Binary.com critical vulnerability to remotely steal users' money

Eight days ago I tweeted about hitting binary.com with a killing vulnerability and since it's fixed and publicly disclosed on HackerOne I decided to write about it here on my blog.
In the Thursday bug hunting night like other researchers I decided to have a look at the new published programs on HackerOne so I started to look for some bugs in algolia and binary.com which were the two newest published programs.
I found some bugs in both websites , but the most interesting one was a bug in cashier on binary.com.
That bug allowed me to login to any user's cashier account by just knowing the user ID.
Technical details about the bug can be found here on HackerOne , it's publicly disclosed :
https://hackerone.com/reports/98247

Your feedback is highly appreciated.

Comments

Post a Comment

Popular posts from this blog

Handlebars template injection and RCE in a Shopify app

Image
TL;DR We found a zero-day within a JavaScript template library called handlebars and used it to get Remote Code Execution in the Shopify Return Magic app. The Story: In October 2018, Shopify organized the HackerOne event "H1-514" to which some specific researchers were invited and I was one of them. Some of the Shopify apps that were in scope included an application called "Return Magic" that would automate the whole return process when a customer wants to return a product that they already purchased through a Shopify store. Looking at the application, I found that it has a feature called Email WorkFlow where shop owners can customize the email message sent to users once they return a product. Users could use variables in their template such as {{order.number}} , {{email}} ..etc. I decided to test this feature for Server Side Template injection and entered {{this}} {{self}} then sent a test email to myself and the email had [object Object] within ...
Read more

SQL Injection and A silly WAF

Image
Hi Folks, Today I'll be writing about some interesting SQL injection vulnerabilities I recently found. This is a private program so I won't be mentioning who the vendor is. #1: WAF? ok! At a lovely hacking night I started testing for a private bug bounty program, after about 30 minutes of throwing random single and double quotes inside all the parameters, one of the endpoints returned an error saying: {"error":"An unexpected error has occured"} So I looked at the request and set the value of the parameter to `23' and '1'='1` and as expected the endpoint returned valid results which means it's vulnerable to SQL injection! That's it, a lovely basic Boolean-Based SQL injection let's write the report and get a nice bounty! But... THE WAF! While further exploiting this vulnerability to extract data from the database as a proof of concept, the endpoint was returning {"error":" undergoing correct...
Read more

SQL Injection: Utilizing XML Functions in Oracle and PostgreSQL to bypass WAFs

Image
TL;DR. In this blog post we will be discussing how built-in XML functions in Oracle and PostgreSQL database management systems can be used to bypass web application firewalls (WAFs). I will be presenting two real-life examples from private bug bounty programs where traditional methods for bypassing WAFs were not effective. Introduction It's really frustrating when you find a valid SQL injection vulnerability, but there isn't much to do because of a WAF blocking most of your payloads. Many WAF rules can be bypassed using character case switching, comments, splitting the payload into multiple parameters, double URL encoding and many other methods that depend on how the target application and the WAF handle your requests.  However, In the cases we are discussing in this blog, I was not able to bypass the WAF using common WAF bypass methods.  Case 1: SQL Injection in an Oracle database - WAF bypass using REGEXP_LIKE() and DBMS_XMLGEN.GETXMLTYPE() *This is a private bug bounty prog...
Read more