    CVEs/2021/CVE-2021-36873.md
    1 1  # CVE-2021-36873
    2 2   
    3 3  ## Description
    4  -Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage.
     4 +Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `&blockcountry_blockmessage`.
    5 5   
    6 6  ## CVSS (Vector and Score)
    7 7  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM
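Review bot: the backticked value on line 4 still carries the `&` query-string separator, which is not part of the parameter name; write it as `blockcountry_blockmessage` (or quote the whole query fragment `&blockcountry_blockmessage=`) so readers do not take `&blockcountry_blockmessage` for the name. Backticking the parameter is otherwise a good change and matches how the settings field is referenced later in the file.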
    skipped 9 lines
    17 17   
    18 18  ## Steps to Reproduce
    19 19  1. Login as administrator
    20  -2.
     20 +2. Go to http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php
     21 +3. Find `Message to display when people are blocked:` form
     22 +4. Input `</textarea><script>alert(1)</script>`
     23 +5. Scroll down and press `Save Changes` button
    21 24   
     25 +## Proof of Concept
     26 +- Video
    22 27   
    23  -## Proof of Concept
     28 + > https://youtu.be/WtOiHY5R-t0
    24 29  - Image
    25  -- Video
     30 +![image](https://user-images.githubusercontent.com/36522826/202700374-52d36350-adff-4fe3-b46d-21f08955e8c6.png)
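Review bot: the restructured Proof of Concept block (lines 25-30) puts the video URL in a blockquote that is separated from its `- Video` bullet by a blank line (line 27), so Markdown will close the list and render a stray quote; put the link on the bullet itself, `- Video: https://youtu.be/WtOiHY5R-t0`, to match the `- Image` entry below it. Two smaller points on the new Steps to Reproduce: `http://localhost` in step 2 is a local install path and should be called out as a placeholder for the WordPress base URL, and step 1 ("Login as administrator") is consistent with the `PR:H` in the CVSS vector above, which is worth keeping in mind if the vector is ever revised.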
    OAuth Misconfiguration.md
    skipped 3 lines
    4 4  The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users’ accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.
    5 5   
    6 6  ## Where to find
    7  -In the SSO feature. For example `Log in with google` or `Log in with facebook`.
     7 +In the SSO feature. For example the URL will be looks like this
     8 +```
     9 +https://example/signin?response_type=code&redirect_uri=https://callback_url/auth&client_id=FQ9RGtMkztAgmAApKOqACrBNq&state=7tvPJiv8StrAqo9IQE9xsJaDso4&scope=+profile+email+phone+group+role+resource
     10 +```
    8 11   
    9 12  ## How to exploit
    10  -1. OAuth token stealing: Changing redirect_uri to attacker.com(Use IDN Homograph or common bypasses).
    11  -2. Change Referral header to attacker.com while requesting OAuth.
    12  -3. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
    13  -4. OAuth Token Re-use.
    14  -5. Missing or broken state parameter.
    15  -6. Lack of origin check.
    16  -7. Open Redirection on another endpoint > Use it in redirect_uri
    17  -8. If there is an email parameter after signin then try to change the email parameter to victim's one.
    18  -9. Try to remove email from the scope and add victim's email manually.
    19  -10. Only company's email is allowed? > Try to replace hd=company.com to hd=gmail.com
    20  -11. Check if its leaking client_secret parameter.
    21  -12. Go to the browser history and check if the token is there.
     13 +1. OAuth token stealing by changing `redirect_uri` and Use IDN Homograph
     14 + * Normal parameter
     15 + ```
     16 + &redirect_uri=https://example.com
     17 + ```
     18 + * IDN Homograph
     19 + ```
     20 + &redirect_uri=https://еxamplе.com
     21 + ```
     22 + If you notice, im not using the normal `e`
     23 +2. Create an account with [email protected] with normal functionality. Create account with [email protected] using OAuth functionality. Now try to login using previous credentials.
     24 +3. OAuth Token Re-use.
     25 +4. Improper handling of state parameter
     26 + 
     27 + To exploit this, go through the authorization process under your account and pause immediately after authorization. Then send this URL to the logged-in victim
     28 + * CSRF Attack
     29 + ```html
     30 + <a href="https://example.com/authorize?client_id=client1&response_type=code&redirect_uri=http://callback&scope=openid+email+profile">Press Here</a>
     31 + ```
     32 +5. Lack of origin check.
     33 +6. Open Redirection on `redirect_uri` parameter
     34 + * Normal parameter
     35 + ```
     36 + &redirect_uri=https://example.com
     37 + ```
     38 + * Open Redirect
     39 + ```
     40 + &redirect_uri=https://evil.com
     41 + &redirect_uri=https://example.com.evil.com
     42 + etc.
     43 + ```
     44 +7. If there is an email parameter after signin then try to change the email parameter to victim's one.
     45 +8. Try to remove email from the scope and add victim's email manually.
     46 +9. Check if its leaking `client_secret`
    22 47   
    23 48  ## References
    24 49  * [tuhin1729_](https://twitter.com/tuhin1729_/status/1417843523177484292)
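Review bot: item 6 (lines 33-43) labels `https://evil.com` and `https://example.com.evil.com` as "Open Redirection", but both are cases of weak `redirect_uri` validation (no allow-list, or prefix matching on the registered host); the open-redirect case the removed line 16 described, an open redirect on an allowed endpoint being reused inside `redirect_uri`, is a distinct issue that this rewrite drops, so either restore it as its own item or retitle item 6 "Weak `redirect_uri` validation". The rewrite also silently drops old items 2, 10 and 12 (Referer header, `hd=` domain restriction, token left in browser history); if that is intentional, say so in the commit message. Smaller points: "the URL will be looks like this" (line 7) should read "the authorization URL looks like this"; the example host `https://example` (line 9) has no TLD and differs from the `example.com` used later in the file; "im" (line 22) should be "I'm"; and the one-space indentation of the sub-bullets and fences under items 1, 4 and 6 is not enough for Markdown to keep them inside the numbered list (use three or four spaces).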
    skipped 1 lines