First bounty, time to step up my game
Hello again and thanks for reading my second blog post! After publishing my first blog I kept on trying to hack different companies and websites. Not as easy as I had hoped for! It took me quite some time to find another security issue after the IDOR in my first month. This SOME issue I found is not to be made public, so I won’t be able to mention company details and will have to mask url’s etc.
Extensive recon of different websites owned by my target company learned that they were using an old version of an upload plugin. This plugin attempts to allow user uploads for as many different browsers and versions as possible and includes a flash component. Funny thing is this flash component was vulnerable to XSS:
This wil pop an alert box containing kciredor. How did I know? While browsing the website and proxying everything through Burp to create a sitemap, the Retire.js chrome extension pointed out that this specific library was out of date. So I started looking into it and searched for published issues.
So far so good but it does not end with an alert of my nickname. Can I also alert document.cookie for instance? The anwser is: no. Simply reporting this XSS right now would end up getting myself in trouble, because I cannot prove exploitability. Cloning the library from github including submodules and browsing through the code I found out the target parameter has a regex filter like this: a-zA-Z0-9._ and the uid parameter has a regex filter like this: a-zA-Z0-9_ which does not leave us a lot of room to get things done.
This is where I want to thank smiegles for giving me a heads up on SOME attacks: Same Origin Method Execution. There’s even a PoC to get inspired! The impact of SOME attacks is roughly the same as XSS. Using only alphanumeric input and a dot is enough to make a SOME attack work, meaning this could do the trick! Ben Hayak wrote an excellent whitepaper on these kind of attacks.
Now there’s only one more thing: how do I make sure someone actually clicks on the link containing my attack? That depends given the context of the website. If it’s something like eBay you could add a link claiming there’s more info and pictures behind it. Given the context of the company I was attacking it was pretty easy to find a good reason.
The end result looked something like this (poc.html):
The ‘first month IDOR issue’ has been resolved by the company, but it’s still not published. As soon as it’s publically disclosed I’ll write a detailed blog post about it, without having to mask anything! During my second month I invested a lot of time, perhaps most of my time, into coding a successor of recon.sh. I kept on having to fix and customize recon.sh to work with each and every target I tried and it kept on crashing, etc. The new setup is what I call recon-docker. It’s a python/django dockerized set of scanners with a web frontend, leveraging the usual tools like masscan and recon-ng. For now I’m able to define targets with exact scope and let it run from one or more vm’s. If a tool crashes then recon-docker will recover and continue. Next up would be continues scanning and change detection: send me a push notification as soon as company X has new sub domain Y! Hoping this investment will help me in the long run.
Wrapping Stepping up
So far I’ve found an IDOR in the first month, a SOME attack in the second month and an open S3 bucket (yet to be triaged) in the third month. Mixed feelings: out of nowhere I stepped into the world of bug bounties, having a professional background in software engineering, but not in information security let alone web hacking. So finding one bug each month so far as a beginner should be a good start… but it does not feel like it’s enough. Far from it! Bills will have to be paid for. I’m eager to pursue my dreams. So it’s time to step up my game. When I was young I fell in love with reverse engineering: disassemblers, debuggers, hex editors, you name it. Let’s find out what the possibilities are in that specific area of expertise: a healthy (?) mix between binary exploitation/reverse engineering/vm escapes and web application hacking.
Let’s keep on hacking!
"First bounty, time to step up my game" by @kciredor_ https://t.co/kEAo63fS9Z #bugbounty #infosec— Roderick Schaefer (@kciredor_) September 19, 2017