Showing posts with label web hacking and security.
Tuesday, September 10, 2013

Wordfence Bug Bounty Program - DOM Based XSS on Main Site! Patched Without Even a Reply!

A few days ago, I read about the new Bug Bounty Program started by Wordfence.

Wordfence is the Leading CyberSecurity solution for WordPress. They provide a Complete Anti-Virus and Firewall Package for your WordPress Website including Two Factor Authentication, a Firewall incorporating Machine Learning and Tools to help Recover from a Hack. Wordfence is available free. Simply sign into your WordPress website, Go to Plugins > Add New > And search for 'wordfence' without quotes. Our premium version includes enterprise features like Two Factor Authentication and Country Blocking. 
As a bounty they were offering a Wordfence 5-year Premium license per bug reported. These licenses are priced at $146.25. It's cool. I thought, why not try my hand at this bounty program.

When I visited the site, I noticed that it was running the WordPress CMS. The version was 3.6 and almost all the known vulnerabilities seemed to be patched. Then I checked the page source and plugins. I found that the site was integrated with a plugin named WordPress prettyPhoto. I reviewed the JavaScript source of the plugin and found that it is vulnerable to DOM-based Cross Site Scripting, as it accepts the input without sanitizing it. So I generated my payload and crafted the URL as follows:

!prettyPhoto/<a onclick="alert(/XSS by Tushar Kumbhare/);">/

I typed this URL in the address bar, hit Enter, and bang!!! I got a prompt showing the XSS vulnerability. I immediately reported the vulnerability and they patched it within an hour. They are really very fast compared to others.
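The DOM-based pattern described above, modelled as an added example (not prettyPhoto's or Wordfence's code): the first function writes a fragment such as the URL in the post into the page as markup, the second validates the deep link against an allowlist and HTML-escapes anything that is displayed. The deep-link format `!prettyPhoto[<set>]/<index>/`, the function names and the sample fragments are assumptions constructed for this example.

```javascript
// Constructed sample fragments: a legitimate deep link and the post's payload.
const SAMPLE_HASHES = {
  legit: "#!prettyPhoto[gallery1]/2/",
  payload: '#!prettyPhoto/<a onclick="alert(/XSS by Tushar Kumbhare/);">/',
};

// Vulnerable pattern: the fragment is treated as markup. In a browser this
// is el.innerHTML = ...; here the markup is returned so it can be inspected.
function renderUnsafe(hash) {
  const deepLink = hash.replace(/^#/, "");
  return '<div class="pp_description">' + deepLink + "</div>";
}

// Hardened pattern, step 1: only accept the exact shape the feature expects
// (assumed format "!prettyPhoto[<set>]/<index>/"); everything else is ignored.
const DEEP_LINK_RE = /^!prettyPhoto\[([A-Za-z0-9_-]{1,64})\]\/(\d{1,4})\/$/;

function parseDeepLink(hash) {
  const m = DEEP_LINK_RE.exec(hash.replace(/^#/, ""));
  if (!m) return null;
  return { set: m[1], index: Number(m[2]) };
}

// Hardened pattern, step 2: if URL-derived text must be shown, escape it for
// an HTML context (in a browser, prefer el.textContent over innerHTML).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(hash) {
  const link = parseDeepLink(hash);
  if (!link) return '<div class="pp_description"></div>';
  return '<div class="pp_description">' +
    escapeHtml(link.set + " / " + link.index) + "</div>";
}

// Detection helper: does the produced markup contain an element with an
// on* event-handler attribute, i.e. script that would run on render?
function containsActiveMarkup(html) {
  return /<[a-z]+[^>]*\bon[a-z]+\s*=/i.test(html);
}
```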

But these days, you can't trust anyone. Leave aside the bounty; they patched the vulnerability without even a reply or a message of thanks. I don't know why these bug bounty vendors don't play a fair game. They are just using our talent to secure their vulnerable ass and didn't even give a reply of thanks. To be very frank, I am losing trust in these bug bounty programs due to some recent experiences I have had in these few days.

Let it be, but fortunately, I recorded a video as a Proof of Concept. It is attached as follows:

After reporting 3 times with no reply, my message to the Wordfence team: I still have 1 SQLi and 2 XSS on your site, and this time I will not report but do only one thing.


Sunday, September 8, 2013

WordPress W3-Total-Cache Plugin Persistent XSS Vulnerability.

WordPress Plugin w3-total-cache 0-day Stored Cross site Scripting Vulnerability.

Vulnerable Plugin - W3-Total-Cache Plugin
Vulnerable Version - Version and Prior.
Tested On - WordPress 3.6 on Windows 7, Linux.

Vulnerability:  Stored Cross Site Scripting.

The W3-Total-Cache plugin is most defamed for its poor security. Version of the W3-Total-Cache plugin, i.e. Version , is being hit by another major vulnerability which, exploited cleverly and successfully, can compromise the admin account of a WordPress site.

Following are the Steps:

1) Go to the Dashboard.

2) Click on Installed Plugins.

3) Go to the W3-Total-Cache plugin and click on Settings.

4) Go to Reverse Proxy and click on Page Cache settings.

5) Go to Cache Preload and type the vector "><img src=x onerror=prompt(0);> in the Sitemap URL field, then click Save.

6) You will get a prompt.

Here is a Video Demonstration of this Vulnerability.


Happy Hacking :)
