Posts

Showing posts from 2014

How I was able to send a mail with Your Email Id?

Image
How I was able to send a mail with Your Email Id? Is it possible? Yes. It is. If you are using Gmail, until yesterday, I can send email with your email id. Do u want to know how? Read my story then.... Hi Friends, This is Mohan Kallepalli, again with another bug in gmail ... Thanks to facebook, another day started with frustration. I will tell u that story another time. Anyway, with the frustration on facebook, i turned my focus to my favorite Google one more time. While I was going through the Gmail settings, thanks to my low speed internet, my browser suggested me to use "Basic HTML". Once i opened my settings in Basic HTML, i went to Accounts section and there i saw the functionality for adding another users email id to your " send email as " list. This functionality is protected by a verification code authentication mechanism. which means, Gmail will send a verification code (9digits) to the target email id and you need to enter that code in your v

Youtube URL Redirection..

Image
Hi Guys, Another bug in Google.. This time is with youtube.com Hmm.. Found a bug in Youtube.. but unfortunately, this bug is out of scope.. Anyway, a bug is a bug.. Lets see.. The issue is an URL redirection vulnerability that existing in upload.youtube.com. When you upload a video which is not proper (invalid), the application redirects you to error URL. This URL is being sent to the server as a parameter, error_redirect . I tried changing the url to some random domain, and guess what, it redirected as i have uploaded an invalid video. Then, in the request i observed there are two user specific tokens going to the server. They are nothing but anti-csrf tokens and working properly with a valid video. But in the case of an invalid video, they are no longer validated and are being ignored. So i tried to send the request with invalid file, but this time i removed the user specific tokens user_token and session_token . And as i expected, the application issued an 302 redirection

g00gle Spreadsheet XSS

Tailoring Custom Javascript Payloads for a successful XSS...

Hey Guys, Today I would like to show you, how i was able to create custom XSS payloads based on existing javascripts in various websites. Note that this write-up does not show you how to get XSS in various websites, but it covers various ways to create custom xss payloads. The approach i follow to create a successful xss payload involves in 3 steps. 1. Analyse the native code 2. Construct the correct syntax 3. Execute the payload For explanation purpose i considered GET based user input, however, this method will work on POST method also. 1. Analyse : This stage involves the analysis of the web-page code in which we are creating a payload. It is important that the main limitation in this stage is that, the user input we entering should be returned in between script tags. index.php?name=test  should return the payload as follows. <script> ........... .. test .. ........... </script> If the user input is not rendering in between

How I Got My First Bounty.. " A Tale of GMAIL Stored XSS "

Image
Hey Guys, This bug i reported a longback and fixed now. Lets jump into the story. In GMAIL settings general tab, there is an option for creating an automatic mail responder, in case if we go on a vacation and if we dont want to be disturbed. While going through gmail, like all the others, i also ignored that feature and tried here and there. At the same time one of my goood friend @iampr3m was also testing Gmail and he was trying hard to find something in the same settings page. However that guy begin his testing from the top and testing in the Signature feature. So i started testing the settings page from bottom and i got lucky to have the vacation responder in the bottom of the page. So, while testing, I observed that the vacation message is going in between a div tag. So as usual, i used a simple payload with img tag (   <img src=a onerror=alert(1)>  ) to test my luck. As soon as the payload entered with < and >, the server invalidated the in

Simple Login Page Bypass..

Simple Login Page Bypass Using SQLi.. The following code is being used in a login check page. Find the proper credentials for getting a successful authentication alert. $result = mysql_query($sql); if(mysql_num_rows($result) == 0){ echo "<script>alert('failed')</script>"; } else { $res = mysql_fetch_array($result); if($res[2]==$pwd&&((!$res[7])&&($res[3]))) { echo "<script>alert('success');</script>"; } else { echo "<script>alert('failed');</script>"; } } Find USERNAME & PASSWORD or find the answers here username : ' UNION SELECT 'TEST','FOR','SQLI',1,'N','USER','NAME',0 -- - password : SQLI

Cross Site Scripting through callback functionality

Image
Hello Guys, Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story. The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application. This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value. https://www.DUMMY-WEBSITE.com/users/ajaxonforgotpassword.php?callback=<script>alert(document.cookie)</script>&l

Cross Site Scripting Filter Bypassing using Header Injection (CRLF).....

Image
Cross Site Scripting Filter Bypassing using CRLF..... This is my first technical writing. So please share your reviews and suggestions.. I would like to share a cross site scripting vulnerability found in one of the application I was testing. Usually xss is very common in the websites. However I found this one interesting, as this vulnerability is triggered using another known vulnerability CRLF. The application I was testing is very secured in case of xss as it is having restrictions on both input and output. 1. whenever a tag with "<" and ">" together (like <script>)is used in input, the application will filter and redirect to an error page. 2. If you use either "<" or ">" without the other then it'll encode the input to html entity encoded form. So I find this irritating and tried all known attack vectors, found nothing but logged out forcibly. So I stopped hunting for xss and concentrated mor