Mahmoud Gamal - Security Blogs

This article was originally posted on Seekurity Blog: https://www.seekurity.com/blog/general/lets-steal-some-tokens/  Hey There, How you doing? Good? Cool! In this blog post I will be talking about my experience with minor bugs chained together to steal sensitive tokens. #1. Stealing CSRF tokens through Google Analytics. While randomly testing things on apps.shopify.com, I landed at some random app page and hit the  Write a review  button, I wasn’t logged in so I was redirected to the login page and after logging in I was redirected to the application page again. Ok, that’s normal. However, what wasn’t normal is that the URL I got redirected to contained this GET parameter  authenticity_token=[CSRF_TOKEN] . Yummy!!! I know Shopify allow you to add rich text to your application’s description,so I just thought I will load an image from my server and get the token from the referer header, or add a link to it and trick the victim to click it. Yup...

What's up whoever reading this! been a long time since I last posted something here. Today, I will be writing about a SQL injection vulnerability I recently found. As usual, at a hacking night after drinking my favorite cookie frappe I picked up a bug bounty program and started testing. Like any other researcher, I was throwing XSS payloads randomly everywhere. (I usually use '"><img src=x onerror=alert(2) x= with a single quote at the beginning) and while doing so one of the endpoints returned a 500 error saying A SQL error was encountered which definitely attracted my attention. The field returned that error was my `full name` so I went back there and immediately tried test'test which returned the same error which means that the single quote is what is causing the problem here. Realizing that, it seemed to me that single quotes weren't escaped at the SQL query, so I tried to escape it for them(by doubling it) and see what happens...