I offer security consulting services in the areas of Penetration Testing, Ethical Hacking, Vulnerability Assessments, and Security Code and Configuration Reviews.

SquareUp Open Redirection

During password reset, I observed that the password token link is first redirected through a subscriptions link, where 'r' is the parameter and its value can be any website.
Steps To Reproduce:
1- After receiving the password reset email, copy the link address.


2- The address URI looks like this:
https://squareup.com/subscriptions/r?d=VHZ0CwTM5CMAwfX4&e=/html/body/table/tr/td/table[1]/tr[2]/td/table/tr[2]/td/table/tr[2]/td[2]/table/tr[5]/td/div/a&n=emailClick&r=https://squareup.com/password/reset/Token

Video PoC: 
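As an added, defender-side example (not code from the original post or from SquareUp), here is a Python check for the 'r' parameter of such a tracking link: it only honours a target that is a same-site relative path or an http(s) URL on an allow-listed host, and otherwise falls back to a fixed page. The allowlist, the fallback '/' and the token placeholder are assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Hosts the tracking link may legitimately forward to (assumed allowlist for this example).
ALLOWED_HOSTS = {"squareup.com"}

# The tracking link from the write-up, with the reset token replaced by a placeholder.
SAMPLE_LINK = ("https://squareup.com/subscriptions/r?d=VHZ0CwTM5CMAwfX4"
               "&n=emailClick&r=https://squareup.com/password/reset/TOKEN_PLACEHOLDER")


def safe_redirect_target(tracking_url: str, param: str = "r", fallback: str = "/") -> str:
    """Return the redirect target named by `param`, or `fallback` if it is not trusted."""
    values = parse_qs(urlparse(tracking_url).query).get(param, [])
    if not values:
        return fallback
    # Browsers treat a backslash like a slash in URLs, so normalise before parsing.
    target = values[0].strip().replace("\\", "/")
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # Absolute or scheme-relative URL: only http(s) to an allow-listed host passes.
        if parsed.scheme not in ("http", "https"):
            return fallback
        if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
            return fallback
        return target
    # No scheme and no host: accept a same-site path that begins with a single "/".
    if target.startswith("/") and not target.startswith("//"):
        return target
    return fallback


if __name__ == "__main__":
    print(safe_redirect_target(SAMPLE_LINK))
```

The same check applied at the `/subscriptions/r` endpoint would let the legitimate reset link through while refusing an arbitrary third-party destination.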




Remote Presentation Auth_key Issue In Prezi

Remote Presentation Auth_key Problem


Let me explain this issue with the following example.






Suppose:


abc is the first presentation. (1)
123 is the second presentation. (2)

I start a remote presentation of abc, with the parameter ?follow=r_rk7caxdncs, which is constant for all presentations, and Auth_key ngwd219. Now I found someone else's Auth_key; in fact, every active Auth_key can start a remote presentation of every work.
The impact is clear from the example: I can use the Auth_key of abc with presentation 123, or vice versa, and any active Auth_key can start the presentation.


One more issue is the constant follow parameter in every post.

Gist: https://gist.github.com/zsellera/4fe26ee7c546a4d136f4



