I got acknowledged by AT&T for reporting 26 XSS vulnerabilities in their website. I was the first Sri Lankan to get acknowledged.
https://developer.att.com/developer/apiDetailPage.jsp?passedItemId=13400790
This was the E-Mail :
Thank you AT&T very much! Proud to get acknowledged! 😉
Today was a awesome day! I got rewarded with a brand new Nokia Lumia 920 for all my findings and my responsible disclosure done to Nokia!
This was the E-mail :
Thank you Nokia very much for the reward! I won’t forget you guys 🙂
Yeah! For the second time my name got published in Adobe Security Acknowledgements page! This time I found a vulnerable version of PHP of their servers 😉
http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
I found a POST XSS vulnerability in the Salesforce web site. For reporting it I was rewarded with a Amazon gift card. Special thanks Mr.Suchit Mishra 🙂
Lumosity had a undiscovered DOM XSS vulnerability during their signup process. By injecting our payload into the name field we were able to get javascript interpreted back nicely in the edit page. Here is a screenshot. Also we can change our name parameter to our XSS payload and get javascript interpreted back the same way. This is a persistent DOM XSS vulnerability. (more…)
The blog of Constant Contact was hosted on a vulnerable version of PHP in which their was a public exploitable bug. It was confirmed that it was hosted by a third party and after patching their bug they wanted my name to get published in the Thanks section. So here you go.
http://www.constantcontact.com/security/report-vulnerability
In this vacation I thought of learning to use egg hunters in exploit development. This is just a small write up just after successful exploitation of my meterpreter reverse_tcp shellcode. This is the original exploit which was published in 2010 http://www.exploit-db.com/exploits/15834/. I wanted to implement a egg hunter code to search our shellcode with our tag throughout the heap, stack, etc. Egg hunters are used when we have a limited buffer space.
Download the vulnerable Kalbri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip
I assume you have a good knowledge on developing stack based buffer overflow exploits, about registers, little-endianness,etc which is the very basics.
I developed this exploit under Windows XP SP2 using the USER32.dll which is a operating system dll to find a jump to esp (JMP ESP) command. This application doesn’t use any dlls so this is a platform dependent exploit.
As I mentioned earlier this is very brief write up. The offset is at 515 bytes . Our plan is to overwrite the EIP register with our JMP ESP address and we want jump back 60 bytes backwards to the starting point of our hunter so that it would be executed. Then it would search everywhere inside the memory to find the tag and execute our shellcode. Opcode for jmp is EB and 60 bytes back means -60 is C4 so the shellcode would be \xeb\xc4.
Finally I was mentioned in Oracle for reporting a double query SQL injection vulnerability and 2 reflected XSS bugs bypassing filters.
I was mentioned in their On-Line Presence Security Contributors under the Credit Statement:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Also mentioned in the Common Vulnerability Reporting Format (CVRF) document over here:
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1865183.xml
Received thanks from Magisto.com for reporting a cross site scripting and a content spoofing issue in their blog.
