Sunday, November 29, 2015

Stored XSS in Google Docs (Bug Bounty)

I have found a Stored Cross Site Scripting vulnerability in Google Docs (https://docs.google.com). The XSS was pretty simple and at first I was not expecting a reward. The vulnerability lies within the main Google Docs interface (creating a document). To reproduce, create an HTML file embedding the payload, save it as HTML and open it. Drag and drop the produced XSS vector into Google Docs and the XSS will pop. The vulnerability was fixed by Google within a week (pretty fast). I also received a bounty and was listed in their Hall of Fame. I got the "Elite (31337/eleet)" reward.


Image POC: 






Video POC: 






Timeline:

November 4 ----- Reported
November 5 ----- Report was Triaged
November 6 ----- A bug was filed according to Michael J. (Google Security Team)
November 12 ---- Rewarded by Google Security Team

 
Reward:

$3,133.7 


Friday, November 13, 2015

Stored XSS in Slack via emoji (Bug Bounty)

I have found ANOTHER cross site scripting in Slack. This time, a Stored one, the most dangerous of all XSS... Anyway, the payload I used is very unique: the XSS has to be popped up through an emoji. The Slack security team fixed this pretty fast since the XSS is a Stored one. This was my third bug from Slack, and I immediately rose to Top 26 in their thanks page (https://hackerone.com/slack/thanks/). For more details regarding my report, just visit this link: https://hackerone.com/reports/96337


Image POC:







Reward:

$500

Reflected XSS in Slack (Bug Bounty)

I have found another Cross Site Scripting vulnerability in Slack. This time it is a Reflected XSS, located in the team integration search bar. The bug was fixed immediately by the Slack security team. This was my second bug from Slack. To read more about my report, just visit this site: https://hackerone.com/reports/97683

Image:




Reward:

$100 

XSS in Slack (Bug bounty)

I have found a Cross Site Scripting vulnerability in Slack. The XSS lies in the creation of a new post and can be triggered by formatting text as code: just type in the payload, then change it to code format. The bug has been fixed by the Slack security team. The link to my report can be found here: https://hackerone.com/reports/89505


Image POC:


Reward:

$100 

Stored XSS in Parse (Bug Bounty)

I found a Stored Cross Site Scripting vulnerability in Parse, a Facebook acquisition. The Stored XSS was located in the App dashboard. I reported it to Facebook; they rewarded me with a $1000 bounty and I was also listed in their "Whitehat List" for the year 2015. The issue was fixed by the Facebook security team. Here is the video for more details.
WhiteHat list: https://www.facebook.com/whitehat/thanks


Video:

Reward:

$1000
 

Saturday, October 10, 2015

Subdomain takeover in staging.wepay.com (Bug Bounty)

I found an "abandoned" subdomain of WePay that can be taken over, thus vulnerable to subdomain takeover. I reported it to WePay and they fixed it after 2 hours (which is pretty fast). The vulnerable site was staging.wepay.com. If you visit that site, you will encounter an error saying "Unknown domain:staging.wepay.com", indicating that nobody has claimed that domain on the hosting side and anyone can register it there. The CNAME is pointing to Fastly.
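A defender-side check for the condition described above, written as an added example (not code from the original post): a hostname whose CNAME points at a hosting provider, while the provider answers that the name is unknown, is a dangling record. DNS resolution and HTTP fetching are injected as callables so the logic runs offline on constructed data; the example.com hostnames and the single Fastly fingerprint are assumptions based on the error text quoted in the post.

```python
from typing import Callable, Optional

# Provider CNAME suffix -> substring the provider returns for an unclaimed name.
# The Fastly entry is derived from the "Unknown domain" error quoted in the post;
# other providers would be added here from their own documented responses.
TAKEOVER_FINGERPRINTS = {
    "fastly.net": "unknown domain",
}

def check_dangling(host: str,
                   resolve_cname: Callable[[str], Optional[str]],
                   fetch_body: Callable[[str], str]) -> dict:
    """Report which provider `host` CNAMEs to and whether that provider
    says the name is unclaimed (the takeover condition)."""
    target = resolve_cname(host)
    verdict = {"host": host, "cname": target, "provider": None, "dangling": False}
    if target is None:
        return verdict  # no CNAME at all: nothing to take over via a provider
    for suffix, fingerprint in TAKEOVER_FINGERPRINTS.items():
        if target.rstrip(".").endswith(suffix):
            verdict["provider"] = suffix
            body = fetch_body(host).lower()
            # CNAME to the provider + provider does not recognise the name
            # means anyone who registers the name there serves it.
            verdict["dangling"] = fingerprint in body
    return verdict

# Constructed sample answers standing in for real DNS and HTTP responses.
SAMPLE_CNAMES = {
    "staging.example.com": "example.global.prod.fastly.net.",
    "www.example.com": "example.global.prod.fastly.net.",
    "mail.example.com": None,
}
SAMPLE_BODIES = {
    "staging.example.com": "Unknown domain:staging.example.com",
    "www.example.com": "<html><body>Welcome</body></html>",
}

def audit(hosts) -> list:
    """Run the check over a list of hostnames with the constructed data."""
    return [check_dangling(h, SAMPLE_CNAMES.get,
                           lambda name: SAMPLE_BODIES.get(name, ""))
            for h in hosts]
```

In a real inventory scan, `resolve_cname` and `fetch_body` would wrap a DNS library and an HTTP client; the verdict logic stays the same.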




Image:


Reward:

$100

XSS in Pinterest Developers (Bug Bounty)

I recently found an XSS in the Pinterest developer website. It only took 2 days for Pinterest to fix it. At first, Pinterest told me that it was self-XSS, but I sent further info and they realized it is a reflected XSS and that it is eligible for a bounty.




Steps to reproduce: 

1. Go to developers.pinterest.com
2. Then go to the widget builder
3. In the custom image field, enter the payload
4. XSS pop-up




Image:




Reward:

$50



XSS in Heroku (Bug Bounty)

I found a Cross Site Scripting vulnerability in dashboard.heroku.com. Heroku has their bug bounty program hosted on Bugcrowd. This is my first bug on Bugcrowd. The bug was fixed after 2 weeks and they rewarded me with a $200 bounty.


Steps to reproduce:

1. Go to dashboard.heroku.com
2. Go to the "Deploy" tab
3. Click "New Pipeline"
4. Enter the XSS payload
5. Click "Create Pipeline" and the XSS pops up


Image:









Reward:

$200

Saturday, August 22, 2015

XSS in Paypal (Bug Bounty)

I have found an XSS vulnerability in PayPal, located on their main site (https://www.paypal.com/). Unfortunately my report was a duplicate; another researcher had already found the bug. Anyway, here is the POC:



Duplicate:




Timeline:

June 1 ------ Bug found

June 3 ------ Confirmed the vulnerability, gave me a case number.

June 5 ------ Said it was duplicate :( 


That's all. Thanks.

XSS in Magento (Bug Bounty)

I found an XSS vulnerability in Magento Commerce (www.magentocommerce.com/magento-connect/). They have a bug bounty program (http://magento.com/security). I reported it to their security team via email. However, they didn't reply to me at all. But after 2 months they replied and gave me a bounty of $60 :)

Video POC:




This is the Video POC.

POC Image:







Reward:




Timeline:

June 4 ----------- Reported

August 4 -------- Fixed

August 25 ------ Replied and gave  $60 bounty


SQL Injection in DLSU's main website

De La Salle University is one of the Philippines' most prestigious universities and is included in the "Top 4 universities and colleges in the Philippines". However, their site has an SQL injection vulnerability. I have reported it to them over the past 2 years (since I was in 3rd year of high school) but got no reply.
There are many vulnerable parameters. Among them is this:
http://www.dlsu.edu.ph/faculty/fis/alpha_list.asp?letter=B%27

Notice the %27 (a URL-encoded single quote) appended to the parameter; whether the page errors on it tells you whether it can be injected or not.
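Why that single quote is diagnostic, and what closes the hole, as an added example (not code from the original post or from the site in question): a query built by string concatenation turns the quote into SQL syntax and errors, while a bound parameter treats it as data. The `faculty` table, its rows and the `alpha_list_*` function names are constructed for the example; it runs against an in-memory SQLite database.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a faculty listing table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE faculty (name TEXT)")
    con.executemany("INSERT INTO faculty VALUES (?)",
                    [("Bautista",), ("Cruz",), ("Bello",)])
    return con

def alpha_list_vulnerable(con, letter: str) -> list:
    """Concatenation, the pattern behind a 'letter=' page that errors on a quote:
    whatever is in `letter` becomes part of the SQL text."""
    sql = "SELECT name FROM faculty WHERE name LIKE '" + letter + "%' ORDER BY name"
    return [row[0] for row in con.execute(sql)]

def alpha_list_safe(con, letter: str) -> list:
    """Bound parameter: the value is compared as data, never parsed as SQL.
    LIKE wildcards typed by the user are escaped so they match literally."""
    pattern = (letter.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_")) + "%"
    sql = "SELECT name FROM faculty WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in con.execute(sql, (pattern,))]

def probe(letter: str) -> dict:
    """Send the same `letter` value through both versions and record whether
    the query raised; a server error on a quote is the tell the post describes."""
    con = make_db()
    out = {}
    for name, fn in (("vulnerable", alpha_list_vulnerable), ("safe", alpha_list_safe)):
        try:
            out[name] = {"rows": fn(con, letter), "error": None}
        except sqlite3.Error as exc:
            out[name] = {"rows": [], "error": type(exc).__name__}
    return out
```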

POC: 



That's all.
XSS in gov.ph --- Official Gazette

While randomly searching for websites to "pwn", I came across the website of the Official Gazette of the Republic of the Philippines (http://gov.ph). I just typed a payload in the search bar and voila! XSS vulnerable. I contacted them via Twitter and the XSS was fixed after a day. (They are serious about web vulnerabilities now, unlike before.)




POC:



The vulnerable part was in their search bar: just type the payload you want. In my case I used the most common payload, which is "><img src=x onerror=alert(document.domain)>.

Vulnerability has been fixed, check it out yourself :)


Thanks.


-----------No Timeline----------- 

XSS in Edmodo.com (Bug Bounty)

So this bug is about an XSS vulnerability I found in Edmodo. The bug is now fixed. They responded over the course of 3 days (pretty fast) and fixed the vulnerability on the last day.


Steps to reproduce:

1. To reproduce the issue you must have, of course, an Edmodo account.

2. Go to the upper left panel and you will see 3 symbols; click the left one, which is the "Backpack".

3. After that, go to "Folders" on the left pane.

4. Click "New folder" and enter the payload. Now here is the trick: ordinary payloads like "><img src=x onerror=alert(1)> will be filtered. To bypass the filter I used this instead:
   &#x3C;img src=x onerror=alert(5)&#x3e;

5. Now click "Create".

6. XSS pop-up.
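The filter behaviour in step 4, modelled as an added example (not code from the original post or from Edmodo): a deny-list that strips literal tags never decodes HTML entities, so the `&#x3C;img ... &#x3e;` form passes, and the defence is to store the name verbatim and escape it for the HTML context at output time. The post does not say where Edmodo decoded the entities, so the `html.unescape` step in `render_unsafe` is an assumption about how such a bypass becomes live markup; all folder names below are constructed.

```python
import html
import re

# Matches a literal opening/closing tag start such as "<img" or "</a".
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

def naive_filter(folder_name: str) -> str:
    """Deny-list filter modelled on the one the post describes: it removes
    raw tag starts but never decodes entities, so "&#x3C;img" passes."""
    return TAG_PATTERN.sub("", folder_name)

def render_unsafe(folder_name: str) -> str:
    # Assumed failure mode: the filtered name is entity-decoded somewhere
    # downstream and inserted as markup, which turns "&#x3C;img" into "<img".
    return "<li>" + html.unescape(naive_filter(folder_name)) + "</li>"

def render_safe(folder_name: str) -> str:
    # Defence: keep the stored value verbatim and escape it for the HTML
    # text context when rendering. "&" becomes "&amp;", so an entity-encoded
    # payload is displayed as the characters the user typed, not parsed.
    return "<li>" + html.escape(folder_name, quote=True) + "</li>"

def contains_live_tag(markup: str) -> bool:
    """Check used below: does the rendered output contain an <img element?"""
    return re.search(r"<img\b", markup, re.IGNORECASE) is not None
```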


POC:





As a reward, they will give me goodies :) like Edmodo mugs, T-shirts etc.




Timeline:

August 17 ---- Reported and Triaged

August 18 ---- Vulnerability confirmed. Asked for my mailing address for reward delivery

August 19 ---- Vulnerability was fixed. 

That's all. Thanks :)





Acknowledgements, Rewards and Halls of Fame

I have been acknowledged by the following sites as of 2016:

*Google
*Facebook
*Microsoft
*Yahoo
*Apple
*Twitter
*Snapchat
*US Dept of Homeland Security - CERT
*Western Union
*Adobe
*Xero
*Github
*Romit/Robocoin
*AT&T
*Mail.ru
*Khan Academy
*Ubiquiti Networks
*Urban Dictionary
*Wepay
*Slack
*Greenhouse.io
*General Motors (GM)
*Blinksale
*Heroku
*Magento
*Pinterest
*ProtonMail
*Spokeo
*Tagged
*Zendesk
*Edmodo