
How I was able to find firebase database takeover vulnerability in a company

Introduction

This is my bug bounty write-up about a Firebase database takeover vulnerability that I found in an Android app. There are only a few resources about Android hacking. This article aims to briefly document one Android vulnerability class, the Firebase database takeover vulnerability. For this purpose I will share my finding of this vulnerability. I will blur some of the company information. That being said, let's jump in.

Steps To Reproduce

1. Download the application from the Google Play Store.

2. Use an APK extractor to extract the APK.

3. I used the BlueStacks emulator.

4. Use apktool to decompile the application.

5. Go to res/values/strings.xml.

6. Look for the Firebase URL.

7. I wrote a Python script to insert data.

8. POC (Proof of Concept).
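As an added example, not the author's script or the company's code, here is a Python helper for the checks behind steps 5 to 8 from the defender's side: it pulls the Realtime Database URL out of a decompiled res/values/strings.xml, classifies the reply an unauthenticated request to <db-url>/.json received, and flags the paths in a Firebase rules document whose read or write rule is literally true. The strings.xml fragment, the host name and both rules documents are constructed for the example.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed fragment of the res/values/strings.xml that apktool produces (step 5).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example App</string>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">PLACEHOLDER-NOT-A-REAL-KEY</string>
</resources>"""

# Constructed rules documents: the open configuration this report describes, and the fix.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'
FIXED_RULES = '{"rules": {".read": "auth != null", ".write": "auth != null"}}'
FIREBASE_HOST = re.compile(r"^https://[\w.-]+\.(firebaseio\.com|firebasedatabase\.app)/?$")

def find_firebase_urls(strings_xml: str) -> list:
    """Step 6: every Realtime Database URL declared in strings.xml."""
    root = ET.fromstring(strings_xml)
    return [s.text.strip() for s in root.iter("string")
            if s.text and FIREBASE_HOST.match(s.text.strip())]

def classify_db_response(status: int, body: str) -> str:
    """Classify the reply an unauthenticated request to <url>/.json received:
    'open' = rules allow anonymous access (this report's finding),
    'locked' = Firebase answered with its "Permission denied" error,
    'unknown' = anything else (project removed, wrong host, ...)."""
    if status == 200:
        return "open"
    if status in (401, 403):
        try:
            err = json.loads(body).get("error", "")
        except (ValueError, AttributeError):
            err = body
        if "permission denied" in str(err).lower():
            return "locked"
    return "unknown"

def open_rule_paths(rules_json: str) -> list:
    """Paths in a rules document whose '.read' or '.write' is literally true."""
    found = []
    def walk(node, path):
        for key, val in node.items():
            if key in (".read", ".write") and val is True:
                found.append(f"{path or '/'} {key}")
            elif isinstance(val, dict):
                walk(val, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return found
```

Running open_rule_paths over WEAK_RULES reports the root read and write rules as open, while FIXED_RULES, which requires a signed-in user, reports nothing.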

Impact

This application doesn't need any access token to insert data into the Firebase database. It is completely open, and anybody can access it without any credentials.

Timeline

Vulnerability Reported – 15 October, 2020 3:37 AM.

Replied – 15 October, 2020 12:31 PM

Rewarded $100 for two reports – 21 October, 2020 11:21 AM.

Conclusion

I really appreciate the company's very fast reply when I submitted the vulnerability, and they allowed me to disclose it. I really enjoyed finding bugs in their organization, and thanks for agreeing to disclose this report and rewarding me with a bounty.


Story of Playstation(Sony) XSS

Hello all! Today I decided to share my finding of an XSS on a subdomain of PlayStation. It was about a year ago, I think, when I started hunting bugs on Sony websites, and first I found directory indexing on [ https://blog.latam.playstation.com/wp-content/ https://blog.latam.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp-content/ https://blog.br.playstation.com/wp/wp-includes/ https://blog.br.playstation.com/wp-content/ https://rd.playstation.com/ ]

Then I reported it to Sony and they didn't accept it because they could not find any impact. I didn't understand why they said that :3 and I was like, okay. Then I tried to dig deeper into the folders and found this page [ https://blog.latam.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html ]. I found QUnit 1.21.0 on the page and decided to look for an exploit on Google. Then I found this page.

There are two PoCs, and the second PoC shows that the parameter testId is vulnerable to XSS. So I decided to give it a try. First I injected the payload <svg onload=alert(1)> and the WAF filtered it. Then I fuzzed a lot, and at last, boom! Double URL encoding bypassed the WAF.

So the PoC link is [ https://blog.us.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html?testId=%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65 ].

Then I reported the bug, and they replied after 3 months and rewarded me with swag that was never shipped to me :V .

That's my story of XSS on PlayStation. Hope you like it. Thanks!!!
