05/05/2018 von Patrik auf Allgemein

[Tools] Visual Recon – A beginners guide

📖Intro 📖

During the process of RECON you often get thousands of domains you have to look at. A suitable way to decrease the time you spend on each website is to take a screenshot of each website. There are several tools available such as EyeWitness (https://github.com/ChrisTruncer/EyeWitness) or ScreenShotter (https://github.com/BladeMight/ScreenShotter). Unfortunately, I had issues setting them up the way I wanted, so I created a little workflow which will use WebScreenshot, Aquatone and express-photo-gallery to quickly identify your attack-surface.

If you are into Recon and automation, you should definitely check out Nahamsec’s tool LazyRecon (https://github.com/nahamsec/lazyrecon/blob/master/lazyrecon.sh)

The way we will do it is to setup a virtual server, gather subdomains using aquatone-discover, scan the subdomains for open ports on 443 and 80 using aquatone-scan take a screenshot using WebScreenshot and finally create thumbnails using epg-prep and display them in a nice way using the node tool express-photo-gallery.

The following GIF shows the actual result, cool right?

💧Setting up a Digitalocean VPS💧:

For the Setup I am using a cheap VPS system from Digitalocean.

The easiest operating system for me was Ubuntu together with a 1GB of memory, one vCPU and 25GB of SSD Disk. This should be more than enough for the task.

For the region I always chose the one thats closest to my physical location to avoid latencies, (in my case Frankfurt is the closest location)

I like to add IPv6 support to my droplets to have a better coverage of IPv4 and IPv6 targets, for the authentication i use my SSH keys (who remembers Passwords anyways?)

👀Tutorial👀:

So the first step after deploying your machine is to log in using SSH:

`ssh root@yourip`, after this you want to install all the following necessary tools (see bottom). After you’ve installed all the necessary tools we can go ahead and start our visual recon process. For this example we will be using the domain uber.com you can find their bug bounty program here: https://hackerone.com/uber.

To start we first run aquatone (https://github.com/michenriksen/aquatone/) to identify potential subdomains, to do so: `aquatone-discover -d uber.com` , you should see an output similar to this:

once the script has finished enumerating the subdomains, we need to identify whether the subdomains have a web server running, while it is possible that there could be a webserver on a different port, for this blog we will only focus on the ones running on port 443 and 80. To do the actual scan we use the aquatone-scan, with ` aquatone-scan -d uber.com -t 30 -p small` (where -t is defining the Threads used, and -p is the amount of ports used, small does only look for port 80 and 443.)

Now that we have identified all the open ports of the assets we can now go ahead and run Webscreenshot. It is possible to create screenshots with Aquatone too (using aquatone-gather) however, I wasn’t able to set it up properly on a VPS system, as such I am doing this with WebScreenshot. To do so we use the command `webscreenshot -i /root/aquatone/uber.com/urls.txt -o uber.com` this command tells webscreenshot to grab the list of urls created by aquatone and take a screenshot of each available domain inside the uber.com folder

This will likely take some time. If you have a unstable internet connection, I recommend running this in a so called screen session. Screen allows you to run a script in a separate process and lets you detach it and return to it again. To do so run screen -R uber and press str+a+d to detach from the window. To return you simply type screen -r uber.

Once this is done, we use a tool called epg-prep (https://www.npmjs.com/package/epg-prep) to create thumbnails to do so, simply run: `epg-prep uber.com`

This will allow us to view the created pictures using express-photo-gallery.

In a final step, use the express-gallery-script from the bottom of this blogpost and save it as yourname.js. All you need to do is to change the folder name inside the script: app.use('/photos', Gallery('uber.com', options)); the folder name in this case is set uber.com but depending on which target you look at it may be different. Once you’ve done that you can simply run the script using node yourname.js. This will create a webserver listening on Port 3000 with an endpoint called /photos. So to access this you simply type: http://yourserverip:3000/photos to get a nice overview of the subdomains you have enumerated. You can easily switch the photos by pressing the left or right arrow on your keyboard. At the bottom you will see a summary of all the screenshots that have been taken.

The next section will include all the necessary tools and software used in this blogpost, it should be enough to simply copy + paste those in your SSH session.

System Tools

apt update && apt upgrade
curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
apt install -y git wget python python-pip phantomjs xvfb screen slurm gem phantomjs imagemagick graphicsmagick nodejs

Requirements for WebScreenshot

pip install webscreenshot
pip install selenium

Requirements for express-photo-gallery

sudo npm install -g npm
npm install express-photo-gallery
npm install express
npm install -g epg-prep

Requirements for Aquatone

git clone https://github.com/michenriksen/aquatone.git
cd aquatone/
gem install aquatone

express-photo-gallery Script

var express = require('express');
var app = express();

var Gallery = require('express-photo-gallery');

var options = {
  title: 'My Awesome Photo Gallery'
};

app.use('/photos', Gallery('uber.com', options));

app.listen(3000);

Easy right?

🙂 If you have any problems, feel free to reach out on twitter (@itsecurityguard) or hit me up on Bug Bounty Forum (https://bugbountyforum.com/)

So long,

Patrik

11/11/2014 von Patrik auf Bug Bounty

[BugBounty] Paypal stored XSS + Security bypass

Dear followers,

i recently discovered a stored cross site scripting vulnerability on Paypal’s core site. The scenario is a bit weird, but i hope to explain everything as good as possible.

During my testings i often create accounts with malicious Javascript contet as the Name, Organization etc etc. While testing on Paypal i did the same, i tried to make an account with the username.

"><img src=x onerror javascript=alert(1337)">.jpg

But when i tried to fullfill the registration the security module of Paypal showed me an error that there is some kind problem with my request. When i looked at the URL i saw that there was some kind of progress bar

https://www.paypal.com/webapps/merchantboarding/webflow/unifiedflow?execution=e1s1

What came first in my mind , it’s the same url you get once logged in into a legimitate accout, so i tried to erease everything after the /webapps/ url, and suddenly i was into my new Paypal account with the malicious Javascript content. I went to the profile settings page and saw that 3 of my javascript snippets were executed. So far so good. Some of you might know that you need a szenario in which users of Paypal could be exploited in order to recieve a bug bounty. So i thought about where i could inject this to other Paypal users. A few months ago i found also a stored cross site scripting issue within a invoice created by paypal. If you look at the landing page of paypal you will see that every invoice you recieve will include the name of the user that send it to you. So, my Username is malicious Javascript, and Paypal allows me to send invoices to every single Paypal user by just knowing their E-Mail. So i went further and created an invoice, and sent it to my second Paypal accout. I logged in to the second one, and the Javascript Prompt appears on my screen.

To summarize the progress :

1. Create an account with the malicious Payload

2. At the point where the Paypal systems stops you from continuing erease the URL till /webapps/ (bypassed the Security restriction)

3. Create an invoice, send it to the victim

4. Victim logs into the the Account and the Payload gets executed

I did a small POC Video which describes the impact :

I hope you enjoyed 🙂

10/31/2014 von Patrik auf Bug Bounty

[BugBounty] The 5000$ Google XSS

Dear followers,

i recently searched for vulnerabilities on a Google service called tagmanager, this service is used for SEO operations. My main research was to look for any field that could be vulnerable to Cross Site Scripting, but every field was protected against special characters as you can see in the image below. So pretty useless to search on further on this.

So the next thing i saw was that the Tagmanager allowed a user to upload a set of definitions, tags, and Macros in form of a JSON File.

What i did next was to download the sample JSON file and edited the Name fields of the macros (which were not allowed special characters)

      "data": {
        "name": "#“><img src=/ onerror=alert(3)>",
        "type": "AUTO_EVENT_VAR",
        "autoEventVarMacro": {
          "varType": "HISTORY_NEW_URL_FRAGMENT"
        }

And guess what ? After uploading and overwriting the settings, the Payload got executed.

Here’s the POC Video i sent in

Hope you enjoyed! 🙂

all the best

Patrik

05/21/2014 von Patrik auf Bug Bounty

[Bug Bounty] Prezi (map.prezi.com) Path Traversal

Dear Readers,

short story, i discovered a Path Traversal Issue on one of Prezi’s domains,

Timeline : Mail recieved 05/18/2014 21:01:00

: fixed 05/20/2014

Hi Patrik,

Thanks again for your submission, you were the first to report this issue and we deployed our fix, therefore you are eligible for a $1000 reward. Congrats!

We would like to ask for the following details for the payment:

Beneficiary Name
Beneficiary Address
Beneficiary Phone Number
Bank Name
Bank City and State
Bank Country
IBAN
SWIFT Code
Thanks and congrats again!

Attila

Head’s up to the great Prezi Security Team!

Patrik Fehrenbach

¯\_(ツ)_/¯

bug bounty