Posts

Showing posts from 2015

Email address disclosure of all Mozilla Add-ons accounts (Insecure Direct Object Reference)

Hi All,

Bug Title : Email address disclosure of all Mozilla Add-ons accounts (Insecure Direct Object Reference)

Bug type : Insecure direct object reference (IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://addons.mozilla.org/en-US/firefox/

Background :
1. Go to the link : https://addons.mozilla.org/en-US/firefox/users/edit
2. Here you get an option to hide your email address from other users. Once you hide it, no other user can see or obtain the email address associated with your account. But there is a way to get the email address of any user.

Steps to reproduce :
1. Create a collection and go to the collection settings.
2. Go to Contributors and add any valid email ID of any user.
3. Save it and intercept this request.

HTTP request : POST /en-US/firefox/collections/vijaykumar1110/mypersonalcollections/edit/contr…

Delete component watching for all Bugzilla accounts in Mozilla (Insecure Direct Object Reference)

Bug Title : Delete component watching for all Bugzilla accounts in Mozilla (Insecure Direct Object Reference)

Bug type : Insecure direct object reference (IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Organization : Mozilla

Web Application Link : https://bugzilla.mozilla.org/

Description : In a developer's Bugzilla account there is a Component Watching feature where you can save your bug-watch preferences.

Exact link : https://bugzilla.mozilla.org/userprefs.cgi?tab=component_watch

When you save a component watch it is stored with an ID. When you delete it, the vulnerable HTTP request deletes the component watch by that ID. By changing the component ID you can delete any user's component watch, and by running a script you can delete every user's component watches.

Video POC link: https://www.dropbox.com/sc/b581mjcf95gbmek/AAC4OBJtn2Aol8HdGg7bCZpTa

Mozilla fixed the issue within a day and rewarded wit…

XSS+CSRF attack in Tagged using the Redirect parameter (Open URL Redirection attack possible)

Hi guys,

Today I want to show you how you can combine an XSS and a CSRF attack. This is very interesting, but pretty difficult to find and to build a POC for.

Bug type : XSS+CSRF
Bug category : XSS,CSRF
OWASP links :
1. https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
2. https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Description : In Tagged you can report spam/abuse on any user. In the HTTP POST request you will find a hidden parameter called "Referer". This URL is used to redirect you to the URL you provide, so a victim can also be redirected to any website (open redirection).
In JavaScript, when you supply any URL as the referrer, it redirects you to that URL. But when you put javascript:alert(1) as the URL, the code you provide is executed.
Attack steps :
1. Create a CSRF POC in which you supply the XSS payload javascript:alert(1)
2. Click on the button and you will get the XSS pop-up
3. You can also redirect the victim to any malicious UR…

Google reCAPTCHA bypass on Indeed

Hi Guys,

Bug type : Broken authentication

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management

Company : Indeed

Description of the vulnerability :
Indeed had implemented Google reCAPTCHA in the forum for new topics and comments. It was vulnerable: the same Google response code could be reused every time. Basically an old Google code could be used to send a request, and the server accepted any reCAPTCHA code.

Video POC link :

Hall of fame : https://bugcrowd.com/indeed/hall-of-fame

Reward : $200



Unauthorized access to Vimeo private/public groups by adding a video (Broken authentication)

Hi Guys,

I am Vijay Kumar, an individual security researcher and active bug bounty hunter on various platforms. I am starting my blog today to update different security groups and people around the world.
You can find out more about me in my Blogger profile or on the About Me page.

Let's talk about the bug :

Bug type : Insecure direct object reference (IDOR)

Category : Broken authentication and privilege escalation

OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References

Company : Vimeo

Description of the vulnerability :
On Vimeo, people can create private/public groups and upload videos to them privately. Every group is given an incremental numeric ID. While adding a video to a group, the HTTP POST request contains a groupID parameter that is not validated on the server side, which allows you to add your video to any group on Vimeo.

Video POC :

Hall of fame link : https://hackerone.com/vimeo/thanks (you will find it under the username https://hackerone.com/vijay_kumar1110)

Reward :…