CSAW 2015 – Web 500 (Weebdate) Writeup

Challenge Info

  • CTF: CSAW 2015
  • Challenge: Weebdate
  • Category: Web
  • Points: 500

Challenge Description

    Since the Ashley Madison hack, a lot of high profile socialites have scrambled to find the hottest new dating sites. Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2 factor TOTP key so we can break into his profile and investigate.

    Flag is md5($totpkey.$password)

    http://54.210.118.179/

Continue reading

Google.com – Mobile Feedback URL Redirect Regex/Validation Flaw

Back in October of last year I discovered a JavaScript flaw on Google.com that bypassed protocol validation by abusing an if check against a URL parsed by regex. I was unable to find a way to attack this vector, but was still rewarded a bounty of $500 due to Google knowing of an active browser vulnerability that allowed them to exploit it successfully.

Continue reading

Flickr API Explorer – Force users to execute any API request.

Flickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.

Continue reading

Detecting Burp Suite – Part 1 of 3: Info Leak

image

I recently started to review the automated vulnerability scanner Burp Suite because of its widespread usage. The tool is used by many security bounty hunters, security professionals, and blackhat hackers for automated scanning and vulnerability detection. While I was using Burp, I was wondering to myself how easy it is for a server to detect that I am using this tool.

Continue reading

Facebook – Stored Cross-Site Scripting (XSS) – Badges

The Facebook badges page was vulnerable to stored Cross-Site Scripting (XSS). This was initially reported back in August 2013, but due to communication problems over e-mail it wasn't fixed until early January. Neither party is to blame, but this shows some of the difficulties that companies can face communicating with security researchers.

Continue reading