Posts

Showing posts from May, 2018

How To Test Cross Origin Resource Sharing Vulnerability (OTG-CLIENT-007)

Hello Everyone, This blog is all about Cross Origin Resource Sharing (CORS) Vulnerability. In my one year of research, I found various type of bypass, that I would like to discuss. I will keep this blog to the point without discussing backend reason, so that beginner can find it an easy one. If a site is allowing access control header at the output response then play with all the request and capture it on burp or any proxy you use. After getting all directory on burp -> target -> sitemap, then this is a good time to test !! Most of the people just test it on one point, but each directory has its own way to set access control header. So, test it on every directory. For example -dir1        -sub_dir1        -sub_dir2 -dir2        -sub_dir1        -sub_dir2 Here you need to test on dir1 and dir2. How To Test First, put any random character at origin header at the input and see the output response. POST/GET  /page/etc Host: example.com ...... origin: areyo

How I found 5 store XSS on a private program. Each worth "1,016.66$"

Hello everyone, This is my second blog of the series " Sharing Is Caring ". What I have learnt until now because of those guys who believe in that 'methodology' :) The site is private, so call it private-site.com. 1- Store XSS using comment body I found that on a private-site.com, the comment body was reflecting on user own profile. So, I started hunting in a way to find something special. After many tried and tested with each and every payload I got nothing. But, I believe in a sentence "There is always a way to bypass" {Thanks to zahid ali  who once said this and proved it on facebook, when bypassed same feature three times} Anyway, I didn't give up and thinking to bypass. Later, an idea clicked on my mind to use payload on second or third line as I have read in other researcher posts. The xss got store when I used my favourite payload <svg/onload=alert(1337)> on the second line of the body. Time spent: 9-10 hours 2- Store XSS usi

How i was able to get admin panel on a private program

Hello everyone, I would like to disclose one of my recent finding in which I was able to get the admin panel on a private program. The program is private, so call it private-site.com. As many researchers believe in recon beforae hunting a target, same this law apply to me. Around two months ago I was invited in a private program, the first step I did to know all about the target. I strongly believe that recon is incomplete without using censys and shodan search engine. I always use it at first whenever choose a target. Same on that day I searched about the private-site.com. I was lucky by using the certificate base query as below https://censys.io/ipv4/help?q=80.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names%3Aprivate-site.com When using the above query i got many open ports. So i directly hit the target with port and thinking something special will come in response. But with all ports i was getting reponse "ERR_CONNECTION_TIMED_OUT&