This document summarizes the career of a bug bounty hunter named Masato Kinugawa. It discusses Kinugawa's work finding security vulnerabilities, the bug bounty programs he participates in, and some of the notable bugs he has discovered. Specific examples include vulnerabilities in how different browsers handle character encodings, code that trusts the location.href property, and ways to bypass restrictions on executing scripts in RSS feeds. The document emphasizes that a large portion of Kinugawa's reported bugs are in Internet Explorer and can be difficult to fix because a fix for one IE version does not necessarily reach the others.
15. ! Quick response since the program was launched.
! Consider NOT ONLY the seriousness, but also the level of "interesting" of the bug.
! Require only a simple explanation to have them understand the problem.
! Provide fun to the reporters.
17. ! The Most Important Domain of Google
! Bounty was $5,000 (exceeds the regulated maximum amount at that time)
18. https://accounts.google.com/example?oe=utf-32

HTTP/1.1 200 OK
Alternate-Protocol: 443:quic,p=0.01
Cache-Control: private, max-age=0
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-32
...

! Character code (charset) can be set by URL
! UTF-32 was able to be set
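The slide above shows the output encoding being chosen by the oe query parameter and UTF-32 being accepted. The following is an added example, not Google's code, showing the weak shape (the parameter is copied into Content-Type) next to the hardened shape (a short allowlist of charset labels, normalized the way the Encoding Standard normalizes them). The parameter name oe, the allowlist contents and the sample query strings are assumptions made for the example.

```javascript
// Added example, not Google's code. Parameter name "oe", the allowlist and
// the sample query strings are assumptions for illustration.

// Weak: whatever the client sends is copied into Content-Type, so
// ?oe=utf-32 switches the encoding the browser decodes the page with.
function contentTypeReflected(query) {
  const oe = new URLSearchParams(query).get('oe');
  return `text/html; charset=${oe === null ? 'UTF-8' : oe}`;
}

// Hardened: only labels on a short allowlist are honoured; anything else,
// including utf-32 and unusual spellings, falls back to the default.
const ALLOWED_CHARSETS = new Map([
  ['utf-8', 'UTF-8'],
  ['utf8', 'UTF-8'],
  ['shift_jis', 'Shift_JIS'],
  ['euc-jp', 'EUC-JP'],
]);
const DEFAULT_CHARSET = 'UTF-8';

// The Encoding Standard matches labels after trimming ASCII whitespace and
// lower-casing, so " Shift_JIS " and "shift_jis" must resolve alike here too.
function normalizeLabel(label) {
  return String(label).replace(/^[\t\n\f\r ]+|[\t\n\f\r ]+$/g, '').toLowerCase();
}

// Returns the charset to emit and, when the request asked for something
// off the allowlist, the rejected label (useful for logging the attempt).
function chooseCharset(query) {
  const oe = new URLSearchParams(query).get('oe');
  if (oe === null) return { charset: DEFAULT_CHARSET, rejected: null };
  const canonical = ALLOWED_CHARSETS.get(normalizeLabel(oe));
  return canonical === undefined
    ? { charset: DEFAULT_CHARSET, rejected: oe }
    : { charset: canonical, rejected: null };
}

function contentTypeAllowlisted(query) {
  return `text/html; charset=${chooseCharset(query).charset}`;
}

// Check: does the platform's own decoder know this label at all?
// TextDecoder implements the Encoding Standard label table, which has no
// UTF-32 entry, so construction throws for 'utf-32' but not for 'utf-16le'.
function decoderKnowsLabel(label) {
  try {
    new TextDecoder(label);
    return true;
  } catch (e) {
    return false;
  }
}
```

The allowlist is deliberately tiny: a service that only ever emits UTF-8 should not need a charset parameter at all, and each extra label is another decoder whose quirks the output escaping has to be correct under. decoderKnowsLabel is a diagnostic, not a filter; a label being unknown to a modern decoder says nothing about the browsers a given user base still runs, which is why rejection is by allowlist rather than by "does this look dangerous".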
27. ! 28.7% of the total number of bugs I reported
! 87% of them are with IE
28. ! Take longer to fix
! Even if it is fixed, it is NOT likely to be applied to the other IE versions.
Something is required at the web service level
Therefore
29. location.href is a property that gives the URL of the page in JavaScript
Page: http://example.com/
location.href → "http://example.com/"
31. All code that includes location.href pointing to its own domain is potentially vulnerable
Added characters before "@", then checked whether any web page sent a request to an external site
Therefore
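The check described on slide 31, as an added example that is not Masato Kinugawa's code: code that pulls its own host out of location.href with a hostname-shaped regex never expected the userinfo part (user:pass@) that the URL syntax allows there, so a page URL with an attacker-chosen string before "@" can make that code build a request to another host. The example assumes that location.href still carries the userinfo part, as the slides describe for IE; the regex, the canary host evil.example and the sample URLs are constructed for the example.

```javascript
// Added example, not Masato Kinugawa's code. The regex, the canary host and
// the sample URLs are constructed here; nothing on the slides gives them.

// Naive, still common: take the text after "://" up to the first character
// that is not legal in a hostname as the host. Userinfo sits exactly there.
function naiveHost(href) {
  const m = /^https?:\/\/([a-z0-9.-]+)/i.exec(href);
  return m ? m[1] : null;
}

// Naive consumer: builds an API URL from the "host" it just extracted.
function naiveApiUrl(href) {
  return 'https://' + naiveHost(href) + '/api/data';
}

// Hardened: let the URL parser do the parsing. new URL() puts userinfo into
// .username/.password, not .hostname, so .hostname is what was connected to.
function strictHost(href) {
  return new URL(href).hostname;
}

function strictApiUrl(href) {
  return new URL('/api/data', new URL(href).origin).href;
}

// The check from slide 31: rewrite the page URL so that an attacker-chosen
// host-looking string sits before "@", keeping the real host after it.
function craftProbeUrl(pageUrl, canary) {
  const u = new URL(pageUrl);
  return `${u.protocol}//${canary}@${u.host}${u.pathname}${u.search}`;
}

// Run the page's URL-building code on the probe URL and report whether the
// request it would make leaves the page's real host.
function leaksToExternalHost(pageUrl, buildRequestUrl, canary) {
  const probe = craftProbeUrl(pageUrl, canary);
  const requestHost = new URL(buildRequestUrl(probe)).hostname;
  return requestHost !== new URL(pageUrl).hostname;
}
```

In a browser the same check is done by loading http://evil.example@example.com/app/ and watching the network panel for requests to evil.example; with location.hostname or location.origin in place of string surgery on location.href, nothing before the "@" reaches the request.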
33. ! Found a fatal bug at the same time
! Exists in feed:// URLs, which represent RSS
! Can extract an unrelated feed into any domain by customizing the part of the URL before "@"
! Put scripts in the unrelated feed, and XSS works on the domain it was extracted into
We can enforce XSS on any web site
\(^o^)/ yeah☆
therefore
34. In feed:// URLs, characters that can run scripts are restricted (= blacklist).
It is easy; just pass through the blacklist!
Things to do
39. ! Web applications are in jeopardy because of character codes, browser behaviors / bugs, and so on...
! Finding out mysteriously complicated bugs is the ultimate delight.
You want to see more?
http://masatokinugawa.l0.cm/
41. ! Grew up in touch with computers.
! Love to disassemble anything.
! Debut as an XSS "attacker" in the 6th grade.
42. ! Grew up in touch with computers.
➡ I got to know what binary is in 2009
! Love to disassemble anything
➡ Don't love to do it (not so much)
! Debut as an XSS "attacker" in the 6th grade
➡ I got interested in security in 2009
43. Decided to do what I want, in my way
~2009 A lot happened
2010 Left computer vocational school
44. What I want to do: seeking vulnerabilities
Found so many!
Soon after, Google launched a bug bounty program
Spent all waking hours finding vulnerabilities.
46. Wish for the future...
! Extension of what I want to do
! Found myself as a bug hunter one day
Bug hunting house-husband?
➡ Need to gain girl hunting skills as well ☺
47. ! Must spend most of the time repeating unsophisticated verification tests
! No income unless I find something
! The feeling of accomplishment is great, as what I achieved directly becomes money
! Nothing in the world feels as delightful as treasure hunting.
! Abnormal behaviors are much fun to see
However...
48. The finding skill is all you need
➡ Can concentrate on improving that skill
Can do it by yourself
➡ Almost no human relationship issues
Can do it at your home
➡ No commuting time
Can work at your own pace
➡ Can do it when you want
49. "Listening to music" as a hobby
"Bug hunting" as a hobby (same as above)
"Hobby"
Do anything you want! Then, you may find your own way.
For those who are trying to find your way...