Pages:
Author

Topic: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection - page 2. (Read 1092 times)

Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
You can't just start doing pentests on any website/service you encounter.

Of course you can.  Justice takes "intent" into account. It's not against the law to break into a house unless you intend to do something illegal.

If he doesn't want visitors to his website, he should take it offline. 
hero member
Activity: 1806
Merit: 672
The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclose them?



OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.

bob123 is right on this one, OP just by trying to alter anything on nastfans' website without any kind of permission to the owner can be considered as hacking in itself. It doesn't matter if OP has good intentions or not, someone else's property (nastyfan website) was altered/tested by someone who doesn't have any kind of permission too. Posting this earlier without any kind of replies back from either OGnasty or nonnakip is also a bad move made in his part frankly the OP didn't do any kind of good intention by posting this right away.
sr. member
Activity: 1288
Merit: 415
OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

Nothing of that sort, it's just called ethics.
legendary
Activity: 1624
Merit: 2481
The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclose them?



OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

member
Activity: 192
Merit: 72
Security
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:   
Code:
">
3. Press submit and see the XXS being execute.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.



This question still matter's as it's not good look or practice at testing vulnerabilities on such website's without the owner's knowledge.

OP should have atleast notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.
The requested person was informed before disclosing it here.
legendary
Activity: 1624
Merit: 2481
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:   
Code:
">
3. Press submit and see the XXS being execute.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.



This question still matter's as it's not good look or practice at testing vulnerabilities on such website's without the owner's knowledge.

OP should have atleast notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.
sr. member
Activity: 1288
Merit: 415
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

This question still matter's as it's not good look or practice at testing vulnerabilities on such website's without the owner's knowledge.

OP should have atleast notified OgNasty before injecting any scripts.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.

I sent a PM to naypalm last night, in case he is not aware of this thread.
copper member
Activity: 2996
Merit: 2374
The analyzer site appears to be run by naypalm who was active in the last week.

In any case, I don’t think someone not logging in for a long time is a reason to not make an attempt to disclose the vulnerability, even if they don’t actually receive the message or act on it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.
copper member
Activity: 2996
Merit: 2374
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?
legendary
Activity: 3010
Merit: 8114
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

It's all explained in great detail here.

That's a decent explanation but I prefer this one. You have to listen to at least 40 seconds of it to get its full implication.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Very sloppy work.   While spending a few minutes, I clicked on his analyzer link, and it nicely analyzed some of the projects he was involved with over the years.

http://www.uberbills.com/
legendary
Activity: 3654
Merit: 8909
https://bpip.org
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

It's all explained in great detail here.

This still depends on whether and how the same-origin-policy is implemented.

True. It's not quite as simple as I made it sound.
legendary
Activity: 1624
Merit: 2481
Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

What you have shown is "just" a reflected XSS, not a persistent one.
You would need to send the URL with the injected code as a parameter to a person. That person would need to click on that link and have JS enabled for the script to be executed.

You can't inject a script into the server this way. And you definitely can't steal data from the server with this method.



It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

This still depends on whether and how the same-origin-policy is implemented.
hero member
Activity: 1372
Merit: 783
better everyday ♥
To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled.
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes
member
Activity: 192
Merit: 72
Security
I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

Nastyfans is vulnerable to  CWE 601 open redirect vulnerability too.

To anawer your question , tgey dont have 2fa or even a email.confirmation system.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.
member
Activity: 192
Merit: 72
Security
I am curious to know what OG will do after this thread  Cheesy I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this
A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

Why don't you try it yourself??

1. Go to: https://analyzer.nastyfans.org/?s=1

2. Inside the search, paste:  
Code:
">

3. Press submit and see the XXS being execute.
___________________________________________________

You simply cannot go to every search button and paste the script to check if the pop up comes or not, you need to dig inside the code to find if there is any reflected parameter or not, how does the sanitizer for the current website works..etc.

That is why I pasted so many screenshots as I was doing research on the website for the vulnerability bounty, but all in vain.

So far what I have tried on bitcointalk, believe me bitcointalk has some of great script protection. I have tried a lot to execute all kinds of XSS but it blocks me. I hope theymos is paying too much to cloudflare.
Bitcointalk has some smart sanitization for every input but just not for merit where 1ds as merit amount will surely let you spend 1 merit but ds1 won't.
On top of all, it is the attitude of a person, theymos has always entertained me for any problem that I have ever reported to me, unlike saying don't tell me I don't operate the site.
Pages:
Jump to: