This document discusses several security vulnerabilities and situations: 1. Same-site scripting involving loading an image from an external site that can read cookie data from the original site. 2. Self-XSS that could be used to log a victim out and hijack their account by drawing a pop-up window to steal credentials. 3. HTTP referrer headers leaking sensitive information when external resources like images are loaded from other sites. 4. Incomplete browser support for content security policies potentially leaving some users vulnerable to XSS. 5. Username enumeration through guessing common names in the URL space. It encourages thinking broadly about attack vectors and thanks the audience for their questions.

1. Покажите нам Impact!
Доказываем угрозу в сложных условиях
30/08/2014
DCG #7812
Г. Санкт-Петербург
@sergeybelove

2. Work/Activity
BugHuting
Speaker/CTF
Hey
Defcon Russia (DCG #7812) 2

3. Bug Bounty
Defcon Russia (DCG #7812) 3

4. Bug Bounty
Defcon Russia (DCG #7812) 4

5. Something wrong but i don't know what
Defcon Russia (DCG #7812) 5

6. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 6

7. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 7
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?

8. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 8

9. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 9
External IP – 12.34.56.78
Loopback – 127.0.0.1

10. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 10
Attacker:
1) nc –lv 10024
2) email to victim@corp.xxx with
<img src = http://xxyyzz.target.com:10024 >
Victim:
1) Open email and...
2) Load image with *.target.com cookies!
(that’s is why important to know howto correctly set cookies -
http://habrahabr.ru/post/143276/)

11. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 11
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.s
html

12. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 12

13. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 13
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

14. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812) 14
https://hackerone.com/reports/1509 - $100

15. Defcon Russia (DCG #7812) 15
Situation #2 – Self XSS

16. Situation #2 – Self XSS
Defcon Russia (DCG #7812) 16
XSS only for you – no impact?

17. Situation #2 – Self XSS
Defcon Russia (DCG #7812) 17

18. Situation #2 – Self XSS
Defcon Russia (DCG #7812) 18
Requirements:
1)CSRF for logout O_o
2)CSRF for login o_O

19. Situation #2 – Self XSS
Defcon Russia (DCG #7812) 19
Steps:
1) Save (self)XSS for you
2) Logout victim
3) Login victim w/ your creds
4) Draw window
5) Catch user’s creds!

20. Situation #2 – Self XSS
Defcon Russia (DCG #7812) 20
Google and self-XSS

21. Situation #2 – Self XSS
Defcon Russia (DCG #7812) 21
Share account and attack your victim

22. Situation #3 – evil HTTP referers
Defcon Russia (DCG #7812) 22

23. Situation #3 - HTTP referer
Defcon Russia (DCG #7812) 23
<a href=“http://external.com”>Go!</a>
In request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on web page
such as images, styles...?

24. Situation #3 - HTTP referer
Defcon Russia (DCG #7812) 24
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose-
password.jpg>
...
Owner of
comics-are-awesome.com
know all _SECRET_ tokens (from referer)!

25. Situation #3 - HTTP referer
Defcon Russia (DCG #7812) 25
https://hackerone.com/reports/738 - $100

26. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812) 26

27. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812) 27

28. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812) 28
CSP only for some browsers!
Is it ok?

29. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812) 29
1) Forks with diff UA
2) Proxy cache
3) Load balancer...
Bug hunter got $100, but...

30. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812) 30
Fail! Why:
• ‘Partial support in Internet Explorer 10-11 refers to the
browser only supporting the 'sandbox' directive by using the
'X-Content-Security-Policy' header.
• Partial support in iOS Safari 5.0-5.1 refers to the browser
recognizing the X-Webkit-CSP header but failing to handle
complex cases correctly, often resulting in broken pages.
• Chrome for iOS fails to render pages without a connect-src
'self' policy.
• Old FF problems (some versions between XX and YY)

31. Situation #6 - Usernames
Defcon Russia (DCG #7812) 31

32. Situation #6 - Usernames
Defcon Russia (DCG #7812) 32
http://website.com/username

33. Situation #6 - Usernames
Defcon Russia (DCG #7812) 33
Okay! Let’s register:
http://website.com/robots.txt
http://website.com/sitemap.xml
...

34. Situations XXX
Defcon Russia (DCG #7812) 34

35. Situations XXX
Defcon Russia (DCG #7812) 35
• Info disclose via CSS files (full path disclosure while
compilation -
file:///applications/hackerone/releases/201402211759
29/app/assets/stylesheets/application/browser-not-
supported.scss (bug #2221)
• SPF and same records
• Short tokens
• Pixel flood attack
• CSRF for login/logout!? (hi Michal Zalewski!)
• ... - https://hackerone.com/security?show_all=true

36. Defcon Russia (DCG #7812) 36
Thanks! Questions?
@sergeybelove