Nilesh Kumar

Yes, I know Open Redircetion Vulnerablities are abundant on various sites and can be found easily. However I take this opportunity to populate my blog with various flaws found by me just for record. Who cares thousands of redirection flaws found on many sites but when the vendor is so prominent and didn't pay attention to the problem even when notified to them many days back..and still remains unfixed..it is surprising. The Open redirection vulnerability may be an easily dectectable one but when it comes to exploit it..it can lead to serious consequences like..misdirecting users to any malicious site ,which in turn, can download malwares on user's PC, Phishing attack or even DOS in certain cases and that too on cost of Vendor's reputation. That's why waiting for the vendor to fix it I am going to publish it here. The following URL: http://images.google.co.in/imgres?imgurl=http://aaa.com/a.jpg&imgrefurl=http://www.aaa.com can be used to redirect a user to another sit...

These days there is much noise about a new term "Clickjacking". I think the term is new in itself not the the way it executes. Clickjacking is a form of UI redressing attack and equivalent to XSRF attack. Like XSRF attack it also uses the credentials of already authenticated user to execute the request successfully because the server can't differentiate between user's request and an extranal hacker's link. Then came the mitigation to this XSRF attack to use page-nonces,randomly generated one time hashes or values, which are included in every page request-response uniquely. The main risk imposed by Clickjacking is the ability to bypass nonce-based XSRF defence. In the Clickjacking attack, the user interacts directly with the target Web page, which is visually hidden , so all transactions include a valid nonce and the attack is left undetected.Clickjacking has proved that our theory about nonce-based defense and where its weaknesses lies is true.The main risk impose...

Although the attack is not severe in nature but can create interruption in user's logged in session. Yahoomail doesn't use any button to log the user out. It simply provides a link 'Sign-Out' for the logging out the current session. If the link is encoded in any form (or say disguised in tinyurl) and mailed to any logged in user in yahoomail and if he clicks it,the user who is visiting that page would immediately be logged out. From the webserver's perspective, there is no difference whatsoever between a real user initiated browser request and the above URL retrieval. It doesn't carry necessary credentials(e.g. anti XSRF tokens,or any uniquely token generated for the logged in user) with itself to tell the server that it's an extrenal request.Rather it will be using logged in user's credentials to complete the request! The time discovered it , the other functions of yahoomail was not vulnerable except this "Sign-Out" function. I had informed th...

Open Redirection Vulnerability has been found on Cisco site cisco.com. The URL: http://www.cisco.com/survey/exit.html?http://blogs.cisco.com/ is suffering form the flaw. Threat: DOS Attack, Phishing. The following URL will redirect a user to another site(eg: rediff.com). The URL can be used for Phishing attack http://www.cisco.com/survey/exit.html?http://rediff.com This can be further escalated by mal-forming the link. Something like the following can be used to cause the Denial of Service Attack: http://www.cisco.com/survey/exit.html?//www.cisco.com/survey/exi t.html?http://www.cisco.com/survey/exit.html?http://www.cisco.com/surve y/exit.html?http://www.cisco.com/survey/exit.html?http://www.cisco.com/ survey/exit.html?http://rediff.com Vendor Notification: Vendor was notified on January 03,2009. They assured me that they will look in the matter but few days before it was 'unfixed'.

Website/Vendor: Freshersworld.com Vendor notified at: 31/12/2008 URL: http://freshersworld.com/jobs/catjobs.asp?cat=Software Description: Description: If a query like http://freshersworld.com/jobs/catjobs.asp?cat='"zzz

Website/Vendor: Freshersworld.com Vendor notified at: 31/12/2008 URL: http://freshersworld.com/jobs/catjobs.asp?cat=Software Description: The nature of the XSS was very simple and that's why very easily exploitable. If a query like http://freshersworld.com/jobs/catjobs.asp?cat=>'><ScRiPt%20%0a%0d>alert('Testing')%3B</ScRiPt> is supplied the XSS is executed on the page. Now exploiting it is a play for any 'Hacker's Child' ! ;) It has been listed on www.xssed.com