19 matches found
WePay: Active mixed content issues on the site https://stage-go.wepay.com.
Hello. Summary: Page https://stage-go.wepay.com/static/ contains active mixed content: Description: Passive mixed content is content sent over HTTP that is contained on the HTTPS page, but which can not change other parts of the page. For example, an attacker can replace a picture sent via HTTP...
WePay: Reflected XSS in the IE 11 / Edge (latest versions) on the stage-go.wepay.com
Description: Hello. I discovered Reflected XSS on stage-go.wepay.com. Browsers & OS tested: The XSS was checked in the latest IE 11 and Edge on Windows 7. Not checked on Windows 10. POC: IE 11 or Edge...
WePay: open port 80 on internal host leaking some configuration info
A testing stage server was accessible from the internet, leaking some debug info. Thanks @ruvlol for reporting this to us. A testing stage was accessible to everyone on the internet, leaking some debug info...
WePay: [stage-go.wepay.com] XSS via Request URI
PoC: Open the URL in Internet Explorer. This vulnerability only works in Internet Explorer and possibly in Edge, since it is necessary to send a Request-URI without URL encoding, which is only possible in this browser via redirect...
WePay: Enumeration of registered email addresses using bruteforce search on userIds
Hi, It is possible to access the emails and some other information of all users and potentially modify details of any user, resulting in a mass exposure of sensitive user information. This is as a result of the https://www.wepay.com/accountajax/member/161257089?form=changepermission endpoint. POC...
WePay: Invited users can modify and/or remove account owner
Summary: If an invited user in an account has "can modify" privileges, he can modify the privileges of the owner of the account or even just completely remove him. Steps to reproduce: 1. Create an account and go to...
WePay: 2-step Verification bypass
Overview: The value of the cookie wepay-device-uid, which allows login without 2-step, is not linked to the user, so an attacker can turn on 2-step verification on his own account, get this cookie and log in to the victim's account with only the password, without the second step. Steps to reproduce...
WePay: Unauthenticated Stored XSS in API Panel
There is an unauthenticated stored XSS in the API Panel of the app administration, e.g. https://stage.wepay.com/apps/manage/12873/apikeys. When a user is created via the API, the call log does not sanitize the output correctly (see screenshot 1). So it is possible to execute arbitrary scripts in the...
WePay: Subdomain Takeover in http://staging.wepay.com/ pointing to Fastly
Hi. One of your subdomains, http://staging.wepay.com/, is vulnerable to subdomain takeover. If you visit the site, it says "unknown domain", which indicates that there are no currently deployed services set up with the specified domain, and attackers can copy that domain in any hosting...
WePay: Broken Authentication – Session Token bug
Hi, I found a broken authentication vuln. POC: 1- Create a WePay account 2- Confirm your email 3- Now request a password reset for your account. 4- Don't use the password reset link that was sent to your email. 5- Log in to your account; remember, don't use the reset password link you requested first...
WePay: Horizontal Privilege Escalation
An attacker can update the subscription details of the victim without any action from the victim. Following are the steps to reproduce: 1. Log in to an account with any set of credentials, say [email protected] 2. Click on "Create an Account", click on Organization, fill in all the details. Complete...
WePay: Critical: Account removal using CSRF attack
I have found that the delete action is vulnerable to CSRF and could lead to the principal account being deleted once the victim visits the attacker's fake page. Proof Of Concept: WARNING: I am submitting the form using JS, so merely accessing a page with the code below will lead to account deletion...
WePay: CSRF (Make email primary) may lead to account compromise
Hello, "Make email primary" doesn't have CSRF protection. Proof Of Concept: I copied this form from the site. Make primary. You can clearly see there is no CSRF protection. Hacking a secondary email of a user and then doing this CSRF attack against the user will result in compromising o...
WePay: OAuth redirect_uri validation bug leads to open redirect and account compromise
According to https://stage.wepay.com/developer/reference/oauth2: "redirecturi - The uri the user will be redirected to after authorization. Must have the same domain as the application." Your current validation of this domain value is not sufficient. I set up my app with a website URL of...
WePay: CSRF on email address operations. Also performing unintended operations.
After authentication in the WePay application, a user can navigate to the "My Settings" tab and perform operations like makeprimary and resend on the email addresses. These operations do not have any CSRF tokens present in the request. The only value unknown to an attacker present in the request ...
WePay: Session Fixation
So, this is not the usual session fixation vulnerability but a slightly weird version of it. Nevertheless, I believe this should be fixed. Please follow the instructions below to repro this: 1. Start a proxy tool such as Burp. 2. Authenticate to the application. 3. Capture a request to the URL...
WePay: Typical form vulnerable to CSRF attack
See the form you give here. This is provided by you to change settings without logging in. You have supplied a 'csrf token' and 'nonce', e.g. https://stage.wepay.com/email/manage/170395/hash. But I bypassed your CSRF by just removing the values of the tokens and submitting them blank. And it worked. Hope y...
WePay: Open Redirect
Hello, this report is a copy of my previous reports sent to your email [email protected] some days ago. Please note that everything written below is copied and pasted from the report. Ticket 437224: Here is the affected URL:...
WePay: Session fixation in wepay.com
Hey there, I found out that your cookies are actually being fixed before and after login. This allows an attacker to perform a session fixation attack and hijack the user's session by capturing the cookies before the user logs in and replaying them afterwards. Here are my fixed cookies...