Skip to main content

Posts

Showing posts from 2016

Xssing Web Part - 1

Xssing Web Part - 1 Hello, I'm thinking about sharing everything I know about XSS :) However it's not possible to put all methods in one single post so I would be making several parts of "Xssing Web". Mostly I would be talking about how to bypass XSS filters and how to turn most of non exploitable XSS to exploitable. All of you might have encountered one such end point that takes URL as parameter and redirects to it using javascript like : location.href='URL'  or window.location.href='URL'  or window.location.replace('URL')  or window.location='URL' In this post I would be talking about how to get XSS in such situations and how to bypass their filters. First thing we can do here is try ' javascript ' protocol or ' data ' URI scheme. window.location='javascript:alert(1)' or window.location='data:html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg' It would execute 'aler...

Bug Bounty : Account Takeover Vulnerability POC

Hello, In this post I'm going to share how I could takeover www.example.com users accounts. So, what was the vulnerability? Well , It was a very simple OAuth flaw which I could use to takeover users account with minimal user interaction. Cut the crap, Give me POC -_- Ok. www.example.com users have an option to connect their facebook account to their example.com account.  Once a user connects his facebook account to his example.com account he does not need to enter his username/password to login instead he can simply click on "Sign in using Facebook" and he will be logged in (only if he is already logged in into his facebook account which he connected to his example.com account) Ok all looks good let's see what happens in background when any user clicks on "Connect with Facebook" GET Request  :   https://m.facebook.com/v2.2/dialog/oauth?redirect_uri=https://www.example.com/user_profile.php?action=fb_connect&scope=email,...