Per the vendor’s request, I will not fully disclose these bugs. Given that it’s been 4 years since the bugs were fixed, I think it’s time for everyone to see some redacted details. They may be irrelevant now, but you’ll be surprised that there are some really bad web developers out there to this day 😜.

Anyway, here’s the story. I found a subdomain of an UNNAMED vendor (spoiler alert: they’re pretty popular among people with bad eyesight) using the sublist3r brute-forcing tool from therook. This subdomain was an admin portal that hosted their marketing campaign reports. It required a login, but if…


There are many topics about database security to talk about, but I’m not going to do that today. I came across an interesting way to purchase my contact lenses last year at ****.com (it’s my secret ^^). The web store lets you buy high quality lenses at an affordable price. However, just like other people, I searched around multiple stores to find a better price, and I took my time to do it. One day at work, I used my phone instead of my PC to see if the price of this product changed and noticed the price dropped significantly…


XSS is the most popular vulnerability on the web. Introducing new technology (e.g. HTML5, CORS, Jinja2…) also introduces new attack vectors. However, many people underestimate the capabilities of XSS. XSS can be easy to find, yet not so easy to mitigate. So, what is XSS actually able to do?

  1. Steal the user’s cookies
  2. Retrieve form data, including the CSRF token
  3. Retrieve the content of the DOM
  4. Retrieve local/session storage
  5. Capture the user’s keystrokes
  6. Capture the full DOM
  7. Capture a screenshot of the page
  8. Take a webcam snapshot
  9. and more

To be stealthy, XHR should be used to exfiltrate the data. In this case…


VMs:
• malicious script in a shared folder
• worm propagates in the same/connected networks
• VMs and the host machine don’t share a kernel: each has its own (to escape, a VM has to break its own kernel → the hypervisor (e.g. VMware) → the host machine)

Containers:
• Containers can share memory
• Users are not namespaced by default: if a user gains access to other containers or the host, they will have the same privilege (root in a container will be root on the host after breaking out)
• All containers and the host share the same kernel: if a container causes a kernel panic, it will take down the whole machine
• DoS in containers: containers share kernel resources: if a container manages to lock a resource, it will starve the other containers


So I had a phone interview with an iCIMS recruiter for a security engineer position, but it didn’t go anywhere because she didn’t really focus on what I can do. It didn’t bother me a lot. However, I was impressed that a big company like iCIMS doesn’t have a security team (sounds interesting!!!). For anyone who is looking for a job, you’ll see many big names like Amazon, Uber, Dollar General, etc. are using the iCIMS Applicant Tracking System, which is way better than Taleo, so it’s pretty interesting to take a deeper look at their systems.

I explored iCIMS’ subdomains by…


A month ago, I found someone’s instance on DigitalOcean with an RCE vulnerability. This happened while I was poking around Shodan. I did a quick search for Werkzeug Debugger, and a list of hosts with the debugger running showed up. For anyone not familiar with it, Werkzeug Debugger is an in-browser debugger used by Flask. The debug option allows developers to run Python commands from the browser on localhost:5000 (by default). It is recommended to disable this option on production servers and to lock the debugger with a PIN. However, some people just ignore that anyway.

Here are some things you can do from the console:

>>> import os
>>> print(os.getuid())
>>> print(os.popen("cat .bash_history").read())
>>> print(os.popen("cat /etc/passwd").read())

By doing so, I was able to identify the owner of the instance. It belongs to a hunting map service.


The email delivery service SparkPost was vulnerable to subdomain takeover. The subdomain go.sparkpost.com pointed to the Unbounce service, but it seemed their plan had expired. I registered a trial on Unbounce, successfully created a landing page, and added go.sparkpost.com as the URL for the page. Here is the proof:

Then I reported the issue to SparkPost customer service. I thought they would reach out to me regarding this critical issue, but then I found out the vulnerability was fixed, and I didn’t receive a single email from them! That’s how they do business, I guess.

Here is the timeline:

09/21/2016…


Preston T
