62 matches found
Design/Logic Flaw
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user...
CVE-2021-30120 2FA bypass in Kaseya VSA <= v9.5.6
Kaseya VSA before 9.5.7 allows attackers to bypass the 2FA requirement. The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless. Detailed description --- During the login process, after the user...
h1-ctf: Hacky Holidays CTF Writeup
Intro: 12 days of challenges - some more challenging than others! This holiday CTF had all 12 challenges hosted on the website https://hackyholidays.h1ctf.com/ F1129112 Challenge 1: I started by significantly overthinking all of the early challenges in this competition. When this CTF started the...
BlogEngine 3.3.8 - 'Content' Stored XSS
Exploit Title: BlogEngine 3.3.8 - 'Content' Stored XSS Date: 11/2020 Exploit Author: Andrey Stoykov Vendor Homepage: https://blogengine.io/ Software Link: https://github.com/BlogEngine/BlogEngine.NET/releases/download/v3.3.8.0/3380.zip Version: 3.3.8 Tested on: Windows Server 2016 Exploit and...
BlogEngine 3.3.8 Cross Site Scripting
Exploit Title: BlogEngine 3.3.8 - 'Content' Stored XSS Date: 11/2020 Exploit Author: Andrey Stoykov Vendor Homepage: https://blogengine.io/ Software Link: https://github.com/BlogEngine/BlogEngine.NET/releases/download/v3.3.8.0/3380.zip Version: 3.3.8 Tested on: Windows Server 2016 Exploit and...
U.S. Dept Of Defense: Followup - SQL Injection - https://██████████/██████/MSI.portal
Summary: Time based blind sql injection for parameter MSIadditionalFilterType1, at the following URL: https://███/███/MSI.portal?nfpb=true&pageLabel=msiportalpage61 Description: This is a follow up to a previous report I submitted: https://hackerone.com/reports/674838 The following page has a for...
U.S. Dept Of Defense: SQL Injection - https://███/█████████/MSI.portal
Summary: https://███████/███████/MSI.portal has a form page which is vulnerable to SQL injection. Description: URL: https://████/██████/MSI.portal?nfpb=true&pageLabel=msiportalpage61query The above url has a form where the field MSIqueryType is vulnerable to time based blind SQL injection. I...
ZEIT: Access control bypass leads to domain information disclosure
Summary: By leveraging the domain verification endpoint I can obtain sensitive information about the user who registered the domain within the zeit UI including username, email address, userId, and customerId. In addition, some high level information about the domain is included as well such as...
HackerOne: Self DOM-Based XSS in www.hackerone.com
Summary: There is a 'self' DOM-based cross-site scripting vulnerability in the contact form available on the www.hackerone.com website. This could allow an attacker to perform cross-site scripting, or other client-side attacks, against users of the application. However, the risk presented by this...
New Relic: User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions
Details The endpoints POST /v2/accounts/:accountid/alerts/conditions create new and PUT /v2/accounts/:accountid/alerts/conditions/:conditionid update existing on infrastructure-alert.service.newrelic.com are vulnerable to privilege escalation. As per the screenshot below, an account with regular...
A WebSocket Manipulation Proxy: WSSiP
Short for “WebSocket/Socket.io Proxy”, this tool, written in Node.js, provides a user interface to capture, intercept, send custom messages and view all WebSocket and Socket.IO communications between the client and server. Upstream proxy support also means you can forward HTTP/HTTPS traffic to an...
Web Application Vulnerability Testing: ZAProxy
Web Application Vulnerability Testing The OWASP Zed Attack Proxy ZAP is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are...
wafpass - WAF Security Benchmark
██╗ ██╗ █████╗ ███████╗██████╗ █████╗ ███████╗███████╗ ██║ ██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝ ██║ █╗ ██║███████║█████╗ ██████╔╝███████║███████╗███████╗ ██║███╗██║██╔══██║██╔══╝ ██╔═══╝ ██╔══██║╚════██║╚════██║ ╚███╔███╔╝██║ ██║██║ ██║ ██║ ██║███████║███████║ ╚══╝╚══╝ ╚═╝ ╚═╝╚═╝ ╚...
WAF Security Benchmark: WAFPASS
WAF Security Benchmark WAFPASS Analysing parameters with all payloads’ bypass methods, aiming at benchmarking security solutions like WAF. Today a great number of website owners around the globe use “Web Application Firewalls” to improve their security. However, these security applications suffer...
Slack: Eavesdropping on private Slack calls
A vulnerability exists in Slack's call functionality that allows a team member to eavesdrop on private ongoing Slack calls by inviting themselves into the conversation without the permission from either participant. By doing so they can eavesdrop on co-workers' private conversations as well as...
Intercepting Proxy for Performing Web Application Security Testing: The Pappy Proxy
Intercepting Proxy for Performing Web application security testing The Pappy P roxy A ttack P roxy P rox Y Proxy is an intercepting proxy for performing web application security testing. Its features are often similar, or straight up rippoffs from Burp Suite . However, Burp Suite is neither open...
Mantis Bug Tracker 1.2.19 - Host Header
Exploit Title: MantisBT 1.2.19 - Host header attack vulnerability Date: 07-09-2015 Exploit Author: Pier-Luc Maltais Centre opérationnel de sécurité informatique gouvernemental COSIG Vendor Homepage: https://www.mantisbt.org/ Software Link:...
Udemy: Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to.
Authenticated user can register for some course paid or free. After registering and taking couple of lectures "Rate course" functional becomes active. Malicious user can fill the rating form and submit it. By intercepting request to the server's API by using intercepting proxy tool and modify...
Slack: Link vulnerability leads to phishing attacks
Hello Guys, Hope you are doing great. I'm sending this email to let you know about a vulnerability i stumbled upon while using slack it's a great app!. While copy-pasting a link from a pdf to slack desktop/web, i noticed that the resulting links looked a bit messed up 1.png Firing up burp and...
Vimeo: Adding profile picture to anyone on Vimeo
Hi! Brief The profile picture upload feature at https://vimeo.com/settings/profile contains a bug where an access control is missing for uploading a profile picture to a profile ID. This leads to the possibility of uploading a profile picture to any account on Vimeo. Furthermore, since the upload...