Bug bounty programs, the vulnerability reward programs run by various vendors, are becoming more and more widespread. And sometimes, while hunting for vulnerabilities, you find spots that are clearly insecure (for example, self-XSS), but proving a threat from them is hard. Yet the larger (or rather, the more reasonable) the vendor, the more willing they are to discuss it and ask you to demonstrate the threat from the reported vulnerability, and on success they reward you 8). My talk is a collection of such tricky situations and an account of how the threat can be proven.
6. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
7. Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?
9. Situation #1 – Same Site Scripting
External IP – 12.34.56.78
Loopback – 127.0.0.1
10. Situation #1 – Same Site Scripting
Attacker:
1) nc -lv 10024
2) email to victim@corp.xxx with <img src="http://xxyyzz.target.com:10024">
Victim:
1) Open email and...
2) Load image with *.target.com cookies! (that is why it is important to know how to set cookies correctly - http://habrahabr.ru/post/143276/)
11. Situation #1 – Same Site Scripting
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
13. Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
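The two findings above (a name under the domain resolving to 127.0.0.1, and one resolving to 10.0.0.22) and the cookie-scoping point from slide 10 can be checked mechanically. The following Python is an added example, not code from the talk or from the linked post: it classifies constructed (hostname, address) records with the standard `ipaddress` module and applies RFC 6265 domain matching to show why a cookie set with `Domain=.target.com` is attached to a request for the loopback name. `target.com`, the addresses and the cookies are placeholders; nothing is resolved over the network.

```python
"""Added example (not from the talk): flag DNS names under your own domain that
resolve to loopback, link-local or private addresses, and show why a cookie
scoped to the parent domain is sent to such a name. All records below are
constructed sample data, not real DNS answers."""
import ipaddress

# Constructed (hostname, resolved address) pairs; target.com is a placeholder.
SAMPLE_RECORDS = [
    ("www.target.com", "12.34.56.78"),        # public, fine
    ("xxxyyyzzz.target.com", "127.0.0.1"),    # loopback: the "same site scripting" case
    ("dev.target.com", "10.0.0.22"),          # private range, reachable from inside the LAN
    ("test.target.com", "169.254.1.5"),       # link-local
    ("v6.target.com", "::1"),                 # IPv6 loopback
]


def classify_address(addr: str) -> str:
    """Return 'loopback', 'link-local', 'private' or 'public' for an IPv4/IPv6 literal."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def find_insecure_records(records):
    """Keep only records whose address is not public: each of these lets a
    listener on the victim's own machine or LAN receive requests under your domain."""
    return [(host, addr, classify_address(addr))
            for host, addr in records
            if classify_address(addr) != "public"]


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: a cookie with Domain=target.com
    (leading dot ignored) is sent to target.com and to every host below it."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    request_host = request_host.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """Decide whether a stored cookie is attached to a request for request_host.
    cookie = {"set_by": host that set it, "domain": Domain attribute or None}.
    A cookie without a Domain attribute is host-only and never leaves its host."""
    if cookie["domain"] is None:
        return request_host.lower() == cookie["set_by"].lower()
    return cookie_domain_matches(cookie["domain"], request_host)


if __name__ == "__main__":
    for host, addr, kind in find_insecure_records(SAMPLE_RECORDS):
        print(f"{host} -> {addr} ({kind})")
    # Constructed cookies: one scoped to the whole domain, one host-only.
    wide = {"set_by": "www.target.com", "domain": ".target.com"}
    host_only = {"set_by": "www.target.com", "domain": None}
    print("domain cookie reaches loopback name:", cookie_sent_to(wide, "xxxyyyzzz.target.com"))
    print("host-only cookie reaches loopback name:", cookie_sent_to(host_only, "xxxyyyzzz.target.com"))
```

To audit a real zone, feed `find_insecure_records` the output of your own zone export or resolver; the cookie check is the reason the loopback record matters at all, since a host-only session cookie would never reach the listener.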
14. Situation #1 – Same Site Scripting
https://hackerone.com/reports/1509 - $100
23. Situation #3 - HTTP referer
<a href="http://external.com">Go!</a>
In request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on web page such as images, styles...?
24. Situation #3 - HTTP referer
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose-password.jpg>
...
Owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer header)!
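What the image host actually receives depends on the page's Referrer-Policy, which is the defender's lever here besides keeping secrets out of URLs. The following Python is an added example, not code from the talk: it computes the Referer value an external resource request carries under each standard policy (downgrade, same-origin and cross-origin cases included) and lists which query parameters of the page URL leak with it. The URLs are the constructed ones from the slide.

```python
"""Added example (not from the talk): compute the Referer value an external
resource request carries under each Referrer-Policy, and report which query
parameters of the page URL end up in it. URLs are the constructed ones from
the slide."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)


def origin_of(url: str) -> str:
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}"


def referer_full(url: str) -> str:
    """Referer never includes the fragment or userinfo; everything else is kept."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname}{port}", p.path, p.query, ""))


def referer_for(page_url: str, resource_url: str,
                policy: str = "strict-origin-when-cross-origin"):
    """Return the Referer string sent when page_url loads resource_url, or None."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    same_origin = origin_of(page_url) == origin_of(resource_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(resource_url).scheme == "http")
    full = referer_full(page_url)
    origin = origin_of(page_url) + "/"   # origin-only referrers end with a slash
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin (the modern browser default)
    if same_origin:
        return full
    return None if downgrade else origin


def leaked_query_params(referer) -> list:
    """Names of query parameters that reach the third party via the Referer."""
    if not referer:
        return []
    return [name for name, _ in parse_qsl(urlsplit(referer).query, keep_blank_values=True)]


if __name__ == "__main__":
    PAGE = "http://super-website.com/user/passRecovery?t=SECRET"   # from the slide
    IMG = "http://comics-are-awesome.com/howto-choose-password.jpg"
    for policy in POLICIES:
        ref = referer_for(PAGE, IMG, policy)
        print(f"{policy:32} -> {ref!r}  leaks {leaked_query_params(ref)}")
```

Under the old default `no-referrer-when-downgrade` (and under `unsafe-url`) the full recovery URL, token included, goes to the image host over plain http; under the current default `strict-origin-when-cross-origin` only `http://super-website.com/` does. A page that must carry a one-time token in its URL should still set `Referrer-Policy: no-referrer` or `same-origin` rather than rely on browser defaults.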
28. Situation #5 - Content-Security-Policy
CSP only for some browsers!
Is it ok?
29. Situation #5 - Content-Security-Policy
1) Forks with diff UA
2) Proxy cache
3) Load balancer...
Bug hunter got $100, but...
30. Situation #5 - Content-Security-Policy
Fail! Why:
• Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.
• Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.
• Chrome for iOS fails to render pages without a connect-src 'self' policy.
• Old FF problems (some versions between XX and YY)
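A site that sends CSP only to some User-Agents can be audited from the headers it returns to different clients. The following Python is an added example, not code from the talk: it takes constructed header sets captured for several clients, reports which clients got no policy or only a legacy prefixed header (`X-Content-Security-Policy`, `X-WebKit-CSP`), and, when the policy differs per client, whether the response carries `Vary: User-Agent`, without which a proxy cache or load balancer in front of the site will replay one client's variant to everyone. The client labels and header values are placeholders.

```python
"""Added example (not from the talk): audit CSP headers captured from the same
URL for several clients. It reports clients that got no policy or only a
legacy header, and, when the policy differs per client, whether the response
tells shared caches to vary on User-Agent. Responses below are constructed."""

LEGACY_CSP = ("x-content-security-policy", "x-webkit-csp")

# Constructed header sets, one per client the site was fetched with.
SAMPLE_RESPONSES = {
    "chrome":     {"Content-Security-Policy": "default-src 'self'",
                   "Vary": "Accept-Encoding"},
    "ie11":       {"X-Content-Security-Policy": "sandbox"},
    "old-safari": {},
}


def _lower(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def csp_status(headers: dict) -> str:
    """'standard' if Content-Security-Policy is present, 'legacy-only' if only the
    prefixed headers are, else 'none'."""
    h = _lower(headers)
    if "content-security-policy" in h:
        return "standard"
    if any(name in h for name in LEGACY_CSP):
        return "legacy-only"
    return "none"


def varies_on_user_agent(headers: dict) -> bool:
    """True if the Vary header lists User-Agent, so caches keep one copy per UA."""
    vary = _lower(headers).get("vary", "")
    return "user-agent" in [v.strip().lower() for v in vary.split(",")]


def audit_csp_by_client(responses: dict) -> list:
    """responses maps a client label to the headers it received. Returns findings."""
    findings = []
    statuses = {client: csp_status(h) for client, h in responses.items()}
    for client, status in statuses.items():
        if status != "standard":
            findings.append(f"{client}: {status}")
    if len(set(statuses.values())) > 1:
        # The policy depends on the client. A proxy cache or load balancer that
        # stores one variant will replay it to everyone unless Vary says otherwise.
        no_vary = [c for c, h in responses.items() if not varies_on_user_agent(h)]
        if no_vary:
            findings.append("CSP differs by client but Vary: User-Agent is missing for: "
                            + ", ".join(no_vary))
    return findings


if __name__ == "__main__":
    for finding in audit_csp_by_client(SAMPLE_RESPONSES):
        print(finding)
```

The Vary check only detects the caching hazard; the fix the slides lead to is a single policy served to every client, since the UA-based split is exactly what the forks, caches and balancers break.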