Comments on h3xStream's blog: crossdomain.xml : Beware of Wildcards
Blog author: Philippe Arteau. Comment feed last updated 2023-12-01. 15 comments, newest first.

[2017-12-03] Philippe Arteau:
Paypal have changed their crossdomain.xml as a fix for my report. To target ebay.com from *.ebay.com, yes it is still possible, but it won't work with an XSS as far as I know.

[2017-12-02] Life:
Having a reflected XSS over *.ebay.com, can this attack be done? Or do we need the swf/jpg file uploaded on it?

Thanks

[2016-03-25] `t" onmouseover=alert(document.cookie); a="` (commenter's profile name as published):
Hello; I have a site where, when I try to upload the generic SWF file you mentioned, it refused, but when I upload the SWF to execute XSS it uploads. Also, the site uses wildcards, so why did the site refuse the first one and accept the second one?

Thanks

[2015-09-20] Anonymous:
I'm too confused by the code, so that's why I'm asking for your code :) which really looks easy :) You can send me the code privately :p I'll not share it with anyone :)

[2015-09-04] Philippe Arteau:
I used to recompile the same Flash SWF, which is not really effective. I would recommend using a generic SWF like https://github.com/borisreitman/CrossXHR.

[2015-08-30] Anonymous:
Nice info :) How would you like to share your exploit code? :)

[2015-06-04] Philippe Arteau:
I can answer specific questions. Unfortunately, I can't give one-on-one support, even for little things. Sorry.

I can give you this advice that would apply to Flash vulnerabilities, but would also apply to web security. When you are digging into a vulnerability, don't hesitate to spend some time experimenting in your local environment. The big bug bounty may be tempting, but you will learn a lot by trial and error in a controlled environment.

This Flash/SWF vector is not new. I remember reporting an equivalent problem on DropBox in 2010-2011. Many bug hunters have also reported those. The big sites are mostly aware of these issues.

[2015-06-03] Anonymous:
Hello Philippe Arteau,

It's a very, very nice article with a detailed explanation and video demonstration. Just awesome work (y).
I have found the same type of vulnerability or crossdomain.xml file on a big website. As a bug hunter I have just started my career. I need some guidance on this topic, because I followed your article and also tried some 2-3 other methods, but unfortunately I wasn't able to exploit it. I would appreciate it if you would give me some time and contact me via email; then we can demonstrate it also. I don't want to disclose it in public.

Thanks for your above article.

[2015-04-30] Philippe Arteau:
I have reported a few eBay-specific bugs (mostly XSS) and I have received delayed responses each time.
In general, the Paypal bug bounty team is pretty effective at fixing and responding. I just don't like their rickety messaging system.

[2015-04-30] zoczus:
Of course, I understand it. All is similar to my case, so it seems like Paypal just works in this way ;) Thanks and congratulations again. :)

[2015-04-25] Philippe Arteau:
There was no validation on the file attachment. It was only an extension verification.
The malicious file uploaded was an SWF.

[2015-04-25] michee:
I don't get it. How do you jump from loading a jpg to loading your malicious swf?

[2015-04-18] Musab -Th3_Pirate:
Well done & very nice explanation.
Keep hunting, busy man ;)

[2015-04-16] Philippe Arteau:
I prefer to avoid mentioning the payout in the article. It could be perceived as bragging. Some people will do strange calculations and come to the conclusion that bug bounty participants make millions.
To answer your question, the bounty was just below Authentication Bypass. It's a good reward for a small-complexity bug.

The timeline is a bit chaotic.
[5/11/2013]
I initially contacted eBay at the end of 2013 for labs.ebay.com. I didn't push much.
[16/7/2014]
I got a response from eBay 8 months later saying the vulnerability was considered invalid. The vulnerable form was removed. The POC files I uploaded were also removed.
[21/7/2014]
I did a quick search for other vulnerable cases that affected Paypal. I found community.ebay.com and developper.ebay.com. I reported both.
[17/09/2014]
I received an initial payment. Also, I noticed the crossdomain.xml (paypal.com) was changed shortly after. "*.ebay.com" was no longer included.
[3/04/2015]
All bugs are officially fixed. I got the final payment and authorization to publish two weeks ago.

[2015-04-16] zoczus:
Hi,

Great work! :)

I had a really similar bug in Paypal, based on their crossdomain.xml and a vulnerable SWF file in another domain. Wondering how much you got for this one? Also, can you share the disclosure timeline with me? How long did it take Paypal to fix it and give you the full reward from the initial report?

Have a nice day!