Garage4hackers

Change OAuth Target URL & Domain Description [ UI redress attack ]

Tue, 14 May 2013 22:02:00 -0500

To Change OAuth Target URL & Domain Description Can be achieved using Clickjacking Vulnerability .

Status: Fixed

OAuth is cool and simple to understand developer can integrate with Google 's OAuth endpoints seamlessly and effortlessly . Google Provider a Panel to manage the Return URL & Domain Description by using following URL.

Vulnerable URL :

Code:

https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com

On the page there two input

File Uploading Issue in BillMeLater.com- paypal worth $5000

Wed, 13 Mar 2013 05:27:00 -0500

I want to share my finding on a recent issue I found in a subdomain of BillMeLater.com (a Paypal service).

On 1st March, during my regular course of bug hunting in Paypal services, I found a file uploading issue that allowed me to upload files of certain extensions on the BillMeLater server.

Initially I noticed the website was running an outdated version of DotNetNuke (an ASP.NET based CMS) with the file uploader enabled. Allowed extensions were:

*. docx, *.xlsx, *.pptx, *.swf, *.jpg, *.jpeg, *.jpe, *.gif, *.bmp, *.png, *.doc, *.xls, *.ppt, *.pdf, *.txt, *.xml, *.xsl, *.css, *.zip, *.spin

Paypal Zong Service Credit card & Billing Info Update CSRF

Tue, 12 Mar 2013 05:50:00 -0500

Vendor product Brief Information : Zong aim Frictionless Mobile Payments to the world. Zong processing millions of payments a month in over 40 countries worldwide.

CSRF Vulnerable URL : https://my.zong.com/ZPlusConsumerCon...creditCardLink

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated(OWASP).

POC:

Code:

DEP ASLR bypass without ROP JIT : CanSecWest2013 Slides and Analysis

Fri, 08 Mar 2013 01:45:00 -0600

I have my own talk from CanSecwest to blog about but this one is more interesting and the most awaited one. So here are the slides, I will add my own analysis and test cases to this blog entry later. Interesting thing is we had this technique discussed on garage in november http://www.garage4hackers.com/f22/wi...innu-3080.html .

Yu Yang @tombkeeper did a demo of his technique on Ms013-08 and it does not ever need a heap spray for his ASLR/DEP bypass technique .

And the exploit is scary, its a quick kaboom with out heap spray.
He calls his method GIFT

Facebook Mobile Open Redirection Vulnerability

Fri, 22 Feb 2013 05:57:00 -0600

Sometime back, I found an open redirect vulnerability in Facebook mobile site (http://m.facebook.com)

According to OWASP:

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it

Fuzzing DTMF Detection Algorithms .

Mon, 04 Feb 2013 03:06:00 -0600

My ekoparty.org [Argentina] and NU[Delhi] talk and also Ruxcon [Australia] and BlackHat [Abhudabi] which I could't make it .
Attachment 589

What is this paper about:

Input validation attacks and memory corruption attacks are common, and the
criticality of finding a DOS attack on a service like HTTP is consider a lot critical
considering the attack surface and easiness of attack. Even if we could trigger an
exception in an Apache Web