Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
•
0 j'aime•1,439 vues
Все шире и шире получают распространение bugbounty программы - программы вознаграждения за уязвимости различных вендоров. И порой при поиске уязвимостей находятся места, которые явно небезопасны (например - self XSS), но доказать от них угрозу сложно. Но чем крупнее (хотя, скорее адекватнее) вендор, тем они охотнее обсуждают и просят показать угрозу от сообщенной уязвимости, и при успехе – вознаграждают 8). Мой доклад – подборка таких сложных ситуаций и рассказ, как же можно доказать угрозу.
Recommandé
Contenu connexe
Similaire à Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Similaire à Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях (20)
Plus de DefconRussia
Plus de DefconRussia (20)
Dernier
Dernier (20)
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
- 1. Покажите нам Impact! Доказываем угрозу в сложных условиях 30/08/2014 DCG #7812 Г. Санкт-Петербург @sergeybelove
- 2. Work/Activity BugHuting Speaker/CTF Hey Defcon Russia (DCG #7812) 2
- 3. Bug Bounty Defcon Russia (DCG #7812) 3
- 4. Bug Bounty Defcon Russia (DCG #7812) 4
- 5. Something wrong but i don't know what Defcon Russia (DCG #7812) 5
- 6. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 6
- 7. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 7 XXXYYYZZZ.target.com => 127.0.0.1 What’s wrong?
- 8. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 8
- 9. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 9 External IP – 12.34.56.78 Loopback – 127.0.0.1
- 10. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 10 Attacker: 1)nc –lv 10024 2)email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim: 1)Open email and... 2)Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)
- 11. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 11 http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
- 12. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 12
- 13. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 13 XXXYYYZZZ.target.com => 10.0.0.22 http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
- 14. Situation #1 – Same Site Scripting Defcon Russia (DCG #7812) 14 https://hackerone.com/reports/1509 - $100
- 15. Defcon Russia (DCG #7812) 15 Situation #2 – Self XSS
- 16. Situation #2 – Self XSS Defcon Russia (DCG #7812) 16 XSS only for you – no impact?
- 17. Situation #2 – Self XSS Defcon Russia (DCG #7812) 17
- 18. Situation #2 – Self XSS Defcon Russia (DCG #7812) 18 Requirements: 1)CSRF for logout O_o 2)CSRF for login o_O
- 19. Situation #2 – Self XSS Defcon Russia (DCG #7812) 19 Steps: 1) Save (self)XSS for you 2) Logout victim 3) Login victim w/ your creds 4) Draw window 5) Catch user’s creds!
- 20. Situation #2 – Self XSS Defcon Russia (DCG #7812) 20 Google and self-XSS
- 21. Situation #2 – Self XSS Defcon Russia (DCG #7812) 21 Share account and attack your victim
- 22. Situation #3 – evil HTTP referers Defcon Russia (DCG #7812) 22
- 23. Situation #3 - HTTP referer Defcon Russia (DCG #7812) 23 <a href=“http://external.com”>Go!</a> In request headers: ... Referer: http://yoursite.com/ ... But what about external resources on web page such as images, styles...?
- 24. Situation #3 - HTTP referer Defcon Russia (DCG #7812) 24 http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics-are-awesome.com/howto-choose- password.jpg> ... Owner of comics-are-awesome.com know all _SECRET_ tokens (from referer)!
- 25. Situation #3 - HTTP referer Defcon Russia (DCG #7812) 25 https://hackerone.com/reports/738 - $100
- 26. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 26
- 27. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 27
- 28. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 28 CSP only for some browsers! Is it ok?
- 29. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 29 1)Forks with diff UA 2)Proxy cache 3)Load balancer... Bug hunter got $100, but...
- 30. Situation #5 - Content-Security-Policy Defcon Russia (DCG #7812) 30 Fail! Why: •‘Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header. •Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages. •Chrome for iOS fails to render pages without a connect-src 'self' policy. •Old FF problems (some versions between XX and YY)
- 31. Situation #6 - Usernames Defcon Russia (DCG #7812) 31
- 32. Situation #6 - Usernames Defcon Russia (DCG #7812) 32 http://website.com/username
- 33. Situation #6 - Usernames Defcon Russia (DCG #7812) 33 Okay! Let’s register: http://website.com/robots.txt http://website.com/sitemap.xml ...
- 34. Situations XXX Defcon Russia (DCG #7812) 34
- 35. Situations XXX Defcon Russia (DCG #7812) 35 •Info disclose via CSS files (full path disclosure while compilation - file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not- supported.scss (bug #2221) •SPF and same records •Short tokens •Pixel flood attack •CSRF for login/logout!? (hi Michal Zalewski!) •... - https://hackerone.com/security?show_all=true
- 36. Defcon Russia (DCG #7812) 36 Thanks! Questions? @sergeybelove