Category Archives: Web Security

Web Application Security

No hard feelings, I stole your cookies.

and I pwned your server. Have you ever heard about the Samy worm? If not, read the link. If yes, carry on. I was playing around when I noticed that I could input HTML into a site.

I can’t actually explain everything regarding the attack, but… I bypassed their XSS protection (HttpOnly) by using HTTP-defined requests. I “debugged” their server as well, because someone never turned off that feature, and I was able to steal some OAuth keys (of my victim account), which in turn allowed me to post the same code on his profile. If both profiles were public, you understand that things would turn ugly pretty fast. On top of this, while I was filing the bug report, I noticed that some cookies controlled whether you were logged in or out, your level of access, etc. Ermmm… I woke up and it was 2014, not 2005.
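
The cookie problem above (a client-editable cookie deciding login state and access level) next to a server-verifiable alternative, as an added example that is not code from the original post or from the site it describes. `SERVER_SECRET`, the `role` and `session` cookie names and the `session_id:role` payload layout are constructed for the demo; a real application keeps the secret in configuration, not in source.

```python
import base64
import binascii
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for this example; a real application loads it from
# configuration and never ships it in source (assumption).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def weak_role_from_cookie(cookie_header):
    """The pattern the post complains about: the access level is read straight
    from a client-supplied cookie, so whoever edits the cookie picks the role."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["role"].value if "role" in jar else "guest"


def sign_session(session_id, role):
    """Build a cookie value the server can trust: payload plus an HMAC tag
    computed with a secret only the server knows."""
    payload = f"{session_id}:{role}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_session(cookie_value):
    """Return (session_id, role) if the tag matches, else None.
    Any edit to the payload made without the secret invalidates the tag."""
    try:
        b64, tag = cookie_value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        session_id, role = payload.decode("utf-8").split(":", 1)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return session_id, role


def session_cookie_header(cookie_value):
    """Set-Cookie line with the attributes that keep the cookie away from page
    scripts (HttpOnly) and plain-HTTP requests (Secure). HttpOnly only limits
    what injected JavaScript can read; it is not a substitute for the
    server-side check in verify_session."""
    return f"session={cookie_value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print(weak_role_from_cookie("role=admin"))   # the client chose 'admin'
    token = sign_session("s1", "user")
    print(verify_session(token))                  # ('s1', 'user')
    print(session_cookie_header(token))
```

The role still travels in the cookie, but the server recomputes the tag before believing it, so a rewritten payload with the old tag (or any tag) is rejected; a server-side session store keyed by a random id is the other common fix and avoids putting the role in the cookie at all.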


Bypassing XSS Auditor in Google Chrome

I was playing around with a site belonging to the fellow writer blacktom, who also posts stuff on this blog. Anyway, blacktom developed this particular site about 7-8 years ago and made a classic mistake (no hard feelings :) ): he used encoding where he should have used encryption.

Successful exploitation of the flaw results in a reflected XSS transported via the URL (GET method). Although this flaw could lead to more serious things (remember, PHP uses a problematic function to decode base64, which could lead to remote shells etc.), I just stored the URL somewhere; actually I have a bunch of .txt files with vulnerable sites that I have found from time to time.

Anyway, a long time ago I stopped using Chrome when pentesting, because the Firefox plugins significantly extend its features. Also, Chrome didn’t allow testing for XSS vulnerabilities. Being lucky, I opened blacktom’s vulnerable app with Chrome and an alert stating XSS popped. Long story short, I tried various combinations, which all worked. So there is another way to bypass XSS Auditor; remember that <svg> tags allowed a bypass too.

I went on, trying document.cookie and AJAX to this server, and all worked fine. I assumed that Chrome does no XSS auditing inside base64-encoded data. I filed a security bug about this, which I will come back to later. Anyway, the thing is that you can bypass XSS Auditor in Chrome using base64 encoding wherever the web page under attack allows it :)
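
The root cause here is on the server, not in the browser: a base64-decoded parameter is written into the page without output encoding, so a client-side filter that only inspects the raw query string never sees the markup. Chrome's XSS Auditor has since been removed (Chrome 78), so the server-side fix is the only reliable one. The vulnerable rendering beside the fixed one, as an added example that is not code from the original post or from blacktom's site; the `data` parameter name, the `Hello,` template and `SAMPLE_URL` are constructed for the demo.

```python
import base64
import binascii
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the parameter is base64('<b>hi</b>'), with the
# '+' characters percent-encoded because a bare '+' in a query string means space.
SAMPLE_URL = "https://example.invalid/page?data=PGI%2BaGk8L2I%2B"


def decoded_param(url, name="data"):
    """Base64-decode the query parameter `name` from `url`; empty string on
    anything that is not valid base64 / UTF-8. `data` is a constructed
    parameter name, not one from the post."""
    query = parse_qs(urlsplit(url).query)
    raw = query.get(name, [""])[0]
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return ""


def render_vulnerable(url):
    """The bug as described: the decoded value is written into the page as-is,
    so the browser treats any markup in it as part of the page."""
    return "<p>Hello, " + decoded_param(url) + "</p>"


def render_fixed(url):
    """Same page, with HTML entity encoding applied at the output boundary.
    The decoded text is displayed, never parsed as markup, regardless of
    whatever client-side filter the browser does or does not have."""
    return "<p>Hello, " + html.escape(decoded_param(url), quote=True) + "</p>"


def echoes_markup(page, decoded):
    """Regression check for a test suite: True if the decoded input contained
    a tag and that tag reached the rendered page unescaped."""
    return "<" in decoded and decoded in page


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_URL))   # <p>Hello, <b>hi</b></p>
    print(render_fixed(SAMPLE_URL))        # <p>Hello, &lt;b&gt;hi&lt;/b&gt;</p>
```

Two practical notes: `validate=True` rejects input with characters outside the base64 alphabet instead of silently dropping them, and `parse_qs` turns a literal `+` into a space, so base64 carried in a query string must be percent-encoded (or use the URL-safe alphabet) before the decode step is even reached.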

Back to the security bug: this is not the first time I have found a security bug in a piece of software and filed a report, but it is the first time that within a few hours I had a response from the developers that was immediate, clear and thankful. I have had vulnerabilities (commonly called 0days; btw, this is not a 0day 😛 ) before in major web applications and social networking sites, and either they didn’t respond or, even worse, their team couldn’t get further than TRUE or FALSE even when given the vulnerable variable and a classic string, for example an SQLi one.

So, congratulations on the response and the product to all the guys behind Chrome :)

Gathering information

Before you start attacking someone, you should first gather some info. When that someone is a user, your best chance is stupidity. A lot of users are members of social networks such as Twitter, Facebook, LinkedIn etc. If you know a lot, you can track them via their profiles. What happens, though, if you know only their Twitter nickname?

The number one place where users share their photos along with a lot of personal information is Facebook. Facebook has a cool “feature”: user photos are stored using patterns. Go on and right-click any image you want and copy its location. You’ll get something like this:

https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash3/AAA_BBB_CCC_DDD_EEEE_n.jpg

Well, what I’ve figured out is that CCC is the profile id. This means that http://www.facebook.com/profile.php?id=CCC is the link that will get me directly to the profile of the user who has this photo. Btw, I haven’t figured out the other numbers yet; if anyone has any idea, drop a comment.

Many people choose to use the same profile photo from Facebook on other sites, and because they are lazy asses they choose to download the photo and upload it directly to the other social networks. This means that the photo is stored and then uploaded (in a lot of cases) as

AAA_BBB_CCC_DDD_EEEE_n.jpg

i.e. as it is stored natively on Facebook. Even better, Windows allows you to copy an image location and paste the hyperlink (http://); it then finds the image in the /temp/ folder and uploads it as it is, meaning again that the image is uploaded using the name under which it was stored on Facebook.

Focusing on Twitter now. User A uploads a profile photo on Twitter. The photo was uploaded as my_profile_pic.jpg, and it is stored and referenced on Twitter as my_profile_pic.jpg.

On Twitter, many users use nicknames that aren’t directly related to their personal data such as name, surname etc. This ID spoofing is blown away, though, if a user uploads a photo downloaded directly from his Facebook profile, since someone can directly relate the Twitter account with the Facebook account and from that point go even deeper, digging up more info about that user.

Again, if someone knows what’s going on with the other numbers in the Facebook storage pattern, let me know :)
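
The leak described above happens because a site keeps the client-supplied file name. A site that accepts avatars can close it on the server by storing uploads under a random name and flagging names that match the CDN pattern, as in this added example, which is not code from the original post or from Facebook or Twitter. The regular expression follows the five-numeric-field pattern quoted above; accepting any single letter as the size suffix and `.jpeg` as well as `.jpg`, plus the `ALLOWED_IMAGE_EXTENSIONS` set and the sample names, are assumptions made for the demo.

```python
import os
import re
import secrets

# The naming pattern quoted in the post: five numeric fields, a one-letter
# size suffix, then .jpg. Allowing any single letter and .jpeg as well as
# .jpg is an assumption made here.
FACEBOOK_CDN_NAME = re.compile(r"^\d+_\d+_\d+_\d+_\d+_[a-z]\.jpe?g$", re.IGNORECASE)

# Constructed whitelist of extensions the site serves as images.
ALLOWED_IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def looks_like_facebook_cdn_name(filename):
    """True if the client-supplied file name matches the CDN pattern, i.e.
    it would carry the uploader's Facebook profile id into the new site."""
    return bool(FACEBOOK_CDN_NAME.match(os.path.basename(filename)))


def storage_name(filename):
    """Name to store the upload under: random, so nothing from the original
    name (profile ids, real names, device names) survives. The extension is
    kept only if it is one the site serves as an image."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        ext = ".bin"
    return secrets.token_hex(16) + ext


def audit_upload_names(filenames):
    """Review helper for an existing upload directory: return the names that
    match the pattern and therefore reveal the source profile."""
    return [name for name in filenames if looks_like_facebook_cdn_name(name)]


if __name__ == "__main__":
    # Constructed sample names; the digits are placeholders, not real ids.
    samples = ["123_456_789_012_3456_n.jpg", "my_profile_pic.jpg", "IMG_0001.JPG"]
    print(audit_upload_names(samples))   # ['123_456_789_012_3456_n.jpg']
    print(storage_name(samples[0]))      # 32 hex characters + '.jpg'
```

Renaming on upload is the part that matters for users; the audit helper is for a site that already has years of avatars on disk and wants to know how many of them carry the pattern before renaming them.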

File Inclusions with SQL.

The last time I posted something technical, it was about SQL injection. I described how to identify a vulnerable parameter and how to exploit it manually, though it is also possible to use something free like sqlmap, or other free or commercial products.

This time we are going to talk about Local File Inclusion and Remote File Inclusion. So, what is file inclusion?

SQL Cheatsheets

I suppose you have already read this.

When I was writing the post “SQL injections” I mentioned that I didn’t know some MsSQL reserved words. This time I have some cheatsheets, mostly from darkc0de, but you can find everything on the web too. Remember: “A dumb asks questions, a smart asks google first” :)

SQL injections

Databases are pieces of software that allow massive storage of data in an order structured by the developer. All this data can be easily accessed using the SQL language. The data can be anything: text, personal identification numbers, credit card numbers or even files in certain cases. The success of those databases is that anyone with the proper authorization can access the data both fast and easily. The access is achieved by SQL. SQL stands for Structured Query Language.