7.4. Show impact [bug bounties]

Post on 31-Jul-2015

Category:

Internet

TRANSCRIPT

Slide 1: Impact! 30/08/2014, DCG #7812, @sergeybelove

Slide 2: Hey. Work/Activity: bug hunting, speaker, CTF. Defcon Russia (DCG #7812)

Slide 3: Bug Bounty

Slide 4: Bug Bounty

Slide 5: Something is wrong, but I don't know what

Slide 6: Situation #1: Same Site Scripting

Slide 7: XXXYYYZZZ.target.com => 127.0.0.1. What's wrong?

Slide 8: (no text)

Slide 9: External IP: 12.34.56.78. Loopback: 127.0.0.1

Slide 10: Attacker: 1) nc -lv 10024; 2) email to victim@corp.xxx with an image. Victim: 1) Open the email and... 2) Load the image with *.target.com cookies! (That is why it is important to know how to set cookies correctly: http://habrahabr.ru/post/143276/)

Slide 11: http://localhost.domain.com:631/.s html

Slide 12: (no text)

Slide 13: XXXYYYZZZ.target.com => 10.0.0.22. http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

Slide 14: https://hackerone.com/reports/1509 - $100

Slide 15: Situation #2: Self XSS

Slide 16: XSS only for you, so no impact?

Slide 17: (no text)

Slide 18: Requirements: 1) CSRF for logout O_o; 2) CSRF for login o_O

Slide 19: Steps: 1) Save the (self-)XSS for yourself; 2) Log the victim out; 3) Log the victim in with your creds; 4) Draw a window; 5) Catch the user's creds!

Slide 20: Google and self-XSS
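The Same Site Scripting chain in slides 6-14 rests on two facts: a record under the site's domain resolves to loopback or an internal address, and session cookies were set with a Domain attribute, so the browser attaches them to every *.target.com host, including the misconfigured one. The following is an added example, not code from the talk: it uses Python's http.cookiejar to show which cookies a browser-like jar sends to such a hostname, and ipaddress to flag records that point inside. Cookie names, hostnames and addresses are constructed.

```python
"""Same Site Scripting (slides 6-14): a *.target.com record that resolves to
loopback or an internal address gets the domain-wide cookies. Added example,
not from the talk; hostnames, cookie names and addresses are constructed."""
import http.cookiejar
import ipaddress
import urllib.request
from email.message import Message


class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def cookies_sent_to(set_cookie_headers, set_by_url, request_url):
    """Cookie header a browser-like jar attaches to request_url after the
    cookies in set_cookie_headers were set by a response from set_by_url."""
    jar = http.cookiejar.CookieJar()  # default policy follows Netscape-style domain scoping
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(set_by_url))
    req = urllib.request.Request(request_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def classify_dns_target(hostname, address):
    """Label where a DNS record points; anything but a public address under a
    cookie-bearing domain is a Same Site Scripting candidate."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        kind = "loopback"
    elif ip.is_private or ip.is_link_local:
        kind = "internal"
    else:
        kind = "public"
    return {"name": hostname, "ip": str(ip), "kind": kind,
            "same_site_scripting": kind != "public"}


# Constructed: two session cookies set by the login page. The first is host-only
# (no Domain attribute), the second is scoped to every *.target.com host.
LOGIN_COOKIES = [
    "sid=HOSTONLY; Path=/; HttpOnly",
    "sess=DOMAINWIDE; Domain=.target.com; Path=/; HttpOnly",
]

# Constructed DNS records mirroring slides 9 and 13.
SAMPLE_RECORDS = [
    ("www.target.com", "12.34.56.78"),
    ("xxxyyyzzz.target.com", "127.0.0.1"),
    ("intranet.target.com", "10.0.0.22"),
]

if __name__ == "__main__":
    # The attacker's image URL uses the misconfigured name on an arbitrary port;
    # whatever listens there (the slide's `nc -lv 10024`) receives the request.
    print("to the listener:", cookies_sent_to(LOGIN_COOKIES, "http://www.target.com/login",
                                              "http://xxxyyyzzz.target.com:10024/pixel.png"))
    print("to the real site:", cookies_sent_to(LOGIN_COOKIES, "http://www.target.com/login",
                                               "http://www.target.com/home"))
    for name, ip in SAMPLE_RECORDS:
        print(classify_dns_target(name, ip))
```

Only the Domain-scoped cookie reaches the listener; the host-only cookie stays with www.target.com. That is the practical fix on the application side (set session cookies without a Domain attribute unless a shared parent domain is truly needed), while the DNS side is to remove records under a cookie-bearing zone that resolve to loopback or RFC 1918 space.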
Slide 21: Situation #2: Self XSS. Share an account and attack your victim.

Slide 22: Situation #3: evil HTTP referers

Slide 23: Situation #3 - HTTP referer. Go! In the request headers: ... Referer: http://yoursite.com/ ... But what about external resources on the web page, such as images, styles...?

Slide 24: http://super-website.com/user/passRecovery?t=SECRET ... ... The owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer)!

Slide 25: https://hackerone.com/reports/738 - $100

Slide 26: Situation #5 - Content-Security-Policy

Slide 27: (no text)

Slide 28: CSP only for some browsers! Is that OK?

Slide 29: 1) Forks on different UAs; 2) Proxy cache; 3) Load balancer... The bug hunter got $100, but...

Slide 30: Fail! Why: Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header. Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages. Chrome for iOS fails to render pages without a connect-src 'self' policy. Old FF problems (some versions between XX and YY).

Slide 31: Situation #6 - Usernames

Slide 32: http://website.com/username

Slide 33: Okay! Let's register: http://website.com/robots.txt, http://website.com/sitemap.xml ...

Slide 34: Situations XXX
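Slides 23-25 show a password-recovery token in the query string leaking to whoever hosts an image on that page, because the browser puts the full page URL in the Referer of every sub-resource request. The following is an added example, not from the talk: it extracts the auto-fetched resources from a page, then applies a simplified version of the Referrer Policy algorithm to show what each third-party host would see. The page URL and HTML are constructed; `no-referrer-when-downgrade` was the browser default at the time of the talk, while current browsers default to `strict-origin-when-cross-origin`.

```python
"""Referer leakage of a recovery token to third-party resources (slides 23-25).
Added example, not from the talk; page URL and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit


class _ResourceCollector(HTMLParser):
    """Collect URLs a browser fetches automatically while rendering the page."""
    AUTO_FETCH = {("img", "src"), ("script", "src"), ("link", "href"), ("iframe", "src")}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if (tag, attr) in self.AUTO_FETCH and value:
                self.urls.append(value)


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value sent from page_url to target_url under a Referrer-Policy.
    Simplified from the W3C Referrer Policy algorithm; covers the usual names.
    Returns None when no Referer header is sent at all."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    origin = urlunsplit((page.scheme, page.netloc, "", "", "")) + "/"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))  # fragment is never sent
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    raise ValueError(f"unsupported policy {policy!r}")


def third_party_leaks(page_url, html, policy="no-referrer-when-downgrade"):
    """Map each cross-origin resource host to the Referer it receives. Any value
    still carrying the query string hands the token to that host."""
    collector = _ResourceCollector()
    collector.feed(html)
    page_origin = urlsplit(page_url)[:2]
    leaks = {}
    for raw in collector.urls:
        url = urljoin(page_url, raw)
        if urlsplit(url)[:2] == page_origin:
            continue  # same origin: our own server already knows the token
        leaks[urlsplit(url).netloc] = referer_for(page_url, url, policy)
    return leaks


# Constructed recovery page: token in the query string, one third-party image.
RESET_URL = "http://super-website.com/user/passRecovery?t=SECRET"
RESET_HTML = """<html><body>
<img src="/static/logo.png">
<img src="http://comics-are-awesome.com/strip.png">
</body></html>"""

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, "->", third_party_leaks(RESET_URL, RESET_HTML, policy))
```

Two remediations follow from the output: send `Referrer-Policy: no-referrer` (or the equivalent `<meta name="referrer">`) on any page whose URL carries a secret, and, more robustly, consume the token server-side and redirect to a token-free URL before rendering anything that embeds third-party content, so the secret never sits in a URL the browser can forward.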
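Slides 28-30 argue that a Content-Security-Policy header sent only to browsers the server believes support it is not a fix: a User-Agent fork behind a shared cache or load balancer means one client's response decides what everyone else receives. The following is an added example, not from the talk: a toy origin with the UA fork beside an unconditional one, and a minimal shared cache that honours Vary, so the cache-poisoning effect can be replayed offline. The handlers, the cache and the User-Agent strings are constructed.

```python
"""CSP sent only to some User-Agents (slides 28-30): UA forks, shared caches
and load balancers make the header inconsistent. Added example, not from the
talk; the origin handlers, cache and UA strings are constructed."""

CSP = "default-src 'self'"


def respond_ua_sniffing(user_agent):
    """Weak: emit CSP only for browsers believed to support it."""
    headers = {"Content-Type": "text/html"}
    if "Chrome/" in user_agent or "Firefox/" in user_agent:
        headers["Content-Security-Policy"] = CSP
    return headers


def respond_ua_sniffing_vary(user_agent):
    """Same fork, but tells caches the response depends on the User-Agent."""
    headers = respond_ua_sniffing(user_agent)
    headers["Vary"] = "User-Agent"
    return headers


def respond_always(user_agent):
    """Hardened: the header goes out unconditionally; a browser that does not
    implement CSP simply ignores an unknown header."""
    return {"Content-Type": "text/html", "Content-Security-Policy": CSP}


class SharedCache:
    """Toy proxy/CDN cache: primary key is the URL, secondary key is the request
    header values named by the stored response's Vary header (RFC 9111 4.1)."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def _vary_key(response, request_headers):
        names = [h.strip() for h in response.get("Vary", "").split(",") if h.strip()]
        return tuple((n, request_headers.get(n, "")) for n in names)

    def fetch(self, url, request_headers, origin):
        entries = self.store.setdefault(url, [])
        for vary_key, response in entries:
            if vary_key == self._vary_key(response, request_headers):
                return response, "HIT"
        response = origin(request_headers.get("User-Agent", ""))
        entries.append((self._vary_key(response, request_headers), response))
        return response, "MISS"


# Constructed User-Agent strings: an old IE and a Chrome of the period.
UA_OLD_IE = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36"


def csp_seen_by(origin, user_agents, url="/profile"):
    """Replay a sequence of clients through one shared cache and report which
    of them actually received a Content-Security-Policy header."""
    cache = SharedCache()
    return [
        "Content-Security-Policy" in cache.fetch(url, {"User-Agent": ua}, origin)[0]
        for ua in user_agents
    ]


if __name__ == "__main__":
    order = [UA_OLD_IE, UA_CHROME]
    print("UA fork, no Vary:  ", csp_seen_by(respond_ua_sniffing, order))       # [False, False]
    print("UA fork + Vary:    ", csp_seen_by(respond_ua_sniffing_vary, order))  # [False, True]
    print("unconditional CSP: ", csp_seen_by(respond_always, order))            # [True, True]
```

With the fork and no Vary, the first visitor (old IE) fills the cache with a CSP-less response and the Chrome user behind the same proxy gets it too. Adding Vary: User-Agent fixes the cache but leaves every "unsupported" browser without a policy, which is the slide's point: the only consistent option is to send the header to everyone.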
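Slides 31-33 register robots.txt and sitemap.xml as usernames on a site that serves profiles at /<username>, so the profile page shadows files that crawlers request at the root. The following is an added example, not from the talk: a username validator that normalises the name and rejects collisions with the application's own routes, with well-known root files, and with names that look like served files. The route table is constructed, and the well-known list generalises beyond the two names on the slide.

```python
"""Usernames served at /<username> (slides 31-33) must not collide with routes
or files that clients request at the site root. Added example, not from the
talk; the route table is constructed and the well-known list extends the
slide's robots.txt and sitemap.xml."""
import re
import unicodedata

# Constructed: paths the application itself handles at the root.
STATIC_ROUTES = {"login", "logout", "signup", "admin", "api", "static", "settings"}

# Files crawlers, browsers and plugins fetch from the root without being told to.
WELL_KNOWN_FILES = {
    "robots.txt", "sitemap.xml", "favicon.ico", "humans.txt", "security.txt",
    "crossdomain.xml", "clientaccesspolicy.xml", "browserconfig.xml", ".well-known",
}

# Extensions the web server or framework may serve as a file rather than a profile.
SERVED_EXTENSIONS = {"txt", "xml", "json", "html", "htm", "js", "css", "ico"}

USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{2,31}")


def normalize(name):
    """Fold case and Unicode compatibility forms so lookalikes such as
    'Robots.TXT' or a fullwidth 'ｒobots.txt' compare equal to robots.txt."""
    return unicodedata.normalize("NFKC", name).strip().lower()


def username_allowed_weak(name):
    """Weak check (what the slide exploits): exact, case-sensitive route match only."""
    return name not in STATIC_ROUTES


def username_allowed(name, static_routes=STATIC_ROUTES, well_known=WELL_KNOWN_FILES):
    """Hardened check; returns (ok, reason) so the registration form can explain."""
    n = normalize(name)
    if n in well_known:
        return False, "well-known-file"
    if n in static_routes:
        return False, "reserved-route"
    if not USERNAME_RE.fullmatch(n):
        return False, "charset"
    if "." in n and n.rsplit(".", 1)[1] in SERVED_EXTENSIONS:
        return False, "file-extension"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("robots.txt", "Sitemap.XML", "Admin", "john.doe", "notes.txt", ".well-known"):
        print(f"{candidate!r}: weak={username_allowed_weak(candidate)} "
              f"hardened={username_allowed(candidate)}")
```

The cleaner structural fix is to stop sharing the root namespace at all (serve profiles under /u/<username> or a subdomain); when the flat layout must stay, the validator has to be fed from the real router and the server's static-file rules, not a hand-maintained list.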
Slide 35: Info disclosure via CSS files (full path disclosure during compilation: file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not-supported.scss, bug #2221). SPF and same records. Short tokens. Pixel flood attack. CSRF for login/logout!? (Hi, Michal Zalewski!) ... https://hackerone.com/security?show_all=true

Slide 36: Thanks! Questions? @sergeybelove
