Bug-hunter's Sorrow
Masato Kinugawa
Introduction
Masato Kinugawa
Lonely bug hunter. Only XSS is my friend.
Daily job:
  Office: Home
  Duty: Up to my motivation
  Job: Looking for security bugs
  Income: Bug bounties
➡ Is it enough to live on?
Last year's income: 41050707 Yen (octal notation) 💰
That's the whole good story!
Topics
1st half: Story of blocked internet
2nd half: Sorrow of bug
Story of blocked
internet
Summary
Looking for XSS on Benesse
My home internet was blocked
Twists and turns
➡ Why was I looking for XSS on Benesse?
In summer 2013 I found a possible DOM based XSS pattern using U+2028/U+2029.
http://masatokinugawa.l0.cm/2013/09/u2028u2029.domxss.html
It used to be a problem in naive regex checks: both characters are line terminators in JavaScript, so "." does not match them and, with the m flag, "^" and "$" match on either side of them.
Details on my blog: "U+2028/2029 and DOM based XSS" (U+2028/2029とDOM based XSS)
Looking for the impact
I think many people are in the same situation.
How to test
❶ After the # in the URL, add U+2028 followed by text that may cause DOM based XSS.
❷ Check whether a strange error appears. (U+2028 is a line terminator in JavaScript, so a hash that flows into a string literal or a regex-based check breaks it; an unexpected error is a hint that the hash reaches a script sink. Caveat: since ES2019, engines accept U+2028/U+2029 inside string literals, so that particular error is no longer a reliable signal.)
http://host/#[U+2028]'"><svg/onload=alert(1)>
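As an added example (editor's, not code from the talk), the line-terminator behaviour behind the test above, shown on two constructed hash validators: one written with the m flag, which U+2028 bypasses, and one without, which holds. The validator names and the benign value are assumptions for the example; the probe is the one from the slide.

```javascript
// Added example: why U+2028/U+2029 break naive regex checks on location.hash.
// Not code from the talk; the validators below are constructed for illustration.

// Weak: the "m" flag makes ^ and $ match at line terminators, and U+2028
// (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) are line terminators in
// ECMAScript, so "$" matches right before the injected payload.
const HASH_ALLOWLIST_WEAK = /^#[\w-]*$/m;

// Hardened: no "m" flag, so ^ and $ anchor to the whole string; everything
// after U+2028 is still part of the string and fails the character class.
const HASH_ALLOWLIST_STRICT = /^#[\w-]*$/;

function isSafeHashWeak(hash) {
  return HASH_ALLOWLIST_WEAK.test(hash);
}

function isSafeHashStrict(hash) {
  return HASH_ALLOWLIST_STRICT.test(hash);
}

// "." does not match U+2028 either, so a check like /^#(.*)/ that a developer
// expects to capture the whole hash silently stops at the separator.
function dotSeesWholeHash(hash) {
  const m = /^#(.*)/.exec(hash);
  return m !== null && m[1].length === hash.length - 1;
}

// The probe from the slide: "#" + U+2028 + an attribute-breaking payload,
// and a benign value of the kind the page expects (assumed).
const PROBE = "#\u2028'\"><svg/onload=alert(1)>";
const BENIGN = "#first-login";

function demo() {
  return {
    weakAcceptsProbe: isSafeHashWeak(PROBE),      // bypassed
    strictAcceptsProbe: isSafeHashStrict(PROBE),  // rejected
    weakAcceptsBenign: isSafeHashWeak(BENIGN),
    dotSeesProbe: dotSeesWholeHash(PROBE),        // "." stops at U+2028
  };
}
```

The same separators also defeat `split(/\r?\n/)`-style line handling and any check that assumes `\s` or `.` cover "everything between the anchors"; the fix is to anchor without the m flag and to validate with an explicit character class rather than a negated one.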
Then I found an ordinary DOM based XSS on a Benesse site:
https://web.archive.org/web/20130723155109/http://manabi.benesse.ne.jp/#"><svg/onload=alert(1)>
function writeAccesskeyForm(){
    var htm = '';
    var ownURI = location.href;   // includes the attacker-controlled fragment
    //...
    htm += '<input type="hidden" name="backurl" value="' + ownURI + '">';   // written unescaped into an attribute
    //...
    document.write(htm);
}
writeAccesskeyForm();
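As an added example (editor's, not the site's code), the hidden-input sink above rebuilt as pure functions so the unsafe string and an escaped one can be compared without a DOM. The function names and the tag counter are constructed for the example; the payload is the one from the slide.

```javascript
// Added example (editor's, not the site's code): the hidden-input sink from
// writeAccesskeyForm() rebuilt as pure functions, so the unsafe string and an
// escaped one can be compared without a DOM.

// Mirrors the original: the raw URL is concatenated into a double-quoted
// attribute, so a '"' in the fragment closes the attribute and the rest of
// the fragment becomes markup.
function buildBackurlInputUnsafe(ownURI) {
  return '<input type="hidden" name="backurl" value="' + ownURI + '">';
}

// Escape the characters that matter in attribute and text context.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function buildBackurlInputEscaped(ownURI) {
  return '<input type="hidden" name="backurl" value="' + escapeHtmlAttr(ownURI) + '">';
}

// Crude tag counter standing in for the HTML parser: two tags means the
// attribute was broken out of, one means the URL stayed inside it.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The payload from the slide, as location.href would return it.
const ATTACK_URL = 'http://host/#"><svg/onload=alert(1)>';
```

In a real fix, prefer `document.createElement('input')` and assigning `.value`, which needs no escaping at all; if string building must stay, escaping the attribute value is the minimum. Note also that the payload sits in the fragment, which the browser never sends, so no server-side filter or network device could have seen this request.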
After that
2013/08/05 Report
2013/08/06 Response:
"Thank you very much for your bug report on 'Benesse Manabision'. We will check the facts as soon as possible and proceed with the response. Thank you so much again for your cooperation."
2013/end of Aug.: confirmed the fix.
After this response
I felt their appreciation for the bug report and their willingness to fix it.
Let's find more and report them!
It was the start of an XSS nightmare…
Found
Easy-to-find regular reflected XSS.
2013/08/28 Report
2013/08/30 Response:
"We received 3 new XSS vulnerabilities from you. Thank you very much. At this time, we will check the facts, and we will proceed with intensive measures. Following the last time, we would very much appreciate your valuable report. We would like to thank you over and over again."
At the same time
Suddenly I could no longer access manabi.benesse.ne.jp.
I could access it again after changing my IP address.
Investigating further
➡ Access denied because of my testing requests?
Such things happen.
(With the bug report) I added a comment:
"... maybe blocked due to my testing requests... Best regards"
On a later date:
"Thank you for pointing out that our fix is incomplete. After investigating, we will proceed with the response. Thank you very much."
➡ They are ignoring my comment...
I assumed they had understood what I mentioned.
Continued to report
Reported many times that the fix was incomplete.
Access denied at every confirmation test...
Repeated testing by changing IP.
And
2013/9/7 Evening: incident happened!
What happened?!
At first I thought it was a line trouble or an equipment failure, but it was not.
I found a warning email from my service provider:
"Suspicious access was detected from your network. Check whether your PC is infected by a virus or generating unauthorized access."
Suspicious access
I could just about make sense of it.
I had checked for vulnerabilities before and after the warning mail.
Sites I had reported to: Google, excite, Benesse
(I mean, my daily activities (just my access history) are all suspicious!!)
➡ The Benesse site was the one that had been denying my access, so I considered it the likely cause.
Twist
9th Sep.: in their reply, thanks as usual:
"Thank you very much for your report. We will check your emails received on 6th and 7th Sep. and proceed with intensive measures. We would like to thank you over and over again for your very valuable report."
Then a letter from @nifty, with a pledge letter to sign: "Do not attack."
Wait wait, it's a misunderstanding…
Called Benesse and @nifty.
Both: "We cannot answer, for security reasons!"
Me: "I'm in trouble, my home internet has been stopped. I want to check the facts."
It was no use!!
Got a WiMAX mobile Wi-Fi router, as I couldn't do a stroke of work.
Using tethering, I wrote a blog post as a last hope.
I'm giving up...
At that time, the Messiah appeared...
http://masatokinugawa.l0.cm/2013/09/xss.benesse.html
"Disconnected from the Internet, maybe because of XSS"
The Tokumaru!
Received a DM:
"I read your blog. I am contacting Benesse about it. Could you let me know your e-mail address?"
Oh God!
Afterwards
Benesse had entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks.
hmmm
So the flow seems to have been:
detected by the IPS (Intrusion Prevention System)
➡ monitoring by the security company
➡ contact to the ISP
➡ blocked by the ISP
I see!
After some exchanges, I was told Benesse can contact the ISP: if I send them my IP address at each reporting time, they will match it.
Sure. Do I have records?...
Yes. Daily, I test browser behaviour on my own domain (vulnerabledoma.in), so its access logs record my IP address every day, like this:
28th Aug.: XX.X.XX.2
29th Aug.: XX.X.XX.25
30th Aug.: XX.X.XX.195
31st Aug.: XX.X.XX.14
01st Sep.: XX.X.XX.14
....
After reporting the IPs
I heard they did a "withdrawal of the unauthorized access information" and a "request for block release" to the ISP. It was now up to the ISP to decide.
Thank God...
Finally
Tears of gratitude
13th Sep. evening (about 1 week after being blocked), the Internet was back!
Re-acknowledgment
It would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation.
Thank you so much again!!
※ This is not "Mimirin"
God Tokumaru's books are on sale!
http://www.amazon.co.jp/dp/4822279987/
http://www.amazon.co.jp/dp/4797361190/
Buy now!!
What I felt through this problem
I wonder whether the inside of a big company is complicated...
I can imagine how an information leak happens...
Not other people's problem
If I send you a link that makes an XSS-like request to the Benesse site, like
http://manabi.beness・・・/?<script>alert(1)</script>
then when you access it, the site becomes unavailable to you. In the worst case, your internet gets blocked?!
※ Not linked, because it is so dangerous
Mistakes of the IDS company
They do not scrutinize whether it is an attack or not.
They do not understand the nature of the attack.
I want to question the effectiveness of blocking an IP in order to address XSS.
I could still understand it if they stopped all access.
In this case, collation of the logs and reporting are needed.
Is the cause similar to the remotely-controlled PC incident?
➡ Helping to fix the fundamental problem of XSS. I believe it is the only way to eradicate XSS.
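As an added example (editor's, not from the talk), a toy signature matcher run over constructed access-log lines. It shows what a device between browser and server can and cannot see, and why auto-blocking the source IP of an XSS hit punishes the wrong party, which is the point of the two slides above. Every log line, IP address and rule here is made up.

```javascript
// Added example (editor's, not from the talk): a toy signature matcher run over
// constructed access-log lines. It shows what an IPS in front of the site can
// and cannot see, and why auto-blocking the source IP of an XSS hit punishes
// the wrong party. Every log line, IP address and rule here is made up.

// A minimal reflected-XSS signature of the kind such products ship with.
const XSS_SIGNATURE = /<\s*(script|svg|img|iframe)\b|on(load|error)\s*=/i;

// Constructed log lines: "<client ip> <method> <path and query>".
const LOG = [
  // Researcher's reflected-XSS probe: visible to the IPS.
  "203.0.113.7 GET /search?q=<script>alert(1)</script>",
  // Victim who clicked a link an attacker sent: identical on the wire.
  "198.51.100.9 GET /search?q=<script>alert(1)</script>",
  // DOM-based probe in the fragment: the server only ever sees "/".
  "203.0.113.7 GET /",
  // Ordinary traffic from the victim earlier in the day.
  "198.51.100.9 GET /contents/answer.html?result=q01",
];

function parseLine(line) {
  const [ip, method, target] = line.split(" ");
  return { ip, method, target };
}

// What the request line carries once the browser has built it: no fragment,
// so a DOM-based payload such as http://host/#"><svg/onload=alert(1)> is
// invisible to anything that sits between browser and server.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

function isSignatureHit(line) {
  return XSS_SIGNATURE.test(parseLine(line).target);
}

// The policy in the story: every hit's source IP is reported and blocked,
// with no look at who sent it or whether the server was harmed.
function autoBlockedIps(lines) {
  return [...new Set(lines.filter(isSignatureHit).map((l) => parseLine(l).ip))];
}

// What a practitioner would want instead: an XSS payload in a request runs
// in the requester's own browser, not on the server, so a hit is evidence of
// probing or of a victim being targeted, never of server compromise. Raise
// an alert for analyst review and log correlation; do not block on it alone.
function triage(line) {
  return isSignatureHit(line) ? "alert-for-review" : "allow";
}
```

Run against the constructed lines, `autoBlockedIps` blocks the researcher and the victim alike, while the fragment-based DOM probe never produces a hit at all; `triage` keeps the signal without the collateral damage.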
Threat of XSS
Execute arbitrary script / manipulation
Confidential information leak
Phishing by changing page contents
◆ Internet block!!
Lessons learned: the world has things that should not be poked.
Recently blocked again!
Non-payment of a charge (a payment transaction not completed, due to a misunderstanding).
The world is harsh...
Sorrow of bug
After the Internet was restored
If I tell them my IP address in advance, Benesse allows my testing.
Reported nearly 100 vulns.
(All were fixed in a short period of time. This attitude is really great.)
As a consequence
➡ I'll explain 2 cases out of them!
DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/
jQuery("#nav-pw li a, a.tab-link")
    .bind("click touchstart", function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != "" && jQuery(hash).length) {
                //...
            }
        }, 500);
    });
DOM based XSS ❶
The event runs when a specific link is clicked:
jQuery("#nav-pw li a, a.tab-link")
    .bind("click touchstart", function(event){
        ...
Specific links:
<div id="nav-pw">
<ul>
<li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
<li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
<li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい
...
jQuery("#nav-pw li a, a.tab-link")
All of these links point to # fragments.
Based on this, look at it again carefully:
jQuery("#nav-pw li a, a.tab-link")
    .bind("click touchstart", function(event){
        setTimeout(function(){
            hash = location.hash;                        // read 500 ms after the click, not at click time
            if (hash != "" && jQuery(hash).length) {     // jQuery(string) is the sink
                //...
            }
        }, 500);
    });
The hash can be changed within those 0.5 seconds! The handler validates nothing, and location.hash at that moment need not be the #first-login the user clicked: a page in another window or frame can set this page's fragment without reloading it, and on jQuery versions that still treated "#<tag ...>" as HTML, jQuery(hash) creates and runs the markup.
Current source (tabs.js from http://www.benesse.co.jp/s/land/pass/):
hash = location.hash;
// 2013.10.4 fix XSS
if(hash == "#first-login" || hash == "#passmodif" || hash == "#passlost") {
} else {
    hash = "";
}
if (hash != "" && jQuery(hash).length) {
    ...
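As an added example (editor's, not the site's or jQuery's code), a model of the two things that made the handler above exploitable and of the fix it received. jQuery versions before 1.6.3 treated a string that contained an HTML tag anywhere, "#<img ...>" included, as markup to create rather than a selector; 1.6.3 excluded strings with a leading "#", and 1.9 later required a leading "<". The two regexes below are modelled on that check, not copied from jQuery. The `loc` object stands in for `window.location`, and the `duringDelay` callback stands in for whatever changes the fragment inside the 500 ms window; the tab ids are the ones from the page.

```javascript
// Added example (editor's, not the site's or jQuery's code). It models the
// two things that make the handler above exploitable: (1) old jQuery treated
// "#<img ...>" as HTML to create, and (2) the handler reads location.hash
// 500 ms after the click, so the value it uses is not the value clicked.

// Modelled on the pre-1.6.3 quickExpr test: any "<tag>" anywhere in the
// string makes it HTML.
const OLD_QUICK_EXPR = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// 1.6.3 added the "#" exclusion so "#<img>" falls through to the selector
// engine instead (jQuery 1.9 later required a leading "<").
const FIXED_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

function treatedAsHtml(str, quickExpr) {
  const m = quickExpr.exec(str);
  return m !== null && m[1] !== undefined;
}

const ALLOWED_TABS = new Set(["#first-login", "#passmodif", "#passlost"]);

// The 2013.10.4 fix from the slide, as a function.
function allowedHash(hash) {
  return ALLOWED_TABS.has(hash) ? hash : "";
}

// Vulnerable flow: nothing is captured at click time; loc.hash is read
// after the delay, by which time it may have been changed.
function vulnerableHandler(loc, duringDelay) {
  duringDelay();        // attacker changes loc.hash inside the 500 ms window
  return loc.hash;      // this is what reached jQuery(hash)
}

// Fixed flow: whatever is read is checked against the allowlist.
function fixedHandler(loc, duringDelay) {
  duringDelay();
  return allowedHash(loc.hash);
}

const ATTACK_HASH = "#<img src=x onerror=alert(1)>";

// "loc" stands in for window.location; the user clicked #first-login.
function simulate(handler) {
  const loc = { hash: "#first-login" };
  return handler(loc, () => { loc.hash = ATTACK_HASH; });
}
```

Two lessons generalise beyond this page: read and validate user-controlled state at the moment of the event rather than after a timer, and never hand a string that may come from the URL to `jQuery()`; use `jQuery(document.getElementById(id))` or, as here, an allowlist of the few values the page knows.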
DOM based XSS ❷
<script type="text/javascript">
$(document).ready(function(){
    result = "./answer/answer_" + $.query.get('result') + ".html";   // $.query is the jQuery query-string plugin
    $("#answer_box").load(result);   // fetches the URL and inserts the response as HTML, executing inline scripts
});
</script>
...
<div id="answer_box"></div>
Builds a path from the parameter 'result' → fetches that URL and injects the response into the page.
DOM based XSS ❷
The path is limited to the same domain, so is it safe?
https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html?
No!
Uploadable user avatar images are hosted on the same domain.
If you write <script>.... in the image's comment area, it is uploaded as-is.
In this way:
/vulnpage?result=/../../../../uploads/profile/icon.jpg%23
result becomes "./answer/answer_/../../../../uploads/profile/icon.jpg#.html": the "../" segments walk out of ./answer/, and the "#" (%23) turns the appended ".html" into a fragment, which the browser strips from the request.
➡ The image binary, including the <script> in its comment, is loaded into the page.
DEMO
http://vulnerabledoma.in/avtokyo2015/
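As an added example (editor's, not the site's code), the URL built exactly as the snippet in ❷ does, resolved the way the browser's XHR will, so the traversal and the "#" that discards the appended ".html" are visible, followed by the allowlist a practitioner would put in front of `$.load()`. The base URL is a placeholder origin, and the decoded query value stands in for `$.query.get('result')`.

```javascript
// Added example (editor's, not the site's code): builds the URL exactly as the
// snippet above does and resolves it the way the browser's XHR will, so the
// traversal and the "#" that discards the appended ".html" are visible; then
// the allowlist a practitioner would put in front of $.load().

const BASE = "https://app.example/contents/answer.html"; // placeholder origin

// Mirrors: "./answer/answer_" + $.query.get('result') + ".html"
function buildAnswerPath(result) {
  return "./answer/answer_" + result + ".html";
}

// What XHR actually requests: the resolved path. The fragment never leaves
// the browser, so whatever follows "#" is simply dropped from the request.
function resolvedRequest(relative, base = BASE) {
  const u = new URL(relative, base);
  return { path: u.pathname, fragment: u.hash };
}

// Decoded value of result=/../../../../uploads/profile/icon.jpg%23
const TRAVERSAL = "/../../../../uploads/profile/icon.jpg#";

// Hardened: accept only a short identifier, so the fetched path stays under
// ./answer/ and keeps its suffix. Anything else yields null and no request.
const RESULT_ID = /^[A-Za-z0-9_]{1,32}$/;
function safeAnswerPath(result) {
  return RESULT_ID.test(result) ? buildAnswerPath(result) : null;
}
```

Same-origin is not a safety boundary when users can place bytes on that origin: `.load()` inserts the response through jQuery's HTML path, which executes inline `<script>` elements regardless of the response's Content-Type, so a JPEG with a script in its comment field is as good as an HTML page. The allowlist keeps the request inside the directory the developer intended, which is the property the original code assumed but never enforced.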
Conclusion
I will continue finding bugs while trying not to bother anyone.
Thank you very much (Yoroshiku!)
@kinugawamasato
masatokinugawa[at]gmail.com
Thanks!
💰💰💰
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Bug-hunter's Sorrow

  • 2. Introduction Masato Kinugawa Lonely bug hunter Only XSS is my friend.
  • 3. Daily job. Office: home. Duty: up to my motivation. Job: looking for security bugs. Income: bug bounties. ➡ Is it enough to live on?
  • 6. Last year's income: 41050707 yen (octal notation) 💰
  • 10. Summary: looking for XSS on Benesse ➡ my home internet was blocked ➡ twists and turns. ➡ Why did I look for XSS on Benesse?
  • 11. In summer 2013 I found a possible way to detect DOM based XSS using U+2028/2029 (http://masatokinugawa.l0.cm/2013/09/u2028u2029.domxss.html). It used to be a problem in simple regexes. Details on my blog: "U+2028/2029とDOM based XSS" (U+2028/2029 and DOM based XSS). Looking for the impact: I thought many sites would be in the same situation.
  • 12. How to test: ❶ After the # in the URL, add U+2028 followed by text that may trigger DOM based XSS. ❷ Check whether a strange error occurs. http://host/#[U+2028]'"><svg/onload=alert(1)> (U+2028 is a JavaScript line terminator, so if the URL is being written into a script string literal, the script breaks with a syntax error in engines that predate ES2019; that reveals the sink even when nothing is visibly injected.)
  • 13. Then I found an ordinary DOM based XSS on a Benesse site: https://web.archive.org/web/20130723155109/http://manabi.benesse.ne.jp/#"><svg/onload=alert(1)>
      function writeAccesskeyForm(){
        var htm = '';
        var ownURI = location.href;
        //...
        htm+= '<input type="hidden" name="backurl" value="' + ownURI + '">';
        //...
        document.write(htm);
      }
      writeAccesskeyForm();
    location.href includes the fragment, and a double quote in the fragment closes the value attribute. The fragment is never sent to the server, so no server-side filter ever sees the payload.
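The sink from slide 13 beside a hardened version, as an added example that is not code from the talk or from the Benesse site. The surrounding form markup is assumed, and document.write() is replaced by a return value so the functions run under Node without a DOM:

```javascript
// Added example, not code from the talk: the attribute-context sink from
// slide 13 next to a hardened version. document.write() is replaced by a
// return value so the functions run under Node without a DOM; the <form>
// around the hidden input is an assumption.

// Escape the characters that can close a double-quoted attribute value or
// start a tag or entity. Everything else passes through unchanged.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: location.href (passed in here as ownURI) is concatenated
// straight into value="...", exactly as on the original page. The fragment
// is part of location.href but never reaches the server, so only the
// browser-side code can stop it.
function writeAccesskeyFormVulnerable(ownURI) {
  let htm = '<form method="post" action="/login">';
  htm += '<input type="hidden" name="backurl" value="' + ownURI + '">';
  htm += '</form>';
  return htm;
}

// Hardened: the same markup, with the URL escaped for the attribute context.
function writeAccesskeyFormSafe(ownURI) {
  let htm = '<form method="post" action="/login">';
  htm += '<input type="hidden" name="backurl" value="' + escapeHtmlAttr(ownURI) + '">';
  htm += '</form>';
  return htm;
}

// Crude element counter used to show the difference: counts every "<"
// that begins a start tag in the emitted markup.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}
```

Escaping fixes the attribute context, but building markup by string concatenation is the root problem; creating the input with document.createElement and assigning input.value avoids the parser entirely. Note also that engines implementing ES2019 accept U+2028 inside string literals, so the slide-12 probe no longer produces the tell-tale syntax error in current browsers, while the attribute-context bug shown here does not depend on that at all.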
  • 14. After that: 2013/08/05 report; 2013/08/06 response: "Thank you very much for your bug report on "Benesse Manabision". We will check the facts as soon as possible and proceed with the response. Thank you so much again for your cooperation." End of Aug. 2013: confirmed the fix.
  • 15. After this response, I felt their appreciation for the bug report and their willingness to fix it. Let's find more and report them! It was the start of the XSS nightmare…
  • 16. Found: regular reflected XSS, easy to find. 2013/08/28 report; 2013/08/30 response: "We received 3 new XSS vulnerabilities from you. Thank you very much. This time too, we will check the facts and proceed with thorough measures. Following the last time, we very much appreciate your valuable findings. We would like to thank you over and over again."
  • 17. At the same time, I suddenly could not access manabi.benesse.ne.jp. I could access it again after changing my IP address. Investigating further ➡ Access denied because of my testing requests?
  • 18. There could be such a thing, so (with the bug report) I added a comment: "...maybe blocked due to my testing requests... Best regards". Some days later: "Thank you for pointing out that our fix is incomplete. After investigation, we will proceed with the response. Thank you very much." ➡ They are ignoring my comment... I thought they understood what I mentioned.
  • 19. Continued to report. Reported many times that the fix was incomplete. Access denied at every confirmation test... Repeated testing by changing my IP address.
  • 21. What happened?! At first I thought it was a problem or a failure of equipment, but it was not. I found a warning email from my service provider: "Suspicious access has been detected from your network. Check whether your PC is infected by a virus or generating unauthorized access."
  • 22. Suspicious access: I could only guess at it. Before and after the warning mail I had checked for vulnerabilities and reported to Google, excite and Benesse (I mean, judging by access history alone, my daily activities all look suspicious!!). ➡ Among these, only Benesse's site had denied me access, so I considered it suspect.
  • 23. Contradiction: 9th Sep., the usual thanks in the reply: "Thank you very much for your report. We will check your emails received on 6th and 7th Sep. We will proceed with thorough measures. We would like to thank you over and over again for your very valuable report."
  • 24. A letter from @nifty with a pledge letter: "Do not attack". Wait, wait, it's a misunderstanding…
  • 25. Calls to Benesse and @nifty. Me: "I'm in trouble, my home internet has been stopped. I want to check the facts." Both: "We cannot answer, for security reasons!"
  • 26. It's no use!! I got a WiMAX mobile wifi router because I couldn't do a stroke of work. Using tethering, I wrote a blog post as a last hope: http://masatokinugawa.l0.cm/2013/09/xss.benesse.html ("Disconnected from the Internet, maybe because of XSS"). I was giving up... At that moment the Messiah appeared...
  • 28. Received a DM: "I read your blog. I am contacting Benesse about it. Could you let me know your e-mail address?" Oh God!
  • 29. Afterwards: Benesse had entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks. Hmmm.
  • 30. Afterwards: in this flow, it seems: detected by the IPS (Intrusion Prevention System) ➡ monitoring by the security company ➡ contact to the ISP ➡ blocked by the ISP. I see!
  • 31. Afterwards: after some exchanges, I was told Benesse could contact the ISP. If I sent them my IP address at the time of each report, they would match it against their logs. Sure. Do I have records?...
  • 32. Yes. I test browser behaviour daily on my own domain (vulnerabledoma.in), so its access logs hold my IP address for every day, like this: 28th Aug.: XX.X.XX.2; 29th Aug.: XX.X.XX.25; 30th Aug.: XX.X.XX.195; 31st Aug.: XX.X.XX.14; 01st Sep.: XX.X.XX.14; ....
  • 33. After reporting the IP addresses, I heard they sent a "withdrawal of the unauthorized access information" and a "request for block release" to the ISP. The decision was now up to the ISP. Thank God...
  • 34. Finally, tears of gratitude: on the evening of 13th Sep. (about 1 week after being blocked), the Internet was back!
  • 35. Re-acknowledgment: it would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation. Thank you so much again!! ※ This is not "Mimirin".
  • 36. God Tokumaru's books are on sale! http://www.amazon.co.jp/dp/ 4822279987/ http://www.amazon.co.jp/dp/ 4797361190/ Buy now!!
  • 37. What I felt through this problem: I wonder if the inside of a big company is complicated... I can imagine how an information leak could occur...
  • 38. Not someone else's problem: I send you a link that makes your browser send an XSS-like request to the Benesse site: http://manabi.beness・・・/?<script>alert(1)</script> When you access it, the request comes from your IP address, not mine, so the site becomes unavailable to you. In the worst case, your Internet gets blocked?! ※ Not linked because it's so dangerous.
  • 39. Mistakes of the IDS company: They do not scrutinize whether it is really an attack. They do not understand the nature of the attack. I want to question the effectiveness of blocking an IP address in order to address XSS. I could still understand it if they stopped all access; in this case, they needed to check the logs against the reports. Is the cause similar to the remote-control PC incident? ➡ Helping to fix the fundamental problem of XSS is, I believe, the only way to eradicate XSS.
  • 40–41. Threats of XSS: execute arbitrary script/manipulation; confidential information leak; phishing by changing page contents; ◆ Internet block!!
  • 42. Lessons learned: the world has things that should not be poked.
  • 43. Recently blocked again! Non-payment of charges (the payment transaction was not completed because of a misunderstanding).
  • 46. After the Internet resumed: if I tell them my IP address in advance, Benesse allows my testing. As a consequence, I have reported nearly 100 vulns (all were fixed in a short period of time; this attitude is really great). ➡ I'll explain 2 cases out of them!
  • 47. DOM based XSS ❶ https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/
      jQuery("#nav-pw li a, a.tab-link")
        .bind("click touchstart", function(event){
          setTimeout(function(){
            hash = location.hash;
            if (hash != "" && jQuery(hash).length) {
              //...
            }
          }, 500);
        });
  • 48. DOM based XSS ❶: the handler runs when one of the specific links is clicked: jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event){ ... });
  • 49. The specific links:
      <div id="nav-pw">
        <ul>
          <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
          <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
          <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"></a></li>
          ...
    jQuery("#nav-pw li a, a.tab-link") ➡ all links point to # (the alt texts are the three tab labels: first-time login, change password, reissue a forgotten password).
  • 50–51. Based on this, look at the handler again carefully: hash = location.hash is read inside setTimeout(..., 500), not at click time, so the hash can be changed within 0.5 s! (A page that opened this one in another window can set that window's location to a new fragment; a fragment-only navigation does not reload the page, so the pending timer still fires with the attacker's hash and passes it to jQuery(hash).)
  • 52. Current source (tabs.js from http://www.benesse.co.jp/s/land/pass/):
      hash = location.hash;
      // 2013.10.4 fix XSS
      if(hash == "#first-login"|| hash == "#passmodif" || hash == "#passlost") {
      }else {
        hash = "";
      }
      if (hash != "" && jQuery(hash).length) {
        ...
    The fix is an allowlist: only the three known fragment ids reach jQuery(hash); anything else becomes "".
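Why jQuery(hash) on slide 47 is a sink, and the allowlist from slide 52 as a standalone function, as an added example that is not code from the talk or from Benesse. The regexes are copied from jQuery's own "HTML or selector?" test in three generations; the talk does not say which jQuery version the page used, so the version matching below is an inference from the exploit, not a fact from the page:

```javascript
// Added example, not code from the talk or from Benesse: jQuery's decision
// whether a string is HTML or a selector, in three generations of the
// library, plus the allowlist fix from slide 52. Which version the Benesse
// page ran is not stated in the talk; it is inferred here from the fact
// that a "#"-prefixed hash could be turned into markup.

// jQuery 1.6.2 and earlier: any string containing <...> counts as HTML even
// if it starts with "#", which is what made $(location.hash) exploitable
// (the issue publicly tracked as CVE-2011-4969).
const QUICK_EXPR_162 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.6.3 to 1.8.x: a leading "#" is excluded from the HTML branch.
const QUICK_EXPR_163 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.9 and later: only strings that begin with "<" are HTML.
const QUICK_EXPR_19 = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// True when jQuery(str) would create markup (running inline handlers such
// as onerror) instead of running a selector query.
function jqueryTreatsAsHtml(str, quickExpr) {
  const m = quickExpr.exec(str);
  return Boolean(m && m[1]);
}

// The fix shipped on the page (slide 52): only the three fragment ids the
// tab code knows about may reach jQuery(hash); anything else becomes "".
const ALLOWED_HASHES = ['#first-login', '#passmodif', '#passlost'];
function safeHash(hash) {
  return ALLOWED_HASHES.includes(hash) ? hash : '';
}

// A generic variant of the same idea for pages with many tabs: accept any
// id-shaped fragment and nothing else, so "<", ">", quotes and spaces can
// never reach the sink. This is a suggestion added here, not from the page.
function safeHashGeneric(hash) {
  return /^#[A-Za-z][\w-]*$/.test(hash) ? hash : '';
}
```

Upgrading jQuery closes the markup-creation path for a "#"-prefixed hash, but it does not make jQuery(location.hash) a good idea: a selector built from attacker input still lets the attacker pick which element is shown or scrolled to. The allowlist is the right fix regardless of library version, and it is what the page ended up with.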
  • 53. DOM based XSS ❷
      <script type="text/javascript">
      $(document).ready(function(){
        result = "./answer/answer_" + $.query.get('result') + ".html";
        $("#answer_box").load(result);
      });
      </script>
      ...
      <div id="answer_box"></div>
    Build a path from the parameter 'result' → fetch the response from that URL and insert it into #answer_box.
  • 54. DOM based XSS ❷: the path is limited to the same domain (a relative path with a fixed "./answer/answer_" prefix and a fixed ".html" suffix), so is it safe? https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html?
  • 55. No! User-uploadable avatar images are hosted on the same domain. If you write <script>.... in the image's comment area, it is uploaded as-is.
  • 56. In this way: /vulnpage?result=/../../../../uploads/profile/icon.jpg%23
      $(document).ready(function(){
        result = "./answer/answer_" + $.query.get('result') + ".html";
        $("#answer_box").load(result);
      });
    ➡ The image's bytes are inserted into the page as HTML. (The ../ segments climb out of ./answer/ to the uploads directory, and %23 decodes to #, so the fixed .html suffix ends up in the URL fragment, which is never sent to the server.)
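How the result= parameter from slide 53 becomes an arbitrary same-origin fetch, and an allowlist that closes it, as an added example that is not code from the talk or from Benesse. It assumes that $.query.get() (the jquery.query plugin) returns the URL-decoded value, modelled here with decodeURIComponent, and uses the page URL archived on slide 54 as the base:

```javascript
// Added example, not code from the talk or from Benesse: the path
// construction from slide 53, what the browser really requests after URL
// resolution, and a hardened version. Assumptions: $.query.get() returns
// the decoded parameter (modelled with decodeURIComponent) and the page
// lives at the URL archived on slide 54.

const PAGE_URL = 'http://wm.benesse.ne.jp/contents/oyashindan/answer.html';

// Vulnerable construction from the page: the parameter is spliced between a
// fixed prefix and a fixed ".html" suffix, which looks like a restriction
// to one directory and one file type.
function buildAnswerPathVulnerable(resultParam) {
  return './answer/answer_' + resultParam + '.html';
}

// The path the browser really requests: resolve the relative URL against the
// page URL as the URL standard does. "../" climbs out of the directory, and
// everything after "#" is a fragment that neither the browser nor
// jQuery.ajax sends to the server, so the ".html" suffix vanishes.
function requestedPath(relative, pageUrl = PAGE_URL) {
  return new URL(relative, pageUrl).pathname;
}

// Hardened: accept only an identifier-shaped token, so "/", ".", "#", "?"
// and whitespace can never reach the URL. The length cap is an assumption.
function buildAnswerPathSafe(resultParam) {
  if (!/^[A-Za-z0-9_]{1,32}$/.test(resultParam)) {
    throw new Error('invalid result id');
  }
  return './answer/answer_' + resultParam + '.html';
}

// The raw query value from slide 56, decoded the way the plugin would.
const ATTACK_RAW = '/../../../../uploads/profile/icon.jpg%23';
function decodedAttack() {
  return decodeURIComponent(ATTACK_RAW);
}
```

With no selector argument, jQuery's .load() inserts the whole response body with .html(), which also executes inline <script> blocks, and the HTML parser does not care that the XHR response was served as image/jpeg. Allowlisting the parameter is simpler and more robust than blocking "../" or "#" one at a time, and it keeps the fetch inside the one directory the code was meant to read.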
  • 58. Conclusion: I will continue finding bugs while trying not to bother anyone. Thank you very much (Yoroshiku!)