Imagine that you already have a valid SSL certificate (e.g. from Let's Encrypt with auto-renew; see https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04) and want to use it for Pritunl's web panel.

Just open the main app.py file.

Find the following lines (lines 146-149)

and replace them (or just comment them out with #) with

And that is all.

March 19th, 2016

Posted In: tricks


Intro

It seems it's time to disclose a zero-day XSS affecting 21 Yahoo domains.
I am not breaking any rules or laws of any country (I hope, lol) by posting this publicly: Yahoo officially said that they need only 90 days to roll out a fix for any vuln (see https://hackerone.com/yahoo, Yahoo's bug bounty rules). This vuln affects 21 different Yahoo domains and has not been fixed for a year.

I reported this issue 9 months ago (https://hackerone.com/reports/77385) and tried to bump it, but no luck. They said that my report is a dup of https://hackerone.com/reports/54625 (reported around March 2015).

The main purpose of this post is just to draw the attention of the Yahoo security team to this ticket again (and finally get it fixed!).

XSS

Facts:

  • Reflected
  • Works only in IE (tested in IE 10 on Windows 7; should also work in IE 7, 8 and 9)
  • Bypasses the IE XSS filter

Based on a technique by https://twitter.com/Black2Fan that injects an XSS payload into the HOST header of the user's request (read more here).

PoC: https://sergeybelove.ru/exploits/yahoo_ie.php (IE only! It just injects an H1 tag)

[Screenshot 1 (2015-07-21)]

[Screenshot 2 (2015-07-21)]

This XSS is caused by the balancer and... affects other domains! I wrote a simple scanner:

for mass checking, and found that other domains (including flickr.com) are also vulnerable:

Why 21? Some other domains, like mail on the first screenshot, need to be checked manually.

One more fact: I added a check for XSS through the HOST header to my small and free one-button scanner: http://sergeybelove.ru/one-button-scan/
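The post does not include the scanner itself, so here is an added example of such a Host-header reflection check (my own code, not the author's scanner or one-button-scan). It assumes plain HTTP on port 80 and a constructed marker payload; the network function sends one request per domain with a poisoned Host header and the pure function `find_reflection` decides whether the marker came back unencoded in a response header (typically Location) or in the body. Only run the network part against hosts you are authorised to test.

```python
import http.client

# Marker injected into the Host header (constructed for this example).
# An <h1> is enough to prove HTML injection without triggering most
# filters; the post's PoC also injects an H1 tag.
PAYLOAD = "<h1>hhx</h1>"


def find_reflection(payload, headers, body):
    """Return where `payload` is reflected unencoded: "header:<name>" for
    each reflecting response header, "body" for the response body.

    headers: list of (name, value) pairs; body: decoded response text.
    An HTML-encoded reflection (&lt;h1&gt;) is ignored: it is not markup
    injection, so it does not count as a hit.
    """
    hits = []
    for name, value in headers:
        if payload in value:
            hits.append("header:" + name.lower())
    if payload in body:
        hits.append("body")
    return hits


def check_host_reflection(domain, payload=PAYLOAD, timeout=5):
    """Send one request whose Host header is `<domain><payload>` and return
    (status, hits). Network helper; the offline checks use find_reflection.
    """
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        # skip_host=True so http.client does not emit its own Host header;
        # the poisoned one is sent explicitly below.
        conn.putrequest("GET", "/", skip_host=True, skip_accept_encoding=True)
        conn.putheader("Host", domain + payload)
        conn.putheader("User-Agent",
                       "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)")
        conn.endheaders()
        resp = conn.getresponse()
        body = resp.read(200_000).decode("utf-8", "replace")
        return resp.status, find_reflection(payload, resp.getheaders(), body)
    except (OSError, http.client.HTTPException) as exc:
        return None, ["error:" + type(exc).__name__]
    finally:
        conn.close()


def scan(domains, payload=PAYLOAD):
    """Mass check: map each domain to (status, hits). Non-empty hits mean
    the balancer or application reflects the Host header unencoded."""
    return {d: check_host_reflection(d, payload) for d in domains}


if __name__ == "__main__":
    import sys
    for domain, (status, hits) in scan(sys.argv[1:]).items():
        print(domain, status, hits or "clean")
```

A hit in a Location header is the case the post describes: a balancer that builds a redirect from the incoming Host value. Because the payload never appears in the URL, the IE XSS filter has nothing to match on, which is why the bug is IE-only in practice rather than blocked by the filter.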

P.S. I found exactly the same vuln on Wikipedia and they fixed it in just a few days. Feel the difference.

UPD: BlackFan tweeted that he reported this issue 2 years ago! And it was a dup.
H1 report by BlackFan

February 28th, 2016

Posted In: bugbounty


Slides from my talk at OWASP Poland about different attacks on the modern frontend:

OWASP EEE (Krakow) – It's only about frontend from Sergey Belov

And video:

Text – click
Huge thanks to Mario for help while preparing this presentation.

February 28th, 2016

Posted In: Public talks


If you get the following error after installing hamachi on a Raspberry Pi

just type

November 15th, 2015

Posted In: Uncategorized


Today I want to revive my blog and share a little, very simple (and new?) trick: how to get RCE on the client side via JSONP in IE (any version). This technique resembles the "reflected file download" attack from the last BlackHat.

JSONP (JSON with "padding") is JSON data wrapped in a call to a callback function, which lets the client-side code interact with the received data. It is usually needed when we have two domains and, because of the SOP, cannot read a response from domain B while sending the request from domain A.
A typical example:
What we know about JSONP threats?
  1. JSONP leaks
  2. XSS via JSON / JSONP callbacks
  3. Advanced vector: “rosetta flash”
  4. ?
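As an added example (my own code, not from the original post), here is the server side of a JSONP endpoint written both the common vulnerable way and a hardened way, covering the threats listed above: an echoed callback lets the requester control the very first bytes of a script response, which is what callback XSS, the RFD-style payloads this post is about, and Rosetta Flash all rely on. The function names, the callback whitelist and the 64-character limit are assumptions of this example.

```python
import json
import re

# What a JSONP endpoint should accept as ?callback=: a (dotted) JavaScript
# identifier and nothing else. No operators, quotes, whitespace or angle
# brackets, so the reflected name cannot become a second statement, a shell
# command in a downloaded file, or an HTML tag.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")
MAX_CALLBACK_LEN = 64  # assumed limit for this example


def jsonp_unsafe(callback, data):
    """The common vulnerable pattern: the callback parameter is echoed
    verbatim in front of the JSON, so the requester controls the start of
    the response body."""
    return "%s(%s);" % (callback, json.dumps(data))


def jsonp_response(callback, data):
    """Hardened variant. Returns (status, headers, body)."""
    if callback is None:
        callback = "callback"
    if len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "application/json"}, json.dumps(
            {"error": "invalid callback"})
    # The whitelist alone is not enough: a Rosetta Flash callback is a plain
    # alphanumeric identifier. Prefixing a comment means the body never
    # starts with requester-chosen bytes, so it cannot be a SWF header.
    body = "/**/" + callback + "(" + json.dumps(data) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Stop IE sniffing the script as HTML.
        "X-Content-Type-Options": "nosniff",
        # Fixed file name and extension when the URL is opened directly:
        # the mitigation for reflected file download. Browsers ignore this
        # header for <script src> subresources, so JSONP keeps working.
        "Content-Disposition": 'attachment; filename="data.json"',
    }
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample: a legitimate jQuery callback and two hostile ones.
    for cb in ("jQuery_123", "calc||", "<script>alert(1)</script>"):
        status, _, body = jsonp_response(cb, {"ok": 1})
        print("%-30r unsafe=%r hardened=%s %r" % (cb, jsonp_unsafe(cb, {"ok": 1}), status, body))
```

The point of `/**/` rather than a whitelist only: after a correct identifier check, `CWSxxxx...` still passes, so the first bytes of the body are still attacker-chosen unless something fixed precedes the callback.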


January 24th, 2015

Posted In: tricks


Bug bounties (vulnerability reward programs run by vendors) are becoming more and more widespread. Sometimes a vulnerability search turns up evidently insecure areas (e.g. self-XSS) whose threat is hard to prove. But the larger (or rather the smarter) the vendor (e.g. Google), the more willing it is to discuss, to confirm the indicated vulnerability and, if successful, to reward it. This article is a collection of such complex situations and of ways to prove a threat and to make the Internet more secure.


December 9th, 2014

Posted In: bugbounty
