Hi Haxel0rd, can you give us a short intro about you?
------------------------------------------------------
Yeah sure, I'm an older guy who learned (mainly web) hacking in the early days, and I chose the GreyHat path, meaning I cross borders when it comes to legality. Sometimes I access stuff I am not allowed to, but I only do it out of technical interest and never break things or steal data; I just see and forget. In some cases I report vulnerabilities, many I just leave as they are, and for others, like Aliexpress, I leave a message to the sysadmins with suggestions on how to improve. My Twitter only represents (my sometimes childish side and) my private life of hacking. Oh, and I love trolling! In my main job I am a senior pentester, and I strictly separate work from how I act privately on my Twitter.

Well then, congrats on making perhaps the most creative persistent XSS.
-----------------------------------------------------------------------
Thank you very much! I am not sure though how many found out that the testimonials have websites too; maybe I should have made that more clear in the .html file. This PoC demonstrated the most harmless impact, which was that you can abuse the issue for free webhosting (Ali usually sells cloud space for money). But in fact we had a persistent XSS with lots of potential to raise other attacks from there. (I still hid a persistent XSS; it occurs when clicking on the testimonial website from "Yosh Smith", at the "PiratesBase" navbar ;) Basically the open door for XSS was used to place an own file/website on the CDN servers. Back in my days this was called a "deface page". This is something the newer generation may not know that much, as these were different times and today defaces rarely occur. Before about 2012, almost anything on the web was hackable. Hacking was kind of more underground and much less destructive than it is today.
A deface page just replaced either the index file (landing page) of a website or created a file somewhere else in the public www dirs, while leaving the rest of the website fully functioning and intact. It was like a fun competition between SysAdmins and hackers. But times started to change... Some have taken it too far; especially eastern countries stupidly used defacing to represent their country flag, while hacking has nothing to do with things like nationality. They used exploits to mass-deface thousands of websites at once, or to extract sensitive data from databases, resulting in much public attention and attention of the feds to hacking in general, and it didn't take long until criminals also took note of the capabilities of using hacking techniques for fraud purposes. Today it's not the hackers anymore stealing your money, stealing your passwords or identity... it's regular criminals who just buy 0day exploits from hackers, while the hackers themselves mostly do not participate in the actual fraud anymore. The reason why hackers sell to criminals is because, unfortunately, the true criminals are still the only ones that understand the real value of a vulnerability or a ready-made exploit. White hatting still often does not pay off, and companies try to buy hackers for cheap, or a company has an overall and fundamentally wrong understanding of security and doesn't value the reports they receive from hackers/pentesters/researchers. Unless you are hired by a company as a pentester, or find extremely critical bugs in VRPs, you most likely have to expect to get underpaid for white hatting. (VRP = "Vulnerability Reward Program", the more official term for "BugBounty Program".)

Getting companies to take security seriously is a pain.
----------------------------------------------------------
Yes, I fully agree on this!
I have been a witness myself when in the past dealing with companies that didn't understand either the impact/risk a vulnerability posed, or what risk their customers and core business were exposed to. Back in my times it was something very unknown; I reported vulns long before platforms like H1 and Bugcrowd existed, and there were no rules, no guidelines, nothing that described this process or made it transparent. It was like the "Wild West". This resulted in a lot of confusion, mostly on the side of the companies, as they faced something unknown and didn't know how to react to or deal with such reports. Some hackers told that companies felt threatened by a hacking attack and involved the police. Another issue that especially hackers and pentesters/researchers know about: "Thank you for reporting critical RCE in our production systems, we have fixed it, bye." (Often, researchers save the company thousands or even millions of dollars in damage, but in return the researchers get left with a small and simple "thank you", or only a low, inadequate amount of pocket money.) Some concepts tried to solve this; platforms like H1 were founded, but they introduced new problems, and these mostly affected the researchers. Common problems are: slow fixing times result in duplicate reports; researchers get baited with worthless swag rewards or just "points"; private programs allow the stars of platform XY to get fresh attack surface with low-hanging bugs, while the rest of the people get access to a program after it was harvested already, or only if the researchers have specific amounts of points (meaning they have to work for free at first to get to the interesting stuff); and other issues like absolutely stupidly set scopes that leave open doors in the full picture of a company's IT security concept.

So Aliexpress runs a BugBounty program, right?
----------------------------------------------
Yes, and talking about scope, the CDN domain was not in scope.
As far as I know it was in a first round, but by the time I saw it, the scope had already been adjusted to exclude the CDN domains. Maybe they know about the issue and haven't fixed it yet, or they take it as accepted risk, where we are back at the point where companies do not fully understand the risk or impact of a vulnerability. Not meaning to mock Aliexpress: any company that decides to run a VRP is already a step ahead of 95% of the other companies that don't. So I do not mean to criticise Aliexpress for their VRP, but they should improve. Also the bounty amounts are pretty cheap; a company of that size can easily pay more, but then we are back at what I said: "companies still try to buy hackers for cheap". ANYONE WHO'S WHITE-HATTING AND READING THIS: don't sell yourself for cheap, your skills are worth more! Stop reporting for free or for points. Hacking requires a broad range of knowledge that covers different topics from the complete IT sector; this is massive and takes years(!) to learn. Let them pay you this time, just like they pay their coders, their sysadmins, their managers. Exception: you are a young teenager who needs to collect some first few references in the IT-Sec field to get better chances when applying for a job. To anyone else not fitting in this category but still reporting for free: how does it feel to be sold as the "lowbob" of some rich company that massively profits from the hours of time YOU have spent learning? While you get left with a "thank you"... yes, a warm thank you is also nice, but at the end of the day, can you buy your family a piece of bread with it...?

According to your tweets, you didn't report it then?
------------------------------------------------------
No, as soon as I spot a flawed VRP I decide to rather dump a vuln out to the public and leave the company a message. I don't care about swag, money or "Hall of Fame" entries.
In the end I have my fun and lulz, and a company can benefit from it if they at least take some of the info and rethink their processes or handling of vulnerabilities. For Ali my suggestion would be: expand your scope, raise bounties, take impacts more seriously, or be quicker at fixing (whichever of the last two applies for the CDN).

What advice do you have for others dealing with such situations? Should they also go and turn a vulnerability into a piece of art to get companies to realize they need to take it seriously?
---------------------------------------------------------------------------------------------
Haha, thank you for considering my deface page as art; indeed I put lots of love and joy into it (: First of all, I clearly do not encourage anyone to start defacing! While I agree a deface has much power of display and draws more attention from a company, defacing a server or website closely scratches the border of legality, so be careful and only do it if you absolutely know what you are doing. For this case, I see myself in a safe zone as Aliexpress runs a VRP, but in theory they could still take legal action against me, as my actions left their definition of "safe harbor". So either do it anonymously or be careful when using a doxable identity. Make sure to remember: there is always the way to contact a sysadmin via phone or email. SOME companies are pretty up to date with security standards and may respond unexpectedly professionally to your report, or may even compensate you. If you have the feeling a company follows modern-day IT-sec processes, then maybe give it a chance. Use the other methods as a last resort only.

Will you be making your deface script publicly available?
---------------------------------------------------------
Well, in fact it already kind of is. All the images, the styles and even the reggae music are included in the .html file; there are no external files.
The websites of the testimonials are single .html files too, except for the .mp3 downloads on the "PiratesBase" website from testimonial "Yosh Smith" and the linked YouTube videos. I made them separate to demonstrate that even other filetypes are possible to upload and, for the YouTube video, that cross-domain policies are weak. The pages of "Jennifer Yang" and the "NSA" are also own .html files. It may all look messy though, as the resources are included via base64 data URLs. Back in the days each hacker had his own deface page (before the copy-pasting started), and this was what it was about. I remember a dude called "Starfield"; his deface page had a 3D starfield animation (fitting his name) which he completely coded himself in JS. So I recommend not to copy-paste; rather be creative and come up with your own ideas/style.

Haxel0rd, thank you for answering questions for @Planetzuda
---------------------------------------------------------
Thank you for your interest in my work and all the best to @Planetzuda! Cheers
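As an added illustration of the single-file construction the interviewee describes above (example code written for this page, not the interviewee's deface page or any of its files): the script inlines local assets into an HTML page as base64 data URLs, then checks that no `src`/`href` remains that a browser would still fetch from the network. The file names, the page and the asset bytes are constructed stubs, and the MIME table is hard-coded so the output does not depend on the host's mimetypes database.

```python
import base64
import re

# Constructed sample assets: hypothetical names, stub bytes (not real media).
ASSETS = {
    "style.css": b"body{background:#000;color:#0f0;font-family:monospace}",
    "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(8),   # PNG signature + padding, stub only
    "track.mp3": b"ID3" + bytes(8),                # ID3 header + padding, stub only
}

# Constructed sample page that references the assets by relative path.
HTML = (
    '<html><head><link rel="stylesheet" href="style.css"></head>'
    '<body><img src="logo.png"><audio src="track.mp3" autoplay loop></audio>'
    '</body></html>'
)

# Explicit map so results are deterministic across hosts.
MIME = {".css": "text/css", ".png": "image/png", ".mp3": "audio/mpeg"}

# Matches src="..." / href="..." attributes; good enough for a page you wrote yourself.
REF_RE = re.compile(r'\b(src|href)="([^"]*)"')


def to_data_url(name, data):
    """Encode raw bytes as a base64 data: URL with the MIME type implied by the extension."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    mime = MIME.get(ext, "application/octet-stream")
    return f"data:{mime};base64,{base64.b64encode(data).decode('ascii')}"


def inline_assets(html, assets):
    """Rewrite every src/href that names a known asset into an embedded data: URL."""
    def repl(m):
        attr, ref = m.group(1), m.group(2)
        if ref in assets:
            return f'{attr}="{to_data_url(ref, assets[ref])}"'
        return m.group(0)
    return REF_RE.sub(repl, html)


def external_refs(html):
    """src/href targets that are not data: URLs, i.e. anything the browser would still fetch."""
    return [ref for _, ref in REF_RE.findall(html) if not ref.startswith("data:")]


def decode_data_url(url):
    """Inverse of to_data_url; used to confirm the embedded bytes survive the round trip."""
    head, payload = url.split(",", 1)
    mime = head[len("data:"):-len(";base64")]
    return mime, base64.b64decode(payload)


if __name__ == "__main__":
    page = inline_assets(HTML, ASSETS)
    print("fetched before inlining:", external_refs(HTML))
    print("fetched after inlining: ", external_refs(page))
    print(page[:120] + "...")
```

`external_refs` is the check worth keeping: run it on the final file and an empty list means the page truly ships as one self-contained artifact, while any leftover entry is a request the host's CDN or a third party would see.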