Topic: [ CWE-79 ] *.nastyfans.org is vulnerable to script injection (Read 1084 times)

legendary
Activity: 1624
Merit: 2481
[...]
I do not know who naypalm is, and it seems he last logged in a week back and is very infrequent here.
So I would disclose the vulnerability to the forum(only).

--------------------------
End of PM
--------------------------

So because he logs in infrequently you decided to publicly disclose it?
Because you need the attention and can't wait a month or two for it to be fixed?



Bottom line: How much can one do with reflected XSS? It is shit... and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community

All you can do is obviously to use the free version of Burp Suite and make popups.
You found a reflected XSS, not a persistent one.

You like your low-level examples, I understood this already.

For example, this:


This is only possible if the HttpOnly flag is not set.
Otherwise the cookie cannot be accessed by a script.

All you can do with that is to craft your own URL and send it to someone to have the script executed.

How would you exploit that on such a site, where no valuable or sensitive information is being stored/entered anyway?
Short answer: You can't.


You are obviously a script kiddy, breaking laws and being a dick, just to gain some attention.
You don't understand what you actually found and don't know how this could be exploited.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
So, OG lied when he cried extortion?  Not surprised.

member
Activity: 192
Merit: 72
Security
......I'm a bit confused as to what actually occurred here......
OP, Boris007: did you contact OG before posting this, in an attempt to notify the owner? If this was the case, and Og ignored it, then they had the right to publish their findings. If the server isn't vulnerable anyway, there is no offence in the actions of the OP....

So here is the gist of chat:

Me: Hi I found (XYZ) vulnerability, here is the POC.
OG: I don't run the particular site, BTW he has forwarded the message to nonakip.
Me: Is there any vulnerability bounty award ?? Can we disclose it in public??
OG: I don't run the mentioned site, so Boris007 must contact naypalm.
Me: Thanks for clarifying that this is not your website.
I do not know who naypalm is, and it seems he last logged in a week back and is very infrequent here.
So I would disclose the vulnerability to the forum(only).

--------------------------
End of PM
--------------------------

I don't know how it is extortion?? The thread Vod is a liar must change its title to Base64 (RFC 3548, RFC 4648) T2dOYXN0eQ== is a Liar.

Anyone who thinks I hate Og and created this thread: the answer is NO. I did not know who OgNasty was until a week ago. I contacted him as I do with many services. He clearly says he doesn't own the site, so I don't know how he comes in between. BTW thank you for notifying naypalm of this on the very first day, before this post.

Bottom line: How much can one do with reflected XSS? It is shit... and again one more shit reflected XSS by boris007 --Bob123456, Cat meow.
Top Line: https://www.dionach.com/blog/the-real-impact-of-cross-site-scripting/  --Security Community
_______________________________________________________________________________ ________

I believe that this thread is losing its path and now taking the path of hatred, jealousy and personal vendetta. I will close this thread after 12 hours. In case anyone has anything other than hatred and jealousy to post, they are welcome to do so.



sr. member
Activity: 1288
Merit: 415
Edit: Just noticed the OP claiming:

The requested person was informed before disclosing it here.

End of story.

Not yet !

Who was the person OP contacted? Did he even know the current owner of the website he is testing on and his contact info? What is the use of making the vulnerability public?

I don't think anyone/owner of any website would just avoid acting on the vulnerability when reported. It's even unacceptable that someone refused to act on it once informed.
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
I am not the owner of the server. This doesn’t affect the NastyFans server. It affects the Uberbills server operated by naypalm and I don’t believe contact was properly made with him prior to any disclosure.
legendary
Activity: 1680
Merit: 2212
This is a 3rd party site run by naypalm and has no functionality nor is it on the NastyFans server. It’s been broken for a long time. Maybe this will motivate naypalm to fix it. Nobody should be concerned by this. Just an idiot wasting his time and money on a poor attempt to extort me. The NastyFans server isn’t vulnerable.

Bottom line. No damage was done. This isn’t even the NastyFans server. This was a poor extortion attempt. The owner was not properly contacted before this was disclosed. This was very clearly a nefarious act, and a piss poor one at that.

By the sound of it, either the user contacted you to disclose the vulnerability which you ignored as insignificant (I'll take your word for it) and this is what you considered extortion, or they didn't contact you in advance in an attempt to notify the owner and therefore there was no extortion. I'm a bit confused as to what actually occurred here, as many are claiming that they didn't attempt to notify the owner, whereas you appear to be claiming otherwise. You surely can't extort someone if you've already publicly published the findings.

OP, Boris007: did you contact OG before posting this, in an attempt to notify the owner? If this was the case, and Og ignored it, then they had the right to publish their findings. If the server isn't vulnerable anyway, there is no offence in the actions of the OP.  It's not breaking & entering if the house is already broken and the doors wide open Tongue

The "break" is not literal.  

This is true:

The requested person was informed before disclosing it here.

End of story.
hero member
Activity: 1372
Merit: 783
better everyday ♥
It's all explained in great detail here.

That's a decent explanation but I prefer this one. You have to listen to at least 40 seconds of it to get its full implication.

Not only for 40 seconds, I had difficulty hearing. I mean I can write, but my listening skills are very bad, because I rarely communicate with people through this language; listening to a song is really harder than normal communication. I had to listen so many times  Roll Eyes But anyway, I like the way you guys put a song here  Cheesy

I'll give you some examples:
- enter a house for protection/shelter/aid or other emergency - not a crime
- enter a house you thought was abandoned to smoke weed - trespassing
- go into an understaffed hospital ward to gather supplies - B&E

The "break" is not literal.   
I will call it "dodge the law"  Cheesy Here, we jokingly say that learning to dodge law  Cheesy The law always has a loophole, if you understand it well, you can take advantage of it  Cheesy
legendary
Activity: 1554
Merit: 2036
People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.
Not really. It's a well laid out and written OP. The subject was thorough and complete. These are the types of things that will get a post merited regardless of someone agreeing with or disagreeing with the idea.

Now if they are adding them to trust lists then that's where you would start to question someone's judgment.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.

Yes, a script kiddy move to do it, and an attention whore move to try and publicize it as anything else. People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.

So, who extorted you, you liar?   Roll Eyes

And what happened to the 2,600 BTC you owed your depositors when you collapsed your ponzi?

Stop playing the victim. 
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.

Yes, a script kiddy move to do it, and an attention whore move to try and publicize it as anything else. People should also take note of the merit sources who merited the behavior as they clearly showed bad judgement in doing so.
member
Activity: 192
Merit: 72
Security
These attacks on OGNasty are getting increasingly desperate. As others have pointed out, it is well established in the hacking community (white and grey hat) that you first notify the owners of a site/code before making a public release. This was unethical, and IMO intended as an attack against OGNasty.
I have no intention to attack someone personally.
legendary
Activity: 3318
Merit: 2008
First Exclusion Ever
These attacks on OGNasty are getting increasingly desperate. As others have pointed out, it is well established in the hacking community (white and grey hat) that you first notify the owners of a site/code before making a public release. This was unethical, and IMO intended as an attack against OGNasty.
member
Activity: 192
Merit: 72
Security
There is not much more you can do with a reflected XSS on such a site. That's basically it.
Well, we can. It depends.
How about transferring to p*rnhub.com or to your bitcointalk.org profile page instead of popup??
legendary
Activity: 1624
Merit: 2481
What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.

He did exploit the vulnerability by creating the PoC popup.
There is not much more you can do with a reflected XSS on such a site. That's basically it.


Warning to future ethical hackers:   Do not contact OG about vulnerabilities - he will accuse you of a crime.   

An ethical hacker would not start to pentest a site/server without the permission of the owner and hoster.
It's more of a script kiddy move. And a pretty dumb one.
hero member
Activity: 633
Merit: 591
I just want to bring attention to that website https://nastyfans.org/ and https://analyzer.nastyfans.org/ are leaking security information and are vulnerable to script injection.

Leaking security information? Your plain text connection performs the leaking, not the server. If nastyfans members always go to nastyfans.org to sign in then they will use TLS and the credentials will be secure.

I maintain nastyfans.org and have responsibility for the security on it.

analyzer.nastyfans.org is a different server and is maintained by naypalm. Users must always be careful of phishing attacks. This is not the first time his server has had vulnerabilities. Perhaps it is unwise to allow analyzer.nastyfans.org to point to naypalm's server. Users can be misled into thinking it is the nastyfans server.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
This is a 3rd party site run by naypalm and has no functionality nor is it on the NastyFans server. It’s been broken for a long time. Maybe this will motivate naypalm to fix it. Nobody should be concerned by this. Just an idiot wasting his time and money on a poor attempt to extort me. The NastyFans server isn’t vulnerable.

Bottom line. No damage was done. This isn’t even the NastyFans server. This was a poor extortion attempt. The owner was not properly contacted before this was disclosed. This was very clearly a nefarious act, and a piss poor one at that.

No one extorted you,you idiot.    Roll Eyes

Edit:  Actually, I don't know that. OG - who contacted you about this and demanded money to not post it? Post their PMs and support your claim of extortion.   What I see is a new hacker trying to prove himself, and doing the right thing by not exploiting what he found.  I know nothing of him, but if I were in his shoes, I wouldn't respect a person who doesn't respect others. 

Warning to future ethical hackers:   Do not contact OG about vulnerabilities - he will accuse you of a crime.   

donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
The Minted Seat Analyzer is a 3rd party site run by naypalm. This was a poor extortion attempt targeting the wrong person.
legendary
Activity: 2660
Merit: 3012
Top Crypto Casino
@Vod, I don't get your logic here.
What could be the intent behind pentesting and scanning a website without the consent of its owner!
and why did he disclose the vulnerability publicly before it got patched!
Maybe OP's intentions are good, but by doing this, isn't he just making things easier for hackers?
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
It's not against the law to break into a house unless you intend to do something illegal.
That's absurd. The law is literally "Breaking and Entering" which would be broken as they did so with the intent to commit an offence.

Your legal system would be a mess.  "I didn't B&E, the window was left open!"  Smiley

I'll give you some examples:
- enter a house for protection/shelter/aid or other emergency - not a crime
- enter a house you thought was abandoned to smoke weed - trespassing
- go into an understaffed hospital ward to gather supplies - B&E

The "break" is not literal.   



legendary
Activity: 1554
Merit: 2036
It's not against the law to break into a house unless you intend to do something illegal.
That's absurd. The law is literally "Breaking and Entering" which would be broken as they did so with the intent to commit an offence. Trespassing would fit this as well, if we want to use silly comparisons for this matter. Wouldn't it have made more sense to look at Computer Crime Laws to attempt to defend OP.

I read this a few days ago, and first thought was probably should have posted this well after contacting OG about it. Maybe even posting in conjunction. Should have probably stated you were going to perform test before going ahead and doing so. I don't know shit about website design and security so I can't speak to much else here apart from general courtesies and socially acceptable practices.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
You can't just start doing pentests on any website/service you encounter.

Of course you can.  Justice takes "intent" into account. It's not against the law to break into a house unless you intend to do something illegal.

If he doesn't want visitors to his website, he should take it offline. 
hero member
Activity: 1806
Merit: 672
The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclosing them?



OP should have at least notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.

bob123 is right on this one; OP, just by trying to alter anything on nastyfans' website without any kind of permission from the owner, can be considered as hacking in itself. It doesn't matter if OP has good intentions or not; someone else's property (the nastyfans website) was altered/tested by someone who doesn't have any kind of permission either. Posting this early without any kind of reply back from either OGnasty or nonnakip is also a bad move on his part; frankly, the OP didn't show any kind of good intention by posting this right away.
sr. member
Activity: 1288
Merit: 415
OP should have at least notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

Nothing of that sort, it's just called ethics.
legendary
Activity: 1624
Merit: 2481
The requested person was informed before disclosing it here.

That's not responsible disclosure.

How much time did you give him to fix any vulnerabilities before publicly disclosing them?



OP should have at least notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

Without the approval of the owner of the site and the hoster, it definitely is illegal. Depending on the country, maybe "just" a gray area.
You can't just start doing pentests on any website/service you encounter.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
OP should have at least notified OgNasty before injecting any scripts.

Is that an objective standard?  A hacker's opinion?  Or maybe just mutual respect and consideration? 

OP could have done damage if he wanted - or sold the info.  He did the moral thing, and there is nothing illegal about it.

member
Activity: 192
Merit: 72
Security
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:   
Code:
">
3. Press submit and see the XSS being executed.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.



This question still matters, as it's not a good look or practice to test vulnerabilities on such websites without the owner's knowledge.

OP should have at least notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.
The requested person was informed before disclosing it here.
legendary
Activity: 1624
Merit: 2481
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

According to this:

Why don't you try it yourself??
1. Go to: https://analyzer.nastyfans.org/?s=1
2. Inside the search, paste:   
Code:
">
3. Press submit and see the XSS being executed.

I believe he initially posted it here and calls that a "responsible disclosure".

I wonder whether he got the permission to look for vulnerabilities from the server owner/administrator and hoster.



This question still matters, as it's not a good look or practice to test vulnerabilities on such websites without the owner's knowledge.

OP should have at least notified OgNasty before injecting any scripts.

It is not just "not good", but illegal.
sr. member
Activity: 1288
Merit: 415
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

This question still matters, as it's not a good look or practice to test vulnerabilities on such websites without the owner's knowledge.

OP should have at least notified OgNasty before injecting any scripts.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.

I sent a PM to naypalm last night, in case he is not aware of this thread.
copper member
Activity: 2926
Merit: 2348
The analyzer site appears to be run by naypalm who was active in the last week.

In any case, I don’t think someone not logging in for a long time is a reason to not make an attempt to disclose the vulnerability, even if they don’t actually receive the message or act on it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?

Do we know who is administrating the nastyfans.org site right now? The NastyFans service is being run by OgNasty but his thread says someone else made that website:

Bitcointalk user nonnakip has started a website for NastyFans where members can trade seats using an auction.

nonnakip has been inactive since last April so I'm not sure whether he's still managing the site today.
copper member
Activity: 2926
Merit: 2348
Did you responsibly disclose the vulnerability to the site owner? Or did you first publish this report publicly?
legendary
Activity: 3010
Merit: 8114
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

It's all explained in great detail here.

That's a decent explanation but I prefer this one. You have to listen to at least 40 seconds of it to get its full implication.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Very sloppy work.   While spending a few minutes, I clicked on his analyzer link, and it nicely analyzed some of the projects he was involved with over the years.

http://www.uberbills.com/
legendary
Activity: 3654
Merit: 8909
https://bpip.org
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes

It's all explained in great detail here.

This still depends on whether and how the same-origin-policy is implemented.

True. It's not quite as simple as I made it sound.
legendary
Activity: 1624
Merit: 2481
Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email, etc. along with server information. If the website, as claimed, operates 1000s of BTC then the vulnerability is intensified.

What you have shown is "just" a reflected XSS, not a persistent one.
You would need to send the URL with the injected code as a parameter to a person. That person would need to click on that link and have JS enabled for the script to be executed.

You can't inject a script into the server this way. And you definitely can't steal data from the server with this method.



It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

This still depends on whether and how the same-origin-policy is implemented.
hero member
Activity: 1372
Merit: 783
better everyday ♥
To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled.
It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right?  Roll Eyes
member
Activity: 192
Merit: 72
Security
I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.

Nastyfans is vulnerable to  CWE 601 open redirect vulnerability too.

To answer your question, they don't have 2FA or even an email confirmation system.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
I am also concerned that if what OP says really exists, has anyone taken advantage of it?

It does exist. To take advantage of it the attacker would have to coerce someone to visit attacker's site and nastyfans site at the same time (in the same browser session) and obviously have JS enabled. This is a serious hole. I hope there are e-mail confirmations or 2FA for any withdrawals etc.
member
Activity: 192
Merit: 72
Security
I am curious to know what OG will do after this thread  Cheesy I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this
A malicious person can inject a shell script and get the personal deposit address of respected accounts, email, etc. along with server information. If the website, as claimed, operates 1000s of BTC then the vulnerability is intensified.

Why don't you try it yourself??

1. Go to: https://analyzer.nastyfans.org/?s=1

2. Inside the search, paste:  
Code:
">

3. Press submit and see the XSS being executed.
___________________________________________________

You simply cannot go to every search button and paste the script to check if the pop-up comes or not; you need to dig inside the code to find whether there is any reflected parameter, how the sanitizer for the current website works, etc.

That is why I pasted so many screenshots as I was doing research on the website for the vulnerability bounty, but all in vain.

So far, from what I have tried on bitcointalk, believe me, bitcointalk has some great script protection. I have tried a lot to execute all kinds of XSS but it blocks me. I hope theymos is paying too much to cloudflare.
Bitcointalk has some smart sanitization for every input but just not for merit where 1ds as merit amount will surely let you spend 1 merit but ds1 won't.
On top of all, it is the attitude of a person: theymos has always entertained me for any problem that I have ever reported to him, unlike saying "don't tell me, I don't operate the site".
hero member
Activity: 1372
Merit: 783
better everyday ♥
I am curious to know what OG will do after this thread  Cheesy I am also concerned that if what OP says really exists, has anyone taken advantage of it? Specifically this
A malicious person can inject a shell script and get the personal deposit address of respected accounts, email, etc. along with server information. If the website, as claimed, operates 1000s of BTC then the vulnerability is intensified.

OG has been reminding me how I couldn't secure my hobby site, and he makes the same mistake while holding other people's coin.  :/
I thought that you and OG weren't really close, there was some conflict between you and him. Are you still talking to each other?  Cheesy
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
Good on you for exposing this before some hacker took advantage.

OG has been reminding me how I couldn't secure my hobby site, and he makes the same mistake while holding other people's coin.  :/
member
Activity: 192
Merit: 72
Security
Hi Guys!

I hope you are doing great in this difficult time of pandemic. I just want to bring attention to the fact that the websites https://nastyfans.org/ and https://analyzer.nastyfans.org/ are leaking security information and are vulnerable to script injection.
As an honest disclosure, I would like to share some requests and responses to the server that prove my point, and after that a POC.

In Action : https://youtu.be/PVaS2x9IK14

Request:

Response:

The response clearly shows that the s parameter is reflected here and could be vulnerable to cross-site scripting, but wait, we are not confirmed yet. Let's move to another part, i.e. https://analyzer.nastyfans.org/ , where we have a search function which leaks the search code as below:

Code:

Ohh... wait a minute, do you see the s parameter here too? Yes, it is there ('?s=1'), so we are now 60 percent confirmed that there is an XSS vulnerability on the site.

But as the legends say if you cannot execute a pop-up, you cannot prove that there is XSS to a layman.

So here is the POC:

In request of search add the following simple script to confirm the execution of the external script:

Request from Burp Suite:

Manual script injection:

Enter the below script in the search box :
Code:
">

Press submit and see the pop-up.

Effect:

A malicious person can inject a shell script and get the personal deposit address of respected accounts, email, etc. along with server information. If the website, as claimed, operates 1000s of BTC then the vulnerability is intensified.

A related bounty was resolved recently on HackerOne: https://hackerone.com/reports/449351


for the above vulnerability, the severity was moderate as the website was only vulnerable on IE but in this case it is vulnerable in all browsers including chrome, firefox, edge(latest version).

As per today the server was last updated on:

Code:
Logged At	Not Before	Not After
2020-06-06 2020-06-06

regards,
Borris007
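An added example (not code from the thread, the site or any poster) covering the two technical points made in this thread: the OP's observation that the s parameter is reflected into the search page, and bob123's note that a script can only read the session cookie when HttpOnly is unset. It models a search page that reflects s unescaped beside a hardened version with attribute-context escaping, emits a session cookie with HttpOnly set, and scans constructed log lines for s values that break out of the attribute; the page template, cookie name and log lines are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed page template (not the real site's markup): the search term is
# reflected into the value attribute of the search box, the context the
# OP's request/response dump shows for the ``s`` parameter.
PAGE = ('<html><body><form action="/" method="get">'
        '<input type="text" name="s" value="{value}">'
        '<input type="submit" value="Search"></form></body></html>')


def render_search_vulnerable(s):
    """Reflects ``s`` verbatim: a '"' ends the attribute and a '>' ends the
    tag, so whatever follows is parsed by the browser as markup."""
    return PAGE.format(value=s)


def render_search_hardened(s):
    """Same page with attribute-context escaping: escape(quote=True) rewrites
    '&', '<', '>', '"' and "'" so the value cannot leave the attribute."""
    return PAGE.format(value=escape(s, quote=True))


class _TagCollector(HTMLParser):
    # Records every start tag in document order, as a browser building the DOM would.
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


# The template on its own produces exactly these start tags, in this order.
EXPECTED_TAGS = ["html", "body", "form", "input", "input"]


def tags_in(rendered):
    """Start tags a parser sees in ``rendered``; any tag beyond EXPECTED_TAGS
    got there through the reflected parameter. Use as a regression test."""
    p = _TagCollector()
    p.feed(rendered)
    return p.tags


def session_cookie(session_id):
    """Set-Cookie value for the session id with the flags bob123 refers to:
    HttpOnly blocks document.cookie access, Secure and SameSite=Lax limit
    where the browser sends it. The cookie name 'session' is an assumption."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c["session"].OutputString()


# Detection for the site maintainer: flag requests whose ``s`` value carries
# attribute or tag delimiters after URL-decoding. Common log format assumed.
SUSPICIOUS = re.compile(r'["<>]')
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)')


def suspicious_search_requests(log_lines):
    """Return (path, decoded s value) for lines whose s parameter contains
    '"', '<' or '>'; parse_qs does the percent-decoding."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        for value in parse_qs(urlsplit(path).query).get("s", []):
            if SUSPICIOUS.search(value):
                hits.append((path, value))
    return hits


# Constructed sample log lines (not from any real server); the second one
# carries a harmless marker, '"><b>x', that breaks out of the attribute.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2020:10:00:00 +0000] "GET /?s=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Jun/2020:10:00:05 +0000] "GET /?s=%22%3E%3Cb%3Ex HTTP/1.1" 200 540',
    '198.51.100.9 - - [06/Jun/2020:10:01:00 +0000] "GET /?s=minted+seat HTTP/1.1" 200 530',
]
```

Comparing `tags_in(render_search_vulnerable(marker))` with `tags_in(render_search_hardened(marker))` for the same marker shows the extra tag the unescaped page grows, which is the whole difference between a reflected parameter and a harmless one.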