DEV Community: Muhaddis

Cross Site Scripting(XSS) in WhatsApp Web

Muhaddis — Mon, 03 Aug 2020 15:48:42 +0000

Acknowledgement From Recorded Future

Muhaddis — Mon, 03 Aug 2020 15:48:39 +0000

Cyber Security Rehearsing is going great. I cherish programming and afterwards the Vulnerabilities that stand because of the low level of Programming.

Same Issue I have found on Recorded Future's site. The defects I have found are Email Spoofing and Clickjacking and the site is responsible of their Security issues, I informed all of them and the following one day I got a thanks answer from them, In one week they settled this issue.

They offer Acknowledgements to me furthermore included my name in their site's Hall Of Fame.

See below Proof of concept.

Thanks to Recorded Future for giving me Acknowledgement.

Acknowledgement From KNB

Muhaddis — Mon, 03 Aug 2020 15:48:37 +0000

In the wake of burning through many hours in Cyber Security Researching about I am presently ready to create some logical defects in Web Applications, before some days I was testing the site of KNB I have established some basic and minor issues related with the security of their site.

I have established Clickjacking,** XSS (Cross-site scripting)** and some different issues related with their site.

In the wake of discovering Reflected base XSS in their site, I am able to change this Reflected XSS into Stored XSS and it would be significantly more Malicious. I also founded the issue of Missing DMARC records and other Clickjacking issues. After my reports to KNB I receive a positive reply from the company.

As indicated by their Responsible Disclosure they accepted my report and Acknowledged me. They additionally included my name in their website's Responsible Disclosure's Hall of Fame page.

I am appreciative to group KNB to accept these issues and attempt to fix them. Thank You!

Acknowledgement From Intel

Muhaddis — Mon, 03 Aug 2020 15:48:35 +0000

Before some days I have established a logical security issue in Intel's website however they have some different Responsible policy, they don't permit Researchers to do pen-testing without their authorization else they may take actions against it. So I contacted them and requested permission which they agreed and in a few days I reported them that issue and it got approved.

After working on my report, in a few days, they Acknowledged me with the Certificate and the security team is working to resolve this issue.

Thankful for your valuable time.

Acknowledgement From Inflectra

Muhaddis — Mon, 03 Aug 2020 15:48:33 +0000

As Cross-Site Scripting is one of my most loved imperfections I frequently test in web application and the greater part of the circumstances I got my outcome. Same issue I have recently found in Inflectra with the assistance of one of my companions.

Most of the time Cross-Site Scripting vulnerabilities exist in Forms, Search Results, Support and Forms fields. I have likewise established the Stored XSS in the Support Help Center of Inflectra.

Vulnerable Url: https://www.inflectra.com/Support/Forum/List.aspx

User Agent: Mozilla / Chrome / Safari / Android

Bug Type: Stored XSS (Cross-Site Scripting)

Fix: Modify your input validation.

Date: 6th Feb - 17

Current Status: Patched

Steps To Produce:

Goto https://www.inflectra.com/Support/Forums.aspx
In the Forms, field selects any Category and after that select any problem/question.
Click on the Reply Button on that question and here select Insert Table option.
Insert XSS (Cross-Site Scripting) Payload in every single table field as appeared in the picture. Then click Insert Table. Payload "><img src=# onerror=alert('XSS') /> You'll see the popup executes and the page is powerless against XSS.

At that point as I Inserted Table the code is executed and a popup shows up.

As I got the outcomes I reported this Security blemish to them they answered me in five working days and began attempting to resolve this issue.

They settled this issue in fifteen days and offered me to mention my name in their web site security Hall of Fame page.

I accepted their offer and in five more days I was on their Hall of Fame page.

Much Obliged for taking your valuable time. Much Obliged Inflectra for acknowledgement. (:

Acknowledgement From BugCrowd

Muhaddis — Mon, 03 Aug 2020 15:48:31 +0000

Welcome here, Hunting before the examination is very fun when contrasted with typical days. Well, I was not in an inclination of bug chasing with full fixation yet all that happened surprisingly, Sound funny? I'm not joking. Each analyst has a fantasy to test security platforms like HackerOne or BugCrowd and so forth. These stages are effectively tried by many top security researchers so I don't think whether my security discoveries will be acknowledged or not. In support of a renowned axiom, hope is the key to success, I began testing one of the subdomains of a BugCrowd. Recently one of my companions discovered Cross-Site Scripting (XSS) vulnerability in the same area and he has been compensated with an extraordinary measure of Bug Bounty. My fortunes worked this time, so let's go how it starts.

Bugcrowd is a vulnerability disclosure platform. It provides Bugcrowd Security Researchers with a secure platform to submit vulnerabilities to your team and allows you the ability to incentivize our researchers through. Bugcrowd points or monetary rewards

On 2nd February 2017, I wished to make a Security group account on CrowdControl to permit pen-testers to security test into my site directly in the wake of watching Cross-Site Scripting (XSS) video proof of concept on CrowdControl. I did it all and as I swung to Logout but I wouldn't permit me to logout without testing that web as well.

I configured my Burp-Suite and began testing, and in under five minutes I've established medium vulnerability, you can think of it as an Authentication issue, no it was not a session management flaw. At first, I thought to report it but it would be cooler if I tested the entire space. I wrote down the steps of replication and began chasing once more, and around five minutes I discovered the Information Disclosure issue, does it sound familiar? No, it was not a User/Email list through Signup.

Indeed, with the these both Vulnerability combination, I'm now able to disclose sensitive data and information which including:

I can read or reply reports
I can read or reply reports
Export all reports
User / Email Enumeration
User APIs (If activated)
I can invite any member to join the team (Just in case if the owner is a victim)

Much more sensitive data related to CrowdControl

By chaining both vulnerabilities and reporting that Vulnerability chain which leads to sensitive information disclosure and in the next five days they answered that they require some more information identified with that defect and it will be great if I give them a video demonstration of vulnerability.

I gave them video evidence of the idea and in the next fifteen days, they changed the report status to triaged and stamp it as P3 (third level need scope).

In the next twelve days, the report status changed to resolved from triage and they acknowledged me by issuing my name in their Hall of fame. Furthermore, the issue is not reproducible any longer from my side.

Furthermore, they remunerated me with a reward measure of 600$ abundance and that was my incredible accomplishment.

Why Bonus Bounty? According to the BugCrowd security policy CrowdControl is built on Ruby on Rails and they compensate a researcher 3X then their ordinary reward, and their beginning price is 200$.

Timeline

Report Submitted on 2nd February 2017 \
They asked for a video demonstration on 7th February 2017 \
Provided proof of Concept on 10th February 2017 \
I recall them about the report on 24th February 2017 \
They changed state to triaged and P3 on 24th February 2017 \
They resolved the report and added a 600$ reward on 8th March 2017 \
I received bug bounty on 12th March 2017 \
They sent me that bug bounty to my Payoneer’s account.

As indicated by the disclosure policy of BugCrowd I can't uncover that bug with complete proof of, yet I trust you comprehend the outline of that Vulnerability.

I am appreciative to BugCrowd for reward and acknowledged my endeavours and time. I am likewise appreciative to you for your profitable time. If you have any proposals or any perplexities identified with this article don't hesitate to remark down. Stay tuned, keep smiling :-)

Acknowledgement From Jet

Muhaddis — Mon, 03 Aug 2020 15:48:28 +0000

On third March 2017, I visited Jet.Com and by investing a modest measure of energy I discovered a famous vulnerability in their site. It was considered as a Cookie Replay issue that leads to lifetime access of the victim's account. In case you're a security analyst or a bug researcher I generally exhort you to invest as much time in chasing as much you can, and that I learnt from one of my Indian friends.

Steps to Replication:

Goto Jet's Account
Login to Your Account
Get the Cookies using " Burp Suite" or "EditThisCookie" or (AnyBrowser's Extension) Copy All These Cookies.
Logout from the Account
Clear All the Cookies of your Browser related with Jet's Account
Save the Cookies you Copied in a Text File
Now Inject/Import Old Cookies to the Jet's Account by "EditThisCookie" (Google Extension)
As you can see, You will be again logged In to Jet's Account Account using old Session Cookies.

After identifying that report they changed the to triaged and I’m glad to get another bounty, but then they revoked and I was like :|

Following two days the report status changed to duplicate and resolved.

They recognized me by including my name in their Security researcher Hall of fame.

I'll test that site again as I got some time and I'll do my best to locate another interesting vulnerability. I thank Jet for acknowledgement and my thanks to you too for your profitable time.

Acknowledgement From Hubspot

Muhaddis — Mon, 03 Aug 2020 15:48:26 +0000

This website has web-based advertising online tools which minimizes our work to such an extent. They have likewise an Email Signature maker which is vulnerable to Cross-Site Scripting (XSS). My companion proposed to me HubSpot Academy for finding out about Email Marketing tutorials. I have investigated their site and established that this Email Signature is vulnerable to Cross-Site Scripting (XSS) vulnerability. In spite of the fact that they additionally have a Responsible Disclosure program on BugCrowd however, I never noticed.

Below I'll show you I replicate Cross-Site Scripting (XSS) in HubSpot

Go to HubSpot Email Signature maker.

In the Email Signature required data frame, fill these fields with XSS payloads. This page is reacting invigoratingly to the ideal frame.

As page loads entered information, the JavaScript payload executed.

The following day they replied:
This submission has been previously reported by another researcher. Thanks for the submission, this submission is duplicate of another submission. We appreciate your effort and we hope that you’ll continue to research and submit any future security issues you find.

After confirming that report they Acknowledged me by posting my name in HubSpot Hall of Security Researcher HubSpot Hall of Fame.

I am grateful to HubSpot for acknowledging and I’ll test that site again as I got some time and I’ll do my best to locate another interesting vulnerability. I thank HubSpot for acknowledgement and my thanks to you too for your profitable time.

Acknowledgement From MAGIX

Muhaddis — Mon, 03 Aug 2020 15:48:24 +0000

Welcome everybody, this is Muhaddis and today I am sharing one of my recent discoveries in MAGIX Inc. Magix Software GmbH is the largest subsidiary of Bellevue Investments. Its managing director is Klaus Schmidt. The company is an international software publisher with a focus on multimedia software and services and is headquartered in Berlin.

As I wanted to be featured in their security researchers Hall of Fame and my fortunes go with me this time moreover. As they have an exceptionally immense web scope that opens entryways for me to upgrade my skills and make my position in the Hall of Fame. Before beginning pentesting I approached their responsible disclosure policy and quickly investigated the security researchers zone.

In the Hall of Fame a couple of researchers reported about Magix.Info it's one of MAGIX sub-associations. I began pentesting and in the meantime, I established three security vulnerabilities in Magix.Info and was feeling fantastic from inside.

Stored Cross Site Scripting (XSS)
Open Redirection Leads To Cross Site Scripting
Broken Authentication and Sessions Management Flaw

At first, I requested authorization to test their site incorporating sub-areas and in a couple of hours, I get a positive response from their specialized technical staff that I am permitted to do as such.

Without sitting around idly I composed an itemized write about it and sent them to their responsible security team.

Four months I have been pinging them about updates about that issue and their web domains are as yet vulnerable however I didn't get any response from them. I mailed them again asking for updates and they answered, Sorry, but you may have to be a little more specific about which problem you reported. Can you provide the date/time and/or subject line of your original report email? I just went back in my mails, had a look and could only find a previous request from you for us to give permission for some security testing, which we did. I couldn't find any actual report yet. Thanks.

I resent that old reported mail to them and following three days I got mail that, Thanks for your feedback and the contribution to the security of our website. We have forwarded this matter to our colleagues at website development and administration for their attention. They will evaluate the situation and take the necessary steps. We will be standing by for their feedback and keep you posted.

In this interim, I sat tight more two months for it and on August 22 I got a response that,

I was glad to contribute and expressed gratitude toward my patience. Further, they acknowledged me by adding my name on the top of their security researchers hall of fame (A nine days wonder).

I am grateful to MAGIX for acknowledging and. I thank MAGIX for acknowledgement and I thanks to you too for your profitable time reading this article.

Acknowledgement From Unsplash

Muhaddis — Mon, 03 Aug 2020 15:48:22 +0000

Who don't love complimentary gifts regardless of how much cash you have? One advantage for me after getting involved in Bug Bounties is I love particular organization Shirts, Swags and stickers and now I have a bunch of collections. I frequently called myself freebies hunter rather than Bug Bounty Hunter :P

Well in my social circles a person posted a photo of his lid back with a stuck couple of stickers and unsplash stickers was additionally a piece of that accumulation. I went to their site and found that it's a website dedicated to sharing copyright-free photography under the Unsplash license. I founded the best room for me. I established the best space for me.

At the time I don't know whether they have a responsible disclosure policy or not. Without sitting idle and looking for any security policy page, I registered myself here and began pentesting not for bounty hunting but for bug freebies reward hunting. I know it sounds unfathomably horrendous. After searching and looking into pages I discovered a security and it initiates my inner monster of Bug Hunting, just joking.

I was searching for security-related issues, I experienced their API documentation and discovered many intriguing things here.

In a couple of hours, I established three security vulnerabilities in their Web Application and one in their APIs which can disclose private and delicate data.

I reported these security vulnerabilities to their security team with detail explained and got responses from them in the next couple of hours.

Because of their security policy, I can't uncover finished bug reports with Proof of Concept. After addressing these security discoveries, Unsplash Co-founder & CPO recommended me on LinkedIn.

They will be adding me in their security page soon. It was truly a good experience with Unsplash and I truly appreciate their support team. A debt of gratitude is in order for pursuing. Keep in contact to pursue more nitty-gritty reviews on bug bounty and more identified with InfoSec.

Acknowledgement From AlienVault

Muhaddis — Mon, 03 Aug 2020 15:48:20 +0000

AlientVault has a responsible disclosure policy so I experienced it and wanted to test their web application related to security vulnerabilities. I was a little occupied nowadays so I scarcely managed time and began testing their web applications and just engaged with their primary domain. As few of my different companions got recognized from AlienVault and I also wished to don't miss that open door.

After doing a security test I established a couple of vulnerabilities in the meantime and reported it to the security support team without wasting time and get their response in ten days. Thank you for sharing your findings. We have just issued a security-test on this domain, so we will take this into considerations while performing the research.

Following a couple of more days, I approached them for updates and they replied, Thank you for contributing in AlienVault's responsible security disclosure process. Please accept that certificate of appreciation as an honour.

On October 30th, 2017 AlienVault launched a program on HackerOne. I reported the same issue to AlienVault through HackerOne and in the next couple of days they marked this report as resolved by following the issue utilizing HackerOne. I got listed in AlienVault's security researchers Hall of fame as HackerOne policy.

It's not finished by any stretch of the imagination, because it is minimally occupied nowadays and so I was unable to test their web application completely. I will require some time and will retry an infiltration testing to chase some more and high :D

Acknowledgement From Adobe

Muhaddis — Mon, 03 Aug 2020 15:48:18 +0000

I generally wanted to test their security and wanted to be a piece of authority Adobe security researchers. This time HackerOne provided me with a chance to do as such. The Adobe security administration group keeps running on HackerOne HackerOne HackerOne and I wanted to test their web application. Adobe has the most tremendous scope as indicated by HackerOne and it has settled circuitous more than one thousand or more reports

On 24th August 2016, I reported security vulnerability to Adobe related with SPF and DMARC records which may lead to Email address spoofing. This one is the same as I established in Magento.

After three days their security team members marked that report as triaged.

That was a good minute for me, I was truly cheerful on the grounds because that was my first report that got triaged in HackerOne. But after that who knows they took as much time to resolve, Be patience, my patience. I got some information about updates after a month that they are still working on it and inform me once it gets fixed. Affirm! It took over more than five months now however they didn't respond about any updates or inquiries. One day all of a sudden I opened my HackerOne account and investigated my triaged reports. This one is the special case that keeps going so long. I retried to test it and what I established is that it is not predictable from my side. I pinged them once again and requested updates. Following one day they marked it as resolved because it is not producible anymore

As per HackerOne policy, researchers are automatically featured in the team hall of fame if reports get resolved. I got recorded in Adobe's Hall of Fame and that was my great experience.

I would like to Thank adobe security team and I would also like to thank you for your precious time. If you have any questions or suggestions then please use the comment form below and let me know. I always appreciate your comments and suggestions.