Google.com – Mobile Feedback URL Redirect Regex/Validation Flaw

Back in October of last year I discovered a JavaScript flaw on Google.com that bypassed protocol validation by abusing an if check against a URL parsed by regex. I was unable to find a way to attack this vector, but was still rewarded a bounty of $500 due to Google knowing of an active browser vulnerability that allowed them to exploit it successfully.

Continue reading

Flickr API Explorer – Force users to execute any API request.

Flickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.

Continue reading

Steam Vulnerabilities – Part 1

image

I decided to take a look at the security of Valve’s websites recently after noticing Valve put up a security disclosure page two weeks ago. Although I did take a look at non-Steam websites, I focused almost entirely on the Steam Community and store because of how widely it is used via the Steam client.

I submit these issues and most of them were fixed within a week. So if you know of any Steam or Valve related product exploits and haven’t had a chance or are not sure how to report them, you can send the vulnerabilities in an email to security@valvesoftware.com.

Continue reading

Detecting Burp Suite – Part 1 of 3: Info Leak

image

I recently started to review the automated vulnerability scanner Burp Suite because of its widespread usage. The tool is used by many security bounty hunters, security professionals, and blackhat hackers for automated scanning and vulnerability detection. While I was using Burp, I was wondering to myself how easy it is for a server to detect that I am using this tool.

Continue reading

Increasing Your Company’s Security by Encouraging Responsible Disclosures.

image

There’s always a gamble for security researchers when reporting vulnerability disclosures to companies. Is the company going to read your report? How will they react to me testing their security? Where can I send this report anyway? These are some of the questions the researcher is going to contemplate before making a decision that can financially impact the company they are trying to help.

Continue reading

Facebook – Stored Cross-Site Scripting (XSS) – Badges

The Facebook badges page was vulnerable to stored Cross-Site Scripting (XSS). This was initially reported back in August 2013, but due to communication problems over e-mail it wasn’t fixed until early January. Neither party is to blame, but this shows some of the difficulties that companies can face communicating with security researchers.

Continue reading