
Topic: -- (Read 668 times)

copper member
Activity: 2044
Merit: 793
--
June 10, 2020, 12:20:04 PM
#9
> Update:
>
> Rewarded 700 USD for the bug.
>
> Thank you.

Good platforms indeed always value these types of information, although it might take a while to get things processed. But it's very good of stake.com to have acknowledged the bug.

It's right about time to lock the thread; you'll find the option to do so in the bottom corner of the thread. Also edit the topic title and include [SOLVED] or [CLOSED].
member
Activity: 192
Merit: 72
Security
June 10, 2020, 11:17:13 AM
#8
--
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
June 01, 2020, 05:12:40 AM
#7
> I work as a security analyst, and finding bugs and reporting them is my side hustle.
> I have passed relevant information to the owners and this thread is proof.
> Good day.

Did you notify the administrators of this vulnerability? Most sites have a vulnerability disclosure program, which is a process for sending them details of the vulnerability without leaking important details of it to outsiders. It's possible they will fix it faster if you notify them like that.

Here, the admin of Stake even mentions that they will pay people big money who report these kinds of exploits: https://forum.stake.com/topic/15307-rewards-for-bug-reports/?do=findComment&comment=172655
3x2
legendary
Activity: 1526
Merit: 1004
June 01, 2020, 01:22:48 AM
#6
I agree with you on the vulnerability, but there is hardly anything that you can do over forum.stake.com with that. But if you could do some XSS attack on stake.com, then it might impact them and you could get a reasonable bounty.
member
Activity: 192
Merit: 72
Security
May 09, 2020, 08:53:15 AM
#5
>> I don't have permission to inject scripts either, yet I was able to do so.
>
> Then... what you did was illegal.
>
> I don't know which country you are from. But the server is hosted by Amazon in the US.
> And when pentesting a service hosted by Amazon, you don't only need permission from the owner of the website, but also from Amazon.
>
> If you don't have both of them, you can be made liable for your actions.

I work as a security analyst, and finding bugs and reporting them is my side hustle.
I have passed relevant information to the owners and this thread is proof.
Good day.
legendary
Activity: 1624
Merit: 2509
May 09, 2020, 08:50:36 AM
#4
> I don't have permission to inject scripts either, yet I was able to do so.

Then... what you did was illegal.

I don't know which country you are from. But the server is hosted by Amazon in the US.
And when pentesting a service hosted by Amazon, you don't only need permission from the owner of the website, but also from Amazon.

If you don't have both of them, you can be made liable for your actions.

member
Activity: 192
Merit: 72
Security
May 09, 2020, 08:45:54 AM
#3
>> Description of subType of the issue:
>>
>> X-XSS-Protection: 0
>>
>> This behavior does not in itself constitute a vulnerability; in some cases XSS filters may themselves be leveraged to perform attacks against application users. However, in typical situations XSS filters do provide basic protection for application users against some XSS vulnerabilities in applications. The presence of this header should be reviewed to establish whether it affects the application's security posture.
>>
>> Issue remediation
>>
>> Review whether the application needs to disable XSS filters. In most cases you can gain the protection provided by XSS filters without the associated risks by using the following response header:
>>
>> X-XSS-Protection: 1; mode=block
>>
>> When this header is set, browsers that detect an XSS attack will simply render a blank page instead of attempting to sanitize the injected script. This behavior is considerably less likely to introduce new security issues.
>
> The X-XSS-Protection header isn't really needed.
> It isn't even implemented in Firefox.
>
> It can be quite helpful with old browsers, but is pretty much useless since such things should be handled with CSP.
>
>> I am pasting the response from the server and some part of the request.
>>
>> I was able to get the directory listing for /.../etc/passwd with the payload, though the information was encrypted, as I was not able to go inside that folder.
>>
>> Payload with the hidden script: https://forum.stake.com/uploads/monthly_2020_05/payload.thumb.PNG.e582e1770e4dc9fb6ee69225efdb410a.PNG
>>
>> Response: https://forum.stake.com/uploads/monthly_2020_05/response.thumb.PNG.05b58139d32afc4c68f2bf7961a7e1f6.PNG
>>
>> I was able to get the client IP address and server details.
>
> I can't verify this since permission from the owner is required to test anything which is related to injecting scripts/commands.

I don't have permission to inject scripts either, yet I was able to do so.
legendary
Activity: 1624
Merit: 2509
May 09, 2020, 08:42:11 AM
#2
> Description of subType of the issue:
>
> X-XSS-Protection: 0
>
> This behavior does not in itself constitute a vulnerability; in some cases XSS filters may themselves be leveraged to perform attacks against application users. However, in typical situations XSS filters do provide basic protection for application users against some XSS vulnerabilities in applications. The presence of this header should be reviewed to establish whether it affects the application's security posture.
>
> Issue remediation
>
> Review whether the application needs to disable XSS filters. In most cases you can gain the protection provided by XSS filters without the associated risks by using the following response header:
>
> X-XSS-Protection: 1; mode=block
>
> When this header is set, browsers that detect an XSS attack will simply render a blank page instead of attempting to sanitize the injected script. This behavior is considerably less likely to introduce new security issues.

The X-XSS-Protection header isn't really needed.
It isn't even implemented in Firefox.

It can be quite helpful with old browsers, but is pretty much useless since such things should be handled with CSP.

> I am pasting the response from the server and some part of the request.
>
> I was able to get the directory listing for /.../etc/passwd with the payload, though the information was encrypted, as I was not able to go inside that folder.
>
> Payload with the hidden script: https://forum.stake.com/uploads/monthly_2020_05/payload.thumb.PNG.e582e1770e4dc9fb6ee69225efdb410a.PNG
>
> Response: https://forum.stake.com/uploads/monthly_2020_05/response.thumb.PNG.05b58139d32afc4c68f2bf7961a7e1f6.PNG
>
> I was able to get the client IP address and server details.

I can't verify this since permission from the owner is required to test anything which is related to injecting scripts/commands.
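The post above pits the scanner's "X-XSS-Protection: 0" finding against the reply that the real control is Content-Security-Policy. The following is an added example written for this thread, not code from the original posts or from stake.com: it audits a response's headers the way that reply argues one should, reporting what the legacy X-XSS-Protection value does and judging the response only on whether its CSP actually restricts script execution. The two header sets are constructed samples (the first mirrors the reported finding, the second a hardened variant), and the nonce value is a placeholder.

```python
"""Audit the XSS-related response headers discussed in the thread.

Added example, not code from the thread or from stake.com: given an HTTP
response header set, explain what the legacy X-XSS-Protection value does
and check whether a Content-Security-Policy restricts script-src tightly
enough to mitigate reflected XSS in browsers that ignore the legacy
header (Firefox never implemented it; Chromium removed its XSS Auditor
in version 78).
"""
from __future__ import annotations

# Constructed samples, not captured stake.com traffic.  The first mirrors
# the finding reported in the thread: filter disabled and no CSP at all.
REPORTED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "0",
}

# Hardened variant: legacy filter left off, nonce-based CSP that blocks
# inline and third-party script.  'strict-dynamic' lets the nonced
# scripts load their own dependencies.  The nonce is a placeholder.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'nonce-r4nd0m' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    ),
}

# Source expressions that leave script-src effectively open.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:", "'unsafe-eval'"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_is_strict(policy: dict[str, list[str]]) -> bool:
    """True if the effective script policy blocks injected inline script.

    script-src falls back to default-src when absent.  'unsafe-inline' is
    tolerated only next to a nonce or hash, because CSP3 browsers then
    ignore it (the usual backwards-compatibility pattern).
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]  # keywords are case-insensitive
    if any(s in PERMISSIVE_SOURCES for s in lowered):
        return False
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return not ("'unsafe-inline'" in lowered and not has_nonce_or_hash)


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response (header names matched case-insensitively)."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings: list[str] = []

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection absent: legacy filter browsers fall back to their default")
    elif xss.startswith("0"):
        findings.append("X-XSS-Protection: 0 turns the legacy browser filter off")
    elif "mode=block" in xss.replace(" ", "").lower():
        findings.append("X-XSS-Protection: 1; mode=block: legacy browsers render a blank page on detection")
    else:
        findings.append("X-XSS-Protection: 1 without mode=block: the filter rewrites the page, a mode that has itself been abused to leak data")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: current browsers get no XSS mitigation here")
    elif not script_src_is_strict(parse_csp(csp)):
        findings.append("Content-Security-Policy present but script-src still allows injected script")
    return findings


def verdict(headers: dict[str, str]) -> str:
    """'hardened' only when a CSP restricts script execution; the legacy
    header never changes the verdict because current browsers ignore it."""
    csp = {k.lower(): v for k, v in headers.items()}.get("content-security-policy")
    return "hardened" if csp and script_src_is_strict(parse_csp(csp)) else "weak"


if __name__ == "__main__":
    for label, resp in (("reported", REPORTED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}] verdict={verdict(resp)}")
        for line in audit_headers(resp):
            print("  -", line)
```

Running the script prints "weak" for the reported header set and "hardened" for the variant with a nonce-based CSP. The verdict deliberately ignores X-XSS-Protection: whichever value is chosen, it only affects browsers that still ship a reflective XSS filter, so a response without a restrictive script-src stays exposed in Firefox and current Chromium regardless of that header, which is the point the reply above makes.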
member
Activity: 192
Merit: 72
Security
May 09, 2020, 03:33:00 AM
#1
--