Monday 24 April 2017

Navigating to non-same origin windows in browsers.

Lets do this.. Works almost in every browsers. Another Interesting Navigation trick. It is an little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file.

Video POC :

No bounty was awarded, because :
"The behavioral of the browser is legit, the same thing happens in chrome or other browsers. We will invalidate your report."

Bug Reported by : Dhiraj Mishra  
Share:

Saturday 4 March 2017

Firefox Webconsole allows arbitrary code to execute.

Lets do this....

Steps to Reproduce :

1. Open New Tab
2. Ctrl+Shft+K to open a console.
3. Run the following code on the Console

f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);f.initWithPath('c:\\Windows\\System32\\cmd.exe');f.launch()

'about:newtab' is considered a chrome privileged page, injecting code within such a context would result in automatic RCE.

Video POC :



Bug Reported by : Dhiraj Mishra  
Share:

Tuesday 24 January 2017

Tuesday 17 January 2017

Browser caching may hideout your Gmail privacy.

Lets make it simple....

Steps to Reproduce :

1. Login to your Gmail Account from "Mozilla"
2. Perform any dynamic activity.
3. Log Out (Do not Close the browser)

Now, lets view the "view-source" of Gmail from Mozilla.

Visit : view-source:https://mail.google.com/mail/u/0/

If everything went perfect, you should be able to view all the recent mails which was send and receive for that logged in user.

However when we reported this to Google this is what they replied :

Google :
Hello,

We've investigated and determined that this is a caching bug in Firefox. Firefox uses the cached version of a page when viewing the source, and it appears that Firefox is not respecting the caching headers that Gmail is sending. This isn't reproducible on Chrome,
which reloads a page when viewing the source.
You should be able to file a bug with Firefox at Bugzilla.Mozilla.org.


Regards,
Michael, Google Security Team
==

and when reported to Mozilla they removed the security flag from the bug by saying "this is not remotely exploitable"

Then again reverted back to Google and this is what they said :

Google :
 Hey,

Thanks for the bug report.

We've investigated your submission and made the decision not to track it as a security bug. It will also not be accepted as part of our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and unfortunately we feel the issue you mention does not meet that bar :(

In order to conduct the attack the evildoer needs to reuse the same local user account. Because the operating systems themselves do not protect against attackers with this level of access, any fix we could implement would be easy to bypass, and we don't want to offer a false sense of security to our users. Check out https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-working-only-when-sharing-local-account-with-the-attacker where we have written about this case.

If you think we've misunderstood, please do let us know!
==

It is a simple bug, that can have significant consequences, but google simply said,Who cares ?
Where Mozilla is still working on this.
Note: This works on all OS and any versions of Mozilla in Mobile as well.

Video POC :




Bug reported by : Sebastian Grünwald, Dhiraj Mishra, Japz Divino.
Share: