Defcon Russia 30 Aug 2014 - Plz guys show Impact!

http://defcon-russia.ru/news/38/
http://www.youtube.com/watch?v=13aAI4evFBw&feature=youtu.be


  1. Show us Impact! Proving the threat under difficult conditions. 30/08/2014, DCG #7812, St. Petersburg, @sergeybelove
  2. Work/Activity: BugHunting, Speaker/CTF. Hey Defcon Russia (DCG #7812)
  3. Bug Bounty
  4. Bug Bounty
  5. Something is wrong but I don't know what

  6. Situation #1 – Same Site Scripting
  7. XXXYYYZZZ.target.com => 127.0.0.1. What's wrong?
  8. Situation #1 – Same Site Scripting
  9. External IP – 12.34.56.78; loopback – 127.0.0.1
  10. Attacker: 1) nc -lv 10024; 2) email to victim@corp.xxx with <img src=http://xxyyzz.target.com:10024>. Victim: 1) opens the email and... 2) loads the image with *.target.com cookies! (That is why it is important to know how to set cookies correctly: http://habrahabr.ru/post/143276/)
  11. http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
  12. Situation #1 – Same Site Scripting
  13. XXXYYYZZZ.target.com => 10.0.0.22; http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
  14. https://hackerone.com/reports/1509 - $100
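
The defender's side of Situation #1 is finding the DNS records that make it possible. The following is an added example, not code from the talk or from any project it mentions: it parses a BIND-style zone (the sample zone, its names and its addresses are constructed) and flags every A/AAAA record under the domain that answers with a loopback, private or link-local address, which is exactly what lets a page on xxyyzz.target.com reach the victim's own machine or LAN with *.target.com cookies attached.

```python
"""Added example (not from the talk): audit a BIND-style zone file for A/AAAA
records that answer with loopback, private or link-local addresses, the setup
behind "same site scripting".

A browser loading http://localhost.target.com:10024/ sends every cookie scoped
to .target.com to whatever listens on port 10024 of the client's own machine
(or of 10.0.0.22 on its LAN), because the name is a genuine target.com name.
Finding such records in your own zones is the first step; the fix is to
delete them."""
import ipaddress
from typing import Iterator, List, Optional, Tuple

# Constructed sample zone: every name and address below is made up.
SAMPLE_ZONE = """\
$ORIGIN target.com.
@           300 IN A     1.2.3.4        ; public web front end
www         300 IN A     1.2.3.4
localhost   300 IN A     127.0.0.1      ; classic same-site-scripting record
dev-box     300 IN A     10.0.0.22      ; points into the corporate LAN
ipv6-local  300 IN AAAA  ::1
link        300 IN A     169.254.10.5
cdn         300 IN CNAME cdn.example.net.
"""


def address_risk(addr: str) -> Optional[str]:
    """Why a public DNS answer with this address is dangerous, or None if it is not."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:          # test before is_private: 169.254/16 is in both sets
        return "link-local"
    if ip.is_private:
        return "private"
    return None


def parse_zone(zone_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (fqdn, rtype, rdata) for A/AAAA records; honours $ORIGIN, '@' and ';' comments."""
    origin = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        if "IN" not in fields:
            continue                       # not a record line in the simple form handled here
        idx = fields.index("IN")
        if len(fields) < idx + 3:
            continue
        rtype, rdata = fields[idx + 1].upper(), fields[idx + 2]
        if rtype not in ("A", "AAAA"):
            continue
        owner = fields[0]
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}" if origin else owner
        yield fqdn, rtype, rdata


def find_same_site_scripting_risks(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return [(fqdn, address, reason)] for every record that points into non-public space."""
    findings = []
    for fqdn, _rtype, rdata in parse_zone(zone_text):
        reason = address_risk(rdata)
        if reason:
            findings.append((fqdn, rdata, reason))
    return findings


if __name__ == "__main__":
    for fqdn, addr, reason in find_same_site_scripting_risks(SAMPLE_ZONE):
        print(f"{fqdn:24} -> {addr:14} ({reason})")
```

Run it against an export of your own zones (or against the answers of a subdomain enumeration of your own domain); any hit is a record to remove, and a wildcard record pointing at the same address space is the same finding for every possible label.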

  15. Situation #2 – Self XSS
  16. XSS only for you – no impact?
  17. Situation #2 – Self XSS
  18. Requirements: 1) CSRF for logout O_o 2) CSRF for login o_O
  19. Steps: 1) save the (self-)XSS for yourself 2) log the victim out 3) log the victim in with your creds 4) draw a window 5) catch the user's creds!
  20. Google and self-XSS
  21. Share account and attack your victim
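
The chain on slides 18-19 only works because logout and login accept cross-site requests. The following is an added example, not code from the talk or from any application it describes, showing the guard that removes both requirements: a random pre-session cookie set on the login page plus an HMAC form token bound to it. The secret, cookie name, form field names and user table are hypothetical.

```python
"""Added example (not from the talk): a pre-session token that blocks login CSRF
and logout CSRF, the two primitives the self-XSS chain depends on."""
import hashlib
import hmac
import secrets
from typing import Dict

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"   # hypothetical; load from config

# Constructed account table for the demo.
USERS = {"attacker": "attacker-pw", "victim": "victim-pw"}


def token_for(pre_session_cookie: str) -> str:
    """Form token = HMAC(secret, cookie); it is only valid with the cookie it was minted for."""
    return hmac.new(SERVER_SECRET, pre_session_cookie.encode(), hashlib.sha256).hexdigest()


def issue_pre_session() -> Dict[str, object]:
    """GET /login: set a random cookie for the not-yet-logged-in browser and embed its token in the form."""
    cookie = secrets.token_urlsafe(32)
    return {"set_cookie": {"presession": cookie}, "form_token": token_for(cookie)}


def csrf_ok(request: dict) -> bool:
    """A state-changing request must be a POST whose token matches *this browser's* cookie.
    A page on another origin can submit a form but can neither read nor set the victim's
    cookie, so a cross-site login or logout form fails here."""
    if request.get("method") != "POST":
        return False
    cookie = request.get("cookies", {}).get("presession")
    form_token = request.get("form", {}).get("csrf")
    if not cookie or not form_token:
        return False
    return hmac.compare_digest(token_for(cookie), form_token)


def handle_login(request: dict) -> str:
    if not csrf_ok(request):
        return "rejected: login CSRF check failed"
    form = request["form"]
    if USERS.get(form.get("user")) != form.get("password"):
        return "rejected: bad credentials"
    return f"logged in as {form['user']}"


def handle_logout(request: dict) -> str:
    # Logout is state-changing too: never honour GET /logout or a token-less POST.
    if not csrf_ok(request):
        return "rejected: logout CSRF check failed"
    return "logged out"


def demo() -> Dict[str, str]:
    """A legitimate login next to the two forged requests the chain needs."""
    page = issue_pre_session()                     # victim's browser fetched /login normally
    cookies = page["set_cookie"]
    legit = {"method": "POST", "cookies": cookies,
             "form": {"csrf": page["form_token"], "user": "victim", "password": "victim-pw"}}
    # A cross-site page auto-submits a login form carrying the attacker's creds and a token
    # copied from the attacker's own /login page; the victim's cookie does not match it.
    attacker_page = issue_pre_session()
    forged_login = {"method": "POST", "cookies": cookies,
                    "form": {"csrf": attacker_page["form_token"],
                             "user": "attacker", "password": "attacker-pw"}}
    # A GET to /logout triggered from another origin (image tag, redirect, ...).
    forged_logout = {"method": "GET", "cookies": cookies, "form": {}}
    return {"legit": handle_login(legit),
            "forged_login": handle_login(forged_login),
            "forged_logout": handle_logout(forged_logout)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The token is bound to the cookie rather than to a session because there is no session yet at login time; the same check, bound to the real session cookie, protects logout. Cookies with the SameSite attribute (which browsers did not support in 2014) add a second layer but do not replace the token.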

  22. Situation #3 – evil HTTP referers
  23. <a href="http://external.com">Go!</a> In request headers: ... Referer: http://yoursite.com/ ... But what about external resources on a web page, such as images, styles...?
  24. http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics-are-awesome.com/howto-choose-password.jpg> ... The owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer)!
  25. https://hackerone.com/reports/738 - $100
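
To see slide 24 in code, the following added example (not from the talk; the page URL and HTML are constructed from the slide's scenario) lists the resources a page loads from other origins and computes the Referer each one would receive under a given Referrer-Policy. It goes slightly beyond the slide by modelling four policies, so the same function shows why `Referrer-Policy: no-referrer` or the current browser default stops the leak while the 2014 default did not.

```python
"""Added example (not from the talk): find third-party resources on a page whose URL
carries a secret, and compute the Referer each would receive."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlparse, urlunparse

# Constructed page: the password-recovery URL carries the token in the query string.
PAGE_URL = "http://super-website.com/user/passRecovery?t=SECRET"
PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<form method="post"><input name="password"></form>
<img src=http://comics-are-awesome.com/howto-choose-password.jpg>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering (no click needed)."""
    URL_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href",
                "video": "src", "audio": "src", "source": "src", "embed": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTR.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def third_party_resources(page_url: str, html: str) -> List[str]:
    """Absolute URLs of auto-loaded resources served from an origin other than the page's."""
    parser = ResourceCollector()
    parser.feed(html)
    page = urlparse(page_url)
    out = []
    for ref in parser.urls:
        absolute = urljoin(page_url, ref)
        r = urlparse(absolute)
        if (r.scheme, r.netloc) != (page.scheme, page.netloc):
            out.append(absolute)
    return out


def referer_header(page_url: str, target_url: str,
                   policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Referer a browser sends for a sub-resource request, for four common policies.
    'no-referrer-when-downgrade' was the browser default at the time of the talk;
    'strict-origin-when-cross-origin' is the default in current browsers."""
    p, t = urlparse(page_url), urlparse(target_url)
    same_origin = (p.scheme, p.netloc) == (t.scheme, t.netloc)
    downgrade = p.scheme == "https" and t.scheme == "http"
    full = urlunparse(p._replace(fragment=""))        # fragments are never sent
    origin_only = f"{p.scheme}://{p.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin_only
    raise ValueError(f"unsupported policy: {policy}")


def token_leaks(page_url: str, html: str,
                policy: str = "no-referrer-when-downgrade") -> List[Tuple[str, str]]:
    """[(third-party URL, Referer it receives)] where the Referer still carries the page's query string."""
    query = urlparse(page_url).query
    leaks = []
    for url in third_party_resources(page_url, html):
        ref = referer_header(page_url, url, policy)
        if query and ref and query in ref:
            leaks.append((url, ref))
    return leaks


if __name__ == "__main__":
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(pol, token_leaks(PAGE_URL, PAGE_HTML, pol))
```

The durable fix is not to render a page under a URL that contains the token at all: consume the token server-side, then redirect to a token-less URL (or keep the token in the POST body). The header is the cheap second layer for pages that must keep the token in the address bar.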

  26. Situation #5 – Content-Security-Policy
  27. Situation #5 – Content-Security-Policy
  28. CSP only for some browsers! Is it OK?
  29. 1) Browser forks with a different UA 2) Proxy cache 3) Load balancer... The bug hunter got $100, but...
  30. Fail! Why:
      • Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.
      • Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.
      • Chrome for iOS fails to render pages without a connect-src 'self' policy.
      • Old FF problems (some versions between XX and YY)
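
Slides 28-29 argue that a policy sent only to recognised User-Agents is not a policy. The following added example (not from the talk; the captured responses are constructed) fetches the same URL as several User-Agents would and reports where CSP is missing, delivered only in a legacy header, or different per UA. It adds one check the slides imply but do not spell out: a response that varies by User-Agent without `Vary: User-Agent` is the case where a proxy cache serves the unprotected variant to everyone.

```python
"""Added example (not from the talk): check that Content-Security-Policy is delivered
identically to every client, whatever User-Agent string it sends."""
from typing import Dict, List, Tuple

Response = Tuple[str, Dict[str, str]]      # (User-Agent sent, response headers received)

# Constructed captures: one URL fetched with different User-Agent strings.
BROKEN_SITE: List[Response] = [
    ("Mozilla/5.0 (Chrome)",  {"Content-Security-Policy": "default-src 'self'; img-src *"}),
    ("Mozilla/5.0 (Firefox)", {"Content-Security-Policy": "default-src 'self'; img-src *"}),
    ("Mozilla/5.0 (MSIE 10)", {"X-Content-Security-Policy": "sandbox"}),   # legacy header only
    ("ObscureFork/1.0",       {"Content-Type": "text/html"}),               # UA not on the allow-list
]
FIXED_SITE: List[Response] = [
    (ua, {"Content-Security-Policy": "default-src 'self'; img-src *"}) for ua, _ in BROKEN_SITE
]

LEGACY_HEADERS = ("x-content-security-policy", "x-webkit-csp")


def parse_csp(value: str) -> Dict[str, Tuple[str, ...]]:
    """'default-src 'self'; img-src *' -> {'default-src': ("'self'",), 'img-src': ('*',)}"""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = tuple(parts[1:])
    return policy


def audit_csp_delivery(responses: List[Response]) -> List[str]:
    """Findings (empty list = consistent). Flags missing CSP, legacy-only CSP, policies
    that differ by UA, and UA-dependent responses a shared cache could mix up."""
    findings: List[str] = []
    seen = {}
    for ua, headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        csp = h.get("content-security-policy")
        if csp is None:
            legacy = [k for k in LEGACY_HEADERS if k in h]
            if legacy:
                findings.append(f"{ua}: only legacy header(s) {legacy}; current browsers ignore them")
            else:
                findings.append(f"{ua}: no Content-Security-Policy header at all")
            seen[ua] = None
        else:
            seen[ua] = tuple(sorted(parse_csp(csp).items()))
    if len(set(seen.values())) > 1:
        findings.append("policy differs by User-Agent: " + ", ".join(
            f"{ua}={'none' if p is None else 'set'}" for ua, p in seen.items()))
        for ua, headers in responses:
            h = {k.lower(): v for k, v in headers.items()}
            if ("user-agent" not in h.get("vary", "").lower()
                    and "no-store" not in h.get("cache-control", "").lower()):
                findings.append(f"{ua}: UA-dependent response without 'Vary: User-Agent'; "
                                "a shared cache may serve this variant to other browsers")
    return findings


if __name__ == "__main__":
    for name, site in (("broken", BROKEN_SITE), ("fixed", FIXED_SITE)):
        print(name, audit_csp_delivery(site) or "OK")
```

Feed it real captures (same URL, a handful of User-Agent strings, plus one made-up UA) from behind and in front of any load balancer; the made-up UA is the one that catches allow-list logic.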

  31. Situation #6 – Usernames
  32. http://website.com/username
  33. Okay! Let's register: http://website.com/robots.txt http://website.com/sitemap.xml ...
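
Slides 32-33 show what happens when user-chosen names share the site root with well-known files. The following added example (not from the talk; the reserved names and route table are constructed) shows the two mitigations a reviewer would ask for: a validator that refuses file-like and route-like names, and a router that resolves static files before profiles and keeps profiles under their own prefix.

```python
"""Added example (not from the talk): keep user-chosen names from colliding with
well-known files and application routes when profiles live at /<username>."""
import re
import unicodedata
from typing import List, Optional, Tuple

# Files that crawlers, mail clients and browsers fetch at the site root (constructed list).
WELL_KNOWN = {"robots.txt", "sitemap.xml", "favicon.ico", "crossdomain.xml",
              "clientaccesspolicy.xml", "humans.txt", "security.txt", ".well-known"}
# First path segments the application itself owns (constructed list).
APP_ROUTES = {"login", "logout", "admin", "api", "static", "assets", "settings", "search", "user"}

USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{2,29}")   # no dots: nothing can look like a file


def normalize(name: str) -> str:
    """Fold Unicode look-alikes and case so 'Robots.TXT' and 'robots.txt' compare equal."""
    return unicodedata.normalize("NFKC", name).strip().lower()


def username_problem(name: str) -> Optional[str]:
    """Return why a username must be rejected, or None if it is acceptable."""
    n = normalize(name)
    if n in WELL_KNOWN:
        return "collides with a well-known file"
    if n in APP_ROUTES:
        return "collides with an application route"
    if not USERNAME_RE.fullmatch(n):
        return "must be 3-30 chars of a-z 0-9 _ - and start with a letter or digit"
    return None


# A tiny router to show the ordering/namespace side of the same bug.
Route = Tuple[re.Pattern, str]


def route(path: str, table: List[Route]) -> str:
    """First matching pattern wins, as in most web frameworks."""
    for pattern, handler in table:
        if pattern.fullmatch(path):
            return handler
    return "404"


# Vulnerable: the catch-all profile route is registered before the static files.
VULNERABLE_TABLE: List[Route] = [
    (re.compile(r"/[^/]+"),       "profile"),
    (re.compile(r"/robots\.txt"), "robots"),
]
# Fixed: static files first, and profiles moved under their own prefix.
FIXED_TABLE: List[Route] = [
    (re.compile(r"/robots\.txt"), "robots"),
    (re.compile(r"/u/[^/]+"),     "profile"),
]


if __name__ == "__main__":
    for candidate in ("alice", "robots.txt", "Robots.TXT", "login", "ab"):
        print(f"{candidate!r:14} -> {username_problem(candidate) or 'ok'}")
    print(route("/robots.txt", VULNERABLE_TABLE), route("/robots.txt", FIXED_TABLE))
```

The validator alone is not enough, because the reserved list is never complete (every new route or well-known file becomes a new collision); the prefix in the fixed route table is what makes the class of bug go away.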

  34. Situations XXX
  35. • Info disclosure via CSS files (full path disclosure during compilation: file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not-supported.scss, bug #2221)
      • SPF and similar records
      • Short tokens
      • Pixel flood attack
      • CSRF for login/logout!? (hi Michal Zalewski!)
      • ... - https://hackerone.com/security?show_all=true
  36. Thanks! Questions? @sergeybelove
