# Killing a bounty program, Twice.
Hack In The Box 2012 (conference.hitb.org/hitbsecconf2012ams/materials…). By: Itzhak (Zuk) Avraham; Nir Goldshlager; 05/2012
# whoami | presentation
Itzhak Avraham (Zuk), Founder & CEO, Ihackbanme. Blog: http://imthezuk.blogspot.com, [email protected]
# whoami | presentation
Nir Goldshlager, Senior Web Applications Researcher. Twitter: @nirgoldshlager. Blog: http://nirgoldshlager.com
Reasons for bug bounty
• Money
• Credit
• Okay, mostly credit, they don’t pay much :P
Bug bounty programs
• 1995 – Netscape
• 2004 – Firefox
• 2005 – ZDI
• 2007 – Pwn2own
• 2010 – Google
• 2011 – Facebook
Know your enemy
Nope. Your enemies might be:
• Masato Kinugawa
• Neal Poole
• Nils Juenemann
• Szymon Gruszecki
• Wladimir Palant
Learn your target: Overview
• Spy on their blogs: new bugs bring new ideas for detecting different vulnerabilities.
• Learn the company: unchecked services, successful acquisitions, untested / less secured web applications.
• Multi vector: unknown vectors / logical techniques.
• Repetition of weak spots.
Google Overview
Learn the company:
• Successful acquisitions: http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google (more than 1 acquisition per week since 2010!)
• New services – Knol (???), Friends Connect
• Subdomains
• Learn all the functions of the application you are going to test
• Multi vector: unknown vectors / logical techniques
• Repetition of weak spots
Google Overview
Approach: logical / mixed issues
XSS for fun and … profit?
• XSS is not just for account hijacking
• A trusted website runs malicious JavaScript…
• Client-side exploit, anyone?
Google Overview: Convention
• Calendar: google.com/calendar
• Friends Connect: google.com/friendconnect
• Knol: google.com/knol
• Analytics: google.com/analytics
• Blogger: google.com/blogger
Google Support Overview: Convention
• Knol: google.com/knol (no support site)
• Friends Connect: support.google.com/friendconnect
• Calendar: support.google.com/calendar
• Analytics: support.google.com/analytics
• Blogger: support.google.com/blogger
• AdMob: support.google.com/admob
Google Calendar Stored XSS
Google Calendar: Error based
• General attacks against Google Calendar.
• Going deep into the application.
• What we found.
• We need to find a way to trigger it for REMOTE users.
Stored XSS (Error based): “Self” XSS payload
Google Calendar: Error based
• Changing the attack vector
• Resolving the self-XSS issue by using the Sharing option
Google Calendar Error based
The Sharing process:
Google Calendar: Error based
Wait, HOUSTON, WE HAVE A PROBLEM!!! The user must delete the calendar 1-5 times. How can we force our target to delete our malicious calendars?
Google Calendar: Error based
• Resolving the problem: there is no sharing limit.
• The user gets an email for each share, and our calendar is added automatically to the victim’s account.
Google Calendar: Error based
• Calendar SPAM!!!
• After the user deletes 1-5 of them, an error occurs.
• Error message details: “Calendar (calendar name) could not load”. After that, a stored XSS is triggered :)
Google Calendar: Error based. Game over! Achievement unlocked.
Google Analytics – Stored XSS
Google Analytics
In-page analytics doesn’t escape incoming requests:
• Meaning, an attacker can send XSS to the administrator by sending a URL
Google Analytics
Let’s exploit this vulnerability in 2 creative ways:
• In-Page Analytics – when the administrator logs in. Ouch.
• Sharing – infect ourselves and share our Analytics with the victim (direct link to in-page analytics)
Google Analytics: 1st method
Google Analytics
Let’s wait for our administrator to log in.
• Achievement unlocked: we can run JS on any web administrator using Analytics
Google Analytics
• Second method: sharing our analytics with the victim
• We add the victim with read-only permission and submit the link for the google.com/analytics account with our ID
Google Analytics: Game over. Achievement unlocked.
Google FeedBurner Stored XSS
FeedBurner provides custom RSS feeds and management tools to bloggers, podcasters, and other web-based content publishers.
Google Feedburner Stored XSS: the feed title is “vulnerable” to an XSS
Google Feedburner Stored XSS: Wait, nothing happened here!!! There is “NO” XSS.
Google Feedburner Stored XSS: Let’s look closer at the features of the FeedBurner app.
Google Feedburner Unsubscribe XSS
• We already know that there is a Subscription feature in FeedBurner, right???
• What about the Unsubscribe option? Maybe this can help us?
Google Feedburner Unsubscribe XSS: When the victim decides to unsubscribe from the malicious FeedBurner feed, a stored XSS runs on his client.
Google Feedburner Unsubscribe XSS: Let’s exploit it with two methods:
1. The victim subscribes to the service and later unsubscribes from the malicious FeedBurner feed.
2. The attacker sends a malicious unsubscribe link to the victim (the victim doesn’t need to be subscribed to the malicious feed).
Google FriendConnect: Error based
Meet your new best friend:
Google FriendConnect: Error based
The target approved our request. Now, let’s force him to delete us, but not before we change our name to: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA …. “><XSS Payload>
Google FriendConnect: Error based
After the user deletes us:
• Achievement unlocked.
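The Calendar and FriendConnect bugs above share one shape: a stored, user-controlled display name is escaped in the normal view but rendered raw in the error page the victim reaches when deleting it. The following is an added example, not code from the slides or from Google: hypothetical renderers that model that split, the corrected error page, and a canary check that audits every render path, error templates included.

```python
"""Added example (not from the slides) of the "error based" stored XSS pattern
seen in the Google Calendar and FriendConnect sections, plus a canary check
that finds the leaking render path.

In both cases a user-controlled display name (a shared calendar's name, a
friend's profile name) is stored and shown safely in the normal view, but the
error page the victim reaches when deleting it renders the same name without
escaping.  The renderers here are hypothetical stand-ins for such pages; the
malicious name copies the shape shown on the FriendConnect slide.
"""
import html
from html.parser import HTMLParser

# Constructed names: the second follows the slide ("AAAA..."><XSS Payload>).
BENIGN_NAME = "Team Offsite"
MALICIOUS_NAME = "A" * 50 + '"><XSS Payload>'


def render_list_entry(name):
    """Normal view: the developer remembered to escape here."""
    return f"<li>{html.escape(name)}</li>"


def render_delete_error(name):
    """Error path ("Calendar (name) could not be loaded"): escaping forgotten.
    Kept deliberately vulnerable; it models the behaviour the slides describe."""
    return f'<div class="error">Calendar "{name}" could not be loaded</div>'


def render_delete_error_fixed(name):
    """Same error page with the name escaped for an HTML text context.
    quote=True also neutralises the '"' the slide's payload uses to break out."""
    safe = html.escape(name, quote=True)
    return f'<div class="error">Calendar "{safe}" could not be loaded</div>'


class _TagCollector(HTMLParser):
    """Records the start tags a browser would parse out of a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    """Start tags present in the rendered markup, in document order."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def leaking_renderers(renderers):
    """Canary check: push a tag-bearing name through every render path and
    report the paths where the canary tag survives into the markup.  Error and
    notification templates belong in this list as much as the main views do."""
    canary = '"><canary-tag>'
    return [
        name for name, render in renderers.items()
        if "canary-tag" in start_tags(render(canary))
    ]


RENDERERS = {
    "list_entry": render_list_entry,
    "delete_error": render_delete_error,
    "delete_error_fixed": render_delete_error_fixed,
}

if __name__ == "__main__":
    print(leaking_renderers(RENDERERS))  # ['delete_error']
```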
Permission bypass – Google Knol
Knol is an online knowledge portal.
Permission bypass
• Privacy in Google Knol
• Function: publish / unpublish docs
Permission bypass: example of an unpublished document:
Permission bypass: this document isn’t accessible via direct URL.
Permission bypass
Google validates the permission and blocks us from viewing the unpublished document.
What can we do????
Permission bypass: Let’s meet our new friend :) Google Knol Translator Toolkit
Permission bypass
The attacker provides the URL of the unpublished doc.
Permission bypass: and magic happens.
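The Knol bypass is a confused-deputy problem: Knol itself refused the direct URL, but the Translator Toolkit fetched the same document as a trusted service and returned it to whoever asked. The following is an added example, not the slides' or Google's code: a hypothetical document store with a checked and an internal read path, the toolkit in its bypassable and corrected forms, and an audit that tries every user-reachable path as a non-owner.

```python
"""Added example (not from the slides) modelling the Knol permission bypass
through the Translator Toolkit as a confused-deputy problem, with the fix.

Knol checked the viewer's permission and refused direct URLs to an
unpublished document.  The Translator Toolkit fetched the same URL as a
trusted internal service and returned the content to whoever asked, so the
permission check never saw the real requester.  The store, accounts and
toolkit below are hypothetical models of that arrangement, not Google's code.
"""
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    owner: str
    published: bool
    body: str


@dataclass
class KnolStore:
    docs: dict = field(default_factory=dict)

    def get(self, doc_id, viewer):
        """User-facing read: unpublished documents are visible to the owner only."""
        doc = self.docs[doc_id]
        if not doc.published and viewer != doc.owner:
            raise PermissionError(f"{viewer} may not read unpublished {doc_id}")
        return doc.body

    def get_internal(self, doc_id):
        """Backend read path for trusted services: no permission check at all.
        Any feature that exposes this to users becomes a confused deputy."""
        return self.docs[doc_id].body


def doc_id_from_url(url):
    """Last path segment of a Knol URL; the URL shape is constructed."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def translate_url_vulnerable(store, url, requester):
    """The bypass: the toolkit fetches through the trusted internal path, so
    the requester's identity never reaches Knol's permission check."""
    body = store.get_internal(doc_id_from_url(url))
    return f"[translated for {requester}] {body}"


def translate_url_fixed(store, url, requester):
    """The fix: fetch on behalf of the requester, so the check Knol applies to
    a direct visit applies to the indirect one as well."""
    body = store.get(doc_id_from_url(url), viewer=requester)
    return f"[translated for {requester}] {body}"


def exposed_paths(store, doc_id, outsider):
    """Audit helper: try every user-reachable read path as a non-owner and
    return the names of the paths that hand back the document."""
    url = f"https://knol.example/k/{doc_id}"  # constructed URL
    attempts = {
        "direct": lambda: store.get(doc_id, viewer=outsider),
        "translate_vulnerable": lambda: translate_url_vulnerable(store, url, outsider),
        "translate_fixed": lambda: translate_url_fixed(store, url, outsider),
    }
    leaks = []
    for name, attempt in attempts.items():
        try:
            attempt()
        except PermissionError:
            continue
        leaks.append(name)
    return leaks


def sample_store():
    """Constructed sample data: one unpublished draft and one published page."""
    store = KnolStore()
    store.docs["draft-1"] = Document("draft-1", owner="alice", published=False, body="draft text")
    store.docs["pub-1"] = Document("pub-1", owner="alice", published=True, body="public text")
    return store


if __name__ == "__main__":
    print(exposed_paths(sample_store(), "draft-1", "mallory"))  # ['translate_vulnerable']
```

For a published document all three paths legitimately return content; the audit is only meaningful for documents the outsider should not see.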
Google Affiliate Network – Stored XSS + Administrator Priv!
Google Affiliate Network
What is Google Affiliate Network??
Google Affiliate Network
Google Affiliate Network is a free program that makes it easy for website publishers to connect with quality advertisers and get rewarded for driving conversions.
• Discover high-performing advertisers
• Save time with a speedy and intuitive interface
• Track conversions and access real-time reporting
• Enjoy local payments via your AdSense account
• VIP and Rising Star status for top publishers
Google Affiliate Network: The goals
1. XSS an account.
2. Gain administrator privilege.
Google Affiliate Network: First attack: ConnectCommerce -> Performics -> DoubleClick -> Google
Google Affiliate Network: First attack: manipulating parameters on the connectcommerce.com domain in order to inject an XSS payload on the google.com domain.
Google Affiliate Network: PoC: stored XSS from the google.com domain
Google Affiliate Network: Second attack?? Manipulate to gain administrator privilege on any Google Affiliate account.
Google Affiliate Network: manipulate the UserID and Email fields
Game Over 3133.7$!!!!!
Google Picnik – Local File Inclusion
Google Picnik
Picnik.com seems to be secure. So what is the way to crack the lock?
Google Picnik
1. Execute a brute-force attack on files and directories
2. Execute a subdomain brute-force attack
3. Port scanning
Google Picnik
Treasure found!!!!!! Result: subdomain vpn.picnik.com
Picnik WhoIs: on which server is vpn.picnik.com hosted?
Google Picnik
• So what was the story of vpn.picnik.com?
• Someone installed by mistake an older version of phpList on the Picnik vpn subdomain.
• No way!!! With the default password :) ?
What is phpList???
phpList is an open source email application and suffers from well known vulnerabilities.
Google Picnik
A file inclusion vulnerability that allowed me to get a shell, with a leet bounty: $3133,7
Google Picnik Game Over
Summary
• Out-Of-The-Box (Hack-In-The-Box) thinking
• Think different
• Information gathering
• Mixed services
• Permissions
Reference
• http://www.nirgoldshlager.com/2011/03/blogger-get-administrator-privilege-on.html – Blogger admin privileges bypass
• http://www.google.com/about/company/rewardprogram.html – Google Reward program
• http://www.google.com/about/company/halloffame.html – Google Hall of Fame
• http://www.slideshare.net/michael_coates/bug-bounty-programs-for-the-web – Michael Coates, Bug Bounty Programs, OWASP 2011
One more
Maybe it’s not a good idea to follow our blogs
Okay okay, one more Blogger video…
HPP (HTTP Parameter Pollution) attack
Join us tonight at the Hack-In-The-Empire event. For invites: [email protected], subject: HITE Invite
Itzhak “Zuk” Avraham - @IHackBanMe Nir Goldshlager - @NirGoldshlager
Thank you!