[BugBounty] Paypal DOM XSS main domain

Dear followers,

I recently discovered a DOM Cross-Site Scripting issue while testing PayPal. The process was pretty straightforward: if you inserted the payload in:

in the URL, the DOM executed the JavaScript. This vulnerability would have affected all registered PayPal users and could have been used to exploit them. Unfortunately this issue got tagged as a duplicate, but I wanted to write about it anyway.
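To make the mechanism behind this kind of finding concrete, here is an added example (written for this post, not PayPal's code): untrusted data from the URL is written into an HTML sink, and the two usual fixes are shown next to it. The post does not name the parameter or the sink, so the "name" query parameter, the greeting banner and the stand-in element are assumptions.

```javascript
// Added example, not PayPal's code: how a DOM-based XSS arises when a
// page copies URL data into an HTML sink, and the two defences (escape
// the value, or use a text sink). The "name" parameter, the greeting
// banner and the stand-in element are assumptions for the example.

// Minimal stand-in for a DOM element so the code runs under Node.
// In a browser, assigning to innerHTML parses the string as HTML.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Reads the "name" query parameter the way client-side code often does
// with location.search. Returns '' when the parameter is absent.
function nameFromUrl(url) {
  return new URL(url).searchParams.get('name') || '';
}

// Vulnerable pattern: the untrusted value is concatenated into markup and
// written to an HTML sink, so tags and event-handler attributes carried in
// the URL become live DOM nodes in a browser.
function renderGreetingUnsafe(el, url) {
  el.innerHTML = '<b>Welcome, ' + nameFromUrl(url) + '!</b>';
  return el.innerHTML;
}

// Escapes the five characters that let data break out of text or
// attribute context in HTML.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Fix A: keep the HTML sink but escape the untrusted value first.
function renderGreetingEscaped(el, url) {
  el.innerHTML = '<b>Welcome, ' + htmlEscape(nameFromUrl(url)) + '!</b>';
  return el.innerHTML;
}

// Fix B: write to a text sink, which never parses markup at all.
function renderGreetingText(el, url) {
  el.textContent = 'Welcome, ' + nameFromUrl(url) + '!';
  return el.textContent;
}

// Constructed demonstration input: a URL whose name parameter carries
// an element with an event-handler attribute (the textbook test string).
const DEMO_URL = 'https://example.test/page?name=' +
  encodeURIComponent('<img src=x onerror=alert(1)>');

console.log('unsafe :', renderGreetingUnsafe(makeElement(), DEMO_URL));
console.log('escaped:', renderGreetingEscaped(makeElement(), DEMO_URL));
console.log('text   :', renderGreetingText(makeElement(), DEMO_URL));
```

The unsafe renderer hands the `<img ...>` element to the HTML parser unchanged; the escaped renderer keeps the same sink but neutralises the angle brackets, and the text renderer avoids the parser entirely. When reviewing client-side code, look for every place `location.*`, `document.referrer` or `window.name` flows into `innerHTML`, `outerHTML`, `document.write` or `eval`-like sinks.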

Here’s the POC I sent to the PayPal Inc. Bug Bounty team.


All the best

Patrik


[BugBounty] The 5000$ Google XSS

Dear followers,

I recently searched for vulnerabilities in a Google service called Tag Manager, which is used for SEO operations. My main focus was to look for any field that could be vulnerable to Cross-Site Scripting, but every field was protected against special characters, as the screenshot showed. So it was pretty useless to search any further there.

The next thing I saw was that Tag Manager allowed a user to upload a set of definitions, tags and macros in the form of a JSON file.

What I did next was to download the sample JSON file and edit the Name fields of the macros (the same fields that did not allow special characters in the form).

And guess what? After uploading and overwriting the settings, the payload got executed.
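The lesson here is that the upload path bypassed a check the web form enforced. As an added example (mine, not Google Tag Manager's code), here is what applying the same name rule at the JSON import boundary looks like, rejecting the whole upload when any field fails. The container layout (top-level "tags" and "macros" arrays with a "name" field) and the name character rule are assumptions made for the example.

```javascript
// Added example, not Google Tag Manager code: enforce on an uploaded JSON
// container the same name rule the web form enforces, so the import path
// cannot smuggle in what the form rejects. The container layout and the
// NAME_RULE whitelist are assumptions for this example.

// Characters the form is assumed to accept for tag and macro names.
const NAME_RULE = /^[A-Za-z0-9 _\-.]{1,64}$/;

function isValidName(name) {
  return typeof name === 'string' && NAME_RULE.test(name);
}

// Parses and validates an uploaded container. Returns { ok: true, container }
// or { ok: false, errors } naming every offending field, so a bad upload is
// rejected as a whole rather than partially applied.
function importContainer(jsonText) {
  let container;
  try {
    container = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, errors: ['not valid JSON: ' + e.message] };
  }
  if (container === null || typeof container !== 'object' || Array.isArray(container)) {
    return { ok: false, errors: ['container must be a JSON object'] };
  }
  const errors = [];
  for (const section of ['tags', 'macros']) {
    const items = container[section];
    if (items === undefined) continue;           // section is optional
    if (!Array.isArray(items)) {
      errors.push(section + ' must be an array');
      continue;
    }
    items.forEach((item, i) => {
      const name = item && item.name;
      if (!isValidName(name)) {
        errors.push(section + '[' + i + '].name rejected: ' + JSON.stringify(name));
      }
    });
  }
  return errors.length ? { ok: false, errors } : { ok: true, container };
}

// Constructed sample upload: the second macro name carries markup that the
// form would refuse but a raw JSON upload, without this check, would not.
const SAMPLE_UPLOAD = JSON.stringify({
  tags: [{ name: 'GA Pageview', type: 'ua' }],
  macros: [
    { name: 'Page URL', type: 'u' },
    { name: '<img src=x onerror=alert(1)>', type: 'u' },
  ],
});

console.log(importContainer(SAMPLE_UPLOAD));
```

Input validation at every entry point is the fix for the bypass itself; the names still have to be HTML-encoded wherever the settings page renders them, since the validation rule is a whitelist for the import and not a substitute for output encoding.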

Here’s the POC video I sent in.


Hope you enjoyed! 🙂


All the best

Patrik


[BugBounty] Yahoo phpinfo.php disclosure

Dear readers,

During my research on Yahoo I found a phpinfo.php information disclosure vulnerability on one of their servers. The server on which I found that particular file was http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php. You might ask yourself how on earth I found this server. Let me explain what I did: since the scope of Yahoo's vulnerability program is *.yahoo.com, I did a ping on Yahoo's main domain to find out the corresponding IP address. The result was 98.138.253.109. The next thing I did was a whois request on that address to find the netrange it belongs to.


[Screenshot, 2014-09-26 16:49:33]

NetRange: 98.136.0.0 – 98.139.255.255
CIDR: 98.136.0.0/14
OriginAS:
NetName: A-YAHOO-US9
NetHandle: NET-98-136-0-0-1
Parent: NET-98-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-12-07
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-98-136-0-0-1

As you can see, the CIDR entry tells me that Yahoo owns a large network, 98.136.0.0/14, which is 260,000 unique IP addresses. So I wrote a short shell script to ask every single IP address of the whole Yahoo range for the phpinfo.php file

and yes, the result was the one I found above.
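The script itself is not reproduced in the post, so here is an added example (mine, not the author's script) of the same idea turned into an exposure audit that an owner can run over their own ranges: expand the CIDR, ask each address for /phpinfo.php and flag responses that look like phpinfo() output. The HTTP fetch is injected so the logic runs offline here against constructed responses; the fixture addresses, the marker strings and the fetcher contract are assumptions.

```javascript
// Added example, not the author's shell script: audit an IPv4 range you
// own for exposed phpinfo.php pages. The fetcher is injected so the code
// runs offline with constructed responses; a real fetcher would return the
// body of GET http://<ip>/phpinfo.php as a string, or null on no answer.

// Dotted-quad IPv4 string -> 32-bit unsigned integer.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) >>> 0) + (b << 16) + (c << 8) + d;
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Expand "a.b.c.d/len" into its first address, last address and size.
// A /14 such as 98.136.0.0/14 covers 2^(32-14) = 262,144 addresses.
function cidrToRange(cidr) {
  const [base, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error('bad prefix length: ' + cidr);
  const size = 2 ** (32 - len);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  const first = (ipToInt(base) & mask) >>> 0;
  return { first, last: first + size - 1, size };
}

// Strings that appear in phpinfo() HTML output; either one is enough to
// flag a response as a phpinfo page.
const PHPINFO_MARKERS = ['<title>phpinfo()</title>', 'PHP Version'];

function looksLikePhpinfo(body) {
  return typeof body === 'string' && PHPINFO_MARKERS.some((m) => body.includes(m));
}

// Walk the range, call fetchPhpinfo(ip) for every address and collect the
// addresses whose response looks like phpinfo output. For a range the size
// of a /14 the fetcher should rate-limit and time out on its own.
function auditPhpinfoExposure(cidr, fetchPhpinfo) {
  const { first, last } = cidrToRange(cidr);
  const exposed = [];
  for (let n = first; n <= last; n++) {
    const ip = intToIp(n);
    if (looksLikePhpinfo(fetchPhpinfo(ip))) exposed.push(ip);
  }
  return exposed;
}

// Constructed offline fixture: a /29 in documentation address space where
// one host serves a phpinfo page, one serves an unrelated page and the
// rest do not answer.
const FIXTURE_RESPONSES = {
  '192.0.2.10': '<html><head><title>phpinfo()</title></head><body><h1>PHP Version 5.3.3</h1></body></html>',
  '192.0.2.12': '<html><head><title>Welcome</title></head><body>Hello</body></html>',
};

function fixtureFetch(ip) {
  return Object.prototype.hasOwnProperty.call(FIXTURE_RESPONSES, ip) ? FIXTURE_RESPONSES[ip] : null;
}

console.log('98.136.0.0/14 size:', cidrToRange('98.136.0.0/14').size);
console.log('exposed in fixture:', auditPhpinfoExposure('192.0.2.8/29', fixtureFetch));
```

The range arithmetic reproduces the whois record above (98.136.0.0 to 98.139.255.255), and the marker check is what separates a real phpinfo page from a generic 200 response, which a plain "does the URL answer" loop would miscount. The same function doubles as a regression check after the file has been removed.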


Thanks for reading

All the best

Patrik


[Bug Bounty] Prezi (map.prezi.com) Path Traversal

Dear Readers,

Short story: I discovered a Path Traversal issue on one of Prezi’s domains.

[Screenshot, 2014-05-18 23:48:33]


Timeline: mail received 05/18/2014 21:01:00, fixed 05/20/2014

Hi Patrik,

Thanks again for your submission, you were the first to report this issue and we deployed our fix, therefore you are eligible for a $1000 reward. Congrats!

We would like to ask for the following details for the payment:

Beneficiary Name
Beneficiary Address
Beneficiary Phone Number
Bank Name
Bank City and State
Bank Country
IBAN
SWIFT Code
Thanks and congrats again!

Attila

Heads up to the great Prezi Security Team!