Posts

Airbnb: Steal Earnings of Airbnb Hosts by Adding a Bank Account/Payment Method (IDOR)

Hi All,

Company Info :
Airbnb is an online marketplace and hospitality service, enabling people to lease or rent short-term lodging including vacation rentals, apartment rentals, homestays, hostel beds, or hotel rooms. The company does not own any lodging; it is merely a broker and receives percentage service fees (commissions) from both guests and hosts in conjunction with every booking. It has over 3,000,000 lodging listings in 65,000 cities and 191 countries, and the cost of lodging is set by the host.


Bug category :
Insecure Direct Object Reference (IDOR)
Link: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References


Technical Details of the Bug :
Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows…

Add a Credit Card to Any Uber Account Through eats.uber.com (CSRF)

Hi All,

Company Info :
Uber Technologies Inc. is an American technology company headquartered in San Francisco, California, United States, operating in 633 cities worldwide. It develops, markets and operates the Uber car transportation and food delivery mobile apps. Uber drivers use their own cars, although drivers can rent a car to drive with Uber.

Bug Category and reference links :
Cross-Site Request Forgery (CSRF)
Link: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Technical Details of the Bug :
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. Detection of CSRF flaws is fairly easy via penetration testing or code analysis.


Bug Description :
It was last September 2016 when eats.uber.com came in sco…

Unauthorized Access to Media Content of Twitter Private Tweets and Messages (IDOR)

Hi All,

Company Info :
Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app. Twitter Inc. is based in San Francisco, California, United States, and has more than 25 offices around the world.


Bug category :
Insecure Direct Object Reference (IDOR)
Link: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References


Technical Details of the Bug :
Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.


Bug Descriptio…

Account Takeover of All Souq.com Users by Adding a New Email (CSRF)

Hi All,

Company Info :
Souq.com is an English-Arabic language e-commerce platform, often described as the Amazon of the Middle East. It is the largest e-commerce platform in the Arab world. On March 28, 2017, Amazon.com Inc. confirmed it would be acquiring Souq.com for $580 million.

Bug Category and reference links :
Cross-Site Request Forgery (CSRF)
Link: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Technical Details of the Bug :
CSRF takes advantage of the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
Detection of CSRF flaws is fairly easy via penetration testing or code analysis.

About :
It was last September when Souq.com was a private program on HackerOne. I started working on Souq.com and found that the site was vulnerable…

Email Address Disclosure of All Mozilla Add-ons Accounts (Insecure Direct Object Reference)

Hi All,

Bug Title : Email Address Disclosure of All Mozilla Add-ons Accounts (Insecure Direct Object Reference)

Bug type : Insecure Direct Object Reference (IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://addons.mozilla.org/en-US/firefox/

Steps to reproduce:
1. Go to the link: https://addons.mozilla.org/en-US/firefox/users/edit
2. Here you get an option to hide your email address from other users. Once you hide your email address, no other user can see or obtain the email address associated with your account. But there is a way to get the email address of any user.

Steps to reproduce:
1. Create a collection and go to the collection settings.
2. Now go to Contributor and add any valid email ID of any user.
3. Now save it and intercept this request.

HTTP request: POST /en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/contr…

Delete Component Watching for All Bugzilla Accounts in Mozilla (Insecure Direct Object Reference)

Bug Title : Delete Component Watching for All Bugzilla Accounts in Mozilla (Insecure Direct Object Reference)

Bug type : Insecure Direct Object Reference (IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://bugzilla.mozilla.org/

Description : In a developer's Bugzilla account you have the Component Watching feature, where you can save your preference for which bugs to watch.

Exact link : https://bugzilla.mozilla.org/userprefs.cgi?tab=component_watch

When you save a component watch, it is stored with an ID. When you delete it, the vulnerable HTTP request deletes the component watch by that ID. You can change the component watch ID and delete any user's component watch. By running a script you can delete every user's component watches.

Video POC link: https://www.dropbox.com/sc/b581mjcf95gbmek/AAC4OBJtn2Aol8HdGg7bCZpTa


Mozilla fixed the issue within a day and rewarded wit…

XSS+CSRF Attack in Tagged Using the Redirect Parameter (Open URL Redirection Attack Possible)

Hi guys,

Today I want to show you how you can combine XSS and CSRF attacks. This is very interesting but pretty difficult to find and create a POC for.

Bug type : XSS+CSRF
Bug category : XSS, CSRF
OWASP links :
1. https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
2. https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Description : In Tagged you can report spam/abuse on any user. In the HTTP POST request you will find a hidden parameter called "Referer". This URL is used to redirect you to the URL you provide, so it can also be used to send a victim to any website (an open redirection attack).
The redirect is performed in JavaScript: when you give any URL as the referrer, it redirects you to that URL. But when you put javascript:alert(1) as the URL, it executes the code you provide.
Attack Steps :
1. Create a CSRF POC where you give the XSS payload javascript:alert(1)
2. Click on the button and you will get the XSS pop-up
3. You can also redirect the victim to any malicious UR…