3v1l 4c1d


PoC: DoS via blacklisted protocol
26/12/2022

Hi Everyone,

PoC:
DoS via a blacklisted protocol

Vulnerable request snippet:
"External":{"Title":"YAHAHA","PreviewMedia":{"Url":"BlacklistProtocol"}}

Requests of this shape are typically used by the send Document, Sticker, GIF, etc. features, which accept a FILE from an external (outside) source.

Payload used:
Javascript://

Final request:
"External":{"Title":"YAHAHA","PreviewMedia":{"Url":"Javascript://"}}

Response:
Android app CRASH

The javascript: protocol is always disallowed in previews, because rendering it would execute attacker-controlled script, which would be a fatal vulnerability. When an attacker sends a file whose preview URL has been rewritten from its original protocol to javascript:, the Android app cannot open a preview whose protocol is on its blacklist, and instead of failing gracefully it CRASHES.

I am not entirely sure whether every app enforces a policy that disallows the javascript: protocol, or blacklisted protocols in general, in PREVIEW for security reasons.

There are many references on how to make apps CRASH; I am attaching a few references here with attack scenarios that can be reproduced:
1. Nice reference from Robin Talaohu
Payload:
/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/
Reference:
https://progress28.com/2022/09/27/facebook-bug-bounty-h4ck-instagram-live-dan-mendapatkan-5-000-dollar/

2. JSON parsing exception of the empty string (Valerio Brussani)
Reference:
https://infosecwriteups.com/how-two-dead-users-allowed-remote-crash-of-any-instagram-android-user-8f20e88b1b59
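As an added example (mine, not code from the post or from the messaging apps it refers to), here is a Python stand-in for the preview-loading path that shows the difference between the crashing behaviour and a hardened one. The outer JSON object around "External", the function names and the scheme allowlist are assumptions made for the demo. The first loader models the crash by letting the refusal to render a blacklisted scheme escape as an exception; the second applies a scheme allowlist and degrades to "no preview" instead. The empty-string body from reference 2 is handled on the same path.

```python
import json
from urllib.parse import urlsplit

# Constructed messages in the shape of the request fragment above.
# The outer object around "External" is an assumption for this demo.
ATTACKER_MESSAGE = json.dumps(
    {"External": {"Title": "YAHAHA", "PreviewMedia": {"Url": "Javascript://"}}}
)
BENIGN_MESSAGE = json.dumps(
    {"External": {"Title": "cat.gif",
                  "PreviewMedia": {"Url": "https://cdn.example/cat.gif"}}}
)
EMPTY_MESSAGE = ""   # the "empty string" case from reference 2

# Schemes a preview renderer has a reason to open; everything else is rejected.
ALLOWED_SCHEMES = {"http", "https"}


class UnsupportedSchemeError(Exception):
    """Raised by the vulnerable path when the renderer meets a scheme it refuses."""


def load_preview_vulnerable(message: str) -> dict:
    """Stand-in for the crashing behaviour: the refusal to render a blacklisted
    scheme surfaces as an unhandled exception on the message path, and an empty
    body is passed straight to the JSON parser (reference 2)."""
    external = json.loads(message)["External"]          # raises on "" (reference 2)
    url = external["PreviewMedia"]["Url"]
    scheme = urlsplit(url).scheme                       # urlsplit lower-cases the scheme
    if scheme == "javascript":
        # The renderer blacklists javascript: but nobody catches the error.
        raise UnsupportedSchemeError(f"refusing to render {url!r}")
    return {"title": external["Title"], "preview": url}


def load_preview_hardened(message: str) -> dict:
    """Allowlist the scheme and fail closed to 'no preview' instead of crashing."""
    try:
        external = json.loads(message)["External"]
        title = str(external["Title"])
        url = str(external["PreviewMedia"]["Url"])
    except (ValueError, KeyError, TypeError) as exc:    # ValueError covers JSONDecodeError
        return {"title": None, "preview": None,
                "reason": f"malformed message: {exc.__class__.__name__}"}
    scheme = urlsplit(url).scheme
    if scheme not in ALLOWED_SCHEMES:
        return {"title": title, "preview": None, "reason": f"scheme {scheme!r} not allowed"}
    return {"title": title, "preview": url, "reason": None}


def render_inbox(messages, loader):
    """Simulates the inbox screen: one bad message must not take the others down.
    Returns the rendered list, or None when an error escaped (the 'CRASH')."""
    rendered = []
    for msg in messages:
        try:
            rendered.append(loader(msg))
        except (UnsupportedSchemeError, ValueError, KeyError):
            return None
    return rendered
```

With the vulnerable loader a single crafted message (or an empty one) returns None for the whole inbox; with the hardened loader the benign preview still renders and the bad ones show as "no preview" with a reason the app can log.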

Thanks for reading...
Hope this is useful :)






26/12/2022

Hi everyone,

PoC:
XSS in sandboxed iframe via document.write

HTML snippet:


Results of multiple escaped payloads:
1. javascript:alert(1)
Response:
Popup not showing :(

2. javascript:prompt(1)
Response:
Popup not showing :(

What's the solution?
Solution:
3. javascript:document.write(1)
Response:
XSS is triggered :)

Example results:
https://lnkd.in/gkk2puSQ

What happened?
The sandbox attribute enables an extra set of restrictions for the content in the iframe.

I quote the article:
https://lnkd.in/gijPAtBQ

Given an iframe with an empty sandbox attribute, the framed document will be fully sandboxed, subjecting it to the following restrictions:

JavaScript will not execute in the framed document. This not only includes JavaScript explicitly loaded via script tags, but also inline event handlers and javascript: URLs. This also means that content contained in noscript tags will be displayed, exactly as though the user had disabled script he

10/12/2022

What is OAuth?
OAuth is an open-standard authorization protocol or framework that gives applications "secure delegated access." For example, you can tell Facebook that it is OK for ESPN.com to access your profile or post updates to your timeline without giving ESPN your Facebook password. This reduces risk substantially: if ESPN suffers a breach, your Facebook password remains safe.

OAuth does not share password data; instead it issues authorization tokens that a client presents to a service provider to prove it was granted access. OAuth is an authorization protocol, not an authentication protocol: it lets you approve one application acting on your behalf at another without giving away your password. (Authentication on top of OAuth is what OpenID Connect adds.)

How Do OAuth Authentication Vulnerabilities Occur
Because the OAuth 2.0 specification is flexible and leaves many details to the implementer, several classes of vulnerability can arise.

When configuring OAuth, the administrator must consider all the major security configurations available, which improves the overall protection of consumers' data.

In simple terms, there are plenty of loopholes if adequate configuration practices are not followed while securing the end user.

Apart from this, the core specification has few mandatory security controls: exact redirect URI validation, the state parameter and PKCE are all left to the implementer, so security rests on the developer's end, which is another reason for concern.

How does OAuth work?
An OAuth access token transaction involves three parties: the end user (the resource owner), the application that wants access (the client), and the service provider that holds the user's protected data (its authorization server and resource server). The transaction begins once the user expresses intent to let the application use the service provider's API.

Application asks permission: the client redirects the user to the service provider's authorization endpoint with its client ID, the requested scopes and a registered redirect URI. The provider authenticates the user and asks them to approve the access.

Provider issues a token: after approval the provider sends a short-lived, single-use authorization code back to the client's redirect URI, and the client exchanges that code for an access token at the token endpoint.

Application accesses resource: tokens carry access permissions for the API. These permissions are called scopes, and each token has an authorized scope for each API. The application gets access to the resource only to the extent the scope allows.
Tips to Avoid OAuth Authentication Vulnerabilities
1. Always use TLS (SSL) on every endpoint, including the redirect URI
2. Store client secrets encrypted, and never embed them in public (mobile or browser) clients
3. Use refresh tokens so that access tokens can be kept short-lived
4. Choose a short lifetime for access tokens
5. Validate the server's certificate on every connection
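An added worked example of the flow above, written for this page rather than taken from any OAuth library: both sides of an authorization-code exchange in Python, with the checks that a flexible spec leaves to the implementer (exact redirect URI matching, a per-session state value, single-use codes and PKCE). The client registration, hostnames, token lifetime and function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration. Redirect URIs are compared by exact match,
# never by prefix, so https://app.example/callback/../x or another host fails.
REGISTERED_CLIENTS = {
    "demo-client": {"redirect_uris": {"https://app.example/callback"}},
}
ACCESS_TOKEN_LIFETIME = 600   # seconds; short, because a refresh token is issued too


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class AuthorizationServer:
    """Service-provider side: authorization endpoint and token endpoint."""

    def __init__(self):
        self._codes = {}   # authorization code -> what it was issued for

    def authorize(self, client_id, redirect_uri, state, code_challenge, scope):
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        # (the user would authenticate and consent at this point)
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "code_challenge": code_challenge, "scope": scope}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, code, redirect_uri, code_verifier):
        issued = self._codes.pop(code, None)            # single use: a replay fails
        if (issued is None or issued["client_id"] != client_id
                or issued["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_grant")
        expected = _b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, issued["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verifier does not match")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME,
                "refresh_token": secrets.token_urlsafe(32), "scope": issued["scope"]}


class Client:
    """The application that wants delegated access."""

    def __init__(self, server, client_id="demo-client",
                 redirect_uri="https://app.example/callback"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self._pending = {}   # state -> PKCE verifier, kept in the user's session

    def start_login(self, scope="profile"):
        state = secrets.token_urlsafe(16)       # binds the callback to this session
        verifier = secrets.token_urlsafe(48)    # PKCE secret: never leaves the client
        self._pending[state] = verifier
        challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
        return self.server.authorize(self.client_id, self.redirect_uri,
                                     state, challenge, scope)

    def handle_callback(self, callback_url):
        query = parse_qs(urlsplit(callback_url).query)
        state = query.get("state", [""])[0]
        verifier = self._pending.pop(state, None)
        if verifier is None:
            raise ValueError("unknown state: callback was not started by this session")
        code = query.get("code", [""])[0]
        return self.server.token(self.client_id, code, self.redirect_uri, verifier)


def happy_path():
    client = Client(AuthorizationServer())
    return client.handle_callback(client.start_login())


def forged_callback_rejected():
    """Attacker injects their own code into the victim's session (login CSRF)."""
    client = Client(AuthorizationServer())
    try:
        client.handle_callback("https://app.example/callback?code=attacker&state=guess")
    except ValueError:
        return True
    return False


def bad_redirect_rejected():
    try:
        AuthorizationServer().authorize("demo-client",
                                        "https://app.example/callback/../evil",
                                        "s", "c", "profile")
    except ValueError:
        return True
    return False
```

The demo runs both roles in one process; in a deployment the redirects are real HTTP round trips over TLS, and the token endpoint would additionally authenticate confidential clients with their client secret.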


10/12/2022

What is SAML?
SAML stands for Security Assertion Markup Language. It is an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).

How does SAML Authentication Work?
1. With SAML authentication, each time a user accesses an app (the service provider), the authentication request is relayed to the SAML identity provider.
2. The user enters their credentials (e.g. password, OTP, contextual attributes), which are verified by the identity provider.
3. The identity provider returns a digitally signed SAML response whose assertion states whether authentication succeeded and who the user is. The service provider verifies the signature and the assertion's conditions (intended audience, validity window) and then grants access; if authentication failed or the assertion does not validate, access is denied.
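An added example (not part of the post) of the checks a service provider runs on the returned assertion in step 3, in Python with only the standard library. It assumes the XML signature has already been verified by a proper XML-DSig library, which this code does not do; the assertion text, entity IDs, fixed clock and function names are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # SAML timestamps are UTC xs:dateTime


def _ts(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(TS_FORMAT)


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def sample_assertion(audience, not_before, not_on_or_after, name_id="alice@example.org"):
    """Constructed assertion in the shape an IdP returns (Signature element omitted)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="{_ts(not_before)}">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def validate_assertion(assertion_xml, expected_audience, now=None,
                       clock_skew=timedelta(seconds=60)):
    """Service-provider checks that run AFTER the XML signature has been verified
    by an XML-DSig library; this function assumes that step already passed.
    Returns (accepted, detail): the NameID on success, otherwise the reason."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None or not conditions.get("NotBefore") or not conditions.get("NotOnOrAfter"):
        return False, "assertion has no validity window"
    not_before = _parse_ts(conditions.get("NotBefore"))
    not_on_or_after = _parse_ts(conditions.get("NotOnOrAfter"))
    if now + clock_skew < not_before:
        return False, "assertion not yet valid"
    if now - clock_skew >= not_on_or_after:
        return False, "assertion expired (replay?)"
    audiences = {a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if expected_audience not in audiences:
        return False, "assertion was issued for a different service provider"
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        return False, "assertion has no subject"
    return True, name_id


def demo() -> dict:
    sp = "https://sp.example.com/metadata"
    t0 = datetime(2022, 12, 10, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo
    fresh = sample_assertion(sp, t0 - timedelta(minutes=1), t0 + timedelta(minutes=5))
    expired = sample_assertion(sp, t0 - timedelta(hours=2), t0 - timedelta(hours=1))
    other_sp = sample_assertion("https://other-sp.example/metadata",
                                t0 - timedelta(minutes=1), t0 + timedelta(minutes=5))
    return {
        "fresh": validate_assertion(fresh, sp, now=t0),
        "expired": validate_assertion(expired, sp, now=t0),
        "other_sp": validate_assertion(other_sp, sp, now=t0),
    }
```

The audience check is what stops an assertion issued for one service provider from being replayed at another; without it, any SP that trusts the same IdP accepts the token.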

Benefits of SAML Authentication
Increased security
Loose coupling of directories
Reduced costs for service providers

10/12/2022

What is Single Sign-On (SSO)?
Single Sign-On (SSO) authentication is needed now more than ever. Almost every website requires some form of authentication to access its features and content, and with the number of websites and services rising, a centralized login system has become a necessity. In this post, we look at how SSO authentication is implemented for the web.

Types of SSO authentication
Internal SSO login : Internal SSO systems are used by large companies, government offices, universities, and other large organizations.

External SSO login : External SSO systems are user-facing and exist in free or paid web applications.

Advantages of SSO
Stronger passwords
No repeated passwords
Better password policy enforcement
Multi-factor authentication

How does SSO authentication work?

1. The user arrives on the website or app they want to use.
2. The site sends the user to the central SSO login service, and the user enters their credentials there.
3. The SSO domain authenticates the credentials, validates the user, and generates a signed token.
4. The user is sent back to the original site carrying that token. Because the site can verify the token's signature, the token acts as proof that the user has been authenticated, and the same trust grants access to the other apps and sites that share the central SSO domain.

10/12/2022

What Is Web Cache Poisoning?
Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users. ... Once successful, they need to make sure that their response is cached and subsequently served to the intended victims.

How does a web cache work?
To understand how web cache poisoning vulnerabilities arise, it is important to have a basic understanding of how web caches work.

If a server had to send a new response to every single HTTP request separately, this would likely overload the server, resulting in latency issues and a poor user experience, especially during busy periods. Caching is primarily a means of reducing such issues.

The cache sits between the server and the user, where it saves (caches) the responses to particular requests, usually for a fixed amount of time. If another user then sends an equivalent request, the cache simply serves a copy of the cached response directly to the user, without any interaction from the back-end. This greatly eases the load on the server by reducing the number of duplicate requests it has to handle.
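An added example (mine, not from the page) that models the cache described above in Python: a shared cache keyed on method, host and path sits in front of a constructed origin that reflects the unkeyed X-Forwarded-Host header into a script URL. The attacker's request primes the cache and the poisoned response is then served to the next user; keying on the header is shown as one way to break the scenario. Hostnames, header names and the origin logic are assumptions for the demo.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def origin_server(req: Request) -> dict:
    """Constructed back-end: it builds an absolute script URL from a header the
    cache does not key on. That combination is what makes poisoning possible."""
    host = req.headers.get("X-Forwarded-Host", req.host)
    body = f'<html><script src="https://{host}/static/app.js"></script></html>'
    return {"status": 200, "headers": {"Cache-Control": "public, max-age=60"}, "body": body}


class WebCache:
    """Minimal shared cache in front of origin_server."""

    def __init__(self, keyed_headers=()):
        self.keyed_headers = tuple(keyed_headers)   # headers that take part in the cache key
        self._store = {}
        self.hits = 0

    def cache_key(self, req: Request) -> str:
        parts = [req.method, req.host, req.path]
        parts += [f"{h}={req.headers.get(h, '')}" for h in self.keyed_headers]
        return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

    def fetch(self, req: Request) -> dict:
        key = self.cache_key(req)
        if key in self._store:
            self.hits += 1
            return self._store[key]
        resp = origin_server(req)
        if "public" in resp["headers"].get("Cache-Control", ""):
            self._store[key] = resp
        return resp


def poisoning_scenario(keyed_headers=()) -> dict:
    """Attacker primes the cache, then an ordinary user requests the same page."""
    cache = WebCache(keyed_headers)
    attacker = Request("GET", "www.example", "/home", {"X-Forwarded-Host": "evil.example"})
    victim = Request("GET", "www.example", "/home")      # sends no such header
    cache.fetch(attacker)
    victim_body = cache.fetch(victim)["body"]
    return {"served_from_cache": cache.hits == 1, "victim_body": victim_body}
```

Adding the header to the cache key closes this one instance but leaves the reflection in place; the more robust fix is for the edge to strip or ignore X-Forwarded-Host and for the origin not to build URLs from request headers at all.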


10/12/2022

What is SQL injection (SQLi)?
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior.

Types of SQL Injections
In-band SQLi
Inferential (Blind) SQLi
Out-of-band SQLi

SQL Injection examples
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:

Retrieving hidden data, where you can modify an SQL query to return additional results.
Subverting application logic, where you can change a query to interfere with the application's logic.
UNION attacks, where you can retrieve data from different database tables.
Examining the database, where you can extract information about the version and structure of the database.
Blind SQL injection, where the results of a query you control are not returned in the application's responses.

How to detect SQL injection vulnerabilities
Most SQL injection vulnerabilities can be found quickly and reliably with an automated web vulnerability scanner, such as the one in Burp Suite.

SQL injection can be detected manually by using a systematic set of tests against every entry point in the application. This typically involves:

Submitting the single quote character ' and looking for errors or other anomalies.
Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.
Submitting payloads designed to trigger time delays when executed within an SQL query, and looking for differences in the time taken to respond.
Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within an SQL query, and monitoring for any resulting interactions.
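An added example (not from the page) in Python with an in-memory SQLite database: a string-built query beside its parameterised form, and the manual detection steps above (lone quote, then a true and a false Boolean condition on the same base value) run against both. The table, rows and function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed product catalogue; the 'released = 0' row is the hidden data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 'gifts', 1),
                                    (2, 'Gadget', 'gifts', 0),
                                    (3, 'Gizmo',  'tools', 1);
    """)
    return conn


def products_vulnerable(conn, category):
    """String-built query: the category value becomes SQL syntax."""
    sql = f"SELECT name FROM products WHERE category = '{category}' AND released = 1"
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn, category):
    """Parameterised query: the value is bound by the driver, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


def probe(query_fn, conn, base_value) -> dict:
    """The manual detection steps, applied to one entry point."""
    def attempt(value):
        try:
            return ("ok", query_fn(conn, value))
        except sqlite3.Error as exc:
            return ("error", str(exc))
    return {
        "baseline": attempt(base_value),
        "quote": attempt(base_value + "'"),
        "true": attempt(base_value + "' OR 1=1--"),
        "false": attempt(base_value + "' OR 1=2--"),
    }


def looks_injectable(results: dict) -> bool:
    """An SQL error on the lone quote, or a systematic difference between the
    true and false conditions, shows the input reaches the query as syntax."""
    return results["quote"][0] == "error" or results["true"][1] != results["false"][1]
```

Against the vulnerable function the true condition returns all three products (the hidden Gadget included, because the comment also removed the released filter) while the false condition returns only the two gifts; against the parameterised function every probe is just a category name that matches nothing.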

10/12/2022

What Is Directory Traversal?
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

How To Prevent A Directory Traversal Attack?
The most effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether. Many application functions that do this can be rewritten to deliver the same behavior in a safer way.

If it is considered unavoidable to pass user-supplied input to filesystem APIs, then two layers of defense should be used together to prevent attacks:

The application should validate the user input before processing it. Ideally, the validation should compare against a whitelist of permitted values. If that isn't possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. It should verify that the canonicalized path starts with the expected base directory.
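An added Python example (mine, not the page's) of the two layers above: a character allowlist on the input, then joining to the base directory, canonicalising with the platform filesystem API and checking the prefix. The temporary directory layout, including a symlink that points outside the served directory, and the function names are constructed for the demo; the symlink case assumes a POSIX filesystem.

```python
import os
import re
import tempfile

# Layer 1: only characters the feature actually needs. Sub-directory names are
# allowed here so that layer 2 has work to do; tighten to [A-Za-z0-9_.-] if you can.
FILENAME_RE = re.compile(r"[A-Za-z0-9_./-]{1,255}")


class PathTraversalError(ValueError):
    pass


def safe_join(base_dir: str, user_path: str) -> str:
    """Validate, then append to the base, canonicalise, and check the prefix."""
    if not FILENAME_RE.fullmatch(user_path):
        raise PathTraversalError("disallowed characters in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))   # resolves '..' and symlinks
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("path escapes the base directory")
    return candidate


def read_image(base_dir: str, filename: str) -> bytes:
    with open(safe_join(base_dir, filename), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: images/ is the served directory, secret.txt sits outside it,
    and images/link.txt is a symlink pointing at the secret (assumes POSIX symlinks)."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "images")
    os.mkdir(images)
    with open(os.path.join(images, "cat.png"), "wb") as fh:
        fh.write(b"PNG-bytes")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("db password")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(images, "link.txt"))
    outcomes = {}
    for name in ("cat.png", "sub/../cat.png", "../secret.txt", "link.txt", "cat.png%00.jpg"):
        try:
            outcomes[name] = read_image(images, name)
        except PathTraversalError as exc:
            outcomes[name] = f"blocked: {exc}"
    return outcomes
```

The symlink case is why the prefix check must run on the canonicalised path: the raw string images/link.txt looks harmless, and only realpath reveals that it leaves the base directory.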

10/12/2022

What is XXE vulnerability?
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data.

What are the types of XXE attacks?
There are various types of XXE attacks:

Exploiting XXE to retrieve files, where an external entity is defined containing the contents of a file, and returned in the application's response.
Exploiting XXE to perform SSRF attacks, where an external entity is defined based on a URL to a back-end system.
Exploiting blind XXE to exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.
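An added example (written for this page) of the first attack type, file retrieval, using Python's xml.sax: the same payload is parsed once with external general entities enabled, which is the vulnerable configuration, and once with them left at the default, disabled since Python 3.7.1. The order document, the target file and the function names are constructed for the demo and assume POSIX file paths.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the document's character data, i.e. what the app would store."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self) -> str:
        return "".join(self._parts).strip()


def parse_order(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """xml.sax parser with external general entities either enabled (vulnerable)
    or left disabled (the default since Python 3.7.1)."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(target_path: str) -> bytes:
    """Classic file-retrieval XXE: declare an external entity, reference it in a field."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{target_path}">]>'
        '<order><productId>&xxe;</productId></order>'
    ).encode()


def demo() -> dict:
    """Constructed target: a temporary file standing in for /etc/passwd."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write("db_password=hunter2")
        target = fh.name
    try:
        payload = xxe_payload(target)
        return {
            "vulnerable": parse_order(payload, resolve_external_entities=True),
            "hardened": parse_order(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(target)
```

With resolution enabled the productId field comes back holding the file's contents, which a real application would echo in its response or error message; with it disabled the entity reference is skipped and the field is empty. The same parser switch controls the SSRF variant, since the SYSTEM identifier can be an http:// URL.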

10/12/2022

What is CSRF?
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

How does CSRF work?
For a CSRF attack to be possible, three key conditions must be in place:

A relevant action. There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password).
Cookie-based session handling. Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who has made the requests. There is no other mechanism in place for tracking sessions or validating user requests.
No unpredictable request parameters. The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, the function is not vulnerable if an attacker needs to know the value of the existing password.

Preventing CSRF attacks
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:

Unpredictable with high entropy, as for session tokens in general.
Tied to the user's session.
Strictly validated in every case before the relevant action is executed.
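An added Python example (not from the page) of the token defence above: a high-entropy nonce tied to the session with an HMAC, validated in constant time before the action runs. The server key, session identifiers and form fields are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. In production it comes from configuration and is
# shared by every instance that may validate a token, not generated at import time.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """High-entropy nonce plus an HMAC that ties the nonce to this session."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Strict check: right shape, right session, constant-time comparison."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, tag = token.split(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def change_email(session_id: str, form: dict) -> tuple:
    """A relevant action (condition 1), identified only by the session cookie (condition 2);
    the token is the unpredictable parameter (condition 3) and is checked before anything else."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"email changed to {form['email']}"


def scenarios() -> dict:
    victim_session = "sess-victim-1"
    attacker_session = "sess-attacker-9"
    legit_token = issue_csrf_token(victim_session)         # rendered into the victim's own form
    attacker_token = issue_csrf_token(attacker_session)    # attacker can obtain one for themself
    return {
        "legitimate": change_email(victim_session,
                                   {"email": "me@example.org", "csrf_token": legit_token}),
        "cross_site_no_token": change_email(victim_session,
                                            {"email": "evil@attacker.example"}),
        "attackers_own_token": change_email(victim_session,
                                            {"email": "evil@attacker.example",
                                             "csrf_token": attacker_token}),
    }
```

The third scenario is why the token must be tied to the session: an attacker can always obtain a valid token for their own account, and a check that only asks "is this a token we issued?" would accept it in the victim's request. A SameSite cookie attribute on the session cookie is a useful second layer, but not a replacement for the token.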

03/12/2022

A Hacker Is A Person,not A Skill 🐞🪲

03/12/2022

Upps -_-all Most covered!
