Topic: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection (Read 1092 times)

So because he logs in infrequently you decided to publicly disclose it ?
Because you need the attention and can't wait a month or two for it to be fixed ?




All you can do is obviously to use the free version of the burp suite and make popups.
You found a reflected XSS, not a persistent one.

You like your low-level examples, i understood this already.

For example, this:

This is only possible, if the HttpOnly flag is not set.
Otherwise the cookie can not be accessed by a script.

All you can do with that is to craft an own URL, and send it to someone to have the script being executed.

How would you exploit that on such a site, where no valuable or sensitive information is being stored/entered anyway?
Short answer: You can't.


You are obviously a script kiddy, breaking laws and being a dick, just to gain some attention.
You don't understand what you actually found and don't know how this could be exploited.

So, OG lied when he cried extortion?  Not surprised.

So here is the gist of chat:

Me: Hi I found (XYZ) vulnerability, here is the POC.
OG: I don't run the particular site, BTW he has forwarded the message to nonakip.
Me: Is there any vulnerability bounty award ?? Can we disclose it in public??
OG: I don't run the mentioned site, so Boris007 must contact the naypalm.
Me: Thanks for clarifying that this is not your website.
I do not know who naypalm is and it seems he last logged a week back is very infrequent here.
So I would disclose the vulnerability to the forum(only).

--------------------------
ENd of PM
--------------------------

I don't know how it is extortion?? The thread Vod is a liar must change its title to Base64 (RFC 3548, RFC 4648) T2dOYXN0eQ== is a Liar.

Anyone who thinks I hate Og and created this thread, then answer is NO. I did not know who is OgNasty before a week back. I contacted him as I do with many services. He clearly says he doesn't own the site so I don't know how he comes in between. BTW thankyou for notifying this to naypalm on the very first day before this post.

Bottom line: What much one can do with reflected XSS? It is shit..and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community
_______________________________________________________________________________ ________

I believe that this thread is losing the path and now taking path hatred, Jealous, personal vendetta. I would close this thread after 12 hours. In case anyone has anything else than hatred and jealousy to post are do welcome.

Not yet !

Who was the person OP contacted with? Did he even knew the current owner of the website he is testing on and his contact info ? What is the use of making the vulnerability public ?

I don't think anyone/owner of the any website would just avoid acting on the vulnerability when reported. It's even unacceptable that someone denied to act on it once informed.

I am not the owner of the server. This doesn’t effect the NastyFans server. It effects the Uberbills server operated by naypalm and I don’t believe contact was properly made with him prior to any disclosure.

By the sound of it, either the user contacted you to disclose the vulnerability which you ignored as insignificant (I'll take your word for it) and this is what you considered extortion, or they didn't contact you in advance in an attempt to notify the owner and therefore there was no extortion. I'm a bit confused as to what actually occurred here, as many are claiming that they didn't attempt to notify the owner, whereas you appear to be claiming otherwise. You surely can't extort someone if you've already publicly published the findings.

OP, Boris007: did you contact OG before posting this, in an attempt to notify the owner? If this was the case, and Og ignored it, then they had the right to publish their findings. If the server isn't vulnerable anyway, there is no offence in the actions of the OP.  It's not breaking & entering if the house is already broken and the doors wide open


This is true:


End of story.

Not only for 40 seconds, I had difficulty hearing. I mean I can write, but my listening skills are very bad, because I rarely communicate with people through this language, listening to a song is really harder than normal communication. I had to listen to so many times  But anyway, I like the way you guys put a song here 

I will call it "dodge the law"  Here, we jokingly say that learning to dodge law  The law always has a loophole, if you understand it well, you can take advantage of it 

Not really. It's a well layed out and written OP. The subject was thorough and complete. These are the types of things that will get a post merited regardless of someone agreeing with or disagreeing with the idea.

Now if they are adding them to trust lists then that's where you would start to question someones judgment.

So, who extorted you, you liar?   

And what happened to the 2,600 BTC you owed your depositors when you collapsed your ponzi?

Stop playing the victim. 

Yes, a script kiddy move to do it, and an attention whore move to try and publicize it as anything else. People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.

I have no intention to attack someone personally.

These attacks on OGNasty are getting increasingly desperate. As others have pointed out, it is well established in the hacking community (white and grey hat) that you first notify the owners of a site/code before making a public release. This was unethical, and IMO intended as an attack against OGNasty.

Well we can do, It depends.
How about transferring to p*rnhub.com or to your bitcointalk.org profile page instead of popup??

He did exploit the vulnerability by creating the PoC popup.
There is not much more you can do with a reflected XSS on such a site. That's basically it.



An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.

Leaking security information? Your plain text connection performs the leaking not the server. If nastyfans members go always to nastyfans.org to sign in then they will use TLS and the credentials will be secure.

I maintain nastyfans.org and have responsibility for the security on it.

analyzer.nastyfans.org is a different server and is maintains by naypalm. Users must always be careful of phishing attacks. This is not the first time his server has vulnerabilities. Perhaps it is unwise to allow analyzer.nastyfans.org to point to naypalm's server. Users can be misleading to think it is the nastyfans server.

No one extorted you,you idiot.    

Edit:  Actually, I don't know that. OG - who contacted you about this and demanded money to not post it? Post their PMs and support your claim of extortion.   What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.  I know nothing of him, but if I were in his shoes, I wouldn't respect a person who doesn't respect others. 

Warning to future ethical hackers:   Do not contact OG about vulnerabilities - he will accuse you of a crime.   

The Minted Seat Analyzer is a 3rd party site run by naypalm. This was a poor extortion attempt targeting the wrong person.

@Vod, I don't get your logic here.
What could be the intent behind pentesting and scanning a website without the consent of its owner!
and why did he disclose the vulnerability publicly before it got patched!
Maybe OP's intentionts are good, but by doing this, isn't he just making things easier for hackers?

Your legal system would be a mess.  "I didn't B&E, the window was left open!" 

I'll give you some examples:
- enter a house for protection/shelter/aid or other emergency - not a crime
- enter a house you thought was abandoned to smoke weed - trespassing
- go into an understaffed hospital ward to gather supplies - B&E

The "break" is not literal.   

That's absurd. The law is literally "Breaking and Entering" which would be broken as they did so with the intent to commit an offence. Trespassing would fit this as well, if we want to use silly comparisons for this matter. Wouldn't it have made more sense to look at Computer Crime Laws to attempt to defend OP.

I read this a few days ago, and first thought was probably should have posted this well after contacting OG about it. Maybe even posting in conjunction. Should have probably stated you were going to perform test before going ahead and doing so. I don't know shit about website design and security so I can't speak to much else here apart from general courtesies and socially acceptable practices.