Sergey Belov - Show us the impact! Proving the threat under difficult...
DESCRIPTION
Bug bounty programs - vendors' reward programs for reported vulnerabilities - are becoming more and more widespread. And sometimes, while hunting for vulnerabilities, you find spots that are clearly insecure (for example, self-XSS), but proving a threat from them is hard. Yet the bigger (or rather, the more adequate) the vendor, the more willing they are to discuss it and ask you to show the threat from the reported vulnerability, and if you succeed, they reward you 8). My talk is a collection of such tricky situations and a story about how the threat can be proven.
TRANSCRIPT
Show Us the Impact! Proving the Threat Under Difficult Conditions
30/08/2014 DCG #7812
St. Petersburg
@sergeybelove
Work/Activity: bug hunting, speaker, CTF
Hey
Defcon Russia (DCG #7812) 2
Bug Bounty
Something is wrong, but I don't know what
Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?
External IP – 12.34.56.78 Loopback – 127.0.0.1
Attacker:
1) nc -lv 10024
2) e-mail to the victim with <img src=http://xxyyzz.target.com:10024>
Victim:
1) opens the e-mail and...
2) loads the "image" with the *.target.com cookies attached!
Because xxyyzz.target.com resolves to 127.0.0.1, the request goes to the victim's own host, so that is where the listener has to sit (the classic case is another user on the same multi-user machine). The cookies arrive because they were scoped to the whole domain (that is why it is important to set cookies correctly - http://habrahabr.ru/post/143276/).
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
https://hackerone.com/reports/1509 - $100
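The records shown above (a name under the target's domain pointing at 127.0.0.1 or 10.0.0.22) are easy to spot once you classify every address a zone resolves to. The script below is an added example, not code from the talk or from the linked reports: it flags any name that resolves into loopback, link-local, unspecified or private ranges. The SAMPLE_ZONE data and the name/IP values are constructed; pass live_resolver instead of the default to check real names.

```python
"""Flag DNS names that resolve into address ranges a public web host should
never use (loopback, RFC 1918, link-local, ...).

Added example, not from the talk. SAMPLE_ZONE is constructed; pass
live_resolver to find_risky_records to check real names.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample zone (name -> A records) standing in for a real resolver.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "www.target.com": ["12.34.56.78"],
    "xxxyyyzzz.target.com": ["127.0.0.1"],     # same-site scripting: loopback
    "dev.target.com": ["10.0.0.22"],           # points into the internal network
    "old.target.com": ["169.254.10.5"],        # link-local
    "cdn.target.com": ["12.34.56.79", "0.0.0.0"],
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE.get(name, [])


def live_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver (needs network; not used offline)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(ip: str) -> str:
    """'' for a routable public address, otherwise a short reason.

    Order matters: in Python's ipaddress, 127.0.0.0/8, 169.254.0.0/16 and
    0.0.0.0/8 all count as is_private too, so test the specific ranges first.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"       # the browser will talk to the victim's own machine
    if addr.is_link_local:
        return "link-local"
    if addr.is_unspecified:
        return "unspecified"    # 0.0.0.0 / :: means "this host" on many stacks
    if addr.is_private:
        return "private"        # RFC 1918 / ULA: internal hosts reachable from the browser
    if addr.is_multicast or addr.is_reserved:
        return "non-unicast"
    return ""


def find_risky_records(
    names: Iterable[str],
    resolve: Callable[[str], List[str]] = sample_resolver,
) -> List[Tuple[str, str, str]]:
    """Return (name, ip, reason) for every record that lands in a risky range."""
    findings: List[Tuple[str, str, str]] = []
    for name in names:
        for ip in resolve(name):
            reason = classify(ip)
            if reason:
                findings.append((name, ip, reason))
    return findings


if __name__ == "__main__":
    for name, ip, reason in find_risky_records(SAMPLE_ZONE):
        print(f"{name:24} -> {ip:15} {reason}")
```

A loopback hit is the same-site-scripting case from the slides; a private-range hit is the variant from the onsec post, where a browser on the corporate network can be pointed at internal hosts with the domain's cookies attached.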
Situation #2 – Self XSS
XSS only for you – no impact?
Requirements: 1) CSRF on logout O_o 2) CSRF on login o_O
Steps:
1) Store the (self-)XSS payload in your own account
2) Log the victim out (logout CSRF)
3) Log the victim in with your credentials (login CSRF)
4) Draw a fake login window from the stored XSS
5) Catch the user's credentials!
Google and self-XSS
Share the account and attack your victim
Situation #3 – evil HTTP referers
<a href="http://external.com">Go!</a>
In the request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on the page, such as images, styles...?
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose-password.jpg>
...
The owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer)!
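Whether the token in that URL reaches comics-are-awesome.com depends entirely on the page's referrer policy. The code below is an added example, not from the talk: it implements the Referrer-Policy rules from the W3C specification, which the talk does not cover, so you can check what each policy leaks for the recovery-page URL. The page and image URLs are constructed; the default policy argument is the pre-2020 browser behaviour that the slide relies on.

```python
"""What Referer does the browser attach when the page above embeds a
cross-site image? Added example, not from the talk: it implements the
Referrer-Policy rules from the W3C spec so the leak can be checked for
each policy. The URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(url: str) -> str:
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        return f"{host}:{p.port}"
    return host


def origin_of(url: str) -> str:
    """scheme://host[:port]/ - what the origin-only policies send."""
    return f"{urlsplit(url).scheme}://{_host_port(url)}/"


def full_referer(url: str) -> str:
    """Full URL minus userinfo and fragment - what the 'full' policies send."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(url), p.path or "/", p.query, ""))


def referer_for(page_url: str, request_url: str,
                policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Referer header value for a request issued by page_url, or None if omitted.

    The default argument is the old browser default (2014-era); modern
    browsers default to strict-origin-when-cross-origin.
    """
    same_origin = origin_of(page_url) == origin_of(request_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme != "https")
    full, origin = full_referer(page_url), origin_of(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def query_leaks(page_url: str, request_url: str, policy: str) -> bool:
    """True if the page's query string (where the token lives) reaches request_url."""
    ref = referer_for(page_url, request_url, policy)
    query = urlsplit(page_url).query
    return bool(query) and ref is not None and query in ref


if __name__ == "__main__":
    page = "http://super-website.com/user/passRecovery?t=SECRET"
    img = "http://comics-are-awesome.com/howto-choose-password.jpg"
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} Referer: {referer_for(page, img, pol)}")
```

Note that moving the page to HTTPS only helps while the image stays on plain HTTP; an HTTPS image on the comics site still receives the full URL under the old default. The robust fix is not to put the secret in the URL at all (or to consume it server-side and redirect before rendering any third-party resource).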
https://hackerone.com/reports/738 - $100
Situation #5 - Content-Security-Policy
CSP only for some browsers! Is it ok?
1) Browser forks with a different UA string
2) Proxy cache
3) Load balancer...
Bug hunter got $100, but...
Fail! Why:
• "Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header."
• "Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages."
• "Chrome for iOS fails to render pages without a connect-src 'self' policy."
• Old Firefox problems (some versions between XX and YY)
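So the vendor's UA-dependent CSP was deliberate. The real engineering caveat is the "proxy cache" item from the list above: if the response differs by User-Agent, any shared cache between the origin and the browser must be told so, or the CSP-less variant produced for one browser gets served to another. The simulation below is an added example, not code from the talk or the vendor: a minimal Vary-aware cache in front of a constructed UA-sniffing origin, with constructed IE11 and Chrome UA strings.

```python
"""A shared cache in front of an origin that sends CSP only to certain
User-Agents. Added example, not from the talk: it reproduces the
'proxy cache' problem and shows that 'Vary: User-Agent' keeps the
variants apart. Origin behaviour and UA strings are constructed.
"""
from typing import Dict, List, Optional, Tuple

CSP = "default-src 'self'"
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/37.0.2062.94 Safari/537.36")

Headers = Dict[str, str]


def origin_server(path: str, req: Headers, vary_on_ua: bool) -> Headers:
    """UA-sniffing origin: CSP for Chrome/Firefox, none for IE (as in the talk)."""
    ua = req.get("User-Agent", "")
    resp: Headers = {"Content-Type": "text/html",
                     "Cache-Control": "public, max-age=60",
                     "X-Served-For": ua}
    if "Chrome" in ua or "Firefox" in ua:
        resp["Content-Security-Policy"] = CSP
    if vary_on_ua:
        resp["Vary"] = "User-Agent"
    return resp


class SharedCache:
    """Minimal proxy cache: a stored entry matches a request only if the
    request carries the same values for every header named in the entry's Vary."""

    def __init__(self, vary_on_ua: bool) -> None:
        self.vary_on_ua = vary_on_ua
        self.entries: List[Tuple[str, Tuple[Tuple[str, str], ...], Headers]] = []
        self.hits = 0

    def fetch(self, path: str, req: Headers) -> Headers:
        for entry_path, conditions, resp in self.entries:
            if entry_path == path and all(req.get(n, "") == v for n, v in conditions):
                self.hits += 1
                return resp                      # served from cache, whatever UA asked
        resp = origin_server(path, req, self.vary_on_ua)
        vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        conditions = tuple((h, req.get(h, "")) for h in vary)
        self.entries.append((path, conditions, resp))
        return resp


def csp_seen_by_chrome_after_ie(vary_on_ua: bool) -> Optional[str]:
    """IE11 warms the cache first; return the CSP header Chrome then receives."""
    cache = SharedCache(vary_on_ua)
    cache.fetch("/profile", {"User-Agent": IE11_UA})
    chrome_resp = cache.fetch("/profile", {"User-Agent": CHROME_UA})
    return chrome_resp.get("Content-Security-Policy")


if __name__ == "__main__":
    print("without Vary:", csp_seen_by_chrome_after_ie(False))   # CSP lost
    print("with Vary   :", csp_seen_by_chrome_after_ie(True))
```

Without the Vary header the first visitor decides which headers everyone behind that cache gets for the next 60 seconds; with it, the cache keeps one entry per UA string. Load balancers and CDNs that normalise or strip User-Agent before hitting the origin cause the same class of mismatch.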
Situation #6 - Usernames
http://website.com/username
Okay! Let's register:
http://website.com/robots.txt
http://website.com/sitemap.xml
...
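The fix is a reserved-name check at registration, but a naive blacklist is bypassed by case, percent-encoding, Unicode lookalikes or a trailing dot if the web server or filesystem folds them. The check below is an added example, not from the talk; the reserved-file and route lists belong to a hypothetical site and are constructed here.

```python
"""Reject usernames that collide with paths the site already serves at
/<name>. Added example, not from the talk; the reserved-file and route
lists are constructed for a hypothetical site.
"""
import unicodedata
from urllib.parse import unquote

RESERVED_FILES = {"robots.txt", "sitemap.xml", "favicon.ico", "crossdomain.xml",
                  "humans.txt", "security.txt", "ads.txt"}
ROUTE_PREFIXES = {"login", "logout", "signup", "admin", "api", "static", "user",
                  "settings", "search"}


def normalize(name: str) -> str:
    """Fold what a naive 'name in blacklist' misses: percent-encoding, Unicode
    lookalikes, case, and trailing dots/spaces that some filesystems ignore."""
    n = unquote(name)                        # robots%2Etxt -> robots.txt
    n = unicodedata.normalize("NFKC", n)     # fullwidth 'ｒ' -> 'r'
    n = n.casefold()                         # Robots.TXT -> robots.txt
    n = n.replace("\\", "/").strip("/")      # /robots.txt -> robots.txt
    return n.rstrip(". ")                    # robots.txt. -> robots.txt


def username_allowed(name: str) -> bool:
    n = normalize(name)
    if not n or any(c in n for c in "/\0?#"):
        return False                          # would leave the /<name> segment
    if n.startswith("."):
        return False                          # .well-known, .htaccess, dotfiles
    return n not in RESERVED_FILES and n not in ROUTE_PREFIXES


if __name__ == "__main__":
    for cand in ("alice", "robots.txt", "Robots.TXT", "robots%2Etxt", "robots.txt.",
                 "ｒobots.txt", "login", "../admin", "bob.smith"):
        print(f"{cand!r:20} {'ok' if username_allowed(cand) else 'rejected'}")
```

Route the user namespace under its own prefix (/u/<name>) where you can; the check above is for sites that, like the one in the slide, already serve profiles at the root.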
Situations XXX
• Info disclosure via CSS files (full path disclosure from compilation: file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss, bug #2221)
• SPF and similar records
• Short tokens
• Pixel flood attack
• CSRF on login/logout!? (hi Michal Zalewski!)
• ... - https://hackerone.com/security?show_all=true
Thanks! Questions?
@sergeybelove