Successfully reported this slideshow.

Bug-hunter's Sorrow



Upcoming SlideShare
Beyond xss
Beyond xss
Loading in …3
1 of 59
1 of 59

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Bug-hunter's Sorrow

  1. 1. Bug-hunter's Sorrow Masato Kinugawa
  2. 2. Introduction Masato Kinugawa Lonely bug hunter Only XSS is my friend.
  3. 3. Daily job Office Home Duty Up to my motivation Job Looking for security bugs Income Bug Bounty ➡Is it enough for living?
  4. 4. Last year Income
  5. 5. Last year Income 41050707 Yen 💰
  6. 6. Last year Income 41050707 Yen (Octal notation) 💰
  7. 7. Good story is that all!
  8. 8. Topics 1st half Story of blocked internet 2nd half Sorrow of bug
  9. 9. Story of blocked internet
  10. 10. Summary Looking for XSS on Benesse My home internet was blocked twists and turns ➡Why did I look for XSS on Benesse?
  11. 11. In summer 2013 I found a possibility of DOM based XSS using U+2028/2029 u2029.domxss.html Used to be a problem in easy regex Details on my Blog:U+2028/2029とDOM based XSS Looking for the impact I think many people have same situation
  12. 12. How to test ❶ Added U+2028 and text that may cause DOM based XSS after # in URL. ❷ Check the strange error happens http://host/#[U+2028]'"><svg/onload=alert(1)>
  13. 13. then I found ordinary DOM based XSS on Benesse site."><svg/onload=alert(1)> function writeAccesskeyForm(){ var htm = ''; var ownURI = location.href; //... htm+= '<input type="hidden" name="backurl" value="' + ownURI + '">'; //... document.write(htm); } writeAccesskeyForm();
  14. 14. after that 2013/08/05 Report 2013/08/06 Response "Thank you very much for your bug report of "Benesse Manabision". we will check the fact as soon as possible and proceed the correspondence. Thank you so much again for your cooperation." 2013/end of Aug. confirmed the fix.
  15. 15. After this response I feel their appreciation to the bug report and their attitude to fix it. Let's find more and report to them! It is a start of XSS-Nightmare…
  16. 16. found Easy to find regular Reflected XSS. We received the 3 of new XSS vulnerability from you. Thank you very much. At this time, we will check the facts, and we will proceed the intensive measures. Following the last time, we would very much appreciate your valuable pointed-out. We would like thank you over and over again. 2013/08/28 Report 2013/08/30 Response
  17. 17. Same time Suddenly I became not to access to I can access to it after changing IP. Investigate further ➡Access denied because of my testing requests?
  18. 18. There will be such a thing (with bug report)I added a comment: ".. maybe blocked due to my testing requests... Best regards" On a later date Thank you for pointing-out that our fix is uncompleted. After the investigation, we will proceed the correspondence. Thank you very much. ➡They are ignoring my comment... I think they understood what I mentioned.
  19. 19. continue to report Reported many time that the fix is incomplete. Access denied at every confirmation testing... Repeat testing by changing IP
  20. 20. And 2013/9/7 Evening, Incident happened!
  21. 21. What happened?! At first I thought it was a trouble or a failure of equipment but it was not I found a warning email from service provider Detect suspicious access from your network, check your PC if infected by virus or generating unauthorized access?
  22. 22. Suspicious Access I can just make sense of it. Checked vulnerability before and after warning mail. reported: Google, excite, Benesse (I mean, my daily activities (only access history) are all suspicious!!) ➡Never reported site of Benesse is access denied, I considered it is doubtful.
  23. 23. Contortion Thank you very much for your point-out. We will check your email received on 6th and 7th Sep. We will proceed with intensive measures. We would like thank you over and over again for your very valuable report. 9th Sep. In the reply thanks as usual:
  24. 24. Letter from @nifty with a Pledge letter "Do not attack" Wait wait, it's misunderstanding…
  25. 25. Call to Benesse/@nifty Both "We can not answer for a security reason!" Me "I'm in trouble, my home internet was stopped. I want to check the facts."
  26. 26. It is no use!! Got a WiMAX mobile wifi router as I can’t do a stroke of work Using tethering, I wrote a blog as a last hope I'm giving up... At that time the Messiah appears... Disconnected from Internet maybe because of XSS
  27. 27. The Tokumaru !
  28. 28. Received DM I read your blog. I am contacting to Benesse about it. Could you let me know your E-mail address? Oh God!
  29. 29. afterwards Benesse entrusted the operation of intrusion detection system to a security company who block the network and/or contact ISP when detecting attacks. hmmm
  30. 30. afterwards In the flow, it seems detected by IPS(Intrusion Prevention System) ➡ Monitoring by security company ➡ contact to ISP ➡ blocked by ISP I see!
  31. 31. afterwards After some exchanges, I was told Benesse can contact to ISP. If you send them your IP address at the reporting time, they will match it. Sure. Do I have records?...
  32. 32. Yes Daily, I tested browser behavior in my domain (, I have my IP access logs on a daily basis! 28th Aug.: XX.X.XX.2 29th Aug.: XX.X.XX.25 30th Aug.: XX.X.XX.195 31st Aug.: XX.X.XX.14 01st Sep.: XX.X.XX.14 .... like this:
  33. 33. After reporting IP I heard they did "withdrawal of the unauthorized access information" and "request for block release" to ISP. It leaves a decision up to ISP now. Thank God...
  34. 34. Finally Tears of gratitude 13th Sep. evening(About 1 week from being blocked), Internet is back!
  35. 35. Re-Acknowledgment It would be difficult for me to explain the situation to companies without Mr. Tokumaru's cooperation. Thank you so much again!! ※ this is not "Mimirin"
  36. 36. God Tokumaru's books are on sale! 4822279987/ 4797361190/ Buy now!!
  37. 37. I felt through the problem I wonder inside of big company is complicated... I felt through the problem I can imagine that information leak occurs...
  38. 38. Not others problem I send you a link that make you XSS-like request to Benesse site. http://manabi.beness・・・/?<script>alert(1)</script> Site will become unavailable. In worst case, Internet block?! When you access ※ can not link because it's so dangerous
  39. 39. Mistake of IDS company They do not scrutinize attack or not They do not understand property of attack I want to question the effectiveness to block IP in order to address XSS. I can Yet understand if they stop all access. In this case, need the collation of log and reporting The cause is similar to remotely control PC incident? ➡To give a help to fix XSS's fundamental problem. I believe it is the only way to eradicate XSS.
  40. 40. Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change
  41. 41. Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change ◆Internet Block!!
  42. 42. Lessons learned: The world Things that should not be poked
  43. 43. Recently blocked again! Non-payment of charge (not completed payment transaction by misunderstanding)
  44. 44. World is harsh ...
  45. 45. Sorrow of bug
  46. 46. After Internet resume If telling IP address in advance, Benesse allows my testing. Reported nearly 100 vulns (All were fixed in the short period of time. This attitude is really great.) As a consequence ➡ explain 2 cases out of it!
  47. 47. DOM based XSS ❶ jQuery("#nav-pw li a,") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); });
  48. 48. DOM based XSS ❶ To run the event at the time of clicking a special link jQuery("#nav-pw li a,") .bind("click touchstart", function(event){ ...
  49. 49. Specific link <div id="nav-pw"> <ul> <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt=" はじめてログインするかたへ"></a></li> <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt=" パスワードを変更(へんこう)したい"></a></li> <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt=" パスワードを忘(わす)れたので再発行(さいはっこう)したい ... jQuery("#nav-pw li a,") All links to #
  50. 50. Based on this jQuery("#nav-pw li a,") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); look it again carefully
  51. 51. Based on this jQuery("#nav-pw li a,") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); can change hash in 0.5 sec! look it again carefully
  52. 52. Current source hash = location.hash; // 2013.10.4 fix XSS if(hash == "#first-login"|| hash == "#passmodif" || hash == "#passlost") { }else { hash = ""; } if (hash != "" && jQuery(hash).length) { ... tabs.js from !
  53. 53. DOM based XSS ❷ <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> Make a path from parameter 'result' → Extract page response from that URL.
  54. 54. DOM based XSS ❷ The path is limited within the same domain, safe? <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> contents/oyashindan/answer.html?
  55. 55. No! Uploadable user avatar image host in the same domain. If you write <script>.... in the image comment area, it will upload directly.
  56. 56. In this way /vulnpage?result=/../../../../uploads/profile/icon.jpg%23 $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); ➡Export image binary in to page
  57. 57. DEMO
  58. 58. Conclusion I will continue finding bugs by trying not to bother anyone. Thank you very much (Yoroshiku!)
  59. 59. @kinugawamasato masatokinugawa [at] Thanks! 💰💰💰