This blog is all about Cyber Security and IT

Showing posts with label bug. Show all posts
Showing posts with label bug. Show all posts

Friday, August 28, 2020

Bypassing Android SSL Pinning


Portswigger.net will give you detailed video for burp setup , But to hunt bugs on Android , Below are some important steps in order to unpin Apps for testing . To do so you need to install below apps

1. Dowload genymotion - This is Your Andoid Emulater

2. Download super su v2.46 or latest

3. Download xposed installer apk

4. download xposed sdk

5. Download ssl unpinning


first root your android fone

than download xposed apk in that fone

than install xposed sdk (Note sdk version must be same as your fone apk version)

than ssl unpinning

After all steps , Restart android phone. 


After Restarting the phone , Open SSL pinning App, Select the app you want to test and click on upin.

After that capture the requests on the Burp and have fun.







Wednesday, April 22, 2020

XSS found using host header injection


This vulnerability arise when you give any input to the host parameter and it may reflect back .

 Impact

An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

Real World Example:

Path : /billing-admin/profile/subscription/?l=de
Payload : c5obc'+alert(1)+'p7yd5
Steps to reproduce :
Request Header :
GET /billing-admin/profile/subscription/?l=de HTTP/1.1
Host: www.semrush.com
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c5obc'+alert(1)+'p7yd5
Overview :
The payload c5obc'+alert(1)+'p7yd5 was submitted in the Referer HTTP header. Payload is copied from a request and echoed into the application's immediate response in an unsafe way.


In the above example the payload reflect back in the response causing the rise of the vulnerability.

Host Header attack


 In simple terms if a website x.com is requested and when i change the host to y.com , if I am able to open the host . Than it is a host header attack.

Vulnerability Description: 

Open Redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

How to find this Vulnerability 

1. Change host to x.com, Than click on go . If  not able to success . than try below method.
2. Change host to x.com and Set X-Forwarded-Host to original domain.com, if still unable to get success , try the below one
3. Do the opposite to step two , Means change host to original domain.com and Set X-Forwarded-Host to original x.com

If you are unable to find success with the above written steps , Than may be the website is secured for this vulnerability.

Remediation:

If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.

Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.


Example of a Bug Reported:

Vulnerable URL:
https://wakatime.com/settings/account?apikeyrefresh=true
Payload: " X-Forwarded-Host: bing.com "
How to reproduce this vulnerability:
  1. Open this URL " https://wakatime.com/settings/account?apikeyrefresh=true " and send it to the repeater in burp suite.
  2. add the payload to the header request and forward the request.
  3. It will directly redirect to bing.com

Impact

Impact:
Whenever a user visits this URL, it will redirect them to site.com. It is used in phishing attacks.