[ CWE-79 ] *.nastyfans.org is vulnerable to script injection - page 2.

Vod

legendary

Activity: 3668

Merit: 3010

Licking my boob since 1970

Quote from: bob123 on June 20, 2020, 07:46:01 AM

You can't just start doing pentests on any website/service you encounter.

Of course you can. Justice takes "intent" into account. It's not against the law to break into a house unless you intend to do something illegal.

If he doesn't want visitors to his website, he should take it offline.

Harlot

hero member

Activity: 1806

Merit: 671

Quote from: bob123 on June 20, 2020, 07:46:01 AM

Quote from: Boris007 on June 20, 2020, 05:16:05 AM

The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclose them?

Quote from: Vod on June 20, 2020, 05:51:01 AM

Quote from: hacker1001101001 on June 20, 2020, 01:48:21 AM

OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard? A hacker's opinion? Or maybe just mutual respect and consideration?

OP could have done damage if he wanted - or sold the info. He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.

bob123 is right on this one, OP just by trying to alter anything on nastfans' website without any kind of permission to the owner can be considered as hacking in itself. It doesn't matter if OP has good intentions or not, someone else's property (nastyfan website) was altered/tested by someone who doesn't have any kind of permission too. Posting this earlier without any kind of replies back from either OGnasty or nonnakip is also a bad move made in his part frankly the OP didn't do any kind of good intention by posting this right away.

hacker1001101001

sr. member

Activity: 1288

Merit: 415

Quote from: Vod on June 20, 2020, 05:51:01 AM

Quote from: hacker1001101001 on June 20, 2020, 01:48:21 AM

OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard? A hacker's opinion? Or maybe just mutual respect and consideration?

Nothing of that sort, it's just called ethics.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: Boris007 on June 20, 2020, 05:16:05 AM

The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclose them?

Quote from: Vod on June 20, 2020, 05:51:01 AM

Quote from: hacker1001101001 on June 20, 2020, 01:48:21 AM

OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard? A hacker's opinion? Or maybe just mutual respect and consideration?

OP could have done damage if he wanted - or sold the info. He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.

Vod

legendary

Activity: 3668

Merit: 3010

Licking my boob since 1970

Quote from: hacker1001101001 on June 20, 2020, 01:48:21 AM

OP should have atleast notified OgNasty before injecting any scripts.

Is that an objective standard? A hacker's opinion? Or maybe just mutual respect and consideration?

OP could have done damage if he wanted - or sold the info. He did the moral thing, and there is nothing illegal about it.

Boris007

member

Activity: 192

Merit: 72

Security

Quote from: bob123 on June 20, 2020, 04:44:54 AM

Quote from: Quickseller on June 19, 2020, 01:29:42 PM

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Quote from: Boris007 on June 18, 2020, 09:55:19 AM

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:

Code:

">

3. Press submit and see the XXS being execute.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.

Quote from: hacker1001101001 on June 20, 2020, 01:48:21 AM

This question still matter's as it's not good look or practice at testing vulnerabilities on such website's without the owner's knowledge.

OP should have atleast notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.

The requested person was informed before disclosing it here.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: Quickseller on June 19, 2020, 01:29:42 PM

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Quote from: Boris007 on June 18, 2020, 09:55:19 AM

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:

Code:

">

3. Press submit and see the XXS being execute.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.

Quote from: hacker1001101001 on June 20, 2020, 01:48:21 AM

This question still matter's as it's not good look or practice at testing vulnerabilities on such website's without the owner's knowledge.

OP should have atleast notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.

hacker1001101001

sr. member

Activity: 1288

Merit: 415

Quote from: Quickseller on June 19, 2020, 01:29:42 PM

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

This question still matter's as it's not good look or practice at testing vulnerabilities on such website's without the owner's knowledge.

OP should have atleast notified OgNasty before injecting any scripts.

Vod

legendary

Activity: 3668

Merit: 3010

Licking my boob since 1970

Quote from: NotATether on June 19, 2020, 01:48:21 PM

Quote from: Quickseller on June 19, 2020, 01:29:42 PM

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Quote from: OgNasty on June 10, 2012, 09:31:41 PM

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.

I sent a PM to naypalm last night, in case he is not aware of this thread.

Quickseller

copper member

Activity: 2870

Merit: 2298

The analyzer site appears to be run by naypalm who was active in the last week.

In any case, I don’t think someone not logging in for a long time is a reason to not make an attempt to disclose the vulnerability, even if they don’t actually receive the message or act on it.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: Quickseller on June 19, 2020, 01:29:42 PM

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Quote from: OgNasty on June 10, 2012, 09:31:41 PM

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.

Quickseller

copper member

Activity: 2870

Merit: 2298

Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

nutildah

legendary

Activity: 2982

Merit: 7986

Quote from: suchmoon on June 18, 2020, 02:08:06 PM

Quote from: ChuckBuck on June 18, 2020, 11:54:08 AM

It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right? Roll Eyes

It's all explained in great detail here.

That's a decent explanation but I prefer this one. You have to listen to at least 40 seconds of it to get its full implication.

Vod

legendary

Activity: 3668

Merit: 3010

Licking my boob since 1970

Very sloppy work. While spending a few minutes, I clicked on his analyzer link, and it nicely analyzed some of the projects he was involved with over the years.

http://www.uberbills.com/

suchmoon

legendary

Activity: 3654

Merit: 8909

https://bpip.org

Quote from: ChuckBuck on June 18, 2020, 11:54:08 AM

It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right? Roll Eyes

It's all explained in great detail here.

Quote from: bob123 on June 18, 2020, 01:54:29 PM

This still depends on whether and how the same-origin-policy is implemented.

True. It's not quite as simple as I made it sound.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: Boris007 on June 18, 2020, 01:51:18 AM

Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

What you have shown is "just" a reflected XSS, not a persistent one.
You would need to send the URL with the injected code as a parameter to a person. That person would need to click on that link and have JS enabled for the script to be executed.

You can't inject a script into the server this way. And you definitely can't steal data from the server with this method.

Quote from: suchmoon on June 18, 2020, 10:36:24 AM

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

This still depends on whether and how the same-origin-policy is implemented.

ChuckBuck

hero member

Activity: 1372

Merit: 783

better everyday ♥

Quote from: suchmoon on June 18, 2020, 10:36:24 AM

To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled.

It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right? Roll Eyes

Boris007

member

Activity: 192

Merit: 72

Security

Quote from: suchmoon on June 18, 2020, 10:36:24 AM

Quote from: ChuckBuck on June 18, 2020, 09:18:40 AM

I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

Nastyfans is vulnerable to CWE 601 open redirect vulnerability too.

To anawer your question , tgey dont have 2fa or even a email.confirmation system.

suchmoon

legendary

Activity: 3654

Merit: 8909

https://bpip.org

Quote from: ChuckBuck on June 18, 2020, 09:18:40 AM

I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

Boris007

member

Activity: 192

Merit: 72

Security

Quote from: ChuckBuck on June 18, 2020, 09:18:40 AM

I am curious to know what OG will do after this thread Cheesy

I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this

Quote from: Boris007 on June 18, 2020, 01:51:18 AM

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

Why don't you try it yourself??

1. Go to: https://analyzer.nastyfans.org/?s=1

2. Inside the search, paste:

Code:

">

3. Press submit and see the XXS being execute.
___________________________________________________

You simply cannot go to every search button and paste the script to check if the pop up comes or not, you need to dig inside the code to find if there is any reflected parameter or not, how does the sanitizer for the current website works..etc.

That is why I pasted so many screenshots as I was doing research on the website for the vulnerability bounty, but all in vain.

So far what I have tried on bitcointalk, believe me bitcointalk has some of great script protection. I have tried a lot to execute all kinds of XSS but it blocks me. I hope theymos is paying too much to cloudflare.
Bitcointalk has some smart sanitization for every input but just not for merit where 1ds as merit amount will surely let you spend 1 merit but ds1 won't.
On top of all, it is the attitude of a person, theymos has always entertained me for any problem that I have ever reported to me, unlike saying don't tell me I don't operate the site.

Topic: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection - page 2. (Read 1051 times)