emailexpert.org XSS vulnerability

andrewbonar
Posts:5
Joined:Sun Mar 27, 2016 5:18 am
emailexpert.org XSS vulnerability

Post by andrewbonar » Sun Mar 27, 2016 9:38 am

Issue was Resolved at 18:53

charleycelice
Posts:2
Joined:Tue Mar 22, 2016 8:53 pm

Re: emailexpert.org XSS vulnerability

Post by charleycelice » Sun Mar 27, 2016 9:42 am

Can this be marked as patched? I requested yesterday but still showing up as "no".
-stmerry

charleycelice
Posts:2
Joined:Tue Mar 22, 2016 8:53 pm

emailexpert.org XSS vulnerability

Post by charleycelice » Sun Mar 27, 2016 9:22 pm

Pressed check again and still shows as unpatched...
-stmerry

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: emailexpert.org XSS vulnerability

Post by x1admin » Mon Mar 28, 2016 5:26 am

marked as patched

andrewbonar
Posts:5
Joined:Sun Mar 27, 2016 5:18 am

Re: emailexpert.org XSS vulnerability

Post by andrewbonar » Mon Apr 04, 2016 5:15 am

Nice concept, but xss fails in its execution.

It is a shame that XSS seems none too fussed about the accuracy of its reporting. Despite both myself and the researcher advising that the problem was resolved on the same day, within the hour, instead of marking it as resolved XSS exposed the report, by which time it was already incorrect. The security grading for SSL was also incorrect: XSS pulls a cached copy from htbridge and then caches that for ever more. At the time of exposure I had already followed the recommendations and the site was listed as A grade.

The stated claim "to create an open, transparent and unbiased platform to connect security researchers wishing to help and website administrators" seems to fall short.

The statement "We never remove any information about vulnerabilities from the website for political or business reasons. Within the scope of Open Bug Bounty, security researchers can delete the vulnerabilities until public disclosure, but it's only the researcher who decides what to do." is also untrue. XSS chooses arbitrarily, it seems, when to state that a bug is patched and when to update the site. The researcher advising that a bug is patched is not accepted at face value.

"our role is strictly limited to independent vulnerability verification - we never act as intermediary between the researchers and website owners." Well, you overstep that role when you publish incorrect, outdated security assessments, then fail to retest at the time of exposing a vulnerability that was already patched. Who knows what value to place on the homepage listings, or how it is that they were able to be reported, resolved and updated all within an hour, where others are left with incorrect listings for 2 days.

x1admin
Site Admin
Posts:3102
Joined:Sun Nov 15, 2015 7:04 pm

Re: emailexpert.org XSS vulnerability

Post by x1admin » Mon Apr 04, 2016 2:33 pm

Few points:

a) Instead of writing novels here, you can just ask to change the time of patch (if it's incorrect) - and we will update it

b) there was indeed a small glitch with the time of patch, if during the check the website is inaccessible. Fixed now.

c) synchronization with the SSL checker is on our to-do list; as XSSposed is a non-profit project, we work mainly on weekends and nights. If you want to code for free - ping us.

andrewbonar
Posts:5
Joined:Sun Mar 27, 2016 5:18 am

Re: emailexpert.org XSS vulnerability

Post by andrewbonar » Thu Apr 07, 2016 12:08 pm

First, allow me to cut to the chase.

For the record, the timeline of events in respect of my specific incident is close to, if not exactly, as below:

https://twitter.com/andrewbonar/status/ ... 1478625280
The Timeline of Events:
18:15 Vulnerability reported
18:17 Notification sent
18:37 ACK'd notification
18:54 resolved vulnerability
19:53 publicly exposed
20:01 Notified that the issue was fixed and thanked stmerry on Twitter, as I figured I had been exposed due to not reaching out to stmerry and simply fixing the issue: a flaw I was aware of and that was on my to-do list, but not a priority. I will not describe it as a vulnerability; a susceptibility or flaw, yes.

Image

x1admin wrote:Instead of writing novels here
:twisted:

In response: 207 words does not an essay make, never mind a novel.
You frame your site as you do and openly invite visitors to offer critique; you should expect a little and maybe be a little less defensive. That said, a short essay will now ensue.
x1admin wrote:you can just ask to change the time of patch (if it's incorrect) - and we will update it
Nonsense, I reached out. I tweeted, I emailed, I posted in this forum. On the 26th, on the 27th and on the 28th you were advised of the error, and again on April the 4th. It is now the 7th and the false claims about my .org remain published on your .org.
@stmerry (thanks!) posted on the 27th stating he had asked the day before for it to be removed. It still says the 28th.

Now that we have established that your response is wholly without merit, and before I launch into a wider discussion, here is a strange thing. @StMerry posted dozens of reports that day, and none of them were publicly visible; shortly after I resolved my issue, within minutes, mine was exposed. I naturally assumed @stmerry was responsible, but that seems unlikely. But I have noticed that, looking through those that are publicly exposed, many of those sites have already resolved the issue. Maybe 25 out of 28 checked. Then we have another post on this forum pointing out the same strange occurrence: that a site was publicly exposed, but not by the security researcher, and only after the bug was resolved.

It does rather appear that someone with elevated status at the site is trying to punish those they feel should be offering thanks.

Back to your points...
x1admin wrote:there were indeed a small glitch with the time of patch, if during the check the website is inaccessible. fixed now.
The site still states it took two days to resolve, as opposed to less than an hour. You are saying that the site was unavailable for 2 days? I think not. Do you mean you were getting an error 500 on attempting to run the script? That is quite different to inaccessible. Is the issue fixed at your end, or is it simply that I was returning a 404 two days later? If a script that is identified is disabled, and that results in a 500 error on attempting to reach it, that would make the issue resolved.

As for your invitation: I am not really a coder. I can hack together what I need, and have too many projects I am already involved with for no financial reward to bring another into the mix. Yes, some are wholly about making the interwebs a better place: http://senderintelligence.com/
To assume coding is the only area in which you would benefit from support is a mistake imo.

You could gain much from a little better PR management. You have the cloak of anonymity, so you can afford to be a little more honest. The issue with a white lie here and a white lie there is that you lose credibility, and whether I support full disclosure or believe in security through obscurity is neither here nor there; you leave yourself exposed to potential ridicule when your lack of transparency is so evident, yet you talk of transparency on the site.

You state in your emails "The Open Bug Bounty project (http://www.xssposed.org) has no direct or indirect relations with security researchers." Yet elsewhere you state "We are a group of security professionals from several countries (mainly EU). All of us participated in various Bug Bounty Programs, but we believe that all, or almost all, of them fail for one reason or another."

By laying the seeds in the way that you have, it then becomes easy to present the argument that claims like "20,000 vulnerabilities have been fixed" overstate your case, and that for the most part it is nothing more than 19,900 minor flaws found.

I don't want you to feel under attack and that I am raising hell for no reason.
The fact is you have built something that gains a significant amount of traffic and thereby interest.
Your web front end comes across as rhetoric and your attitude as glib when you dismiss people in the way you have. You intimate that I have expended too much effort on communication, yet you invest your evenings and weekends in this project. I can see lots of posts congratulating you and the site, lots of cheerleaders; maybe it's worth listening to some of the dissent occasionally. I was not being disparaging, after all.

I have one suggestion for you, one that came from loyal researchers originally, those who work on your site.

Your Twitter stream would be a whole lot more popular if you did what they requested, which was to include their Twitter handle. I know you stated it was not possible because there was not enough space. That is clearly a mistake. Your tweets average 114 characters, leaving 26. A small change will, I guarantee, result in more retweets and follows and more publicity.

Vulnerability found by @tbmnull on notebookreview.com on hold for coordinated disclosure https:XXt.co/kjkljlkj #BugBounty

Better yet, swap out the URL for the Twitter handle if you have it (ask the researcher to submit it) and include their handle. Or, if you really do not want to change your tweet format at all, then use Cards, insert an image and you can tag 10 @handles. Like so:
Image

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm

Re: emailexpert.org XSS vulnerability

Post by Spam404Online » Thu Apr 07, 2016 2:11 pm

As far as I know, the date and time listed as when the vulnerability was patched is when Open Bug Bounty (OBB) verifies the patch.

Maybe, to improve this, a snapshot of the date and time could be saved when the patch verification request is made. So, for example:

9/9/2016 13:37 - Researcher makes patch verification request (time and date saved)
10/9/2016 18:28 - OBB verifies the patch and the incident displays "Patched: Yes, at 9/9/2016"

I think this is a solution to get it as close to the patch time as possible. This would also make the "Quickest Patched" list (on the homepage) more achievable :)

andrewbonar wrote:for the most part it is nothing more than 19,900 minor flaws found.
XSS shouldn't be underestimated :P

andrewbonar
Posts:5
Joined:Sun Mar 27, 2016 5:18 am

Re: emailexpert.org XSS vulnerability

Post by andrewbonar » Fri Apr 08, 2016 10:34 am

Thanks @Spam404online, yes, your suggestion would make sense and would certainly result in more clarity and transparency.

I still think XSSposed or OBB want to identify:
  • does a 500 HTTP response result in the vulnerability remaining identified as unpatched? That would be an error imo. I suspect that the patch was identified only when I served a 404
  • what causes vulnerabilities to be exposed when it was not the researcher who exposed them. If an admin is responsible, that is not good; if it's a bug in code, that is not good either. Not sure which is worse.
  • The issue was first brought to light as far as I can see on March 24th and as yet no response
    viewtopic.php?f=10&t=132
Spam404Online wrote:XSS shouldn't be underestimated :P
You are, of course, correct. Equally, the power of leveraging social channels should not be underestimated. My suggestion regarding Twitter would further the stated aims of OBB, as is proven by my single erroneous tweet (I added the wrong link) that resulted in NotebookReview.com acknowledging the issue within the hour, albeit with a poorly worded tweet that did not give @tbmnull the credit and thanks deserved.

Spam404Online
Posts:296
Joined:Mon Nov 23, 2015 6:43 pm

Re: emailexpert.org XSS vulnerability

Post by Spam404Online » Fri Apr 08, 2016 11:32 am

andrewbonar wrote:does a 500 HTTP response result in the vulnerability remaining identified as unpatched? That would be an error imo. I suspect that the patch was identified only when I served a 404
More information here from OBB would be great, as I've run into issues with this in the past.

Here are some examples:

https://www.openbugbounty.org/incidents/142988/ - a new firewall catches the vector, so the page is not rendered and instead the request times out, but the report is not marked as fixed.

https://www.openbugbounty.org/incidents/134516/ - OBB said they could not mark this one as patched despite the page no longer being public (in response to my report, Vodafone made the page only available internally).

andrewbonar wrote:what causes vulnerabilities to be exposed when it was not the researcher who exposed them. If an admin is responsible, that is not good; if it's a bug in code, that is not good either. Not sure which is worse.
While this one sounds worrying, I have never run into this issue with over 15k submissions to OBB. Only researchers can make the report public earlier than the premeditated disclosure time. Some website maintainers have been known to check their logs instead of communicating with the researcher, but even if the website is patched in this manner it shouldn't make the report public earlier than the premeditated disclosure date.

I'm not saying TBM is wrong in the thread posted here, but I just haven't had this issue with over 15k submissions, so I find it hard to believe OBB was at fault.

andrewbonar wrote:Equally, the power of leveraging social channels should not be underestimated. My suggestion regarding Twitter would further the stated aims of OBB, as is proven by my single erroneous tweet (I added the wrong link) that resulted in NotebookReview.com acknowledging the issue within the hour, albeit with a poorly worded tweet that did not give @tbmnull the credit and thanks deserved.
I can't disagree with you here. This was one of the earliest suggestions and would most definitely be cool :)
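An added illustration (not OBB's or XSSposed's own code) of the re-check logic the last few posts argue about: a verifier that snapshots the researcher's request time as Spam404Online suggests, and that treats a 404, 500, firewall block or timeout as "cannot verify, retry later" rather than as either patched or unpatched. The marker string, the URLs and the response objects are constructed placeholders, and the fetch function is supplied by the caller.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Callable, Optional

# Constructed, harmless probe string: the check only asks whether it comes
# back reflected raw; it never needs to execute anything in a browser.
MARKER = "obbprobe7f3a<>"

class Verdict(Enum):
    PATCHED = "patched"          # page renders and no longer reflects the marker raw
    UNPATCHED = "unpatched"      # page renders and still reflects the marker raw
    UNREACHABLE = "unreachable"  # 404, 500, WAF block or timeout: cannot tell either way

@dataclass
class Response:
    status: Optional[int]  # None models a timeout (e.g. a firewall swallowing the request)
    body: str = ""

@dataclass
class Incident:
    url: str
    verdict: Verdict = Verdict.UNPATCHED
    verification_requested_at: Optional[datetime] = None  # researcher's request, snapshotted
    verified_at: Optional[datetime] = None                # when the re-check actually passed

def classify(resp: Response) -> Verdict:
    if resp.status is None or resp.status >= 400:
        return Verdict.UNREACHABLE
    return Verdict.UNPATCHED if MARKER in resp.body else Verdict.PATCHED

def request_verification(inc: Incident, now: datetime) -> None:
    # Record the request time once; a check that passes days later must not overwrite it.
    if inc.verification_requested_at is None:
        inc.verification_requested_at = now

def verify(inc: Incident, fetch: Callable[[str], Response], now: datetime) -> Verdict:
    verdict = classify(fetch(inc.url))
    if verdict is Verdict.PATCHED:
        inc.verdict, inc.verified_at = verdict, now
    elif verdict is Verdict.UNPATCHED:
        inc.verdict = verdict
        inc.verification_requested_at = None  # request was premature: clear the snapshot
    else:
        inc.verdict = verdict  # keep the snapshot, show "pending" and retry later
    return verdict

def displayed_patch_date(inc: Incident) -> Optional[datetime]:
    # Show the researcher's request time, not the possibly much later check time.
    return inc.verification_requested_at if inc.verdict is Verdict.PATCHED else None
```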
