Wednesday, August 2, 2017

Hootsuite - Breaking its framebusting code

I noticed that Hootsuite didn't have protection against clickjacking, so I tested whether it was vulnerable to that attack, and it was.

After submitting the report, they immediately deployed a fix:




The JavaScript framebusting code above breaks ordinary framing code, e.g. <iframe src="hootsuite.com" width="500" height="500"></iframe>. Even the double-framing strategy (inserting the first frame into a second frame) won't work against it.


src: OWASP Defense Sheet
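JavaScript framebusting is a client-side workaround, and this post shows it can be beaten; the protection a defender should rely on is the X-Frame-Options header or the CSP frame-ancestors directive, which the browser enforces before any page script runs. Below is an added example, not code from the post or from Hootsuite, that classifies a response's headers the way a regression check in a deployment pipeline would. The header names and values are the real ones; the sample header sets are constructed for the example.

```javascript
// Added example (not Hootsuite's code): classify whether an HTTP response tells
// the browser to refuse framing. The header names are the real ones; the sample
// responses below are constructed, not captured from any site.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the policy carries no frame-ancestors directive.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// headers: object keyed by lower-cased header name, as Node's http module
// returns them. Result is from the viewpoint of a cross-origin attacker page.
function assessFramingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = frameAncestors(csp);
    if (sources) {
      // When frame-ancestors is present, CSP-aware browsers ignore X-Frame-Options.
      if (sources.includes('*')) {
        return { framable: true, reason: "frame-ancestors allows any origin ('*')" };
      }
      return { framable: false, reason: `frame-ancestors limits framing to: ${sources.join(' ')}` };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { framable: false, reason: `X-Frame-Options: ${value}` };
    }
    // ALLOW-FROM is obsolete and not honoured by current browsers, so treat it as no protection.
    return { framable: true, reason: `X-Frame-Options "${xfo}" is not DENY or SAMEORIGIN` };
  }
  // Neither header: only page script (framebusting) could object, and that can be bypassed.
  return { framable: true, reason: 'no X-Frame-Options and no CSP frame-ancestors' };
}

// Constructed sample header sets for a regression check.
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html' },
  xfoSameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
};

// Audit every sample and return name -> verdict.
function auditAll(responses = SAMPLE_RESPONSES) {
  const verdicts = {};
  for (const [name, headers] of Object.entries(responses)) {
    verdicts[name] = assessFramingProtection(headers);
  }
  return verdicts;
}

console.log(auditAll());
```

Feeding the function the `headers` object from a real `http.get` response (Node lower-cases header names already) turns it into a check that can fail a build when a page that should not be framable loses its header.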

                               

So, how did we break it?

A write-up from Paulos Yibelo on Facebook clickjacking gave me an idea. The bypass script:



and the output:




Thanks for taking time to read.

To God Be the Glory.
















Friday, November 18, 2016

Dynatrace (formerly Ruxit) HTML Injection + a bonus find

HTML injections are just minor bugs that allow an attacker to make a web server interpret their malicious input as markup. This bug relies on the ec parameter.

Whatever you put after that parameter, the website interprets it as markup; the cause was a lack of proper input validation.
Vulnerable URL: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec=

Injected URL: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec=%3Ch1%3E%3Cmarquee%3Einjected%20by%20russel%20van%3C/marquee%3E%3C/h1%3E

They immediately filed a fix for this one. Another, logical vulnerability was an information disclosure. This bug is much more sensitive, as it discloses the programming language used, the server, and full paths. The bug lies in the password reset page after you've submitted your email; it's quite a rare logic flaw, as behaviour like that rarely exists on sites.
PoCs:
Thanks Dynatrace - former Ruxit.

To God be the glory.

Thursday, November 17, 2016

Insecure Direct Object Reference (IDOR) Vulnerability on Facebook

IDOR is one of the most dangerous vulnerabilities if exploited by an attacker. It allows them to take control of, alter and delete other users' data.


As we know, Facebook has run its bug bounty program since 2011, and over time its security has been proven, hardened and tested by security researchers around the globe, with many vulnerabilities already disclosed, fixed and paid for.

"If you can't find holes in the domain, crawl its subdomains" -- was my technique.

If you examine the vulnerability, it exists because the command is simply processed via the HTML link rather than through a database query (e.g. an SQL query). HTML is used for the front end, and it carries no authentication or authorization checks, unlike back-end programming languages or SQL commands.

This simply gives the attacker access to delete, rotate and edit the photo caption freely, just by changing the parameter values to those of their target:

e.g. https://mbasic.facebook.com/photo.php?fbid=<victim_id>&id=<victim_id>&r_prof.
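From a defender's side, the fix is to check object ownership on the server for every action, whatever fbid and id values arrive in the request. The following is an added example, not Facebook's code: the parameter names fbid/id come from the post, while the in-memory store, session object, action names and user ids are assumptions constructed for the example.

```javascript
// Added example (not Facebook's code): object-level authorization for photo
// actions. fbid/id are the parameter names from the post; the store, session
// object, action names and user ids are constructed for the example.

// Constructed in-memory store: photo id -> owner and editable state.
const PHOTOS = new Map([
  ['1001', { ownerId: 'alice', caption: 'beach', rotation: 0, deleted: false }],
  ['1002', { ownerId: 'bob', caption: 'mountains', rotation: 0, deleted: false }],
]);

class Forbidden extends Error {}

// The missing check: the object named by the request parameter must belong to
// the authenticated user. The owner comes from the session, never from a
// client-supplied id parameter, which is exactly the value an attacker controls.
function authorizePhotoAction(session, fbid) {
  if (!session || !session.userId) throw new Forbidden('not authenticated');
  const photo = PHOTOS.get(String(fbid));
  // Same response for "missing" and "not yours", so ids cannot be enumerated.
  if (!photo || photo.deleted || photo.ownerId !== session.userId) {
    throw new Forbidden('photo not found or not owned by caller');
  }
  return photo;
}

// Handlers for the actions the post lists: edit caption, rotate, delete.
function editCaption(session, fbid, caption) {
  const photo = authorizePhotoAction(session, fbid);
  photo.caption = caption;
  return { ok: true, caption: photo.caption };
}

function rotatePhoto(session, fbid, degrees) {
  const photo = authorizePhotoAction(session, fbid);
  photo.rotation = (photo.rotation + degrees) % 360;
  return { ok: true, rotation: photo.rotation };
}

function deletePhoto(session, fbid) {
  const photo = authorizePhotoAction(session, fbid);
  photo.deleted = true;
  return { ok: true };
}

// Simulates a request arriving with arbitrary parameter values, the way the
// fbid=<victim_id>&id=<victim_id> URL in the post does. The client-supplied
// params.id is deliberately never consulted for authorization.
function handleRequest(session, params) {
  try {
    switch (params.action) {
      case 'caption': return editCaption(session, params.fbid, params.caption);
      case 'rotate': return rotatePhoto(session, params.fbid, Number(params.degrees));
      case 'delete': return deletePhoto(session, params.fbid);
      default: return { ok: false, status: 400, error: 'unknown action' };
    }
  } catch (e) {
    if (e instanceof Forbidden) return { ok: false, status: 403, error: e.message };
    throw e;
  }
}

// Bob tries to delete Alice's photo by naming her ids; the server refuses.
console.log(handleRequest({ userId: 'bob' }, { action: 'delete', fbid: '1001', id: 'alice' }));
```

The point of `authorizePhotoAction` is that every mutating handler goes through it and that the owner comparison uses the session, so changing fbid or id in the URL only ever selects among the caller's own photos.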


Thank you Philippe.

To God be the glory.


Hootsuite XSS at adding timeline tab

First, a little introduction to Hootsuite: it's a social media platform that aims to combine all of your social media accounts in one place by connecting them to your Hootsuite account. If you're not familiar with it, that's okay; you can explore Hootsuite further on your own, but to follow this post you should know something about cross-site scripting (XSS). If you're short on that too: XSS is a vulnerability that allows an attacker to inject JavaScript and execute their own functions to steal user cookies, sometimes to deface the site, and in some cases to go much deeper, toward RCE (remote code execution).

In Hootsuite there's an option to add your timeline, meaning to connect your Facebook account. After the social network (Facebook) timeline had been created, I tried commenting with some payloads, like
"><img src=x onerror=prompt(1)>
After hitting enter, the JavaScript executes.

PoCs:
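Both the Dynatrace ec parameter in the earlier post and this Hootsuite comment field share one defect: user text written into HTML without encoding. The following added example (not Dynatrace's or Hootsuite's code; the template functions, tag counter and inputs are constructed for illustration) shows the vulnerable rendering beside the fixed one for an element-body context and for a quoted-attribute context, using the payloads quoted in the two posts as inputs.

```javascript
// Added example (not Dynatrace's or Hootsuite's code): the defect behind both
// posts, user text written into HTML without encoding, shown vulnerable and fixed.

// Minimal HTML entity encoding for text placed in an element body or in a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the ec query parameter is concatenated straight into the page,
// which is the behaviour the Dynatrace post describes.
function renderErrorVulnerable(ec) {
  return `<div class="error">${ec}</div>`;
}

// Fixed: the same page with the parameter encoded for the HTML body context.
function renderErrorFixed(ec) {
  return `<div class="error">${escapeHtml(ec)}</div>`;
}

// Vulnerable: a comment echoed into a value attribute; the "> prefix of the
// Hootsuite payload closes the attribute and the tag and starts a new element.
function renderCommentVulnerable(comment) {
  return `<input type="text" value="${comment}">`;
}

// Fixed: the quote becomes &quot; and the angle brackets &lt;/&gt;, so the
// browser sees one input element whose value is the literal payload text.
function renderCommentFixed(comment) {
  return `<input type="text" value="${escapeHtml(comment)}">`;
}

// Crude illustration only: count the tags the browser would see in the markup.
// A real check would parse the HTML; this is enough to show the difference.
function countTags(html) {
  return (html.match(/<[a-zA-Z!/][^>]*>/g) || []).length;
}

// Constructed inputs modelled on the payloads quoted in the posts.
const EC_PAYLOAD = '<h1><marquee>injected by russel van</marquee></h1>';
const COMMENT_PAYLOAD = '"><img src=x onerror=prompt(1)>';

// Returns how many tags each rendering produces; only the template's own
// tags should survive once the input is encoded.
function runDemo() {
  return {
    ecVulnerableTags: countTags(renderErrorVulnerable(EC_PAYLOAD)),
    ecFixedTags: countTags(renderErrorFixed(EC_PAYLOAD)),
    commentVulnerableTags: countTags(renderCommentVulnerable(COMMENT_PAYLOAD)),
    commentFixedTags: countTags(renderCommentFixed(COMMENT_PAYLOAD)),
  };
}

console.log(runDemo());
```

Encoding has to match the output context: the function above is right for element bodies and quoted attributes, but text placed inside a script block, a URL or an unquoted attribute needs a different encoder, which is why a templating engine with contextual auto-escaping is the usual fix rather than hand-written string replacement.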


                                 
 

To God be the Glory.

