Hack In The Box 2012
Killing a bounty program, Twice.
By: Itzhak (Zuk) Avraham; Nir Goldshlager; 05/2012

# whoami | presentation
Itzhak Avraham (Zuk)
Founder & CEO, Ihackbanme
http://imthezuk.blogspot.com
zuk@zimperum.com

# whoami | presentation
Nir Goldshlager
Senior Web Applications Researcher
Twitter: @nirgoldshlager
Blog: http://nirgoldshlager.com

Reasons for bug bounty
• Money
• Credit
• Okay, mostly credit, they don't pay much :P

Bug bounty programs
1995 – Netscape
2004 – Firefox
2005 – ZDI
2007 – Pwn2own
2010 – Google
2011 – Facebook

Know your enemy
Nope. Your enemies might be:
• Masato Kinugawa
• Neal Poole
• Nils Juenemann
• Szymon Gruszecki
• Wladimir Palant

Learn your target
Overview
Spy on their blogs
• New bugs – new ideas to detect different vulnerabilities.
Learn the company
• Unchecked services
• Successful acquisitions
• Untested / less secured web applications
• Multi vector
• Unknown vectors / logical techniques
• Repetition of weak spots

Google Overview
Learn the company
• Successful acquisitions: http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google
• More than one acquisition per week since 2010!
• New services – Knol (???), Friends Connect
• Subdomains
• Learn all the functions of the application you are going to test
• Multi vector
• Unknown vectors / logical techniques
• Repetition of weak spots

Google Overview
Approach
• Logical / mixed issues

XSS for fun and … profit?
• XSS is not just for account hijacking
• Trusted website, runs malicious javascript…
• Client Side Exploit anyone?

Google Overview
Convention
• Calendar: google.com/calendar
• Friends Connect: google.com/friendconnect
• Knol: google.com/knol
• Analytics: google.com/analytics
• Blogger: google.com/blogger

Google Support Overview
Convention
• Knol: google.com/knol – No
• Friends Connect: support.google.com/friendconnect
• Calendar: support.google.com/calendar
• Analytics: support.google.com/analytics
• Blogger: support.google.com/blogger
• Admob: support.google.com/admob
Google Calendar Stored XSS

Google Calendar – error based
• General attacks against Google Calendar.
• Going deep into the application.
• What we found.
• We need to find a way to trigger it for REMOTE users.

Stored XSS (error based): a "self" XSS payload

Google Calendar – error based
• Changing the attack vector
• Resolving the self-XSS issue by using the sharing option
The sharing process:

Wait, HOUSTON WE HAVE A PROBLEM!!!
The user must delete his calendar 1-5 times. How can we force our target to delete our malicious calendars?

• Resolving the problem: no sharing limit.
• Users get an email for each share & our calendar is added automatically to the victim's account.
• Calendar SPAM!!!
• After the user deletes 1-5 times, an error occurs. Error message details: "Calendar (calendar name) not load", after which the stored XSS is triggered :)

Game over! Achievement unlocked.

Google Analytics – Stored XSS
In-page analytics doesn't escape incoming requests:
• Meaning, an attacker can send XSS to the administrator by sending a URL

Let's exploit this vulnerability in 2 creative ways:
• In-page analytics – when the administrator logs in. Ouch.
• Sharing – infect ourselves and share our Analytics with the victim (direct link to in-page analytics)

1st method: let's wait for our administrator to log in
• Achievement unlocked, we can run JS on any web administrator using Analytics

Second method: sharing our analytics with the victim
• We will add the victim with read-only permission and will submit the link for the google.com/analytics account with our ID

Game over. Achievement unlocked.

Google FeedBurner Stored XSS
FeedBurner provides custom RSS feeds and management tools to bloggers, podcasters, and other web-based content publishers.
• Feed title is "vulnerable" to an XSS
• Wait, nothing happened here!!! There is "NO" XSS
• Let's look closer at the features of the FeedBurner app

Google FeedBurner Unsubscribe XSS
• We already know that there is a subscription feature in FeedBurner, right???
• What about the unsubscribe option, maybe this can help us?
• When the victim decides to unsubscribe from the malicious FeedBurner feed, a stored XSS will run in his client.
Let's exploit it with two methods:
1. Victim subscribes to the service & later unsubscribes from the malicious FeedBurner feed.
2. Attacker sends a malicious unsubscribe link to the victim (the victim doesn't need to be subscribed to the malicious feed).

Google FriendConnect – error based
Meet your new best friend:
The target approved our request. Now, let's force him to delete us, but not before we change our name to:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA …. "><XSS Payload>
After the user deletes:
• Achievement unlocked.
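The Calendar, Analytics, FeedBurner and FriendConnect findings share one root cause: a string one user controls (a calendar name, a request URL, a feed title, a friend's display name) is pasted into HTML that a different user's browser renders, typically in an error message, a notification or an admin dashboard. The example below is added here and is not the authors' or Google's code; the error template, the helper names and the sample names are constructed. It places the unescaped rendering beside the context-encoded one and adds a small check a team can run over every template that displays user-supplied names.

```python
import html
import re
from typing import List

# Constructed sample inputs (not from the slides): a name shaped like the
# FriendConnect trick, padded with A's so a truncated preview looks harmless,
# and an ordinary name with characters that escaping must not mangle.
MALICIOUS_NAME = "A" * 40 + '"><script>alert(document.domain)</script>'
BENIGN_NAME = "Zuk & Nir's calendar"

TEMPLATE_TAGS = ("div",)   # the only element the error template itself emits


def render_error_unsafe(calendar_name: str) -> str:
    """Anti-pattern: the name is concatenated into an attribute value and into
    element text with no encoding, so quotes and angle brackets become markup."""
    return (
        '<div class="error" data-name="' + calendar_name + '">'
        "Calendar " + calendar_name + " could not be loaded.</div>"
    )


def render_error_safe(calendar_name: str) -> str:
    """Encode for the output context. html.escape(quote=True) turns & < > " '
    into entities, which is sufficient for a double-quoted attribute value and
    for element text (it is NOT sufficient inside <script> or inside a URL)."""
    safe = html.escape(calendar_name, quote=True)
    return (
        '<div class="error" data-name="' + safe + '">'
        "Calendar " + safe + " could not be loaded.</div>"
    )


TAG_RE = re.compile(r"<[^>]+>")


def injected_tags(rendered: str) -> List[str]:
    """List every tag in the rendered HTML that the template did not emit.
    A non-empty result means untrusted input was interpreted as markup; the
    same check works as a unit test over any template that shows user names,
    feed titles or logged request URLs."""
    found = []
    for match in TAG_RE.finditer(rendered):
        name = match.group(0).strip("</>").split()[0].lower()
        if name not in TEMPLATE_TAGS:
            found.append(match.group(0))
    return found


def round_trips(rendered: str, original: str) -> bool:
    """Escaping must be lossless: once the browser decodes the entities, the
    displayed name equals exactly what the user typed."""
    shown = rendered.split("Calendar ", 1)[1].rsplit(" could not", 1)[0]
    return html.unescape(shown) == original


if __name__ == "__main__":
    for name in (BENIGN_NAME, MALICIOUS_NAME):
        print("unsafe ->", injected_tags(render_error_unsafe(name)))
        print("safe   ->", injected_tags(render_error_safe(name)))
```

The escaping is applied at output time, per context, rather than by filtering on input: the same name is legitimately shown in an attribute, in element text and in a plain-text email, and each needs different treatment. `injected_tags` is the regression check; wiring it into a template test suite catches the "error path nobody looked at" case that all four slides exploit.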
Permission bypass – Google Knol
Knol is an online knowledge portal.
• Privacy in Google Knol
• Function: publish / unpublish docs
Example of an unpublished document:
This document isn't accessible via direct URL.
Google validates permission and blocks us from viewing the unpublished document. What can we do????
Let's meet our new friend :) Google Knol Translator Toolkit
The attacker provides the URL of the unpublished doc, and magic happens.
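The Knol bypass is a confused-deputy problem: the viewer enforced the publish/unpublish rule, but a second tool that fetched documents on a user's behalf read them with its own privilege and never asked whether the requesting user was allowed to see them. The example below is added here and is not the authors' or Google's code; the `DocumentStore`, the `translate_*` functions and the sample documents are constructed. It shows the tool that trusts a URL beside one that reuses the viewer's own authorization decision.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Doc:
    doc_id: str
    owner: str
    published: bool
    body: str


class DocumentStore:
    """Constructed stand-in for the portal's document storage."""

    def __init__(self) -> None:
        self._docs: Dict[str, Doc] = {}

    def add(self, doc: Doc) -> None:
        self._docs[doc.doc_id] = doc

    def can_view(self, user: Optional[str], doc_id: str) -> bool:
        """The viewer's rule: published docs are public, unpublished ones are
        visible only to their owner. Unknown ids are simply not viewable."""
        doc = self._docs.get(doc_id)
        return doc is not None and (doc.published or user == doc.owner)

    def fetch_as_service(self, doc_id: str) -> Optional[Doc]:
        """Privileged read used by internal tools; it has no notion of 'who'."""
        return self._docs.get(doc_id)


def fake_translate(text: str, lang: str) -> str:
    """Placeholder for the translation step; its content is irrelevant here."""
    return f"[{lang}] {text}"


def translate_unsafe(store: DocumentStore, requester: str, doc_id: str, lang: str = "fr") -> str:
    """Confused deputy: the tool reads with its own privilege and never checks
    whether *requester* may see the document it is about to echo back."""
    doc = store.fetch_as_service(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return fake_translate(doc.body, lang)


def translate_safe(store: DocumentStore, requester: str, doc_id: str, lang: str = "fr") -> str:
    """Reuse the viewer's authorization decision before touching the content.
    Not-found and forbidden collapse into one error so the tool cannot be used
    to confirm that an unpublished document exists."""
    if not store.can_view(requester, doc_id):
        raise PermissionError(f"{requester!r} may not read {doc_id!r}")
    return fake_translate(store.fetch_as_service(doc_id).body, lang)


def is_denied(store: DocumentStore, requester: str, doc_id: str) -> bool:
    """True when the hardened tool refuses the request."""
    try:
        translate_safe(store, requester, doc_id)
    except PermissionError:
        return True
    return False


def build_sample_store() -> DocumentStore:
    """Constructed sample: one public knol and one unpublished draft, both alice's."""
    store = DocumentStore()
    store.add(Doc("knol-1", "alice", True, "public article"))
    store.add(Doc("knol-2", "alice", False, "unpublished draft"))
    return store
```

The design point is that authorization lives in one function (`can_view`) that every code path serving the document calls, including side tools that only "process" it. A privileged service read like `fetch_as_service` is fine internally, but anything that turns it into output for a user must first ask the question the viewer asks.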
Google Affiliate Network – Stored XSS + Administrator Priv!
What is Google Affiliate Network??
Google Affiliate Network is a free program that makes it easy for website publishers to connect with quality advertisers and get rewarded for driving conversions.
• Discover high-performing advertisers
• Save time with a speedy and intuitive interface
• Track conversions and access real-time reporting
• Enjoy local payments via your AdSense account
• VIP and Rising Star status for top publishers

The goals:
1. XSS an account.
2. Gaining administrator privilege.

First attack: ConnectCommerce -> Performics -> DoubleClick -> Google
Manipulating parameters on the connectcommerce.com domain in order to inject an XSS payload on the google.com domain.
PoC: Stored XSS from the google.com domain

Second attack?? Manipulate, gaining administrator privilege on any Google Affiliate account.
Manipulate the UserID and Email fields.

Game Over – 3133.7$!!!!!
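The second Affiliate Network attack ("manipulate the UserID and Email fields") is the classic pattern of a profile-update handler that lets the request body name the target account and copies every submitted field onto it. The example below is added here and is not the authors' or Google's code; the account model, the `Session` object and the field names are constructed. It shows that handler beside one that takes the acting identity from the authenticated session and allow-lists the fields a profile form may change.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Account:
    user_id: str
    email: str
    role: str = "publisher"      # "publisher" or "admin"
    display_name: str = ""


@dataclass
class Session:
    user_id: str                 # set by the login flow, never by the client


# The only attributes a user may change about their own account via the form.
EDITABLE_FIELDS = frozenset({"email", "display_name"})

# Constructed attacker request: names someone else's account and smuggles a
# role change alongside an email change (which would also capture resets).
ATTACK_FORM = {"user_id": "1001", "email": "mallory@evil.example", "role": "admin"}


def update_profile_unsafe(accounts: Dict[str, Account], session: Session,
                          form: Dict[str, str]) -> Account:
    """Anti-pattern: the target comes from the form and every field is copied
    onto the model (mass assignment), so ownership and privilege are writable."""
    target = accounts[form["user_id"]]
    for key, value in form.items():
        if key != "user_id" and hasattr(target, key):
            setattr(target, key, value)
    return target


def update_profile_safe(accounts: Dict[str, Account], session: Session,
                        form: Dict[str, str]) -> Account:
    """Identity from the session, fields from an allow-list. Unexpected keys are
    rejected rather than silently dropped: they are a tampering signal worth
    logging, and dropping them hides the probe."""
    unexpected = set(form) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected profile fields: {sorted(unexpected)}")
    target = accounts[session.user_id]
    for key, value in form.items():
        setattr(target, key, value)
    return target


def rejected(accounts: Dict[str, Account], session: Session, form: Dict[str, str]) -> bool:
    """True when the hardened handler refuses the submitted form."""
    try:
        update_profile_safe(accounts, session, form)
    except ValueError:
        return True
    return False


def build_sample_accounts() -> Dict[str, Account]:
    """Constructed sample data: a victim publisher and the attacker's own account."""
    return {
        "1001": Account("1001", "alice@example.com"),
        "2002": Account("2002", "mallory@example.com"),
    }
```

Role and ownership changes belong in a separate, privileged administrative endpoint with its own authorization check; they should never be reachable through the same code path as "edit my email". Email changes on the hardened path would in practice also require re-verification of the new address, which is omitted here to keep the contrast visible.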
Google Picnik – Local File Inclusion
Picnik.com seems to be secure. So what is the way to crack the lock?
1. Execute a brute force of files and directories
2. Execute a subdomain brute force attack
3. Port scanning

Treasure found!!!!!! Result: subdomain vpn.picnik.com
Picnik WhoIs vpn: which server vpn.picnik.com is hosted on

• So what was the story of vpn.picnik?
• Someone installed by mistake an older version of phpList on the Picnik vpn subdomain
• No way!!! With the default password :) ?

What is phpList??? phpList is an open source email application & suffers from well known vulnerabilities.

A file inclusion vulnerability that allowed me to get a shell, with a leet bounty of $3133.7.

Game Over
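The Picnik finding ends in a local file inclusion in a forgotten phpList install, where a request parameter picks the file the application loads. The example below is added here and is not the authors', Picnik's or phpList's code; the include directory, page names and helper functions are constructed. It shows the path resolution that allows traversal beside a hardened version with two independent layers: an allow-list of page names and a canonical-path containment check.

```python
import os
from typing import FrozenSet

# Constructed layout: the application's include directory and the pages it
# legitimately serves. Neither path needs to exist on disk; the checks are
# about how the path resolves, not whether the file is present.
BASE_DIR = "/var/www/app/pages"
ALLOWED_PAGES: FrozenSet[str] = frozenset({"home", "login", "unsubscribe"})


def resolve_include_unsafe(page: str) -> str:
    """Anti-pattern: the request parameter is joined onto the base directory
    and used as-is. '..' segments walk out of BASE_DIR, and os.path.join
    discards BASE_DIR entirely when the parameter is an absolute path."""
    return os.path.normpath(os.path.join(BASE_DIR, page))


def resolve_include_safe(page: str) -> str:
    """Layer 1: the request may only choose among known page names.
    Layer 2: canonicalise and verify the result is still inside BASE_DIR, so a
    future allow-list mistake (or a symlink) cannot escape the directory."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page {page!r}")
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes include directory: {candidate}")
    return candidate


def escapes_base(resolved: str) -> bool:
    """True when an already-resolved path lies outside BASE_DIR; the same test
    can be run over access logs to spot traversal attempts after the fact."""
    base = os.path.realpath(BASE_DIR)
    try:
        return os.path.commonpath([base, os.path.realpath(resolved)]) != base
    except ValueError:           # mixed drives on Windows: treat as outside
        return True


def classify(page: str) -> str:
    """Summarise the hardened resolver's decision for a request parameter."""
    try:
        return "allowed:" + os.path.basename(resolve_include_safe(page))
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for param in ("login", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{param!r:28} unsafe={resolve_include_unsafe(param)!r:24} safe={classify(param)}")
```

The allow-list is the real control: a page selector should never be a free-form path at all. The containment check is defence in depth for the day someone extends the code to load files by name again, and `escapes_base` doubles as a detection rule over logged request values.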
Summary
• Out-of-the-box (Hack-In-The-Box) thinking
• Think different
• Information gathering
• Mixed services
• Permissions

References
• http://www.nirgoldshlager.com/2011/03/blogger-get-administrator-privilege-on.html – Blogger admin privileges bypass
• http://www.google.com/about/company/rewardprogram.html – Google Reward program
• http://www.google.com/about/company/halloffame.html – Google Hall of Fame
• http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web – Michael Coates – Bug Bounty Programs for the Web – OWASP 2011

One more: maybe it's not a good idea to follow our blogs
Okay okay, one more: Blogger video… HPP Attack

Join us tonight at the Hack-In-The-Empire event
For invites: RSVP@zimperium.com, Subject: HITE Invite

Thank you!
Itzhak "Zuk" Avraham – @IHackBanMe
Nir Goldshlager – @NirGoldshlager