Every thing can be Hacked . If we are Noops

Sunday, July 31, 2016

Europ CERT- Hall of Fame

Posted By: Lawrence Amer - 4:45 AM




Europ CERT has released a Hall of Fame program to handle issues reported by security researchers.
Lawrence Amer reported a cross-site scripting vulnerability to the Europ CERT security team and received a confirmation response via email, with his name included in the Hall of Fame.

After a fix was confirmed, a description of the vulnerability is disclosed via the security researcher's official site for discussion.

Vulnerability Description :
=================================

The security issue allows remote attackers to inject their own malicious script code into the application side of the vulnerable service module.
The vulnerability is located in the module "/scripts/wa-enisa.exe" on the affected domain "lists.enisa.europa.eu". The vulnerable parameter is "A0", which allows a remote attacker to execute an XSS payload.

Vulnerable Request
==================
[+] GET

Vulnerable module
======================
[+] /scripts/wa-enisa.exe

Vulnerable parameter
=======================
[+] A0

Proof of concept:

Attackers are able to successfully reproduce the issue by using the following URL:
https://lists.enisa.europa.eu/scripts/wa-enisa.exe?A0=%../%27%3E%3Ciframe%20src=http://vulnerability-lab.com%3E


Vulnerability State : Patched 
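The server-side fix for this class of bug, as an added example that is not part of the original advisory or of the affected application: it decodes the query string from the URL above, shows why the malformed "%.." escape does not stop the rest of the value from decoding, and contrasts raw reflection with validation plus output encoding. The `<input>` template, the allowlist pattern and the function names are assumptions; the advisory does not show the server's markup or say what A0 holds.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Request target built from the proof-of-concept URL in the advisory above.
POC_TARGET = ("/scripts/wa-enisa.exe?A0=%../%27%3E%3Ciframe%20src="
              "http://vulnerability-lab.com%3E")

# Assumption: A0 is meant to carry a short identifier; the advisory does not
# say what the parameter holds, so this allowlist is illustrative only.
A0_ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")


def decoded_param(target, name):
    """Return the percent-decoded value of one query parameter."""
    # parse_qs leaves the malformed escape "%.." as literal text, so the
    # rest of the value still decodes to markup characters.
    values = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return values.get(name, [""])[0]


def render_unsafe(a0):
    """Hypothetical template that echoes A0 raw into a quoted attribute."""
    return "<input type='hidden' name='A0' value='" + a0 + "'>"


def render_encoded(a0):
    """Same template with HTML-attribute encoding applied on output."""
    return ("<input type='hidden' name='A0' value='"
            + html.escape(a0, quote=True) + "'>")


def handle(target):
    """Validate first, encode on output; return (status, body)."""
    a0 = decoded_param(target, "A0")
    if not A0_ALLOWED.fullmatch(a0):
        # Even the error path must not echo the raw value back.
        return 400, "Invalid A0: " + html.escape(a0, quote=True)
    return 200, render_encoded(a0)


if __name__ == "__main__":
    value = decoded_param(POC_TARGET, "A0")
    print("decoded :", value)
    print("unsafe  :", render_unsafe(value))
    print("encoded :", render_encoded(value))
    print("handler :", handle(POC_TARGET))
```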





Monday, April 25, 2016

Microsoft MSDN CSRF Vulnerability

Posted By: Lawrence Amer - 2:40 PM





Remote attackers are able to perform cross-site request forgery against MSDN users, forcing them to perform unwanted actions.

The vulnerability is located in the personal user information module. It allows attackers to reset the account email address, which leads to compromise of the MSDN account.


The Microsoft development team pushed a fix for this issue, and my name, Lawrence Amer, will be added to the April 2016 Hall of Fame.



Video PoC is listed below:




Wednesday, March 23, 2016

Yahoo Sender Email spoofing Vulnerability by Lawrence Amer

Posted By: Lawrence Amer - 3:35 AM



Product & Service Introduction:
===============================
Yahoo Inc. (styled as Yahoo!) is an American multinational technology company headquartered in Sunnyvale, California. It is globally known 
for its Web portal, search engine Yahoo! Search, and related services, including Yahoo! Directory, Yahoo! Mail, Yahoo! News, Yahoo! Finance, 
Yahoo! Groups, Yahoo! Answers, advertising, online mapping, video sharing, fantasy sports and its social media website. It is one of the most 
popular sites in the United States.[9] According to third-party web analytics providers, Alexa and SimilarWeb, Yahoo! is the highest-read news 
and media website, with over 7 billion readers per month, being the fourth most visited website globally, as of June 2015.[8][10][11] According 
to news sources, roughly 700 million people visit Yahoo websites every month. Yahoo itself claims it attracts "more than half a billion consumers
every month in more than 30 languages." Yahoo was founded by Jerry Yang and David Filo in January 1994 and was incorporated on March 1, 1995. Marissa
Mayer, a former Google executive, serves as CEO and President of the company.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Yahoo! )




About founder : 
========================

Lawrence Amer is a Syrian ethical hacker, known for helping many companies across cyberspace
secure their online services and for ensuring that every vulnerability he discloses is closed.

for more information about the vulnerability 
========================================
http://hackerone.com/lawrenceamer
http://www.vulnerability-lab.com/get_content.php?id=1777




Video POC : 
===========================


Monday, February 1, 2016

AOL Vulnerability | Lawrence Amer

Posted By: Lawrence Amer - 12:01 PM




Abstract information
-----------------------
Discovered and reported by Lawrence Amer



Technique
------------------
Remote

Technical Description
------------------------------------

Remote attackers are able to bypass the verification process of the signup functionality on the AOL registration page.
This is a security flaw: the affected parameter [human verification] can be bypassed by replacing it with a blank field.
Furthermore, the current module [reg/signup] is submitted over a [POST request] without a CSRF token to prevent the damage
of cross-site request forgery.



Affected module
----------------------------

[+] [reg/signup]
[+] Domain : i.aol.com


proof of concept :
---------------------------------------

1. The attacker uses a POST request:

POST /reg/signup HTTP/1.1
Host: i.aol.com


------- -------
Parameters: firstname + lastname + security question + username + password + birth + gender + zip + av=[Expired one works fine]
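The two server-side checks whose absence is described above, as an added example that is not AOL's code: a session-bound CSRF token on the signup POST, and a human-verification value (`av`) that is rejected when blank, expired or replayed. The field name `csrf_token`, the 300-second lifetime, the demo key and all function names are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value; use a managed secret
AV_TTL = 300                      # assumed lifetime of an av value, seconds


def csrf_token(session_id):
    """Derive the anti-CSRF token bound to one session."""
    msg = b"csrf|" + session_id.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class AvStore:
    """Issued human-verification values: single use and time limited."""

    def __init__(self):
        self._issued = {}  # av value -> expiry timestamp

    def issue(self, av, now):
        self._issued[av] = now + AV_TTL

    def redeem(self, av, now):
        # pop() removes the entry, so a value cannot be redeemed twice.
        expiry = self._issued.pop(av, None)
        return expiry is not None and now <= expiry


def check_signup(form, session_id, store, now):
    """Return (accepted, reason) for the body of POST /reg/signup."""
    supplied = form.get("csrf_token", "").encode()
    expected = csrf_token(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "csrf"        # cross-site POST carries no valid token
    av = form.get("av", "")
    if not av:
        return False, "av-missing"  # blank field must not skip the check
    if not store.redeem(av, now):
        return False, "av-invalid"  # unknown, expired or already used
    return True, "ok"


if __name__ == "__main__":
    store = AvStore()
    store.issue("constructed-av-1", now=1000)
    form = {"username": "sample", "av": "constructed-av-1",
            "csrf_token": csrf_token("sess-1")}
    print(check_signup(form, "sess-1", store, now=1010))  # accepted
    print(check_signup(form, "sess-1", store, now=1020))  # replay rejected
```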




status :
-----------------------
PATCHED


disclosed :
------------------------
1/2/2016


follow me :
https://www.facebook.com/lawrence.aamor
https://www.facebook.com/lawrenceamer/



Friday, December 18, 2015

Huawei Vulnerability | Lawrence Amer

Posted By: Lawrence Amer - 5:22 PM


wiki :



Huawei Technologies Co. Ltd. (/ˈhwɑːˌw/) is a Chinese multinational networking and telecommunications equipment and services company headquartered in Shenzhen, Guangdong.[3] It is the largest telecommunications equipment manufacturer in the world, having overtaken Ericsson in 2012.[4]
Huawei was founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army. At the time of its establishment Huawei was focused on manufacturing phone switches, but has since expanded its business to include building telecommunications networks; providing operational and consulting services and equipment to enterprises inside and outside of China; and manufacturing communications devices for the consumer market.[5][6] Huawei has over 170,000 employees as of September 2015, around 76,000 of whom are engaged in research and development (R&D).[7][8] It has 21 R&D institutes in countries including China, the United States,[9] Canada,[10] the United Kingdom,[11] Pakistan, France, Belgium, Germany, Colombia, Sweden, Ireland, India, Russia, and Turkey,[12][13] and in 2013 invested US$5 billion in R&D,[14] increased to $6.4bn in 2014.
In 2014, Huawei recorded profit of 34.2 billion CNY (5.5 billion USD).[15] Its products and services have been deployed in more than 140 countries and it currently serves 45 of the world's 50 largest telecoms operators.[16]


Description of Exploit:
An attacker is able to inject malicious code into the parameters of the registration page, so that a user whose email is registered on the Huawei site receives an infected email containing a redirection.

Discovered by : Lawrence Amer 





Sunday, December 13, 2015

http.net | Hall of Fame

Posted By: Lawrence Amer - 4:52 PM


http.net is a German site responsible for providing good and secure solutions for your network, with amazing customer support. Lawrence Amer, a security researcher, started penetration testing its site and discovered a clickjacking vulnerability in the webmail login page. After contacting the webmaster, he thanked me and added my name to the Hall of Fame.



Friday, December 4, 2015

ebay Hall of Fame

Posted By: Lawrence Amer - 5:46 PM




eBay Inc. (stylized as "ebay") is an American multinational corporation and e-commerce company, providing consumer-to-consumer & business-to-consumer sales services via the Internet. It is headquartered in San Jose, California. eBay was founded by Pierre Omidyar in 1995, and became a notable success story of the dot-com bubble. Today, it is a multibillion-dollar business with operations localized in over thirty countries.[5]


So eBay started their program for white hat hackers to get some help securing their site and customers. I found a risky CSRF vulnerability in eBay allowing me to delete any user's profile photo.


After a fix, I got listed in the Hall of Fame.



And here is a video PoC.


Copyright © Lawrence Amer | Ethical Hacker ™ is a registered trademark.