HES 2012 - Killing a Bug Bounty Program by Itzhak Zuk Avraham & Nir Goldshlager
Hackito Ergo Sum 2012

Hackito Ergo Sum: Killing a bounty program
By: Itzhak (Zuk) Avraham; Nir Goldshlager

# whoami | presentation
Itzhak Avraham (Zuk), Founder & CEO
Twitter: @ihackbanme
Blog: http://imthezuk.blogspot.com
zuk @ zimperium.com
# root

# whoami | presentation
Nir Goldshlager, Senior Web Applications Researcher
Twitter: @nirgoldshlager
Blog: http://nirgoldshlager.com
# root
Reasons for bug bounty
• Money
• Fame
• Okay, mostly fame, they don't pay much :P

Bug bounty programs
• 1995 – Netscape
• 2004 – Firefox
• 2005 – ZDI
• 2007 – Pwn2Own
• 2010 – Google
• 2011 – Facebook
Know your enemy
• Nope. Your enemies might be:
  • Masato Kinugawa
  • Neal Poole
  • Nils Juenemann
  • Szymon Gruszecki
  • Wladimir Palant
  • …
  • ???
  • TIME!
Learn your target: overview
• Spy on their blogs
  • New bugs – new ideas to detect different vulnerabilities.
• Learn the company
  • Unchecked services
  • Successful acquisitions
  • Untested / less secured web applications
• Multi vector
  • Unknown vectors / logical techniques
  • Repetition of weak spots

Google overview
• Learn the company
  • Successful acquisitions: http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google
    • More than 1 acquisition per week since 2010!
  • New services – Knol (???), Friends Connect
  • Subdomains
  • Learn all the functions of the application you are going to test
• Multi vector
  • Unknown vectors / logical techniques
  • Repetition of weak spots

Google overview
• Approach
  • Logical / mixed issues
XSS for fun and … profit?
• XSS is not just for account hijacking
• Trusted website, runs malicious JavaScript…
  • Client-side exploit, anyone?
Google overview
• Convention
  • Calendar: google.com/calendar
  • Friends Connect: google.com/friendconnect
  • Knol: google.com/knol
  • Analytics: google.com/analytics
  • Blogger: google.com/blogger

Google Support overview
• Convention
  • Knol: google.com/knol – no support.google.com equivalent
  • Friends Connect: support.google.com/friendconnect
  • Calendar: support.google.com/calendar
  • Analytics: support.google.com/analytics
  • Blogger: support.google.com/blogger
  • AdMob: support.google.com/admob
Google Calendar stored XSS

Stored XSS (error based)
• Calendar name field is vulnerable

Google Calendar, error based
• On delete of the calendar, XSS popped out.
• We need to find a way to trigger it for REMOTE users.
• How can one see our calendar name?

Google Calendar, error based
• Let's share our malicious calendar with the target (!!)
• Approval is not needed for sharing calendars
• Ohh hello.

Google Calendar, error based
• The user must delete his calendar.
• Let's FORCE our target to DELETE!
• Calendar SPAM!!!
• Let's share again. And again. And again …
• No sharing limit
• User gets an email for each share

Google Calendar, error based
• After calendar delete:
  • Achievement Unlocked.
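The sharing flow the Calendar slides abuse (no approval step, no share limit, one email per share), as an added example in JavaScript that is not code from the talk or from Google Calendar: a minimal share service with the weak behaviour beside a hardened version that keeps a share pending until the recipient accepts it, collapses repeated shares of the same calendar into one notification, and caps shares per sender and recipient inside a time window. The state layout, the cap of 3 and the 24-hour window are assumed values chosen for illustration, and spamDemo replays the "share again, and again" loop against both versions.

```javascript
// Added example (not from the talk or Google): calendar sharing with and
// without the abuse controls the slides show to be missing.
// Limits and data layout below are assumed for illustration.

const SHARE_LIMIT_PER_PAIR = 3;          // assumed: shares one sender may push to one recipient per window
const WINDOW_MS = 24 * 60 * 60 * 1000;   // assumed: 24-hour window

function createState() {
  return { shares: [], outbox: [] };     // outbox stands in for the notification mailer
}

// Weak version: every share is immediately visible in the recipient's
// calendar list and triggers an email, with no cap on repeats.
function shareVulnerable(state, sender, recipient, calendarName, now) {
  state.shares.push({ sender, recipient, calendarName, accepted: true, at: now });
  state.outbox.push({ to: recipient, subject: `${sender} shared a calendar with you` });
  return { ok: true };
}

// Hardened version: pending until accepted, one notification per calendar,
// and a per-(sender, recipient) cap inside the window.
function shareSafe(state, sender, recipient, calendarName, now) {
  const recent = state.shares.filter(
    (s) => s.sender === sender && s.recipient === recipient && now - s.at < WINDOW_MS
  );
  if (recent.some((s) => s.calendarName === calendarName)) {
    return { ok: false, reason: 'duplicate' };      // already pending or accepted: no new mail
  }
  if (recent.length >= SHARE_LIMIT_PER_PAIR) {
    return { ok: false, reason: 'rate-limited' };
  }
  state.shares.push({ sender, recipient, calendarName, accepted: false, at: now });
  state.outbox.push({ to: recipient, subject: `${sender} wants to share a calendar with you` });
  return { ok: true };
}

// The recipient opts in; nothing the sender does can make the calendar appear otherwise.
function acceptShare(state, recipient, sender, calendarName) {
  const share = state.shares.find(
    (s) => s.recipient === recipient && s.sender === sender &&
           s.calendarName === calendarName && !s.accepted
  );
  if (!share) return false;
  share.accepted = true;
  return true;
}

// Calendars that actually show up in the recipient's list, i.e. whose names the
// recipient's client will render (for instance on delete).
function visibleCalendars(state, recipient) {
  return state.shares
    .filter((s) => s.recipient === recipient && s.accepted)
    .map((s) => s.calendarName);
}

// Replays the "share again, and again" loop from the slides against one version.
function spamDemo(shareFn, attempts) {
  const state = createState();
  const results = [];
  for (let i = 0; i < attempts; i++) {
    results.push(shareFn(state, 'attacker', 'victim', 'Evil calendar', 1000 + i));
  }
  return {
    accepted: results.filter((r) => r.ok).length,
    emails: state.outbox.length,
    visible: visibleCalendars(state, 'victim').length,
    state,
  };
}
```

With the hardened version the attacker's calendar never reaches the victim's list unless the victim accepts it, so a delete-time rendering bug never sees the name; the pending state also caps the email volume, which is the spam half of the slide.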
Google FeedBurner stored XSS

Google FeedBurner unsubscribe XSS
• 1. Victim subscribes to a malicious FeedBurner feed
  • Well, it doesn't have to be malicious
• Feed title is vulnerable
• When the victim decides to unsubscribe from the malicious feed, a stored XSS runs on his client.

Google FeedBurner unsubscribe XSS
• 2 methods to exploit this scenario:
  1. Send a malicious unsubscribe link (no permission needed)
  2. Victim subscribes to, then unsubscribes from, the malicious feed.
• User unsubscribes – achievement unlocked
Google FriendConnect, error based
• Meet your new best friend:
• The target approved our request.
• Now, let's force him to delete us, but not before we change our name to:
  • AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA …"><XSS Payload>
• After user delete:
  • Achievement Unlocked.
Google Analytics – stored XSS

Google Analytics
• In-Page Analytics doesn't escape incoming requests:
  • Meaning, an attacker can send XSS to the administrator by sending a URL

Google Analytics
• Let's exploit this vulnerability in 2 creative ways:
  • In-Page Analytics – when the administrator logs in, boom.
  • Sharing – infect ourselves and share our Analytics with the victim (the link would point directly to In-Page Analytics)

Google Analytics
• Let's wait for our administrator to log in
  • Achievement unlocked, we can run JS on any web administrator using Analytics

Google Analytics
• Second method: sharing our Analytics with the victim
• We will add the victim with read-only permission and submit the link for the google.com/analytics account with our ID
• Achievement unlocked
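The bug shared by the Calendar, FeedBurner and FriendConnect slides is output encoding that is applied on the normal rendering path but forgotten on an error or confirmation path (delete, unsubscribe, remove friend), and the Analytics slides show the same mistake on request paths rendered into an administrator's report. As an added example in JavaScript, not code from the talk or from Google, here is a rendering function for a removal page with the error branch unescaped beside the fixed version, plus a top-pages report built from constructed request paths; the field limit of 32, the page markup and the sample paths are assumptions for illustration.

```javascript
// Added example (not from the talk or Google): the "error based" stored XSS
// pattern behind the Calendar, FeedBurner and FriendConnect slides, and the
// unescaped request-path rendering behind the Analytics slides.
// Page structure, field limits and sample data are assumed for illustration.

const MAX_NAME_LENGTH = 32;   // assumed limit that pushes a long name onto the error path

// Escapes the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the success path goes through escaping, but the error branch,
// written by hand, concatenates the stored name into markup. Names that pass
// validation are rendered safely; a name that forces the error branch is not.
function renderRemovalVulnerable(item) {
  if (item.name.length > MAX_NAME_LENGTH) {
    return `<div class="error">Could not remove <input name="item" value="${item.name}"> ` +
           `(name too long: ${item.name})</div>`;
  }
  return `<div class="ok">Removed ${escapeHtml(item.name)}</div>`;
}

// Fixed: escape on every output path, including errors, for the context used.
function renderRemovalSafe(item) {
  const safeName = escapeHtml(item.name);
  if (item.name.length > MAX_NAME_LENGTH) {
    return `<div class="error">Could not remove <input name="item" value="${safeName}"> ` +
           `(name too long: ${safeName})</div>`;
  }
  return `<div class="ok">Removed ${safeName}</div>`;
}

// Constructed request paths as an analytics backend would store them; the last
// one came from an attacker who only had to request a URL from the tracked site.
const SAMPLE_REQUEST_PATHS = [
  '/index.html',
  '/index.html',
  '/about',
  '/search?q=<script>alert(document.cookie)</script>',
];

// Counts hits per path, most frequent first (ties broken by path for determinism).
function topPages(paths) {
  const counts = new Map();
  for (const p of paths) counts.set(p, (counts.get(p) || 0) + 1);
  return [...counts.entries()].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

// Vulnerable: the report shown to the site administrator echoes the raw path.
function renderTopPagesVulnerable(paths) {
  const rows = topPages(paths).map(([p, n]) => `<tr><td>${p}</td><td>${n}</td></tr>`);
  return `<table>${rows.join('')}</table>`;
}

// Fixed: the path is attacker-controlled data and is escaped like any other.
function renderTopPagesSafe(paths) {
  const rows = topPages(paths).map(([p, n]) => `<tr><td>${escapeHtml(p)}</td><td>${n}</td></tr>`);
  return `<table>${rows.join('')}</table>`;
}

// Test aid: does the rendered HTML still contain an opening tag of this name?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// The FriendConnect-style name: padding past the limit, then an attribute breakout.
const LONG_NAME_PAYLOAD = 'A'.repeat(MAX_NAME_LENGTH + 8) + '"><img src=x onerror=alert(1)>';
```

containsLiveTag is only a convenience for checking the two outputs; what matters is whether the attribute or text node can be left, and escapeHtml prevents that by converting the quote and the angle brackets. Padding the name with A's to exceed a limit, as on the FriendConnect slide, is exactly what forces renderRemovalVulnerable onto its hand-written error branch.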
Permission bypass – Google Knol

Permission bypass
• Unpublished document
• This document isn't accessible via URL
• We don't have permission to view the document
• Knol Translate does, so let's use the service to show us what we want and cannot access
• Private document accessed using the translate service.
• Achievement unlocked
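The Knol bypass is a confused-deputy problem: the translate feature reads the document with its own access, then hands the result to a user who could not read it directly. As an added example in JavaScript, not code from the talk or from Google Knol, here is a document store with a simple owner/published rule, a direct view endpoint that enforces it, and a translate endpoint shown first using the service's own privileges and then fixed to authorize as the requester. The store contents, the ACL rule and the toy translator are assumptions for illustration.

```javascript
// Added example (not from the talk or Google Knol): a translate feature that
// reads documents with its own privileged access and so becomes a confused
// deputy, beside a version that authorizes as the requesting user first.
// The document store, ACL rule and toy translator are assumed for illustration.

// Constructed store: one published and one unpublished document.
const DOCUMENTS = new Map([
  ['doc-1', { owner: 'alice', published: true,  body: 'A public article' }],
  ['doc-2', { owner: 'alice', published: false, body: 'An unpublished draft' }],
]);

// Assumed rule: published documents are public, drafts are visible only to the owner.
function canRead(user, doc) {
  return doc.published || doc.owner === user;
}

// The ordinary view endpoint enforces the rule, so the draft is not reachable by URL.
function viewDocument(user, id) {
  const doc = DOCUMENTS.get(id);
  if (!doc) return { status: 404 };
  if (!canRead(user, doc)) return { status: 403 };
  return { status: 200, body: doc.body };
}

// Stand-in for the real translation backend so the example runs offline.
function translateText(text, lang) {
  return `[${lang}] ${text}`;
}

// Vulnerable: the service fetches the document itself, bypassing viewDocument,
// and never asks whether the *caller* may read it. Anyone who knows (or can
// enumerate) an ID gets the draft back, translated.
function translateDocumentVulnerable(user, id, lang) {
  const doc = DOCUMENTS.get(id);
  if (!doc) return { status: 404 };
  return { status: 200, body: translateText(doc.body, lang) };
}

// Fixed: route the read through the same authorization as direct viewing, on
// behalf of the requester. The service's own privileges never decide what the
// user may see, and the error codes match the direct endpoint so the helper
// does not even reveal whether a private ID exists.
function translateDocumentSafe(user, id, lang) {
  const direct = viewDocument(user, id);
  if (direct.status !== 200) return direct;
  return { status: 200, body: translateText(direct.body, lang) };
}
```

The same shape applies to any helper that takes an object identifier from the user (preview, export, print, share-by-mail): it has to carry the caller's identity into the permission check rather than its own.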
Permission bypass
• Blogger
Summary
• Think different
• Information gathering
• Mixed services
• Permissions

Reference
• http://www.nirgoldshlager.com/2011/03/blogger-get-administrator-privilege-on.html – Blogger admin privileges bypass
• http://www.google.com/about/company/rewardprogram.html – Google Reward program
• http://www.google.com/about/company/halloffame.html – Google Hall of Fame
• http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web – Michael Coates – Bug Bounty Program – OWASP 2011

Thank you!
Itzhak "Zuk" Avraham – @ihackbanme
Nir Goldshlager – @nirgoldshlager
