Every CSRF token need not be verified in order to prevent CSRF

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user’s Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. – Wikipedia


I had some interesting encounters with CSRF last week; one of them is yet to be fixed. Here is an interesting low-impact issue.

These days almost every form on a website uses CSRF protection by default. Every time the website loads, the CSRF token should be different, unique and unpredictable. But this is not the case with 80% of websites out there. I'll be explaining this with two examples: one is Dropbox and the other is move-app (Facebook).

Let’s start.

Most dynamic websites contain sign-in functionality as well as a forgot-password form to recover the account.

"Most forgot-password forms are vulnerable by design; a good practice is to ask a security question before sending the reset link" – Aditya

My area of interest was the CSRF tokens for visitors: public forms like reset password, sign in, feedback and so on. These tokens are session based (the session starts when the site loads and lasts till you close the browser).

The issue was that the token remains the same for a particular session. For example, when you submit a reset-password request for the first time, the token is x; now every time you request a password reset, the token will be the same x.

I thought of abusing this. I made a PHP crawler that crawls the hidden CSRF value, and thought to add the token field to my CSRF form. Here is the PHP code to extract all the input values from Coinbase.

<?php
// Load the public password-reset page and list every <input> element,
// printing its value attribute and text content (the hidden CSRF field
// shows up among them).
$doc = new DOMDocument();
@$doc->loadHTMLFile("https://www.coinbase.com/password_resets/new");
$tags = $doc->getElementsByTagName('input');

foreach ($tags as $tag) {
    $x = $tag->getAttribute('value') . '|' . $tag->nodeValue . "\n";
    echo $x;
}
?>

I tried to submit my form with the scraped CSRF token, badass idea. It didn't work, because my page was not creating any session.

Now the goal was clear: I had to use my session to abuse the CSRF. So what I did was copy my cookie and token, and use the cookie with document.cookie along with the token value. This time, Bingo!
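The server-side check implied by this post, written here as an added example (not code from the post or from any of the sites it names): the token is derived from the session, so a token scraped by a crawler in its own session fails when the victim's cookie is attached, and the `validate=False` path reproduces the other failure mode on this page, a token that is rendered but never compared. Session ids, the secret and the handler are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed server-side secret for this example; a real deployment would
# load it from configuration and rotate it.
SERVER_SECRET = b"example-server-secret"


def issue_token(session_id: str) -> str:
    """Derive the CSRF token for a session as HMAC(secret, session_id).

    The same session always gets the same token (exactly what the post
    observed), but another session gets a different one, so a token
    scraped by a crawler in its own session is useless against a victim.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject a missing token or one not derived from this session."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


def handle_reset_request(cookie_session: Optional[str],
                         form_token: Optional[str],
                         validate: bool = True) -> str:
    """Simulated reset-password handler (constructed for this example).

    cookie_session is what the victim's browser attaches automatically to a
    cross-site form post; form_token is whatever the attacker's page placed
    in the hidden field. validate=False reproduces the bug the author kept
    finding: a token is rendered in the form but never compared.
    """
    if cookie_session is None:
        return "rejected: no session"
    if validate and not verify_token(cookie_session, form_token):
        return "rejected: bad csrf token"
    return "accepted"


if __name__ == "__main__":
    scraped = issue_token("sess-attacker")  # token the crawler saw in its own session
    print(handle_reset_request("sess-victim", scraped))                     # rejected
    print(handle_reset_request("sess-victim", scraped, validate=False))     # accepted: the bug
    print(handle_reset_request("sess-victim", issue_token("sess-victim")))  # accepted
```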


How I made $2000 in 15 minutes

When I am not hunting I read about startups and what's happening in the Valley. I check their sites, and as a security guy I cannot control myself from checking their security. In the process, I came across this accounting web application (they are quite famous and making big bucks; I won't take the name as they might get disturbed after this post). I was just testing for common bugs: XSS, CSRF and all the regular stuff.

Every field was vulnerable to XSS and every form was vulnerable to CSRF, as the token was not being validated. I used the Contact Us section from the site. Some non-technical lady replied "Thanks for contacting us, we don't have any reward scheme or anything".

Let's give it one more try. This time I used the About Us page, googled the name of the engineer, found his GitHub account and found his Gmail there. He was really nice to me. Later we had a video chat on Skype; he was explaining things to me and asking me about my background. He was impressed. Following is a copy-paste from the original POC that I sent back then:

1. XSS: JavaScript is not filtered, hence any arbitrary JavaScript code can be executed. Hence with document.cookie, a user's cookie can be stolen, which can lead to full account takeover.

An Introduction to SEO

Last week, we had our first company campus drive of the season. We were all excited. There were 3 job profiles; one of them was SEO executive. I had some know-how of SEO, and I was confident enough to grab this position because my site has Google PageRank 5 and I have a "Certificate of Honor" in SEO.

Although I got the offer letter, they made me uncomfortable during the interview, so I thought let's get prepared. Here are some of the basic things you should know about SEO as an internet user.

SEO stands for Search Engine Optimization. SEO is the set of techniques one uses to get a site to the top of a search result. If your site is on top of the search results, users are more interested in visiting those top sites, which means more traffic, more users and more money.

For example, when you search for Manish Bhattacharya, the search result brings my site to the top. Although there are other sites that have my information, mine is on top; hence if you have to know more about me you will visit my site rather than other random sites.

Now, how is SEO done? SEO requires some optimization of code and contents. You should be aware of keywords; in the last example, "Manish Bhattacharya" was the keywords. Keywords are the stream of words a user searches for on a search engine (Google). You should be aware of what keywords you are focusing on. Suppose you are selling mobile phones in Delhi; your keywords should be strong enough to bring your site up when a user searches for "Mobile phone store in Delhi".

Other determining factors are your domain name, your site's title and meta descriptions. Meta descriptions are the information about the site that you see in search results.

Meta descriptions and keywords can be added using meta tags, inside <head> after <title>.

One of the questions I remember from the interview was the maximum length of meta descriptions and keywords. In general the maximum sizes are:

  • Page Title – 70 characters
  • Meta description – 160 characters
  • Meta keywords – No more than 10 keyword phrases

SEO does not end here. Your URL structure matters too: e.g. the default URL setting for any WordPress site is like php?id=<some post id>, whereas a URL with a content description is suggested for better SEO, something like this: "https://introvertmac.wordpress.com/2014/09/18/getting-into-github-leaderboard/". Make your site easy to navigate; a better robots.txt and a site map really help a lot.

Also optimize your anchor tags and image tags; using title and alt in <img> is suggested for better SEO. Using heading tags (<h1>, <h2>, ...) properly is a plus.

Other questions that I remember were "Types of SEO" and "What are Panda, Penguin and EMD?".

There are two types of SEO:

  1. White Hat
  2. Black Hat

White hat techniques are the ones suggested by the search engines to improve your page ranking, while black hat techniques use weaknesses of the ranking algorithm to rank on top. You can read more on this here.

Hummingbird, Panda, Penguin, Venice and EMD are the names of Google search result algorithms.

There are other terms you should know about: SEM (search engine marketing), PPC (pay per click) and more. I hope to share more with you on this. Here's some suggested further reading if you are interested:

  1. http://www.searchenginejournal.com/maximizing-your-meta-tags-for-seo-and-ctr/
  2. https://econsultancy.com/reports/seo-best-practice-guide
  3. search-engine-optimization-starter-guide

This is just an introduction. SEO jobs are high paying; even SEO experts make millions just by freelancing. Neil Patel and Hiten Shah are some well-known names in this business.

logging off..

@umenmactech


Cracking Github leaderboard

As you might know, GitHub is a web-based Git repository hosting service which offers all of the distributed revision control and source code management (SCM) functionality of Git as well as adding its own features.

Later this year GitHub started a bug bounty; earlier they used to send swag to bug reporters plus add their name on the GitHub security page.

Cracking the bug bounty for the main domain is really hard because of competition all around. And like always, I will repeat: your social friends' newsfeed matters a lot in bug bounty.

I remember one of my Facebook friends' posts: "Easel.io is acquired by GitHub".


Although CJ (clickjacking) does not affect much of Easel's functionality, as a bug hunter it is my responsibility to report things. It depends on the vendor whether they accept the bug or not.

Well, they had just acquired Easel and they considered the CJ; as a result I got listed on their "Original Gangster" list, with some awesome swag.


Well, CJ was still working for me :P.

A few days later I got bored, so I thought to dig into Easel.io again (that was my private swag mine). This time Tamper Data worked for me. There were CSRF tokens all over the application, but those tokens were not getting validated on the server side. This time the bug was critical and could take over any account by changing the email using a typical CSRF attack (sorry, I can't find the POC for this in my mail). I reported the CSRF without any POC; GitHub's security guys were smart enough to reproduce it. Guess what! Another GitHub packet for me, and this time I was on the leaderboard (the only Indian at that time 😛) with 500 pts. GitHub created a special page for me (https://bounty.github.com/researchers/introvertmac.html).


Well, that's not the end; I reported a few more CSRFs (login) later that week. Easel was still my private swag mine till yesterday, when they sent me this:

Easel is shutting down 😦. Easel.io will be missed 😛 for sure.

All I can say is that bug bounty is fun; just keep your eyes open.

logging off…

@umenmactech

How I made $5100 in a week

17 Sept is a special day for me, the day which made me officially the highest earning family member 😛. A year ago today Facebook paid me $5000 for two clickjacking bugs in their mobile site (m.facebook.com).

There is quite an interesting story behind this. I had been into bug hunting for a long time, but till 11 Sept I was struggling for my first bounty. You might say I was not trying hard; I confess I have never tried too hard in hunting till date.

But what I can say is that your network on your social accounts (Twitter, Facebook) matters a lot. Even though they don't share "how they do things", they motivate you with the amounts they get from bounties.

Here’s the timeline:

10 Sept: Kamil Sevi posted "got bounty from Asana". Let's give Asana a try. Aditya's addon came in handy; reported CJ to Asana security.

12 Sept: Asana accepted the CJ and rewarded me $100.


15 Sept: One of my friends got $5000 from Facebook for some Facebook group bug. I was jealous and motivated. Started digging, found two CJ: one with Facebook messages (new thread), the other with Facebook notes.

17 Sept: Both clickjackings got validated and Bang..


$5000 is more than enough for CJ. Well, there might be some luck or fate. Thanks Aditya for sharing his tool.


logging off ..

@umenmactech


XSS on Shopify

Shopify is an e-commerce platform that enables individuals and businesses to create online stores.

Yes, they have a bug bounty program.

While testing I realized that all the title fields were not sanitizing JS.


I was like: I am rich.

Reported the issue to the Shopify security team; they said "Self XSS. We don't consider this an issue."

OK then, challenge accepted.

They had a public forum (with login functionality). I created a discussion title with an XSS payload. When the page was published, it triggered the payload just once. I tried again and again by refreshing the page; nothing happened.

I was frustrated, wrote "Fuck" in the comment, and it reloaded the page and Bang!


I got an XSS, and this time it is not self XSS. All I have to do is get a comment from the user on the discussion page.

They accepted this one, and one more HOF for me 🙂


logging out……

@umenmactech