
Topic: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection - page 3. (Read 1052 times)

hero member
Activity: 1372
Merit: 783
better everyday ♥
I am curious to know what OG will do after this thread. I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this
A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

OG has been reminding me how I couldn't secure my hobby site, and he makes the same mistake while holding other people's coin.  :/
I thought that you and OG weren't really close, there was some conflict between you and him. Are you still talking to each other?
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Good on you for exposing this before some hacker took advantage.

OG has been reminding me how I couldn't secure my hobby site, and he makes the same mistake while holding other people's coin.  :/
member
Activity: 192
Merit: 72
Security
Hi Guys!

I hope you are doing great in this difficult time of pandemic. I just want to bring attention to the fact that the websites https://nastyfans.org/ and https://analyzer.nastyfans.org/ are leaking security information and are vulnerable to script injection.
As an honest disclosure, I would like to share some requests and responses to the server that prove my point, and after that a POC.

In Action : https://youtu.be/PVaS2x9IK14

Request:



Response:



The response clearly shows that the s parameter is reflected here and could be vulnerable to cross-site scripting, but wait, we are not confirmed yet. Let's move to another part, i.e. https://analyzer.nastyfans.org/ , here we have a search function which leaks the search code as below:

Code:




Ohh...wait a minute, do you see the s parameter here too? Yes, it is there '?s=1 , so we are now 60 percent confirmed that there is an XSS vulnerability on the site.

But as the legends say if you cannot execute a pop-up, you cannot prove that there is XSS to a layman.

So here is the POC:

In request of search add the following simple script to confirm the execution of the external script:

Request from Burp Suite:



Manual script injection:

Enter the below script in the search box :
Code:
">



Press submit and see the pop-up.



Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email..etc along with server information. If the website as claimed to operate 1000s of BTC then the vulnerability is intensified.

A related bounty was resolved recently on HackerOne: https://hackerone.com/reports/449351

For the above vulnerability, the severity was moderate as the website was only vulnerable on IE, but in this case it is vulnerable in all browsers including Chrome, Firefox, Edge (latest version).

As per today the server was last updated on:

Code:
 Logged At  ⇧	Not Before	Not After		
2020-06-06 2020-06-06




regards,
Borris007
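
Added example for defenders, not part of the original post and not the site's own code: the fix for a reflected `s` search parameter is to encode it for the HTML context it is echoed into, and the check below confirms the value stays inside the attribute. The form template, function names and probe string are assumptions constructed for illustration; the page does not show the site's real markup.

```python
import html
from html.parser import HTMLParser

# Hypothetical template: the post only shows that the `s` query parameter
# is echoed back in the search response, not the actual markup.
TEMPLATE = '<form action="/search"><input type="text" name="s" value="{value}"></form>'

def render_unsafe(s: str) -> str:
    """Echo the parameter verbatim (the pattern the post reports)."""
    return TEMPLATE.format(value=s)

def render_safe(s: str) -> str:
    """Encode for an HTML attribute context before echoing."""
    return TEMPLATE.format(value=html.escape(s, quote=True))

class _Audit(HTMLParser):
    """Record every start tag and the decoded value of the name="s" input."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "s":
            self.value = attrs.get("value")

def audit(markup: str):
    parser = _Audit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.value

def reflects_safely(render, s: str) -> bool:
    """True when the input round-trips as the attribute value and adds no markup."""
    tags, value = audit(render(s))
    return tags == ["form", "input"] and value == s

# Constructed probe: closes the attribute and the tag, then adds a harmless element.
PROBE = '"><em>constructed</em>'

if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, reflects_safely(fn, PROBE), audit(fn(PROBE)))
```

The same round-trip check can run as a regression test against every template that echoes request parameters.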