Hunting Security Bugs In Web Apps - Suleman Malik


Exploit 1 - Huawei

The account-information update endpoint required no cookie, so an anonymous user could modify any other user's information.

Exploit 2 - Intel Angularjs

Angular evaluates {1+1} as 2, so check whether Angular encodes the input.
The following payload printed the contents of /etc/passwd.

{php}$s=file_get_contents('/etc/passwd');var_dump($s);{/php}

Exploit 3 - CSRF

Although a CSRF token was present, the request was still accepted after the token was removed and the request replayed.

Exploit 4 - Password Reset

Password reset usually requires the old password, but if the request was intercepted and that field removed, the server still accepted it.

Exploit 5 - PostMessage

Everyone knows the origin must be validated, but the following is an example of doing it wrong.

// Listener on http://www.examplereceiver.com/

window.addEventListener("message", function(message) {
    // Flawed check: the dots in the pattern are not escaped, so each "." matches any character
    if (/^http:\/\/www.examplesender.com$/.test(message.origin)) {
        console.log(message.data);
    }
});

This regular expression matches not only www.examplesender.com but also wwwaexamplesender.com and wwwbexample.com.
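The flawed regex check from above beside a strict allow-list comparison, as an added example that is not from the talk or these notes; the `installListener` helper and the plain `win` object it takes are assumptions so the code can be exercised outside a browser.

```javascript
// Added example, not from the original talk or notes.

// Flawed: the unescaped "." matches any character, so look-alike hosts
// such as http://wwwaexamplesender.com pass the check.
const WEAK_ORIGIN_RE = /^http:\/\/www.examplesender.com$/;
function weakOriginCheck(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// Strict: compare the complete origin string (scheme + host + port)
// against an allow-list of exact values; no regex, no prefix matching.
// The allowed origin is the one used in the notes above.
const ALLOWED_ORIGINS = new Set(["http://www.examplesender.com"]);
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Wire the strict check into a message listener. `win` is any object
// exposing addEventListener (window in a browser; assumption for testing).
function installListener(win, onMessage) {
  win.addEventListener("message", function (event) {
    if (!strictOriginCheck(event.origin)) {
      return; // drop messages from every other origin
    }
    onMessage(event.data);
  });
}
```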

Exploit 6 - Subdomain Takeover

  1. Search all subdomains with a subdomain scanner such as DNSDumpster.
  2. Check the subdomain alias in the terminal by using the command
#host example.com or #CNAME info.hacker.one

Exploit 7 - oAuth Token Stealing

Example Request:

http://example.com/socialize.login?client_id=123456&redirect_uri=http://victim.com/&x_provider=facebook&response_type=token

Forged Request:

http://example.com/socialize.login?client_id=123456&redirect_uri=http://example.com%2f%2f.victim.com/&x_provider=facebook&response_type=token

Response:

http://example.com//.victim.com/?code=9999999999 

NIN: I don't fully understand this one. The speaker says such a response gets sent to both example.com and victim.com.

Payload

1. %2F%2F -> // 
2. %5c%5c -> \\
3. %3F -> ? 
4. %23 -> # 
5. %40 -> @