Monday, October 30, 2017

Can you trust Facebook links?

While we are on Facebook, we are often share links to external sources, like Youtube, Google Drive, Instagram, or any other websites.
Many people think that Facebook links are quite reliable, but are they?

Facebook users can send those links via post or privately over Messenger, as you can see on the following images:






So how exactly preview link feature works?

Monday, September 18, 2017

Gem in a box XSS vulnerability - CVE-2017-14506

In this short blogpost I will give a short explain of XSS vulnerability i found on geminabox v0.13.5. which is a gems manager like rubygems.org so you can upload and download gems
Geminabox parses the uploaded gems and gives the users list of the gems on the system as the following image:


As you can see, the system parses the gem's details and present it on the web UI.
After few times, I succeeded to create a GEM file to exploit XSS, the attack scenario goes as follows: