been on holiday all August.
I want to publish a tale of XSSes on Audiomack; some are Stored and some are Self-XSS.
I must say they were very fast fixing them (the Self-XSS isn't fixed), and I must also thank them for their reward.

  1. Stored XSS ($25)
Go to "www.audiomack.com/manage" --> Change your "Artist name" to this --> "><<svg/onload=prompt(document.cookie)> --> Save the changes --> Go to audiomack.com



  2. Stored XSS ($25) and Self-XSS (unfixed, no reward)

Log in to your account --> go to https://www.audiomack.com/manage/songs/upload --> upload any mp3 file with this name ---> "><<svg onload=prompt(0)>.mp3 (this is the Self-XSS) --> you will get the XSS alert and proof of the vulnerability --> publish it ----> my example ---> http://www.audiomack.com/song/svgonloadprompt0/nirij (it has a prompt(0), so it is safe for you to click on it :P) --> it affects non-registered users as well ---> example with a logged-out Chrome in the attached images







Kind regards

Tuesday, 15 July 2014

[Stored XSS] Eventbrite [Fixed, HoF]

Hi all! This is one of the Stored XSS which I found on Eventbrite.
Steps to reproduce:
1. Login.
2. Go to: eventbrite.es/create
3. Put your XSS payload in these fields: State and City (Estado and Ciudad in Spanish).
4. Put random values in all other fields.
5. Publish your event and go to it.
6. You will get your XSS Proof of Concept.
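Every XSS in these posts (the imgur filename, the Compose.io user name, the Photobucket URL path, the Audiomack artist name and file name, and the Eventbrite State and City fields) is the same defect: a user-controlled string concatenated into HTML without encoding for the context it lands in, and the `"><svg onload=...>` shape works because the attribute is closed and a new element opened. The following is an added example, not the code of any of these sites; it embeds the payload shapes from the posts as constructed test inputs and shows an unsafe template beside one that encodes each value for its exact context.

```python
"""Context-aware output encoding for user-controlled strings.

Added example (not the code of imgur, Compose.io, Photobucket, Audiomack or
Eventbrite). The payloads are constructed test inputs copied from the posts;
a tiny template shows the difference between concatenating a value into HTML
and escaping it for the context it is inserted into.
"""
import html
import urllib.parse

# Constructed inputs: the payload shapes used in the posts above.
FILENAME_PAYLOAD = '"><svg onload=prompt(document.domain)>.png'
NAME_PAYLOAD = '"><<svg/onload=prompt(document.cookie)>'
PATH_PAYLOAD = 'android" onmousemove="alert(0)">'


def render_unsafe(filename: str, display_name: str) -> str:
    """The bug pattern: raw strings concatenated into attribute and text context."""
    return (f'<img src="/i/{filename}" alt="{filename}">'
            f'<span class="author">{display_name}</span>')


def attr(value: str) -> str:
    """Escape for a double-quoted HTML attribute value: &, <, >, " and '."""
    return html.escape(value, quote=True)


def text(value: str) -> str:
    """Escape for HTML text content (&, < and >)."""
    return html.escape(value, quote=False)


def url_path_segment(value: str) -> str:
    """Percent-encode a value used as one path segment of a URL, so '"', '<',
    '>' and spaces can never terminate the attribute that carries the URL."""
    return urllib.parse.quote(value, safe="")


def render_safe(filename: str, display_name: str) -> str:
    """Each value is encoded for the exact context it is inserted into:
    URL segment inside an attribute, plain attribute value, text content."""
    return (f'<img src="/i/{url_path_segment(filename)}" alt="{attr(filename)}">'
            f'<span class="author">{text(display_name)}</span>')


def contains_injected_tag(markup: str) -> bool:
    """Coarse check used by the demo: did an <svg ...> element survive into
    the markup as a real tag rather than as escaped text?"""
    return "<svg" in markup


def demo() -> dict:
    """Renders the constructed payloads through both templates."""
    unsafe = render_unsafe(FILENAME_PAYLOAD, NAME_PAYLOAD)
    safe = render_safe(FILENAME_PAYLOAD, NAME_PAYLOAD)
    return {
        "unsafe_has_tag": contains_injected_tag(unsafe),
        "safe_has_tag": contains_injected_tag(safe),
        # The Photobucket case: a path value reflected into an attribute.
        "reflected_attr": f'<a href="/images/{attr(PATH_PAYLOAD)}">',
        "safe_markup": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Renaming a file to a safe name on upload is a useful second layer, but it does not replace output encoding: the same string is also shown as an artist name, a city, or a URL segment, and each of those contexts needs its own encoder at render time.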

I reported it and got the answer in a few hours.
"Thanks for contacting Eventbrite Security

We are fixing this issue as we speak. It is an oversight in a new UI
change to our global headers.

The actual field affected is the State field of the Venue description.

We are happy to include you on our Wall of Fame. Please provide the
name and twitter handle/URL you wish to be listed under.

Thanks!

- --
Eventbrite Security
security@eventbrite.com
"


Then, they added me to their Wall of Fame ;)

Kind regards!