Hunting Bugs in Web App - By Suleman Malik - PowerPoint PPT Presentation



SLIDE 1

Hunting Bugs in Web App

By Suleman Malik

SLIDE 2

About Me

Suleman Malik is an independent security researcher and author specializing in web application security, iOS and Android application security. He has reported many security issues under the industry practice of coordinated disclosure and he is listed in more than 50 Halls of Fame including Google, Microsoft, Intel, Sony, LinkedIn, BlackBerry, Apple, Oracle, Huawei, US Department of Defense and so on. He has been featured in top cyber security magazines including hakin9 & Pentest magazine and has also been declared one of the top ten highest paid security researchers in the world. HackerOne's CEO has also acknowledged his work and invited him to visit the United States of America. Donald Freese, the director of the FBI's cyber crime unit (NCIJTF), has also endorsed his skills. Suleman is currently a full time student working toward his degree in computer forensics and security.

www.sulemanmalik.com

SLIDE 3

Overview

  • Session Hijacking
  • Hacking Huawei accounts
  • RCE on Intel
  • Account takeover – Cisco
  • Pwd validation bypass in BlackBerry
  • PostMessage vulnerability
  • Subdomain Takeover
  • Oauth token stealing
SLIDE 4

Session Hijacking

  • Front end Cookies
  • Backend Cookies
  • Vulnerability Chaining (XSS+Session)

Oracle, Shopify, iCloud, SourceForge & so on.

SLIDE 5

Session Hijacking

  • Burp Suite
  • Cookies manager

SLIDE 6

Huawei Endpoint Vulnerability

http://webaccount.huawei.com/en/PersonalPost?jsonpUpdateRegBack=&type=2

SLIDE 7

Huawei Endpoint Vulnerability

SLIDE 8

Huawei Endpoint Vulnerability

Logged in with sulemanmalik003@gmail.com

SLIDE 9

Intel - RCE/SSTI

SLIDE 10

Intel - RCE/SSTI

{php}$s=file_get_contents('/etc/passwd');var_dump($s);{/php}

SLIDE 11

Cisco CSRF/XSRF Vulnerability

SLIDE 12

Cisco CSRF/XSRF Vulnerability

Email confirmation from Cisco

SLIDE 13

Cisco CSRF/XSRF Vulnerability

SLIDE 14

Cisco CSRF/XSRF Vulnerability

  • Request new password & BoOm
  • Victim will no longer be able to access his/her account.
SLIDE 15

Cisco CSRF/XSRF Vulnerability

SLIDE 16

Password validation bypass in BlackBerry

SLIDE 17

Password validation bypass in BlackBerry

  • No Param/Form – No validation
SLIDE 18

Password validation bypass in BlackBerry

  • Using Burp Suite
SLIDE 19

Password validation bypass in BlackBerry

  • Request new password on attacker email and change the victim password with the attacker password.
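The "no param, no validation" flaw from slides 17 to 19, as an added example (not the slides' code and not BlackBerry's): a password-change handler in which the current-password comparison runs only when the field is present, beside a version that fails closed when the field is missing. The handler names and the in-memory account are constructed for the example.

```javascript
// Constructed example: a password-change handler in two versions.
// The account is a plain object for brevity; a real service stores a
// password hash and compares it with a constant-time function.

const account = { email: "user@example.test", password: "old-secret" }; // constructed

// VULNERABLE: the current-password check only runs if the field was sent.
// A request body with "currentPassword" removed (no param / no form field)
// skips straight to setting the new password.
function changePasswordVulnerable(body, acct = { ...account }) {
  if (body.currentPassword !== undefined && body.currentPassword !== acct.password) {
    return { ok: false, reason: "wrong current password" };
  }
  acct.password = body.newPassword;
  return { ok: true, password: acct.password };
}

// FIXED: presence and type of both fields are required before any comparison,
// so an absent, null or non-string value fails closed instead of being skipped.
function changePasswordFixed(body, acct = { ...account }) {
  if (typeof body.currentPassword !== "string" || typeof body.newPassword !== "string") {
    return { ok: false, reason: "missing parameter" };
  }
  if (body.currentPassword !== acct.password) {
    return { ok: false, reason: "wrong current password" };
  }
  acct.password = body.newPassword;
  return { ok: true, password: acct.password };
}

// Demonstration: the same request with the current-password field dropped,
// as one would do in an intercepting proxy.
const tampered = { newPassword: "attacker-chosen" }; // constructed request body
console.log(changePasswordVulnerable(tampered)); // ok: true  -> validation bypassed
console.log(changePasswordFixed(tampered));      // ok: false -> "missing parameter"
```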

SLIDE 20

PostMessage Vulnerability

  • What is PostMessage ?

The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities.

SLIDE 21

PostMessage Vulnerability

To send a message, an application simply calls the "postMessage" function on the target window:

targetWindow.postMessage("hello World!", "*");

And to receive a message, a "message" event handler can be registered on the receiving end:

window.addEventListener("message", function(message){console.log(message.data)});

SLIDE 22

PostMessage Vulnerability

Receiver must validate the origin of the message with the "message.origin" attribute. If regex is used to validate the origin, it's important to escape the "." character, since this code:

//Listener on http://www.examplereceiver.com/
window.addEventListener("message", function(message){
  if(/^http:\/\/www.examplesender.com$/.test(message.origin)){
    console.log(message.data);
  }
});

Would not only allow messages from "www.examplesender.com", but also "wwwaexamplesender.com", "wwwbexamplesender.com" etc.
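Added example (not from the slides): the listener's origin check written two ways and exercised against constructed sample origins, the slide's unescaped-dot regex beside an exact allowlist match. The function names and the sample origins are assumptions made for this example.

```javascript
// Constructed example: two origin checks for a postMessage listener.

// WEAK: the slide's pattern with unescaped dots. "." matches any character,
// so "wwwaexamplesender.com" passes as well as "www.examplesender.com".
const weakPattern = /^http:\/\/www.examplesender.com$/;
function isTrustedOriginWeak(origin) {
  return weakPattern.test(origin);
}

// STRICT: compare the full origin (scheme + host + port) against an explicit
// allowlist; no regex, so there is nothing to escape.
const TRUSTED_ORIGINS = new Set(["http://www.examplesender.com"]);
function isTrustedOriginStrict(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Builds the "message" handler around a chosen check, so it can be exercised
// without a window. onData runs only for messages whose origin passes.
function makeMessageHandler(check, onData) {
  return function handler(message) {
    if (!check(message.origin)) return; // drop untrusted senders silently
    onData(message.data);
  };
}

// Origins a receiver might see (constructed samples).
const samples = [
  "http://www.examplesender.com",          // legitimate sender
  "http://wwwaexamplesender.com",          // passes only because "." was not escaped
  "https://www.examplesender.com",         // different scheme = different origin
  "http://www.examplesender.com.evil.test", // stopped by the "$" anchor in both checks
];

// Returns the sample origins a given check would accept.
function evaluate(check) {
  return samples.filter(check);
}

if (typeof window === "undefined") {
  console.log("weak  :", evaluate(isTrustedOriginWeak));   // first two samples
  console.log("strict:", evaluate(isTrustedOriginStrict)); // first sample only
} else {
  window.addEventListener("message", makeMessageHandler(isTrustedOriginStrict, console.log));
}
```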

SLIDE 23

PostMessage Vulnerability

  • You can check if a page has a registered message listener (and which script registered it) by using Chrome Devtools, under Sources -> Global Listeners:
  • A lot of third party scripts use postMessage to communicate with the third party service, so your application might be using postMessage without your knowledge.

SLIDE 24

Subdomain Takeover

  • 1. Search all subdomains with subdomain scanner.
  • 2. Check subdomain alias in the terminal by using command #host example.com or #CNAME info.hacker.one

SLIDE 25

Oauth Token Stealing

  • OAuth is an open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.
  • In this attack, the attacker presents the victim with a URL to an authentication portal that the victim trusts (like Facebook), and by using this authentication portal the victim's secret access token is delivered to an HTTP server controlled by the attacker.
  • Authentication is about intention; tricking a user into allowing access to an unintended resource is a vulnerability.

SLIDE 26

Oauth Token Stealing

Payload:
  %2F%2F  ->  //
  %5c%5c  ->  \\
  %3F     ->  ?
  %23     ->  #
  %40     ->  @

The %2F%2F relates to " // " (forward slashes). The "two forward slashes" are a common shorthand for "whatever protocol is being used right now".

Example request:
http://example.com/socialize.login?client_id=123456&redirect_uri=http://victim.com/&x_provider=facebook&response_type=token

Forged request:
http://example.com/socialize.login?client_id=123456&redirect_uri=http://example.com%2f%2f.victim.com/&x_provider=facebook&response_type=token

Response:
http://example.com//.victim.com/?code=9999999999
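Added example (not the slides' code): a redirect_uri validator run against each payload from the table above. The weak check accepts any value that contains the registered host, which is the behaviour these payloads rely on; the strict check decodes once, parses with the WHATWG URL parser and requires an exact match with the registered URI. Host names follow the slide (victim.com as the registered redirect); the function names and candidate values are constructed.

```javascript
// Constructed example: validating an OAuth redirect_uri against the client's
// registered URI. Host names follow the slide's naming.

const REGISTERED = ["http://victim.com/"]; // the client's registered redirect_uri

// WEAK: "does the value contain a host we registered?" Every forged value
// below contains "victim.com", so all of them pass.
function acceptsRedirectWeak(uri) {
  return decodeURIComponent(uri).includes("victim.com");
}

// STRICT: decode once, parse with the WHATWG URL parser and require the
// normalised value to equal a registered URI exactly; userinfo, query and
// fragment are rejected outright since no registered URI carries them.
function acceptsRedirectStrict(uri) {
  let parsed;
  try {
    parsed = new URL(decodeURIComponent(uri));
  } catch (e) {
    return false; // unparseable => reject
  }
  if (parsed.username || parsed.password) return false; // the "@" payload
  if (parsed.search || parsed.hash) return false;       // the "?" and "#" payloads
  return REGISTERED.includes(parsed.href);              // "//" and "\\" land in the path
}

// The slide's payload table applied to redirect_uri (constructed values).
const candidates = {
  legitimate:  "http://victim.com/",
  doubleSlash: "http://example.com%2f%2f.victim.com/",
  backslash:   "http://example.com%5c%5c.victim.com/",
  question:    "http://example.com%3F.victim.com/",
  hash:        "http://example.com%23.victim.com/",
  at:          "http://example.com%40.victim.com/",
};

// Returns { name: { weak, strict } } for every candidate.
function compare() {
  const out = {};
  for (const [name, uri] of Object.entries(candidates)) {
    out[name] = { weak: acceptsRedirectWeak(uri), strict: acceptsRedirectStrict(uri) };
  }
  return out;
}

console.log(compare());
```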

SLIDE 27

Oauth Token Stealing

ANY QUESTION?

SLIDE 28

Oauth Token Stealing

Thanks