[BugBounty] Paypal stored XSS + Security bypass

Dear followers,

i recently discovered a stored cross site scripting vulnerability on Paypal’s core site. The scenario is a bit weird, but i hope to explain everything as good as possible.

During my testings i often create accounts with malicious Javascript contet as the Name, Organization etc etc. While testing on Paypal i did the same, i tried to make an account with the username.

But when i tried to fullfill the registration the security module of Paypal showed me an error that there is some kind problem with my request. When i looked at the URL i saw that there was some kind of progress bar

What came first in my mind , it’s the same url you get once logged in into a legimitate accout, so i tried to erease everything after the /webapps/ url, and suddenly i was into my new Paypal account with the malicious Javascript content. I went to the profile settings page and saw that 3 of my javascript snippets were executed. So far so good. Some of you might know that you need a szenario in which users of Paypal could be exploited in order to recieve a bug bounty. So i thought about where i could inject this to other Paypal users. A few months ago i found also a stored cross site scripting issue within a invoice created by paypal. If you look at the landing page of paypal you will see that every invoice you recieve will include the name of the user that send it to you. So, my Username is malicious Javascript, and Paypal allows me to send invoices to every single Paypal user by just knowing their E-Mail. So i went further and created an invoice, and sent it to my second Paypal accout. I logged in to the second one, and the Javascript Prompt appears on my screen.

To summarize the progress :

1. Create an account with the malicious Payload

2. At the point where the Paypal systems stops you from continuing erease the URL till /webapps/ (bypassed the Security restriction)

3. Create an invoice, send it to the victim

4. Victim logs into the the Account and the Payload gets executed

I did a small POC Video which describes the impact :

I hope you enjoyed 🙂

 

[BugBounty] Paypal DOM XSS main domain

Dear followers,

i recently discovered a DOM Cross Site Scripting issue while testing on Paypal, the process here was pretty straight forward, if you inserted the payload in  :

In the URL, the DOM executed the Javascript. This vulnerability would have affected all registered Paypal users and could have been used to exploit the Users. Unfortunately this issue got tagged as duplicate but i wanted to write about it anyway.

Here’s my POC i sent the Paypal inc. Bug Bounty team.


All the best

Patrik

 

[BugBounty] The 5000$ Google XSS

Dear followers,

i recently searched for vulnerabilities on a Google service called tagmanager, this service is used for SEO operations. My main research was to look for any field that could be vulnerable to Cross Site Scripting, but every field was protected against special characters as you can see in the image below. So pretty useless to search on further on this.
mac

So the next thing i saw was that the Tagmanager allowed a user to upload a set of definitions, tags, and Macros in form of a JSON File. json

What i did next was to download the sample JSON file and edited the Name fields of the macros (which were not allowed special characters)

And guess what ? After uploading and overwriting the settings, the Payload got executed.

Here’s the POC Video i sent in

 

Hope you enjoyed! 🙂

10721113_572544522871857_964844342_n

all the best

Patrik

 

 

[BugBounty] Yahoo phpinfo.php disclosure

Dear readers,

during my research of yahoo i found a phpinfo.php file information disclosure vulnerability, on one of their servers. The server on which i found that particular file was : http://nc10.n9323.mail.ne1.yahoo.com/phpinfo.php you might ask yourself how on earth i found this server. Let me explain what i did: Since the scope for the vulnerability program of yahoo is *.yahoo.com i did a ping on the main domain of Yahoo to find out the corresponding ip adress. The result was  98.138.253.109, the next thing i did was a whois request on that domain to find the netrange of this ip adress.

 

Bildschirmfoto 2014-09-26 um 16.49.33

NetRange: 98.136.0.0 – 98.139.255.255
CIDR: 98.136.0.0/14
OriginAS:
NetName: A-YAHOO-US9
NetHandle: NET-98-136-0-0-1
Parent: NET-98-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-12-07
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-98-136-0-0-1

As you can see the CIDR entry tells me that Yahoo owns a large Network 98.136.0.0/14 which is 260.000 unique IP-Adresses.  So i wrote a short shell script to ask every single ip Adress of the whole Yahoo range for the phpinfo.php file

and yes the result was the one i’ve found above.

 

Thanks for reading

All the best

Patrik