10. Summary
Looking for XSS on Benesse.
My home internet was blocked.
Twists and turns.
➡ Why did I look for XSS on Benesse?
11. In summer 2013
I found a possible DOM based XSS using U+2028/2029.
http://masatokinugawa.l0.cm/2013/09/u2028u2029.domxss.html
(Details on my blog: "U+2028/2029 and DOM based XSS")
It used to be a problem in simple regexes.
Looking for the impact: I think many people have the same situation.
12. How to test
❶ Add U+2028 and text that may cause DOM based XSS after # in the URL.
❷ Check whether a strange error happens.
http://host/#[U+2028]'"><svg/onload=alert(1)>
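The "problem in simple regexes" from slide 11, and the "strange error" slide 12 tells you to look for, both come from the same JavaScript rule: U+2028 (LINE SEPARATOR) and U+2029 (PARAGRAPH SEPARATOR) count as line terminators, so `.` does not match them, while a hand-written "no newline" class such as `[^\r\n]` lets them through. The block below is an added example, not code from the original talk or from Benesse; every function name in it is my own, and the sample strings are constructed inline.

```javascript
// Added example (not from the talk): why an "easy regex" single-line check
// misses U+2028/U+2029, and what a corrected check looks like.

var LS = '\u2028'; // LINE SEPARATOR
var PS = '\u2029'; // PARAGRAPH SEPARATOR

// Naive check: "contains no newline", written as "not \r and not \n".
// LS and PS are neither, so they pass.
function looksSingleLineNaive(s) {
  return /^[^\r\n]*$/.test(s);
}

// Corrected check: exclude all four JavaScript line terminators.
function looksSingleLine(s) {
  return /^[^\r\n\u2028\u2029]*$/.test(s);
}

// "." in a JavaScript regex (without the "s" flag) matches no line terminator,
// so a capture like /^(.*)$/ silently fails on input that contains LS or PS.
// A URL parser built this way returns null where the author expected a match.
function dotCaptures(s) {
  var m = /^(.*)$/.exec(s);
  return m ? m[1] : null;
}

// How many line terminators the JavaScript lexer would see in this text.
// A value inserted into a script source that raises this count without any
// \n present is exactly the case the slide's test URL is probing for.
function jsLineTerminatorCount(s) {
  return (s.match(/[\r\n\u2028\u2029]/g) || []).length;
}

// Constructed sample: a fragment value with LS in the middle.
var SAMPLE_FRAGMENT = 'first' + LS + 'second';
```

When reviewing client-side code that parses `location.href` or `location.hash`, grep for `.*`/`.+` captures and `[^\r\n]` classes; a check that only passes `looksSingleLine` rather than `looksSingleLineNaive` is the one that actually excludes these two characters.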
13. Then
I found an ordinary DOM based XSS on the Benesse site.
https://web.archive.org/web/20130723155109/http://manabi.benesse.ne.jp/#"><svg/onload=alert(1)>
function writeAccesskeyForm(){
    var htm = '';
    var ownURI = location.href; // attacker-influenced: includes the fragment
    //...
    // the URL is concatenated into an attribute value with no escaping
    htm += '<input type="hidden" name="backurl" value="' + ownURI + '">';
    //...
    document.write(htm);
}
writeAccesskeyForm();
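The bug in `writeAccesskeyForm()` is the unescaped concatenation of `location.href` into an attribute value; a `"` in the fragment closes the attribute and the rest of the URL becomes markup. The block below is an added example, not the site's code: it rebuilds the string-building step as plain functions so the vulnerable and hardened forms can be compared in Node without a DOM, then shows the DOM-API version you would actually ship. `SAMPLE_URI` is constructed, modelled on the archived URL above, and all function names are my own.

```javascript
// Added example (not Benesse's code): the vulnerable attribute concatenation
// from writeAccesskeyForm() beside two hardened forms.

// 1. Vulnerable: the URL is dropped straight into the attribute value.
function buildBackurlInputUnsafe(ownURI) {
  return '<input type="hidden" name="backurl" value="' + ownURI + '">';
}

// Escape the five characters that can change meaning inside HTML text or a
// quoted attribute value.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// 2. Hardened string form: a quote in the URL can no longer close the
//    attribute, so nothing after it is parsed as a tag.
function buildBackurlInputEscaped(ownURI) {
  return '<input type="hidden" name="backurl" value="' + escapeHtml(ownURI) + '">';
}

// 3. Preferred in a real page: build the element with DOM APIs instead of
//    document.write. Assigning .value never goes through the HTML parser.
//    Returns null in Node, where there is no document.
function buildBackurlInputDom(ownURI) {
  if (typeof document === 'undefined') return null;
  var input = document.createElement('input');
  input.type = 'hidden';
  input.name = 'backurl';
  input.value = ownURI;
  return input;
}

// Constructed sample URL carrying the same kind of fragment as the slide.
var SAMPLE_URI = 'http://example.test/#"><svg/onload=alert(1)>';

// Quick self-check usable from the console: does the produced markup still
// contain a raw tag that was not part of the template?
function containsRawTag(markup) {
  return /<svg/i.test(markup);
}
```

The escaped form is the minimal fix for code that must keep `document.write`; the DOM form removes the parser from the path entirely and is what a reviewer should ask for when the function is rewritten.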
14. After that
2013/08/05 Report
2013/08/06 Response:
"Thank you very much for your bug report of "Benesse Manabision". We will check the facts as soon as possible and proceed with the correspondence. Thank you so much again for your cooperation."
2013/end of Aug.: confirmed the fix.
15. After this response
I felt their appreciation for the bug report and their attitude toward fixing it.
Let's find more and report to them!
It was the start of the XSS nightmare…
16. Found
Easy to find regular reflected XSS.
2013/08/28 Report
2013/08/30 Response:
"We received the 3 new XSS vulnerabilities from you. Thank you very much. At this time, we will check the facts, and we will proceed with intensive measures. Following the last time, we would very much appreciate your valuable pointing-out. We would like to thank you over and over again."
17. At the same time
Suddenly I could no longer access manabi.benesse.ne.jp.
I could access it again after changing IP.
Investigate further.
➡ Access denied because of my testing requests?
18. There will be such a thing
(With the bug report) I added a comment:
"... maybe blocked due to my testing requests... Best regards"
On a later date:
"Thank you for pointing out that our fix is incomplete. After the investigation, we will proceed with the correspondence. Thank you very much."
➡ They are ignoring my comment...
I think they understood what I mentioned.
19. Continue to report
Reported many times that the fix was incomplete.
Access denied at every confirmation test...
Repeated the testing by changing IP.
21. What happened?!
At first I thought it was a trouble or a failure of equipment, but it was not.
I found a warning email from the service provider:
"Suspicious access has been detected from your network. Check whether your PC is infected by a virus or is generating unauthorized access."
22. Suspicious Access
That explained some of it.
Before and after the warning mail I had checked for vulnerabilities and reported them: Google, excite, Benesse.
(I mean, judging from the access history alone, my daily activities are all suspicious!!)
➡ Even Benesse sites I had never reported on were denying me access, which I found suspicious.
23. Contortion
9th Sep. In the reply, thanks as usual:
"Thank you very much for pointing this out. We will check your emails received on 6th and 7th Sep. We will proceed with intensive measures. We would like to thank you over and over again for your very valuable report."
25. Call to Benesse/@nifty
Both: "We can not answer, for a security reason!"
Me: "I'm in trouble, my home internet was stopped. I want to check the facts."
26. It is no use!!
Got a WiMAX mobile WiFi router, as I couldn't do a stroke of work.
Using tethering, I wrote a blog post as a last hope.
I'm giving up...
http://masatokinugawa.l0.cm/2013/09/xss.benesse.html
"Disconnected from the Internet, maybe because of XSS"
At that time the Messiah appears...
28. Received a DM
"I read your blog. I am contacting Benesse about it. Could you let me know your E-mail address?"
Oh God!
29. Afterwards
Benesse had entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks.
hmmm
30. Afterwards
In this flow, it seems:
detected by IPS (Intrusion Prevention System)
➡ monitoring by the security company
➡ contact to the ISP
➡ blocked by the ISP
I see!
31. Afterwards
After some exchanges, I was told Benesse could contact the ISP:
"If you send them your IP address at the reporting time, they will match it."
Sure. Do I have records?...
32. Yes
Daily, I tested browser behavior on my domain (vulnerabledoma.in), so I have my IP access logs on a daily basis!
Like this:
28th Aug.: XX.X.XX.2
29th Aug.: XX.X.XX.25
30th Aug.: XX.X.XX.195
31st Aug.: XX.X.XX.14
01st Sep.: XX.X.XX.14
....
33. After reporting the IP
I heard they made a "withdrawal of the unauthorized access information" and a "request for block release" to the ISP. It leaves the decision up to the ISP now.
Thank God...
35. Re-Acknowledgment
It would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation.
Thank you so much again!!
※ This is not "Mimirin"
36. God Tokumaru's books are on sale!
http://www.amazon.co.jp/dp/4822279987/
http://www.amazon.co.jp/dp/4797361190/
Buy now!!
37. What I felt through the problem
I wonder whether the inside of a big company is complicated...
I can imagine how an information leak occurs...
38. Not someone else's problem
I send you a link that makes you send an XSS-like request to the Benesse site:
http://manabi.beness・・・/?<script>alert(1)</script>
When you access it, the site will become unavailable to you.
In the worst case, Internet block?!
※ I can not link it because it's so dangerous.
39. Mistake of the IDS company
They do not scrutinize whether it is an attack or not.
They do not understand the nature of the attack.
I want to question the effectiveness of blocking an IP in order to address XSS.
I could still understand it if they stopped all access.
In this case, collation of the logs with the reports was needed.
Is the cause similar to the remotely controlled PC incident?
➡ Help to fix the fundamental problem of XSS. I believe it is the only way to eradicate XSS.
40. Threat of XSS
Execute arbitrary script/manipulation
Confidential information leak
Phishing by changing page contents
41. Threat of XSS
◆ Internet Block!!
46. After the Internet resumed
If I tell them my IP address in advance, Benesse allows my testing.
Reported nearly 100 vulns.
(All were fixed in a short period of time. This attitude is really great.)
As a consequence ➡ I explain 2 cases out of them!
47. DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/
jQuery("#nav-pw li a, a.tab-link")
    .bind("click touchstart", function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != "" && jQuery(hash).length) {
                //...
            }
        }, 500);
    });
48. DOM based XSS ❶
The handler runs when a specific link is clicked:
jQuery("#nav-pw li a, a.tab-link")
    .bind("click touchstart", function(event){
    ...
49. Specific link
<div id="nav-pw">
  <ul>
    <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい
    ...
jQuery("#nav-pw li a, a.tab-link")
All of these links point to a # fragment.
50. Based on this
jQuery("#nav-pw li a, a.tab-link")
    .bind("click touchstart", function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != "" && jQuery(hash).length) {
                //...
            }
        }, 500);
    });
Look at it again carefully.
51. Based on this
location.hash is read when the timer fires, 500 ms after the click, not at the click itself.
➡ The hash can be changed within that 0.5 sec!
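Two things go wrong in the handler above: the fragment is read from `location.hash` only when the timer fires, so whatever the fragment holds 500 ms after the click is what gets used, and that value is then passed to `jQuery(hash)`, which the jQuery of that era could interpret as HTML rather than as a selector. The block below is an added example, not Benesse's code: a jQuery-free rewrite that takes the target from the clicked link's own `href` (so the fragment is never consulted) and accepts only plain element ids. The 500 ms wait is kept because the original waits for the fragment navigation to finish before it shows the target; the scheduler is injected so the same handler can be driven from a Node test. All names in the block are my own, and the simulated link is constructed.

```javascript
// Added example (not Benesse's code): a hardened replacement for the
// jQuery(location.hash) lookup, written without jQuery.

// Accept only a fragment that can be a plain element id: "#" followed by
// letters, digits, "-" or "_". Anything else ("<", quotes, spaces, an empty
// fragment) yields null and the handler does nothing.
var SAFE_FRAGMENT = /^#[A-Za-z0-9_-]+$/;

function safeTargetId(fragment) {
  return typeof fragment === 'string' && SAFE_FRAGMENT.test(fragment)
    ? fragment.slice(1)
    : null;
}

// schedule(fn, ms) stands in for setTimeout; onTarget(id) is what to do with
// the element once the delay has elapsed. The id is decided from the link's
// own href at click time, so a later change to location.hash cannot redirect
// the lookup, and the value never reaches a selector/HTML parser.
function makeClickHandler(schedule, onTarget) {
  return function (event) {
    var id = safeTargetId(this.getAttribute('href'));
    if (id === null) return;
    schedule(function () { onTarget(id); }, 500);
  };
}

// Browser wiring; skipped in Node where there is no document.
if (typeof document !== 'undefined') {
  var liveHandler = makeClickHandler(
    function (fn, ms) { return setTimeout(fn, ms); },
    function (id) {
      var el = document.getElementById(id); // id lookup, never jQuery(hash)
      if (el) el.scrollIntoView();
    }
  );
  Array.prototype.forEach.call(
    document.querySelectorAll('#nav-pw li a, a.tab-link'),
    function (a) { a.addEventListener('click', liveHandler); }
  );
}

// Node simulation: click a constructed link with the given href, then fire
// every pending timer. Returns the list of ids that reached onTarget.
function simulateClick(linkHref) {
  var fired = [];
  var pending = [];
  var handler = makeClickHandler(
    function (fn) { pending.push(fn); },
    function (id) { fired.push(id); }
  );
  var fakeLink = { getAttribute: function (name) { return name === 'href' ? linkHref : null; } };
  handler.call(fakeLink, {});
  pending.forEach(function (fn) { fn(); });
  return fired;
}
```

If the page genuinely needs to react to the fragment (for example on load, not on click), the same `safeTargetId()` check applied to `location.hash` before any lookup is the control to insist on in review.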
53. DOM based XSS ❷
<script type="text/javascript">
$(document).ready(function(){
    result = "./answer/answer_" + $.query.get('result') + ".html";
    $("#answer_box").load(result);
});
</script>
...
<div id="answer_box"></div>
Make a path from the parameter 'result'
→ Fetch the page response from that URL and insert it into the page.
54. DOM based XSS ❷
https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html?
The path is limited to the same domain, so is it safe?
55. No!
User-uploadable avatar images are hosted on the same domain.
If you write <script>.... in the image comment area, it will be uploaded directly.
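The lesson of slides 53 to 55 is that "same domain" is not a boundary when the parameter can choose any path on it and the fetched body is inserted as HTML: jQuery's `.load()` parses the response and runs any script it contains. The block below is an added example, not the site's code: it validates the `result` parameter down to a short token before it is ever joined into a path, and keeps the fetch-and-insert step behind that check. `getParam()` is my own stand-in for the `$.query.get()` plugin call on the slide, and `answerRequest()`/`resolveAnswerPath()` are hypothetical names.

```javascript
// Added example (not Benesse's code): validating the 'result' parameter
// before it becomes part of a same-origin path passed to $(...).load().

// An answer id is a short token of letters, digits and underscores. "/",
// ".", "?", "#" and everything else are rejected, so the joined path can
// only ever name a file inside ./answer/ with the answer_*.html shape.
var ANSWER_TOKEN = /^[A-Za-z0-9_]{1,32}$/;

function resolveAnswerPath(result) {
  if (typeof result !== 'string' || !ANSWER_TOKEN.test(result)) return null;
  return './answer/answer_' + result + '.html';
}

// Minimal query-string reader standing in for $.query.get('result').
function getParam(search, name) {
  var parts = String(search).replace(/^\?/, '').split('&');
  for (var i = 0; i < parts.length; i++) {
    if (parts[i] === '') continue;
    var kv = parts[i].split('=');
    if (decodeURIComponent(kv[0]) === name) {
      return decodeURIComponent(kv.slice(1).join('='));
    }
  }
  return null;
}

// Decide what (if anything) may be loaded for a given query string.
function answerRequest(search) {
  var path = resolveAnswerPath(getParam(search, 'result'));
  return path === null
    ? { ok: false, reason: 'invalid result parameter' }
    : { ok: true, path: path };
}

// Browser wiring; skipped in Node. .load() still inserts HTML and executes
// scripts, so the validation above is the control that keeps it pointed at
// the intended files. If the answer pages are plain text, fetch them with
// $.get and insert with .text() instead, and no script can run at all.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery(function () {
    var req = answerRequest(location.search);
    if (req.ok) {
      jQuery('#answer_box').load(req.path);
    } else {
      jQuery('#answer_box').text(req.reason);
    }
  });
}
```

An allow-list on the token is preferable to trying to strip `..` or `/` from the input: it also rejects encoded forms, because validation runs after `decodeURIComponent`, and it documents exactly which files the page is willing to fetch.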