Skip to main content

Posts

Hootsuite - Breaking it's framebusting code

I noticed that Hootsuite doesn't have a protection for clickjacking  so i tested if it is vulnerable to that attack and it was after submitting the report they immediately deployed a fix: The javascript code for framebusting above breaks your ordinary framing code e.g. \<\iframe \src=\"hootsuite.com\" \width\=\"500\" \height\=\"\500\"\>\<\/\iframe\>\ . Even though trying double-framing strategy (inserting the first frame into the second frame) won't work                                           src: OWASP Defense Sheet                                 So, how do we have been breaking it? A write up from Paulos  Yibelo  regarding facebook clickjacking gave me an idea. The bypass script and the output Thanks for taking time to read. To God Be the Glory.
Recent posts

Dynatrace (formerly Ruxit) HTML Injection + a bonus find

HTML injections are just minor bugs which allows an attacker to command a webserver to interpret his malicious inputs. The bug relies on the ec parameter. If you put anything after that the website interprets it's function, the cause was lack of proper input validations. Vuln. url: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec= Injected url: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec= %3Ch1%3E%3Cmarquee%3Einjected%20by%20russel%20van%3C/marquee%3E%3C/h1%3E Immediately they filed a fix to this one. Another logical vulnerability was an information disclosure. This bug is much more sensitive as it shows the programming language used,server and full path disclosures. The bug relies on password reset page after you've sent your email,quite rare logical as behaviors like that rarely exist on sites. Pocs:

Insecure Direct Object Reference (IDOR) Vulnerability on Facebook

IDOR is one of the most dangerous vulnerability if exploited by any attacker. It allows them to take control,alter and delete other users data.  As we know Facebook started it's bug bounty program since 2011 and through the times it's security was proven,hardened and tested by security researchers around the globe as there were already many vulnerabilities disclosed,fixed and payed.  "If you can't find  holes in the domain,crawl it's subdomain"--was my technique. If you examine vulnerability, it lies due to the command is simply processed via html link instead of database query (e.g. SQL query). HTML is used for front-end, and it does not require authentication nor authorization checks unlike back end programming languages or SQL commands. This simply gives the attacker access to the resource to delete, rotate and edit the photo caption freely just by changing the parameter values of their target: e.g. https://mbasic.facebook.com/photo.php?fbid=

Hootsuite XSS at adding timeline tab

A little introduction first for hootsuite , it's a social media platform which aims to combine all of your social media accounts in one by connecting them in your hootsuite account. Now if you're not familiar it's okay you could explore hootsuite more, but in cross site scripting (xss) vulnerability you should be knowledgeable in reading this post. But if you're short also in knowledge, xss is a vulnerability that allows an attacker to inject javascript and execute their functions to steal user cookies,some to deface, others go in very deeply to rce (remote code execution). In hootsuite there's an option to add your timeline,means to connect your fb account. After that the social network (for fb) timeline has been created i tried to comment some payloads like \"\>\<\img \src\=\x \onerror\=\prompt\(\1\)> (without the backslashes),after hitting enter the javascript executes. Pocs:                                     To God be the Glo