Reflective Cross Site Scripting (XSS) Bug in Apple iCloud.com/#Mail



Apple is one of the biggest companies in IT, and, because of Steve Jobs, it was personally one of my favorite companies to be acknowledged by. Since Apple is a very large organization with many products, it wasn't very hard to find a bug in an Apple product and get listed on the Apple HOF.

Steps to reproduce the Non-Persistent XSS Vulnerability:
1: Log in to http://icloud.com
2: Navigate to Mail [https://www.icloud.com/#mail]
3: Create a folder with a payload as its name.
4: Create another folder with the same payload as its name.
4.1: When two folders with the same name are created, an error message alerts you that a folder with that name already exists. However, that part wasn't properly sanitized, so the error showed something like:

"A folder with the name "> already exists" and a pop-up message executes as well.
[Image: Non-Persistent Cross Site Scripting in iCloud #Mail #Apple]
And Apple fixed the bug by properly sanitizing the part, so now the results for the same inputs are as follows:
[Image: XSS Fixed by Apple for iCloud #Mail]
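The bug above is the classic reflected pattern: a user-controlled string (the folder name) is spliced into an HTML error message without encoding, so a name that closes the quote and opens a tag becomes markup. The following is an added example, not Apple's code, showing the unsafe and the encoded way of building that message; the folder name is a constructed sample payload, and the helper names are my own.

```javascript
// Added example (not Apple's code): building the "folder already exists" error
// message from a user-controlled folder name, first unsafely, then HTML-encoded.
// Constructed sample: a folder name that closes the quote and opens a tag.
const SAMPLE_FOLDER_NAME = '"><img src=x onerror=alert(1)>';

// Vulnerable: the folder name is spliced into the HTML verbatim, so the
// browser parses the "><img ...> part as a real tag.
function buildErrorUnsafe(folderName) {
  return `<p class="error">A folder with the name "${folderName}" already exists</p>`;
}

// HTML-encode the five characters that matter in text and double-quoted
// attribute context. In the browser, assigning el.textContent is equivalent.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Fixed: the folder name is encoded at the point where it enters HTML, so the
// message displays the full name instead of being cut off at ">.
function buildErrorSafe(folderName) {
  return `<p class="error">A folder with the name "${escapeHtml(folderName)}" already exists</p>`;
}

// Crude check used only to illustrate the difference: is there any tag in the
// message body other than the wrapping <p>?
function containsInjectedTag(html) {
  const inner = html.replace(/^<p class="error">/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

console.log(buildErrorUnsafe(SAMPLE_FOLDER_NAME));
console.log(buildErrorSafe(SAMPLE_FOLDER_NAME));
```

The truncated message seen on the page ("A folder with the name "> already exists") is exactly what the unsafe builder produces once the browser swallows everything after the injected tag; the encoded version shows the whole name as text.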

Reward:

Reported: June 17, 2013
Confirmation for Bug Fixed: September 06, 2013
HOF Date: August 14, 2013 (Though the HOF wasn't updated until mid-December, when I last checked)
I checked HOF: January 06, 2014

Tuesday, January 7, 2014
Posted by Saqib Kamran

P-XSS Vulnerability in Freelancer



Recently, Freelancer announced a Bug Bounty Program. Details are available here: Freelancer Vulnerability Submission. Since Freelancer has only just announced the program to reward security researchers for responsible disclosure of security vulnerabilities in Freelancer.com, I was damn sure it would be vulnerable to many attacks, as security researchers hadn't turned their attention to it yet.

However, the simplest and fastest vulnerability to find is Cross Site Scripting, aka XSS. So I did the following steps to successfully discover the hidden pop-up message in Freelancer.
1: I created a new project with my account (as employer).
1-1: I used a payload in the Project Description and details, but nothing happened, and worse, my project was declined by Freelancer, as it goes for approval first.
1-2: I upgraded my account to Plus, which gave me the option of a priority project that could be posted immediately without review. So I created a test project to find the XSS vulnerability in Freelancer.
2: I created another Freelancer account for testing, as a freelancer, to submit proposals/bids.
3: I submitted a bid from the freelancer account (second account) using the payload in both the description and the message.

4: I checked the message from the freelancer who had just bid on the project. In the employer's inbox, when I opened the message, I got the pop-up.
To re-test the vulnerability, I refreshed/reloaded that webpage. When I reloaded the page, the pop-up didn't appear. So I realized that the message field wasn't vulnerable to Cross Site Scripting aka XSS in Freelancer, but then why had my first message succeeded in getting the pop-up?
You got it! It was the Description field that was vulnerable to XSS in Freelancer.
To find this out, I retracted/cancelled my bid (as freelancer) from the project, and submitted a bid on the same project again, but this time I slightly modified the payload in the description and used a different one in the message field.

Then, from the employer account, I moved the mouse pointer to the message box as shown in the image above. A drop-down list of messages appeared. I moved the pointer to the most recent message (the one that contained the payload in the Description). Another side box appeared that loaded the Bid Details (the description was in the details too). And guess what happened next?
The payload I used is visible in the Message field. The same payload was used in the Description, and when the Bid Details preview loads the description field, the payload was executed, hence the pop-up appeared as described in the payload.
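What this post illustrates is a sink that was missed: the message field was encoded but the description field, rendered by a separate preview widget, was not. An added example (my own code, not Freelancer's) of how a renderer can avoid field-by-field mistakes by escaping every interpolation through a tagged template; the bid record, field names and function names are constructed for the illustration.

```javascript
// Added example (not Freelancer's code). A constructed bid whose message and
// description carry the same sample payload, as in the post.
const SAMPLE_BID = {
  freelancer: 'tester',
  message: '"><script>alert(1)</script>',
  description: '"><script>alert(1)</script>',
};

// HTML-encode the characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Tagged template: literal parts are the developer's trusted markup, every
// ${...} interpolation is escaped, so no field can be forgotten.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// The failure mode from the post: encoding applied field by field, with the
// description (rendered only in the hover preview) left out.
function renderBidPreviewPartial(bid) {
  return `<div class="bid"><h4>${escapeHtml(bid.freelancer)}</h4>` +
         `<p class="message">${escapeHtml(bid.message)}</p>` +
         `<p class="description">${bid.description}</p></div>`;
}

// Fixed: the same preview built with the auto-escaping template.
function renderBidPreviewSafe(bid) {
  return html`<div class="bid"><h4>${bid.freelancer}</h4><p class="message">${bid.message}</p><p class="description">${bid.description}</p></div>`;
}

// Count <script tags that reach the output markup.
function countScriptTags(markup) {
  return (markup.match(/<script\b/gi) || []).length;
}

console.log(renderBidPreviewPartial(SAMPLE_BID));
console.log(renderBidPreviewSafe(SAMPLE_BID));
```

The point of routing every user-supplied value through one escaping template is that each new place the data is displayed (inbox, hover preview, bid details) gets the same treatment automatically, rather than depending on whoever wrote the widget remembering to encode each field.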



Rewards: $300 reward, HOF, "The Hacker" badge on my Freelancer profile and a T-shirt from Freelancer.
Wednesday, July 24, 2013
Posted by Saqib Kamran

Persistent XSS Vulnerabilities in Yahoo


I received some gadgets and T-shirts from Yahoo. Why? Here is what I did. I found Persistent XSS (Cross Site Scripting) vulnerabilities in Yahoo Calendar.

Steps to Reproduce XSS Vulnerability in Yahoo Calendar

1: I logged into my Yahoo account and navigated to Calendar.
2: Created two calendars.
- On the left-hand side you will find the option to create a new calendar. I named them Calendar 1 and Calendar 2.
3: Created a new event and filled in the rest of the fields; the Location field was the vulnerable one, so I used a payload for that field.
And clicked SAVE on the event.
4: Then I re-opened the event, and nothing happened :(
I edited it and moved it to the other calendar, then re-opened the event. That's it! I got the T-Shirt pop-up :D. It was a stored one, so whenever I opened the event the result was the same pop-up.

Steps to Reproduce XSS Vulnerability on a Yahoo Site via Yahoo Mail
For this I used two email accounts. One should be a Yahoo account; the other can be from any other provider, or Yahoo as well.
1: I sent an email to my Yahoo account and used a payload in the subject field to execute the alert message.
2: Logged into the Yahoo account, and then navigated to any local Yahoo site. For example: http://au.yahoo.com/
-- The alert was executed on the Yahoo site, which shows a preview of the latest emails.
3: Once the site is loaded, it also loads the emails, so the alert message executes as soon as it loads the email that was sent with the payload in the subject field. To verify, I rechecked the subject field from the main site (not in mail.yahoo.com): it showed just "> and the rest of the code wasn't shown, which means it took the payload as an injection.

I reported the vulnerabilities to the Yahoo Security team in time, and they were very quick at fixing them.


This is the first time I am writing an article about my findings on XSS (Cross Site Scripting). I hope it will be helpful, especially for beginners like me in the field of Web Application Security research. As I said, the XSS vulnerabilities were reported to the security team and fixed well in time.

Updated -- Recently Yahoo has started a Bug Bounty program, and they are now giving monetary rewards as well as HOF. As my findings were from before Yahoo started the bug bounty program, I think that to get listed in the HOF I need to get back to Yahoo once again :)
Tuesday, July 9, 2013
Posted by Saqib Kamran

What this Blog is all about?



Everyone's life is a combination of experiences, happiness, sadness, learning, memorable moments and lots of practical work, and mine is no different. Normally, a person starts learning at home, then goes through school and university, then enters practical life, and the learning still continues as long as he keeps striving. At each step of life, everybody is learning something new that they might not have been aware of before, and that's the process of learning.

There are different categories and sub-categories in our educational system, which direct a person to a specific type of learning so as to gain expertise in that particular part or section; some people become scientists, some doctors, engineers, professors, etc. My field or category is Information Technology, which means I have been directed to gain expertise only in this category. Within it there are again many sub-categories to choose from, like Software Engineering, Web Development, Hardware, Networking, Security, etc. I chose all of them for a basic understanding, and Network & Security as my expertise.

This blog is about my research, findings, experiences and the learning that I got from them. It is related to Information Technology (IT) stuff. It not only includes my own words, but also posts from those I follow, which I would like to share with others and keep as saved copies of those resourceful articles; however, I'll surely be adding the original links and the writer's name with them, to the best of my knowledge.

I hope it will be a resourceful place for people like me who are curious to learn about IT, specifically Web Development, WordPress, Web Application Security, Networking and Operating Systems. The purpose of this blog is not only to keep these articles safe online, but to help other n00bs become g33ks who love to follow IT and want to learn more about related stuff.
Tuesday, January 1, 2013
Posted by Saqib Kamran

- Copyright © 2014 Saqib Kamran