SlideShare uma empresa Scribd logo

HES 2012- Killing a Bug Bounty Program by Itzhak Zuk Avraham&Nir Goldshlager

Nir Goldshlager
Nir Goldshlager

Hackito Ergo Sum 2012

TecnologiaNegócios
1 de 65
Baixar para ler offline
Hackito  Ergo  Sum   Killing  a  bounty  program   By  :  Itzhak  (Zuk)  Avraham;  Nir  Goldshlager;  
#  whoami  |  presentation   Itzhak  Avraham  (Zuk)   Founder  &  CEO           Twitter:  @ihackbanme   Blog  :  http://imthezuk.blogspot.com     zuk @ zimperium.com   s(+ @ (+ (+     #  root  
#  whoami  |  presentation   Nir  Goldshlager   Senior  Web  Applications  Researcher             Twitter:  @nirgoldshlager     Blog  :  http://nirgoldshlager.com     #  root  
Reasons  for  bug  bounty   ü  Money   ü  Fame  
Reasons  for  bug  bounty   ü  Money   ü  Fame   ü  Okay,  mostly  fame,  they  don’t  pay  much  :P  
Bug  bounty  programs   ü  1995  –  Netscape   ü  2004  –  Firefox   ü  2005  –  ZDI   ü  2007  –  Pwn2own   ü  2010  –  Google   ü  2011  –  Facebook  
Know  your  enemy  
Know  your  enemy   •  Nope.  Your  enemies  might  be  :   •  Masato  Kinugawa   •  Neal  Poole   •  Nils  Juenemann   •  Szymon  Gruszecki   •  Wladimir  Palant   •  …  
Know  your  enemy   •  Nope.  Your  enemies  might  be  :   •  Masato  Kinugawa   •  Neal  Poole   •  Nils  Juenemann   •  Szymon  Gruszecki   •  Wladimir  Palant   •  …   •  ...   •  ???   •  TIME!  
Learn  your  target  Overview   •  Spy  on  their  blogs   •  New  bugs  –  new  ideas  to  detect  different  vulnerabilities.   •  Learn  the  company   •  Unchecked  services   •  Successful  acquisitions   •  Untested/Less  secured  web  applications   •  Multi  vector   •  Unknown  vectors  /  logical  techniques   •  Repetitive  of  weak  spots  
Google  Overview   •  Learn  the  company   •  Successful  acquisitions   http://en.wikipedia.org/wiki/ List_of_acquisitions_by_Google     •  New  services  –  Knol(???),    Friends  Connect   •  Subdomains     •  Learn  all  the  functions  of  the  application  you  are  going  to  test   •  Multi  vector   •  Unknown  vectors  /  logical  techniques   •  Repetitive  of  weak  spots  
Google  Overview   •  Successful  acquisitions   http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google   •  More  than  1  acquisition  per  week  since  2010!    
Google  Overview   •  Approach   •  Logical  /  mixed  issues  
XSS  for  fun  and  …  profit?   •  XSS  is  not  just  for  account  hijacking   •  Trusted  website,  runs  malicious  javascript…   •  Client  Side  Exploit  anyone?  
Google  Overview   •  Convention   •  Calender   •  Google.com/calender   •  Friends  Connect   •  google.com/friendconnect   •  Knol   •  Google.com/knol   •  Analytics   •  Google.com/analytics   •  Blogger   •  Google.com/blogger  
Google  Support  Overview   •  Convention   •  Knol   •  Google.com/knol   •  No   •  Friends  Connect   •  Support.google.com/friendconnect   •  Calendar   •  Support.google.com/calendar   •  Analytics   •  Support.google.com/analytics   •  Blogger   •  Support.google.com/blogger   •  Admob   •  Support.google.com/admob  
Google  Calender  Stored  XSS  
Stored  XSS  (Error  based)   •  Calendar  name  field  is  vulnerable  
Google  Calendar  Error  based   •  On  delete  of  the  calendar,  XSS  popped  out.   •  We  need  to  find  a  way  to  trigger  it  for  REMOTE   users.    
Google  Calendar  Error  based   •  How  can  one  see  our  calendar  name?  
Google  Calendar  Error  based   •  Let’s  share  our  malicious  calendar  with  the  target  (!!)   •  Approve  is  not  needed  for  sharing  calendars   •  Ohh  hello.  
Google  Calendar  Error  based   •  Let’s  share  our  malicious  calendar  with  the  target  (!!)   •  Approve  is  not  needed  for  sharing  calendars  
Google  Calendar  Error  based   •  user  must  delete  his  calendar.  
Google  Calendar  Error  based   •  user  must  delete  his  calendar.   •  Let’s  FORCE  our  target  to  DELETE!  
Google  Calendar  Error  based   •  Calendar  SPAM  !!!  
Google  Calendar  Error  based   •  Let’s  share  again  
Google  Calendar  Error  based   •  And  again  
Google  Calendar  Error  based   •  And  again  …  
Google  Calendar  Error  based   •  No  sharing  limit   •  User  gets  email  for  each  share  
Google  Calendar  Error  based   •  User  gets  email  for  each  share  
Google  Calendar  Error  based   •  After  Calendar  delete  :       •  Achievement  Unlocked.  
Google  Calendar  Error  based   •  After  Calendar  delete  :       •  Achievement  Unlocked.  
Google  FeedBurner  Stored  XSS  
Google  Feedburner  Unsubscribe   XSS   §  1.Victim  perform    subscribe  to  malicious  feedburner   ú  Well  it  doesn’t  have  to  be  malicious      Feed  title  is  vulnerable  
Google  Feedburner  Unsubscribe   XSS   §  Feed  title  is  vulnerable  
Google  Feedburner  Unsubscribe   XSS   §  When  the  victim  will  decide  to  unsubscribe  the   malicious  feedburner  a  stored  xss  will  be  run  on  his   client.  
Google  Feedburner  Unsubscribe   XSS   §  2  Methods  to  exploit  this  scenario:   1.  Send  a  malicious  unsubscribe  link  (no   permission  needed)  
Google  Feedburner  Unsubscribe   XSS   §  2  Methods  to  exploit  this  scenario:   1.  Send  a  malicious  unsubscribe  link  (no   permission  needed)   2.  Victim  subscribe,  unsubscribe  the  malicious   feedburner.
Google  Feedburner  Unsubscribe   XSS   §  User  unsubscribe  –  achievement  unlocked
Google  FriendConnect  Error  based   •  Meet  your  new  best  friend  :  
Google  FriendConnect  Error  based   •  The  target  approved  our  request.    
Google  FriendConnect  Error  based   •  The  target  approved  our  request.     •  Now,  let’s  force  him  to  delete  us,  not  before  we’re   going  to  change  our  name  to  :   •  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA  ….  “><XSS  Payload>  
Google  FriendConnect  Error  based  
Google  FriendConnect  Error  based   •  After  User  delete  :       •  Achievement  Unlocked.  
Google  Analytics  –  Stored  XSS  
Google  Analytics   •  In-­‐page  analytics  doesn’t  escape  incoming  requests:   •  Meaning,  an  attacker  can  send  XSS  to  the  administrator   by  sending  a  URL  
Google  Analytics   •  In-­‐page  analytics  doesn’t  escape  incoming  requests:   •  Meaning,  an  attacker  can  send  XSS  to  the  administrator   by  sending  a  URL  
Google  Analytics  
Google  Analytics   •  Let’s  exploit  this  vulnerability  in  2  creative  ways:   •  In-­‐Page  Analytics  –  When  the  administrator  logins  boom.   •  Sharing  –  Infect  ourselves  and  do  share  our  Analytics  with   the  victim  (the  link  would  be  directly  to  in-­‐page  analytics)  
Google  Analytics   •  Let’s  wait  for  our  administrator  to  login   •  Achievement  unlocked,  we  can  run  JS  on  any  web   administrator  using  Analytics  
Google  Analytics  
Google  Analytics   •  Second  method  :  Sharing  with  the  victim  our   analytics   •  We  will  add  the  victim  with  read-­‐only  permission   and  will  submit  the  link  for  google.com/analytics   account  with  our  ID  
Google  Analytics  
Google  Analytics   §  Achievement  unlocked  
Permission  bypass  –  Google  Knol  
Permission  bypass   Unpublished  document  
Permission  bypass   •  This  document  isn’t  accessible  via  URL  
Permission  bypass   •  We  don’t  have  permission  to  view  the  document   •  Knol  Translate  does,  let’s  use  the  service  to   show  us  what  we  want  and  cannot  access  
Permission  bypass  
Permission  bypass   •  Private  document  accessed  using  translate  service.   •  Achievement  unlocked  
Permission  bypass   •  Blogger  
Summary   §  Think  different   §  Information  gathering   §  Mixed  services   §  Permissions  
Reference   ●  http://www.nirgoldshlager.com/2011/03/blogger-­‐get-­‐administrator-­‐privilege-­‐on.html  -­‐   Blogger  admin  privileges  bypass     ●  http://www.google.com/about/company/rewardprogram.html  -­‐  Google  Reward   program   ●  http://www.google.com/about/company/halloffame.html  -­‐  Google  Hall  of  Fame   ●  http://www.slideshare.net/michael_coates/bug-­‐bounty-­‐programs-­‐for-­‐the-­‐web  -­‐   Michael  Coates  -­‐  Bug  Bounty  Program  –  OWASP  2011  
Thank  you!             Itzhak  “Zuk”  Avraham  -­‐  @ihackbanme   Nir  Goldshlager  -­‐  @nirgoldshlager  

Recomendados

Ungagged UK Talk - Google in a Post Update and Mobile First World.
Ungagged UK Talk - Google in a Post Update and Mobile First World.Ungagged UK Talk - Google in a Post Update and Mobile First World.
Ungagged UK Talk - Google in a Post Update and Mobile First World.Kristine Schachinger SEO and Online Marketing
 
Inbound Marketing Tools - SearchFest
Inbound Marketing Tools - SearchFestInbound Marketing Tools - SearchFest
Inbound Marketing Tools - SearchFestJustin Briggs
 
Tom Capper Mozcon 2021 - Core Web Vitals - The Fast & The Spurious
Tom Capper Mozcon 2021 - Core Web Vitals - The Fast & The SpuriousTom Capper Mozcon 2021 - Core Web Vitals - The Fast & The Spurious
Tom Capper Mozcon 2021 - Core Web Vitals - The Fast & The SpuriousTom Capper
 
Google Authorship Kidnapping: Why Authorship Photos Disappeared from Search
Google Authorship Kidnapping: Why Authorship Photos Disappeared from SearchGoogle Authorship Kidnapping: Why Authorship Photos Disappeared from Search
Google Authorship Kidnapping: Why Authorship Photos Disappeared from SearchMark Traphagen
 
Understanding SEO For Photographers
Understanding SEO For PhotographersUnderstanding SEO For Photographers
Understanding SEO For PhotographersEvolving SEO
 
Analytics For SEOs - Mozcation Portsmouth 11/7/12
Analytics For SEOs - Mozcation Portsmouth 11/7/12Analytics For SEOs - Mozcation Portsmouth 11/7/12
Analytics For SEOs - Mozcation Portsmouth 11/7/12Evolving SEO
 
Hands On WordPress SEO Mozinar - June 4, 2013
Hands On WordPress SEO Mozinar - June 4, 2013Hands On WordPress SEO Mozinar - June 4, 2013
Hands On WordPress SEO Mozinar - June 4, 2013Evolving SEO
 
SearchLove Boston 2016 | Mike King | Developer Thinking for SEOs
SearchLove Boston 2016 | Mike King | Developer Thinking for SEOsSearchLove Boston 2016 | Mike King | Developer Thinking for SEOs
SearchLove Boston 2016 | Mike King | Developer Thinking for SEOsDistilled
 

Recomendados

Ungagged UK Talk - Google in a Post Update and Mobile First World.
Ungagged UK Talk - Google in a Post Update and Mobile First World.Ungagged UK Talk - Google in a Post Update and Mobile First World.
Ungagged UK Talk - Google in a Post Update and Mobile First World.Kristine Schachinger SEO and Online Marketing
 
Inbound Marketing Tools - SearchFest
Inbound Marketing Tools - SearchFestInbound Marketing Tools - SearchFest
Inbound Marketing Tools - SearchFestJustin Briggs
 
Tom Capper Mozcon 2021 - Core Web Vitals - The Fast & The Spurious
Tom Capper Mozcon 2021 - Core Web Vitals - The Fast & The SpuriousTom Capper Mozcon 2021 - Core Web Vitals - The Fast & The Spurious
Tom Capper Mozcon 2021 - Core Web Vitals - The Fast & The SpuriousTom Capper
 
Google Authorship Kidnapping: Why Authorship Photos Disappeared from Search
Google Authorship Kidnapping: Why Authorship Photos Disappeared from SearchGoogle Authorship Kidnapping: Why Authorship Photos Disappeared from Search
Google Authorship Kidnapping: Why Authorship Photos Disappeared from SearchMark Traphagen
 
Understanding SEO For Photographers
Understanding SEO For PhotographersUnderstanding SEO For Photographers
Understanding SEO For PhotographersEvolving SEO
 
Analytics For SEOs - Mozcation Portsmouth 11/7/12
Analytics For SEOs - Mozcation Portsmouth 11/7/12Analytics For SEOs - Mozcation Portsmouth 11/7/12
Analytics For SEOs - Mozcation Portsmouth 11/7/12Evolving SEO
 
Hands On WordPress SEO Mozinar - June 4, 2013
Hands On WordPress SEO Mozinar - June 4, 2013Hands On WordPress SEO Mozinar - June 4, 2013
Hands On WordPress SEO Mozinar - June 4, 2013Evolving SEO
 
SearchLove Boston 2016 | Mike King | Developer Thinking for SEOs
SearchLove Boston 2016 | Mike King | Developer Thinking for SEOsSearchLove Boston 2016 | Mike King | Developer Thinking for SEOs
SearchLove Boston 2016 | Mike King | Developer Thinking for SEOsDistilled
 
We love seo 2019 - Tom Capper
We love seo 2019 - Tom CapperWe love seo 2019 - Tom Capper
We love seo 2019 - Tom CapperTom Capper
 
History of Panda Google Algorithm Updates
History of Panda Google Algorithm UpdatesHistory of Panda Google Algorithm Updates
History of Panda Google Algorithm UpdatesAfycon Technologies
 
LinkedIn Marketing - The White, Grey, and Black Techniques
LinkedIn Marketing - The White, Grey, and Black Techniques LinkedIn Marketing - The White, Grey, and Black Techniques
LinkedIn Marketing - The White, Grey, and Black Techniques Jabez LeBret
 
Turning Passion to Profit - Online Marketing - Session 3
Turning Passion to Profit - Online Marketing - Session 3Turning Passion to Profit - Online Marketing - Session 3
Turning Passion to Profit - Online Marketing - Session 3Birgit Pauli-Haack
 
How to Expand your Library's Online & Mobile Presence Using Twitter
How to Expand your Library's Online & Mobile Presence Using TwitterHow to Expand your Library's Online & Mobile Presence Using Twitter
How to Expand your Library's Online & Mobile Presence Using TwitterCheryl Burnette
 
Search and Social Media Content Strategy - PubCon Las Vegas 2015
Search and Social Media Content Strategy - PubCon Las Vegas 2015Search and Social Media Content Strategy - PubCon Las Vegas 2015
Search and Social Media Content Strategy - PubCon Las Vegas 2015Bill Hartzer
 
Scrape box presentation
Scrape box presentationScrape box presentation
Scrape box presentationElephate1
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir Goldshlager
 
2011 fitbloggin analytics
2011 fitbloggin analytics2011 fitbloggin analytics
2011 fitbloggin analyticsScott Stawarz
 
Fail at Scale: Large Enterprises and the Challenges of In-House SEO
Fail at Scale: Large Enterprises and the Challenges of In-House SEOFail at Scale: Large Enterprises and the Challenges of In-House SEO
Fail at Scale: Large Enterprises and the Challenges of In-House SEOKeith Goode
 
Sucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri
 
How to Enhance Findability of Library Web Content via SEO
How to Enhance Findability of Library Web Content via SEOHow to Enhance Findability of Library Web Content via SEO
How to Enhance Findability of Library Web Content via SEOVincci Kwong
 
Google Algorithm Chaos: Panda, Penguin, and Other Google Updates
Google Algorithm Chaos: Panda, Penguin, and Other Google UpdatesGoogle Algorithm Chaos: Panda, Penguin, and Other Google Updates
Google Algorithm Chaos: Panda, Penguin, and Other Google UpdatesBill Hartzer
 
Think vis 2013
Think vis 2013Think vis 2013
Think vis 2013Ed Beardsell
 
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...Search Engine Journal
 
What You Need to Know About Google Penguin 2.0
What You Need to Know About Google Penguin 2.0What You Need to Know About Google Penguin 2.0
What You Need to Know About Google Penguin 2.0DNN
 
Rawnet Lightning Talk - Negative SEO - A Dirty Business!
Rawnet Lightning Talk - Negative SEO - A Dirty Business!Rawnet Lightning Talk - Negative SEO - A Dirty Business!
Rawnet Lightning Talk - Negative SEO - A Dirty Business!Rawnet
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptxssuser152aeb
 
D3 unit 2 explorer
D3 unit 2 explorerD3 unit 2 explorer
D3 unit 2 explorerSimona Sglavo
 
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4Comercio Electronico
 
Mark Farmer - Google Analytics: Business Intelligence for Non-profits
Mark Farmer - Google Analytics: Business Intelligence for Non-profitsMark Farmer - Google Analytics: Business Intelligence for Non-profits
Mark Farmer - Google Analytics: Business Intelligence for Non-profitsCanadaHelps / MyCharityConnects
 
Disavow Process
Disavow Process Disavow Process
Disavow Process SysComm international
 

Mais conteúdo relacionado

Mais procurados

We love seo 2019 - Tom Capper
We love seo 2019 - Tom CapperWe love seo 2019 - Tom Capper
We love seo 2019 - Tom CapperTom Capper
 
History of Panda Google Algorithm Updates
History of Panda Google Algorithm UpdatesHistory of Panda Google Algorithm Updates
History of Panda Google Algorithm UpdatesAfycon Technologies
 
LinkedIn Marketing - The White, Grey, and Black Techniques
LinkedIn Marketing - The White, Grey, and Black Techniques LinkedIn Marketing - The White, Grey, and Black Techniques
LinkedIn Marketing - The White, Grey, and Black Techniques Jabez LeBret
 
Turning Passion to Profit - Online Marketing - Session 3
Turning Passion to Profit - Online Marketing - Session 3Turning Passion to Profit - Online Marketing - Session 3
Turning Passion to Profit - Online Marketing - Session 3Birgit Pauli-Haack
 
How to Expand your Library's Online & Mobile Presence Using Twitter
How to Expand your Library's Online & Mobile Presence Using TwitterHow to Expand your Library's Online & Mobile Presence Using Twitter
How to Expand your Library's Online & Mobile Presence Using TwitterCheryl Burnette
 
Search and Social Media Content Strategy - PubCon Las Vegas 2015
Search and Social Media Content Strategy - PubCon Las Vegas 2015Search and Social Media Content Strategy - PubCon Las Vegas 2015
Search and Social Media Content Strategy - PubCon Las Vegas 2015Bill Hartzer
 
Scrape box presentation
Scrape box presentationScrape box presentation
Scrape box presentationElephate1
 

Mais procurados (7)

We love seo 2019 - Tom Capper
We love seo 2019 - Tom CapperWe love seo 2019 - Tom Capper
We love seo 2019 - Tom Capper
 
History of Panda Google Algorithm Updates
History of Panda Google Algorithm UpdatesHistory of Panda Google Algorithm Updates
History of Panda Google Algorithm Updates
 
LinkedIn Marketing - The White, Grey, and Black Techniques
LinkedIn Marketing - The White, Grey, and Black Techniques LinkedIn Marketing - The White, Grey, and Black Techniques
LinkedIn Marketing - The White, Grey, and Black Techniques
 
Turning Passion to Profit - Online Marketing - Session 3
Turning Passion to Profit - Online Marketing - Session 3Turning Passion to Profit - Online Marketing - Session 3
Turning Passion to Profit - Online Marketing - Session 3
 
How to Expand your Library's Online & Mobile Presence Using Twitter
How to Expand your Library's Online & Mobile Presence Using TwitterHow to Expand your Library's Online & Mobile Presence Using Twitter
How to Expand your Library's Online & Mobile Presence Using Twitter
 
Search and Social Media Content Strategy - PubCon Las Vegas 2015
Search and Social Media Content Strategy - PubCon Las Vegas 2015Search and Social Media Content Strategy - PubCon Las Vegas 2015
Search and Social Media Content Strategy - PubCon Las Vegas 2015
 
Scrape box presentation
Scrape box presentationScrape box presentation
Scrape box presentation
 

Semelhante a HES 2012- Killing a Bug Bounty Program by Itzhak Zuk Avraham&Nir Goldshlager

Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir Goldshlager
 
2011 fitbloggin analytics
2011 fitbloggin analytics2011 fitbloggin analytics
2011 fitbloggin analyticsScott Stawarz
 
Fail at Scale: Large Enterprises and the Challenges of In-House SEO
Fail at Scale: Large Enterprises and the Challenges of In-House SEOFail at Scale: Large Enterprises and the Challenges of In-House SEO
Fail at Scale: Large Enterprises and the Challenges of In-House SEOKeith Goode
 
Sucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri
 
How to Enhance Findability of Library Web Content via SEO
How to Enhance Findability of Library Web Content via SEOHow to Enhance Findability of Library Web Content via SEO
How to Enhance Findability of Library Web Content via SEOVincci Kwong
 
Google Algorithm Chaos: Panda, Penguin, and Other Google Updates
Google Algorithm Chaos: Panda, Penguin, and Other Google UpdatesGoogle Algorithm Chaos: Panda, Penguin, and Other Google Updates
Google Algorithm Chaos: Panda, Penguin, and Other Google UpdatesBill Hartzer
 
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...Search Engine Journal
 
What You Need to Know About Google Penguin 2.0
What You Need to Know About Google Penguin 2.0What You Need to Know About Google Penguin 2.0
What You Need to Know About Google Penguin 2.0DNN
 
Rawnet Lightning Talk - Negative SEO - A Dirty Business!
Rawnet Lightning Talk - Negative SEO - A Dirty Business!Rawnet Lightning Talk - Negative SEO - A Dirty Business!
Rawnet Lightning Talk - Negative SEO - A Dirty Business!Rawnet
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptxssuser152aeb
 
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4Comercio Electronico
 
Mark Farmer - Google Analytics: Business Intelligence for Non-profits
Mark Farmer - Google Analytics: Business Intelligence for Non-profitsMark Farmer - Google Analytics: Business Intelligence for Non-profits
Mark Farmer - Google Analytics: Business Intelligence for Non-profitsCanadaHelps / MyCharityConnects
 
Google cloud study jam 2018 #cloud studyjam
Google cloud study jam 2018 #cloud studyjamGoogle cloud study jam 2018 #cloud studyjam
Google cloud study jam 2018 #cloud studyjamWessam ElSharawy
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri
 
How to Make the Most of Google Analytics on Your Evoq Site
How to Make the Most of Google Analytics on Your Evoq SiteHow to Make the Most of Google Analytics on Your Evoq Site
How to Make the Most of Google Analytics on Your Evoq SiteDNN
 
Tech4Africa Google Workshop 1
Tech4Africa Google Workshop 1Tech4Africa Google Workshop 1
Tech4Africa Google Workshop 1Sarah Blake
 
Meeting of the Minds 2010
Meeting of the Minds 2010Meeting of the Minds 2010
Meeting of the Minds 2010Our Kids Media
 

Semelhante a HES 2012- Killing a Bug Bounty Program by Itzhak Zuk Avraham&Nir Goldshlager (20)

Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
 
2011 fitbloggin analytics
2011 fitbloggin analytics2011 fitbloggin analytics
2011 fitbloggin analytics
 
Fail at Scale: Large Enterprises and the Challenges of In-House SEO
Fail at Scale: Large Enterprises and the Challenges of In-House SEOFail at Scale: Large Enterprises and the Challenges of In-House SEO
Fail at Scale: Large Enterprises and the Challenges of In-House SEO
 
Sucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist WarningsSucuri Webinar: Understand and Fix Google Blacklist Warnings
Sucuri Webinar: Understand and Fix Google Blacklist Warnings
 
How to Enhance Findability of Library Web Content via SEO
How to Enhance Findability of Library Web Content via SEOHow to Enhance Findability of Library Web Content via SEO
How to Enhance Findability of Library Web Content via SEO
 
Google Algorithm Chaos: Panda, Penguin, and Other Google Updates
Google Algorithm Chaos: Panda, Penguin, and Other Google UpdatesGoogle Algorithm Chaos: Panda, Penguin, and Other Google Updates
Google Algorithm Chaos: Panda, Penguin, and Other Google Updates
 
Think vis 2013
Think vis 2013Think vis 2013
Think vis 2013
 
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
What the Doctor Ordered: Your Yearly Google Algorithm Update Checkup (2016 Ed...
 
What You Need to Know About Google Penguin 2.0
What You Need to Know About Google Penguin 2.0What You Need to Know About Google Penguin 2.0
What You Need to Know About Google Penguin 2.0
 
Rawnet Lightning Talk - Negative SEO - A Dirty Business!
Rawnet Lightning Talk - Negative SEO - A Dirty Business!Rawnet Lightning Talk - Negative SEO - A Dirty Business!
Rawnet Lightning Talk - Negative SEO - A Dirty Business!
 
brighton final.pptx
brighton final.pptxbrighton final.pptx
brighton final.pptx
 
D3 unit 2 explorer
D3 unit 2 explorerD3 unit 2 explorer
D3 unit 2 explorer
 
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
Google Analytics Bootcamp Bogota Junio 28 2012 Dia 4
 
Mark Farmer - Google Analytics: Business Intelligence for Non-profits
Mark Farmer - Google Analytics: Business Intelligence for Non-profitsMark Farmer - Google Analytics: Business Intelligence for Non-profits
Mark Farmer - Google Analytics: Business Intelligence for Non-profits
 
Disavow Process
Disavow Process Disavow Process
Disavow Process
 
Google cloud study jam 2018 #cloud studyjam
Google cloud study jam 2018 #cloud studyjamGoogle cloud study jam 2018 #cloud studyjam
Google cloud study jam 2018 #cloud studyjam
 
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics ReportsSucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
Sucuri Webinar: Defending Your Google Brand Reputation and Analytics Reports
 
How to Make the Most of Google Analytics on Your Evoq Site
How to Make the Most of Google Analytics on Your Evoq SiteHow to Make the Most of Google Analytics on Your Evoq Site
How to Make the Most of Google Analytics on Your Evoq Site
 
Tech4Africa Google Workshop 1
Tech4Africa Google Workshop 1Tech4Africa Google Workshop 1
Tech4Africa Google Workshop 1
 
Meeting of the Minds 2010
Meeting of the Minds 2010Meeting of the Minds 2010
Meeting of the Minds 2010
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 

Último (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 

HES 2012- Killing a Bug Bounty Program by Itzhak Zuk Avraham&Nir Goldshlager

  • 1. Hackito  Ergo  Sum   Killing  a  bounty  program   By  :  Itzhak  (Zuk)  Avraham;  Nir  Goldshlager;  
  • 2. #  whoami  |  presentation   Itzhak  Avraham  (Zuk)   Founder  &  CEO           Twitter:  @ihackbanme   Blog  :  http://imthezuk.blogspot.com     zuk @ zimperium.com   s(+ @ (+ (+     #  root  
  • 3. #  whoami  |  presentation   Nir  Goldshlager   Senior  Web  Applications  Researcher             Twitter:  @nirgoldshlager     Blog  :  http://nirgoldshlager.com     #  root  
  • 4.
  • 5. Reasons  for  bug  bounty   ü  Money   ü  Fame  
  • 6. Reasons  for  bug  bounty   ü  Money   ü  Fame   ü  Okay,  mostly  fame,  they  don’t  pay  much  :P  
  • 7. Bug  bounty  programs   ü  1995  –  Netscape   ü  2004  –  Firefox   ü  2005  –  ZDI   ü  2007  –  Pwn2own   ü  2010  –  Google   ü  2011  –  Facebook  
  • 9. Know  your  enemy   •  Nope.  Your  enemies  might  be  :   •  Masato  Kinugawa   •  Neal  Poole   •  Nils  Juenemann   •  Szymon  Gruszecki   •  Wladimir  Palant   •  …  
  • 10. Know  your  enemy   •  Nope.  Your  enemies  might  be  :   •  Masato  Kinugawa   •  Neal  Poole   •  Nils  Juenemann   •  Szymon  Gruszecki   •  Wladimir  Palant   •  …   •  ...   •  ???   •  TIME!  
  • 11. Learn  your  target  Overview   •  Spy  on  their  blogs   •  New  bugs  –  new  ideas  to  detect  different  vulnerabilities.   •  Learn  the  company   •  Unchecked  services   •  Successful  acquisitions   •  Untested/Less  secured  web  applications   •  Multi  vector   •  Unknown  vectors  /  logical  techniques   •  Repetitive  of  weak  spots  
  • 12. Google  Overview   •  Learn  the  company   •  Successful  acquisitions   http://en.wikipedia.org/wiki/ List_of_acquisitions_by_Google     •  New  services  –  Knol(???),    Friends  Connect   •  Subdomains     •  Learn  all  the  functions  of  the  application  you  are  going  to  test   •  Multi  vector   •  Unknown  vectors  /  logical  techniques   •  Repetitive  of  weak  spots  
  • 13. Google  Overview   •  Successful  acquisitions   http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google   •  More  than  1  acquisition  per  week  since  2010!    
  • 14. Google  Overview   •  Approach   •  Logical  /  mixed  issues  
  • 15. XSS  for  fun  and  …  profit?   •  XSS  is  not  just  for  account  hijacking   •  Trusted  website,  runs  malicious  javascript…   •  Client  Side  Exploit  anyone?  
  • 16. Google  Overview   •  Convention   •  Calender   •  Google.com/calender   •  Friends  Connect   •  google.com/friendconnect   •  Knol   •  Google.com/knol   •  Analytics   •  Google.com/analytics   •  Blogger   •  Google.com/blogger  
  • 17. Google  Support  Overview   •  Convention   •  Knol   •  Google.com/knol   •  No   •  Friends  Connect   •  Support.google.com/friendconnect   •  Calendar   •  Support.google.com/calendar   •  Analytics   •  Support.google.com/analytics   •  Blogger   •  Support.google.com/blogger   •  Admob   •  Support.google.com/admob  
  • 19. Stored  XSS  (Error  based)   •  Calendar  name  field  is  vulnerable  
  • 20. Google  Calendar  Error  based   •  On  delete  of  the  calendar,  XSS  popped  out.   •  We  need  to  find  a  way  to  trigger  it  for  REMOTE   users.    
  • 21. Google  Calendar  Error  based   •  How  can  one  see  our  calendar  name?  
  • 22. Google  Calendar  Error  based   •  Let’s  share  our  malicious  calendar  with  the  target  (!!)   •  Approve  is  not  needed  for  sharing  calendars   •  Ohh  hello.  
  • 23. Google  Calendar  Error  based   •  Let’s  share  our  malicious  calendar  with  the  target  (!!)   •  Approve  is  not  needed  for  sharing  calendars  
  • 24. Google  Calendar  Error  based   •  user  must  delete  his  calendar.  
  • 25. Google  Calendar  Error  based   •  user  must  delete  his  calendar.   •  Let’s  FORCE  our  target  to  DELETE!  
  • 26. Google  Calendar  Error  based   •  Calendar  SPAM  !!!  
  • 27. Google  Calendar  Error  based   •  Let’s  share  again  
  • 28. Google  Calendar  Error  based   •  And  again  
  • 29. Google  Calendar  Error  based   •  And  again  …  
  • 30. Google  Calendar  Error  based   •  No  sharing  limit   •  User  gets  email  for  each  share  
  • 31. Google  Calendar  Error  based   •  User  gets  email  for  each  share  
  • 32. Google  Calendar  Error  based   •  After  Calendar  delete  :       •  Achievement  Unlocked.  
  • 33. Google  Calendar  Error  based   •  After  Calendar  delete  :       •  Achievement  Unlocked.  
  • 35. Google  Feedburner  Unsubscribe   XSS   §  1.Victim  perform    subscribe  to  malicious  feedburner   ú  Well  it  doesn’t  have  to  be  malicious      Feed  title  is  vulnerable  
  • 36. Google  Feedburner  Unsubscribe   XSS   §  Feed  title  is  vulnerable  
  • 37. Google  Feedburner  Unsubscribe   XSS   §  When  the  victim  will  decide  to  unsubscribe  the   malicious  feedburner  a  stored  xss  will  be  run  on  his   client.  
  • 38. Google  Feedburner  Unsubscribe   XSS   §  2  Methods  to  exploit  this  scenario:   1.  Send  a  malicious  unsubscribe  link  (no   permission  needed)  
  • 39. Google  Feedburner  Unsubscribe   XSS   §  2  Methods  to  exploit  this  scenario:   1.  Send  a  malicious  unsubscribe  link  (no   permission  needed)   2.  Victim  subscribe,  unsubscribe  the  malicious   feedburner.
  • 40. Google  Feedburner  Unsubscribe   XSS   §  User  unsubscribe  –  achievement  unlocked
  • 41. Google  FriendConnect  Error  based   •  Meet  your  new  best  friend  :  
  • 42. Google  FriendConnect  Error  based   •  The  target  approved  our  request.    
  • 43. Google  FriendConnect  Error  based   •  The  target  approved  our  request.     •  Now,  let’s  force  him  to  delete  us,  not  before  we’re   going  to  change  our  name  to  :   •  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA  ….  “><XSS  Payload>  
  • 45. Google  FriendConnect  Error  based   •  After  User  delete  :       •  Achievement  Unlocked.  
  • 46. Google  Analytics  –  Stored  XSS  
  • 47. Google  Analytics   •  In-­‐page  analytics  doesn’t  escape  incoming  requests:   •  Meaning,  an  attacker  can  send  XSS  to  the  administrator   by  sending  a  URL  
  • 48. Google  Analytics   •  In-­‐page  analytics  doesn’t  escape  incoming  requests:   •  Meaning,  an  attacker  can  send  XSS  to  the  administrator   by  sending  a  URL  
  • 50. Google  Analytics   •  Let’s  exploit  this  vulnerability  in  2  creative  ways:   •  In-­‐Page  Analytics  –  When  the  administrator  logins  boom.   •  Sharing  –  Infect  ourselves  and  do  share  our  Analytics  with   the  victim  (the  link  would  be  directly  to  in-­‐page  analytics)  
  • 51. Google  Analytics   •  Let’s  wait  for  our  administrator  to  login   •  Achievement  unlocked,  we  can  run  JS  on  any  web   administrator  using  Analytics  
  • 53. Google  Analytics   •  Second  method  :  Sharing  with  the  victim  our   analytics   •  We  will  add  the  victim  with  read-­‐only  permission   and  will  submit  the  link  for  google.com/analytics   account  with  our  ID  
  • 55. Google  Analytics   §  Achievement  unlocked  
  • 56. Permission  bypass  –  Google  Knol  
  • 57. Permission  bypass   Unpublished  document  
  • 58. Permission  bypass   •  This  document  isn’t  accessible  via  URL  
  • 59. Permission  bypass   •  We  don’t  have  permission  to  view  the  document   •  Knol  Translate  does,  let’s  use  the  service  to   show  us  what  we  want  and  cannot  access  
  • 61. Permission  bypass   •  Private  document  accessed  using  translate  service.   •  Achievement  unlocked  
  • 63. Summary   §  Think  different   §  Information  gathering   §  Mixed  services   §  Permissions  
  • 64. Reference   ●  http://www.nirgoldshlager.com/2011/03/blogger-­‐get-­‐administrator-­‐privilege-­‐on.html  -­‐   Blogger  admin  privileges  bypass     ●  http://www.google.com/about/company/rewardprogram.html  -­‐  Google  Reward   program   ●  http://www.google.com/about/company/halloffame.html  -­‐  Google  Hall  of  Fame   ●  http://www.slideshare.net/michael_coates/bug-­‐bounty-­‐programs-­‐for-­‐the-­‐web  -­‐   Michael  Coates  -­‐  Bug  Bounty  Program  –  OWASP  2011  
  • 65. Thank  you!             Itzhak  “Zuk”  Avraham  -­‐  @ihackbanme   Nir  Goldshlager  -­‐  @nirgoldshlager