Posts

How I could've accessed personal details of tens of thousands of people

This is a security issue I found in one of the companies that works in different fields. They make different types of electronic equipment as well as offering the public an easy way to enroll in and avail themselves of the benefits of different Govt Schemes. Let's say the company name is XYZ and the domain is xyz.com. They provide people a way to enroll in various govt services through their service centres, like a govt agency, and the public can register/apply for any kind of govt services, schemes, etc. They're also an authorized service provider of a Govt Scheme by a state govt. I was checking the functionalities in their website and noticed a login URL under /admin. I visited /admin/login.php and saw a Login page. I tried 5-10 different user:pass combinations and none of them worked. I then decided to try SQLi in the login form. Like most of the PHP sites created by noooobs, this site is also vulnerable to SQLi in the login form. I got access to the admin panel and saw scanned copies of ID ...

Taking over Facebook Page Tabs

In this post, I'm describing how I was able to take over 4 tabs on Facebook's own Pages. 1. Facebook India Ambassadors I was browsing Facebook as usual and not in a mood to test anything. I then visited Facebook India's page to check whether there was any update from Facebook India, and that's when I noticed a page tab Facebook India Ambassadors. I clicked on it to see Facebook India's Brand Ambassadors and the tab showed a Heroku error page. I was surprised to see that there. It looked interesting to me so I decided to dig further. I found out that it loads a third-party website in an iframe in the main section. The URL was http://immense-atoll-4159.herokuapp.com/ and I visited the URL directly to verify that the subdomain doesn't exist. Heroku shows a "does not exist" error page if the subdomain doesn't exist. So I logged into my Heroku account, created a new project and gave immense-atoll-4159 as the project id. Then I created a simple NodeJS script for...

Awww!!! It's *Public* Service Commission.....

In this post, I'd like to talk about multiple issues I found on a website owned by Kerala Public Service Commission. The issues here are an OTP bypass used to achieve IDOR. For those who don't know what IDOR is, quoting from OWASP: "Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly". The site URL is `https://mailer.psc.kerala.gov.in/KPSCAptitudeTest/home`, which is a temporary site they've opened for the Aptitude Exam for engineering students. How the site works: Students can register for the aptitude exam by providing the following details: College ID card number, Mobile Number, Email, Name, Address, College Name, Desired Center Name and photographs of themselves, their signature and ID card. Question: This is for engineering students. What am I doing there? ...

Send request to Martians. Earthlings are already your friends.

Hello everyone, I'm back with another write-up. This time it's a Google bug. YouTube is Google's video sharing site and a great place to explore. As a bug hunter, you can spend hours or days or even weeks on YouTube without hesitation. I always used YouTube to play some music when I worked as a developer last year. When I started bug hunting, I tried YouTube multiple times and couldn't find anything. Then I started hunting on other Google services. After hunting for more than 2 hours, I found a bug on one of Google's acquisitions. According to Google, a video PoC is required only if it contributes something that the text can't. But I'm a great fan of videos and my first bug to Google (duplicate) contained a 15-minute video 😎. I recorded a video of the bug I found and visited YouTube to upload it. When I clicked the upload button, I noticed something strange beside it, something new. It looked like a message button. But then, the upload page had loaded ...

Claiming any email id in Facebook Business Manager

In this post, I am going to share with you how I was able to claim any email address in Facebook Business Manager, including admin@facebook.com. Weird... isn't it? Yes. But according to the Facebook team, this is intentional behavior. Again weird... Lol!!! Ok, let's come to the point. It happened about 6 months ago, while I was testing for bugs in Facebook. I decided to take Facebook Business Manager as that day's target. If you don't know what Facebook Business Manager is, "Facebook Business Manager is a service offered by facebook 

Hands On training | Google XSS Game

Hello everyone, in a previous post I talked about XSS aka Cross Site Scripting. Hope you all have a basic knowledge now. In this post, I am giving you more information on XSS with hands-on training on the Google XSS Game. You can find a video on how to solve this at the bottom of the page. First, Google XSS Game is a training platform provided by Google to practice XSS. It consists of 6 levels and in each level you have to execute a JavaScript alert in order to advance to the next level. In each level, you'll be provided with a different problem and you've to execute the alert using a different technique. This will help you to understand the various methods that can be used to execute XSS in a web page. There are hundreds of such websites available which allow you to practice various types of vulnerabilities. So let's get started. Navigate to https://xss-game.appspot.com. This is where the Google XSS Game is available. You'll see a page lik...

Introduction to XSS - Methods, Impact and Prevention

When searching for hacking tutorials or reading through write-ups, you will definitely come across the term XSS. In this post, I am going to explain what XSS is, what its impacts are and how to achieve it with a few examples. XSS aka Cross Site Scripting is a vulnerability which allows the attacker to inject and execute JavaScript code on the target website. This allows the attacker to log the victim's details, make a phishing page, bypass CSRF, get cookies and much more. XSS is of 2 types: Stored and Reflected. Stored XSS is the type of XSS where user-entered data is stored on the server and then displayed on another page. For example, parameters like name, place, about etc. can be vulnerable to stored XSS. That said, fields like password are stored once and never retrieved or shown in future, hence they are not vulnerable to stored XSS. When can this be exploited? The developer isn't validating user inputs. The developer added certain validations but they are client side ...