Bug-hunter's Sorrow

Masato Kinugawa
Introduction
Masato Kinugawa
Lonely bug hunter
Only XSS is my friend.
Daily job
Office: Home
Duty: Up to my motivation
Job: Looking for security bugs
Income: Bug Bounty
➡ Is it enough to live on?
Last year Income
41050707 Yen (Octal notation) 💰
That's all of the good story!
Topics
1st half: Story of blocked internet
2nd half: Sorrow of bug
Story of blocked internet
Summary
Looking for XSS on Benesse
My home internet was blocked
Twists and turns
➡ Why did I look for XSS on Benesse?
In summer 2013
I found a possibility of DOM based XSS using U+2028/2029
http://masatokinugawa.l0.cm/2013/09/u2028u2029.domxss.html
It used to be a problem in simple regexes
Details on my blog: U+2028/2029とDOM based XSS (U+2028/2029 and DOM based XSS)
Looking for the impact
I think many people have the same situation
How to test
❶ Add U+2028 and text that may cause DOM based XSS after # in the URL.
❷ Check whether a strange error happens.
http://host/#[U+2028]'"><svg/onload=alert(1)>
then
I found ordinary DOM based XSS on a Benesse site.
https://web.archive.org/web/20130723155109/http://manabi.benesse.ne.jp/#"><svg/onload=alert(1)>
    function writeAccesskeyForm(){
        var htm = '';
        var ownURI = location.href;   // includes the # fragment, which anyone can set in a link
        //...
        // ownURI is concatenated into an attribute value without HTML escaping
        htm += '<input type="hidden" name="backurl" value="' + ownURI + '">';
        //...
        document.write(htm);          // the fragment's '"><svg ...' closes the attribute and the tag
    }
    writeAccesskeyForm();
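The snippet above concatenates location.href into an attribute value without escaping. The following is an added example, not the slides' or the site's code: it puts that pattern next to the tempting regex "fix" that strips the fragment before embedding it (which fails on U+2028, the "easy regex" problem the U+2028/2029 test on the earlier slide looks for), and next to the hardened form that HTML-escapes the value. The function names, the breaksOut() check and the sample URLs are assumptions; the payload is the one shown on the slide.

```javascript
// Added example (not from the slides or the site). Three ways of building the
// hidden "backurl" input that writeAccesskeyForm() builds from location.href.
// Function names, the breaksOut() check and the sample URLs are assumptions.

// 1. As on the slide: the URL goes into the attribute value unmodified.
function backurlVulnerable(ownURI) {
  return '<input type="hidden" name="backurl" value="' + ownURI + '">';
}

// 2. A tempting "fix": strip the fragment with a regex before embedding it.
//    In JavaScript "." does not match the line terminators U+2028/U+2029
//    (only the "s" flag or a class like [\s\S] does), so everything after a
//    U+2028 survives the replace. This is the "easy regex" problem the
//    U+2028/2029 test on the earlier slide is designed to find.
function backurlRegexStrip(ownURI) {
  var stripped = ownURI.replace(/#.*/, "");
  return '<input type="hidden" name="backurl" value="' + stripped + '">';
}

// 3. Hardened: escape every character that can end a double-quoted attribute
//    value or start a tag, whatever the URL contains. Stripping the fragment
//    is then optional; the escaping is what closes the bug.
var ATTR_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, function (c) { return ATTR_ESCAPES[c]; });
}
function backurlEscaped(ownURI) {
  return '<input type="hidden" name="backurl" value="' + escapeHtmlAttr(ownURI) + '">';
}

// Defender's check on the generated markup: the attribute value must not have
// produced a second tag. (A cheap test for this example, not an HTML parser.)
function breaksOut(html) {
  return (html.match(/<[a-z]/gi) || []).length > 1;
}

// Constructed sample URLs; the payload is the one shown on the slide.
var withFragment = 'http://host/#"><svg/onload=alert(1)>';
var withU2028 = "http://host/#\u2028" + '"><svg/onload=alert(1)>';

function compare() {
  return {
    vulnerable: breaksOut(backurlVulnerable(withFragment)),          // true
    regexPlainFragment: breaksOut(backurlRegexStrip(withFragment)),  // false: the regex "fix" works here...
    regexU2028: breaksOut(backurlRegexStrip(withU2028)),             // true: ...but not past a U+2028
    escaped: breaksOut(backurlEscaped(withU2028))                    // false
  };
}

console.log(compare());
```

The point of the middle variant is that the regex is not "wrong" for ordinary input, which is why it survives review; only an input containing a line terminator shows the gap. Output encoding at the sink does not depend on what the input looks like.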
after that
2013/08/05 Report
2013/08/06 Response:
"Thank you very much for your bug report on "Benesse Manabision". We will check the facts as soon as possible and proceed with the correspondence. Thank you so much again for your cooperation."
2013/end of Aug.: confirmed the fix.
After this response
I felt their appreciation for the bug report and their commitment to fixing it.
Let's find more and report them!
It was the start of the XSS-Nightmare…
found
Easy to find regular Reflected XSS.
2013/08/28 Report
2013/08/30 Response:
"We received the 3 new XSS vulnerabilities from you. Thank you very much. At this time, we will check the facts, and we will proceed with the intensive measures. Following the last time, we would very much appreciate your valuable pointing-out. We would like to thank you over and over again."
Same time
Suddenly I could not access manabi.benesse.ne.jp.
I could access it again after changing my IP address.
Investigate further
➡ Access denied because of my testing requests?
Such things happen
(With the bug report) I added a comment:
".. maybe blocked due to my testing requests... Best regards"
On a later date:
"Thank you for pointing out that our fix is incomplete. After the investigation, we will proceed with the correspondence. Thank you very much."
➡ They are ignoring my comment...
I think they understood what I mentioned.
continue to report
Reported many times that the fix was incomplete.
Access denied at every confirmation test...
Repeated testing by changing IP address
And
2013/9/7 Evening, Incident happened!
What happened?!
At first I thought it was a trouble or an equipment failure,
but it was not.
I found a warning email from my service provider:
"Suspicious access detected from your network. Check whether your PC is infected by a virus or generating unauthorized access."
Suspicious Access
I could just about make sense of it.
I had checked vulnerabilities before and after the warning mail.
Reported to: Google, excite, Benesse
(I mean, judged by access history alone, my daily activities are all suspicious!!)
➡ Benesse was the only reported site that had denied my access, so I considered it the suspect.
Contortion
9th Sep. In the reply, thanks as usual:
"Thank you very much for your pointing-out. We will check your emails received on 6th and 7th Sep. We will proceed with intensive measures. We would like to thank you over and over again for your very valuable report."
Letter from @nifty
with a pledge letter: "Do not attack"
Wait wait, it's a misunderstanding…
Call to Benesse/@nifty
Both: "We cannot answer, for security reasons!"
Me: "I'm in trouble, my home internet has been stopped. I want to check the facts."
It is no use!!
Got a WiMAX mobile wifi router, as I couldn't do a stroke of work
Using tethering, I wrote a blog post as a last hope
I'm giving up...
At that time the Messiah appears...
http://masatokinugawa.l0.cm/2013/09/xss.benesse.html
"Disconnected from the Internet, maybe because of XSS"
The Tokumaru!
Received DM:
"I read your blog. I am contacting Benesse about it. Could you let me know your e-mail address?"
Oh God!
afterwards
Benesse had entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks.
hmmm
afterwards
The flow seems to have been:
➡ detected by IPS (Intrusion Prevention System)
➡ monitoring by the security company
➡ contact to the ISP
➡ blocked by the ISP
I see!
afterwards
After some exchanges, I was told Benesse can contact the ISP.
If you send them your IP address at the reporting time, they will match it.
Sure. Do I have records?...
Yes
Daily, I tested browser behavior on my own domain (vulnerabledoma.in),
so I have my IP address in its access logs on a daily basis!
Like this:
28th Aug.: XX.X.XX.2
29th Aug.: XX.X.XX.25
30th Aug.: XX.X.XX.195
31st Aug.: XX.X.XX.14
01st Sep.: XX.X.XX.14
....
After reporting the IP addresses
I heard they made a "withdrawal of the unauthorized access information" and a "request for block release" to the ISP. It leaves the decision up to the ISP now.
Thank God...
Finally
Tears of gratitude
13th Sep. evening (about 1 week after being blocked),
the Internet is back!
Re-Acknowledgment
It would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation.
Thank you so much again!!
※ this is not "Mimirin"
God Tokumaru's books are on sale!
http://www.amazon.co.jp/dp/4822279987/
http://www.amazon.co.jp/dp/4797361190/
Buy now!!
What I felt through the problem
I wonder whether the inside of a big company is complicated...
I can imagine that information leaks occur...
Not someone else's problem
Say I send you a link that makes you send an XSS-like request to the Benesse site:
http://manabi.beness・・・/?<script>alert(1)</script>
When you access it, the site will become unavailable.
In the worst case, an Internet block?!
※ cannot link it because it's so dangerous
Mistake of the IDS company
They do not scrutinize whether it is an attack or not.
They do not understand the nature of the attack.
I want to question the effectiveness of blocking an IP address in order to address XSS.
I could still understand it if they stopped all access.
In this case, collation of logs and reports is needed.
Is the cause similar to the remote-controlled PC incident?
➡ Helping to fix the fundamental problem of XSS: I believe it is the only way to eradicate XSS.
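The slides argue that an IPS hit on an XSS-looking request should be collated with the logs and the reporter's information rather than turned straight into an IP block at the ISP. The following is an added example, not the slides' or any vendor's code: a small triage routine over constructed access-log lines that matches hits against the IP/date pairs a reporter supplies (the collation the later slides describe), separates them from hits that arrived via a link on another site, and lists the endpoints that need the actual fix. The log format, the sample lines, the signature regex, the verdict names and the ownHost parameter are assumptions.

```javascript
// Added example (not from the slides or any vendor). Triage of IPS hits on
// XSS-looking requests: collate with the reporter's IP/date pairs and the
// Referer instead of blocking the source IP. Log format, sample lines,
// signature, verdict names and ownHost are assumptions.

// Common-log-like format with a trailing Referer field.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"$/;
const MONTHS = { Jan: "01", Feb: "02", Mar: "03", Apr: "04", May: "05", Jun: "06",
                 Jul: "07", Aug: "08", Sep: "09", Oct: "10", Nov: "11", Dec: "12" };
// Crude signature of the kind an IPS rule uses. A match says a request
// *looked* like XSS; it says nothing about who sent it or whether it worked.
const XSS_SIG = /<\s*script|\bon[a-z]+\s*=|javascript:/i;

// Constructed log lines (not real traffic). 203.0.113.10 is the reporter,
// 198.51.100.7 arrived via a link on another site, 192.0.2.5 is unknown.
const SAMPLE_LOG = [
  '203.0.113.10 - - [28/Aug/2013:10:00:00 +0900] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1234 "-"',
  '203.0.113.10 - - [28/Aug/2013:10:02:00 +0900] "GET /login?back=%22%3E%3Csvg/onload=alert(1)%3E HTTP/1.1" 200 987 "-"',
  '203.0.113.10 - - [28/Aug/2013:10:03:00 +0900] "GET /help HTTP/1.1" 200 500 "-"',
  '198.51.100.7 - - [07/Sep/2013:18:30:00 +0900] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1234 "http://forum.example.net/thread/42"',
  '192.0.2.5 - - [07/Sep/2013:19:00:00 +0900] "GET /search?q=javascript:alert(1) HTTP/1.1" 200 1234 "-"'
].join("\n");

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [d, mon, y] = m[2].split(":")[0].split("/");
  let target;
  try { target = decodeURIComponent(m[4]); } catch (e) { target = m[4]; }
  return { ip: m[1], day: `${y}-${MONTHS[mon]}-${d}`, target, status: m[5], referer: m[6] };
}

// reports: [{ ip, day }] as supplied by the bug reporter (the slides: "send
// them your IP address at the reporting time, they will match it").
function triage(logText, reports, ownHost) {
  const reported = new Set(reports.map(r => `${r.ip}|${r.day}`));
  const verdicts = { reporter: 0, "link-follower": 0, unknown: 0 };
  const endpoints = new Set();
  const evidence = [];   // lines that justify a "request for block release"
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e || !XSS_SIG.test(e.target)) continue;
    endpoints.add(e.target.split("?")[0]);          // the thing that actually needs fixing
    if (reported.has(`${e.ip}|${e.day}`)) {
      verdicts.reporter += 1;
      evidence.push(line);
    } else if (e.referer !== "-" && e.referer !== "" && !e.referer.includes(ownHost)) {
      verdicts["link-follower"] += 1;                // someone followed a crafted link: a victim, not an attacker
    } else {
      verdicts.unknown += 1;                         // needs a human look, not an automatic ISP notice
    }
  }
  return { verdicts, endpointsToReview: [...endpoints].sort(), evidence };
}

console.log(triage(SAMPLE_LOG, [{ ip: "203.0.113.10", day: "2013-08-28" }], "host"));
```

None of the three verdicts leads to a block: the reporter's hits become the evidence for releasing one, the link-follower case is exactly the "I send you a link" scenario on the slide (blocking that IP punishes the person who clicked), and the unknown case is handed to a person. What the routine does produce is the list of endpoints that reflected the probe, which is where the XSS gets fixed.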
Threat of XSS
Execute arbitrary script/manipulation
Confidential information leak
Phishing by changing page contents
◆ Internet Block!!
Lessons learned: the world
Things that should not be poked
Recently blocked again!
Non-payment of charge
(payment transaction not completed because of a misunderstanding)
The world is harsh ...
Sorrow of bug
After the Internet resumed
If I tell them my IP address in advance, Benesse allows my testing.
Reported nearly 100 vulns
(All were fixed in a short period of time. This attitude is really great.)
As a consequence
➡ explain 2 cases out of them!
DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/
    jQuery("#nav-pw li a, a.tab-link")
        .bind("click touchstart", function(event){
            setTimeout(function(){
                hash = location.hash;
                if (hash != "" && jQuery(hash).length) {
                    //...
                }
            }, 500);
        });
The event runs when a specific link is clicked:
    jQuery("#nav-pw li a, a.tab-link")
        .bind("click touchstart", function(event){
    ...
Specific links
    <div id="nav-pw">
    <ul>
    <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい
    ...
jQuery("#nav-pw li a, a.tab-link"): all of these links go to a # fragment.
Based on this, look at it again carefully:
    jQuery("#nav-pw li a, a.tab-link")
        .bind("click touchstart", function(event){
            setTimeout(function(){
                hash = location.hash;   // read 500 ms after the click, not at click time
                if (hash != "" && jQuery(hash).length) {   // old jQuery parses a string containing '<' as HTML
                    //...
                }
            }, 500);
        });
The hash can be changed within that 0.5 sec!
Current source
    hash = location.hash;
    // 2013.10.4 fix XSS
    if(hash == "#first-login"||
       hash == "#passmodif" ||
       hash == "#passlost") {
    }else {
        hash = "";
    }
    if (hash != "" && jQuery(hash).length) {
    ...
tabs.js from http://www.benesse.co.jp/s/land/pass/
!
DOM based XSS ❷
    <script type="text/javascript">
    $(document).ready(function(){
        result = "./answer/answer_" + $.query.get('result') + ".html";
        $("#answer_box").load(result);
    });
    </script>
    ...
    <div id="answer_box"></div>
Make a path from the parameter 'result'
→ Fetch the page response from that URL and insert it.
https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html?
The path is limited to the same domain, so is it safe?
No!
Uploadable user avatar images are hosted in the same domain.
If you write <script>.... in the image comment area, it will be uploaded directly.
In this way:
/vulnpage?result=/../../../../uploads/profile/icon.jpg%23
    $(document).ready(function(){
        // becomes "./answer/answer_/../../../../uploads/profile/icon.jpg#.html"
        result = "./answer/answer_" + $.query.get('result') + ".html";
        // the fragment is not sent to the server, so the avatar file is fetched and inserted as HTML
        $("#answer_box").load(result);
    });
➡ The image binary is exported into the page
DEMO
http://vulnerabledoma.in/avtokyo2015/
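Both cases above take a value from the URL and hand it to a jQuery sink: jQuery(location.hash) in case ❶ and .load() of a path built from the result parameter in case ❷. The following is an added example, not the site's code, showing the validation a defender would put in front of each sink, plus a function that resolves the case ❷ path the way the browser does so the traversal is visible. The function names, the regexes and the placeholder origin http://host are assumptions; the allowlist of tab ids is the one from the site's own fix.

```javascript
// Added example (not the site's code). Input validation for the two jQuery
// sinks on the slides. Function names, regexes and the placeholder origin
// http://host are assumptions.

// Case 1: in jQuery versions before 1.9 a string containing "<" was parsed as
// HTML even when it started with "#", so jQuery(location.hash) with a crafted
// fragment created elements and ran their event handlers. The site's patch
// keeps only the three known tab ids; this does the same.
const KNOWN_TABS = ["#first-login", "#passmodif", "#passlost"];
function safeTabHash(hash) {
  return KNOWN_TABS.includes(hash) ? hash : "";
}
// When the set of ids is not fixed: a bare id selector cannot be parsed as HTML.
function safeIdSelector(hash) {
  return /^#[A-Za-z][\w-]*$/.test(hash) ? hash : "";
}

// Case 2: what the browser actually requests for a given "result" value.
// "/../" segments walk out of ./answer/, and a trailing "#" turns the ".html"
// suffix into a fragment, which is never sent to the server.
const PAGE = "http://host/contents/oyashindan/answer.html";   // placeholder origin
function requestedPath(result) {
  const url = new URL("./answer/answer_" + result + ".html", PAGE);
  return url.pathname;
}

// Fix: accept only a bare token, so the path can neither leave ./answer/ nor
// lose its suffix; anything else is rejected rather than "sanitized".
function safeAnswerPath(result) {
  if (typeof result !== "string" || !/^[A-Za-z0-9_-]{1,32}$/.test(result)) return null;
  return "./answer/answer_" + result + ".html";
}

// The value from the slide, assuming the query plugin decodes %23 to "#".
const SLIDE_RESULT = "/../../../../uploads/profile/icon.jpg#";
console.log(requestedPath(SLIDE_RESULT));     // /uploads/profile/icon.jpg
console.log(safeAnswerPath(SLIDE_RESULT));    // null
console.log(safeTabHash("#<svg/onload=alert(1)>"));   // ""
```

requestedPath() makes the point of the "same domain, safe?" slide concrete: the request stays on the same origin, but "same origin" includes every user-uploaded file the site hosts, so the fix has to constrain the path itself, not just the host.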
Conclusion
I will continue finding bugs while trying not to bother anyone.
Thank you very much (Yoroshiku!)
@kinugawamasato
masatokinugawa
[at]gmail.com
Thanks!
💰💰💰