Open ssl security issue(vulnerabilities,ssl v 3 encryption,bug report) #3

 

Poodle Bleed Vulnerability Found in Relateiq.com

 

 

Poodlebleed Issue POC Report :

This vulnerability found by mtk .

What is Poodle Bleed Vulnerability in website?

Ans : A vulnerability in SSL 3.0/ssl v3/ssl v 3 (commonly known as Poodlebleed) could allow information disclosure.  This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and it is not specific to the Windows operating system or PlateSpin products or . PlateSpin servers leverage Microsoft IIS, which implements the SSL 3.0 protocol.

How to Test your Own Website ?

Ans : Goto Poodlebleed.com and test your own website .if there is any vulnerability so fix it as soon as possible.

 

Question is How to fix this SSL v 3 Vulnerabilities , So here is the way :

Disable SSLv3 in web browsers ? Answer is Below

Firefox

• Install the Mozilla add-on called “SSL Version Control”

Or

• Type about:config into the navigation bar and press [Enter]
• Accept the warning and proceed
• Search for tls
• Change the value of security.tls.version.min from 0 to 1 (0 = SSL 3.0; 1 = TLS 1.0)

Chrome

• Upgrade to the latest version of Chrome

Or

• Run Chrome with the following command-line flag: –ssl-version-min=tls1

Internet Explorer

• Go to Settings -> Internet Options -> Advanced Tab -> Uncheck “SSLv3″ under “Security”.

If you wanna ask any question so feel free to comment .

Read more ...

Bug bounty program websites List for ethical hackers

What is Bug Bounty Program for penetration Websites?

Bug bounty program offered by many Famous and Private Static and Dynamic websites and software developers by which individuals can receive recognition programs and compensation for reporting bugs And Security Researchers comes in website for penetration testing and then Report Ethically. 

What is Ethical Hacker ?

There are four types of Hackers are : 

WhiteHats : Mean Ethical Hacker , Security Researcher , Penetration .

BlackHats : Mean Negative , If BlackHats Find the Vulnerability then they will go for Exploit rather then Ethical Report.
GrayHats : Mean Power of two , They are Positive and also Negative well its depend on Situation.
Anonymous : Mean Only work for patriotism.

Bug Bounty Program  / Private and Famous Website List:

• http://www.123contactform.com/security-acknowledgements.htm
• https://hackerone.com/4chan/thanks
• http://www.activecampaign.com/security/
• http://helpx.adobe.com/security/acknowledgements.html
• https://www.airbnb.com/help/policies/responsible_disclosure#responsible_disclosure_policy
• https://www.appcelerator.com/privacy/responsible-disclosure-of-security-vulnerabilities/
• http://support.apple.com/kb/HT1318
• http://www.androidfreeapp.net/security-researcher-acknowledgments/ (May 2014)
• https://www.apptentive.com/contact/
• https://www.appointlet.com/
• https://artsy.net/security
• http://www.audiomack.com/about
• https://barracudalabs.com/research-resources/bug-bounty-program/bug-bounty-hall-of-fame-2/
• https://getbase.com/security/
• http://ca.blackberry.com/business/enterprise-mobility/mobile-security/incident-response-team/collaborations.html (2014)
• http://www.blesta.com/responsible-disclosure/(CORE-931)
• • Bidmail — http://www.bidmail.com/index.php/contact/
• • Big Commerce — http://www.bigcommerce.com/about-us/
• • Birst — http://www.birst.com/security-reporting
• • Bitcasa — https://support.bitcasa.com/hc/en-us/articles/202210658-How-To-Responsibly-Report-Security-Concerns
• • Bufferapp — https://bufferapp.com/security
• • Bugcrowd — https://bugcrowd.com/bugcrowd/hall-of-fame
• • Bugherd — http://bugherd.com/security
• • Calameo — http://en.calameo.com/content/about_calameo-about-calameo.htm
• • Calendar Budget — https://calendarbudget.com/support2/open.php
• • Cisco — http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html
• • Cloudflare — https://hackerone.com/cloudflare/thanks
• • Colupon — https://bugcrowd.com/c028
• • Commando IO — https://commando.io/security.html#hall-of-fame-section
• • Compilr — https://compilr.com/forum/security-thanks
• • Comodo Dragon — http://www.comodo.com/contact-comodo/contact-us.php
• • Coinbase — https://hackerone.com/coinbase/thanks
• • Constant Contact — http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
• • Crowdrise — http://www.crowdrise.com/UnitedRelief-ARC (Reward ($100) Donated to Typhoon Haiyan Victims in the Philippines [2013])
• • Deutsche Telekom — http://www.telekom.com/security/acknowledgements
• • Dell Secureworks — http://www.secureworks.co.uk/contact/disclosure/
• • Digital Fire — http://digitalfire.com/services/contact.php
• • Dropbox — https://www.dropbox.com/special_thanks
• • Dropcam — https://www.dropcam.com/security
• • DuckDuckGo — https://duck.co/feedback/bug/-
• • Duo Security — https://www.duosecurity.com/security
• • Ecstasy Data — http://www.ecstasydata.org/contact.php
• • EMC Corporation — http://www.emc.com/contact-us/contact/product-security-response-center.htm
• • File Pigeon — http://www.filepigeon.com/faq/
• • Ford Motor Company (Fleet Department) — http://www.fleet.ford.com/contact-us/
• • Form Assembly — http://www3.formassembly.com/blog/formassembly-vulnerability-and-security-reporting/
• • FoxyCart — http://www.foxycart.com/security-contact/
• • Freelancer — https://www.freelancer.com/u/evanricafort.html
• • Friendster — http://www.friendster.com/contact_us
• • Game Institute — https://www.gameinstitute.com/contact.php
• • Gapminder — http://www.gapminder.org/about-gapminder/contact/
• • Geonode — https://github.com/GeoNode/geonode/commit/f48b14e26894c21006c165beb62a9a13265dba0e
• • GF Overflow — http://www.gfoverflow.com/contact.php
• • GitLab — https://about.gitlab.com/vulnerability-acknowledgements/ (2014)
• • Gizmo Host — http://www.gizmohost.com/contact
• • Gizmo Quip — http://gizmoquip.com/#contact
• • Gli.PH — https://gli.ph/security.html
• • Google — http://www.google.com/about/appsecurity/hall-of-fame/reward/ (Quarter 3 - 2014)
• • Hackerearth — http://www.hackerearth.com/recruit/faq/
• • HackForCause — http://hackforcause.com/hall-of-fame/
• • Harvard University — http://about.worldmap.harvard.edu/icb/icb.do?pageid=icb.page481343
• • Honeybadger — http://docs.honeybadger.io/article/181-security
• • Hotgloo — http://www.hotgloo.com/security/hall-of-fame
• • HTC — http://www.htc.com/us/terms/product-security/
• • Huawei — http://www.huawei.com/en/security/psirt/report-vulnerabilities/index.htm
• • Hubdia — https://hackerone.com/hubdia/thanks
• • IBM Corporation — http://www-03.ibm.com/security/secure-engineering/report.html
• • iBuildApp — http://ibuildapp.com/about-us/
• • Icecoder — https://bugcrowd.com/icecoder/hall-of-fame
• • iDevAffiliate — http://www.idevdirect.com/contact.php
• • Intel — https://www-ssl.intel.com/content/www/us/en/forms/webmaster-contact-us.html
• • Internetwache — https://en.internetwache.org/security/
• • Juniper Networks — https://www.juniper.net/us/en/security/report-vulnerability/
• • Kayako — https://my.kayako.com/Knowledgebase/Article/View/853/0/security-vulnerability-fix-and-patch-policy
• • Khan Academy — https://hackerone.com/khanacademy/thanks
• • Lavasoft — http://lavasoft.com/mylavasoft/company/about.php
• • Lleida — http://www.lleida.net/en/company/about-us
• • LG Developers — http://developer.lge.com/footer/footer/RetrieveContactInfo.dev
• • LinkedIn — http://help.linkedin.com/app/safety/answers/detail/a_id/37022
• • Logentries — https://logentries.com/doc/security/
• • Joomlart — http://www.joomlart.com/joomlart/contact-us
• • JotForm — http://www.jotform.com/about/
• • Magix AG — http://research.magix.com/(May 2014)
• • MailChimp — http://mailchimp.com/about/security-response/
• • Mastercoin Foundation — https://bugcrowd.com/mastercoin/hall-of-fame
• • MaxCDN — http://www.maxcdn.com/company/security/
• • Meldium — https://www.meldium.com/security
• • Metrodeal — http://www.metrodeal.com/about-us
• • Microsoft — http://technet.microsoft.com/en-us/security/cc308575#0114 (January 2014)
• • Moment.Me — http://www.moment.me/
• • Motorola — http://www.motorolasolutions.com/US-EN/About/Security%20Vulnerability
• • Movember — https://bugcrowd.com/movember/hall-of-fame
• • My News Desk — http://www.mynewsdesk.com/about
• • National Cyber Security Center (Netherlands) — https://www.ncsc.nl/security
• • Nitrous I/O — http://help.nitrous.io/admin-security-response/ (2014)
• • Oculus VR — https://www.oculusvr.com/bug-submission/
• • OpenDrive — https://www.opendrive.com/security
• • OpenText — http://www.opentext.com/Who-We-Are/Copyright-Information/Security-Acknowledgements
• • Pagerduty — http://www.pagerduty.com/security/disclosure/
• • PayPal — https://www.paypal.com/webapps/mpp/security-tools/wall-of-fame-honorable-mention (Quarter 2 of 2014)
• • Perfectcloud — https://www.perfectcloud.io/about.html
• • PhpNuke — https://downloads.phpnuke.org/en/email/contact_us.htm
• • Pwnie Express — https://www.pwnieexpress.com/contact-us/
• • Rackspace — http://www.rackspace.com/information/legal/rsdp
• • Rainedout — http://www.rainedout.com/contact
• • Rapid7 — https://www.rapid7.com/disclosure.jsp
• • Rebelmouse — https://about.rebelmouse.com/company
• • RelateIQ — https://hackerone.com/relateiq/thanks
• • Ribose — https://www.ribose.com/security/hall_of_fame
• • Rietta — http://rietta.com/contact/security/
• • Risk I/O — https://www.risk.io/security
• • Samsung — https://samsungtvbounty.com/HallOfFame.aspx
• • Search on Zippy — http://www.searchonzippy.com/contact
• • Sellfy — https://sellfy.com/security/
• • Shaukk — http://shaukk.com/developers.php
• • Site Liner — http://www.siteliner.com/contact
• • Slack — https://hackerone.com/slack/thanks
• • SmartQ — http://www.getsmartq.com/support.php
• • Sony — https://secure.sony.net/hallofthanks
• • Sourceforge Japan — http://sourceforge.jp/docs/SourceForge.JP%E3%81%AE%E9%80%A3%E7%B5%A1%E5%85%88
• • SoundCloud — http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure
• • Splitwise — http://blog.splitwise.com/about/responsible-disclosure-special-thanks/
• • StarHub — http://www.starhub.com/personal/support/contact-us.html
• • Survey Gizmo — http://surveygizmo.helpgizmo.com/help/contact-us
• • Sprout Social — http://sproutsocial.com/responsible-disclosure-policy
• • Steam — https://support.steampowered.com/index.php
• • StoptheHacker — https://hackerone.com/stopthehacker/thanks
• • Student CRM - Data Harvesting U.K — http://www.student-crm.co.uk/about/security/
• • Swipe Identity — https://bugcrowd.com/c030/hall-of-fame
• • Tagged — http://safety.tagged.com/security/
• • Thumbr — http://www.thumbr.io/tos
• • Tresorit — https://tresorit.com/hacking-challenge
• • Tumblr — http://www.tumblr.com/security
• • Twitch TV — http://www.twitch.tv/p/security
• • Twilio — https://bugcrowd.com/twilio/hall-of-fame
• • Twitter — https://about.twitter.com/company/security (2013 and 2014)
• • Typo3 — http://typo3.org/teams/security/
• • Uber — https://www.uber.com/security
• • United States Naval Academy — http://www.usna.edu/About/
• • UK Secure Web Hosting — http://www.uksecurewebhosting.co.uk/contact.php
• • US Unlocked — https://www.usunlocked.com/contact_us.php
• • Valve Software — http://www.valvesoftware.com/security/
• • Via Forensics — https://viaforensics.com/company/contact/
• • Visa Incorporation — http://www.visa.com/globalgateway/
• • Vox Analytics — https://www.voxanalytics.com/contact
• • WePay — https://hackerone.com/wepay/thanks
• • Wizehive — https://www.wizehive.com/security/
• • Wordpress — http://codex.wordpress.org/Security_FAQ
• • World Vision Philippines — http://worldvision.org.ph/contact-us
• • WPEngine — http://wpengine.com/contact/
• • Yahoo! — https://hackerone.com/yahoo/thanks
• • Yamaha Club Philippines — https://www.yamahaclub.com.ph/contact/
• • Yandex — http://company.yandex.com/security/hall-of-fame.xml (March 2014)
• • Yesware — http://www.yesware.com/security/
• • Zendesk — http://www.zendesk.com/company/responsible-disclosure-policy
• • Zynga — http://company.zynga.com/security/whitehats (2014)

Read more ...

Vulnerability Reports disclosure timeline [bugs,poc,tutorial,2015]

 Here is the Bugs/Vulnerability Reports

      

Sql Injection Vulnerability Found by Security Researcher in MyBB [tamperdata,test,examples] <<click here

=============================================================================

 

 What is Broken Authentication – Session Token bug? Bug
<< click here

 

 

=============================================================================

 

 Logical Bug in Humblebundle.com website Bug<<click here

=============================================================================

 Open ssl security issue(vulnerabilities,ssl v 3 encryption,bug report)

 

=============================================================================

 

 

Logout Cross site Request Forgery CSRF Vulnerability [worth bug 250$ ]

 

=============================================================================

 

Full path disclosure at ads.twitter.com [Vulnerability , Reward 140$]

 

=======================================================================

 

 

 

 

Read more ...

Free fake sms with any number

How to Spoof a SMS

People Loves Social Engineering and People want high priority work in short time so i am going to share Someone idea that how they spoof sms for free through a simple technique.

Let see how it works :

Requirement : 

• Online Sms Sender Website.
• Temper Data Addon (work in Mozila Firfox) 

I am Using this Website http://freesmsland.com/ for sending free fake sms to anywhere in the world and it works well.

1. First open the Free fake sms website so i am open this website http://freesmsland.com/
2. Fill up the complete Form e.g phone number,  Message , captcha and everything. (you can check screenshot too)
   
3. Dont click on Send Button right Yet , Now Open TamperData in FireFox from Menu > Tools > Tamper Data.
4. After Opening Tamper Data Just Click on  " Start Tamper ".
5. After Clicking on this Immediately click on Send Button to Send SMS.
6. Now another box will appear with asking you to tamper the http request or not just simply click on Tamper.
   
7. Yet Another Box will Appear with details E.g sender id , name , sms , phone number etc.
   
8. In this just replace the sender ID with the number you want to spoof or any name which you want to use as a sender ID ( note: please use short name if you are want to use alphabets) 
9. Yet Click on OK and See the Magic. 

After follow these Steps you can Clicking on OK this will send the message to the given number with your customize sender id or name.

I am Going to Explain the Trick and What is the Logic Behind this Trick?

When you are going to click on Send button on website , it sends data through HTTP request and what we have did it and we have tampered the HTTP request using tamper Data Addon/Plugin.

 If you are not able to use Tamper Data ?

Alternative for Tamper Data Plugin/Addone is Live Http Headers and Burp which is also like a tamper data you can google this for firefox but i suggest you to use tamper data because it easy to use and its really work But if you want Live Http header or Burp plugin so you can comment , i will share .

I Hope you will like this Article , Feel Free to Comment .

Read more ...