Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

•

0 gefällt mir•1,439 views

Все шире и шире получают распространение bugbounty программы - программы вознаграждения за уязвимости различных вендоров. И порой при поиске уязвимостей находятся места, которые явно небезопасны (например - self XSS), но доказать от них угрозу сложно. Но чем крупнее (хотя, скорее адекватнее) вендор, тем они охотнее обсуждают и просят показать угрозу от сообщенной уязвимости, и при успехе – вознаграждают 8). Мой доклад – подборка таких сложных ситуаций и рассказ, как же можно доказать угрозу.

Bildung

Покажите нам Impact! Доказываем угрозу в сложных условиях
30/08/2014
DCG #7812
Г. Санкт-Петербург
@sergeybelove

Work/Activity BugHuting Speaker/CTF
Hey
Defcon Russia (DCG #7812)
2

Something wrong but i don't know what
Defcon Russia (DCG #7812)
5

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
6

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
7
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
8

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
9
External IP – 12.34.56.78
Loopback – 127.0.0.1

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
10
Attacker:
1)nc –lv 10024
2)email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim:
1)Open email and...
2)Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
11
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
12

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
13
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
14
https://hackerone.com/reports/1509 - $100

Defcon Russia (DCG #7812)
15
Situation #2 – Self XSS

Situation #2 – Self XSS
Defcon Russia (DCG #7812)
16
XSS only for you – no impact?

Situation #2 – Self XSS
Defcon Russia (DCG #7812)
17

Situation #2 – Self XSS
Defcon Russia (DCG #7812)
18
Requirements:
1)CSRF for logout O_o
2)CSRF for login o_O

Situation #2 – Self XSS
Defcon Russia (DCG #7812)
19
Steps:
1) Save (self)XSS for you
2) Logout victim
3) Login victim w/ your creds
4) Draw window
5) Catch user’s creds!

Situation #2 – Self XSS
Defcon Russia (DCG #7812)
20
Google and self-XSS

Situation #2 – Self XSS
Defcon Russia (DCG #7812)
21
Share account and attack your victim

Situation #3 – evil HTTP referers
Defcon Russia (DCG #7812)
22

Situation #3 - HTTP referer
Defcon Russia (DCG #7812)
23
<a href=“http://external.com”>Go!</a>
In request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on web page such as images, styles...?

Situation #3 - HTTP referer
Defcon Russia (DCG #7812)
24
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose- password.jpg>
...
Owner of
comics-are-awesome.com
know all _SECRET_ tokens (from referer)!

Situation #3 - HTTP referer
Defcon Russia (DCG #7812)
25
https://hackerone.com/reports/738 - $100

Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
26

Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
27

Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
28
CSP only for some browsers!
Is it ok?

Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
29
1)Forks with diff UA
2)Proxy cache
3)Load balancer... Bug hunter got $100, but...

Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
30
Fail! Why:
•‘Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.
•Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.
•Chrome for iOS fails to render pages without a connect-src 'self' policy.
•Old FF problems (some versions between XX and YY)

Situation #6 - Usernames
Defcon Russia (DCG #7812)
31

Situation #6 - Usernames
Defcon Russia (DCG #7812)
32
http://website.com/username

Situation #6 - Usernames
Defcon Russia (DCG #7812)
33
Okay! Let’s register:
http://website.com/robots.txt
http://website.com/sitemap.xml
...

Situations XXX
Defcon Russia (DCG #7812)
34

Situations XXX
Defcon Russia (DCG #7812)
35
•Info disclose via CSS files (full path disclosure while compilation - file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not- supported.scss (bug #2221)
•SPF and same records
•Short tokens
•Pixel flood attack
•CSRF for login/logout!? (hi Michal Zalewski!)
•... - https://hackerone.com/security?show_all=true

Defcon Russia (DCG #7812)
36
Thanks! Questions?
@sergeybelove

Weitere ähnliche Inhalte

Ähnlich wie Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

7.4. Show impact [bug bounties]

defconmoscow

Under the hood of modern HIPS-es and Windows access control mechanisms

ReCrypt

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

OWASP Russia

Grails vs XSS: Defending Grails against XSS attacks

Rafael Luque Leiva

XSS Countermeasures in Grails

OSOCO

XSS Countermeasures in Grails

theratpack

XSS Countermeasures in Grails

Rafael Luque Leiva

The boom of artificial intelligence brought to the market a set of impressive solutions both on hardware and software sides. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns. The speaker will present results of hands-on vulnerability research of different components of AI infrastructure, including NVIDIA DGX GPU servers, ML frameworks, such as PyTorch, Keras, and TensorFlow, data processing pipelines and specific applications, including medical imaging and face recognition–powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.

Vulnerabilities of machine learning infrastructure

Sergey Gordeychik

Grails vs XSS: Defending Grails against XSS attacks

theratpack

Yandex rewards. ONsec experience

Ivan Novikov

In recent years it became the norm to wake up to news about hackers, cyber attacks, ransom campaigns and NSA. Since 2003 the Open Web Application Security Project (OWASP) is the go-to reference to learn more about security vulnerabilities. OWASP published a list of the Top 10 most common security issues for Web. In this talk, we will review the list to learn the details and discuss how to harden and defend our Web applications from those vulnerabilities. If you care about your product and customer's data, want to become a better developer or are simply interested in the kind of cyber attacks delinquents use to compromise websites, this talk is for you.

Security Vulnerabilities: How to Defend Against Them

Martin Vigo

The presentation focuses on the whole process of security testing and present it by analogies to the web applications which are quite well-known. It covers the whole SDLC and show the similarities and differences in the arsenal of vulnerabilities, security tools and standards between the smart contracts and web applications on each step. Even though there exist a lot of great security projects for smart contracts, we do not have single, widely accepted security standard (such as ASVS in web apps world). That is why we introduce SCSVS (Smart Contract Security Verification Standard), a open-source 13-part checklist created to standardize the security of smart contracts for developers, architects, security reviewers and vendors.

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

SecuRing

WebGoat.SDWAN.Net in Depth

yalegko

Denis Kolegov, Oleg Broslavsky, Power of Community 2018, Seoul, Korea Today, «SD-WAN» is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner’s predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020. In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and found vulnerabilities, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.

WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment

Sergey Gordeychik

Phd III - defending enterprise

F _

Application Security for RIAs

johnwilander

Cyber-security

Qasim Zaidi

Common Browser Hijacking Methods

David Barroso

Minor Mistakes In Web Portals

msobiegraj

Hitbkl 2012

F _

Ähnlich wie Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях (20)

7.4. Show impact [bug bounties]

Under the hood of modern HIPS-es and Windows access control mechanisms

[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...

Grails vs XSS: Defending Grails against XSS attacks

XSS Countermeasures in Grails

Vulnerabilities of machine learning infrastructure

Grails vs XSS: Defending Grails against XSS attacks

Yandex rewards. ONsec experience

Security Vulnerabilities: How to Defend Against Them

WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards

WebGoat.SDWAN.Net in Depth

WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment

Phd III - defending enterprise

Application Security for RIAs

Cyber-security

Common Browser Hijacking Methods

Minor Mistakes In Web Portals

Hitbkl 2012

Mehr von DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...

DefconRussia

Intel Boot Guard — аппаратно поддержанная технология верификации подлинности BIOS, которую вендор компьютерной системы может встроить на этапе производства. Докладчик представит результаты анализа технологии, расскажет об её эволюции. Слушатели узнают, как годами клонируемая ошибка на производстве нескольких вендоров позволяет потенциальному злоумышленнику воспользоваться этой технологией для создания в системе неудаляемого (даже программатором!) скрытого руткита. Github: https://github.com/flothrone/bootguard

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...

DefconRussia

В Spring MVC есть классная фича — autobinding. Но если пользоваться ей неправильно, могут появиться «незаметные» уязвимости, иногда с серьёзным импактом. Рассмотрим пару примеров, углубимся в тонкости появления autobinding-багов. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html

[Defcon Russia #29] Алексей Тюрин - Spring autobinding

DefconRussia

Руткиты в мире основанных на ядре Linux операционных систем уже не являются редкостью. Рассказ будет о том, как попытки в современных реалиях определить то, скомпрометирована ли система, привели к неожиданному результату.

[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux

DefconRussia

Георгий Зайцев - Reversing golang

DefconRussia

Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса. В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC

DefconRussia

Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security. This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing. This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation. We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.

Cisco IOS shellcode: All-in-one

DefconRussia

Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...

DefconRussia

HTTP HOST header attacks

DefconRussia

Attacks on tacacs - Алексей Тюрин

DefconRussia

Weakpass - defcon russia 23

DefconRussia

nosymbols - defcon russia 20

DefconRussia

static - defcon russia 20

DefconRussia

Zn task - defcon russia 20

DefconRussia

Vm ware fuzzing - defcon russia 20

DefconRussia

Nedospasov defcon russia 23

DefconRussia

Advanced cfg bypass on adobe flash player 18 defcon russia 23

DefconRussia

Miasm defcon russia 23

DefconRussia

Расскажу где и как iCloud Keychain хранит пароли, и какие потенциальные риски это несёт. Apple утверждает, что пароли надежно защищены, и даже её сотрудники не могут получить к ним доступ. Чтобы это подтвердить или опровергнуть, необходимо разобраться с внутренним устройством iCloud Keychain, чем мы и займемся.

Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...

DefconRussia

Мои последние исселодования показали, что у SharePoint есть определенное количество вэб сервисов, которые могут помочь аудитору собрать крайне полезную информацию с сайта (списки пользователей, групп, ролей и т д). Также данные сервисы, в комбинации с хранимыми XSS, могут быть использованы для вертикального повышения привилегий или предоставить информацию для компрометации доменных записей AD.

George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...

DefconRussia

Mehr von DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...

[Defcon Russia #29] Алексей Тюрин - Spring autobinding

[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux

Георгий Зайцев - Reversing golang

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC

Cisco IOS shellcode: All-in-one

Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...

HTTP HOST header attacks

Attacks on tacacs - Алексей Тюрин

Weakpass - defcon russia 23

nosymbols - defcon russia 20

static - defcon russia 20

Zn task - defcon russia 20

Vm ware fuzzing - defcon russia 20

Nedospasov defcon russia 23

Advanced cfg bypass on adobe flash player 18 defcon russia 23

Miasm defcon russia 23

Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...

George Lagoda - Альтернативное использование вэб сервисов SharePoint со сторо...

Kürzlich hochgeladen

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...

christianmathematics

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes

Celine George

On National Teacher Day, meet the 2024-25 Kenan Fellows

Mebane Rash

Magic bus Group work1and 2 (Team 3).pptx

dhanalakshmis0310

Seal of Good Local Governance (SGLG) 2024Final.pptx

negromaestrong

Unit-V; Pricing (Pharma Marketing Management).pptx

VishalSingh1417

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi Welcome to VIP Call Girl In Delhi Hello! Delhi Call Girls is one of the most popular cities in India. Girls who call in Delhi frequently Advertise their services in small promgons in magazines, as well as on the Internet but We do not act as a direct-promoter. We will do everything we can to make sure that you're safe to the max to the best of our abilities and making sure of our ability and ensuring that you're obtained to the best of our abilities and making sure that you get what you want. Sexuality of our females is recognized by our Business proposals. Top-of-the-line, fully-featured Delhi girl call number and we offer To be aware of it is a major reason in deciding to use our services to ensure that our customers realize the worth of their lives swiftly and in a pleasant manner by engaging with web series performers for a cost of 10000.Here you are able to be Relax knowing that personal information is stored in the business proposals, giving an appearance of like you're as if you are a full affirmation. Call Girls Service Now Delhi +91-9899900591 *********** N.M.************* 01/04/2024 ▬█⓿▀█▀ 𝐈𝐍𝐃𝐄𝐏𝐄𝐍𝐃𝐄𝐍𝐓 CALL 𝐆𝐈𝐑𝐋 𝐕𝐈𝐏 𝐄𝐒𝐂𝐎𝐑𝐓 SERVICE ✅ ❣️ ⭐➡️HOT & SEXY MODELS // COLLEGE GIRLS AVAILABLE FOR COMPLETE ENJOYMENT WITH HIGH PROFILE INDIAN MODEL AVAILABLE HOTEL & HOME ★ SAFE AND SECURE HIGH CLASS SERVICE AFFORDABLE RATE ★ SATISFACTION,UNLIMITED ENJOYMENT. ★ All Meetings are confidential and no information is provided to any one at any cost. ★ EXCLUSIVE PROFILes Are Safe and Consensual with Most Limits Respected ★ Service Available In: - HOME & HOTEL Star Hotel Service .In Call & Out call SeRvIcEs : ★ A-Level (star escort) ★ Strip-tease ★ BBBJ (Bareback Blowjob)Receive advanced sexual techniques in different mode make their life more pleasurable. ★ Spending time in hotel rooms ★ BJ (Blowjob Without a Condom) ★ Completion (Oral to completion) ★ Covered (Covered blowjob Without condom SAFE AND SECURE

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi

kauryashika82

𝐋𝐞𝐬𝐬𝐨𝐧 𝐎𝐮𝐭𝐜𝐨𝐦𝐞𝐬: -Discern accommodations and modifications within inclusive classroom environments, distinguishing between their respective roles and applications. -Through critical analysis of hypothetical scenarios, learners will adeptly select appropriate accommodations and modifications, honing their ability to foster an inclusive learning environment for students with disabilities or unique challenges.

Understanding Accommodations and Modifications

MJDuyan

psychiatric nursing HISTORY COLLECTION .docx

PoojaSen20

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Nguyen Thanh Tu Collection

Spatium Project Simulation student brief

Association for Project Management

PROCESS RECORDING FORMAT.docx

PoojaSen20

Asian American Pacific Islander Month DDSD 2024.pptx

David Douglas School District

The basics of sentences session 3pptx.pptx

heathfieldcps1

Food safety_Challenges food safety laboratories_.pdf

Sherif Taha

Making communications land - Are they received and understood as intended? webinar Thursday 2 May 2024 A joint webinar created by the APM Enabling Change and APM People Interest Networks, this is the third of our three part series on Making Communications Land. presented by Ian Cribbes, Director, IMC&T Ltd @cribbesheet The link to the write up page and resources of this webinar: https://www.apm.org.uk/news/making-communications-land-are-they-received-and-understood-as-intended-webinar/ Content description: How do we ensure that what we have communicated was received and understood as we intended and how do we course correct if it has not.

Making communications land - Are they received and understood as intended? we...

Association for Project Management

Python Notes for mca i year students osmania university.docx

Ramakrishna Reddy Bijjam

Explore the world of IT certification with CompTIA. Discover how the CompTIA Security+ Book SY0-701 can elevate your cybersecurity expertise and open doors to new career opportunities. This PDF provides essential insights into the CompTIA Security+ certification, guiding you through exam preparation and showcasing the benefits of becoming CompTIA-certified. Download now to embark on your journey to IT excellence with CompTIA.

ComPTIA Overview | Comptia Security+ Book SY0-701

bronxfugly43

Accessible Digital Futures project (20/03/2024)

Jisc

microwave assisted reaction. General introduction

Maksud Ahmed

Kürzlich hochgeladen (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes

On National Teacher Day, meet the 2024-25 Kenan Fellows

Magic bus Group work1and 2 (Team 3).pptx

Seal of Good Local Governance (SGLG) 2024Final.pptx

Unit-V; Pricing (Pharma Marketing Management).pptx

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi

Understanding Accommodations and Modifications

psychiatric nursing HISTORY COLLECTION .docx

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Spatium Project Simulation student brief

PROCESS RECORDING FORMAT.docx

Asian American Pacific Islander Month DDSD 2024.pptx

The basics of sentences session 3pptx.pptx

Food safety_Challenges food safety laboratories_.pdf

Making communications land - Are they received and understood as intended? we...

Python Notes for mca i year students osmania university.docx

ComPTIA Overview | Comptia Security+ Book SY0-701

Accessible Digital Futures project (20/03/2024)

microwave assisted reaction. General introduction

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

1. Покажите нам Impact! Доказываем угрозу в сложных условиях 30/08/2014 DCG #7812 Г. Санкт-Петербург @sergeybelove

2. Work/Activity BugHuting Speaker/CTF Hey Defcon Russia (DCG #7812) 2

3. Bug Bounty Defcon Russia (DCG #7812) 3

4. Bug Bounty Defcon Russia (DCG #7812) 4

5. Something wrong but i don't know what Defcon Russia (DCG #7812) 5

6. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 6

7. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 7 XXXYYYZZZ.target.com => 127.0.0.1 What’s wrong?

8. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 8

9. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 9 External IP – 12.34.56.78 Loopback – 127.0.0.1

10. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 10 Attacker: 1)nc –lv 10024 2)email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim: 1)Open email and... 2)Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

11. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 11 http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml

12. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 12

13. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 13 XXXYYYZZZ.target.com => 10.0.0.22 http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

14. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 14 https://hackerone.com/reports/1509 - $100

15. Defcon Russia (DCG #7812) 15 Situation #2 – Self XSS

16. Situation #2 – Self XSS Defcon Russia (DCG #7812) 16 XSS only for you – no impact?

17. Situation #2 – Self XSS Defcon Russia (DCG #7812) 17

18. Situation #2 – Self XSS Defcon Russia (DCG #7812) 18 Requirements: 1)CSRF for logout O_o 2)CSRF for login o_O

19. Situation #2 – Self XSS Defcon Russia (DCG #7812) 19 Steps: 1) Save (self)XSS for you 2) Logout victim 3) Login victim w/ your creds 4) Draw window 5) Catch user’s creds!

20. Situation #2 – Self XSS Defcon Russia (DCG #7812) 20 Google and self-XSS

21. Situation #2 – Self XSS Defcon Russia (DCG #7812) 21 Share account and attack your victim

22. Situation #3 – evil HTTP referers Defcon Russia (DCG #7812) 22

23. Situation #3 - HTTP referer Defcon Russia (DCG #7812) 23 <a href=“http://external.com”>Go!</a> In request headers: ... Referer: http://yoursite.com/ ... But what about external resources on web page such as images, styles...?

24. Situation #3 - HTTP referer Defcon Russia (DCG #7812) 24 http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics-are-awesome.com/howto-choose- password.jpg> ... Owner of comics-are-awesome.com know all _SECRET_ tokens (from referer)!

25. Situation #3 - HTTP referer Defcon Russia (DCG #7812) 25 https://hackerone.com/reports/738 - $100

26. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 26

27. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 27

28. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 28 CSP only for some browsers! Is it ok?

29. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 29 1)Forks with diff UA 2)Proxy cache 3)Load balancer... Bug hunter got $100, but...

30. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 30 Fail! Why: •‘Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header. •Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages. •Chrome for iOS fails to render pages without a connect-src 'self' policy. •Old FF problems (some versions between XX and YY)

31. Situation #6 - Usernames Defcon Russia (DCG #7812) 31

32. Situation #6 - Usernames Defcon Russia (DCG #7812) 32 http://website.com/username

33. Situation #6 - Usernames Defcon Russia (DCG #7812) 33 Okay! Let’s register: http://website.com/robots.txt http://website.com/sitemap.xml ...

34. Situations XXX Defcon Russia (DCG #7812) 34

35. Situations XXX Defcon Russia (DCG #7812) 35 •Info disclose via CSS files (full path disclosure while compilation - file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not- supported.scss (bug #2221) •SPF and same records •Short tokens •Pixel flood attack •CSRF for login/logout!? (hi Michal Zalewski!) •... - https://hackerone.com/security?show_all=true

36. Defcon Russia (DCG #7812) 36 Thanks! Questions? @sergeybelove

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

Ähnlich wie Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях (20)

Mehr von DefconRussia

Mehr von DefconRussia (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях