SlideShare una empresa de Scribd logo

Bug-hunter's Sorrow

Masato Kinugawa
Masato Kinugawa

AVTOKYO2015

Tecnología
1 de 59
Descargar para leer sin conexión
Bug-hunter's Sorrow Masato Kinugawa
Introduction Masato Kinugawa Lonely bug hunter Only XSS is my friend.
Daily job Office Home Duty Up to my motivation Job Looking for security bugs Income Bug Bounty ➡Is it enough for living?
Last year Income
Last year Income 41050707 Yen 💰
Last year Income 41050707 Yen (Octal notation) 💰
Good story is that all!
Topics 1st half Story of blocked internet 2nd half Sorrow of bug
Story of blocked internet
Summary Looking for XSS on Benesse My home internet was blocked twists and turns ➡Why did I look for XSS on Benesse?
In summer 2013 I found a possibility of DOM based XSS using U+2028/2029 http://masatokinugawa.l0.cm/2013/09/u2028 u2029.domxss.html Used to be a problem in easy regex Details on my Blog:U+2028/2029とDOM based XSS Looking for the impact I think many people have same situation
How to test ❶ Added U+2028 and text that may cause DOM based XSS after # in URL. ❷ Check the strange error happens http://host/#[U+2028]'"><svg/onload=alert(1)>
then I found ordinary DOM based XSS on Benesse site. https://web.archive.org/web/20130723155109/http://manabi.benes se.ne.jp/#"><svg/onload=alert(1)> function writeAccesskeyForm(){ var htm = ''; var ownURI = location.href; //... htm+= '<input type="hidden" name="backurl" value="' + ownURI + '">'; //... document.write(htm); } writeAccesskeyForm();
after that 2013/08/05 Report 2013/08/06 Response "Thank you very much for your bug report of "Benesse Manabision". we will check the fact as soon as possible and proceed the correspondence. Thank you so much again for your cooperation." 2013/end of Aug. confirmed the fix.
After this response I feel their appreciation to the bug report and their attitude to fix it. Let's find more and report to them! It is a start of XSS-Nightmare…
found Easy to find regular Reflected XSS. We received the 3 of new XSS vulnerability from you. Thank you very much. At this time, we will check the facts, and we will proceed the intensive measures. Following the last time, we would very much appreciate your valuable pointed-out. We would like thank you over and over again. 2013/08/28 Report 2013/08/30 Response
Same time Suddenly I became not to access to manabi.benesse.ne.jp I can access to it after changing IP. Investigate further ➡Access denied because of my testing requests?
There will be such a thing (with bug report)I added a comment: ".. maybe blocked due to my testing requests... Best regards" On a later date Thank you for pointing-out that our fix is uncompleted. After the investigation, we will proceed the correspondence. Thank you very much. ➡They are ignoring my comment... I think they understood what I mentioned.
continue to report Reported many time that the fix is incomplete. Access denied at every confirmation testing... Repeat testing by changing IP
And 2013/9/7 Evening, Incident happened!
What happened?! At first I thought it was a trouble or a failure of equipment but it was not I found a warning email from service provider Detect suspicious access from your network, check your PC if infected by virus or generating unauthorized access?
Suspicious Access I can just make sense of it. Checked vulnerability before and after warning mail. reported: Google, excite, Benesse (I mean, my daily activities (only access history) are all suspicious!!) ➡Never reported site of Benesse is access denied, I considered it is doubtful.
Contortion Thank you very much for your point-out. We will check your email received on 6th and 7th Sep. We will proceed with intensive measures. We would like thank you over and over again for your very valuable report. 9th Sep. In the reply thanks as usual:
Letter from @nifty with a Pledge letter "Do not attack" Wait wait, it's misunderstanding…
Call to Benesse/@nifty Both "We can not answer for a security reason!" Me "I'm in trouble, my home internet was stopped. I want to check the facts."
It is no use!! Got a WiMAX mobile wifi router as I can’t do a stroke of work Using tethering, I wrote a blog as a last hope I'm giving up... At that time the Messiah appears... http://masatokinugawa.l0.cm/2013/09/xss.benesse.html Disconnected from Internet maybe because of XSS
The Tokumaru !
Received DM I read your blog. I am contacting to Benesse about it. Could you let me know your E-mail address? Oh God!
afterwards Benesse entrusted the operation of intrusion detection system to a security company who block the network and/or contact ISP when detecting attacks. hmmm
afterwards In the flow, it seems detected by IPS(Intrusion Prevention System) ➡ Monitoring by security company ➡ contact to ISP ➡ blocked by ISP I see!
afterwards After some exchanges, I was told Benesse can contact to ISP. If you send them your IP address at the reporting time, they will match it. Sure. Do I have records?...
Yes Daily, I tested browser behavior in my domain (vulnerabledoma.in), I have my IP access logs on a daily basis! 28th Aug.: XX.X.XX.2 29th Aug.: XX.X.XX.25 30th Aug.: XX.X.XX.195 31st Aug.: XX.X.XX.14 01st Sep.: XX.X.XX.14 .... like this:
After reporting IP I heard they did "withdrawal of the unauthorized access information" and "request for block release" to ISP. It leaves a decision up to ISP now. Thank God...
Finally Tears of gratitude 13th Sep. evening(About 1 week from being blocked), Internet is back!
Re-Acknowledgment It would be difficult for me to explain the situation to companies without Mr. Tokumaru's cooperation. Thank you so much again!! ※ this is not "Mimirin"
God Tokumaru's books are on sale! http://www.amazon.co.jp/dp/ 4822279987/ http://www.amazon.co.jp/dp/ 4797361190/ Buy now!!
I felt through the problem I wonder inside of big company is complicated... I felt through the problem I can imagine that information leak occurs...
Not others problem I send you a link that make you XSS-like request to Benesse site. http://manabi.beness・・・/?<script>alert(1)</script> Site will become unavailable. In worst case, Internet block?! When you access ※ can not link because it's so dangerous
Mistake of IDS company They do not scrutinize attack or not They do not understand property of attack I want to question the effectiveness to block IP in order to address XSS. I can Yet understand if they stop all access. In this case, need the collation of log and reporting The cause is similar to remotely control PC incident? ➡To give a help to fix XSS's fundamental problem. I believe it is the only way to eradicate XSS.
Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change
Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change ◆Internet Block!!
Lessons learned: The world Things that should not be poked
Recently blocked again! Non-payment of charge (not completed payment transaction by misunderstanding)
World is harsh ...
Sorrow of bug
After Internet resume If telling IP address in advance, Benesse allows my testing. Reported nearly 100 vulns (All were fixed in the short period of time. This attitude is really great.) As a consequence ➡ explain 2 cases out of it!
DOM based XSS ❶ https://web.archive.org/web/20130904143057/http://www. benesse.co.jp/s/land/pass/ jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); });
DOM based XSS ❶ To run the event at the time of clicking a special link jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ ...
Specific link <div id="nav-pw"> <ul> <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt=" はじめてログインするかたへ"></a></li> <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt=" パスワードを変更(へんこう)したい"></a></li> <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt=" パスワードを忘(わす)れたので再発行(さいはっこう)したい ... jQuery("#nav-pw li a, a.tab-link") All links to #
Based on this jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); look it again carefully
Based on this jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); can change hash in 0.5 sec! look it again carefully
Current source hash = location.hash; // 2013.10.4 fix XSS if(hash == "#first-login"|| hash == "#passmodif" || hash == "#passlost") { }else { hash = ""; } if (hash != "" && jQuery(hash).length) { ... tabs.js from http://www.benesse.co.jp/s/land/pass/ !
DOM based XSS ❷ <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> Make a path from parameter 'result' → Extract page response from that URL.
DOM based XSS ❷ The path is limited within the same domain, safe? <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/ contents/oyashindan/answer.html?
No! Uploadable user avatar image host in the same domain. If you write <script>.... in the image comment area, it will upload directly.
In this way /vulnpage?result=/../../../../uploads/profile/icon.jpg%23 $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); ➡Export image binary in to page
DEMO http://vulnerabledoma.in/avtokyo2015/
Conclusion I will continue finding bugs by trying not to bother anyone. Thank you very much (Yoroshiku!)
@kinugawamasato masatokinugawa [at]gmail.com Thanks! 💰💰💰

Recomendados

Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 

Recomendados

Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Aaron Hnatiw
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationMicho Hayek
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionMichael Hendrickx
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021neexemil
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior
 
Атаки на видеоконвертеры: год спустя
Атаки на видеоконвертеры: год спустяАтаки на видеоконвертеры: год спустя
Атаки на видеоконвертеры: год спустяPositive Hack Days
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Google Dorks
Google DorksGoogle Dorks
Google DorksAndrea D'Ubaldo
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Angular Interview Questions & Answers
Angular Interview Questions & AnswersAngular Interview Questions & Answers
Angular Interview Questions & AnswersRatnala Charan kumar
 
What Are We Still Doing Wrong
What Are We Still Doing WrongWhat Are We Still Doing Wrong
What Are We Still Doing Wrongafa reg
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 

Más contenido relacionado

La actualidad más candente

X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterMasato Kinugawa
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationMicho Hayek
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021neexemil
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior
 
Атаки на видеоконвертеры: год спустя
Атаки на видеоконвертеры: год спустяАтаки на видеоконвертеры: год спустя
Атаки на видеоконвертеры: год спустяPositive Hack Days
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Angular Interview Questions & Answers
Angular Interview Questions & AnswersAngular Interview Questions & Answers
Angular Interview Questions & AnswersRatnala Charan kumar
 

La actualidad más candente (20)

X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS FilterX-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
LFI to RCE
LFI to RCELFI to RCE
LFI to RCE
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
 
Атаки на видеоконвертеры: год спустя
Атаки на видеоконвертеры: год спустяАтаки на видеоконвертеры: год спустя
Атаки на видеоконвертеры: год спустя
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Google Dorks
Google DorksGoogle Dorks
Google Dorks
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Angular Interview Questions & Answers
Angular Interview Questions & AnswersAngular Interview Questions & Answers
Angular Interview Questions & Answers
 

Similar a Bug-hunter's Sorrow

What Are We Still Doing Wrong
What Are We Still Doing WrongWhat Are We Still Doing Wrong
What Are We Still Doing Wrongafa reg
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developersmatthewhughes
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threatAvădănei Andrei
 
Blockchain Info _ in Simple english to understand more easily
Blockchain Info _ in Simple english to understand more easilyBlockchain Info _ in Simple english to understand more easily
Blockchain Info _ in Simple english to understand more easilyAdam Yorkshire
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityChristian Heilmann
 
Hacking with experts (by anurag dwivedi)
Hacking with experts (by anurag dwivedi)Hacking with experts (by anurag dwivedi)
Hacking with experts (by anurag dwivedi)Esteban Bedoya
 
Empowerment Technologies - Module 2
Empowerment Technologies - Module 2Empowerment Technologies - Module 2
Empowerment Technologies - Module 2Jesus Rances
 
Beyond xss (SheHacks Nairobi 2018)
Beyond xss (SheHacks Nairobi 2018)Beyond xss (SheHacks Nairobi 2018)
Beyond xss (SheHacks Nairobi 2018)Munir Njiru
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Securityeugenet
 
Dmitry sharkov - Maturing Your Cucumber Suites
Dmitry sharkov - Maturing Your Cucumber SuitesDmitry sharkov - Maturing Your Cucumber Suites
Dmitry sharkov - Maturing Your Cucumber SuitesQA or the Highway
 
How well are you delivering your experience?
How well are you delivering your experience?How well are you delivering your experience?
How well are you delivering your experience?Andrew Fisher
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cristian Alexandrescu
 
I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...
I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...
I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...John Fink
 
Cyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena MishraCyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena MishraDevsena Mishra
 
Thoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecoreThoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecorePINT Inc
 
Money Can Buy Happiness Essay Introduction
Money Can Buy Happiness Essay IntroductionMoney Can Buy Happiness Essay Introduction
Money Can Buy Happiness Essay IntroductionMimi Young
 

Similar a Bug-hunter's Sorrow (20)

What Are We Still Doing Wrong
What Are We Still Doing WrongWhat Are We Still Doing Wrong
What Are We Still Doing Wrong
 
Security testing for web developers
Security testing for web developersSecurity testing for web developers
Security testing for web developers
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Xss is more than a simple threat
Xss is more than a simple threatXss is more than a simple threat
Xss is more than a simple threat
 
Blockchain Info _ in Simple english to understand more easily
Blockchain Info _ in Simple english to understand more easilyBlockchain Info _ in Simple english to understand more easily
Blockchain Info _ in Simple english to understand more easily
 
Beyond xss
Beyond xssBeyond xss
Beyond xss
 
Things that go bump on the web - Web Application Security
Things that go bump on the web - Web Application SecurityThings that go bump on the web - Web Application Security
Things that go bump on the web - Web Application Security
 
Hack for security
Hack for securityHack for security
Hack for security
 
Hacking with experts (by anurag dwivedi)
Hacking with experts (by anurag dwivedi)Hacking with experts (by anurag dwivedi)
Hacking with experts (by anurag dwivedi)
 
Empowerment Technologies - Module 2
Empowerment Technologies - Module 2Empowerment Technologies - Module 2
Empowerment Technologies - Module 2
 
Beyond xss (SheHacks Nairobi 2018)
Beyond xss (SheHacks Nairobi 2018)Beyond xss (SheHacks Nairobi 2018)
Beyond xss (SheHacks Nairobi 2018)
 
OpenID Security
OpenID SecurityOpenID Security
OpenID Security
 
Dmitry sharkov - Maturing Your Cucumber Suites
Dmitry sharkov - Maturing Your Cucumber SuitesDmitry sharkov - Maturing Your Cucumber Suites
Dmitry sharkov - Maturing Your Cucumber Suites
 
How well are you delivering your experience?
How well are you delivering your experience?How well are you delivering your experience?
How well are you delivering your experience?
 
Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu Cross-Site Scripting course made by Cristian Alexandrescu
Cross-Site Scripting course made by Cristian Alexandrescu
 
Bear Writing Paper
Bear Writing PaperBear Writing Paper
Bear Writing Paper
 
I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...
I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...
I'm Not Here I'm There -- Using a Local Instant Messaging Service in Your Lib...
 
Cyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena MishraCyber security-awareness-for-social-media-users - Devsena Mishra
Cyber security-awareness-for-social-media-users - Devsena Mishra
 
Thoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for SitecoreThoughts on Defensive Development for Sitecore
Thoughts on Defensive Development for Sitecore
 
Money Can Buy Happiness Essay Introduction
Money Can Buy Happiness Essay IntroductionMoney Can Buy Happiness Essay Introduction
Money Can Buy Happiness Essay Introduction
 

Más de Masato Kinugawa

X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~Masato Kinugawa
 
バグハンターの哀しみ
バグハンターの哀しみバグハンターの哀しみ
バグハンターの哀しみMasato Kinugawa
 
SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」Masato Kinugawa
 
SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」Masato Kinugawa
 
見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)Masato Kinugawa
 

Más de Masato Kinugawa (6)

X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
 
バグハンターの哀しみ
バグハンターの哀しみバグハンターの哀しみ
バグハンターの哀しみ
 
SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」
 
SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」
 
いでよ、電卓!
いでよ、電卓!いでよ、電卓!
いでよ、電卓!
 
見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)
 

Último

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Último (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 

Bug-hunter's Sorrow

  • 2. Introduction Masato Kinugawa Lonely bug hunter Only XSS is my friend.
  • 3. Daily job Office Home Duty Up to my motivation Job Looking for security bugs Income Bug Bounty ➡Is it enough for living?
  • 6. Last year Income 41050707 Yen (Octal notation) 💰
  • 10. Summary Looking for XSS on Benesse My home internet was blocked twists and turns ➡Why did I look for XSS on Benesse?
  • 11. In summer 2013 I found a possibility of DOM based XSS using U+2028/2029 http://masatokinugawa.l0.cm/2013/09/u2028 u2029.domxss.html Used to be a problem in easy regex Details on my Blog:U+2028/2029とDOM based XSS Looking for the impact I think many people have same situation
  • 12. How to test ❶ Added U+2028 and text that may cause DOM based XSS after # in URL. ❷ Check the strange error happens http://host/#[U+2028]'"><svg/onload=alert(1)>
  • 13. then I found ordinary DOM based XSS on Benesse site. https://web.archive.org/web/20130723155109/http://manabi.benes se.ne.jp/#"><svg/onload=alert(1)> function writeAccesskeyForm(){ var htm = ''; var ownURI = location.href; //... htm+= '<input type="hidden" name="backurl" value="' + ownURI + '">'; //... document.write(htm); } writeAccesskeyForm();
  • 14. after that 2013/08/05 Report 2013/08/06 Response "Thank you very much for your bug report of "Benesse Manabision". we will check the fact as soon as possible and proceed the correspondence. Thank you so much again for your cooperation." 2013/end of Aug. confirmed the fix.
  • 15. After this response I feel their appreciation to the bug report and their attitude to fix it. Let's find more and report to them! It is a start of XSS-Nightmare…
  • 16. found Easy to find regular Reflected XSS. We received the 3 of new XSS vulnerability from you. Thank you very much. At this time, we will check the facts, and we will proceed the intensive measures. Following the last time, we would very much appreciate your valuable pointed-out. We would like thank you over and over again. 2013/08/28 Report 2013/08/30 Response
  • 17. Same time Suddenly I became not to access to manabi.benesse.ne.jp I can access to it after changing IP. Investigate further ➡Access denied because of my testing requests?
  • 18. There will be such a thing (with bug report)I added a comment: ".. maybe blocked due to my testing requests... Best regards" On a later date Thank you for pointing-out that our fix is uncompleted. After the investigation, we will proceed the correspondence. Thank you very much. ➡They are ignoring my comment... I think they understood what I mentioned.
  • 19. continue to report Reported many time that the fix is incomplete. Access denied at every confirmation testing... Repeat testing by changing IP
  • 21. What happened?! At first I thought it was a trouble or a failure of equipment but it was not I found a warning email from service provider Detect suspicious access from your network, check your PC if infected by virus or generating unauthorized access?
  • 22. Suspicious Access I can just make sense of it. Checked vulnerability before and after warning mail. reported: Google, excite, Benesse (I mean, my daily activities (only access history) are all suspicious!!) ➡Never reported site of Benesse is access denied, I considered it is doubtful.
  • 23. Contortion Thank you very much for your point-out. We will check your email received on 6th and 7th Sep. We will proceed with intensive measures. We would like thank you over and over again for your very valuable report. 9th Sep. In the reply thanks as usual:
  • 24. Letter from @nifty with a Pledge letter "Do not attack" Wait wait, it's misunderstanding…
  • 25. Call to Benesse/@nifty Both "We can not answer for a security reason!" Me "I'm in trouble, my home internet was stopped. I want to check the facts."
  • 26. It is no use!! Got a WiMAX mobile wifi router as I can’t do a stroke of work Using tethering, I wrote a blog as a last hope I'm giving up... At that time the Messiah appears... http://masatokinugawa.l0.cm/2013/09/xss.benesse.html Disconnected from Internet maybe because of XSS
  • 28. Received DM I read your blog. I am contacting to Benesse about it. Could you let me know your E-mail address? Oh God!
  • 29. afterwards Benesse entrusted the operation of intrusion detection system to a security company who block the network and/or contact ISP when detecting attacks. hmmm
  • 30. afterwards In the flow, it seems detected by IPS(Intrusion Prevention System) ➡ Monitoring by security company ➡ contact to ISP ➡ blocked by ISP I see!
  • 31. afterwards After some exchanges, I was told Benesse can contact to ISP. If you send them your IP address at the reporting time, they will match it. Sure. Do I have records?...
  • 32. Yes Daily, I tested browser behavior in my domain (vulnerabledoma.in), I have my IP access logs on a daily basis! 28th Aug.: XX.X.XX.2 29th Aug.: XX.X.XX.25 30th Aug.: XX.X.XX.195 31st Aug.: XX.X.XX.14 01st Sep.: XX.X.XX.14 .... like this:
  • 33. After reporting IP I heard they did "withdrawal of the unauthorized access information" and "request for block release" to ISP. It leaves a decision up to ISP now. Thank God...
  • 34. Finally Tears of gratitude 13th Sep. evening(About 1 week from being blocked), Internet is back!
  • 35. Re-Acknowledgment It would be difficult for me to explain the situation to companies without Mr. Tokumaru's cooperation. Thank you so much again!! ※ this is not "Mimirin"
  • 36. God Tokumaru's books are on sale! http://www.amazon.co.jp/dp/ 4822279987/ http://www.amazon.co.jp/dp/ 4797361190/ Buy now!!
  • 37. I felt through the problem I wonder inside of big company is complicated... I felt through the problem I can imagine that information leak occurs...
  • 38. Not others problem I send you a link that make you XSS-like request to Benesse site. http://manabi.beness・・・/?<script>alert(1)</script> Site will become unavailable. In worst case, Internet block?! When you access ※ can not link because it's so dangerous
  • 39. Mistake of IDS company They do not scrutinize attack or not They do not understand property of attack I want to question the effectiveness to block IP in order to address XSS. I can Yet understand if they stop all access. In this case, need the collation of log and reporting The cause is similar to remotely control PC incident? ➡To give a help to fix XSS's fundamental problem. I believe it is the only way to eradicate XSS.
  • 40. Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change
  • 41. Threat of XSS Execute arbitrary script/manipulation Confidential information leak The phishing by page contents change ◆Internet Block!!
  • 42. Lessons learned: The world Things that should not be poked
  • 43. Recently blocked again! Non-payment of charge (not completed payment transaction by misunderstanding)
  • 46. After Internet resume If telling IP address in advance, Benesse allows my testing. Reported nearly 100 vulns (All were fixed in the short period of time. This attitude is really great.) As a consequence ➡ explain 2 cases out of it!
  • 47. DOM based XSS ❶ https://web.archive.org/web/20130904143057/http://www. benesse.co.jp/s/land/pass/ jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); });
  • 48. DOM based XSS ❶ To run the event at the time of clicking a special link jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ ...
  • 49. Specific link <div id="nav-pw"> <ul> <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt=" はじめてログインするかたへ"></a></li> <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt=" パスワードを変更(へんこう)したい"></a></li> <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt=" パスワードを忘(わす)れたので再発行(さいはっこう)したい ... jQuery("#nav-pw li a, a.tab-link") All links to #
  • 50. Based on this jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); look it again carefully
  • 51. Based on this jQuery("#nav-pw li a, a.tab-link") .bind("click touchstart", function(event){ setTimeout(function(){ hash = location.hash; if (hash != "" && jQuery(hash).length) { //... } }, 500); }); can change hash in 0.5 sec! look it again carefully
  • 52. Current source hash = location.hash; // 2013.10.4 fix XSS if(hash == "#first-login"|| hash == "#passmodif" || hash == "#passlost") { }else { hash = ""; } if (hash != "" && jQuery(hash).length) { ... tabs.js from http://www.benesse.co.jp/s/land/pass/ !
  • 53. DOM based XSS ❷ <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> Make a path from parameter 'result' → Extract page response from that URL.
  • 54. DOM based XSS ❷ The path is limited within the same domain, safe? <script type="text/javascript"> $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); </script> ... <div id="answer_box"></div> https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/ contents/oyashindan/answer.html?
  • 55. No! Uploadable user avatar image host in the same domain. If you write <script>.... in the image comment area, it will upload directly.
  • 56. In this way /vulnpage?result=/../../../../uploads/profile/icon.jpg%23 $(document).ready(function(){ result = "./answer/answer_" + $.query.get('result') + ".html"; $("#answer_box").load(result); }); ➡Export image binary in to page
  • 58. Conclusion I will continue finding bugs by trying not to bother anyone. Thank you very much (Yoroshiku!)