This document summarizes the career of a bug bounty hunter named Masato Kinugawa. It discusses Kinugawa's work finding security vulnerabilities, the bug bounty programs he participates in, and some of the notable bugs he has discovered. Specific examples discussed include vulnerabilities in how different browsers handle character encodings, vulnerabilities in the location.href method, and ways to bypass restrictions on executing scripts in RSS feeds. The document emphasizes that a large portion of Kinugawa's reported bugs are in Internet Explorer and can be difficult to fix due to differences between IE versions.

1. BBuugg--hhuunntteerr’’ss
JJooyy
Masato
Kinugawa

2. Name Masato Kinugawa
Nationality Japanese(maybe)
Hobby Listening Music and XSS
Profession BBuugg--hhuunntteerr

3. FFiirrsstt
BBuugg--HHuunntteerr’’ss LLiiffee aanndd
BBoouunnttyy PPrrooggrraamm
SSeeccoonndd DDeelliigghhttffuull BBuuggss
TThhiirrdd
TThhee rreeaassoonnss wwhhyy II
bbeeccaammee BBuugg--hhuunntteerr

4. BBuugg--hhuunntteerr’’ss LLiiffee aanndd
BBoouunnttyy PPrrooggrraamm

5. Workplace Home
Working
Hours
Any time I want
Work Finding Security Bugs
Income BBuugg BBoouunnttyy
➡Does it make enough money to live?

7. 2277113355334466 ((JJPPYY))
$$114422772233
(($$11 == 112200 JJPPYY))

8. 2277113355334466 ((JJPPYY))
$$114422772233
(($$11 == 112200 JJPPYY))
((iinn OOccttaall ddiiggiittss))

9. ! GGooooggllee launched in 2010
! Followed by MMaannyy CCoommppaanniieess

10. ! GGooooggllee VVulnerability RReward PProgram
! 1 bug = $100~20,000
$$113300,,880033..77
TToottaall BBoouunnttiieess
NNuummbbeerr ooff bbuuggss rreeppoorrtteedd
112277((119911 including duplicated and/or not rewarded ones)

12. EEvveenn mmoorree mmoottiivvaatteedd bbyy tthhee
iinnccrreeaasseedd bboouunnttyy rraatteess!!$

13. II aamm aaccttuuaallllyy nniigghhtt oowwll……

15. ! QQuuiicckk RReeppoossee since the program is
launched.
! CCoonnssiiddeerr NOT ONLY seriousness, but also
tthhee lleevveell ooff ““iinntteerreessttiinngg””,, ooff tthhee bbuugg..
! Require only ssiimmppllee eexxppllaannaattiioonn ttoo hhaavvee
tthheemm uunnddeerrssttaanndd tthhee pprroobblleemm..
! PPrroovviiddee ffuunn to the reporters.

17. ! TThhee MMoosstt IImmppoorrttaanntt DDoommaaiinn ooff GGooooggllee
! Bounty was $$55,,000000 (Exceeds the regulated maximum
amount at that time)

18. https://accounts.google.com/example?oe=utf-‐‑‒32
HTTP/1.1
200
OK
Alternate-‐‑‒Protocol:
443:quic,p=0.01
Cache-‐‑‒Control:
private,
max-‐‑‒age=0
Content-‐‑‒Encoding:
gzip
Content-‐‑‒Type:
text/html;
charset=UTF-‐‑‒32
...
! Character Code can be set by URL
! UUTTFF--3322 was able to be set

19. ∀㸀㸀㰀㰀script㸀㸀alert(1)㰀㰀/script㸀㸀�

20. ➊➊ AArrrraayy ooff tthhee BByytteess
❷❷
CChhaarraacctteerr CCooddee ooff tthhee
PPaaggee
❸❸ HHaannddlliinngg 00xx0000 CChhaarraacctteerrss

21. 00
00
22
00
00
00
3E
00
00
00
3C
00
00
00
00
73
00
00
00
63
00
00
00
72
00
00
00
69
00
00
00
70
00
00
00
74
00
00
3E
00
00
00
00
61
00
00
00
6C
00
00
00
65
00
00
00
72
00
00
00
74
00
00
00
28
00
00
00
31
00
00
00
29
00
00
3C
00
00
00
00
2F
00
00
00
73
00
00
00
63
00
00
00
72
00
00
00
69
00
00
00
70
00
00
00
74
00
00
3E
00
∀㸀㸀㰀㰀�
s c r�
i p t�
㸀㸀a l�
e r t�
( 1 )�
㰀㰀/ s�
c r i�
p t 㸀㸀�
In UTF-32, 1 character requires 4 bytes
➊�

22. IE
does
not
support
UTF-‐‑‒32
➡Character
Code
shall
be
“recognized”
to
be
something
00
00
22
00
00
00
3E
00
00
00
3C
00
00
00
00
73
00
00
00
63
00
00
00
72
00
00
00
69
00
00
00
70
00
00
00
74
00
00
3E
00
00
00
00
61
00
00
00
6C
00
00
00
65
00
00
00
72
00
00
00
74
00
00
00
28
00
00
00
31
00
00
00
29
00
00
3C
00
00
00
00
2F
00
00
00
73
00
00
00
63
00
00
00
72
00
00
00
69
00
00
00
70
00
00
00
74
00
00
3E
00
∀㸀㸀㰀㰀�
s c r�
i p t�
㸀㸀a l�
e r t�
( 1 )�
㰀㰀/ s�
c r i�
p t 㸀㸀�
❷

23. This “super great” web site provides the support
status of character codes, of all web browser
http://l0.cm/encodings/table/

24. IE(<=9) ignores the characters
➡the “00” are uunnddeerrssttoooodd aass nnootthhiinngg..
00
00
22
00
00
00
3E
00
00
00
3C
00
00
00
00
73
00
00
00
63
00
00
00
72
00
00
00
69
00
00
00
70
00
00
00
74
00
00
3E
00
00
00
00
61
00
00
00
6C
00
00
00
65
00
00
00
72
00
00
00
74
00
00
00
28
00
00
00
31
00
00
00
29
00
00
3C
00
00
00
00
2F
00
00
00
73
00
00
00
63
00
00
00
72
00
00
00
69
00
00
00
70
00
00
00
74
00
00
3E
00
� > ��
s c r�
i p t�
> a l�
e r t�
( 1 )�
� / s�
c r i�
p t >�
❸

25. Message from the web page

26. Seek browser and plug-in bugs also
������1�������
������1�������
������1�������
������1�������
������1�������
������1����1��
������1��1����
������11������
������1�������
������1�������
������1��1����
������1����1��
������1���1���
������1�������������11������
������11������
������1����1��
������1�����1�
������1�������
������1�������
������1����1��
������1�������
������1�������
������1�������
������1�������
������1�������

27. ! 2288..77%% of total number of bugs I reported
! TThhee 8877%% ooff tthheemm aarree wwiitthh IIEE

28. ! Take longer to fix
! Even if it is fixed, it is NOT likely to applied to
the different IE version.
Something is required at the Web
service level
Therefore

29. location.href is aa mmeetthhoodd ttoo ggeett tthhee UURRLL ooff
tthhee ppaaggee by JavaScript
http://example.com/
http://example.com/
location.href

30. http://evil%2F@eexxaammppllee..ccoomm/
location.href is
http://eevviill/@example.com/
The URL part before @ is aauuttoommaattiiccaallllyy ddeeccooddeedd!!
➡IItt ggeenneerraatteess UURRLL ppooiinnttss ttoo eexxtteerrnnaall WWeebb ssiittee

31. AAllll ccooddeess iinncclluuddee llooccaattiioonn..hhrreeff ppooiinnttiinngg ttoo
sseellff--ddoommaaiinn aarree ppootteennttiiaallllyy vvuullnneerraabbllee
Added characters before “@”, then checked
any web pages if it send request to the
external sites
Therefore

32. http://evil%2F@www.youtube.com/

33. ! Found ffaattaall bbuugg, at same time
! Exist in feed:// URL that represents RSS
! Can extract unrelated feed to any domain
by ccuussttoommiizziinngg the part of URL before @.
! Put the scripts in the unrelated feeds,
XSS works on the extracted domain
WWee ccaann eennffoorrccee XXSSSS oonn aannyy wweebb ssiitteess
＼＼((^^oo^^))// yyeeaahh☆☆
therefore

34. In feed:// URL, characters which can run
scripts are restricted.
(=Blacklist)
It is easy; jjuusstt ppaassssiinngg tthhrroouugghh tthhee
bbllaacckklliisstt!
Things to do

35. <a href="javascript:alert(1)">XSS</a>
<a>XSS</a>
FFiinndd oouutt tthhee cchhaarraacctteerrss wwhhiicchh ccaann ppaassss tthhrroouugghh
bbaasseedd oonn tthhee cchhaarraacctteerr rreemmoovvaall ppaatttteerrnn
BBeeeeppiinngg!!

36. <svg>
<a xmlns:xlink="http://www.w3.org/1999/xlink"
xxlliinnkk::hhrreeff==""jjaavvaassccrriipptt::aalleerrtt((11))"">
<rect width="1000" height="1000" />
</a>
</svg> SSiilleennccee……

37. feed://l0.cm%2Fcb.rss%3F@codeblue.jp/

38. feed://l0.cm%2Fcb.rss%3F@codeblue.jp/
alert('CODE
BLUE、2回⽬目開催おめでとう！n'+
document.domain+'から')
(Congratulation
for
the
2nd
Code
Blue)

39. ! Web applications are in jeopardies caused by
character codes, browser behaviors / bugs, and so
on…
! Finding out mysteriously complicated bugs is
tthhee uullttiimmaattee ddeelliigghhtt..
You want to see more?
http://masatokinugawa.l0.cm/

41. ! Grow up in touch of computers.
! Love to disassemble anything
! Debut as XSS “attacker” in the 6th grade

42. ! Grow up with in touch of computers.
➡
I
got
to
knew
what
is
binary
in
2009
! Love to disassemble anything
➡
Donʼ’t
love
to
do
(so
lot)
! Debut as XSS “attacker” in the 6th grade
➡
I
got
interested
in
security
in
2009

43. Decided to ddoo wwhhaatt II wwaanntt,, iinn mmyy wwaayy
���������������������
～2009 A lot happened
2010 Left computer vocational school

44. What I want to do: Seeking vulnerabilities
FFoouunndd ssoo lloott!!
Soon after, GGooooggllee llaauunncchheedd bug bounty program
Spent all waking hours
to find vulnerabilities.

46. Bug
hunting
house-‐‑‒husband?
➡
Need
to
gain
girl
hunt
skill
also
☺
! Extension
of
what
I
want
to
do
! Found
my
self
as
bug̶—hunter,
one
day
WWiisshh ffoorr ffuuttuurree……

47. ! Must spent most of the time to repeating
unsophisticated verification test
! No income unless find anything
! FFeeeelliinngg aaccccoommpplliisshhmmeenntt iiss ggrreeaatt, as what I
achieved, directly become money
! NNootthhiinngg iinn tthhee wwoorrlldd ttoo ffeeeell ddeelliigghhtt like
treasure hunting.
! Abnormal behaviors are mmuucchh ffuunn ttoo sseeee
However…

48. TThhee ffiinnddiinngg sskkiillll iiss aallll wwhhaatt yyoouu nneeeedd
Can concentrate on to improving skill
CCaann ddoo bbyy yyoouurrsseellff
Almost no human relationship issue
CCaann ddoo aatt yyoouurr hhoommee
No commuting time
CCaann wwoorrkk aatt oowwnn ppaaccee
Can do when you want

49. “Listen music” as a hobby
“Bug-hunt” as a hobby (same as above)
““HHoobbbbyy””
Do anything you want! Then, you may
find your own way.
FFoorr tthhoossee wwhhoo aarree ttrryyiinngg ttoo ffiinndd yyoouurr wwaayy......

50. UUnnddeerrssttoooodd??!!

51. Thank
You!
@kinugawamasato
✉
masatokinugawa
[at]
gmail.com
Contact