Tuesday, September 17, 2013

My Achievements - Halls Of Fame, Bounties And Swag!


I am so lucky that God gave me the ability to find vulnerabilities on almost all the big and highly secured (so called) giants of the IT field. It includes:

Facebook, Google, Twitter, Apple, Microsoft, Adobe, Blackberry, Nokia, Symantec, Yahoo, Friendster, GoDaddy, Avira, Avast, Ifixit, Android, Barracuda, MailChimp, LinkedIn etc., and the list goes on.

Following are the companies with a responsible disclosure policy that have listed my name on their Hall of Fame page for finding security vulnerabilities on their sites.


Got $5000 from PayPal and an acknowledgement as a security researcher.

Got $500 from Facebook and an acknowledgement as a security researcher.

Got $300 from Meraki and an acknowledgement as a security researcher.




1) My first international acknowledgement. Recognized by Microsoft as a security researcher. link

2) Got listed in the Adobe Security Researcher Acknowledgement page for the 1st time. link

3) Acknowledged by ifixit. Got listed in the ifixit responsible disclosure page for 2012. link

4) Once again got listed in the ifixit responsible disclosure page, this time for the year 2013. link

5) Listed in the Adobe Security Researcher Acknowledgement page for the 2nd time and thus became the 1st person over the globe to be acknowledged by Adobe twice. link

6) Listed in the Owncloud security acknowledgement page. link

7) Listed in the Red Hat Vulnerability Acknowledgements page. link

8) Got listed in the Zendesk vulnerability acknowledgement page with all my leet friends. link

9) Got listed in the ConstantContact Hall of Fame. link

10) Listed in the Apple Hall of Fame for reporting a cross-site scripting vulnerability. link

11) No offense.. Listed in the Apple Hall of Fame for the second time in a week. link

12) Listed in the Nokia Hall of Fame for the first time. link

13) Finally, I am in the Google Hall of Fame. link

14) Listed in the Bugcrowd contributors list with all my friends.

15) Got listed in the Blackberry Hall of Fame. :) link

16) Finally got my White Hat Hacker badge on my Freelancer account. Feeling special :) <3 link

17) Listed in the Google Hall of Fame for the second time :) :) Feeling happy :) link

18) Listed in the Microsoft Hall of Fame for the second time :) link

19) Listed in the Sprout Social Hall of Fame. link

20) Listed in the Android Hall of Fame. link

21) Listed in the Acquia Hall of Fame. link

22) Listed in the MailChimp Security Response page. link

23) Listed in the Blackberry Hall of Fame for the second time. link

24) Listed in the HackSecurity Special Thanks page. link

25) Listed in the Adobe Hall of Fame for the 3rd time! Feeling special :) link

26) Listed in the Schuberg Philis Hall of Fame. link

27) Listed in the Barracuda Hall of Fame. link

28) Listed in the NetFlix Hall of Fame. link

29) Listed in the Facebook White-hat page. link

30) Acknowledgement from Avira as a security researcher.

31) Acknowledgement from Atlassian as a security researcher, and received cool swag.

32) Listed in the Google Hall of Fame for the third time :) link

33) Acknowledgement from Appentative as a security researcher, and received cool swag.

34) Listed in the Google Hall of Fame for the fourth time :) link

35) Acknowledgement from BugCrowd as a security researcher, and received cool swag.

36) Listed in the Nokia Hall of Fame for the second time. link

37) Listed in the Freelancer Hall of Fame. link

38) Acknowledgement from PayPal as a security researcher, and received some bounty.

Reach me at Facebook - https://www.facebook.com/heartstlear

Reach me at twitter - https://www.twitter.com/tush2388

Reach me at LinkedIn - http://www.linkedin.com/pub/tushar-kumbhare/69/8a7/9b8

Thanks.

Happy Hacking :)

Tuesday, September 10, 2013

Wordfence Bug Bounty Program - DOM Based XSS on Main Site! Patched Without Even a Reply!


A few days ago, I read about the new bug bounty program started by Wordfence. Link



Wordfence is the Leading CyberSecurity solution for WordPress. They provide a Complete Anti-Virus and Firewall Package for your WordPress Website including Two Factor Authentication, a Firewall incorporating Machine Learning and Tools to help Recover from a Hack. Wordfence is available free. Simply sign into your WordPress website, Go to Plugins > Add New > And search for 'wordfence' without quotes. Our premium version includes enterprise features like Two Factor Authentication and Country Blocking. 
As a bounty they were offering a Wordfence 5-year premium license per bug reported. These licenses are priced at $146.25. It's cool. I thought, why not try my hand at this bounty program.

When I visited the site, I noticed that it is running the WordPress CMS. The version was 3.6 and almost all the known vulnerabilities seemed to be patched. Then I checked the page source and plugins. I found that the site is integrated with a plugin named WordPress prettyPhoto. I reviewed the JavaScript source of the plugin and found that it is vulnerable to DOM based cross-site scripting, as it accepts input from the URL fragment without sanitizing it. So I generated my payload and crafted the URL as follows:

http://www.wordfence.com/#!prettyPhoto/<a onclick="alert(/XSS by Tushar Kumbhare/);">/
I typed this URL in the address bar, hit Enter and bang!!! I got a prompt showing the XSS vulnerability. I immediately reported the vulnerability and they patched it within an hour. They are really very fast compared to others.

But these days, you can't trust anyone. Forget about the bounty, they patched the vulnerability without even a reply or a message of thanks. I don't know why these bug bounty vendors don't play a fair game. They are just using our talent to secure their vulnerable ass and didn't even give a reply of thanks. To be very frank, I am losing trust in these bug bounty programs due to some recent experiences I have had in these few days.

Let it be, but fortunately, I recorded a video as a proof of concept. It's attached as follows:
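To make the defect concrete from the defender's side, here is an added example that is not prettyPhoto's or Wordfence's code. It models the pattern the post describes: a gallery plugin reads its state from location.hash and writes pieces of it into the page. The fragment format "#!prettyPhoto/<gallery>/<index>/" is assumed from the URL in the post, the element stand-in and both handlers are constructed for illustration, and the payload is a shortened form of the post's URL fragment. The vulnerable handler puts fragment text into innerHTML; the hardened one parses the fragment against a strict allowlist and writes only with textContent.

```javascript
// Added example, not prettyPhoto's or Wordfence's code: it models the pattern
// the post describes. A gallery plugin reads its state from location.hash and
// writes pieces of it into the page. The fragment format
// "#!prettyPhoto/<gallery>/<index>/" is assumed from the URL in the post.
const HASH_PAYLOAD = '#!prettyPhoto/<a onclick="alert(1)">/'; // shortened form of the post's fragment

// Minimal stand-in for a DOM element, so the example runs under Node.js with no browser.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable handler: the fragment is split on "/" and the pieces are
// concatenated into markup that is assigned to innerHTML. Whatever the user
// typed after "#" is parsed as HTML, so an attribute such as onclick survives
// into the page. This assignment is the DOM XSS sink.
function openFromHashUnsafe(hash, el) {
  const parts = hash.split("/"); // ["#!prettyPhoto", gallery, index, ""] for a well-formed fragment
  const gallery = parts[1] || "";
  const index = parts[2] || "0";
  el.innerHTML = '<div class="pp_title">' + gallery + " (" + index + ")</div>";
  return el.innerHTML;
}

// Hardened handler, two independent layers:
//  1. the fragment must match a strict allowlist pattern, otherwise it is ignored;
//  2. the values are written with textContent, which never interprets markup.
const HASH_RE = /^#!prettyPhoto\/([A-Za-z0-9_-]{1,64})\/(\d{1,4})\/?$/;

function parseGalleryHash(hash) {
  const m = HASH_RE.exec(hash);
  return m ? { gallery: m[1], index: Number(m[2]) } : null;
}

function openFromHashSafe(hash, el) {
  const state = parseGalleryHash(hash);
  if (state === null) {
    el.textContent = ""; // unknown or malformed fragment: render nothing
    return null;
  }
  el.textContent = state.gallery + " (" + state.index + ")";
  return state;
}

// Stand-alone run: both handlers on the payload, then the safe one on a benign fragment.
console.log("unsafe:", openFromHashUnsafe(HASH_PAYLOAD, makeElement()));
console.log("safe  :", openFromHashSafe(HASH_PAYLOAD, makeElement()));
console.log("safe  :", openFromHashSafe("#!prettyPhoto/gallery1/3/", makeElement()));
```

The allowlist is the real fix: a fragment that does not match the expected shape is dropped before it reaches any sink, and textContent is kept as a second layer so a future change to the regex cannot reopen the hole.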



After reporting 3 times and getting no reply, my message to the Wordfence team: I still have 1 SQLi and 2 XSS on your site, and this time I will not report but do only one thing.





Sunday, September 8, 2013

WordPress W3-Total-Cache Plugin 0.9.2.11 Persistent XSS Vulnerability.



WordPress Plugin w3-total-cache 0-day Stored Cross-Site Scripting Vulnerability.


Vulnerable Plugin - W3-Total-Cache Plugin
Vulnerable Version - 0.9.2.11 and prior.
Tested On - WordPress 3.6 on Windows 7, Linux.

Vulnerability: Stored Cross-Site Scripting.

The W3-Total-Cache plugin is notorious for its poor security. The current version of the plugin, 0.9.2.11, is hit by another major vulnerability which, exploited cleverly and successfully, can compromise the admin account of a WordPress site.

Following are the steps:

1) Go to Dashboard.

2) Click on Installed Plugins.

3) Go to the W3-Total-Cache plugin and click on Settings.

4) Go to Reverse Proxy and click on Page Cache Settings.

5) Go to Cache Preload, type the vector "><img src=x onerror=prompt(0);> in the Sitemap URL field and click on Save.

6) You will get a prompt.
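The defect behind these steps is a settings value that is stored and later echoed into an input attribute unescaped. The following is an added example and not W3 Total Cache code: the plugin itself is PHP, and this Node.js sketch shows the same defect and its fix in a language-neutral way. The field name, the two render functions and the validator are constructed for illustration; the stored value is the vector from the post.

```javascript
// Added example, not W3 Total Cache code: the plugin is PHP, and this Node.js
// sketch shows the same defect and its fix. A settings form stores a
// "Sitemap URL" and later echoes it back into an <input value="..."> on the
// admin page.
const STORED_PAYLOAD = '"><img src=x onerror=prompt(0);>'; // the vector from the post

// Vulnerable render: the stored value is concatenated into an attribute with
// no escaping. The leading quote closes value="...", the ">" closes the input
// tag, and the rest is parsed as a new element: stored XSS on every page load.
function renderSitemapFieldUnsafe(stored) {
  return '<input type="text" name="sitemap_url" value="' + stored + '">';
}

// Fix, layer 1: validate on save. Only absolute http(s) URLs are accepted, so a
// payload never reaches the database in the first place.
function sanitizeSitemapUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null; // rejects javascript:, data:, etc.
  return url.href;
}

// Fix, layer 2: escape on output regardless of validation, because rules change
// and rows stored before the fix may still hold arbitrary text.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]
  );
}

function renderSitemapFieldSafe(stored) {
  const url = sanitizeSitemapUrl(stored);
  const shown = url === null ? "" : url; // invalid stored value: show an empty field
  return '<input type="text" name="sitemap_url" value="' + escapeAttr(shown) + '">';
}

// Stand-alone run: the unsafe render on the payload, then the safe render on the
// payload and on a benign sitemap URL.
console.log(renderSitemapFieldUnsafe(STORED_PAYLOAD));
console.log(renderSitemapFieldSafe(STORED_PAYLOAD));
console.log(renderSitemapFieldSafe("https://example.com/sitemap.xml"));
```

Validation on save and escaping on output are deliberately separate: the first keeps bad data out of the database, the second protects the page even when data got in some other way, which is exactly the situation after a vulnerable version has been running for a while.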


Here is a Video Demonstration of this Vulnerability.


