Sunday, September 10, 2017

URL Whitelist Bypass - Accounts Google (accounts.google.com) - VRP

After running security tests against the changes behind Google's two-factor authentication, I came across a serious issue.
In this particular request Google allowed me to change the "next step" parameter, and I could insert any website I liked!
After I reported this issue, they told me it had already been reported internally, so it would not be eligible for a reward, but I got into the Hall of Fame anyway!

Details about the flaw:

Original link: https://accounts.google.com/signin/challenge/pwd/1?continue=https://mail.google.com/mail/&service=mail&hl=pt-PT&ss=1&scc=1&rm=false&osid=1&TL=AHnYQLyS15zLZZAZVOfOffY7nVH923l3UK6JSW9CP4YS7B4TRjiBSyJS38uns6KHZ6Z8z4Z8t-WGewKLoTVGUN8hMgYYXAHJwapRrNmZYIGaebn5_d23vO-KTOHFMZNBKUAPdiPZaKb2I2CFCXMLQ611QG6ThYSyjg==

This flaw let anyone crafting the link change the ?continue= parameter, which was not effectively restricted to Google destinations. With the original link, users were sent to https://mail.google.com/mail/ after completing the step.

Malicious link: https://accounts.google.com/b/0/recovery/summary?hl=pt-PT&service=mail&continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe&eprsic=AMkw5H1N7WAjwEmj5az8PPrL-OcQC9xur_e_f8yx9kyWEsc_OftPTFMBR4LpdJgCOkVMm-_kaPv9h0dULCcwNkXpfe6BqHDIDREMvd2CXXUI2BknlyYPp8LaxKeEeCmJoyHSi11TBErdcJhtrO67pQO4zRgqnpOo0cTasr5MRxPod5A9_KMmnkKKjaGXwKp-LEMn5-DRSsFI0fIRKRNsbSwWnwGdkCOT9HDxbb263YHTnlw9CFAomS8&authuser=0

If I change the parameter to ?continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe and spread the malicious link, users are redirected to a malicious website or file after clicking the "continue" button. The danger is that the link genuinely starts on accounts.google.com, so the redirect inherits the trust users place in Google's sign-in pages.
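The following is an added example, not code from the original post or from Google: it shows the kind of prefix check that lets a "whitelisted" redirect parameter be bypassed, next to a validator that parses the target and compares the host against an allowlist. The allowlist and the fallback URL are assumptions for the example; the inputs beyond the two URLs from the post are constructed to show common bypass shapes, so it goes beyond the specific case above.

```python
from urllib.parse import urlparse, urlunparse

# Assumed allowlist for the example; the real set of hosts a Google sign-in
# flow may hand off to is not on the page and is not known here.
ALLOWED_HOSTS = {"mail.google.com", "accounts.google.com"}
FALLBACK = "https://mail.google.com/mail/"


def naive_is_safe(url: str) -> bool:
    """A prefix check that looks right but is a whitelist bypass waiting to happen."""
    return url.startswith("https://mail.google.com")


def safe_continue(url: str) -> str:
    """Return ``url`` only if it is an absolute https URL whose host is on the
    allowlist, carries no credentials and uses the default port; otherwise
    return FALLBACK so the user always lands somewhere we control.
    """
    try:
        p = urlparse(url)
        if p.scheme != "https":
            return FALLBACK                # http://, javascript:, or scheme-relative //host
        if p.username is not None or p.password is not None:
            return FALLBACK                # https://mail.google.com@attacker.example/
        if p.port not in (None, 443):
            return FALLBACK
        host = (p.hostname or "").rstrip(".")   # .hostname is already lower-cased
    except ValueError:                     # malformed port or IPv6 literal
        return FALLBACK
    if host not in ALLOWED_HOSTS:
        return FALLBACK                    # covers mail.google.com.attacker.example too
    # Rebuild from the parsed parts so the canonical host is what gets emitted
    # and the fragment (never sent to the server anyway) is dropped.
    return urlunparse(("https", host, p.path or "/", p.params, p.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the two URLs from the post plus typical bypass shapes.
    for candidate in [
        "https://mail.google.com/mail/",
        "http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe",
        "https://mail.google.com.attacker.example/",
        "https://mail.google.com@attacker.example/",
        "//attacker.example/",
    ]:
        print(f"{candidate!r:60} naive={naive_is_safe(candidate)!s:5} -> {safe_continue(candidate)}")
```

The prefix check passes the third and fourth inputs because both literally start with `https://mail.google.com`; the parsing validator rejects them because the actual host is `attacker.example`. Re-serialising from the parsed parts, rather than echoing the original string, also stops odd encodings in the raw parameter from reaching the Location header.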

Check out the video to see how dangerous even a basic exploitation can be!








Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team: having trouble reproducing the flaw
January 26, 2017 at 19:2 (WET Time): More details and, again, a full explanation
January 30, 2017 at 12:07 (WET Time): Response from Security Team: still having trouble reproducing with the new details
January 30, 2017 at 12:52 (WET Time): Sent new details with a YouTube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team engineer saying he could reproduce the steps sent earlier and asking for more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice catch!" email
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.




XSS - Santander Totta Portal (2014) - Full Disclosure

Back in 2014 I found a serious XSS vulnerability in the Santander Totta portal. This flaw allowed attackers to build highly convincing phishing schemes and hijack bank accounts.
When I reported this issue, Santander Totta ignored the problem for months, until Portuguese media confronted them with it: Exame Informática and Visão published articles drawing attention to the problem, which was fixed right after.
Today I am fully disclosing it, since it no longer poses a risk to the bank: they have since changed their platform.

This is a lesson to all the companies that receive free reports every day. Do not ignore the reports you receive from researchers. They dedicate their free time to protecting the internet at no cost. If you don't know what to do, reply to them and ask for help; they will certainly point you to competent services.

You can watch this vulnerability being exploited in the video below. Sorry for the bad quality.




Wednesday, January 1, 2014

XSS - Security Flaw in Portal das Finanças (portaldasfinancas.gov.pt)

Well, to start the year, here is another discovery, this time on a government site that Portuguese citizens use constantly.

About

Title: Non-persistent (reflected) XSS in Portal das Finanças (Registration Area)
Risk: High
Discovery Date: December
Injected Code: "><script>alert(document.cookie)</script><input
Author: Manuel Sousa (me)


Steps to Reproduce

1. Open http://www.portaldasfinancas.gov.pt/pt/adesaoForm.action with Firefox or Internet Explorer to see the JavaScript alert box.
2. Inject the payload into one of the form's field parameters; in this case I used the email (adesaoForm.action?email=/payload/): "><script>alert(document.cookie)</script><input
3. See the final result =]




After reporting it to the security department responsible for the portal, here is the reply.


Other vulnerable parts of the portal:


Disclosure Timeline

December 25, 2013 at 01:00 (WET Time): Vulnerability Discovered
December 29, 2013 at 20:39 (WET Time): Bug Reported
December 30, 2013 at 17:43 (WET Time): Response from the IT Department
Vulnerability fixed: Not yet

Saturday, November 30, 2013

XSS - Google Groups (groups.google.com) - Vulnerability Reward Program

Hi! I just want to share my finding: I found a reflected XSS vulnerability in Google Groups. With no user interaction, enjoy ;-)


About

Title: Reflected XSS in Google Groups
Business Risk: High
Discovery Date: October/November
Payload: 
<href="url" onmouseover=alert(1)>
Author: Manuel Sousa (me)

Steps to Reproduce


This bug requires 2 accounts.

1. Log in to Google Groups with Account 1.
2. Create a group.
3. Post in the group and upload a .swf file with a payload written in the file. (Download here!)
4. Now click on "see".


5. Now you will see an XSS on the "sandbox" domain (no problem ;)).

Now we have a link to access the .swf file (https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/xss.swf?part=4&authuser=0&view=1)


6. Log out of Google services with Account 1.

7. Log in to Google services with Account 2.
8. Now access the file created earlier with Account 1.
9. Now we see a forbidden page (the file is restricted).
10. Inject the code into the attachment name in the URL ( <href="url" onmouseover=alert(1)>SOMETEXTHERE )
11. Injected link: https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/XSSbyMS%3Chref=%22url%22%20onmouseover=alert%281%29%3E
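Both this post and the Portal das Finanças post above are the same bug class: a request parameter (the ?email= form field there, the attachment name in the URL path here) reflected into HTML without escaping. The block below is an added example, not code from either site or from the original posts: the two vulnerable templates are constructed stand-ins for the real pages (their actual markup is not on the page), and only the two payloads are taken from the posts. It renders each payload through a vulnerable template and through the same template with context-appropriate escaping, and checks whether the input managed to add markup.

```python
import re
from html import escape
from urllib.parse import unquote

# Payloads taken from the two posts.
FINANCAS_PAYLOAD = '"><script>alert(document.cookie)</script><input'
GROUPS_PATH_SEGMENT = "XSSbyMS%3Chref=%22url%22%20onmouseover=alert%281%29%3E"


def groups_payload() -> str:
    """The attachment name as the server sees it after URL-decoding the path."""
    return unquote(GROUPS_PATH_SEGMENT)


# --- Constructed stand-ins for the two vulnerable pages (not the real markup) ---

def render_form_vulnerable(email: str) -> str:
    """Registration form that echoes ?email= straight into a value attribute."""
    return f'<input type="text" name="email" value="{email}">'


def render_form_fixed(email: str) -> str:
    """Same form with attribute-context escaping: quote=True turns " into &quot;,
    so the payload can no longer close the attribute and start a <script> tag."""
    return f'<input type="text" name="email" value="{escape(email, quote=True)}">'


def render_forbidden_vulnerable(attachment: str) -> str:
    """Forbidden page that echoes the requested attachment name as body text."""
    return f"<p>You do not have permission to access {attachment}</p>"


def render_forbidden_fixed(attachment: str) -> str:
    """Text-context escaping: < and > become &lt; and &gt;, so <href ...> is inert."""
    return f"<p>You do not have permission to access {escape(attachment, quote=True)}</p>"


_TAG_START = re.compile(r"</?[A-Za-z]")


def tag_count(html: str) -> int:
    """Count tag starts; crude, but enough to tell whether input became markup."""
    return len(_TAG_START.findall(html))


def reflects_markup(render, payload: str) -> bool:
    """True if rendering the payload yields more tags than rendering benign input,
    i.e. the input escaped its context and became part of the document structure."""
    return tag_count(render(payload)) != tag_count(render("benign-input"))


if __name__ == "__main__":
    for name, render, payload in [
        ("financas vulnerable", render_form_vulnerable, FINANCAS_PAYLOAD),
        ("financas fixed", render_form_fixed, FINANCAS_PAYLOAD),
        ("groups vulnerable", render_forbidden_vulnerable, groups_payload()),
        ("groups fixed", render_forbidden_fixed, groups_payload()),
    ]:
        print(f"{name:20} injected={reflects_markup(render, payload)!s:5} {render(payload)}")
```

The Portal das Finanças payload works because a bare `"` closes the value attribute; escaping only `<` and `>` would not be enough there, which is why `quote=True` matters for attribute context. The Google Groups payload needs no quote at all, since it lands in text context where `<` is the only character that matters. `html.escape` covers both HTML contexts; a value echoed into a JavaScript string or a URL needs that context's own encoder instead.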






Disclosure Timeline

October 24, 2013 at 11:00 PM (WET Time): Vulnerability Discovered
October 25, 2013 at 00:05 (WET Time): Initial Report
October 25, 2013 at 00:05 (WET Time): Auto response from Security bot
October 25, 2013 at 8:22 PM (WET Time): First response from Security Team
November 5, 2013 at 22:46 (WET Time): Bounty Rewarded.
November 7, 2013: Vulnerability Fixed
You can see my name in the Hall of Fame, and I promise I'll be there more often ;). (http://www.google.com/about/appsecurity/hall-of-fame/reward/)




Sorry about my English :3