Posts

Edge IOS Address Bar Spoof

Image
Hello readers,

This post is about edge IOS address bar spoof vulnerability.
Address bar spoof vulnerability is an ability to keep legit URL in address bar while loading the content from other domain. This makes user believe that the content is actually served by a legit domain. For example browser is displaying https://www.google.com in address bar or in omni-box while rendering the content from https://www.evil.com
Original POC code:
test.html

<button onclick="window.open('http://lab-nick.codeanyapp.com/test.html')">   Goto-Google </button>
test2.html
<html> <body> <script> window.onload = function() { var payload = "PGh0bWw+Cjxib2R5Pgo8aDE+QWRkcmVzcyBCYXIgU3B vb2YgQEMwZDNHMzNrPC9oMT4KPC9ib2R5Pgo8L2h0bWw+"; document.write(atob(payload)); window.location = 'https://www.google.com:8888'; } …

Edge mixed content security policy bypass

Image
Hello readers,

This post is about an edge mixed content security policy bypass.

What is mixed content issue?

According to MDN resource when a user visits a page served over HTTPS, their connection with the web
server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle
attacks. An HTTPS page that includes content fetched using clear text HTTP is called a mixed content
page. Pages like this are only partially encrypted,
leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.
That leaves the pages unsafe.

In short if we request to load any HTTP resources like scripts, stylesheets, video etc. over HTTPS then
browser simply deny the request. Since HTTP resources can be intercepted by the attacker.

For example suppose we have a page over HTTPS let’s call it https://securepage.com/secure.html Now request to create an iframe inside it to load an insecure resource http://demo.testfire.net and see how edge reacts.

[Sample code snip…

How I bypassed 2-Factor Authentication in a bug bounty program

Image
Hello readers, This post is about one of my recent finding in a private bug bounty program on hackerone. For the sake of privacy, let’s call the site as bountyplease.com According to Bountyplease.com scope, they are more interested in Authentication related issues. So I decided to test their 2-Factor Authentication mechanism.
As normal 2-Factor Authentication flow the process works in the following steps.

1. User login to account by providing valid email and password 2. A valid OTP send to users register number 3. User fill OTP 4. Login successful

But in case if any user lose their phone or SIM card the process works in the following steps.
1. User login to account by providing valid email and password 2. User select other options 3. User provide backup codes 4. Login successful


In both above described cases there is also a code flow as following.

1. User login to account by providing valid email and password 2. At this stage bountyplease.com display a page to submit 2FA code send to p…

Escalating user privileges in a BBP

Hi folks,
This post is about one of my recent finding in a private bug bounty program. Since the program refused for public disclosure (i don't know why) i am not attaching any screenshots. But still i will try to explain the idea. Let's call the site as example.com, So example.com is a trading platform and they have a limited trial period after that you have to spend $$ to renew your account. And the most irritating part is once your trial account is expire example.com lands you to https://example.com/subscription/expired every time. 
So i created a new trial account and start checking common endpoints like profile page, account balance page, recent activities page etc.
After i tried to get those endpoints with my old expired account and every time i was landing to https://example.com/subscription/expired :(
Now the challenges was to somehow get and update information of my old expired account. Luckily they have a API which is used to fetch, update and trade orders for us. Now al…

Story of a JSON XSS

Image