Cisco Meraki AJAX-based CSRF

Hello friends 🙂 This is the write-up of my Cisco Meraki findings. I was just 😉 trying a different platform for a change, so I logged in and was playing the game of request and response. After a few back-and-forth requests it was clear that it's an AJAX-based web app. I then started trying for the standard security issues like XSS, CSRF, injections etc., and finally I got one in which I was able to disconnect the admin from his own account.

[+]Abstract
When I removed the token from the AJAX request, the request still completed, so I checked again and it wasn't validating the XSRF token. So it was a CSRF.

[+]Poc Challenge
The thing is that you can easily create a PoC via Burp for those web apps which send their anti-CSRF tokens in the request body, but sometimes you have to struggle with those web apps which send their CSRF tokens via a header, especially AJAX-based ones, like "X-XSRF-Token": "value";

So now I had to create the PoC manually, so I coded this:

    var request = new XMLHttpRequest();
    request.open('POST', 'url', true); // the POST URL where the web app was sending the data (the removal request)
    request.onload = function () { console.log(request.status); }; // log the result once the response arrives
    request.send();

But AJAX has its own security policies to be satisfied first!
Same Origin Policy on AJAX

The same-origin policy dictates that an AJAX object's ability to fully communicate on the user's behalf is only possible if the following conditions are met:
► The protocol used by the AJAX object must be identical to the protocol of the origin page.
► The target port of the AJAX object must be identical to the port of the origin page.
► The domain of the host and the domain of the AJAX object's target host must be identical.

The only thing to do was to use an overly permissive browser ===> IE.
So it worked.

Video poc :

[+]Reported

[+] Fixed

Hope this write-up was helpful.
Regards
vishwaraj


Insecure Data Storage (Access Token exposed) Instagram

Hello friends, this was the issue I found during my security research while reversing the Instagram app.

During analysis I went towards the juicy part, "shared_pref.xml", and hopefully it had something for me 😀. I dug further and found that it was leaking the fb_access token in clear text :O. I then tried to check what its impact could be, but before doing that I checked the validity of the token and the permissions related to it. So I opened up the Facebook Graph API Explorer, pasted the fetched token into the API and debugged it. Other interesting things I found were that it had publish actions! and a long lifetime (2 months).

So why is this an issue?

According to OWASP
It is important to threat-model your mobile app to understand the information assets it processes and how the underlying APIs handle those assets. These APIs should store sensitive information securely. Places OWASP most often sees data being stored insecurely include the following:

  • SQLite databases
  • Log Files
  • Plist Files
  • XML Data Stores or Manifest Files
  • Binary data stores
  • Cookie stores
  • SD Card
  • Cloud synced

Let me give you a scenario, or a possible explanation.
An attacker installs a malicious app on the victim's device; that app fetches the XML file holding the access token and sends those tokens to the attacker remotely, with which the attacker can do evil stuff with the victim's account etc.

So it was an insecure data storage issue.
I immediately reported this issue to Facebook and was eagerly waiting for their reply 😀.
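An added example (my own, not Instagram's or OWASP's code) of the check a reviewer can run over a pulled shared_prefs file: it parses the `<string name="...">` entries Android SharedPreferences writes and flags any credential-looking key whose value sits there in clear text. The file content, key names and token value are constructed for the example.

```javascript
// Minimal parser for the <string name="...">value</string> entries that
// Android SharedPreferences writes; enough for an audit, not a full XML parser.
function parseSharedPrefs(xml) {
  const entries = {};
  const re = /<string name="([^"]+)">([^<]*)<\/string>/g;
  let m;
  while ((m = re.exec(xml)) !== null) entries[m[1]] = m[2];
  return entries;
}

// Key names that normally hold credentials. Anything matching with a
// non-empty value is reported: the fix is to keep such material out of
// shared_prefs (Android Keystore-backed storage) rather than to obfuscate it.
const SENSITIVE_KEY = /token|secret|password|api_?key|session/i;

function findPlaintextSecrets(xml) {
  const findings = [];
  for (const [key, value] of Object.entries(parseSharedPrefs(xml))) {
    if (SENSITIVE_KEY.test(key) && value.length > 0) {
      findings.push({ key, length: value.length }); // length only, never the value
    }
  }
  return findings;
}

// Constructed sample resembling what `adb pull` of a shared_prefs file yields;
// the token value is made up.
const SAMPLE_PREFS = `<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="fb_access_token">EXAMPLE_TOKEN_abc123def456</string>
    <long name="token_expires" value="1423000000000" />
    <boolean name="logged_in" value="true" />
</map>`;
```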

[+] Tested on a 4.2 Jelly Bean Android emulator.
Tools used :
[+]adb
[+]Reported on 11 December 2014 14:33

Video poc :

https://drive.google.com/file/d/0B6EUD5GE6yQCU2cxZUFTRVJ1RzQ/view?pli=1

And this was the reply:

Facebook security: If your device was rooted? Then it's not our issue!


They rejected this issue just because I tested it on the emulator. Is it my fault it comes pre-rooted? And I was like

But I still wasn't happy with their answer and tried to explain further; this time some core member of their dev team replied to me with this:

“We appreciate your report but currently I’m going to close out this report. If you feel you have more information to add, feel free to reopen it and add that information.
Thanks,”

And they closed it again.

So, later on I asked the Twitter security team about the same context issue.

Ans: Hi vishwa, thanks for reaching out to us. We don't have any issue regarding the context of the device being rooted. If you find any serious issue then we are eager to hear about it.
Regards

Twitter dev team.

Similarly I went to the Yandex security team, and their reply was the same as Twitter's regarding the context.

So that was all, guys.

Thank you for reading this, better luck next time #never give up 🙂

Restricting users from logging into their accounts, the attacker's way

Hello friends, this is the PoC report belonging to Magento which I have reported to them!

Issue:
When a user requests a password reset, a new unique password is sent to the user's Gmail, and the application won't allow the user to log in until the password from the mail is given, because the application resets the password automatically without asking for the user's permission.

Impact:
An attacker can easily abuse this functionality by requesting a password reset and locking the user out of his own account :v for hours, until the user realises that the new password is in their mail.

Video Poc:

Reply 😦


Explained further:
So the attacker will write an easy script in Python to launch password reset requests on behalf of users just via email [since Magento is also vulnerable to a user enumeration bug in which I was able to extract the existing users of Magento due to improper rate limiting].

So the attacker will be causing problems for your existing customers, and if the same code is used in Enterprise Magento then it will affect that too.

[+]Reported
[+]Not patched
[+]Disclosed

That's all guys for this report.
Thanks for reading 🙂

Ebay Paypal Bug Bounty: Magento XSSed

Hello friends, this post is the PoC for the critical reflected XSS which I found in the Magento search bar. It was critical because the XSS was in the search, and the worst part was that it was also affecting the Enterprise Magento software (which is premium).

Hunting process:

I first tried the usual one like "><img src=x onerror=prompt(document.domain);> and then I constructed some more, but all the other characters were being filtered and none of them worked out. The interesting part was that while hitting the search I was getting the search results of all the other guys (hunters) with some XSS or script tags :v. Then I thought it had already been patched or was secure! But still somewhere I had a hope of bypassing their applied code, so I thought to give obfuscation a chance and built this one with the oldy goldy Hackbar.

</SCRIPT>'><script>alert(String.fromCharCode(88,83,83))</SCRIPT>

And boom 😀 it just popped!

I reported it to them under their bug bounty program and unfortunately it was a duplicate 😦; it had been done by another hunter and he enjoyed the treat of 1000$ ;-?
But still I bypassed ;)
Lesson: don't think so much, just give it a shot, maybe you will do better than others 😀
So that was all guys ;)

I hope you liked it 😀
@vishwaraj101