Showing posts with label Hacker Prevent. Show all posts
Showing posts with label Hacker Prevent. Show all posts

Thursday, 4 December 2014

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks

The Weather Channel at Least 76.3% Links Vulnerable to XSS Attacks



Domain Description:
http://www.weather.com/



"The Weather Channel is an American basic cable and satellite television channel which broadcasts weather forecasts and weather-related news and analyses, along with documentaries and entertainment programming related to weather.  Launched on May 2, 1982, the channel broadcasts weather forecasts and weather-related news and analysis, along with documentaries and entertainment programming related to weather."

"As of February 2015, The Weather Channel was received by approximately 97.3 million American households that subscribe to a pay television service (83.6% of U.S. households with at least one television set), which gave it the highest national distribution of any U.S. cable channel. However, it was subsequently dropped by Verizon FiOS (losing its approximately 5.5 millions subscribers), giving the title of most distributed network to HLN. Actual viewership of the channel averaged 210,000 during 2013 and has been declining for several years. Content from The Weather Channel is available for purchase from the NBCUniversal Archives." (Wikipedia)




Vulnerability description:


The Weather Channel has a cyber security problem. Hacker can exploit it by XSS bugs.


Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to add script at the end of The Weather Channel's URLs. Then the scripts will be executed.


10 thousands of Links were tested based a self-written tool. During the tests, 76.3% of links belong to weather.com were vulnerable to XSS attacks.


The reason of this vulnerability is that Weather Channel uses URLs to construct its HTML tags without filtering malicious script codes. 


The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.

















POC Codes, e.g.
http://www.weather.com/slideshows/main/"--/>"><img src=x onerror=prompt('justqdjing')>
http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>"><img src=x onerror=prompt('justqdjing')>t%28%27justqdjing%27%29%3E
http://www.weather.com/news/main/"><img src=x onerror=prompt('justqdjing')>






POC Video:





The Weather Channel has patched this Vulnerability in late November, 2014 (last Week).  "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the fllowing web securities have been published here, Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated Redirects and Forwards, Information Leakage, Denial of Service, File Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML Injection, Spam. This bug was published at The Full Disclosure in November, 2014.







Discovered by:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)








More Details:




Posted by at No comments:
Labels: , , , , , , , , , , , , , , , ,

Sunday, 4 May 2014

WordPress Website Login Page Covert Redirect Security Bugs Based on Google.com
















WordPress Website Login Page Covert Redirect Security Bugs Based on Google.com



(1) Domain:
wordpress.com


"Open source WordPress is the most popular online publishing platform, currently powering more than 20% of the web. We wanted to bring the WordPress experience to an even larger audience, so in 2005 we created WordPress.com. We’re a hosted version of the open source software. Here, you can start a blog or build a website in seconds without any technical knowledge. Overall, the WordPress.com network welcomes more than 409 million people viewing more than 15.5 billion pages each month. Our users publish about 41.7 million new posts and leave 60.5 million new comments each month." (https://wordpress.com/about/)







(2) Vulnerability Description:
Wordpress web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks. 


The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7. 

The vulnerability occurs at "wp-login.php?" page with "redirect_to" parameter, i.e.
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.google.com [1]

When a user click the URL ([1]) above, the "WordPress login" page appears. The user needs to enter his/her username and password. When this is done, the user is redirected to a webpage belonging to WordPress.
However, it seems that "wp-login.php" in "wordpress.com" allows some other domains, i.e.
google.com.
Now, a user could be redirected from "wp-login.php" to a URL in Google first and later be redirected from Google to a malicious site. This is as if being redirected from WordPress directly.




(2.1) Use one of webpages for the following tests. The webpage address is "https://redysnowfox.wordpress.com/". Can suppose that this webpage is malicious.


Vulnerable URL:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fen.wordpress.com


POC:
http://en.wordpress.com/wp-login.php?redirect_to=http%3A%2F%2Fgoogle.com%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26sqi%3D2%26ved%3D0CCoQFjAA%26url%3Dhttp%253A%252F%252Fwww.tetraph.com%252F%26ei%3DFSMgU-bSCOewiQfu5IDoAg%26usg%3DAFQjCNHRJ5hWvXyy2WcSdJPZNEwvbMW9Zg%26sig2%3D_ALzlmyIx3EfHwaNUBBI_Q




POC video:
https://www.youtube.com/watch?v=CxJ3jBAupsk


Blog Detail:
http://tetraph.blogspot.com/2014/05/wordpress-covert-redirect-vulnerability.html








(3) What is Covert Redirect? 
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect can work together with CSRF (Cross-site Request Forgery) as well. 








Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)



Posted by at 1 comment:
Labels: , , , , , , , , , , , , , ,

Thursday, 17 April 2014

GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability









GetPocket getpocket.com CSRF (Cross-Site Request Forgery ) Web Security Vulnerability

Domain: getpocket.com
"Pocket was founded in 2007 by Nate Weiner to help people save interesting articles, videos and more from the web for later enjoyment. Once saved to Pocket, the list of content is visible on any device — phone, tablet or computer. It can be viewed while waiting in line, on the couch, during commutes or travel — even offline. The world's leading save-for-later service currently has more than 17 million registered users and is integrated into more than 1500 apps including Flipboard, Twitter and Zite. It is available for major devices and platforms including iPad, iPhone, Android, Mac, Kindle Fire, Kobo, Google Chrome, Safari, Firefox, Opera and Windows." (From: https://getpocket.com/about)


Vulnerability Description:
Pocket has a computer cyber security bug problem. Hacker can exploit it by CSRF attacks.

 "Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application." (OWSAP)


Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.



Vulnerability Details:
The code programming flaw exists at "https://getpocket.com/edit/edit" page, i.e.https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=

Vulnerable URL:
https://getpocket.com/edit?url=http%3A%2F%2Fwpshout.com%2Fchange-wordpress-theme-external-php&title=


Use a website created by me for the following tests. The website is "http://itinfotech.tumblr.com/". Suppose that this website is malicious. If it contains the following link, attackers can post any message as they like.
<a href="https://getpocket.com/edit?url=http%3A%2F%2Fmake.wordpress.org%2Fcore%2F2014%2F01%2F15%2Fgit-mirrors-for-wordpress&title=csrf test">getpocket csrf test</a> [1]


When a logged victim clicks the link ([1]), a new item will be successfully saved to his/her "Pocket" without his/her notice. An attack happens.




Posted by at 1 comment:
Labels: , , , , , , , , , , , , , ,
Subscribe to: Posts (Atom)