O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
Bug-hunter's
Sorrow
Masato Kinugawa
Introduction
Masato Kinugawa
Lonely bug hunter
Only XSS is my friend.
Daily job
Office Home
Duty Up to my motivation
Job Looking for security bugs
Income Bug Bounty
➡Is it enough for living?
Last year Income
Last year Income
41050707 Yen
💰
Last year Income
41050707 Yen
(Octal notation)
💰
Good story is
that all!
Topics
1st
half
Story of blocked
internet
2nd
half
Sorrow of bug
Story of blocked
internet
Summary
Looking for XSS on Benesse
My home internet was blocked
twists and turns
➡Why did I look for XSS on Benesse?
In summer 2013
I found a possibility of DOM based
XSS using U+2028/2029
http://masatokinugawa.l0.cm/2013/09/u2028
u2029.do...
How to test
❶ Added U+2028 and text that
may cause DOM based XSS after #
in URL.
❷ Check the strange error happens
http://...
then
I found ordinary DOM based XSS on
Benesse site.
https://web.archive.org/web/20130723155109/http://manabi.benes
se.ne....
after that
2013/08/05 Report
2013/08/06 Response
"Thank you very much for your bug report of
"Benesse Manabision". we will...
After this response
I feel their appreciation to the bug
report and their attitude to fix it.
Let's find more and report t...
found
Easy to find regular Reflected XSS.
We received the 3 of new XSS vulnerability from you.
Thank you very much. At thi...
Same time
Suddenly I became not to access to
manabi.benesse.ne.jp
I can access to it after changing IP.
Investigate furthe...
There will be such a thing
(with bug report)I added a comment:
".. maybe blocked due to my testing
requests... Best regard...
continue to report
Reported many time that the fix is
incomplete.
Access denied at every confirmation
testing...
Repeat te...
And
2013/9/7 Evening, Incident happened!
What happened?!
At first I thought it was a trouble or a
failure of equipment
but it was not
I found a warning email
from ...
Suspicious Access
I can just make sense of it.
Checked vulnerability before and
after warning mail.
reported: Google, exci...
Contortion
Thank you very much for your point-out. We will
check your email received on 6th and 7th Sep.
We will proceed w...
Letter from @nifty
with a Pledge letter "Do not attack"
Wait wait, it's misunderstanding…
Call to Benesse/@nifty
Both "We can not answer for
a security reason!"
Me "I'm in trouble, my home internet was
stopped. I...
It is no use!!
Got a WiMAX mobile wifi router as I can’t do a
stroke of work
Using tethering, I wrote a blog as a last hop...
The Tokumaru !
Received DM
I read your blog. I am contacting to
Benesse about it. Could you let me
know your E-mail address?
Oh God!
afterwards
Benesse entrusted the operation
of intrusion detection system to a
security company who block the
network and/o...
afterwards
In the flow, it seems
detected by IPS(Intrusion
Prevention System)
➡ Monitoring by security company
➡ contact t...
afterwards
After some exchanges, I was told
Benesse can contact to ISP.
If you send them your IP address
at the reporting ...
Yes
Daily, I tested browser behavior in my
domain (vulnerabledoma.in),
I have my IP access logs on a daily
basis!
28th Aug...
After reporting IP
I heard they did "withdrawal of the
unauthorized access information"
and "request for block release" to...
Finally
Tears of
gratitude
13th Sep. evening(About 1
week from being blocked),
Internet is back!
Re-Acknowledgment
It would be difficult for me to explain
the situation to companies without Mr.
Tokumaru's cooperation.
T...
God Tokumaru's books
are on sale!
http://www.amazon.co.jp/dp/
4822279987/
http://www.amazon.co.jp/dp/
4797361190/
Buy now!!
I felt through the problem
I wonder inside of big
company is complicated...
I felt through the problem
I can imagine that
...
Not others problem
I send you a link that make you
XSS-like request to Benesse site.
http://manabi.beness・・・/?<script>aler...
Mistake of IDS company
They do not scrutinize attack or not
They do not understand property of attack
I want to question t...
Threat of XSS
Execute arbitrary script/manipulation
Confidential information leak
The phishing by page contents change
Threat of XSS
Execute arbitrary script/manipulation
Confidential information leak
The phishing by page contents change
...
Lessons learned: The world
Things that should not be poked
Recently blocked again!
Non-payment of
charge
(not completed payment transaction by
misunderstanding)
World is
harsh ...
Sorrow of bug
After Internet resume
If telling IP address in advance,
Benesse allows my testing.
Reported nearly 100 vulns
(All were fix...
DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.
benesse.co.jp/s/land/pass/
jQuery("#nav-pw li a, a....
DOM based XSS ❶
To run the event at the time of
clicking a special link
jQuery("#nav-pw li a, a.tab-link")
.bind("click to...
Specific link
<div id="nav-pw">
<ul>
<li id="nav-first"><a href="#first-login"><img
src="img/nav_pw_01.png" width="260" he...
Based on this
jQuery("#nav-pw li a, a.tab-link")
.bind("click touchstart", function(event){
setTimeout(function(){
hash = ...
Based on this
jQuery("#nav-pw li a, a.tab-link")
.bind("click touchstart", function(event){
setTimeout(function(){
hash = ...
Current source
hash = location.hash;
// 2013.10.4 fix XSS
if(hash == "#first-login"||
hash == "#passmodif" ||
hash == "#pa...
DOM based XSS ❷
<script type="text/javascript">
$(document).ready(function(){
result = "./answer/answer_" +
$.query.get('r...
DOM based XSS ❷
The path is limited within the same domain, safe?
<script type="text/javascript">
$(document).ready(functi...
No!
Uploadable user avatar image
host in the same domain.
If you write <script>.... in the image
comment area, it will upl...
In this way
/vulnpage?result=/../../../../uploads/profile/icon.jpg%23
$(document).ready(function(){
result = "./answer/ans...
DEMO
http://vulnerabledoma.in/avtokyo2015/
Conclusion
I will continue finding bugs by trying
not to bother anyone.
Thank you very much (Yoroshiku!)
@kinugawamasato
masatokinugawa
[at]gmail.com
Thanks!
💰💰💰
Próximos SlideShares
Carregando em…5
×

Bug-hunter's Sorrow

6.484 visualizações

Publicada em

AVTOKYO2015

Publicada em: Tecnologia
  • Seja o primeiro a comentar

Bug-hunter's Sorrow

  1. 1. Bug-hunter's Sorrow Masato Kinugawa
  2. 2. Introduction Masato Kinugawa Lonely bug hunter Only XSS is my friend.
  3. 3. Daily job Office Home Duty Up to my motivation Job Looking for security bugs Income Bug Bounty ➡Is it enough for living?
  4. 4. Last year Income
  5. 5. Last year Income 41050707 Yen 💰
  6. 6. Last year Income 41050707 Yen (Octal notation) 💰
  7. 7. Good story is that all!
  8. 8. Topics 1st half Story of blocked internet 2nd half Sorrow of bug
  9. 9. Story of blocked internet
  10. 10. Summary Looking for XSS on Benesse My home internet was blocked twists and turns ➡Why did I look for XSS on Benesse?
  11. 11. In summer 2013 I found a possibility of DOM based XSS using U+2028/2029 http://masatokinugawa.l0.cm/2013/09/u2028 u2029.domxss.html Used to be a problem in easy regex Details on my Blog:U+2028/2029とDOM based XSS Looking for the impact I think many people have same situation
  12. 12. How to test ❶ Added U+2028 and text that may cause DOM based XSS after # in URL. ❷ Check the strange error happens http://host/#[U+2028]'"><svg/onload=alert(1)>
  13. 13. then I found ordinary DOM based XSS on Benesse site. https://web.archive.org/web/20130723155109/http://manabi.benes se.ne.jp/#"><svg/onload=alert(1)> function writeAccesskeyForm(){ var htm = ''; var ownURI = location.href; //... htm+= '<input type="hidden" name="backurl" value="' + ownURI + '">'; //... document.write(htm); } writeAccesskeyForm();
  14. 14. after that 2013/08/05 Report 2013/08/06 Response "Thank you very much for your bug report of "Benesse Manabision". we will check the fact as soon as possible and proceed the correspondence. Thank you so much again for your cooperation." 2013/end of Aug. confirmed the fix.
  15. 15. After this response I feel their appreciation to the bug report and their attitude to fix it. Let's find more and report to them! It is a start of XSS-Nightmare…
  16. 16. found Easy to find regular Reflected XSS. We received the 3 of new XSS vulnerability from you. Thank you very much. At this time, we will check the facts, and we will proceed the intensive measures. Following the last time, we would very much appreciate your valuable pointed-out. We would like thank you over and over again. 2013/08/28 Report 2013/08/30 Response
  17. 17. Same time Suddenly I became not to access to manabi.benesse.ne.jp I can access to it after changing IP. Investigate further ➡Access denied because of my testing requests?
  18. 18. There will be such a thing (with bug report)I added a comment: ".. maybe blocked due to my testing requests... Best regards" On a later date Thank you for pointing-out that our fix is uncompleted. After the investigation, we will proceed the correspondence. Thank you very much. ➡They are ignoring my comment... I think they understood what I mentioned.
  19. 19. continue to report Reported many time that the fix is incomplete. Access denied at every confirmation testing... Repeat testing by changing IP
  20. 20. And 2013/9/7 Evening, Incident happened!
  21. 21. What happened?! At first I thought it was a trouble or a failure of equipment but it was not I found a warning email from service provider Detect suspicious access from your network, check your PC if infected by virus or generating unauthorized access?
  22. 22. Suspicious Access I can just make sense of it. Checked vulnerability before and after warning mail. reported: Google, excite, Benesse (I mean, my daily activities (only access history) are all suspicious!!) ➡Never reported site of Benesse is access denied, I considered it is doubtful.
  23. 23. Contortion Thank you very much for your point-out. We will check your email received on 6th and 7th Sep. We will proceed with intensive measures. We would like thank you over and over again for your very valuable report. 9th Sep. In the reply thanks as usual:
  24. 24. Letter from @nifty with a Pledge letter "Do not attack" Wait wait, it's misunderstanding…
  25. 25. Call to Benesse/@nifty Both "We can not answer for a security reason!" Me "I'm in trouble, my home internet was stopped. I want to check the facts."
  26. 26. It is no use!! Got a WiMAX mobile wifi router as I can’t do a stroke of work Using tethering, I wrote a blog as a last hope I'm giving up... At that time the Messiah appears... http://masatokinugawa.l0.cm/2013/09/xss.benesse.html Disconnected from Internet maybe because of XSS
  27. 27. The Tokumaru !
  28. 28. Received DM I read your blog. I am contacting to Benesse about it. Could you let me know your E-mail address? Oh God!
  29. 29. afterwards Benesse entrusted the operation of intrusion detection system to a security company who block the network and/or contact ISP when detecting attacks. hmmm
  30. 30. afterwards In the flow, it seems detected by IPS(Intrusion Prevention System) ➡ Monitoring by security company ➡ contact to ISP ➡ blocked by ISP I see!
  31. 31. afterwards After some exchanges, I was told Benesse can contact to ISP. If you send them your IP address at the reporting time, they will match it. Sure. Do I have records?...
  32. 32. Yes Daily, I tested browser behavior in my domain (vulnerabledoma.in), I have my IP access logs on a daily basis! 28th Aug.: XX.X.XX.2 29th Aug.: XX.X.XX.25 30th Aug.: XX.X.XX.195 31st Aug.: XX.X.XX.14 01st Sep.: XX.X.XX.14 .... like this:
  33. 33. After reporting IP I heard they did "withdrawal of the unauthorized access information" and "request for block release" to ISP. It leaves a decision up to ISP now. Thank God...
  34. 34. Finally Tears of gratitude 13th Sep. evening(About 1 week from being blocked), Internet is back!
  35. 35. Re-Acknowledgment It would be difficult for me to explain the situation to companies without Mr. Tokumaru's cooperation. Thank you so much again!! ※ this is not "Mimirin"
  36. 36. God Tokumaru's books are on sale! http://www.amazon.co.jp/dp/ 4822279987/ http://www.amazon.co.jp/dp/ 4797361190/ Buy now!!
  37. 37. I felt through the problem I wonder inside of big company is complicated... I felt through the problem I can imagine that information leak occurs...
  38. 38. Not others problem I send you a link that make you XSS-like request to Benesse site. http://manabi.beness・・・/?<script>alert(1)</script> Site will become unavailable. In worst case, Internet block?! When you access ※ can not link because it's so dangerous
  39. 39. Mistake of IDS company They do not scrutinize attack or not They do not understand property of attack I want to question the effectiveness to block IP in order to address XSS. I can Yet understand if they stop all access. In this case, need the collation of log and reporting The cause is similar to remotely control PC incident? ➡To give a help to fix XSS's fundamental problem. I believe it is the only way to eradicate XSS.
  40. 40. Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change
  41. 41. Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change ◆Internet Block!!
  42. 42. Lessons learned: The world Things that should not be poked
  43. 43. Recently blocked again! Non-payment of charge (not completed payment transaction by misunderstanding)
  44. 44. World is harsh ...
  45. 45. Sorrow of bug
  46. 46. After Internet resume If telling IP address in advance, Benesse allows my testing. Reported nearly 100 vulns (All were fixed in the short period of time. This attitude is really great.) As a consequence ➡ explain 2 cases out of it!
  47. 47. DOM based XSS ❶ https://web.archive.org/web/20130904143057/http://www. benesse.co.jp/s/land/pass/ jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); });
  48. 48. DOM based XSS ❶ To run the event at the time of clicking a special link jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ ...
  49. 49. Specific link <div id="nav-pw"> <ul> <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt=" はじめてログインするかたへ"></a></li> <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt=" パスワードを変更(へんこう)したい"></a></li> <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt=" パスワードを忘(わす)れたので再発行(さいはっこう)したい ... jQuery("#nav-pw li a, a.tab-link") All links to #
  50. 50. Based on this jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); look it again carefully
  51. 51. Based on this jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); can change hash in 0.5 sec! look it again carefully
  52. 52. Current source hash = location.hash; // 2013.10.4 fix XSS if(hash == "#first-login"|| hash == "#passmodif" || hash == "#passlost") { }else { hash = ""; } if (hash != "" && jQuery(hash).length) { ... tabs.js from http://www.benesse.co.jp/s/land/pass/ !
  53. 53. DOM based XSS ❷ <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> Make a path from parameter 'result' → Extract page response from that URL.
  54. 54. DOM based XSS ❷ The path is limited within the same domain, safe? <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/ contents/oyashindan/answer.html?
  55. 55. No! Uploadable user avatar image host in the same domain. If you write <script>.... in the image comment area, it will upload directly.
  56. 56. In this way /vulnpage?result=/../../../../uploads/profile/icon.jpg%23 $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); ➡Export image binary in to page
  57. 57. DEMO http://vulnerabledoma.in/avtokyo2015/
  58. 58. Conclusion I will continue finding bugs by trying not to bother anyone. Thank you very much (Yoroshiku!)
  59. 59. @kinugawamasato masatokinugawa [at]gmail.com Thanks! 💰💰💰

×