One Article Review

The article:
Source: w00tsec (blog)
Identifier: 8300169
Publication date: 2014-07-16 23:40:46 (seen: 2023-01-11 16:56:00)
Title: Wildcard DNS, Content Poisoning, XSS and Certificate Pinning
Text:

Hi everyone, this time I'm going to talk about an interesting vulnerability that I reported to Google and Facebook a couple of months ago. I had some spare time last October and I started testing for vulnerabilities on a few companies with established bug bounty programs. Google awarded me $5,000.00 and Facebook paid me $500.00 for reporting the bugs.

I know you may be more interested in highly sophisticated exploits that allow arbitrary file upload to the Internet, with custom payloads that may lead to unexpected behavior like closing Security Lists. Hopefully this class of bugs is already patched by Fyodor, and Attrition is offering an efficient exploit mitigation technique.

The title may be a little confusing, but I'm going to show that it's possible to combine all these techniques to exploit vulnerable systems.

Content Poisoning and Wildcard DNS

Host header poisoning occurs when the application doesn't validate the full URLs it generates from the HTTP Host header, including the domain name. Recently, the Django Framework fixed a few vulnerabilities related to that, and James Kettle made an interesting post discussing lots of attack scenarios using Host header attacks.

While testing this issue, I found a different kind of Host header attack that abuses the possibility to browse wildcard domains. Let's have a quick look at the Wikipedia entry on Hostnames:

"The Internet standards (Request for Comments) for protocols mandate that component hostname labels may contain only the ASCII letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the hyphen ('-'). The original specification of hostnames in RFC 952 mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen. However, a subsequent specification (RFC 1123) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted."

The fun part here is that the network stacks of Windows, Linux and Mac OS X consider domains like -www.plus.google.com, www-.plus.google.com and www.-.plus.google.com valid. It's interesting to note that Android won't resolve these domains for some reason.
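To make the quoted RFC rules concrete, here is an added example in Python (not code from the original post or from w00tsec). It contrasts the suffix-only allow-list check that many applications use when building absolute URLs from the Host header with a check that also enforces RFC 952/1123 label syntax, and feeds both the three hostnames named in the post. The allow-list domain plus.google.com, the https scheme, the URL path and the helper names are assumptions made for this example.

```python
import re

# One RFC 1123 label: 1-63 chars of [a-z0-9-], neither starting nor ending
# with a hyphen. A leading digit is allowed (RFC 1123 relaxed RFC 952).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_host(host):
    """Lower-case, drop an optional :port and a trailing dot.
    IP literals (IPv4 / bracketed IPv6) are out of scope for this example."""
    host = host.strip().lower()
    if ":" in host:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def hostname_is_valid(host):
    """True only if every label satisfies RFC 1123 syntax and the whole name
    fits the 253-octet limit. This is the check the resolver stacks named in
    the post do *not* apply to names like -www.plus.google.com."""
    host = normalise_host(host)
    if not host or len(host) > 253:
        return False
    return all(LABEL_RE.match(label) for label in host.split("."))


def naive_host_allowed(host, base_domain):
    """Suffix-only allow-list, as many applications implement it: anything
    under the wildcard domain passes, including syntactically invalid labels."""
    host = normalise_host(host)
    return host == base_domain or host.endswith("." + base_domain)


def strict_host_allowed(host, base_domain):
    """Allow-list match *and* label syntax check."""
    return naive_host_allowed(host, base_domain) and hostname_is_valid(host)


def build_absolute_url(host, base_domain, path, strict):
    """Emulates an application generating an absolute URL (e.g. a link sent
    in an e-mail) from the request's Host header. Returns None when the Host
    header is rejected. Scheme and path are assumed for the example."""
    check = strict_host_allowed if strict else naive_host_allowed
    if not check(host, base_domain):
        return None
    return "https://%s%s" % (normalise_host(host), path)


# Constructed inputs: a legitimate host plus the three names from the post.
SAMPLE_HOSTS = [
    "www.plus.google.com",
    "-www.plus.google.com",
    "www-.plus.google.com",
    "www.-.plus.google.com",
]


def compare_checks(base_domain="plus.google.com"):
    """Return {host: (naive_accepts, strict_accepts)} for the sample hosts."""
    return {
        h: (naive_host_allowed(h, base_domain), strict_host_allowed(h, base_domain))
        for h in SAMPLE_HOSTS
    }


if __name__ == "__main__":
    for host, (naive, strict) in compare_checks().items():
        print("%-24s naive=%-5s strict=%s" % (host, naive, strict))
```

Running the block shows the three malformed names accepted by the suffix check and rejected by the strict one. The attack in the post needs all three links in the chain: the victim's resolver accepts the name, the wildcard DNS record answers for it, and the application reflects it into a generated link. An explicit Host allow-list (as Django's ALLOWED_HOSTS setting provides) is the primary control; rejecting labels that violate RFC 1123 syntax is the extra check that closes this particular variant even when a wildcard entry is on the allow-list.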
Sent: Yes
Tags: Vulnerability, Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.