Monday, February 5, 2018

How to DoS 29% of the World Wide Websites - CVE-2018-6389

According to [source], the WordPress platform powers 29% of the websites on the internet worldwide.
In this article I am going to explain how a Denial of Service can easily be caused against almost any WordPress website online, and how you can patch your WordPress website so that this vulnerability cannot be exploited.
It is important to note that exploiting this vulnerability is illegal, unless you have permission from the website owner.

While browsing a WordPress website, my attention was drawn to the following URL:

The load-scripts.php file receives a parameter called load[]; here its value is 'jquery-ui-core'. In the response I received the requested JS module, 'jQuery UI Core', as demonstrated in the following image:

Thursday, February 1, 2018

Gem in a box CSRF file upload - CVE-2017-14506

In this blog post I will give a short example of exploiting a CSRF vulnerability in Geminabox.
Geminabox, an application that lets you manage your internal gems, was vulnerable to CSRF on file upload.
In order to exploit the CSRF vulnerability I wrote a really small tool called csrFile, which generates an HTML page that uploads any type of file to the supplied endpoint; you can check it out at the following link:
Usage: python <url> <filePath>

So using the following command, you can easily create an HTML document that performs the CSRF attack and uploads a malicious gem file to the targeted server:
python https://geminaboxserve/upload xss.gem

Then, if the victim browses to the attacker's link containing the HTML generated by csrFile, his browser will automatically upload the attacker's malicious gem to the Geminabox system.
Note: it is possible to exploit the persistent XSS attack (CVE-2017-14506) in that way as well.

Monday, October 30, 2017

Can you trust Facebook links?

While on Facebook, we often share links to external sources such as YouTube, Google Drive, Instagram, or any other website.
Many people think that Facebook links are quite reliable, but are they?

Facebook users can send those links in a post or privately over Messenger, as you can see in the following images:

So how exactly does the link preview feature work?

Monday, September 18, 2017

Gem in a box XSS vulnerability - CVE-2017-14506

In this short blog post I will give a short explanation of an XSS vulnerability I found in Geminabox v0.13.5, which is a gem manager that lets you upload and download gems.
Geminabox parses the uploaded gems and shows users the list of gems on the system, as in the following image:

As you can see, the system parses the gem's details and presents them in the web UI.
After a few attempts, I succeeded in creating a GEM file that exploits the XSS; the attack scenario goes as follows:

Tuesday, August 18, 2015

PT Vulnerabilities Manager - burp extension

A penetration-test vulnerabilities manager extension for Burp Suite, written in Jython by Barak Tawily, to help application security people manage vulnerabilities.


Friday, February 20, 2015

Autorize - automatic authorization enforcement detection extension for Burp Suite


Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing automatic authorization tests.

Wednesday, December 10, 2014

AliExpress XSS vulnerability - take over any seller account

In this blog post I will discuss an XSS vulnerability I've found in the AliExpress website.
I discovered this vulnerability while buying items on the site: I wanted to contact the seller, so I sent him a message. As an application security expert I suspected that the messaging system might be vulnerable to XSS, so I started investigating it.
After a full investigation I found that it is possible to inject an HTML <b> tag into a message, and it is rendered as HTML code in the recipient's browser.
By injecting the following malicious script payload into the message content parameter, the script is executed in the seller's browser as soon as he browses to the message center on the AliExpress website:

Hello Seller :)<b style="position:fixed;top:0;left:0;display:block;width:100%;height:100%" onmouseover="alert('Barak Tawily, AppSec Labs')">PoC</b>

Note: the system doesn't allow sending HTML tags in the message content, but it allows the <b> tag only; that's why the payload uses a <b> tag and not any other.
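The defect behind this payload is an allowlist that checks the tag name but keeps the tag's attributes. As an added example (not AliExpress's code), the Python below contrasts such a name-only filter, which passes an event handler through on the allowed <b> tag, with one that rebuilds the message keeping only bare <b> tags and escaping everything else; the payload is a constructed one in the same shape as the note above.

```python
"""Added example: why allowlisting <b> by tag name alone is not enough."""
import html
import re
from html.parser import HTMLParser

# Constructed payload in the shape described above (not the original one).
PAYLOAD = ('Hello Seller :)<b style="position:fixed" onmouseover="alert(1)">PoC</b>'
           '<script>alert(2)</script>')


def naive_filter(message: str) -> str:
    """Strip every tag except <b>/</b>, but leave the surviving tag's attributes intact."""
    return re.sub(r"<(?!/?b\b)[^>]*>", "", message)


class _Sanitizer(HTMLParser):
    """Rebuild the message: bare <b> and </b> only, all text HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.depth = 0  # open <b> tags, so we can close any the sender left open

    def handle_starttag(self, tag, attrs):
        if tag == "b":          # HTMLParser lower-cases tag names for us
            self.out.append("<b>")  # attributes are deliberately dropped here
            self.depth += 1
        # any other tag (script, img, ...) is dropped entirely

    def handle_endtag(self, tag):
        if tag == "b" and self.depth > 0:
            self.out.append("</b>")
            self.depth -= 1

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        self.close()
        self.out.append("</b>" * self.depth)
        return "".join(self.out)


def safe_filter(message: str) -> str:
    s = _Sanitizer()
    s.feed(message)
    return s.result()


def has_event_handler(rendered: str) -> bool:
    """True if an on* attribute survived, i.e. the filter is still exploitable."""
    return re.search(r"\son\w+\s*=", rendered, re.I) is not None
```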