Bug Bounty: Bypassing Account Suspension to Get Full Access to the Account [Mediafire]







Hi there,


In this post I am going to discuss a bug I found on Mediafire.
I noticed that Mediafire has a bug bounty program.



What is Mediafire:- 


MediaFire is a file hosting, file synchronization, and cloud storage service based in Shenandoah, Texas, United States. Founded in June 2006 by Derek Labian and Tom Langridge, the company provides client software for Microsoft Windows, Mac OS X, Linux, Android, iOS, BlackBerry 10, and web browsers. MediaFire has 43 million registered users and attracted 1.3 billion unique visitors to its domain in 2012.

There are three types of account on Mediafire:
1. Basic (free) :- Has some basic features with limited storage and bandwidth.
2. Pro (paid) :- Has more features, much larger bandwidth and 100GB storage.
3. Business (paid) :- For teams; all Mediafire features, e.g. you can add other users, customize the download page, increase bandwidth, export a folder as a zip, and download the logs of the users.


As creating a Pro or Business account requires an international credit or debit card, I created a Basic account for free and started looking at the functionality.

Most features, like deleting files or generating a one-time download link, use the Mediafire API, so I quickly looked at the API documentation. You can find the Mediafire API here.

So what happens on login:-
Whenever you log in to your account it generates an authenticity_token. The token lives for 10 minutes; after that it is renewed using this API call
https://www.mediafire.com/api/1.5/user/renew_session_token.php
but if your session is idle for 5-7 minutes then you have to enter the password again to renew the token.


The Bug:-

So I was looking at some of their functionality, but due to some work I logged out of my account. After logging out it redirected me to a page which says


This account has been locked.
See our page about account suspensions for more information.

I was like WHAT I DID WRONG ? :(

After completing the work I came back and tried to log in again, but after redirecting me to the home page it redirected me again to the page which shows that the account is suspended.

Now I fired up Burp and started looking at what was actually going on.

1. After login it generates the authenticity token and redirects to the home page.
2. After verifying that this is a suspended account it redirects me to the page which shows the warning.

So I can't do anything using the WebApp.
I started looking at the Mediafire API and tried one API call, the one for creating a folder: http://www.mediafire.com/api/1.5/folder/create.php

Now I copied the authenticity token generated during login, tried to create a folder, and it was successful.

I could also access files etc. using the Mediafire Android app.

So what is actually happening is that the API generates the token but does not invalidate it after confirming that the account is suspended, and using the API I can access most of the features of Mediafire.

As a fix, Mediafire now invalidates the token as soon as they confirm that the account is suspended, and you can't use any features with a suspended account from the mobile application either.
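The following is an added example (not Mediafire's code) modelling the session-token behaviour described above: a 10-minute token, an account-suspension flag, and a stand-in for the folder-create call. With `hardened=False` it reproduces the bug, where a token issued at login keeps working after suspension; with `hardened=True` it applies the fix the post describes (revoke tokens at suspension) plus a status re-check on every API call, which also covers a token issued by a login that happens after suspension. All names are constructed for this example.

```python
import secrets
import time


class TokenService:
    """Toy model of the API session tokens from the post (constructed example).
    hardened=False: a valid token is enough, account status is never re-checked.
    hardened=True: suspension revokes the account's tokens and every API call
    re-checks the account's status (defence in depth)."""

    TOKEN_TTL = 600  # seconds: the 10-minute token lifetime stated in the post

    def __init__(self, hardened=True):
        self.hardened = hardened
        self.accounts = {}  # user -> {'suspended': bool}
        self.tokens = {}    # token -> {'user': str, 'expires': float}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        self.accounts.setdefault(user, {'suspended': False})
        token = secrets.token_hex(16)
        self.tokens[token] = {'user': user, 'expires': now + self.TOKEN_TTL}
        return token

    def suspend(self, user):
        self.accounts[user]['suspended'] = True
        if self.hardened:
            # The fix: every token of the suspended account dies immediately.
            for token in [t for t, s in self.tokens.items() if s['user'] == user]:
                del self.tokens[token]

    def authorize(self, token, now=None):
        """Return the user the token belongs to, or None if it must be rejected."""
        now = time.time() if now is None else now
        session = self.tokens.get(token)
        if session is None or session['expires'] < now:
            return None
        if self.hardened and self.accounts[session['user']]['suspended']:
            return None  # catches a token issued by a login after suspension
        return session['user']

    def create_folder(self, token, name, now=None):
        """Stand-in for folder/create.php: succeeds only for an authorized session."""
        user = self.authorize(token, now)
        if user is None:
            return {'result': 'Error', 'message': 'invalid or suspended session'}
        return {'result': 'Success', 'folder': name, 'owner': user}
```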


Disclosure Timeline
27-Feb-2016: Reported
9-Mar-2016: First response received > Looking at this report
14-Mar-2016: Bounty awarded (certificate and Pro account)
15-Mar-2016: Resolved
27-Feb-2017: Disclosed


Thanks 
Jitendra K Singh (Team Computer Korner)

Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!

Website Sends the Actual Password to the Mobile Number: Considered a Severe Vulnerability or Not?


Hi there,


I was just looking at some websites which provide a free SMS sending service. There are a lot of websites which provide this functionality in India.
So what is SMS?

SMS stands for Short Messaging Service. It uses standardized communication protocols to enable mobile phone devices to exchange short text messages.

There are a lot of websites which you can use to send free SMS to a mobile phone; all you need is to create an account on your desired website and you are ready.

Now I looked at one such website. I am not going to mention its name; let's call it site.com.
On site.com you use your mobile number to create an account; they deliver a temporary password to you on the given number, and after login you have to change the password to your desired one.

Now what happens if you forget your password? In that case just enter your mobile number on their password reset page and they will send you the password you were using on that website. It's pretty simple.
So did you notice anything which can create a risk or threat?
Some will understand, but for the others let me explain.


They are not using any hashing algorithm to hash the password.
If a password is hashed then it can't be converted back to the actual text; you can only compare other hashes in order to guess the actual word.

Now, how did I identify that this website is not using any hashing algorithm?

As I mentioned earlier, once text is converted into a hash it can't be converted back to the actual word from which the hash was generated.
As site.com is sending the actual password to the mobile phone, it tells us that they are not using any hashing algorithm.
As they are not using the most important security layer, password hashing, how are you going to trust this website? Maybe they are saving all the contacts you added and the messages you sent in plain text too, giving hackers a chance to steal all of your info if they get access to the database of that website.
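As an added example (not site.com's code), here is what the mobile-number account flow looks like when passwords are stored as salted PBKDF2 hashes: login recomputes the hash, and "forgot password" cannot send the old password back because the server never has it; it issues a fresh temporary password and forces a change on next login. The `AccountStore` class and the sample mobile number are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Kept modest so the example runs quickly;
# OWASP currently recommends 600,000 iterations for production use.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return 'salt$digest' (hex). A fresh random salt per password means two
    users with the same password get different stored values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return salt.hex() + '$' + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split('$', 1)
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Accounts keyed by mobile number, as on site.com (constructed example).
    Only hashes are kept, so 'forgot password' cannot reveal the old password;
    it issues a one-time temporary password (which the site would SMS) and
    forces a change after the next login."""

    def __init__(self):
        self._accounts = {}

    def register(self, mobile, password):
        self._accounts[mobile] = {'pw': hash_password(password), 'must_change': False}

    def login(self, mobile, password):
        acct = self._accounts.get(mobile)
        return acct is not None and verify_password(password, acct['pw'])

    def must_change_password(self, mobile):
        return self._accounts[mobile]['must_change']

    def reset(self, mobile):
        """Return the temporary password to deliver, or None for an unknown
        number (the caller should respond identically either way)."""
        if mobile not in self._accounts:
            return None
        temp = secrets.token_urlsafe(9)
        self._accounts[mobile] = {'pw': hash_password(temp), 'must_change': True}
        return temp
```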




So I suggest that you shouldn't use sites which are not providing the most common security layer to their users.

Now the decision is yours: do you want to let your private information be publicly available?
If not then beware!!!

Have a Good Day 

Thanks

Jitendra K Singh (Team Computer Korner)  

Special thanks to Moto G

Bug Bounty: Vulnerability In customer.io







Hi there,

First of all, sorry for this long pause from my side; I was busy with some things and it took me some time to sort them all out.

So in this post I am going to discuss a vulnerability I found in customer.io.

About customer.io:-
A light integration sends the Customer.io platform customer behavior data from your web or mobile app. Then you can start sending messages based on what users do or don't do after they log in. Increase engagement, revenue, and customer success.



I was looking at the SPF records of some companies and I found that some companies have customer.io in their SPF record, i.e. they are allowing customer.io to send emails on their behalf.
So I directly went to customer.io and created an account.
After creating an account I created a template for sending as an email.
Now you can add as many email accounts as you want for sending email, so I tried saving an email address of a site which has customer.io in its SPF record, the address no-reply@example.com (I don't want to disclose the website).
The email was added successfully, but after this one problem arose: customer.io doesn't let me send email from that second email address I added to my account.
So there are two conditions:-

1. When creating an account you have to verify the email address.
2. You can only send email from the email address you used while creating the account.

So I tried some ideas, like sending an email, capturing that request with Burp and modifying the email address, but these didn't work.

While adding the email there was an option to edit my primary email. That looked somewhat vulnerable, so I clicked on edit and changed my primary email to no-reply@example.com, and it was successful. Now I could send emails on behalf of that company's customers.

First of all I reported this to some of their customers who were vulnerable to this; after that I wrote an email to customer.io and explained it to them.
They told me that they are fixing this ASAP, but since they don't have a bug bounty program they are not rewarding me anything. That was fine, because I do this testing for exploring and gaining knowledge.

They sent me a reply >24 hours after reporting this and I was happy with their quick response.

FIX

They did two things to fix this vulnerability. First of all they blocked my account. 😁😁😁😁😁😁😁😁😁😁 After that they added domain verification: whenever you try to add an email address you have to verify its ownership.
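The recon step above, reading a company's SPF record to see which third parties may send mail as that domain, is also the check a domain owner should run on their own record. The following added example (not customer.io's or any company's code) parses an SPF TXT record, lists third-party `include:` mechanisms, and flags review points; the sample record and the ESP hostname in it are constructed and stand in for the customer.io include seen in the post.

```python
QUALIFIERS = '+-~?'
DNS_MECHANISMS = {'include', 'a', 'mx', 'ptr', 'exists'}


def parse_spf(record, own_domain):
    """Parse one SPF TXT record and summarise who may send as own_domain.
    Returns None if the string is not an SPF record."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != 'v=spf1':
        return None
    own = own_domain.lower()
    summary = {'third_party_includes': [], 'ip_networks': [], 'all': None,
               'dns_lookups': 0, 'redirect': None, 'unknown': []}
    for term in terms[1:]:
        if '=' in term:  # modifier such as redirect= or exp=
            name, _, value = term.partition('=')
            if name.lower() == 'redirect':
                summary['redirect'] = value.lower()
                summary['dns_lookups'] += 1
            continue
        qualifier = '+'  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(':')
        mech = mech.split('/')[0].lower()  # 'a/24' and 'mx/24' carry a CIDR
        if mech in DNS_MECHANISMS:
            summary['dns_lookups'] += 1
        if mech == 'include':
            dom = value.lower()
            if dom != own and not dom.endswith('.' + own):
                summary['third_party_includes'].append((qualifier, dom))
        elif mech in ('ip4', 'ip6'):
            summary['ip_networks'].append((qualifier, value))
        elif mech == 'all':
            summary['all'] = qualifier
        elif mech not in DNS_MECHANISMS:
            summary['unknown'].append(term)
    return summary


def spf_findings(summary):
    """Review points a domain owner should act on for a parsed record."""
    findings = []
    if summary['all'] == '+':
        findings.append('+all: anyone may send as this domain')
    if summary['dns_lookups'] > 10:
        findings.append('more than 10 DNS lookups: receivers treat the record as permerror')
    for qualifier, dom in summary['third_party_includes']:
        if qualifier == '+':
            findings.append(f'{dom} may send as this domain; confirm it verifies '
                            'ownership of every sender address its customers add')
    return findings


# Constructed record: one own-subdomain include and one third-party ESP include
# (the ESP hostname is made up; it stands for customer.io in the post).
SAMPLE_RECORD = ('v=spf1 ip4:192.0.2.0/24 include:_spf.example.com '
                 'include:_spf.esp-provider.example ~all')
```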



Hope you liked it 

Thanks 
Jitendra K Singh(Team Computer Korner)


Wi-Fi Hacking: Deauthentication Attack


Hi there,

So this post is about the deauthentication attack.
We can do a deauthentication attack without connecting to the target network.

How It works:-

In this process aireplay-ng sends deauthentication packets to both the AP (access point or router) and the client connected to it.
It sends spoofed packets to the AP, and also some packets to the client, so that the AP acknowledges packets which say that the target client is not authenticated to the AP.
In other words, the attacker sends deauth packets to the AP pretending to be the client, and at the same time sends deauth packets to the client pretending to be the router, saying that you need to authenticate again.


How We can do this attack:-

So we need the aircrack-ng suite to carry out this attack. Let's start.

  1. First of all you have to put a wireless card in monitor mode. Type
    airmon-ng start [your wifi card name] and press enter; it will enable the wireless card in monitor mode.
  2. Now scan all networks by typing
    airodump-ng [your wireless card in monitor mode]
I have censored some information. After scanning the networks, choose the AP on which you want to deauth a client.


3. Now, to deauthenticate a specific client, first look at how many clients are associated to that network. To do this simply type
airodump-ng --channel [no] --bssid [mac of target network] [wifi card in monitor mode] and press enter

It will give output like this.


4. Now to deauthenticate the client use this command
aireplay-ng --deauth [no of packets you want to send] -a [AP's MAC address] -c [client MAC address] [wifi card in monitor mode]
If you want to deauthenticate the client for a long time you can set a large value for [no of packets], like 10000.

After this the client will not be able to authenticate to the target network.
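From the defender's side, the frames this attack relies on are plain 802.11 management frames (type 0, subtype 12 for deauthentication, 10 for disassociation), so a wireless sensor can spot a flood of them against one BSSID. The following added example (not part of the post, and not aircrack-ng code) parses the 802.11 MAC header of raw frames and reports BSSIDs that receive more deauth/disassoc frames than a threshold within a one-second window; the sample capture and all MAC addresses are constructed. The standard mitigation is 802.11w Protected Management Frames, which makes forged deauth frames fail integrity checks.

```python
import struct
from collections import Counter

MGMT_TYPE = 0
DEAUTH, DISASSOC, BEACON = 12, 10, 8


def mac_str(b):
    return ':'.join(f'{x:02x}' for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(':'))


def build_mgmt_frame(subtype, addr1, addr2, bssid, reason=None):
    """Build a minimal raw 802.11 management frame (no radiotap header).
    Used only to construct sample input for the detector below."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    hdr = (fc + b'\x00\x00' + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(bssid) + b'\x00\x00')
    body = struct.pack('<H', reason) if reason is not None else b''
    return hdr + body


def parse_mgmt_frame(frame):
    """Return subtype, addresses and reason code for a management frame,
    or None if the bytes are not a management frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = fc0 >> 4
    info = {'subtype': subtype, 'dst': mac_str(frame[4:10]),
            'src': mac_str(frame[10:16]), 'bssid': mac_str(frame[16:22]),
            'reason': None}
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info['reason'] = struct.unpack_from('<H', frame, 24)[0]
    return info


def detect_deauth_flood(captures, threshold=20, window=1.0):
    """captures: iterable of (timestamp_seconds, raw_frame). Returns
    {bssid: peak deauth/disassoc frames in one window} for BSSIDs over threshold."""
    per_bucket = Counter()
    for ts, raw in captures:
        info = parse_mgmt_frame(raw)
        if info and info['subtype'] in (DEAUTH, DISASSOC):
            per_bucket[(info['bssid'], int(ts // window))] += 1
    peak = {}
    for (bssid, _), n in per_bucket.items():
        peak[bssid] = max(peak.get(bssid, 0), n)
    return {b: n for b, n in peak.items() if n >= threshold}


# Constructed sample capture: a beacon, one ordinary deauth on another BSSID,
# then a 40-frame deauth burst against AP_A inside a single second.
AP_A, AP_B, CLIENT = '00:11:22:33:44:55', '66:77:88:99:aa:bb', 'cc:dd:ee:ff:00:11'
SAMPLE = [(0.0, build_mgmt_frame(BEACON, 'ff:ff:ff:ff:ff:ff', AP_B, AP_B)),
          (0.5, build_mgmt_frame(DEAUTH, CLIENT, AP_B, AP_B, reason=3))]
SAMPLE += [(1.0 + i * 0.02, build_mgmt_frame(DEAUTH, CLIENT, AP_A, AP_A, reason=7))
           for i in range(40)]
```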

Hope you enjoyed reading this.
Next Post: Cracking WEP encryption Practical 


Regards
Jitendra (Team Computer Korner)



WEP encryption: How it works and its weakness




Hi there,

First of all sorry for the delay as I was on vacations but finally I am back with a new post.

In the past few posts we talked about MAC addresses and how to log in to an AP which has a MAC filter enabled.
Now we will talk about encryption and how to crack it.
Our first topic is WEP encryption.

So lets start:-

WEP is an old encryption scheme, but it is still used in many networks to provide data confidentiality; that's why we are learning how to break it.
WEP stands for Wired Equivalent Privacy. It was designed to provide data confidentiality comparable to that of wired networks.



Introduction:-

WEP uses an algorithm known as Rivest Cipher 4 (RC4). RC4 was designed by Ron Rivest of RSA Security in 1987.
With RC4, data packets are encrypted at the AP (access point) and then decrypted at the client. WEP tries to ensure that each packet has its own unique keystream by using a random 24-bit Initialization Vector (IV), which is sent unencrypted. This means that if you are able to capture data packets, you will be able to read the IV.


Authentication:-

There are two types of authentication that are used in WEP encryption:
1. Open System Authentication:- In this authentication the WLAN client need not provide its credentials to the access point for authentication.
2. Shared Key Authentication:- It takes place as follows.
The client sends an authentication request to the AP.
The AP replies with a clear-text challenge.
The client encrypts the clear-text challenge using the configured or entered WEP key and sends it back to the AP.
The AP decrypts the response; if it matches the challenge text the client is authenticated, otherwise a negative reply is received.

Cracking:-


So the weakness here is that the IV is only 24 bits.
In a busy network the randomness will not help, because there are too many packets being sent and received and every IV is drawn from the same 24-bit space, so IVs are bound to repeat.

So we can collect two or more packets which have the same Initialization Vector, and after that we can use aircrack-ng to determine the keystream and the WEP key.

The more packets you capture, the better the chances of determining the key.
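To put a number on "bound to repeat": with N = 2^24 possible IVs, the birthday bound says the chance that two of n random IVs coincide is about 1 - exp(-n(n-1)/2N), which passes 50% after only a few thousand packets. The following is an added example (not part of the post) that computes that bound and the expected number of reused-IV pairs for a given capture size.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs, and WEP sends them in clear


def collision_probability(n_packets, space=IV_SPACE):
    """Probability that at least two of n_packets independently random IVs
    are equal: the birthday bound 1 - exp(-n(n-1) / (2N))."""
    if n_packets > space:
        return 1.0  # pigeonhole: more packets than IVs guarantees a repeat
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))


def packets_for_probability(p, space=IV_SPACE):
    """Smallest number of packets at which the collision probability reaches p."""
    lo, hi = 1, space + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if collision_probability(mid, space) >= p:
            hi = mid
        else:
            lo = mid + 1
    return lo


def expected_repeated_pairs(n_packets, space=IV_SPACE):
    """Expected number of packet pairs sharing an IV among n packets, C(n,2)/N.
    This grows quadratically, which is why a busy network hands an observer
    many reused keystreams rather than just one."""
    return n_packets * (n_packets - 1) / (2.0 * space)
```

For the real protocol the picture is worse than this model: many WEP implementations chose IVs from a counter rather than at random, so reuse is deterministic once the counter wraps.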


We will be  doing the demonstration of Cracking WEP in next post.
Stay tuned 


Regards
Jitendra(Team Computer Korner)





Accessing an AP Which have a MAC filter enabled


In the previous post I talked about what a MAC address is and explained how to find your MAC address.
Now there are certain Wi-Fi networks which use a MAC filter to give access to their clients.
A MAC filter consists of a whitelist of MAC addresses, so a user can connect to that network only when his MAC address exists in that whitelist.

So suppose you know the password of a network (access point) but it has a MAC filter enabled; then you will not be able to connect to that network.

So in this post we will bypass the MAC filter of a router to get access to that network.

We will first check the devices connected to the AP, then change our MAC address, and since we know the password we can connect to that network.

Tools we are going to use in this:

  1. aircrack-ng suite
  2. macchanger
Let's start.

1. First of all we need to put our network card in monitor mode so we are able to capture all the packets. Our card is in managed mode by default, so we have to enable monitor mode.
My network card name is wlan0.
Open a terminal in Kali and give this command

airmon-ng start wlan0


It will start the network card in monitor mode, and it will be called mon0.

2. Now we can monitor all the networks in our Wi-Fi card's range. To monitor all the networks give this command


airodump-ng mon0



Here BSSID is the MAC address of the network
CH = channel
PWR = signal level (roughly, our distance from the AP)
Data = data packets transferred
ENC = encryption used

3. Now, to monitor all the devices connected to the network, open a terminal and type

airodump-ng --bssid <MAC address of network> --channel <channel> <wifi_card_in_monitor_mode>



It will show you the MAC addresses of all the connected devices under the STATION field.
Copy any of them.


4. Now give these commands to change your MAC address to one which is whitelisted (copied in step 3). macchanger needs the interface name as its last argument:
ifconfig wlan0 down
macchanger --mac <MAC copied in step 3> wlan0
ifconfig wlan0 up



Now enter the password and you will be able to connect to the network which has the MAC filter enabled.



Note: To restore the permanent MAC address again, type macchanger -p wlan0



Hope this helped 

Feel free to comment

Thanks
Jitendra K Singh(Team Computer Korner)



What is MAC: Explanation





What is a MAC address

MAC stands for Media Access Control.
Each network card has a physical static address assigned by the card manufacturer, called the MAC address.
The MAC address is used between devices to identify each other and to deliver packets to the right place.
Each packet has a source MAC and a destination MAC address.

This address is also known as the hardware address. It uniquely identifies the adapter on the LAN.
A MAC address is a 12-digit hexadecimal number (48 bits). It is written in the following format.

MM:MM:MM:SS:SS:SS

The first half of the MAC (24 bit) contains the ID number of adapter Manufacturer.
The second half (24 MORE BITS) of a MAC address represents the serial number assigned to the adapter by the manufacturer.

How to find your MAC address

  • On Windows: Open the command prompt and enter the following command
ipconfig /all
here is the image


  • On Linux: Open the terminal and give the following command
ifconfig -a


If you want to find out who the manufacturer of your network card is, first retrieve the MAC address of the network card using the ways shown above.

Go to this address. Now paste the first six digits of your MAC address and click on Lookup.
It will show you the manufacturer.
Let's take an example.
In the above image of Ubuntu the MAC address is 08:00:27:62:bf:e1.
Now paste the first six digits of this, 080027, into the given box.

Now it will show you the vendor of the card.
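The following added example (not part of this or the previous post) does in code what the lookup above does by hand, and goes a little further: it normalises the common MAC spellings, splits the address into the manufacturer (OUI) and serial halves, decodes the two flag bits of the first octet (a set "locally administered" bit means the address was not assigned by a manufacturer, which is what a software-set address looks like), and shows why a MAC whitelist check must normalise both sides before comparing. The vendor table is constructed for the example; 08:00:27 is the prefix from the Ubuntu screenshot above.

```python
import re

# Lookup table constructed for this example; a real check would use the IEEE
# OUI registry. 08:00:27 is the prefix from the post's Ubuntu screenshot.
OUI_TABLE = {'080027': 'PCS Systemtechnik GmbH (VirtualBox virtual adapter)'}

_MAC_RE = re.compile(r'^[0-9a-f]{12}$')


def normalize_mac(text):
    """Accept colon, hyphen, Cisco dotted or bare forms and return
    'xx:xx:xx:xx:xx:xx' in lower case; raise ValueError for anything else."""
    digits = re.sub(r'[:\-. ]', '', text.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f'not a MAC address: {text!r}')
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(text):
    """Split a MAC into its OUI and serial halves and decode the two flag bits
    of the first octet: bit 0 (I/G) marks a group address, bit 1 (U/L) marks a
    locally administered address, i.e. one not assigned by a manufacturer."""
    mac = normalize_mac(text)
    digits = mac.replace(':', '')
    first_octet = int(digits[:2], 16)
    oui = digits[:6]
    return {'mac': mac, 'oui': oui, 'serial': digits[6:],
            'vendor': OUI_TABLE.get(oui, 'unknown'),
            'multicast': bool(first_octet & 0x01),
            'locally_administered': bool(first_octet & 0x02)}


def whitelist_check(mac, whitelist):
    """Compare a station against a MAC whitelist after normalising both sides,
    so '08-00-27-62-BF-E1' and '08:00:27:62:bf:e1' are not treated as different.
    Also reports whether the address is locally administered, a hint that it
    was set in software rather than by the card's manufacturer."""
    info = describe_mac(mac)
    allowed = {normalize_mac(w) for w in whitelist}
    return {'allowed': info['mac'] in allowed,
            'locally_administered': info['locally_administered'],
            'vendor': info['vendor']}
```

Note that a copied whitelisted address (as in the previous post) has a clean U/L bit and passes this check; only seeing the same MAC from two stations at once reveals that case.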

Hope you enjoyed it more is coming soon.

Thanks
Jitendra K Singh (Team Computer Korner)


Bypassing the weak CSRF Protection

Hi there,

In the InfoSec community everybody knows about the CSRF vulnerability.
And if a website is not using CSRF protection, researchers are lucky enough to find a full account takeover using CSRF.

However, many security researchers only look at whether a CSRF token is present on a particular request or not, and if it is not they think that this particular request is vulnerable to CSRF.

Protection which Modern WebApp uses against CSRF

There are many protections which modern WebApps use against CSRF.

1. Send an authenticity token with each request:- This is the basic protection which most WebApps use. They send an authenticity token with each request to protect their users against CSRF.

2. X-CSRF-Token header:- Many WebApps use this extra layer of protection by adding an X-CSRF-Token header to each request; the token in the header is verified on every request sent to the server.
3. Referer header protection:- You can only find this type of CSRF protection in some WebApps, like Twitter. In this type of protection they verify the Referer header, and if the Referer comes from any domain other than the website's own domain, the request is dropped and an error is shown.


Some Methods to Bypass the CSRF protection

There are some methods which you can use to bypass CSRF protection.

1. Many WebApps only verify the length of the CSRF token, which means: create an account on that website and note down the length of the CSRF token. Now send any arbitrary CSRF token of the same length and it will be accepted.

2. You can also use the GET method instead of the POST method to bypass CSRF protection.

3. There is a missing best practice in many websites. After logging in they generate a CSRF token for us, and this token remains the same on every request until we log out. But if we note down that same token and try a CSRF attack on another person's account, it will be successful.
So in my opinion CSRF tokens should be unique per user and they have to expire when the user logs out.

4. There is also a flaw which makes many WebApps vulnerable: they generate the CSRF token, save it in a cookie, and on each and every request verify the token in the POST request against the token in the cookie.
It is easy to bypass this type of protection: just change both tokens, the one inside the cookie and the one sent to the server on every request, and the request will be successful.
So as mitigation you should not just match the token with the token in the cookie.
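As an added example (not from any of the sites mentioned), the following contrasts the two weak checks from points 1 and 4 with a server-side design that addresses all four points: the token is random, bound to one session (so it cannot be replayed against another account), dies at logout, is only accepted on POST, and is compared in constant time. Class and function names are constructed for this example.

```python
import hmac
import secrets


def weak_length_check(submitted, expected):
    """Bypass 1 above: only the length is compared, so any same-length
    value is accepted."""
    return len(submitted) == len(expected)


def weak_double_submit(cookie_token, form_token):
    """Bypass 4 above: the form value is only compared with the cookie value
    and the server keeps no record of either, so a request that carries the
    same attacker-chosen value in both places passes."""
    return cookie_token == form_token


class SessionStore:
    """Server-side sessions, each with its own random CSRF token. The token
    is bound to one session, so it cannot be reused against another user's
    account (bypass 3), and it dies at logout."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {'user': user, 'csrf': secrets.token_urlsafe(32)}
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def csrf_token(self, sid):
        """Token to embed in forms rendered for this session."""
        return self._sessions[sid]['csrf']

    def verify(self, sid, method, form_token):
        """Accept a state-changing request only if it is a POST (bypass 2),
        the session exists, and the submitted token equals the session's
        token under a constant-time comparison."""
        if method != 'POST':
            return False
        session = self._sessions.get(sid)
        if session is None or not isinstance(form_token, str):
            return False
        return hmac.compare_digest(session['csrf'].encode('utf-8'),
                                   form_token.encode('utf-8'))
```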

Suggestions are welcome.


Thanks 

Jitendra K Singh(Team Computer Korner)

