AN IDOR WORTH $400, AND IDOR EXPLAINED

Hello everyone out there! These days I'm busy with some other stuff, but after a long interval, in April I started hunting bugs again to get some bucks for my vacation trip lol :p. When I started hunting in April, I set my aim on InvisionApp.com.

What is IDOR?
In simple words, IDOR (Insecure Direct Object Reference) means performing an action on another user's account or data from your own account, without any interaction with that user, simply by changing the identifier (user id, comment id, ...) that the server receives.

Why does IDOR happen?
It happens when the backend lacks an authorization check: it may verify that you are logged in, but it never verifies that the object referenced by the submitted ID actually belongs to you (or that you are allowed to act on it). Check my explanation below if you want to understand it.
Suppose a web app deletes a user account in this way:

Delete Account form

<form method="post" action="http://vulnerable.com/user/delete_account/">
  <input type="hidden" name="user_id" value="12345678">
  <input type="submit" value="Delete Account">
</form>

Code working on /user/delete_account/

<?php
include "connection_db.php";
// The account to delete is taken straight from the client-supplied form
// field; nothing ties it to the logged-in user (no session or ownership check).
$user_id = $_POST['user_id'];
// The value is also interpolated directly into the SQL string, so this is
// SQL-injectable as well. The IDOR exists even without that second bug.
$sql = "DELETE FROM user WHERE id={$user_id}";
if ($conn->query($sql) === TRUE) {
    echo "User account deleted successfully";
} else {
    echo "Error deleting user account " . $conn->error;
}
?>

Okay, as you can see, there is no authorization check: whenever a valid user_id is supplied and that id exists in the DB, the account is deleted, which is critical. Nothing here even ties the request to the logged-in user, and $user_id goes straight into the SQL string, so the snippet is SQL-injectable too. This can be prevented in many ways, e.g. taking the user id from the server-side session instead of the request, requiring a password re-verification before the delete, and so on. I hope you now understand how IDOR works; now please read the PoC below.
While testing InvisionApp I came across the Board section, where you can make a board and post in it, and anyone can comment on it; only the ADMIN of the board has the right to delete other people's comments. So I created two accounts, one admin and one normal user, and tried to delete the admin's comment. To keep it short, below are the reproduction steps.


Steps to Reproduce: "A" = Admin (victim), "B" = Attacker

1- Sign in with 2 different accounts (A & B) in 2 different browsers (or use incognito as the 2nd browser).
2- Go to account "A", create a board and add anything to it.
3- Comment from both the "A" and "B" accounts.
4- Note down the comment id of the victim's comment (i.e. the comment posted by "A").
5- Go to account "B", capture the request while deleting B's own comment, and change the comment id in the URL to A's comment id (Example: api/board/item/comment/*COMMENT ID*).
   In account "B" you do not have any option in the UI to delete the admin's ("A") comment.
6- The status will be "200 OK" and the other account's comment will be deleted.
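Here are the two endpoints discussed above, the delete-account handler and the comment-delete API from the PoC, with the missing object-level authorization added. This is an added example written for this page; it is not InvisionApp's code and not the page's PHP (it is written in Python so it runs stand-alone). The schema, the fixture data and the convention that the server passes the session's own user id into the handler are assumptions.

```python
"""Object-level authorization for the two endpoints discussed above.

Added example; it is not InvisionApp's code and not the page's PHP. The
schema, the session model (the caller passes the user id the server already
established for the session) and the function names are assumptions.
"""
import sqlite3


def open_db():
    """Constructed fixture: user A (id 1) is admin of board 1, user B (id 2)
    is a normal user, and each has one comment on board 1."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user    (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE board   (id INTEGER PRIMARY KEY, admin_id INTEGER);
        CREATE TABLE comment (id INTEGER PRIMARY KEY, board_id INTEGER,
                              author_id INTEGER, body TEXT);
        INSERT INTO user    VALUES (1, 'A'), (2, 'B');
        INSERT INTO board   VALUES (1, 1);
        INSERT INTO comment VALUES (11, 1, 1, 'comment by A'),
                                   (12, 1, 2, 'comment by B');
    """)
    return conn


def delete_account(conn, session_user_id):
    """Hardened /user/delete_account/: the account deleted is the one bound to
    the session, so no client-supplied user_id is involved, and the id is
    passed as a bound parameter rather than interpolated into the SQL."""
    cur = conn.execute("DELETE FROM user WHERE id = ?", (session_user_id,))
    conn.commit()
    return 200 if cur.rowcount == 1 else 404


def delete_comment(conn, session_user_id, comment_id):
    """Hardened DELETE /api/board/item/comment/<comment_id>: the object is
    looked up first, then the session user must be its author or the admin
    of its board. Returns an HTTP-style status code."""
    row = conn.execute(
        "SELECT c.author_id, b.admin_id "
        "FROM comment c JOIN board b ON b.id = c.board_id "
        "WHERE c.id = ?",
        (comment_id,),
    ).fetchone()
    if row is None:
        return 404
    author_id, admin_id = row
    if session_user_id not in (author_id, admin_id):
        return 403          # the IDOR from the PoC is stopped here
    conn.execute("DELETE FROM comment WHERE id = ?", (comment_id,))
    conn.commit()
    return 200


def comment_exists(conn, comment_id):
    return conn.execute("SELECT 1 FROM comment WHERE id = ?",
                        (comment_id,)).fetchone() is not None


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


def replay_poc(conn):
    """Replays the reproduction steps: B (session user 2) sends the DELETE for
    A's comment (id 11) exactly as in the captured request, then A (board
    admin) deletes B's comment (id 12). Returns both status codes."""
    attacker = delete_comment(conn, session_user_id=2, comment_id=11)
    admin = delete_comment(conn, session_user_id=1, comment_id=12)
    return attacker, admin


if __name__ == "__main__":
    db = open_db()
    print(replay_poc(db))   # (403, 200)
```

Run it and replay_poc() gives (403, 200): B's replay of the captured DELETE with A's comment id is refused, while the board admin can still moderate. The point in both handlers is the same: the identifier the client controls is only ever used to look the object up, and the decision about whether the session user may act on it is made server-side from the session and the object's stored author/admin, never from anything in the request.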


HTTP Request Example

DELETE /api/board/item/comment/*VICTIM COMMENT ID* HTTP/1.1
Host: projects.invisionapp.com
Connection: keep-alive
X-Timezone-Offset: -420
Origin: https://projects.invisionapp.com
X-XSRF-TOKEN: dTK57p6DW5mteX-nBBanCmeza0RUvUaI1JksYSQF0cU
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36
X-Referrer-Hash: #/boards/2636413/80399396
Accept: application/json, text/plain, */*
X-Page-Loaded-At: 1459747535276
Referer: https://projects.invisionapp.com/d/main
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: ** Cookies Goes Here **

Bug Timeline :
3rd April : Reported Bug.
6th April : Triaged.
10th April : Given to developers to fix.
14th April : Asked to confirm the fix.
14th April : Fix confirmed by me
15th April : Rewarded with 400 USD

Video PoC:

OCULUS EMAIL FORGERY BY MAILGUN SPF ENTRIES WORTH 1000$

** Stay tuned to the blog: I will soon publish my other bug on Instagram, worth $2000 **

Hey everyone! Once again I'm here with my bug, this time on Oculus, owned by Facebook 🙂
Oculus information extracted from Wikipedia:
Oculus VR, LLC, or simply Oculus, is an American virtual reality technology company founded by Palmer Luckey and Brendan Iribe in June 2012 in Irvine, California. (Wikipedia)
What are SPF Records/Entries?
An SPF record is a DNS TXT record that lists which mail servers are permitted to send email on behalf of your domain; a receiving server checks the envelope sender (MAIL FROM) domain against it. Its purpose is to stop spammers from sending messages that forge your domain as the sender. The catch is that every include: of a third-party mail provider (Mailgun, SendGrid, Mandrill, ...) extends that trust to whoever controls your domain inside that provider's account.
What was the issue?
I was looking for sub-domains of oculus.com when I noticed that the SPF entries of oculus.com include Mandrill, SendGrid and Mailgun.
I thought something might be fishy here. I registered an account on all three services and tried to claim oculus.com at Mailgun, and guess what the result was? DOMAIN GOT ADDED, VERIFIED AND FULLY ACTIVE, because the CNAME was also pointing to Mailgun. I was able to claim it probably because the oculus.com setup had expired from the official account, or they had never claimed it 🙁
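This is the check I would script for the SPF observation above: pull the include: mechanisms out of the TXT record and name the hosted-mail providers it trusts, plus the DNS-lookup limit that receivers enforce. It is an added example, not the author's tooling; the record is constructed (it is not oculus.com's real record) and the provider table is an assumption covering the three services mentioned.

```python
"""List the hosted-mail providers an SPF record authorises to send as the domain.

Added example; it is not the author's tooling. The record below is constructed
for illustration (it is not oculus.com's real TXT record) and the provider
table is an assumption covering the three services named in the write-up.
"""
import re

# Assumed include: targets for the providers mentioned above.
THIRD_PARTY_INCLUDES = {
    "spf.mandrillapp.com": "Mandrill",
    "sendgrid.net": "SendGrid",
    "mailgun.org": "Mailgun",
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:=/].*)?$", re.I)


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples.
    Returns None if the record is not an SPF record at all."""
    if not txt.startswith("v=spf1"):
        return None
    terms = []
    for term in txt.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        qualifier, mech, value = m.groups()
        if value is not None and value[0] in ":=":
            value = value[1:]          # 'a/24' keeps its '/24' as the value
        terms.append((qualifier or "+", mech.lower(), value))
    return terms


def third_party_senders(txt):
    """Providers the record lets send mail as the domain ('+' qualifier only:
    a '-include:' or '~include:' does not authorise anyone)."""
    found = []
    for qualifier, mech, value in parse_spf(txt) or []:
        if mech != "include" or qualifier != "+":
            continue
        for suffix, provider in THIRD_PARTY_INCLUDES.items():
            if value == suffix or value.endswith("." + suffix):
                found.append(provider)
    return found


def lookup_term_count(txt):
    """Number of lookup-causing terms; more than 10 makes receivers permerror."""
    return sum(1 for _, mech, _ in parse_spf(txt) or [] if mech in LOOKUP_TERMS)


# Constructed sample record; not a real domain's data.
SAMPLE_RECORD = ("v=spf1 ip4:192.0.2.0/24 include:_spf.google.com "
                 "include:spf.mandrillapp.com include:sendgrid.net "
                 "include:mailgun.org ~all")

if __name__ == "__main__":
    print(third_party_senders(SAMPLE_RECORD))  # ['Mandrill', 'SendGrid', 'Mailgun']
    print(lookup_term_count(SAMPLE_RECORD))    # 4
```

Every provider it lists is a place where the domain's mail identity can be claimed by whoever holds the domain in that provider's account, which is exactly the gap the Mailgun claim above walked through. The lookup count is the usual second finding: records that accumulate providers tend to exceed the limit of 10 and start returning permerror.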
I reported it to Facebook via the Whitehat program and got my first bounty from Facebook, which was 1000 USD 😀
I will soon publish my other bug on Instagram, worth $2000 😀

Twitter : Mopub.com Subdomain Takeover

Hello everyone out there! Today I'll show you how my friend and I took over a sub-domain of http://mopub.com, a property of Twitter ☺

So how does sub-domain takeover work?

In simple words, it happens when the domain manager points a sub-domain (usually via a CNAME) at an external service but forgets to claim that name on the service, or the account there expires. In that case anyone can claim the name on the external service and place their own content on the sub-domain 😮.

My friend has good skills in dorking, so apart from a wordlist-based sub-domain bruter he started with his dorking and found a sub-domain, http://web.mopub.com, which was pointing to DYN servers (Dyn is a service with redirect and DNS-manager-like features).

And then I tried to claim it via a trial, but DYN was not accepting Indian credit cards. I tested in another DYN account and it gave me an error meaning the domain was already claimed; this was because I had added it to my cart. That clearly means they hadn't claimed that sub-domain (I was already pretty sure from the error on the sub-domain, but I confirmed it). Now I reported it as a theory-based report, but Twitter kept saying "Need more info"; after a clear theoretical explanation and the cart PoC they finally triaged it 😇.

But the main part starts here: I removed the sub-domain from my DYN account and someone claimed it with a US card #_#

😤😤😤 Now I had a PoC too 🙂 I gave this to Twitter (bounty already rewarded).

They patched it by removing the DYN entries.

My tip to all newbies: you will not always get XSS and the predefined stuff. You should keep an eye on what's going on around your target.

Thanks to that guy who claimed it 😂😆

“My Friend” = Rudra Pratap Singh

Bug Timeline

28 Feb 2016 — Bug found and Reported
29 Feb 2016 — Need more information
29 Feb 2016 — More info sent by friend
01 Mar 2016 — Need more information
01 Mar 2016 — More information sent by me
02 Mar 2016 — Triaged
05 Mar 2016 — 280$ Bounty rewarded
10 Mar 2016 — Issue Resolved

Microsoft Open Redirect

Hey everyone out there! Here I come with an open redirect vulnerability on *.Microsoft.com 🙂 so in short I'm going to tell you the whole story of how I got that.

The whole matter started when one of my best friends, "Aakash Kumar", got acknowledged by Microsoft :O I decided I needed to get on that list too 😛

I was getting mad about the HoF of MS, then I started enumerating sub-domains 😀 and I found a sub-domain where I could make a tenant page on MS, and it had an open redirect, but I was afraid this issue would be marked invalid. The URL is mentioned below.

http://<tenant>.mms.microsoft.com/returnUrl=anydomain.com 

Then I tried the same parameter on:

The crafted link was:

And whoa! It got redirected, and the best thing was that it didn't require any sign-in or anything: direct redirection to any domain @__@
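A returnUrl check that would have closed a redirect like the one above. This is an added example, not Microsoft's code and not how mms.microsoft.com handled the parameter; the allow-listed hosts and the sample inputs are assumptions.

```python
"""Validate a returnUrl-style parameter before redirecting to it.

Added example; it is not Microsoft's code. The allow-listed hosts and the
sample inputs are assumptions made for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"example.com", "portal.example.com"}   # assumption
FALLBACK = "/"


def safe_redirect_target(return_url, allowed_hosts=ALLOWED_HOSTS):
    """Return return_url if it stays on an allowed host (or is a same-site
    path), otherwise FALLBACK.

    Covers the usual bypasses of a naive check: scheme-relative '//evil.com',
    backslashes (browsers treat '\\' like '/'), tabs and newlines inside the
    URL (browsers strip them), userinfo tricks such as
    'https://example.com@evil.com', look-alike hosts like
    'example.com.evil.com', and non-http schemes such as 'javascript:'.
    """
    if not return_url:
        return FALLBACK
    candidate = "".join(ch for ch in return_url.strip() if ch not in "\t\r\n")
    candidate = candidate.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:             # e.g. malformed IPv6 literal
        return FALLBACK

    if not parts.scheme and not parts.netloc:
        # Plain relative path. '//host' never gets here because urlsplit
        # reports the host in netloc; a bare 'anydomain.com' is rejected too.
        if candidate.startswith("/"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return FALLBACK

    if parts.scheme.lower() not in ("http", "https"):
        return FALLBACK
    if parts.username is not None or parts.password is not None:
        return FALLBACK
    host = parts.hostname          # lower-cased, port and userinfo removed
    if host is None or host not in allowed_hosts:
        return FALLBACK
    return candidate


if __name__ == "__main__":
    for url in ("https://example.com/account", "//evil.com/",
                "https://example.com@evil.com/", "anydomain.com"):
        print(repr(url), "->", safe_redirect_target(url))
```

Parsing with urlsplit rather than a prefix or substring test is what makes the difference: a check like startswith("/") lets //evil.com through, and an "example.com" in url check is satisfied by https://evil.com/example.com or https://example.com@evil.com.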

Bug timeline 

14 Feb : Bug found and reported
15 Feb : Case opened from MS
04 March : HoF + MSDN Subscription rewarded

Funcaptcha Verification Bypass

Hey there,
How's it going out there?
So, while browsing the internet I found that funcaptcha.com was running a bug bounty programme.
When I was signing up I noticed that I was able to create an account without even entering a password.
Wanna know how I did it?
HOF page: Hall of Fame

Yes, I know it was nooby, but I like to keep it simple <3
Thanks for reading.

Medium Email Verification Broken Auth.

Hey There! It’s me harsh here today am gonna tell you lil niggas how i found out first bug and made the fortune out of it 😉 i’m a greenback boogie now!!! Fuck yay !!!!

What is Medium?

Medium is a blog-publishing platform founded by Twitter co-founder Evan Williams in August 2012. The platform has evolved into a hybrid of non-professional contributions and professional, paid contributions, an example of social journalism. Some of its publications include the online music magazine Cuepoint, edited by Jonathan Shecter, and the technology publication Backchannel, edited by Steven Levy.




Well, the whole furore started when a little asshole challenged me to find a bug in Medium, and guess what??? I took the shit out of Medium haha! I used to be a black hat hacker, but that little asshole made me a white hat hacker 🙁.

So let the testing of the site begin. The Medium website was something different from all the other websites out there. First I tried to get some CSRF in my hands, but unfortunately I didn't get it; then I looked for XSS and open redirects, but I wasn't getting anything. I was like "I'm gonna lose this challenge".

Then the next day I checked the mails from Medium in my personal email account, and I was like "WTF? I registered with my main email to let them spam it?". I immediately changed the email to another fake email account of mine. After changing it, Medium requested me to confirm the new email (obviously). My mind said: let's try to confirm the new email with the old link in my main email account. I clicked that old link and BOOM, it confirmed my new email :O I said "yeah, got it".
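A verification-link design in which the old link sent to the first address cannot confirm the second one. This is an added example, not Medium's code; the server secret, the user record layout and the token format are assumptions.

```python
"""Email-verification links bound to the address they were issued for.

Added example; this is not Medium's code. The server secret, the user record
layout and the token format are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: real code loads it from config
TOKEN_TTL = 24 * 3600                     # seconds a link stays usable


def _sign(user_id, email, issued_at):
    msg = f"{user_id}|{email}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_verification_token(user_id, email, now=None):
    """Token = base64(user_id|email|issued_at|hmac). The address is part of
    the signed payload, so the link can only ever confirm that address."""
    email = email.strip().lower()
    if "|" in email:
        raise ValueError("invalid email address")
    issued_at = int(now if now is not None else time.time())
    payload = f"{user_id}|{email}|{issued_at}|{_sign(user_id, email, issued_at)}"
    return base64.urlsafe_b64encode(payload.encode()).decode()


def confirm_email(user, token, now=None):
    """user: dict with 'id', 'email', 'pending_email', 'verified'.
    Returns True and applies the change only if the token is intact, unexpired,
    issued for this user, and issued for the address currently pending on the
    account. The old link from a previous address therefore fails."""
    now = int(now if now is not None else time.time())
    try:
        payload = base64.urlsafe_b64decode(token.encode()).decode()
        user_id, email, issued_at, sig = payload.split("|")
        issued_at = int(issued_at)
    except ValueError:          # bad base64, bad UTF-8, wrong field count, bad int
        return False
    if not hmac.compare_digest(sig.encode(), _sign(user_id, email, issued_at).encode()):
        return False
    if user_id != str(user["id"]):
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False
    pending = user.get("pending_email")
    if pending is None or email != pending.strip().lower():
        return False
    user["email"] = email
    user["pending_email"] = None
    user["verified"] = True
    return True


def replay_medium_bug():
    """Scenario from the write-up: register with the main address, change to a
    second address before confirming, then click the OLD link. Returns
    (old_link_accepted, new_link_accepted)."""
    user = {"id": 42, "email": None, "pending_email": "main@example.com",
            "verified": False}                       # constructed test account
    old_link = issue_verification_token(42, "main@example.com", now=1_000)
    user["pending_email"] = "second@example.com"     # address changed, unconfirmed
    new_link = issue_verification_token(42, "second@example.com", now=1_060)
    return (confirm_email(user, old_link, now=1_120),
            confirm_email(user, new_link, now=1_120))


if __name__ == "__main__":
    print(replay_medium_bug())   # (False, True)
```

The token carries the address it was issued for and an HMAC over (user, address, issue time), and confirm_email() accepts it only for the address currently pending on that account, so changing the address invalidates every earlier link without storing anything server-side. If you also want a password change or an explicit cancel to kill outstanding links, add a per-user counter to the signed message.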

I reported it immediately and got a fast response within 36 hours:

Hi Harsh,

We’re looking into this. I’ll get back to you soon. Thanks for reporting it. 

Thanks,
Luke
User Happiness

and in the next 48 hours:

Hi root,

Thanks again for reporting this issue. Our engineers have determined that this report meets the following criteria:

Bugs leaking or bypassing significant security controls: $250

as outlined in our Bug Bounty program policy: https://medium.com/policy/mediums-bug-bounty-disclosure-program-34b1c80764c2

We would like to send you a Medium t-shirt to say thanks as well. We’d also like to add you to our humans.txt page (https://medium.com/humans.txt).

Please let us know where to send a shirt and what size you wear. Also, let me know how you’d like your name to appear on humans.txt.

I’ll email you and Cc our accounting team to facilitate the money part of the reward getting to you.

Thanks,
Luke
User Happiness


😀 😀 Got my first bounty + swag + HoF 

Bug Timeline 

Jan 22 ‘ 2016 : Bug Found and reported 
Jan 26 ‘ 2016 : Triaged ( Under Investigation )
Jan 27 ‘ 2016 : Bounty+Swag Rewarded

What about that asshole? He blocked me 🙁 🙁

Video PoC – 

https://drive.google.com/open?id=0Bx2_guht6dHMRWVyd1JLV0JwRTg

I HOPE YOU LIKE THE WRITE-UP, IT'S MY FIRST 😛