defcon russia 30 aug 2014 - plz guys show impact!

Покажите нам Impact! Доказываем угрозу в сложных условиях

30/08/2014 DCG #7812

Г. Санкт-Петербург

@sergeybelove

Work/Activity BugHuting Speaker/CTF

Hey

Defcon Russia (DCG #7812) 2

Bug Bounty


Something wrong but i don't know what


Situation #1 – Same Site Scripting




XXXYYYZZZ.target.com => 127.0.0.1

What’s wrong?



External IP – 12.34.56.78 Loopback – 127.0.0.1



Attacker: 1) nc –lv 10024 2) email to [email protected] with <img src = http://xxyyzz.target.com:10024 > Victim: 1) Open email and... 2) Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

mailto:[email protected]



http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml



XXXYYYZZZ.target.com => 10.0.0.22

http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html



https://hackerone.com/reports/1509 - $100

https://hackerone.com/reports/1509



Situation #2 – Self XSS



XSS only for you – no impact?



Requirements: 1)CSRF for logout O_o 2)CSRF for login o_O



Steps:

1) Save (self)XSS for you 2) Logout victim 3) Login victim w/ your creds 4) Draw window

5) Catch user’s creds!



Google and self-XSS



Share account and attack your victim

Situation #3 – evil HTTP referers


Situation #3 - HTTP referer


<a href=“http://external.com”>Go!</a> In request headers: ... Referer: http://yoursite.com/ ... But what about external resources on web page such as images, styles...?

http://external.com/

http://yoursite.com/



http://super-website.com/user/passRecovery?t=SECRET

... <img src=http://comics-are-awesome.com/howto-choose-

password.jpg> ...

Owner of

comics-are-awesome.com know all _SECRET_ tokens (from referer)!

http://comics-are-awesome.com/howto-choose-password.jpg











https://hackerone.com/reports/738 - $100




Situation #5 - Content-Security-Policy




CSP only for some browsers! Is it ok?



1) Forks with diff UA 2) Proxy cache 3) Load balancer...

Bug hunter got $100, but...



Fail! Why: • ‘Partial support in Internet Explorer 10-11 refers to the

browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.

• Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.

• Chrome for iOS fails to render pages without a connect-src 'self' policy.

• Old FF problems (some versions between XX and YY)

https://code.google.com/p/chromium/issues/detail?id=322497




Situation #6 - Usernames




http://website.com/username

http://website.com/username



Okay! Let’s register: http://website.com/robots.txt

http://website.com/sitemap.xml ...

http://website.com/robots.txt

http://website.com/robots.txt

http://website.com/sitemap.xml

http://website.com/sitemap.xml

Situations XXX


Situations XXX


• Info disclose via CSS files (full path disclosure while compilation - file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss (bug #2221)

• SPF and same records • Short tokens • Pixel flood attack • CSRF for login/logout!? (hi Michal Zalewski!) • ... - https://hackerone.com/security?show_all=true


Thanks! Questions?

@sergeybelove