Posts

Less Time To Perform Penetration Tests ? Look For Known Bugs...!!

August 1st 2017, evening.
I was having my evening tea with a few hours left before a day off when my manager suddenly assigned me a new task. He rushed over to me and said: "Dear Raghav, you have to perform a quick security test on a particular website, ABC, and its sub-domains. Try to wrap it up in an hour or two. Find any critical or high bug and write the incident report so we can impress our client and buy proper time to perform the security assessments."
The moment I received the e-mail about the project, my first move was to enumerate sub-domains, using techniques such as Google/Bing search operators, reverse IP lookups, dnsdumpster.com, Knock Sub-domain Scan and the Acunetix Sub-domain Scanner.

Fig.1 Sub-domain Scanning

Once I had the list of sub-domains, I quickly opened the Firefox web browser, installed the Wappalyzer add-on and started looking for the technologies and their versions across the various domains. After 10 minutes I was finished mapping technology versions to the targeted domains. After giving …

Logical Authentication Bypass Vulnerability

On the morning of 28th September 2015 I received an e-mail from my colleague asking me to perform a penetration test on the Android application of a bank called "ABC" (for security reasons I am not disclosing the name of the application). The time limit was short, as I had to complete the test and the report in 2 days, so I looked for a critical vulnerability. One day passed; I had checked for the usual injection and session management vulnerabilities, but there was no luck.
After giving some thought to the application I lost hope and started writing the report, when suddenly my eye caught a glimpse of the authentication request that was going to the server.
Now, to understand that request you have to understand the login functionality of the application. The developers of this app were trying to be smart: at registration time they asked for both a password and a memorable keyword for accessing your account in the app, enforced by a security policy like: 1. At least 8 characters in the password. 2. Password must contain one upper-case let…

Blind OOB XXE At UBER 26+ Domains Hacked.

XXE (XML External Entity):
An XML External Entity attack is a type of attack against an application that parses XML input. It occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This is the story of how I was able to find an XXE vulnerability in one of Uber's websites that was in scope for the bug bounty program.

On the evening of July 26th 2016 I was working on the ubermovement web application.
As it was a small web app, there were not many parameters on which to run injection tests. I started with the old-school tests, and the first parameter I came across was the search box.

Now I attached my Burp Suite, gave it a keyword to search and started monitoring the requests...

In the directory "search" I got two requests.
1. The keyword …

That Moment When You Find Authentication Bypass Vulnerability In Bug Bounty Program ?

One whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities, 2 to 3 logical bugs, and about a million duplicates...

On the evening of 22nd Dec 2015 I started looking for sub-domains of a website that had been newly introduced to a bug bounty program. After fingerprinting all the domains I found a unique one that was hosted on an IIS server and running ASP.NET at the back end. An Nmap scan gave me the versions of the server and technology: the web application was running on Windows Server 2003 and Microsoft IIS 6.0 with Microsoft SQL Server 2005. That was far too old for 2015, so I went old school on one of the parameters of the page and searched for SQL injection.

I injected a quote and within a few seconds I received a SQL error. Now I was sure the SQL injection vulnerability was present in this sub-domain. As it was only a sub-domain, the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the we…

Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found out that they had added some more functions to the web app, so I started exploring the new features. Everything looked fine, as they were all static HTML pages, until suddenly I came across a file "filedownload.php".

Now, my first step was to spider this branch, which I did with the help of Burp Suite; the full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed: E:\netpub\vhosts\www\

Then I simply opened the link "http://site.com/filedownload.php?file=" in my browser and received an error message from the server:
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered that it might be an old-school, GHDB-type file download vulnerability, so now I had to check for two types of vulnerability:
1. LFI - Local File Inclu…