develop
[email protected]
Report detailed about 3 bugs in your site : odoo.com // Security Vulnerability Notification| Important
I hope you and your family are fine and in good health.
I hope that this new year 2022 will
be all success, love and respect among your family, I wish you with all
my heart good luck and a beautiful life.
I hope this message finds you well. I'm reaching out today because I found two bugs in your site: odoo.com
I'm Hatim Chabik, a student of physiotherapy and a security researcher.
The work I do: https://www.openbugbounty.org/researchers/H_chabik/
I look for bugs in my spare time to earn some money for my studies,
and I am writing this email to inform you that I found a bug on your website.
*********************************************************************************************************
Bug: Open Redirect
Bug: lack of security headers
Bug: Frameable response (potential Clickjacking)
***********************************************************************************************************
Bug: Open Redirect
Vulnerable URL: https://www.odoo.com/website/lang/vi_VN?r=https://google.com
***************************************************************************************************
Bug: lack of security headers
I noticed that many security headers are missing:
1: Feature-Policy is not set: Feature-Policy is a header that allows a site to control which features and APIs can be used in the browser.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy
2: Referrer-Policy is not set: Referrer-Policy is a new header that allows a site to control how much information the browser includes when navigating to another website, and it should be set by all sites.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
3: X-XSS-Protection header is not set: X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value: "X-XSS-Protection: 1; mode=block".
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
4: X-Frame-Options header missing: X-Frame-Options tells the browser whether you want to allow your site to be used in iframes or not. By preventing a browser from iframing your site you can defend against attacks like clickjacking. Recommended value: "X-Frame-Options: SAMEORIGIN".
https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options
5: Content-Security-Policy is not set: Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
https://en.wikipedia.org/wiki/Content_Security_Policy
6: X-Content-Type-Options header not set: X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
*************************************************************************************************************************************************
Bug: Frameable response (potential Clickjacking)
Host: https://odoo.com
If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.
Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.
You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application.
Issue remediation
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.
________________________________________________________________________________________
I do this work to alert you to bugs in your website, fix them and make your site safer.
I have more than 6 years of experience in this field, I have a lot of certificates in this field, and my name is included in the hall of fame of many sites.
It is possible, if I wanted, to work with you in finding many serious bugs that negatively affect your site.
And I am very happy to make your site safer,
I will be very happy if you accept a request to work together to make your site secure.
I really desperately need a reward in these difficult circumstances that the world is going through, to help myself with study requirements; this is the only job I work and earn money from, and with this money I help myself in my studies and my family.
I hope you can see my message and respond to me please.
I need your response.
Only help me and appreciate me for this work on your site to make your site safer.
May I request you to, if it is possible? Sir, I'll be very grateful to you.
I would be very happy if you reward me,
if possible to my PayPal account:
PayPal: [email protected]
< Please, if you read my message please tell me, so that I know you got it. Please let me know if you're interested in this and, as I am a security researcher, if possible whether you want to work together and discover more very important and dangerous bugs for your site, to make your site more secure. I look forward to hearing from you >
Sincerely, best regards
Hatim Chabik
Security researcher
My account on Twitter: https://twitter.com/H_chabik
by chabik hatim <[email protected]> - 02:30 - 10 Jan 2022
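As an added example, not part of the mailing-list post above and not Odoo's own code, the following Python shows the two checks a site owner would run against the finding types in the post: an audit of a response's headers against the six headers the post lists (a Content-Security-Policy `frame-ancestors` directive is accepted in place of X-Frame-Options, as the remediation text allows), and a validator for a redirect parameter such as the `r` value in the reported URL, so that only same-site destinations are followed. The header table, the two sample responses, the allowed host set and the function names are constructed for this example.

```python
"""Defender-side checks for the two finding types in the post: missing
response security headers and an open-redirect parameter.

Added example; not code from the mailing-list post or from Odoo. The
header table, sample responses and allowed host set are constructed here.
"""
from urllib.parse import urlsplit

# The six headers the post lists, with the values it recommends.
# None means "any explicit value is acceptable"; a tuple lists the
# values that count as correct.
EXPECTED_HEADERS = {
    "feature-policy": None,
    "referrer-policy": None,
    "x-xss-protection": ("1; mode=block",),
    "x-frame-options": ("DENY", "SAMEORIGIN"),
    "content-security-policy": None,
    "x-content-type-options": ("nosniff",),
}

# Hosts that a redirect may point to (assumed: the site's own hosts).
ALLOWED_HOSTS = {"www.odoo.com", "odoo.com"}

# Constructed sample responses: one with no security headers at all, as
# the post reports, and one hardened response.
BARE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
}
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Feature-Policy": "camera 'none'; microphone 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
}


def _canonical(value):
    """Compare header values without regard to case or whitespace."""
    return "".join(value.split()).upper()


def audit_security_headers(headers):
    """Return [(header_name, problem), ...] for headers that are missing or
    carry a value other than the recommended one.

    A Content-Security-Policy with a frame-ancestors directive is accepted
    in place of X-Frame-Options, matching the remediation text in the post.
    """
    present = {k.strip().lower(): v.strip() for k, v in headers.items()}
    csp_controls_framing = "frame-ancestors" in present.get(
        "content-security-policy", "").lower()
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        value = present.get(name)
        if value is None:
            if name == "x-frame-options" and csp_controls_framing:
                continue
            findings.append((name, "missing"))
        elif expected is not None and _canonical(value) not in {
                _canonical(e) for e in expected}:
            findings.append((name, f"unexpected value {value!r}"))
    return findings


def is_safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """True only when `target` stays on the site: a path-relative URL
    (not scheme-relative '//host' or its '/\\host' variant) or an absolute
    http(s) URL whose host is in `allowed_hosts`.

    Host comparison uses the parsed hostname, so 'https://www.odoo.com@evil'
    style userinfo tricks and 'www.odoo.com.evil' suffixes are rejected.
    """
    if not target:
        return False
    target = target.strip()
    if target.startswith("/"):
        return not (target.startswith("//") or target.startswith("/\\"))
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    for label, hdrs in (("bare", BARE_RESPONSE_HEADERS),
                        ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(label, audit_security_headers(hdrs) or "no findings")
    # The redirect value from the reported URL (...?r=https://google.com)
    # is refused; same-site paths and hosts are allowed.
    for t in ("https://google.com", "/web/login", "//google.com",
              "https://www.odoo.com/web"):
        print(f"{t!r:>30} -> {'allow' if is_safe_redirect_target(t) else 'refuse'}")
```

The redirect check deliberately compares the parsed hostname rather than doing a string prefix match, which is where most hand-rolled "starts with our domain" checks fail.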