Sunday, October 23, 2016

Stored XSS in Google Cloud Console Monitoring (StackDriver)

I found a stored XSS in StackDriver, the monitoring service of Google's Cloud Console. It lets users monitor the activity of their apps, much like an analytics dashboard. The stored XSS was triggered through the app name: I set an XSS payload as the name of an app, and when I went to create a "rule", StackDriver presents a list of apps to which the rule will apply. As soon as I went to select the app whose name carried the payload, the XSS executed.

This is the 5th time I have been rewarded by the Google Security Team.





That's all for now. Thanks.

Saturday, August 20, 2016

IDOR in Facebook - Reveal any secret group

Hi. I found a vulnerability in Facebook that allowed me to reveal a secret group even though the user is not a member of that group. The vulnerability could be exploited via the mobile version of Facebook (m.facebook.com).

This was the vulnerable URL: 
https://mbasic.facebook.com/composer/mbasic/?c_src=share&referrer=permalink&target=[secret group id]. 

Replace the value of the "target" parameter with the ID of the secret group you are targeting. You need two test accounts to reproduce the bug (one that owns the secret group and one that is not a member of it). Though the bug is limited, since you cannot post in that group, Facebook still resolved it.

This bug has already been fixed by the Facebook Security Team, who rewarded me with a $1500 bounty.


I was again listed in Facebook's Whitehat list (my 2nd time being listed).
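As an added example (not Facebook code), the access-control shape behind an IDOR like the one above, reduced to a single resolver for the composer's "target" parameter. The group records, user names and response shapes below are constructed; the URL is only parsed, never fetched. The point the fix makes is that for a secret group a non-member must receive exactly the response a non-existent ID receives, otherwise the endpoint still leaks existence.

```javascript
// Constructed group store: privacy levels and member sets are invented test data.
const GROUPS = {
  "1001": { name: "Public Gardeners", privacy: "public", members: new Set(["alice", "bob"]) },
  "1002": { name: "Closed Book Club", privacy: "closed", members: new Set(["alice"]) },
  "1003": { name: "Secret Planning", privacy: "secret", members: new Set(["carol"]) },
};

// Extract the "target" query parameter from a composer URL of the same shape as
// the vulnerable one. The URL is parsed locally; nothing is requested.
function targetFromUrl(url) {
  return new URL(url).searchParams.get("target");
}

// Vulnerable shape: the object is looked up by the client-supplied id and its
// name is handed back for the composer header before any membership check.
// Existence and name of a secret group leak to anyone who can guess the id.
function composerTargetVulnerable(userId, targetId) {
  const group = GROUPS[targetId];
  if (!group) return { status: 404 };
  return { status: 200, name: group.name, canPost: group.members.has(userId) };
}

// Fixed shape: object-level authorization before anything about the object is
// disclosed. Non-members of a secret group get the "does not exist" response;
// non-members of visible groups get a plain 403.
function composerTarget(userId, targetId) {
  const group = GROUPS[targetId];
  if (!group) return { status: 404 };
  const isMember = group.members.has(userId);
  if (group.privacy === "secret" && !isMember) return { status: 404 };
  if (!isMember) return { status: 403 };
  return { status: 200, name: group.name, canPost: true };
}

// Used to check that a non-member cannot tell a secret group from a missing id.
function sameResponse(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Walk-through: "bob" is not a member of secret group 1003.
const composerUrl =
  "https://mbasic.facebook.com/composer/mbasic/?c_src=share&referrer=permalink&target=1003";
const target = targetFromUrl(composerUrl);
console.log(composerTargetVulnerable("bob", target)); // reveals "Secret Planning"
console.log(composerTarget("bob", target));           // { status: 404 }
```

A second test account is exactly what this check needs: one account creates the secret group, the other (a non-member) requests the composer URL with that group's ID and should see nothing that differs from a random non-existent ID.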
 

Monday, May 16, 2016

AngularJS Template Injection in Spotify Community site

I found an AngularJS Template Injection vulnerability in the Spotify Community website. I noticed that the site uses AngularJS when I viewed the page source. The vulnerable part is the text formatting when you create a new post or thread in the forum. Switch to the rich text editor, click the URL/link icon, enter an Angular expression such as {{1+1}} or {{1==1}}, then click the Preview tab. The expressions evaluate to "2" and "true" respectively, which shows that the input is being compiled as part of the page's template rather than displayed as text. The bug was fixed by the Spotify security team within 3 days; they have a good response time too. Client-side template injection is dangerous: once an attacker can get an arbitrary expression evaluated, it can be escalated to full XSS with an AngularJS sandbox escape (and template injection in server-side engines can likewise reach RCE).
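As an added example (not AngularJS code and not Spotify's), a toy model of AngularJS 1.x interpolation that shows why HTML-escaping a post body is not enough once that body becomes part of a template Angular compiles: braces are not HTML-special, so {{1+1}} survives escaping and is still evaluated. Real AngularJS evaluates {{ }} through $parse with an expression sandbox that was bypassed repeatedly until it was removed in 1.6; `new Function` stands in for it here so the hazard is visible. The post bodies and the `ng-bind` handling below are constructed for this demonstration.

```javascript
// Evaluate one template expression against a scope object. AngularJS's $parse
// is replaced by new Function, which makes the "arbitrary expression" risk obvious.
function evaluate(expr, scope) {
  // eslint-disable-next-line no-new-func
  return new Function("scope", `with (scope) { return (${expr}); }`)(scope);
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Compile step: every {{ expr }} present in the template text is evaluated.
function interpolate(template, scope) {
  return template.replace(/\{\{([\s\S]+?)\}\}/g, (_, expr) => String(evaluate(expr, scope)));
}

// Link step: ng-bind="expr" sets an empty element's text from scope data. Text
// inserted at this step is never interpolated, which is what makes it safe.
function bindText(html, scope) {
  return html.replace(
    /<(\w+)([^>]*?)\s+ng-bind="([^"]+)"([^>]*)><\/\1>/g,
    (_, tag, pre, expr, post) => `<${tag}${pre}${post}>${escapeHtml(evaluate(expr, scope))}</${tag}>`
  );
}

// Order matters and mirrors AngularJS: template text is interpolated first,
// then bound data is inserted.
function compile(template, scope) {
  return bindText(interpolate(template, scope), scope);
}

// Vulnerable shape: the post body is HTML-escaped (so no plain XSS) but is
// concatenated into the markup *before* Angular compiles it, so any braces in
// it are treated as template expressions. This is the preview-tab behaviour.
function renderPostVulnerable(postBody) {
  return compile(`<div class="post">${escapeHtml(postBody)}</div>`, {});
}

// Fixed shape: the template is constant, the body is data on the scope and
// reaches the page through ng-bind. (Marking the container ng-non-bindable is
// the other standard fix.)
function renderPost(postBody) {
  return compile('<div class="post" ng-bind="post.body"></div>', { post: { body: postBody } });
}

console.log(renderPostVulnerable("{{1+1}}"));  // <div class="post">2</div>
console.log(renderPostVulnerable("{{1==1}}")); // <div class="post">true</div>
console.log(renderPost("{{1+1}}"));            // <div class="post">{{1+1}}</div>
```

The two vulnerable outputs are exactly the "2" and "true" seen in the Spotify preview; the fixed path shows the braces back as literal text.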

POC:





Reward:

$250 

Tuesday, March 22, 2016

Acknowledgement from Microsoft

Being acknowledged by Microsoft is one of the greatest achievements a security researcher can attain, and fortunately I have been acknowledged by Microsoft twice. I have reported several vulnerabilities to Microsoft (4, if I remember correctly). The first one was eligible for a bounty, which got me listed in their "Bounty Honor Roll". The rest were not, and only got me listed in their "Security Researcher Acknowledgement" list. I thank Microsoft and the Microsoft Security team for this. It has been good working with them.

Links:

Bounty honor roll: 
https://technet.microsoft.com/en-us/library/dn469163.aspx

Security Researcher Acknowledgement list:
https://technet.microsoft.com/en-us/security/cc308575




Thanks for reading!

Monday, February 29, 2016

Reflected XSS in auto.mail.ru

I found a reflected XSS in auto.mail.ru. The bug was easy to exploit: you only needed to enter the XSS payload into the search bar, and it was echoed back unescaped in the results page. I reported it to Mail.ru via HackerOne and it was resolved within a few days. I was also listed in their Hall of Fame as thanks. https://hackerone.com/reports/109373
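As an added example (not Google, StackDriver or Mail.ru code) covering both this post and the StackDriver one above: the two output contexts, an app name stored earlier and rendered into a picker on another page, and a search term reflected straight back into the results page, each rendered first by plain string concatenation and then with HTML escaping. The app records, the search query and the markup shapes are constructed; the real pages' templates are not known from the reports.

```javascript
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// Escape for element text and for double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stored XSS shape (StackDriver): app names saved on one page come back out in
// the rule editor's app picker, so the injection point and the execution point
// are different pages and the victim can be any user who opens the picker.
function renderAppPickerVulnerable(apps) {
  const options = apps.map((a) => `<option value="${a.id}">${a.name}</option>`);
  return `<select name="app">${options.join("")}</select>`;
}
function renderAppPicker(apps) {
  const options = apps.map(
    (a) => `<option value="${escapeHtml(a.id)}">${escapeHtml(a.name)}</option>`
  );
  return `<select name="app">${options.join("")}</select>`;
}

// Reflected XSS shape (auto.mail.ru): the search term is echoed back both inside
// a quoted attribute and as element text in the response to the search request.
function renderSearchVulnerable(query) {
  return `<input name="q" value="${query}"><h1>Results for ${query}</h1>`;
}
function renderSearch(query) {
  const q = escapeHtml(query);
  return `<input name="q" value="${q}"><h1>Results for ${q}</h1>`;
}

// Crude check used below: did an attacker-controlled <script> tag make it into
// the markup as a tag rather than as text?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: one benign app, one whose name is a payload, and a query
// that first closes the value="" attribute and then injects a tag.
const apps = [
  { id: "app-1", name: "billing" },
  { id: "app-2", name: "<script>alert(document.domain)</script>" },
];
const query = '"><script>alert(1)</script>';

console.log(hasScriptTag(renderAppPickerVulnerable(apps))); // true
console.log(hasScriptTag(renderAppPicker(apps)));           // false
console.log(hasScriptTag(renderSearchVulnerable(query)));   // true
console.log(hasScriptTag(renderSearch(query)));             // false
```

The same five-character escape set serves both the text context and the double-quoted attribute context used here; other contexts (unquoted attributes, JavaScript strings, URLs) need their own encoders, and the stored case additionally argues for validating the app name on the way in, since the value outlives the request.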


POC:

 

Saturday, February 27, 2016

My list of Recognitions (Hall of Fame)

As of February 2016, I have found many vulnerabilities and have been listed in the Hall of Fame / thanks lists of big companies. Below are the companies I have reported vulnerabilities to and been recognized by:

*Facebook
*Google
*AT&T
*Microsoft
*Edmodo
*Github
*US-CERT (Department of Homeland Security)
*Romit
*Adobe
*Snapchat
*Yahoo
*Apple
*Mail.ru
*Khan Academy
*Urban Dictionary
*Slack
*WePay
*Heroku
*Pinterest
*Zendesk
*SendSafely
*ProtonMail
*BlinkSale
*Tagged/Hi5
*Spokeo
*Magento

Wednesday, February 24, 2016

Subdomain Takeover in Snapchat

I found a subdomain takeover in scan.me, a Snapchat acquisition that is currently integrated into the Snapchat application. The vulnerable subdomain was support.scan.me, which still pointed (via CNAME) to Zendesk although no Zendesk help center was claimed for it. I reported it to Snapchat; it was fixed quickly, and they rewarded me with a bounty and placed me in the top 5 of their thanks list. Here is the link to my report: https://hackerone.com/reports/114134
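As an added example (not Snapchat, scan.me or HackerOne code), the dangling-CNAME check behind a takeover like support.scan.me pointing at Zendesk. The DNS answers and HTTP responses below are constructed snapshots standing in for dig and curl output, and the provider fingerprint strings are illustrative, of the kind carried by the public takeover lists, not verified here against the live services.

```javascript
// Providers that let anyone claim an arbitrary hostname, with the CNAME suffix
// that hands a name to them and the page text they serve for an unclaimed name.
// Fingerprints are illustrative (assumption), not verified against the services.
const PROVIDERS = [
  { name: "Zendesk", cnameSuffix: ".zendesk.com", fingerprint: "Help Center Closed" },
  { name: "GitHub Pages", cnameSuffix: ".github.io", fingerprint: "There isn't a GitHub Pages site here" },
  { name: "Heroku", cnameSuffix: ".herokuapp.com", fingerprint: "No such app" },
];

// Constructed DNS snapshot: host -> CNAME target (what `dig CNAME host` would show).
const DNS = {
  "support.scan.me": "scanme.zendesk.com",
  "help.example.com": "example.zendesk.com",
  "blog.example.com": "example.github.io",
  "www.example.com": "lb.example.net",
};

// Constructed HTTP snapshot: host -> response when the host is fetched
// (what `curl -i https://host/` would show).
const HTTP = {
  "support.scan.me": { status: 404, body: "<title>Help Center Closed</title>" },
  "help.example.com": { status: 200, body: "<title>Example Help Center</title>" },
  "blog.example.com": { status: 404, body: "There isn't a GitHub Pages site here." },
  "www.example.com": { status: 200, body: "<title>Example</title>" },
};

// Classify one host. A takeover candidate needs both halves: the CNAME delegates
// the name to a claimable provider, AND the provider currently answers with its
// "unclaimed" page. A CNAME alone is normal; the fingerprint alone is noise.
function checkHost(host, dns = DNS, http = HTTP) {
  const cname = dns[host];
  if (!cname) return { host, verdict: "no-cname" };
  const provider = PROVIDERS.find((p) => cname.endsWith(p.cnameSuffix));
  if (!provider) return { host, cname, verdict: "unknown-provider" };
  const resp = http[host];
  if (resp && resp.body.includes(provider.fingerprint)) {
    return { host, cname, provider: provider.name, verdict: "takeover-candidate" };
  }
  return { host, cname, provider: provider.name, verdict: "in-use" };
}

// Scan a list of hosts and keep only the candidates worth confirming manually.
function findCandidates(hosts, dns = DNS, http = HTTP) {
  return hosts
    .map((h) => checkHost(h, dns, http))
    .filter((r) => r.verdict === "takeover-candidate");
}

console.log(findCandidates(Object.keys(DNS)));
// support.scan.me (Zendesk) and blog.example.com (GitHub Pages) are flagged;
// help.example.com is in use and www.example.com points at an unknown provider.
```

A fingerprint match is a lead, not proof: confirmation means actually registering the name at the provider (within the program's rules) and seeing your content served from the victim hostname. The fix on the owner's side is to remove the stale CNAME, not just to reclaim the provider account.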


Reward:

$1000 

Friday, January 1, 2016

My Achievements so far during 2015....

2015 was a great year, the year in which I found most of my vulnerabilities/bugs and was listed in big-time companies' halls of fame :) So here is the list of my achievements during 2015 (excluding duplicates):

*Found Stored XSS in Facebook's Parse (reward)
*Found multiple XSS in Edmodo (swag)
*Found XSS in Pinterest (reward)
*Found XSS in Heroku (reward)
*Found XSS in Magento (reward)
*Found Subdomain Takeover in WePay (reward)
*Found 3 XSS in Slack (reward)
*Found multiple XSS in Answerhub (swag) - writeup coming soon
*Found XSS in Zendesk (reward) - writeup coming soon
*Found Subdomain Takeover in UBNT (reward) - writeup coming soon
*Found 2 Subdomain Takeovers in Tagged (reward) - writeup coming soon
*Found XSS in Western Union (reward) - writeup coming soon
*Found XSS in Google Docs (reward)

Well that's all. And all of them were made possible with the help of my brain and God :)

Thanks for reading!


 

Happy New Year!



HAPPY NEW YEAR! AND GOD BLESS!