Skip to main content

Posts

U-XSS in OperaMini for iOS Browser (0-Day) [CVE-2019-13607]

TL;DRThe latest version (16.0.14) of Operamini for iOS browser is affected by an Universal-XSS vulnerability which can be triggered by performing navigation from target domain to attacker controlled domain. When attacker controlled domain returns "javascript:code_here" in "location" header then browser executes the javascript code in the context of target domain instead of attacker domain. This vulnerability is yet not fixed by Opera team. 
Update [15 July 2019] : CVE-2019-13607 is assigned to this vulnerability.

So while playing with Operamini browser I noticed that when a navigation to "javascript" protocol occurs via "location" header then browser executes the provided javascript code.
For example if the value of "location" header is "javascript:alert()" then javascript code "alert()" gets executed by the browser. Normally browsers prevent navigation to "javascript:" URLs initiated via "location&quo…
Recent posts

JSP ContextPath Link Manipulation - XSS

This post is about how to manipulate resource links of HTML elements (script, img, link, etc) when getContextPath method is used to obtain base path of resources. With the ability to manipulate links you can do XSS, CSS Injection, etc.

Basically we are going to use path parameters to manipulate context path such that links would point to attacker's domain. There's a good blog that talk about the similar issues : https://superevr.com/blog/2011/three-semicolon-vulnerabilities

However this post is more about manipulating context path to hijack resource links of HTML elementsSo let's have a look at a simple JSP page (test.jsp)


This page just loads some resources like script, image, css and that's it. It doesn't take any direct input from user but it is using value returned by request.getContextPath() as base path to resources link.

What can we do here?

Let's try to control the base path by using path parameters :

http://127.0.0.1:8080/;pathParameter/contextPathEx…

URLs Anchor Text Spoofing

Hello friends,

In this post I would talk about how to spoof URLs visually using Unicode character Right to Left Override (U+202E).

So let's start with "What is U+202E" ?

In very simple words it's a Unicode Character that VISUALLY changes all subsequent characters from right position to the left position.

Example :

In unicode aware environment "\u202Eabcdef" would be displayed as "fedcba" but the actual string would still be "\u202Eabcdef".

Demo in Browser Console :




This trick is very old and it was being used to spoof the extension of files.
However now the same method can be applied to spoof the anchor text of the URLs as well.

In many websites like Facebook, Gmail, Instagram, WhatsApp, etc this character (U+202E) is removed from the anchor link but kept in anchor text hence we can easily spoof the anchor text there.

Let's spoof the anchor text of URL "rakeshmane.com" to "facebook.com"



Now simply copy pasting it to a Fac…

Xssing Web Part - 2

Xssing Web With Unicodes
Hello friends, 

This is the second part of "Xssing Web". In this post I would show how to abuse unicodes to bypass XSS filters. 
BTW if you want to check previous part click here.

Note : If you think there are any mistakes in this post then kindly mention it in comments.

I have developed several XSS challenges to show how unicodes can be used to bypass filters. If you want to try those challenges first then click here, get back here if you couldn't solve any.


Abusing Unicode :

So what is Unicode?

-> Unicode is nothing but the encoding standard. It defines UTF-8UTF-16,UTF-32, etc encodings.

1) UTF-8 :

Characters Size :1 byte to 4 byte

Example :
Character "A" => 0x41
Character "¡"  => 0xC2 0xA1
Character "ಓ" => 0xE0 0xB2 0x93
Character "𪨶" => 0xF0 0xAA 0xA8 0xB6

2) UTF-16:

Character Size : 2 byte

However in UTF-16 there are two ways to represent any characters.

i) UTF-16be (be- Big Endian) [Left to Right Byte …

Xssing Web Part - 1

Xssing Web Part - 1
Hello,

I'm thinking about sharing everything I know about XSS :) However it's not possible to put all methods in one single post so I would be making several parts of "Xssing Web". Mostly I would be talking about how to bypass XSS filters and how to turn most of non exploitable XSS to exploitable.


All of you might have encountered one such end point that takes URL as parameter and redirects to it using javascript like :

location.href='URL' 
or
window.location.href='URL' 
or
window.location.replace('URL') 
or
window.location='URL'


In this post I would be talking about how to get XSS in such situations and how to bypass their filters.

First thing we can do here is try 'javascript' protocol or 'data' URI scheme.

window.location='javascript:alert(1)'
or
window.location='data:html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg'

It would execute 'alert(1)' function.

From now onwards I will only be talki…

Bug Bounty : Account Takeover Vulnerability POC

Hello,

In this post I'm going to share how I could takeover www.example.com users accounts.

So, what was the vulnerability?
Well , It was a very simple OAuth flaw which I could use to takeover users account with minimal user interaction.

Cut the crap, Give me POC -_- Ok.

www.example.com users have an option to connect their facebook account to their example.com account. 



Once a user connects his facebook account to his example.com account he does not need to enter his username/password to login instead he can simply click on "Sign in using Facebook" and he will be logged in (only if he is already logged in into his facebook account which he connected to his example.com account)



Ok all looks good let's see what happens in background when any user clicks on "Connect with Facebook"

GET Request  :

https://m.facebook.com/v2.2/dialog/oauth?redirect_uri=https://www.example.com/user_profile.php?action=fb_connect&scope=email,user_birthday,user_education_history,user_home…