[PPT] - detectify Go hack yourself or someone else will Frans Rosn PowerPoint Presentation

SLIDE 1

detectify

Go hack yourself … or someone else will Frans Rosén @fransrosen

SLIDE 2

detectify

Frans Rosén

Security Advisor @detectify ( twitter: @fransrosen ) Blog at labs.detectify.com HackerOne #5 @ hackerone.com/thanks "The Swedish Ninja"

SLIDE 3

detectify

Rundown

1. Background
2. Approaching a target
3. Domain/URL validation
4. Free money + Automation
5. End

SLIDE 4

detectify

How it started

SLIDE 5

detectify

THEN I FREAKED OUT

sv…

SLIDE 6

detectify

Thailand

SLIDE 7

detectify

Thailand

SLIDE 8

detectify

Approaching a target

SLIDE 9

detectify

SWFs

SLIDE 10

detectify

SWFs

ZeroClipboard.swf flowplayer.swf swfupload.swf clippy.swf Jplayer.swf amline.swf Line.swf column3d.swf video.swf OneClipboard.swf flashmediaelement.swf plupload.swf video-js.swf …

SLIDE 11

detectify

By @nirgoldschlager and @homakov  http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html  http://www.breaksec.com/?p=6039

Facebook Connect

SLIDE 12

detectify

https://www.facebook.com/v2.2/dialog/oauth ?scope=publish_actions,email &client_id=298315034451  &response_type=token &redirect_uri=https://www.example.com/login

Facebook Connect

SLIDE 13

detectify

https://www.facebook.com/v2.2/dialog/oauth ?scope=publish_actions,email &client_id=298315034451  &response_type=token &redirect_uri=https://xxx.example.com/yyy

No restrictions!

Facebook Connect

SLIDE 14

detectify

URL-validation is hard #1

http://y.com\@x.com

SLIDE 15

detectify

URL-validation is hard #1

http://y.com\@x.com java: new URL(d); = x.com php: parse_url(d); = x.com chrome: document.createElement('a').href=d; = y.com

SLIDE 16

detectify

RFC 3986 ABNF #RTFM

https://tools.ietf.org/html/rfc3986#page-49

SLIDE 17

detectify

PHP FIXED!

https://github.com/php/php-src/commit/ f705063e23183c073837bb76eea6a49d721b37f2#diff-8c81b7e6f1bafce737814315214a5f23R245

SLIDE 18

detectify

Open Redirects in real life

https://www.victim.com/logout?redirect_url=https://example.com\@www.victim.com

https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings

https://vimeo.com/log_in?redirect=/%09/example.com

https://test6473.zendesk.com/access/login ?return_to=//example.com:%252525252f@test6473.zendesk.com/x

https://trello.com/login?returnUrl=/\example.com

SLIDE 19

detectify

Firefox…

SLIDE 20

detectify

Firefox…

Chrome: Invalid Safari: Domain not found

SLIDE 21

detectify

Firefox…

Chrome: Invalid Safari: Domain not found Firefox: example.com !

SLIDE 22

detectify

Firefox…

Chrome: Invalid Safari: Domain not found Firefox: example.com !

https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/

CVE-2015-7195

SLIDE 23

detectify

Firefox + Prezi…

https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com

SLIDE 24

detectify

Firefox + Prezi…

https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com HTTP/1.1 301 Location: //example.com%0a%23.prezi.com

SLIDE 25

detectify

Firefox + Prezi…

https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com HTTP/1.1 301 Location: //example.com%0a%23.prezi.com

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email &response_type=token &redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com &client_id=298315034451

SLIDE 26

detectify

Firefox + Prezi…

https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com HTTP/1.1 301 Location: //example.com%0a%23.prezi.com

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email &response_type=token &redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com &client_id=298315034451

NOO! :(

SLIDE 27

detectify

Firefox + Prezi…

SLIDE 28

detectify

3rd-party scripts

SLIDE 29

detectify

3rd-party scripts

k.type='text/javascript'; var m,src=(m=location.href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]); k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

SLIDE 30

detectify

3rd-party scripts

SLIDE 31

detectify

Uber XSS

k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

SLIDE 32

detectify

Uber XSS

k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

SLIDE 33

detectify

CSP bypass

script-src 'self' https://ajax.googleapis.com https://html5sec.org/minichallenges/3

SLIDE 34

detectify

CSP bypass

script-src 'self' https://ajax.googleapis.com https://html5sec.org/minichallenges/3 <script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/ angular.js></script>

SLIDE 35

detectify

CSP bypass

script-src 'self' https://cdn.mxpnl.com

SLIDE 36

detectify

CSP bypass

script-src 'self' https://cdn.mxpnl.com

SLIDE 37

detectify script-src 'self' https://www.googleadservices.com

CSP bypass

SLIDE 38

detectify script-src 'self' https://www.googleadservices.com

CSP bypass

SLIDE 39

detectify

CSP bypass

SLIDE 40

detectify

Google’s CSP evaluator

https://csp-evaluator.withgoogle.com

SLIDE 41

detectify

Gotta catch’em all!

SLIDE 42

detectify

https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

October 2014

SLIDE 43

detectify

Subdomain Takeover

campaign.site.com Campaign!

https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

SLIDE 44

detectify

Subdomain Takeover

campaign.site.com Campaign! Fake site!

https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

SLIDE 45

detectify

Customer Responses

SLIDE 46

detectify

Subdomains

SLIDE 47

detectify

Subdomains

SLIDE 48

detectify

Facebook

SLIDE 49

detectify

Facebook

SLIDE 50

detectify

Facebook

SLIDE 51

detectify

Facebook

POST /rest/v1.1/me/transactions?http_envelope=1 HTTP/1.1 Host: public-api.wordpress.com cart[blog_id]=44444444

SLIDE 52

detectify

Facebook

SLIDE 53

detectify

Facebook

SLIDE 54

detectify

Uber

SLIDE 55

detectify

Uber

SLIDE 56

detectify

Uber

SLIDE 57

detectify

Uber

SLIDE 58

detectify

September 2016

http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

SLIDE 59

detectify

September 2016

http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

SLIDE 60

detectify

MX-records

SLIDE 61

detectify

Conflict check + Validation

SLIDE 62

detectify

Oh, add this!

SLIDE 63

detectify

post-host-master-admin

SLIDE 64

detectify

Tadaa!

SLIDE 65

detectify

We now get postmaster!

SLIDE 66

detectify

SLIDE 67

detectify

Google XXE

https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/

SLIDE 68

detectify

Google XXE

SLIDE 69

detectify

Google XXE

SLIDE 70

detectify

Google XXE

SLIDE 71

detectify

Google XXE

SLIDE 72

detectify

Google XXE

SLIDE 73

detectify

Chrome View Source

SLIDE 74

detectify

Chrome…

SLIDE 75

detectify

Chrome…

SLIDE 76

detectify

Chrome…

SLIDE 77

detectify

Chrome…

SLIDE 78

detectify

Chrome…

SLIDE 79

detectify

Chrome…

SLIDE 80

detectify

Chrome…

SLIDE 81

detectify

Chrome…

*click something*

SLIDE 82

detectify

Chrome…

SLIDE 83

detectify

GitHub’s search OMG!

http://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/

SLIDE 84

detectify

GitHub’s search OMG!

SLIDE 85

detectify

GitHub’s search OMG!

SLIDE 86

detectify

GitHub’s search OMG!

SLIDE 87

detectify

GitHub’s search OMG!

SLIDE 88

detectify

The email, 02:35

SLIDE 89

detectify

The email, 02:35

SLIDE 90

detectify

The response

SLIDE 91

detectify

Go hack yourself … or someone else will

Frans Rosén (@fransrosen) – www.detectify.com