Wednesday, March 2, 2016

Finding a XSS in Microsoft OAuth Interface, a major risk for the security of the users' account

8:43 AM Posted by Alexandru Coltuneac (dekeeu) , , , , No comments
Summary In this article, I want to talk about one of my latest vulnerabilities that I found during my research, namely a Stored XSS(Cross Site Scripting) flaw in Microsoft OAuth Interface. My experience as a researcher with this company started two years ago when, out of curiosity, I began to look...

Friday, August 28, 2015

How I found the sweets inside Google servers. Local File Inclusion Write-up @ 2015

1:49 AM Posted by Alexandru Coltuneac (dekeeu) , , , , , , , 6 comments
Hello there. In this blog post I'll tell you how I've managed to read arbitrary files from the Google servers by finding/exploiting a Local-File-Inclusion vulnerability. This flaw was found in one of the Google products, Google Feedburner, and was fastly fixed by Google Security Team. As Wikipedia...

Thursday, April 16, 2015

Avangate eCommerce Platform - XSS Vulnerabilities

7:17 PM Posted by Alexandru Coltuneac (dekeeu) , , , 1 comment
Description: Avangate eCommerce Platform suffer from Reflected-XSS(Cross-Site-Scripting) vulnerabilities which can be easily exploited and could allow an attacker to threaten users safety . What is XSS(Cross-Site-Scripting) vulnerability ? Reflected cross-site-scripting vulnerabilities arise when...

Sunday, September 14, 2014

Google Feedburner - Reflected XSS

11:03 PM Posted by Alexandru Coltuneac (dekeeu) , , , No comments
The base URL for this vulnerability will be : http://feedburner.google.com/fb/a/emailFlare?itemTitle=test&uri=test If you open the link above in browser you can see that the basic form which allows you to email a "Flare" to a random e-mail address. So, if you complete that form with random...

Tuesday, October 29, 2013

Bitdefender Security Breakdown - LFI/OAuth/XSS vulnerabilities

5:21 PM Posted by Alexandru Coltuneac (dekeeu) , , , , , , No comments
Summary Bitdefender websites were vulnerable to some web flaws that could allow an attacker to obtain arbitrary local files from the web server or hijack users sensitive information. Vulnerability Details LFI (Local File Inclusion) The vulnerable script was located here : http://www.bitdefender.com/downloadFile.php?language=in&fileName=pok.txt&filePath=../../../../../../etc/passwd Usually...