XSS vulnerabilities discovered in ServiceNow – CVE-2022-38463

Hey everyone, This is a blog related to my recent CVE on ServiceNow.It was found while testing a bug bounty program that was using ServiceNow and their in-scope domain was ‘redacted.service-now.com’. I searched the ServiceNow exploits on google and found that the domain was vulnerable to CVE-2019-20768 and CVE-2021-45901. I reported them and the reports…

Turning cookie-based XSS into account takeover

The cookie-based XSS One evening I started hunting on the Terrahost Bug Bounty program. I was testing the terrahost.no main domain. There was a functionality where I could choose the service, then register an account and place an order. So I did that. I chose Virtual Hosting and put all the data – username, address,…

CVE 2022-29455 is still affecting millions of WordPress sites

– The DOM-based Reflected Cross-Site Scripting (XSS) vulnerability is in Elementor’s Elementor Website Builder plugin <= 3.5.5 versions.  This issue leads to: CVE 2022-29455 4websecurity.com already reported the vulnerability to tens of thousands websites that are using WordPress and this version of the plugin.  Reference:    – https://nvd.nist.gov/vuln/detail/CVE-2022-29455    – https://rotem-bar.com/hacking-65-million-websites-greater-cve-2022-29455-elementor    – https://www.rotem-bar.com/elementor * POC (Proof Of Concept): The payload is Base64 encoded: https://example.com/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwOi8vIiwidmlkZW9UeXBlIjoiaG9zdGVkIiwidmlkZW9QYXJhbXMiOnsib25lcnJvciI6ImFsZXJ0KGRvY3VtZW50LmRvbWFpbikifX0= Decoded from Base64: https://example.com/#elementor-action:action=lightbox&settings={“type”:”video”,”url”:”http://”,”videoType”:”hosted”,”videoParams”:{“onerror”:”alert(document.domain)”}} Impact: XSS can cause…

Zabbix – SAML SSO Authentication Bypass

In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Dork: usage refrences https://nvd.nist.gov/vuln/detail/CVE-2022-23131 https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage https://github.com/Mr-xn/cve-2022-23131 https://github.com/projectdiscovery/nuclei-templates

The Time Machine — Weaponizing WaybackUrls for Recon, BugBounties , OSINT, Sensitive Endpoints and what not

You must have heard about time travel in movies, series and comics. Well here we are Nah i’m not joking you can travel back in time and can fetch the endpoints from web applications to do further exploitation, don’t believe me xD You will after Travelling from TheTimeMachine, PS Doesn’t work offline you need internet…

The Most used Chrome Extensions are Used For Penetration Testing.

Mostly, penetration testing can use the extensions for the purpose to locate the broken links and inform the client, and these extensions also help to determine whether a target website contains vulnerabilities that can lead to adversarial exploitations and sensitive information theft. Here are the different chrome extensions that are used by penetration testing…. Wappalyzer…

eG Manager v7.1.2: Improper Access Control lead to Remote Code Execution (CVE-2020-8591)

Improper Access Control to Remote Code Execution (CVE-2020-8591)

In this post. I will explain how I hacked a whole system by exploiting improper access control vulnerability in the popular java-based MaaS software “eG Manager” and how I can escalated it to execute code remotely.

Impact

The Improper Access Control weakness describes a case where software fails to restrict access to an object properly. A malicious user can compromise security of the software and perform certain unauthorized actions by gaining elevated privileges, reading otherwise restricted information, executing commands, bypassing implemented security mechanisms, etc.