Expression Language (EL) Injection vulnerability in PayPal's subsidiary

An Indian security researcher, Piyush Malik, has discovered an Expression Language (EL) injection flaw in Zong, a subsidiary of PayPal.

According to OWASP, EL injection is a vulnerability that allows an attacker to control data passed to the EL interpreter. In some cases this lets the attacker execute arbitrary code on the server.

Malik said in his blog that Zong was running an outdated version of Clearspace (now known as Jive Software) on a subdomain.

"Clearspace is a knowledge management tool and is integrated with the Spring Framework. The EL pattern was used in Spring JSP tags, which made Clearspace vulnerable to this bug," Malik explained in his blog.

He found two forms on the site that are vulnerable to this bug. He was able to perform arithmetic operations through the vulnerable field, which shows that the injected expression is evaluated on the server rather than simply reflected back as text.

One of the vulnerable URLs:
https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject an Expression Language expression into the 'unauth' parameter, and the server will evaluate it. In his demo, the researcher injected an arithmetic expression (https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and confirmed that the server evaluated it.
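The arithmetic check described above can be automated. The following is an added example, not the researcher's own tooling: it builds a probe URL for a parameter, then classifies the response by whether the computed product comes back (EL evaluated server-side), the literal `${...}` comes back (merely reflected), or neither. All function names are hypothetical and the sample responses are constructed for the demo, not captured from the site.

```python
"""Added example (not the researcher's tooling): probe a query parameter for
server-side Expression Language evaluation and classify the response.

Function names are hypothetical; the sample responses at the bottom are
constructed for the demo, not captured from any real site.
"""
import random
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def make_arithmetic_probe(rng=random):
    """Return (expression, expected_result).

    Four-digit operands give a product that is unlikely to occur elsewhere in
    the page by chance, unlike the 300 produced by ${100*3} in the write-up.
    """
    a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
    return "${%d*%d}" % (a, b), str(a * b)


def build_probe_url(url, param, expression):
    """Set `param` to the probe expression, replacing any existing value.

    urlencode percent-encodes '$', '{', '*' and '}'; the server decodes the
    value before it reaches the JSP tag that evaluates it.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, expression))
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_response(body, expression, expected):
    """Decide what the server did with the probe.

    'evaluated' : the arithmetic result is present and the raw ${...} is not,
                  i.e. the expression ran server-side (the EL injection case)
    'reflected' : the raw expression is echoed back unchanged (not EL
                  injection, but user input reaching the page is worth noting)
    'none'      : neither appears in the response
    """
    raw_present = expression in body
    # Digit boundaries so that e.g. 300 inside 13000 does not count as a hit.
    result_present = re.search(r"(?<!\d)%s(?!\d)" % re.escape(expected), body)
    if result_present and not raw_present:
        return "evaluated"
    if raw_present:
        return "reflected"
    return "none"


# Constructed responses from three hypothetical servers, for demonstration only.
SAMPLE_RESPONSES = {
    "vulnerable": "<h1>Login</h1><p>Error: 300</p>",
    "reflecting": "<h1>Login</h1><p>Error: ${100*3}</p>",
    "silent":     "<h1>Login</h1><p>Please sign in.</p>",
}


def demo(expression="${100*3}", expected="300"):
    """Classify each sample response; returns {name: verdict}."""
    return {name: classify_response(body, expression, expected)
            for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    expr, want = make_arithmetic_probe()
    print(build_probe_url("https://clearspace.zong.com/login!input.jspa?unauth=x",
                          "unauth", expr))
    print(demo())
```

A single hit should be confirmed with a second probe using different operands, since a small product such as 300 can appear in a page for unrelated reasons. Once evaluation is confirmed, treat the finding as potential code execution, as the OWASP description above notes, rather than as an arithmetic curiosity.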

PayPal has offered a bounty for his finding. The researcher didn't disclose the amount.

EL injection was first documented by security researchers from Minded Security in 2011. The paper is available here: https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

Exclusive Interview with Security Researcher Prakhar Prasad

Today, E Hacking News had a chance to interview one of India's security researchers, Prakhar Prasad, who recently received a $5000 reward from PayPal for a file upload vulnerability.

1. Introduce yourself
I'm Prakhar Prasad, 19 years old, from Ranchi, Jharkhand. I love playing with and breaking web applications' security. I've found critical vulnerabilities in the majority of popular websites like Google, Facebook, Twitter, PayPal, Adobe, Apple, Symantec, Nokia Siemens Networks, etc.

I'm also working on exploit writing, anti-virus evasion techniques and malware analysis.

2. How did you get into the information security field?

I got into information security when I was in class 10th, because of an incident. One fine morning I was reading my local newspaper, and on the front page was a screenshot of my state government's website showing "Hacked by Ashiyane Digital Security Team". This incident fascinated me completely: how can someone change a website's homepage to show his own message? I started Googling around and learnt how websites and such worked from a security point of view.

Then the love for information security took me to a whole new level. Sleepless nights, with a burning desire to learn as much as possible.


3. When did you start Bug hunting?

I started bug hunting back in July 2012.


4. What was your first finding, and how did you feel at that time?

My first finding was a clickjacking bug in Google Website Translator Toolkit that allowed me to add an arbitrary "Admin/Editor" to someone's account by redressing the page.

5. What is the favorite vulnerability you have found?

Umm.. My favorite one is the Blind SQL Injection bug I found on PayPal's Notifications website. But I also like a permission bug I found in a PayPal acquisition that allowed me to unsubscribe any user of my choice from their mailing list.

6. How much have you earned so far from Bug hunting?

I'd keep it private :) But it's more than enough!

7. Are you hunting bugs for fun, for profit, or to make the world a safer place?

I hunt bugs basically for fun and to keep the world a safer place. But now various bug bounty programs have started that allow me to earn alongside the points I mentioned.

8. What are your future plans?

Can't say anything right now, I'm still learning things. But I want to do something really big for my country, India.

9. How did you feel when you received $5000 from PayPal?

It was a huge surprise. When my bug got validated I was expecting some big amount. But when I was paid the exact amount, it was enormous.

10. What is your advice for new bug hunters?
Just use Google to learn everything from scratch; it is the most powerful tool to gain knowledge of ANY KIND. Don't opt for some Tom, Dick and Harry ethical hacking courses; they teach half-baked concepts and suck your money. Google is the best thing to get started with; don't be like a spoon-fed child. I'd recommend a book called The Web Application Hacker's Handbook to start off.

One must watch Nir Goldshlager's HITBAMS2012 talk on Killing a Bug Bounty Program Twice. It's the best video out there regarding bug hunting.

Remember always: hunt bugs for fun and to learn more, not just for money. If you are honest with your work, you'll get fame, money and all success. But if you just use automated tools, then you're gonna have a hard time finding bugs and success in the InfoSec world.

Automated tools just can't find bugs in big websites, plus it kills the fun of finding bugs manually. Semi-automated/manual tools like Burp Suite and Zed Attack Proxy are cool to work with.


11. What do you think about E Hacking News?

It's a very good news source, keeps me updated about happenings of InfoSec world. I appreciate the work done by the team.

BreakTheSecurity is also doing a great job in providing tutorials and similar stuff.

Keep up the good work!


12. Thank you. Is there anything else you want to add?

I'm very thankful to EHackingNews for providing me the platform to share my views and experiences!

If anyone wants to connect with me, I'm on Twitter: @prakharprasad

My best wishes to all learners and EHackingNews.



E Hacking News Exclusive Interview with Aditya Gupta, co-founder of XY Security


Today, E Hacking News interviewed Aditya Gupta, a well-known Indian security researcher and co-founder of XY Security. He is listed on a number of hall of fame pages for hunting bugs.

*. Hi, please introduce yourself to EHN readers.

Hello, I'm Aditya Gupta. I'm a security researcher and also the co-founder of a security firm named XY Security. I also like hunting for bugs whenever I get time, and have found serious vulnerabilities in websites such as Google, Microsoft, Facebook, Apple, Adobe, PayPal, WebKit, iOS (WebKit and iOS patches yet to be released) and so on.
I've also developed the mobile exploitation framework Android Framework for Exploitation (AFE) along with my partner Subho Halder. That, I think, says much about me.

*. How did you step into the InfoSec field?

Well, I stepped into this field a few years back when I was preparing for my IIT-JEE in Kota.

So, instead of attending my classes at Bansal Classes, Kota, I ended up having night-outs in cyber cafes there, learning more and more about hacking.

Even when I got admission to my college, KIIT, Bhubaneswar, in Electronics, most of my time went into exploit writing, programming and finding new ways to break the security of various devices and platforms.

It just started as curiosity and for the fun of it, but now it has turned into my full-time profession.

And you know, you should always do what you love. That's what I recommend to everyone.

*. Cool, you are an ECE student?!
Yep. Mainly because apart from hacking, I am also interested in electronics. And it turns out that if you combine hacking and electronics, it's an amazing duo.

You get to learn about the internals of everything, and it becomes more interesting to find security holes.

That's why I have recently published a research paper on ARM exploitation titled "A Short Guide to ARM Exploitation" along with my friend Gaurav Kumar.

*. You have discovered security flaws in a number of high-profile websites. What's the most memorable vulnerability you've discovered?
You know, the most interesting vulnerability I discovered was the Facebook one.
It allowed the hacker to remotely and silently record videos from the victim's webcam and post them to his timeline, without the victim even knowing about it.
And one more interesting one was on Google+. It wasn't very severe, but it allowed hackers to trick victims into updating their status. That was when Google+ had just started, and I think I may have saved it from a lot of spam campaigns, which you used to see earlier on other social networks like Facebook.

*. What is your favorite part of InfoSec, WebApp pentesting or mobile hacking?
I would say that WebApp sec is surely the most interesting one, and you get a lot of satisfaction when you find high-level bugs in a client's website or find bugs in a website offering a bug bounty.

But my personal preference would be mobile hacking. And I believe that mobile will be one of the fastest-growing areas in security soon. And you know, that's why I started working on AFE, and I plan to make it really big in the coming future, one of the de facto tools for mobile exploitation.

For that, I will need a lot of contribution from the InfoSec field. That is one of the things I'm looking forward to.

I would also like to point out one of the upcoming features of AFE, if you don't mind, which will be included in the next update on March 5th: exploitation of vulnerabilities in applications.

So, it would be like, you just specify the name of the application, say the Facebook Android app, and it would show you if there is any available exploit for it, and boom, the next second you will be exploiting the vulnerability.

Also, one could find a lot of vulnerabilities in Android apps using the framework, so that, I believe, is one of the reasons the InfoSec community would be interested in it.

*. Really interesting. Is AFE open source? Where can I find further details?

It's completely open source. You can find it on GitHub here: http://github.com/xysec/

Also, you can have a look at some details here: http://afe-framework.com


*. Tell me something about your company XY Security

It's a company I've co-founded with two more of my friends: Subho Halder and Gopinath Danda.

We provide services like penetration testing, application audits and especially trainings.

We also present our research and give trainings at international security conferences such as BlackHat, Toorcon, OWASP AppSec, SysCan, Nullcon, Clubhack and so on.

We are based in Bhubaneswar right now and we have a small and amazing team with people who are really passionate about security.

*. Recently, you conducted an Advanced Android and iOS Hands-on Exploitation course at OWASP AppSec AsiaPac 2013. How was your experience with AppSec AsiaPac 2013?

Well yeah, I had a training over there. It's a nice conference, after all it's OWASP AppSec.

They are more of a global conference, with international speakers, so I got in touch with other security researchers in person, and it was a nice experience overall.

Unlike my earlier trainings, this one was more hands-on, for which we provided virtual labs and code samples for Android, ARM and iOS.
Also, Jeju Island (the place where this conference was held) is an amazing place.

*. What's the research that makes you especially proud?
Well, I think I have contributed and researched more than anything else on mobile security, especially Android.
That is one of the things I'm really proud of having done.
But, you know, one has to keep doing new stuff and trying out new things every day.
That is how I keep myself busy all the time. But yeah, it's fun.

*. What is your advice for a newbie who is interested in the InfoSec field?
All I would say to them is to be really passionate and dedicated about whatever you are trying to achieve.

Keep learning something new every day, through blogs, forums, articles and websites.

Don't settle for using tools to find vulnerabilities; unless you learn manual hacking methods, you won't learn anything new.

A tool is really helpful, but only when you understand the functionality behind it.
And yeah, my best wishes to all the ones who are new in this field. Just work hard, and nothing is impossible.

One last thing: you'll surely get criticised at some point or the other in whatever you're doing. Just don't give up, and prove yourself!

*. Students often ask me how to become an ethical hacker and get jobs related to information security, so can you give them some advice?

To become an ethical hacker, I would suggest you learn about hacking and exploitation, and try it out on various vulnerable targets such as WebGoat, Mutillidae or Metasploitable.

And then one could always go for certifications such as OSCP, SANS and so on.
The only thing that matters if you apply for a job is how much knowledge you have. Also, choose a language of your choice, be it Python, C++ or C#, anything, and code in that language. It will help you a lot if you're looking for jobs.

Because,
Good Programmer + Good Hacker >> Good Hacker

*. It is nice to talk to you. What do you think about E Hacking News?
Well, it's a great website and keeps me updated with all the security news from all over the world.

Also, as a media partner of most of the top conferences in the world, it's surely one of the websites I would recommend to everyone.
Really a nice job.

*. EHN really thanks you for spending your precious time. Is there anything else you would like to add?
I think I told most of the things I wanted to, with my really long answers.
Thanks a lot for your time as well.

Clickjacking vulnerability in Microsoft Social Network Socl


An Indian security researcher, Nikhil P Kulkarni, has discovered a clickjacking vulnerability in Microsoft's social network SOCL (so.cl).
Clickjacking, also referred to as a "user interface redress attack" or "UI redress attack", is a website attack technique in which the attacker uses one or more transparent layers to trick a user into clicking on something different from what the user perceives they are clicking on. It works only when the target page can be loaded inside a frame on the attacker's site.


In a POC provided to EHN, the researcher demonstrated the clickjacking vulnerability. In an HTML file, the visible top layer says "click below to win your prize money", while the SOCL page is loaded underneath it. When the user clicks the "click here" button, the click lands on the hidden SOCL page and posts a message on the victim's wall.

The researcher discovered the vulnerability in August and notified Microsoft. Initially, Microsoft rejected the report nearly five times and told the researcher that it was not a vulnerability.

But recently they realized that all his POCs were right and have fixed the vulnerability. They have decided to put his name on their hall of fame page.
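The page does not describe how SOCL was fixed, but the precondition for the overlay above is that the target page can be loaded in an attacker's iframe at all, and that is controlled by response headers. The following is an added example, neither Microsoft's fix nor the researcher's PoC: it classifies a response's framing protection from `X-Frame-Options` and the CSP `frame-ancestors` directive. Function names are hypothetical and the header sets at the bottom are constructed for the demo, not captured from so.cl or any other site.

```python
"""Added example (not the researcher's PoC): decide from HTTP response headers
whether a third-party site can load the page inside an iframe, which is the
precondition for overlay-style clickjacking.

Function names are hypothetical; the header sets at the bottom are constructed
for the demo and are not captured from so.cl or any other site.
"""


def frame_ancestors_sources(csp_value):
    """Return the source list of a frame-ancestors directive, lower-cased, or
    None if the policy has no such directive. Other directives (default-src,
    frame-src, ...) do not govern who may embed this page."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers):
    """Classify framing protection from a response's headers.

    Returns (status, reason) with status one of:
      'protected'  - third-party pages cannot embed this one
      'restricted' - only listed origins may embed it (review the list)
      'weak'       - a header is present but not honoured by most browsers
      'exposed'    - any site can load the page in an iframe

    The enforced CSP is consulted first because browsers that support
    frame-ancestors give it precedence over X-Frame-Options. The
    Content-Security-Policy-Report-Only header is ignored: it blocks nothing.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # An empty source list matches nothing, same as 'none'.
            if not sources or sources == ["'none'"]:
                return "protected", "CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "protected", "CSP frame-ancestors 'self'"
            if "*" in sources or "http:" in sources or "https:" in sources:
                return "exposed", "CSP frame-ancestors allows any origin"
            return "restricted", "CSP frame-ancestors " + " ".join(sources)

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", "X-Frame-Options " + value
        if value.startswith("ALLOW-FROM"):
            return "weak", "ALLOW-FROM is obsolete and ignored by most browsers"
        # Browsers ignore an unrecognised value, which leaves the page framable.
        return "exposed", "unrecognised X-Frame-Options value %r" % xfo

    return "exposed", "no X-Frame-Options and no CSP frame-ancestors"


# Constructed header sets for hypothetical responses, for demonstration only.
SAMPLE_HEADERS = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-none": {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'none'"},
    "csp-without-frame-ancestors": {"Content-Security-Policy": "default-src 'self'",
                                    "X-Frame-Options": "SAMEORIGIN"},
    "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *",
                          "X-Frame-Options": "DENY"},
    "report-only": {"Content-Security-Policy-Report-Only":
                    "frame-ancestors 'none'"},
}


def demo():
    """Return {name: status} for each constructed header set."""
    return {name: assess_framing(hdrs)[0] for name, hdrs in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        print("%-28s %s (%s)" % (name, *assess_framing(hdrs)))
```

The "csp-overrides-xfo" case is the one to watch in a review: a permissive `frame-ancestors` silently wins over a strict `X-Frame-Options` in current browsers. Feed the function the headers of the exact page that performs the sensitive action (here, the page that posts to the wall), not only the site's landing page, since framing protection is applied per response.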