Davinder Tutorials

This blog is all about Cyber Security and IT

Wednesday, March 3, 2021

E-mail MFA mode allows bypassing MFA from victim’s device when the device trust is not expired

  March 03, 2021    

While reading challenges to bypass 2FA , I came to see how l1nkworld submitted a report to Grammarly.


Aug 2nd (2 years ago)

Summary:
It is possible bypass MFA without the need to have the phone code.

Description:
When we turn on the MFA and we have the user and password of the user, it is possible bypass the MFA only changing some values the endpoint POST auth.grammarly.com//v3/api/login

Steps To Reproduce:

Note:

  • Use burp suite or another tool to intercept the requests
  1. Turn on and configure your MFA
  2. Login with your email and password
  3. The page of MFA is going to appear
  4. Enter any random number
  5. when you press the button "sign in securely" intercept the request POST auth.grammarly.com/v3/api/login and in the POST message change the fields:
    • "mode":"sms" by "mode":"email"
    • "secureLogin":true by "secureLogin":false
    • send the modification and check, you are in your account! It was not necessary to enter the phone code.

Impact

The attacker can bypass the experimental MFA, If the attacker has the email and password, the attacker can login in the account without the need of the phone code.

  No Comments

Saturday, February 27, 2021

Misconfigured CORS Exploitation (Cross Origin Resource Sharing)

  February 27, 2021    

 

Hello Friends!

few days before noticed a blog post for exploiting Facebook chat and reading all the chats of users so that made me to interested to know about the issues, and basically it was misconfigured CORS configuration where null origin is allowed with credentials true,  it was not something heard for the 1st time, @albinowax from the portswigger explained it very well in his blog post, so after reading that messenger blog post I went to test for the same issue for some targets where I allowed to test it.

but before that here are some tips about CORS where it can be exploitable from the attacker’s point of view:

  • POORLY IMPLEMENTED, BEST CASE FOR ATTACK:

Access-Control-Allow-Origin: https://attacker.com

Access-Control-Allow-Credentials: true

  • POORLY IMPLEMENTED, EXPLOITABLE:

Access-Control-Allow-Origin: null

Access-Control-Allow-Credentials: true

  • BAD IMPLEMENTATION BUT NOT EXPLOITABLE:

Access-Control-Allow-Origin: *

Access-Control-Allow-Credentials: true

or just

Access-Control-Allow-Origin: *

even this is not good from the development point of view but due to its own rules of CORS if Access-Control-Allow-Origin set to * we don’t get benefit Access-Control-Allow-Credentials: true means no cookie access of the victim.

When you can’t exploit even if above misconfigurations are present:

  • Presence of any custom header in the request which is getting used to authenticate the user.
  • Presence of any unique/authentication/key in the request URI 

  No Comments

Saturday, August 29, 2020

Buffer Overflow - Simply Explained with real world Example

  August 29, 2020    

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.

For better reference:


https://www.hackingtutorials.org/exploit-tutorials/buffer-overflow-explained-basics/

Lets say , we visit a signup page of a website and we entered email and password and click on signup . But before clicking sign up , I am capturing request in the Burp Suite . So when i captured the request , I changed email to some long string , like if email is "davinder@gmail.com" , i changed that to "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@gmail.com" or even more in size

If i am able to proceed further without any restriction and or boundation, that this vulnerability exists.

Another example of code

buffer overflow strcpy code



Steps to resolve:

Restrict size limit on input parameter.

Impact

Category:Availability: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Access control (instruction processing): Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program’s implicit security policy.
Other: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

  • 1 attachment:

   /

  No Comments

Friday, August 28, 2020

List of Top Wireless hacking Tools for bug hunting

  August 28, 2020    

http://www.aircrack-ng.org/

http://www.stumbler.net/

http://www.kismetwireless.net/

http://sourceforge.net/projects/airsnort/

http://www.oxid.it/cain.html

http://wepattack.sourceforge.net/

http://www.inssider.com/

http://sourceforge.net/projects/airjack/

http://sourceforge.net/projects/cowpatty/

https://www.cloudcracker.com/

http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer

https://github.com/esc0rtd3w/wifi-hacker

https://github.com/philcryer/wpa2own

https://github.com/hash3liZer/WiFiBroot

https://github.com/kennyn510/wpa2-wordlists

https://github.com/chunkingz/linsetmv1-2

https://github.com/DominikStyp/WPA-Attack

https://github.com/wifiphisher/wifiphisher

https://github.com/krtzer/WPA2-Wireless-Network-LabVIEW-FPGA-Testing

https://github.com/soxrok2212/PSKracker

https://github.com/r-a-w/DriveShake

https://github.com/wi-fi-analyzer/eaphammer

https://github.com/Hackndo/krack-poc

https://github.com/jgamblin/hackAPie

https://github.com/derv82/wifite

   /

  No Comments

Bypassing Android SSL Pinning

  August 28, 2020    

Portswigger.net will give you detailed video for burp setup , But to hunt bugs on Android , Below are some important steps in order to unpin Apps for testing . To do so you need to install below apps

1. Dowload genymotion - This is Your Andoid Emulater

2. Download super su v2.46 or latest

3. Download xposed installer apk

4. download xposed sdk

5. Download ssl unpinning


first root your android fone

than download xposed apk in that fone

than install xposed sdk (Note sdk version must be same as your fone apk version)

than ssl unpinning

After all steps , Restart android phone. 


After Restarting the phone , Open SSL pinning App, Select the app you want to test and click on upin.

After that capture the requests on the Burp and have fun.







   / / /

  No Comments

Wednesday, August 5, 2020

No Restriction on Password length - Bug Bounty

  August 05, 2020    

About this Vulnerability 

This is something when we are able to sign up on any web application using a long 100000 characters password which may lead  website becoming unavailable or unresponsive.


When you supply a long password , Generally what happens applications are implementing password hashing algorithms , So when we supply long password than server will get busy doing that and website becomes unavailable or unresponsive . When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

Prevention

Normally all sites have a password minimum to maximum length like 72 words limit or 48 limit to prevent Denial Of Service attack.

The password hashing implementation must be fixed to limit the maximum length of accepted passwords.


Example Password used during testing

123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 123456789 




   /

  No Comments

Tuesday, July 7, 2020

No Rate Limit Bug on Forgot password

  July 07, 2020    


Overview of this BUG:

A rate limiting is used to check if the user session has to be limited based on the information in the session cache. If user make too many requests within a given time , HTTP-Servers has to respond with status code 

429: Too Many Requests.

Description:-

I have identified that when Forgetting Password for account , the request has no rate limit which then can be used to loop through one request. Which can be annoying to the root users sending mass password to one email.

Steps To Reproduce The Issue

Go to Forget Password page

Enter the mail where you want to receive the link

Capture that request in BURP.

Send this to Intruder and set  parameter at"Accept-Language: en-US,en;q=0.5

Now go to payload and select number from 1 to 100.

Click on start attack.


If you will receive 100 mails with this , than this is a bug which have to be reported.


Solution -

I Will Recommend to Add A ReCaptcha & Sort Of Something Which Requires Manual Human Interaction To Proceed Like You Can Add Captcha Like 2+2=___ so that it cannot be brute forced and you also can have a limit at the backend for particular number upto 5 times a day user can request Forget Password Email or Link something like that will prevent you from someone exploiting this vulnerability

Impact

If You Are Using Any Email Service Software API Or Some Tool Which Costs You For Your Email This Type Of Attack Can Result You In Financial Lose And It Can Also Slow Down Your Services It Can Take Bulk Of Storage In Sent Mail Although If Users Are Affected By This Vulnerability They Can Stop Using Your Services Which Can Lead To Business Risk

   / /

  No Comments

Sunday, July 5, 2020

Recon like a king for Bug Bounty

  July 05, 2020    

As we all know , If we want to hunt bugs , we have to get more and more information. With Recon we can:
  • Increase Target
  • Unpopular subdomains
1. Tool: SubBrute
https://github.com/TheRook/subbrute
usage: ./subbrute.py target.com > subdomain.txt



Now After having subdomains , I need to find further subdomains of subdomains

2. Tool: altdns
https://github.com/infosec-au/altdns
usage: .altdns.py -i subdomains.txt -o -w words.txt -s output.txt


Using above tool , you will get lot of subdomains

now we need to get all http status code for all subdomains

for that ;
go to https://httpstatus.io

now you have to check for all the domains that are redirecting , as all those domains are really important 


   / /

  No Comments

Subscribe to: Posts (Atom)