Hacking Google for fun and profit

I have been doing bug bounties since September 2013(Asana was the first), participated and qualified in almost all bug bounties at least once. My bucket list had Facebook, Yahoo, Twitter, Dropbox, Github and 100+ such sites (including couple of YC Startups ) but Google VRP was tough nut to crack. I always wanted to start my bug bounty story with Google, but failed in past with few duplicates.

I was watching 2016 Google I/O, Firebase was the main focus. I had reported couple of security issues when they were quite young. Got a mini box full of stickers, bands and hot souces for my contribution.

So when I saw Firebase got a new site that too on a *google.com(https://firebase.google.com/),  it all came back to me.

The minimum bounty on Google main domain(*.google.com) is $500, more than that you’ll get your name in prestigious Google Hall of Fame.
Continue reading →

Understanding CSRF attacks

 

What is CSRF ?

“Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.” – Wikipedia

CSRF is at 8th position in OWASP top 10 bug list. Usage of frameworks like Django, ROR reduces the risk of CSRF to a large extent but it is still there. Also, it is carried out from user’s IP address, website’s logs will have no evidence.

Examples of CSRF:

CSRF comes in all shape and sizes. Dangerous one can take over an account, minor one can destroy your session or log you out.

Every request that change state on server should have CSRF protection.

It can be an email change or addition of user details like a bank account.
Continue reading →

Web application security checklist

I printed out my Asana task list of web app security testing,hopefully you’ll find it useful. OWASP 10 are the starting points of web testing, followed by other not so common issues.

Comments inside my task list are more helpful(provide various attack scenario and test cases) but Asana don’t export  comments while printing, maybe I’ll write a proper short guide explaining all the points in future. Stay tuned on my twitter for further updates.

Here is the PDF of Security task list

security_checklist

Thanks

Manish (@umenmactech)

 

How I made $2000 in 15 minutes

When I am not hunting I read about startups ,what’s happening in valley. I check their site , as a security guy I cannot control myself from checking their security. In the process , I came across this accounting web application (they are quite famous and making big bucks, I won’t take the name as they might get disturbed after this post. ) I was just testing for common bug XSS,CSRF and all regular stuff.   Every field was vulnerable to XSS and every form was vulnerable to CSRF as  token was not validating . Used Contact Us section from the site. Some non-technical lady replied “Thanks for contacting us , we don’t have any reward scheme or anything” .       Let’s give it one more try, this time I used About US page, googled the name of the engineer , found his Github  account and found his gmail there. He was really nice to me.       Later we had Video chat on Skype , he was explaining me things ,asking me about my background.He was impressed. Following is a copy paste from the original POC that I sent back then   1. XSS:- javascript is not  filtered ,hence any arbitrary javascript code can be executed. Hence with document.cookie , a user’s cookie can be stolen ,that can lead to full account take over. Continue reading →

XSS on Shopify

Shopify is an e-commerce platform that enables individuals and businesses to create online stores.

yes, they have bug bounty program.

While testing I realized ,all the title fields are not sanitizing the JS .

 

 

 

I was like

 

Reported the issue to the Shopify security team , they said “SELF XSS” . We don’t consider this an issue.

OK then,

 

They had  public forum(with login functionality) , I created  discussion title with XSS payload . When the page is published ,it triggered the payload just once. I tried again again by refreshing the page ,nothing happened.

I was frustrated , wrote “Fuck” in the comment and it reload the page and Bang !.

I got a XSS and this is not self this time. What I have to do is just a get a comment from the user on the discussion page.

They accepted this one , and one more HOF for me 🙂

 

 

logging out……

@umenmactech