Bypassing Private Profile Restrictions

So this post is about bypassing the private profile restrictions on a private program on HackerOne. I will not disclose the program name, so let's call it example.com.


So I got an invitation to a private program on HackerOne. I created an account on it; it was a file hosting service where you can host all your files.

I started testing it and doing reconnaissance on it as well.
After creating a profile, in settings there were two options: private profile and public profile.
They create a page for each user on a subdomain, like imgur does. Anyone can visit it and see some basic info about the user. But if your profile is private, no one can see your profile, your profile picture, etc.

So I started looking for a bypass of these private profile restrictions.

1. If a user visits a profile image URL directly, they will be able to download the profile picture of the user even if the profile is private. But the image URL looks like this: https://subdomain.example.com/api/people/1768280b-8a78-463a-bdb9-f1a96835f466/profileImage
So it will be hard to predict the random value 1768280b-8a78-463a-bdb9-f1a96835f466 in order to retrieve the profile picture of the user.
So it was a failed attempt.

2. Now when you log in, there is a request whose response contains an id parameter which looks like this: "id":"0a7561f5-dcd0-412e-bed3-f5734da4ddbd". If you substitute this value into the URL from step 1, an image will be downloaded, but it was not the real image of the user.

3. So after further investigation I found that this alphanumeric value is the GUID of a person.
So I was testing some of the file sharing functionality on that site.
I configured Burp to listen to all the requests and responses coming from it. Whenever a person shares a file with a person who has a private account on example.com, there is a parameter in the response which leaks the person's GUID:

"profileImageUrl":"/api/people/00000000-0000-0000-0000-000000000000/profileImage","personGuid":"efef3e0b-a3b8-4fa9-b548-d23baccc96d1"

Now you can see that the value in profileImageUrl is all zeros, but personGuid has an interesting value. Just replace the zeros with the value of personGuid and you can download the profile picture of the user.
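To make the root cause concrete, here is an added example (my own code, not the program's) of the two things that went wrong: the image endpoint treated knowledge of the GUID as authorization, and the share response handed the GUID out. The fixed functions check the privacy flag on every request (assumption: only the owner may fetch a private picture; a real service may allow more) and never place a private user's GUID in a response meant for someone else. The GUIDs are the ones quoted in this post; the emails and image bytes are constructed.

```python
"""Added example, not the program's own code: why knowing a GUID must not be
the only thing standing between a visitor and a private profile image.

The vulnerable function mirrors what the post found: /api/people/<guid>/profileImage
served the picture to anyone holding the GUID, and a file-share response
handed that GUID out. The fixed version authorises on the profile's privacy
flag on every request (assumption: only the owner may fetch a private picture)
and never puts a private user's GUID into a response meant for someone else.
The GUIDs are the ones quoted in the post; emails and image bytes are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Person:
    guid: str
    email: str
    is_private: bool
    profile_image: bytes


PRIVATE_GUID = "efef3e0b-a3b8-4fa9-b548-d23baccc96d1"
PUBLIC_GUID = "1768280b-8a78-463a-bdb9-f1a96835f466"
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed directory keyed by GUID.
PEOPLE = {
    PRIVATE_GUID: Person(PRIVATE_GUID, "private@example.com", True, b"\x89PNG private-picture"),
    PUBLIC_GUID: Person(PUBLIC_GUID, "public@example.com", False, b"\x89PNG public-picture"),
}


def profile_image_vulnerable(requester: Optional[str], guid: str) -> Optional[bytes]:
    """The bug: the identifier is treated as the credential; requester is ignored."""
    person = PEOPLE.get(guid)
    return person.profile_image if person else None


def profile_image_fixed(requester: Optional[str], guid: str) -> Optional[bytes]:
    """Authorise on the privacy setting, not on the secrecy of the GUID."""
    person = PEOPLE.get(guid)
    if person is None:
        return None
    if person.is_private and requester != guid:
        return None  # indistinguishable from 'not found', so no oracle for private GUIDs
    return person.profile_image


def share_notification(recipient_guid: str, viewer_guid: str) -> dict:
    """Serialise the 'file shared with X' object from the post for the viewer,
    without disclosing a private recipient's real GUID."""
    recipient = PEOPLE[recipient_guid]
    if recipient.is_private and viewer_guid != recipient_guid:
        return {"profileImageUrl": f"/api/people/{PLACEHOLDER_GUID}/profileImage",
                "personGuid": None}
    return {"profileImageUrl": f"/api/people/{recipient_guid}/profileImage",
            "personGuid": recipient_guid}
```

The point of returning the same "nothing" for a private profile as for an unknown GUID is that the endpoint then cannot be used to confirm which GUIDs belong to private users, which is what the leaked personGuid made trivial.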

They gave me their account email and told me to download the profile pic of this account, and I successfully did that.

The team took about 1 year to fix this issue. :(

That's all for this post.


Thanks
Jitendra K Singh ( Team Computer Korner)


Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!

Open Redirection in Oauth

Hi there,

I am fond of testing APIs. Whenever a bug bounty program launches, first of all I look at whether they have an API or not. I have tested the APIs of many websites like Mapbox and Mediafire and found many issues.


Now I stumbled across a website; I don't want to disclose its name, so let's call it example.com. On example.com you can create an application and get data from the users. They have different scopes like email, phone number, address, etc.

Now they are using OAuth for all this. I created an application and started testing it.
As soon as I created the application, a client_id and client secret were provided to me (intended).

Now the application only allows HTTPS URLs as the redirect_uri. I white-listed a URL and I was ready to go.

I requested the email scope and tried the OAuth URL they provided. Now what actually happens is that if you provide a wrong scope, you are redirected to the URL given in redirect_uri.

Now according to RFC 6749:

    If the request fails due to a missing, invalid, or mismatching
    redirection URI, or if the client identifier is missing or invalid,
    the authorization server SHOULD inform the resource owner of the
    error and MUST NOT automatically redirect the user-agent to the
    invalid redirection URI.

    If the resource owner denies the access request or if the request
    fails for reasons other than a missing or invalid redirection URI,
    the authorization server informs the client by adding the following
    parameters to the query component of the redirection URI using the
    "application/x-www-form-urlencoded" format

Let's take a scenario.
There is a website example.com, and someone created an application with a white-listed URL attacker.com.

Now in the second paragraph quoted above from RFC 6749, many devs misinterpret the words "other than".
If the scope parameter is invalid then they directly redirect the user to that website without any interaction, and that's how it works as an open redirect.

Now this can be used for phishing purposes or for redirecting users to a malicious website.

Now they say that this is how OAuth works, but actually if the scope is invalid then Google and Facebook don't redirect their users to the website mentioned in redirect_uri. Facebook shows this type of error if the scope is invalid:
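The behaviour described above, as an added example that is not example.com's code or any vendor's: a small model of an authorization endpoint's error handling. The first rule is RFC 6749 section 4.1.2.1 as quoted in this post (an unknown client_id or unregistered redirect_uri never causes a redirect); the second is the stricter choice attributed here to Google and Facebook, where an invalid scope is shown to the user on an error page rather than auto-redirecting. Client names, URIs and the scope list are constructed.

```python
"""Added example, not example.com's code: an authorization endpoint's
error handling that does not double as an open redirector.

Two rules are modelled. The first is RFC 6749 section 4.1.2.1 as quoted
above: an unknown client_id or an unregistered redirect_uri must never
cause a redirect. The second is the stricter behaviour the post attributes
to Google and Facebook: an invalid scope is shown to the resource owner
on an error page instead of bouncing the user-agent to redirect_uri with
no interaction. Client names, URIs and scopes are constructed."""
from urllib.parse import urlencode, urlsplit

# Constructed client registry. Registered URIs are matched exactly.
CLIENTS = {
    "good-app": {"redirect_uris": {"https://app.example.org/cb"}},
    "other-app": {"redirect_uris": {"https://other.example/cb"}},
}
KNOWN_SCOPES = {"email", "phone", "address"}


def register_redirect_uri(client_id: str, uri: str) -> bool:
    """Registration-time check mirroring the post's rule that only https
    redirect URIs are accepted; RFC 6749 3.1.2 also forbids fragments."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    CLIENTS.setdefault(client_id, {"redirect_uris": set()})["redirect_uris"].add(uri)
    return True


def authorize(params: dict) -> dict:
    """Decide what the authorization endpoint shows for a request.
    Returns {"action": "error_page" | "consent", ...}; a redirect only ever
    happens later, in redirect_after_decision()."""
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    # RFC 6749 4.1.2.1: bad client or redirect_uri -> inform the resource
    # owner and MUST NOT redirect.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return {"action": "error_page", "error": "invalid_request",
                "detail": "unknown client_id or unregistered redirect_uri"}
    requested = set(params.get("scope", "").split())
    # The RFC permits redirecting with error=invalid_scope here. Doing it
    # automatically lets anyone who registers a client bounce users from
    # this domain to theirs, so show the error (and the destination) instead.
    if not requested or not requested <= KNOWN_SCOPES:
        return {"action": "error_page", "error": "invalid_scope",
                "detail": f"unknown scope(s): {sorted(requested - KNOWN_SCOPES)}",
                "requested_redirect_uri": redirect_uri}
    return {"action": "consent", "client_id": params["client_id"],
            "scope": sorted(requested), "redirect_uri": redirect_uri}


def redirect_after_decision(redirect_uri: str, granted: bool, code: str, state: str) -> dict:
    """Redirect only after the resource owner has decided (RFC 6749 4.1.2)."""
    query = {"code": code} if granted else {"error": "access_denied"}
    if state:
        query["state"] = state
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return {"action": "redirect", "location": f"{redirect_uri}{sep}{urlencode(query)}"}
```

Note that exact-match registration alone does not close this hole: the scenario in this post has the attacker registering their own application, so their redirect_uri is legitimately white-listed. What removes the open redirect is refusing to send the user anywhere before they have seen a page on the authorization server itself.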


Now after all this I reported this bug to example.com and they denied it by saying that this is how OAuth works. And after a long trail of comments they said we are going to operate our API according to RFC 6749. That's it.

So everything is up to them, whether they want to make changes to protect their users or not.

Credits
http://blog.intothesymmetry.com/2015/04/open-redirect-in-rfc6749-aka-oauth-20.html

And the mitigations that were provided by John Bradley and Hannes Tschofenig; you can find them here: https://tools.ietf.org/id/draft-bradley-oauth-open-redirector-01.txt



Thanks 
Jitendra Kumar Singh(Team Computerkorner)

Insufficient Transport Layer Protection: Mediafire Android Application

Hi there,

It has been quite a long time since I published my last post; sorry for keeping you waiting.

So this is the story of a bug which I found in the Mediafire Android application.
First of all I want to clarify that I never use rooted devices, since rooting removes the most important security feature (the protection of the /data/data folder).

Now lets stick to the bug.

So after testing their API and web application (I found about 10+ issues there), it was time to take a look at their Android application.
So I installed their application directly from the Play Store and configured Burp to listen to all the traffic coming from my device. Now let's start testing.

I had been playing with the Android application for 3-4 hours but I was not able to find any issue. Actually they are using the API there, which I had already tested.
Then I started looking for issues like whether every request that goes with a session token is over HTTPS. Suddenly I noticed a request, and it disappeared in seconds from the HTTP history tab of Burp.
I started digging, as that request didn't have HTTPS protection.
After looking for some time I figured out that whenever you preview any image within the Android app, this request goes out:

http://ww7.mediafire.com/conversion_server.php?fc02&quickkey=<quick_Key_of_file>&doc_type=i&size_id=5&session_token=<session_token_here>

Now this request is not going over HTTPS, and it carries the session token as well.
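This is exactly the kind of thing that is easy to miss by eye in a busy proxy history, so here is an added example (my own code, not Mediafire's) of a check you can run over an exported list of request URLs: flag every plain-http request whose query string carries a session token or similar credential, and redact the value before the finding goes into a report. The sample history below is constructed, with placeholders in place of a real quickkey and token; the list of parameter names is an assumption you would extend per target.

```python
"""Added example, not Mediafire's code: a check a defender or tester can run
over captured request URLs (e.g. exported from a proxy history) to flag the
class of bug described above: a session token travelling over plain http.
The request lines are constructed; the token values are placeholders."""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used for bearer-like credentials (assumption: extend per target).
TOKEN_PARAMS = {"session_token", "token", "access_token", "api_key", "sessionid"}

# Constructed proxy export: one URL per line, same shape as the request in the post
# but with placeholder values in place of a real quickkey and token.
SAMPLE_HISTORY = """\
https://www.mediafire.com/api/1.5/user/get_info.php?session_token=<TOKEN>
http://ww7.mediafire.com/conversion_server.php?fc02&quickkey=<QUICKKEY>&doc_type=i&size_id=5&session_token=<TOKEN>
http://ww7.mediafire.com/static/logo.png
https://www.mediafire.com/api/1.5/user/renew_session_token.php?session_token=<TOKEN>
"""


def find_cleartext_credentials(history: str) -> list:
    """Return one finding per http:// request whose query carries a token parameter."""
    findings = []
    for line in history.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS-protected (or not a URL at all); nothing to flag here
        # keep_blank_values so a bare flag such as 'fc02' is kept rather than dropped
        query = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(k for k in query if k.lower() in TOKEN_PARAMS)
        if leaked:
            findings.append({"host": parts.netloc, "path": parts.path, "params": leaked})
    return findings


def redact(url: str) -> str:
    """Mask credential values before a finding is written to a report or ticket."""
    pattern = r"(?i)\b(" + "|".join(map(re.escape, TOKEN_PARAMS)) + r")=[^&]*"
    return re.sub(pattern, r"\1=REDACTED", url)


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_HISTORY):
        print(f"cleartext credential: {f['host']}{f['path']} params={f['params']}")
```

Run against the constructed history it flags only the conversion_server.php request, which is the one this post describes; the static image over http has no credential and the API calls are over https.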

How to Exploit:-

Now if the victim is using a public wifi (a malicious user's wifi), that malicious user can intercept the request and take over the account with the session. There is a catch as well: the session token is only valid for 10 minutes, and if you try to send a request after an idle time of 10 minutes you have to enter the password to re-authenticate yourself, after which a new session token is generated.
But there is an endpoint where you can renew the session token; you just have to send the request before the 10 minutes of idle time:

https://www.mediafire.com/api/1.5/user/renew_session_token.php?session_token=<TOKEN_YOU_GOT>

Now you have everything: you can take over the user's session without hitting the session timeout.

Timeline
5 April 2016 17:25:36: Bug found
5 April 2016 17:36:37: Reported to Mediafire
7 April 2016 22:57:00: More information sent about renewing the session token to bypass the password requirement.
8 April 2016 00:52:33: Report is Triaged
8 April 2016 00:53:04: Bug is fixed
8 April 2016 (I don't remember the time): Update issued for the Android application.


It was my pleasure to work with the Mediafire security team, as they are very fast in fixing issues and shipping the update.


That's all for this post; let me know your opinion in the comments section.

Thanks
Jitendra Kumar Singh(Team Computer Korner)



The Best Selling InfoSec Author at Udemy Banned!

Highlights: Udemy Inc. banned Sagar Bansal on June 28, 2018, due to copyright infringement for a course named CISSP MASTERCLASS. The interesting fact is that the Udemy team unbanned him on July 3, 2018, saying that your account has been unbanned but your CISSP course will stay disabled until you provide us proper proof. But he was banned again after 11 days!


Who is Sagar Bansal and What's the Actual Story?

Sagar Bansal, a.k.a. the World's Highest Paid CISSP Mentor, is nowadays the creator of the PSCP exam, the founder of PHMC|SECURITIES and the author of the Practical Hacking MasterClass.
He is a security ninja and only does consulting work at per-hour session charges, which are quite high actually; you can book him at www.sagarbansal.com/calendly if you want.

On Udemy he had 7+ courses, of which 1 was a best seller and 4 were highest rated courses. He taught more than 20K students from over 100+ countries.

When his CISSP MasterClass came out, there were many claims about the material, and especially about the additional material he offered to students.

After 7 days of the launch of his course, it became the highest rated CISSP course on the platform. Many competitors were jealous, and someone filed a DMCA and copyright infringement violation case.

Sagar tried hard to defend his side and presented some proofs, but even after winning once and getting unbanned on July 3, 2018, he got banned again on July 14, 2018. This time he was not given any reason, his emails are not being replied to, and no proof or evidence for banning him is being presented.

Here is a screenshot of his CISSP MasterClass after the ban.

If you were a student in his courses earlier, you can still access them, but there is no way for new students to buy those courses.

Luckily we got an account, and we can see that even after the ban it is still working in old accounts.
His courses were even selling underground after the ban, until he released Edunoid.com, which runs on a Teachable school, and made his own school.

Now he is providing true education by giving away his MasterClass courses for almost free; you can check the CISSP MasterClass at $1 on his website www.sagarbansal.com

Why $1? He says that when he keeps it at 0, people waste time by enrolling in things when they don't even know what they are enrolling in!

So what do you think of this incident?
How can a mentor who teaches information security make such a big mistake as copyright infringement? And even if this was a mistake, why did Udemy unban him and then ban him again without any reason? It makes it a JOKE!

Let me know your thoughts in comments



Bug Bounty: Bypassing Account Suspension in Order to Get Full Access to the Account [Mediafire]

Hi there,

In this post I am going to discuss a bug which I found on Mediafire.
I noticed that Mediafire has a bug bounty program.



What is Mediafire:-

MediaFire is a file hosting, file synchronization, and cloud storage service based in Shenandoah, Texas, United States. Founded in June 2006 by Derek Labian and Tom Langridge, the company provides client software for Microsoft Windows, Mac OS X, Linux, Android, iOS, BlackBerry 10, and web browsers. MediaFire has 43 million registered users and attracted 1.3 billion unique visitors to its domain in 2012.

There are three types of account on Mediafire:
1. Basic (free):- Has some basic-level features, limited storage and limited bandwidth.
2. Pro (paid):- Has more features, as it is paid: much larger bandwidth and 100GB storage.
3. Business (paid):- For teams; all Mediafire features, like adding other users, customizing the download page, increasing bandwidth, exporting a folder as a zip, and downloading the logs of the users.


As it requires an international credit or debit card to create a Pro or Business account, I created a Basic account for free and started looking at the functionality.

Most features, like deleting files, generating one-time download links, etc., use the Mediafire API. So I quickly looked at the documentation of the API. You can find the Mediafire API here.

So on login, what is happening:-
Whenever you log in to your account it generates an authenticity_token. The life of the token is 10 minutes; after that it renews the token using this API call
https://www.mediafire.com/api/1.5/user/renew_session_token.php
but if your session is idle for 5-7 minutes then you have to enter the password again to renew the token.


The Bug:-

So actually I was looking at some of their functionality, but due to some work I logged out of my account. After logging out, it redirected me to a page which says:


This account has been locked.
See our page about account suspensions for more information.

I was like WHAT I DID WRONG ? :(

So after some time, after completing the work, I came back and tried to log in again, but after redirecting me to the home page it again redirected me to that page which shows that the account is suspended.

Now I fired up Burp and started looking at what was actually going on.

1. After login it generates the authenticity token and redirects to the home page.
2. After verifying that this is a suspended account, it redirects me to that page which shows the warning.

So I can't do anything using the web app.
I started looking at the Mediafire API and tried one API call, which is about creating a folder: http://www.mediafire.com/api/1.5/folder/create.php

Now I copied the authenticity token which was generated during the login, tried to create a folder, and it was successful.

I could also access files etc. using the Mediafire Android app.

So what is actually happening is that the API generates the token but does not invalidate it after confirming that the account is suspended, and using the API I can access most of the features of Mediafire.

So now, as a fix, Mediafire invalidates the token as soon as they confirm that the account is suspended, and using the mobile application you can't use any features with a suspended account.
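To show what the fix has to look like in code, here is an added example (my own, not Mediafire's) of a minimal session store in which suspension actually revokes access: a token is never issued to a suspended account, every use of a token re-checks the account status, suspending an account drops all of its live tokens, and the renew call goes through the same check so it cannot extend a dead session. The 10-minute idle limit is the one stated in this post; timestamps are passed in so it can be exercised without waiting.

```python
"""Added example, not Mediafire's code: a minimal session store in which
account suspension actually revokes access. The post describes two gaps:
tokens were issued at login and kept working through the API after the
account was confirmed suspended, and the renew endpoint extended them.
Here every use of a token re-checks account status, and suspending the
account drops all of its tokens. Times are injected so the 10-minute idle
limit from the post can be exercised without waiting."""
import secrets
from typing import Optional

IDLE_LIMIT_SECONDS = 10 * 60  # from the post: token dies after 10 minutes idle


class SessionStore:
    def __init__(self):
        self.accounts = {}   # email -> {"suspended": bool}
        self.sessions = {}   # token -> {"email": str, "last_used": float}

    def add_account(self, email: str, suspended: bool = False) -> None:
        self.accounts[email] = {"suspended": suspended}

    def login(self, email: str, now: float) -> Optional[str]:
        """Issue a token only for an account that is allowed to log in at all.
        The vulnerable flow issued the token first and only then redirected."""
        acct = self.accounts.get(email)
        if acct is None or acct["suspended"]:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "last_used": now}
        return token

    def authorize(self, token: str, now: float) -> Optional[str]:
        """Resolve a token to an account for any web, API or app request.
        Rejects unknown, idle-expired and, crucially, suspended-account tokens."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_used"] > IDLE_LIMIT_SECONDS:
            del self.sessions[token]
            return None
        if self.accounts[sess["email"]]["suspended"]:
            del self.sessions[token]  # should already be gone via suspend(); defence in depth
            return None
        sess["last_used"] = now
        return sess["email"]

    def renew(self, token: str, now: float) -> Optional[str]:
        """renew_session_token equivalent: goes through authorize(), so a
        suspended or idle session cannot be extended."""
        email = self.authorize(token, now)
        if email is None:
            return None
        del self.sessions[token]
        return self.login(email, now)

    def suspend(self, email: str) -> int:
        """Mark the account suspended and revoke every live session for it.
        Returns the number of tokens revoked."""
        self.accounts[email]["suspended"] = True
        dead = [t for t, s in self.sessions.items() if s["email"] == email]
        for t in dead:
            del self.sessions[t]
        return len(dead)
```

The key design point is that the web front end's redirect to the "account locked" page is a UI decision, not an authorization decision; the check has to live where the token is resolved, because the API and the Android app never see that redirect.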


Disclosure Timeline
27-Feb-2016: Reported
9-Mar-2016: First response received > Looking at this report
14-Mar-2016: Bounty awarded (certificate and Pro account)
15-Mar-2016: Resolved
27-Feb-2017: Disclosed


Thanks 
Jitendra K Singh (Team Computer Korner)


Website Sends the Actual Password to the Mobile Number: Considered a Severe Vulnerability or Not?


Hi there,


I was just looking at some websites which provide a free SMS sending service. There are a lot of websites which provide this functionality in India.
So what is an SMS?

SMS stands for Short Message Service. It uses standardized communication protocols to enable mobile phone devices to exchange short text messages.

There are lots of websites which you can use to send free SMS to a mobile phone; all you need is to create an account on your desired website and you are ready.

Now I just looked at one such website. I am not going to mention its name, so let's call it site.com.
On site.com you can use your mobile number to create an account; they deliver a temporary password to you on the given number, and after login you have to change the password to your desired one.

Now what happens if you forget your password? In that case, just enter your mobile number on their password reset page and they will send you the password you were using on that website. It's pretty simple.
So, did you notice anything which can create a risk or threat?
Some can understand, but for the others let me explain.


They are not using any hashing algorithm for the passwords.
If a password is hashed then it can't be converted back to the actual text; you can only compare it with other hashes in order to guess the actual word.

Now how did I identify that this website is not using any hashing algorithm?

As I mentioned earlier, once a text is converted into a hash it can't be converted back to the actual word from which the hash was generated.
As site.com is sending the actual password to the mobile phone, it tells us that they are not using any hashing algorithm.
As they are not using the most important security layer, password hashing, how are you going to trust this website? Maybe they are saving all the contacts you added and the messages you sent in plain text as well, giving hackers a chance to steal all of your info if they get access to the database of that website.
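For readers who want to see what "using a hashing algorithm" means in practice, here is an added example (my own code, not site.com's) of the two pieces that make the reset flow described above impossible: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes using only the Python standard library, so the server has nothing it could send back, and a forgotten password is handled by texting a fresh random temporary password that must be changed on first login, the same flow this post says site.com already uses at sign-up. Users and SMS delivery are simulated in memory.

```python
"""Added example, not site.com's code: the two things a site must do so
that a password reset can never reveal the password the user was using.
Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes (standard library
only), so the server cannot recover them, and a forgotten password is handled
by issuing a fresh random temporary password that must be changed on first
login, which is the same flow the post says site.com already uses at sign-up.
Users and SMS delivery are simulated in memory."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # work factor; tune so one hash takes ~100 ms on the server


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


class SmsAccounts:
    def __init__(self):
        self.users = {}          # mobile -> {"hash": str, "must_change": bool}
        self.sent_sms = []       # constructed stand-in for the SMS gateway: (mobile, text)

    def _issue_temporary(self, mobile: str) -> None:
        temp = secrets.token_urlsafe(9)
        self.users[mobile] = {"hash": hash_password(temp), "must_change": True}
        self.sent_sms.append((mobile, f"Your temporary password is {temp}"))

    def register(self, mobile: str) -> None:
        """Sign-up as the post describes: a temporary password is texted to the number."""
        self._issue_temporary(mobile)

    def login(self, mobile: str, password: str) -> bool:
        user = self.users.get(mobile)
        return user is not None and verify_password(password, user["hash"])

    def change_password(self, mobile: str, new_password: str) -> None:
        self.users[mobile] = {"hash": hash_password(new_password), "must_change": False}

    def forgot_password(self, mobile: str) -> None:
        """The fix for the post's finding: nothing recoverable is stored, so the
        only option is to invalidate the old password and text a new random one."""
        if mobile not in self.users:
            return  # same observable behaviour for unknown numbers
        self._issue_temporary(mobile)
```

A site built this way cannot "send you the password you were using" even if it wanted to, which is why that SMS is such a reliable indicator of plain-text storage.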




So I will suggest that you shouldn't use sites which are not providing the most common security layer to their users.

Now the decision is on you: do you want to let your private information become publicly available?
If not, then beware!

Have a Good Day 

Thanks

Jitendra K Singh (Team Computer Korner)  

Special thanks to Moto G

Bug Bounty: Vulnerability in customer.io

Hi there,

First of all, sorry for this long pause from my side; I was busy with some things and it took me some time to sort them all out.

So in this post I am going to discuss a vulnerability I found in customer.io.

About customer.io:-
A light integration sends the Customer.io platform customer behavior data from your web or mobile app. Then you can start sending messages based on what users do or don't do after they log in. Increase engagement, revenue, and customer success.

I was looking at the SPF records of some companies and I found that some companies have customer.io in their SPF record, i.e. they are allowing customer.io to send emails on their behalf.
So I directly went to customer.io and created an account.
After creating an account I created a template for sending an email.
Now you can add as many email addresses as you want for sending email, so I tried saving an email address of a site which has customer.io in its SPF record: no-reply@example.com (I don't want to disclose the website).
The email was added successfully, but after this one problem arose: customer.io doesn't let me send email from that second email address I added to my account.
So there are two conditions:-

1. When creating an account you have to verify the email address.
2. You can only send the email from the email you have used while creating the account.

So I tried some ideas like sending an email, capturing that request with Burp and modifying the email, but these didn't work.

While adding the email there was an option to edit my primary email. That looked like something vulnerable, so I clicked on edit and changed my primary email to no-reply@example.com, and it was successful. Now I could send emails on behalf of the customers of that company.

First of all I reported this to some of their customers who were vulnerable to this; after that I wrote an email to customer.io and explained it to them.
They told me that they are fixing this ASAP, but since they don't have a bug bounty program they are not rewarding me anything. That was fine, because I do this testing for exploring and gaining knowledge.

They sent me a reply >24 hours after reporting this, and I was happy with their quick response.

FIX

They did two things to fix this vulnerability. First of all they blocked my account. 😁😁😁😁😁😁😁😁😁😁 After that they added domain verification: whenever you try to add an email you have to verify its ownership.
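The shape of that fix, as an added example that is my own code and not customer.io's: a sender-address registry in which every path to a usable address, adding one and editing the primary one alike, goes through the same ownership proof. The bug in this post was exactly an edit path that skipped the check. Verification is modelled at the per-address level as a random token that would be mailed to the address and echoed back; the "outbox" is a constructed in-memory list standing in for mail delivery.

```python
"""Added example, not customer.io's code: a sender-address registry in which
every path to a usable address, adding one and editing the primary one alike,
goes through the same ownership proof. The post's bug was exactly an edit
path that skipped the check. Verification is modelled as a random token
that would be mailed to the address and echoed back; mail delivery is a
constructed in-memory list."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SenderAddresses:
    verified: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # address -> token awaiting confirmation
    primary: Optional[str] = None
    outbox: list = field(default_factory=list)    # (to_address, token) "mails" sent

    def request_verification(self, address: str) -> None:
        """Start the only route by which an address can become usable."""
        token = secrets.token_urlsafe(24)
        self.pending[address] = token
        self.outbox.append((address, token))  # only the true mailbox owner can read this

    def confirm(self, address: str, token: str) -> bool:
        """Complete verification; wrong or missing token leaves the address unusable."""
        expected = self.pending.get(address)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.pending[address]
        self.verified.add(address)
        return True

    def set_primary(self, address: str) -> bool:
        """The fixed edit path: changing the primary address is just selecting
        an already verified one; it can never introduce an unverified address."""
        if address not in self.verified:
            return False
        self.primary = address
        return True

    def may_send_from(self, address: str) -> bool:
        """The check the sending pipeline must make for every outgoing message."""
        return address in self.verified


def set_primary_vulnerable(reg: SenderAddresses, address: str) -> None:
    """What the post found: the edit form wrote the new primary straight into
    the account and mail could then be sent from it without proof of ownership."""
    reg.primary = address
    reg.verified.add(address)
```

Two details matter beyond the obvious one. The sending pipeline asks may_send_from() for every message rather than trusting whatever the account settings page last wrote, and the token comparison is constant-time, so verification cannot be brute-forced a byte at a time through timing. Domain-level verification, which this post says customer.io added, is the same idea applied once per domain instead of once per address.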



Hope you liked it 

Thanks 
Jitendra K Singh(Team Computer Korner)


Wi-Fi Hacking: Deauthentication Attack


Hi there,

So this post is about the deauthentication attack.
We can do a deauthentication attack without connecting to the target network.

How It works:-

So in this process aireplay-ng sends deauthentication packets to both the AP (access point or router) and the client which is connected to it.
It sends spoofed packets to the AP and also some packets to the client; the AP acknowledges a packet which says that the target client is not authenticated to the AP.
In other words, the attacker sends some deauth packets to the AP pretending to be the client, and at the same time sends deauth packets to the client pretending to be the router, saying that you need to authenticate again.


How We can do this attack:-

So we need the aircrack-ng suite to carry out this attack. Let's start.

  1. First of all you need a wireless card in monitor mode. To enable this, type
    airmon-ng start [Your wifi card name] and press enter; it will put the wireless card into monitor mode.
  2. Now scan all networks by typing
    airodump-ng [Your wireless card in monitor mode]
I have censored some information. After scanning the networks, choose the AP on which you want to deauth a client.


3. Now to deauthenticate a specific client, first of all look at how many clients are associated to that network. To do this simply type
airodump-ng --channel [no] --bssid [mac of target network] [wifi card in monitor mode] and press enter

It will give an output like this:


4. Now to deauthenticate the client use this command
aireplay-ng --deauth [no of packets you want to send] -a [AP's MAC address] -c [client Mac address] [wifi card in monitor mode]
If you want to deauthenticate the client for a long time you can set a large value of [no of packets], like 10000.

After this the client will not be able to authenticate to the target network.
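The same attack seen from the network's side, as an added example that is not part of the original post: a deauthentication flood is noisy. It is a burst of 802.11 management frames (type 0, subtype 12) claiming to come from the AP and aimed at one client, and the mirror image claiming to come from the client and aimed at the AP, exactly the two directions described above. The detector below takes a list of already decoded frames (the kind a monitor-mode capture tool hands you after parsing) and raises one alert per (AP, client) pair when the deauth count inside a sliding window crosses a threshold. The capture is constructed, the MAC addresses are made up, and the window and threshold are assumptions to tune for the environment.

```python
"""Added example, not part of the original post: the defender's view of the
attack described above. A deauthentication flood is noisy: a burst of
802.11 management frames (type 0, subtype 12) claiming to come from the AP
and aimed at one client, or from the client aimed at the AP. This detector
consumes a list of decoded frames (what a monitor-mode capture tool would
hand you after parsing) and raises an alert when the rate for an
(AP, client) pair exceeds a threshold inside a sliding window. The capture
below is constructed; MAC addresses are made up; the threshold is an assumption."""
from collections import deque, defaultdict

DEAUTH = (0, 12)           # 802.11 management frame, subtype Deauthentication
WINDOW_SECONDS = 2.0       # assumption: tune to the environment
THRESHOLD = 10             # legitimate roaming produces a handful, not dozens


def detect_deauth_flood(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """frames: iterable of dicts with keys ts, type, subtype, src, dst, bssid.
    Returns a list of alerts, one per (bssid, client) pair, the first time
    its deauth count in the window crosses the threshold."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda fr: fr["ts"]):
        if (f["type"], f["subtype"]) != DEAUTH:
            continue
        # Both directions of the spoofed pair are attributed to the same key:
        # AP->client ("you are deauthenticated") and client->AP ("I am leaving").
        client = f["dst"] if f["src"] == f["bssid"] else f["src"]
        key = (f["bssid"], client)
        q = recent[key]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": f["bssid"], "client": client,
                           "count": len(q), "first_ts": q[0], "last_ts": f["ts"]})
    return alerts


def constructed_capture():
    """Constructed frames: a data frame, one benign deauth from a client that
    is leaving, then a flood of 30 spoofed deauths in each direction within a second."""
    ap, victim, other = "02:00:00:00:aa:01", "02:00:00:00:cc:02", "02:00:00:00:cc:03"
    frames = [
        {"ts": 0.0, "type": 2, "subtype": 0, "src": other, "dst": ap, "bssid": ap},   # data frame
        {"ts": 0.5, "type": 0, "subtype": 12, "src": other, "dst": ap, "bssid": ap},  # normal leave
    ]
    for i in range(30):
        t = 5.0 + i * 0.03
        frames.append({"ts": t, "type": 0, "subtype": 12, "src": ap, "dst": victim, "bssid": ap})
        frames.append({"ts": t + 0.01, "type": 0, "subtype": 12, "src": victim, "dst": ap, "bssid": ap})
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(constructed_capture()):
        print(f"deauth flood: AP {a['bssid']} <-> client {a['client']}, "
              f"{a['count']} frames in {a['last_ts'] - a['first_ts']:.2f}s")
```

Detection is the fallback. Where the access point and clients support it, 802.11w management frame protection authenticates deauthentication frames, so spoofed ones from a third party are simply not honoured, which is the mitigation that removes the attack rather than just observing it.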

Hope you enjoyed reading this.
Next Post: Cracking WEP encryption Practical 


Regards
Jitendra (Team Computer Korner)

