Exploiting Misconfigured CORS

Recently I was testing a bitcoin site, just because of empty pockets :p
After some analysis I found that the site was protected against the basic attacks, so I decided to dig deeper, starting with their API.
In this process I mapped all the API endpoints along with their associated methods and headers, and noticed an endpoint used to fetch the user's secret API key with the following request.
Let's assume the site name is example.com.
Request:

GET /api/xxxx HTTP/1.1
Host: example.com
User-Agent: <redacted>
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Referer: https://example.com/xxxx/
Content-Length: 270
Cookie: <redacted>
Connection: close



Response:

HTTP/1.1 200 OK
Server: nginx
Date: <redacted>
Content-Type: application/json
Connection: close
Access-Control-Allow-Credentials: true
Content-Length: 128

{
  "success" : 1,
  "return&…

Google(Apigee.com) ClickJacking Vulnerability

Hi folks, 

This post is about one of my recent findings in apigee.com, which was acquired by Google in 2016. While monitoring requests and responses, I noticed the following endpoint, which has the X-Frame-Options response header missing, as shown in the image below.

https://apigee.com/platform/<orgnization_name>/users/<user_email>



So I quickly visited the page, and there is an option to remove the user, as shown in the image below.



In this case, if the attacker is inside the organization, he can easily trick the administrator into removing other users.

Working POC:




Response from Google:



Sad story :p
Thanks for reading ;)

Quantopian Authentication bypass vulnerability

Snyk privilege escalation vulnerability

Stripe privilege escalation vulnerability

Ldesk XSS Vulnerability

SecOS: 1 Walkthrough

Hi guys, I found another awesome CTF on VulnHub, so let's walk through SecOS.
Nmap:
The nmap result shows two open ports. Let's try to access port 8081.

Looks cool! Let's explore the website, but first open Burp Suite and spider this host so that Burp can capture some directories.

So Burp caught a page called hint. Let's visit this page.
As always it shows nothing on the front, so let's check the source code.

We got three hints. After looking at the third hint I quickly went to the signup option, created an account, and logged in with it. Digging around, I noticed three important points.
Administrator: Spiderman
Change password option:
Message option:
Now we can understand the hints; they are simply saying that we have to conduct a CSRF attack against the administrator, i.e. Spiderman.
Let's create a form for the CSRF attack. The form should auto-submit, so that as soon as Spiderman visits the page his password will be changed.

Save this form to the /var/www directory and start the Apache server. w…