The document discusses various security vulnerabilities demonstrated during the Defcon Russia conference, specifically focusing on issues like Cross-Site Scripting (XSS), CSRF, and the impact of improper cookie settings. Several real-world scenarios are provided to illustrate these vulnerabilities, including the consequences of self-XSS and HTTP referer misuse. It also highlights the partial support of Content Security Policy across different browsers and concludes with an invitation for questions from the audience.

1. Покажите нам Impact! Доказываем угрозу в сложных условиях
30/08/2014
DCG #7812
Г. Санкт-Петербург
@sergeybelove

2. Work/Activity BugHuting Speaker/CTF
Hey
Defcon Russia (DCG #7812)
2

3. Bug Bounty
Defcon Russia (DCG #7812)
3

4. Bug Bounty
Defcon Russia (DCG #7812)
4

5. Something wrong but i don't know what
Defcon Russia (DCG #7812)
5

6. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
6

7. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
7
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?

8. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
8

9. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
9
External IP – 12.34.56.78
Loopback – 127.0.0.1

10. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
10
Attacker:
1)nc –lv 10024
2)email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim:
1)Open email and...
2)Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

11. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
11
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml

12. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
12

13. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
13
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

14. Situation #1 – Same Site Scripting
Defcon Russia (DCG #7812)
14
https://hackerone.com/reports/1509 - $100

15. Defcon Russia (DCG #7812)
15
Situation #2 – Self XSS

16. Situation #2 – Self XSS
Defcon Russia (DCG #7812)
16
XSS only for you – no impact?

17. Situation #2 – Self XSS
Defcon Russia (DCG #7812)
17

18. Situation #2 – Self XSS
Defcon Russia (DCG #7812)
18
Requirements:
1)CSRF for logout O_o
2)CSRF for login o_O

19. Situation #2 – Self XSS
Defcon Russia (DCG #7812)
19
Steps:
1) Save (self)XSS for you
2) Logout victim
3) Login victim w/ your creds
4) Draw window
5) Catch user’s creds!

20. Situation #2 – Self XSS
Defcon Russia (DCG #7812)
20
Google and self-XSS

21. Situation #2 – Self XSS
Defcon Russia (DCG #7812)
21
Share account and attack your victim

22. Situation #3 – evil HTTP referers
Defcon Russia (DCG #7812)
22

23. Situation #3 - HTTP referer
Defcon Russia (DCG #7812)
23
<a href=“http://external.com”>Go!</a>
In request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on web page such as images, styles...?

24. Situation #3 - HTTP referer
Defcon Russia (DCG #7812)
24
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose- password.jpg>
...
Owner of
comics-are-awesome.com
know all _SECRET_ tokens (from referer)!

25. Situation #3 - HTTP referer
Defcon Russia (DCG #7812)
25
https://hackerone.com/reports/738 - $100

26. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
26

27. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
27

28. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
28
CSP only for some browsers!
Is it ok?

29. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
29
1)Forks with diff UA
2)Proxy cache
3)Load balancer... Bug hunter got $100, but...

30. Situation #5 - Content-Security-Policy
Defcon Russia (DCG #7812)
30
Fail! Why:
•‘Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.
•Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.
•Chrome for iOS fails to render pages without a connect-src 'self' policy.
•Old FF problems (some versions between XX and YY)

31. Situation #6 - Usernames
Defcon Russia (DCG #7812)
31

32. Situation #6 - Usernames
Defcon Russia (DCG #7812)
32
http://website.com/username

33. Situation #6 - Usernames
Defcon Russia (DCG #7812)
33
Okay! Let’s register:
http://website.com/robots.txt
http://website.com/sitemap.xml
...

34. Situations XXX
Defcon Russia (DCG #7812)
34

35. Situations XXX
Defcon Russia (DCG #7812)
35
•Info disclose via CSS files (full path disclosure while compilation - file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not- supported.scss (bug #2221)
•SPF and same records
•Short tokens
•Pixel flood attack
•CSRF for login/logout!? (hi Michal Zalewski!)
•... - https://hackerone.com/security?show_all=true

36. Defcon Russia (DCG #7812)
36
Thanks! Questions?
@sergeybelove