A German Security researcher has demonstrated a critical vulnerability on Ebay website.
He found a controller which was prone to remote-code-execution due to a type-cast issue in combination with complex curly syntax.
In a demo video, he exploited this RCE flaw on EBay website, and managed to display output of phpinfo() PHP function on the web page, just by modifying the URL and injecting code in that.
According to an explanation on his blog, he noticed a legitimate URL on EBay:
and modified the URL to pass any array values including a payload:
David has already reported the flaw responsibly to the Ebay Security Team and they have patched it early this week.
Source: eBay : Remote Code Execution
Yahoo is investigating the claims of a hacker who is selling an exploit that apparently hijacks Yahoo mail accounts.
The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a cross-site scripting (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users.
Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
Demonstrating an apparent flair for marketing, the hacker, under the alias “TheHell” also posted a video on YouTube, providing a demo for potential customers. He claims it works with all browsers and does not require a bypass of XSS filters in either Chrome or Internet Explorer. He also says the exploit will be sold only to trusted individuals who are not likely to turn it over to Yahoo, which would undoubtedly develop a patch that will foil the attack.
“TheHell” claims that his exploit attacks a “stored” XSS flaw. This type of attack injects a code that is permanently stored on targeted servers until it is found and deleted. The malicious code is then passed to the victim’s machine when that particular server is accessed for legitimate download.
A standard phishing attempt is used to access the user’s cookies, from which the attacker can access the person’s email, or take full control of the account.
As of Tuesday morning, Yahoo was in the process of trying to identify the infected URL. Once the identification is successful, the malicious portion of code will be deleted.
This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping.
perl mysql5enum.pl -h [hostname] -u [url] [-q [query]]
perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q “select system_user()”
– By default, this script will first determine username, version and database name before enumerating the information_schema information.
– When the -q flag is applied, a user can supply any query that returns only a single cell.
– If the exploit or vulnerability requires a single quote, simply tack %27 to the end of the URI.
– This script contains error detection: It will only work on a mysql 5.x database, and knows when its queries have syntax errors.
– This script uses perl’s LibWhisker2 for IDS Evasion (The same as Nikto).
– This script uses the MD5 algorithm for optimization. There are other optimization methods, and this may not work on all sites.
Facebook is the most recent company to come to the bug-bounty party, officially announcing recently that-
“To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”
Here’s how it works:
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity or privacy of Facebook user data, such as: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Remote Code Injection.
- Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Facebook security team will assess each bug to determine if qualifies.
- A typical bounty is $500 USD
- We may increase the reward for specific bugs
- Only 1 bounty per security bug will be awarded
The following bugs aren’t eligible for a bounty:
- Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
- Security bugs in third-party websites that integrate with Facebook
- Security bugs in Facebook’s corporate infrastructure
- Denial of Service Vulnerabilities
- Spam or Social Engineering techniques
Sign Up: Facebook Official Bug Bounty Page
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
- Intercepting Proxy
- Automated scanner
- Passive scanner
- Brute Force scanner
- Port scanner
- Dynamic SSL certificates
- Beanshell integration
- Easy to install (just requires java 1.6)
- Ease of use a priority
- Comprehensive help pages
- Fully internationalized
- Under active development
- Open source
- Free (no paid for ‘Pro’ version)
- Cross platform
- Involvement actively encouraged
Download: ZAP 1.3.1