Attacking Modern Web Technologies - Frans Rosen

Hello everyone, thank you for coming to the ultimate talk today. Today's talk is going to be by Frans Rosén; he's going to be talking about attacking modern web technologies. So, over to you.

Thank you. Let's see if my mic works also. Awesome, welcome. I'm gonna talk about attacking modern web technologies. It's a sucky name, and you could probably do like that, like "modern". So the thing is, if you say "I'm gonna talk about new web technologies", that sucks, because nobody's using that. So my idea about the talk was basically to talk about modern, because modern is what people use.

My name is Frans Rosén. I tried to call myself the Swedish ninja; it's a douchebag move, but the reason why is that every time I show people outside of Sweden this profile pic they're like, "yeah, you're dressed as a ninja, you're a hacker", but it's super cold in Sweden, so that's why I have that image. I work as a security advisor at Detectify, and we're doing automation; we have a booth, booth 17, outside of this room. I do a lot of bug bounties; I use that as R&D, research and development, to enhance our product. Right now I think I'm number seven, but it's a weird point system, no bad feelings HackerOne. I do blog posts at our Labs blog as well. I like to do live hacking; I've been to a bunch of live hacking events and I try to do good at them. I will talk about some bugs from these events, but I won't disclose who it is or whatever, so I will try to keep it isolated, and not all of them are from these events anyway.

The rundown for this is that I'm gonna talk about something that is not modern, but I will just try to explain why I want to talk about it, and then I'm gonna refer to it inside upload policies, which is something that I've been talking about for the last weeks, so there's some stuff disclosed there. Then I'm gonna do a deep dive; this is the interesting thing of this talk. I'm gonna do a deep dive in postMessage implementations and talk about some really fun bugs, so it's gonna be client-side race conditions, some leaks, extracting data, abusing sandbox domains; that's the fun part. So we're gonna rush through the other things, and if we have time I'm gonna share two as well.

So AppCache: not modern at all, it's a super old thing. First a disclaimer: last AppSec, filedescriptor actually talked about this specific vulnerability, but bear with me, there's a reason why I'm talking about it. He found it independently of me and Mathias, avlidienbrunn, Mathias Karlsson; we found it separately from each other. So when we saw it last AppSec we were like, "oh no", but yeah, we also have some pretty fun stories about it.

So AppCache. AppCache is basically a way for your application to cache data on your site, which means that if you have a manifest on your website, or in your DOM, and point that to an AppCache, you can tell the browser that if it gets offline, for example, it's gonna cache these files, so it will still serve them even though your browser is offline. The replacement of this is of course service workers; that's the proper way of doing this, but this is the old version of service workers, and when this was implemented, security people were not invited to that meeting, as you will see.

So this is how it looks. There's also something called a fallback inside this manifest. Fallback means that whenever you can't reach the website that you want to cache, the fallback will actually point to somewhere else and we serve that file instead. So this means that whenever you access a URL on a site that has AppCache and it can't reach that URL, it will use the fallback. The interesting thing in here is that I talked about being offline, and that's why you're using the fallback; the interesting thing is that if you get an error 500 on the website, that's the same thing as being offline, so that means that the fallback will be used as well. Which means that if you were able to make the URL that the person visits on this site trigger an error 500, the fallback will be used.

So how do you do that? There's a technique called cookie stuffing, or cookie bombing, which basically fills your cookies so that the request you're doing to the site is huge, it's gigantic, which means that every time you hit a domain using cookie stuffing it will error out in a 500, saying "oh, this request is too large for me".

So the bug that we found was basically this: if you have a manifest with a fallback, you could actually, even though that manifest is placed inside a path on a domain, on this domain you have a manifest inside a path, and in that manifest you're saying the fallback for everything on this domain should fall back to my file next to me. This is really bad, because this means that if you can install a manifest inside a path down on a domain, you can install a fallback for all the paths on the same domain. This means that if you have user paths, having specific things for specific users, you can actually install a fallback for all the users inside this.

The reason why this was a bug in every browser was because the specification was so vague. It says "manifest can only specify fallbacks that are in the same path as the manifest itself". What that means is up to you to translate yourself, but what people thought was, okay, so the manifest needs to be next to the fallback endpoint; that was what all the browsers assumed. But what it really meant was that you should not be able to have a fallback for a path that is not the same one as the manifest is being installed in. So that's one of the big reasons why this happened.

So this might sound like gibberish to you, so I'm actually gonna show you a demo of how this works. This is a live demo; not live, dammit, because it's fixed now, but this is on dropbox.com. So dropbox.com, just to give you a preparation of this: dropbox.com had a Public directory, and if you put stuff in that Public directory, you could have a website on dropboxusercontent.com. Everybody had the same subdomain, dropboxusercontent.com. What happened was that we found a way to use an XML page, using a manifest on that page, pointing that to a manifest in the same directory saying "please use our other XML file", and when that XML file is running we're going to take JavaScript in the XML, because you can of course run JavaScript in an XML file, and take the URL that you're trying to access and log it to my external server.

So we're gonna see right now. This is my screen, I'm on dl.dropboxusercontent.com, and now I'm gonna visit this site that installs the manifest, so you can see in the DOM that I have a manifest and a cookie bomb, which basically are the things I need. So what I'm doing right now is installing the manifest; this is how the manifest was installed. Now I'm gonna access a totally different file and it's gonna log me, saying "this is your file". I'm gonna go to dropbox.com now, go to our website and download an image, download this, just go to this, because I now have the AppCache. I now took the URL of that site, and I can also go to my logging site and look at the log and see that here is the URL for the Dropbox.

When we sent this to Dropbox they were not that happy, because they thought that they had made every mitigation they needed to actually make this not work. One of them was using a CSP called sandbox, which is supposed to isolate you from doing anything at all; however, the manifest is still allowed on sandbox. That was one of the bugs that we actually identified when reporting this. So the whole bug was: you could run XML on dl.dropboxusercontent.com as HTML; that one installs a manifest, which means that every file downloaded from Dropbox would use the fallback HTML because of the cookie bomb, which would log the URL, sending it to us, so we could download every file you had in that site. AppCache never expires, by the way, so this was just that persistent, unless you're wiping all your storage. So every secret link would be leaked to the attacker.

They paid out pretty good for it, so me and Mathias received $12,000 for this thing. But not only did they pay for this, they actually went to all the browsers and coordinated together with us, telling them that you need to fix this. So Dropbox did their own mitigations. What they did was basically: no more XML/HTML on dl.dropboxusercontent.com; they also removed the whole functionality of a Public directory, because that was a legacy thing and they didn't want to use that anymore; they coordinated, as I said, with all the browsers; they also made it so the browsers do not support a fallback pointing to the root: if you're inside a path with a manifest you can't install the AppCache on the whole domain; also they're trying to deprecate the whole AppCache so it doesn't work anymore; and also Dropbox added random subdomains, so even though you get an AppCache installed in one, you can't attack another one. All the browsers surprisingly actually fixed this. We reported it back in February last year and they fixed it around June; even Safari and Internet Explorer fixed this, hallelujah. Yeah, we also got some bounties for it, so that was pretty fun.

But the cool thing is, the mitigation they did was the fallback path: you couldn't escape to the root, so AppCache abuse is still possible. They added a really, really important mitigation, HttpOnly; it doesn't matter in this case, of course HTTP is going to be used. So if you have files uploaded and they can run HTML, could be on an isolated sandbox domain, same thing as Dropbox, and files are uploaded in the same directory for all users, you could basically use this. Also the big brother of this: you can do exactly the same thing with service workers. They have some mitigations; they expire if the service workers aren't there anymore, they will expire, but you can basically get them to renew anyway. So the service workers work the exact same way: if you have a bucket and you upload files for different users in the same path, could be isolated from your own domain, someone can install AppCache on it, and sometimes service workers. I think they've added some mitigations to service workers, you need a header, but yeah, it's still possible.

So going from this, the non-modern things, I'm gonna talk about upload policies. This is the only thing in my description of this talk, but this is not the thing I want to talk about; I will go through it anyway because it's awesome. So the way to upload files using S3 and Google Cloud before was basically: you took the binary, or the image or whatever, and then you uploaded it to S3. But they realized, okay, can't we do so the clients themselves upload the file directly to S3? And they thought about it and they said, okay, so we have a policy, and if you upload that policy together with a signature, and then upload that together with a file, if the file follows the policy you can upload it. So that was a pretty smart move. Problem is, it's super easy to do wrong; that's the main issue with this.

So a policy upload looks like this. It's basically posting to an S3 bucket together with a policy, signature, access key and some other parameters depending on the policy. So if you see here, the policy is basically base64 JSON. The JSON contains all the rules of the file that should be uploaded. I would say that probably all lines in this policy can be abused, which is quite bad.

So just some common pitfalls in this, and this is specific to AWS, this specific policy rule, but it looks similar in Google Cloud. For example, if you have starts-with key, key is basically the file name; if you have an empty starts-with, that means that you can replace any file in the bucket, because the policy says whatever file you want, in whatever directory you want, wherever in this bucket, you can place it wherever you want. So this is a really bad one. Another one, referring to the last one that I talked about, the AppCache and service workers, is that if you have a starts-with and a key but no path separator, that means that they can store stuff in the root of the bucket. And if you don't know about S3 buckets, S3 has two ways of accessing them: either you have bucketname.s3.amazonaws.com, or you have s3.amazonaws.com/bucketname. But having the one with the subdomain there, bucketname.s3, you can actually do this thing with AppCache that I mentioned, so that's super bad. Also content type: if you have a content type with empty starts-with, this is super common, you can upload HTML files, of course depending on... you can also have a rule on the Content-Disposition, and if you don't have that you can basically upload whatever, you can have an inline file, meaning you can run HTML. The funny thing is that even if you're using starts-with together with a MIME type, you can just fool a browser to use text/html anyway. So if you have starts-with image/jpeg, you can just add "image/" and then a format that the browser won't know about, and then a semicolon and text/html, and it will use text/html. So these two are just as bad.

And looking more at the upload policies, when you think about the policy, what this means is that you need to have a policy served for each user, because if you point everything to the same path in the policy, people can upload files and override other people's files. So you need to have something that provides a custom policy for the current user. This is where stuff starts to happen, because people are building custom business logic around how to provide a policy. This is a good example of how it can actually go wrong. So in this case you have a user upload to a website, and what happens is that you give it a MIME content type and a file name, and when that happens you get a signed URL back. The problem is, as you see, this is specific down in our upload file; everybody can use the same directory, so you can override files. And also remember, if these files are private, meaning you need a signed URL to actually access them, but you know a file name like invoice1.pdf, you can just provide it with invoice1.pdf and get the signed URL and just download it. So then you get access to everything, and people get crazy about that; of course you can get access to every file you want.

The thing is, custom policies suck, and trying to roll your own policy logic around this, providing it, it's such a bad environment out there; looking at it, it's so easy to do wrong. The thing that you want to achieve is that you want to go to the bucket root. If you get a signed URL to the root of the bucket, you get the file listing of the bucket; in a normal setup you get that. So we're back to the 90s. This is an example of a website where you say "I want to have this image please", and it will give you back a signed URL. The problem was that when you give it path traversal, this is back to the 90s, like when you did path traversal through file uploads, it will actually normalize the URL and give you back a signed URL to the root folder of the bucket. So you have full read access to every object, plus object listing; you can do whatever you want.

Another one was they were trying, with regular expressions, to extract the URL from the URL you gave it. So basically you gave it a URL saying example-bucket, and the directory and the file, and it would insert it back into the URL and give it a signed URL. The bypass of that was basically just fiddling around with a bunch of data, and suddenly you get, as I said, the two different formats of S3: you can have s3 and the bucket name as a directory. This means full access to every object.

Another one that I enjoyed very much was basically: you gave them a key and said "please, xx11 should point to the S3 key /". What happens then is that it says okay, we created that, everything is cool, xx11 points to slash, and then you went to their site, /files/xx11, and that one redirected you back to their bucket. The problem with that bucket was that I think I had like two gigabytes of file listing until... I was like, I will never get the whole file listing of this. This contained everything of this company; it was crazy, they had one bucket and that was everything. So I reported this to a bunch of companies; the funniest one was basically one that said "this is the worst thing ever, and here's $25,000". That's the worst. Okay, I'm done.

Let's deep dive in postMessage. I love postMessage. Okay, so one year ago I talked with a guy called fite; fite was here, and we talked about, it would be nice, postMessage is hard to find, it's very obscure, it's really hard to identify, we should build an extension. And when I came home from AppSec last year I was like, I'm gonna do it. So my plan was to build a postMessage tracker that catches every listener in all frames. So if you know about postMessage, you probably know that the Chrome console, for example, can show you the message listeners. Surprise, surprise, it only shows them for the current window you're currently in. That means that if you have 12 iframes with 200 listeners you won't see them there, unless you're changing the current scope of your window. I also wanted to find the function receiving the message, and I also wanted to log all messages from all frames between each other. And I succeeded; I actually made a Chrome plugin. So basically when you go to a website you get a notification of how many postMessage listeners you have, in what frames they are, and you can also see the messages getting passed between these listeners.

This was quite fun, because I realized I've been missing out on so many listeners inside an iframe inside an iframe. Google Tag Manager installs a script running, and inside that one there's a little iframe having a listener, and then it provides data back to the main window. So I found a lot of stuff. If you saw Jim's talk in here before, he showed you that eval is like XSS as a service. I found that it's like, "oh, you have a message for me, I'm just gonna run it in eval", which means that you can have a payload saying, okay, can you just alert the domain please, and that's what's happening. Some more complex solutions to it, like this: if you provide it with a js load script property, you can basically make it load JavaScript, so you provide it with a data URI and you can just say "please run JavaScript, and this is my JavaScript". I found some more complex cases; this is not one of my favorites.

So instead of looking at how to get XSS using postMessage, I'm trying to think about how I can use postMessage, without having any XSS, to extract data from your website. I found a really cool service called ClickTale; this is fixed now, so I'm not disclosing anything broken. Can someone see something bad with this one? I'll give you a hint: it's the red regular expression in there. So the problem here is that the dots are not escaped, and dots in a regular expression mean anything. So my demo of this was basically to create a look-alike domain ending in clicktale.com, with another character where the dot should be, which is a domain that doesn't exist but still applies and passes this origin check.

So that was my first, okay, I can bypass this, what now, give me something fun to play with. And I got this one, and starting to look at it I'm like, this is super boring; I can provide it with "test rules"; what the hell is test rules? And I was like, should I spend the time looking at this one? It's all about doing breakpoints and going down the code and realizing what the hell this code is doing. So I was like, okay, let's do it this time. So I started looking at it and I saw that as soon as you provide this JSON with test rules, it will initiate a bunch of factories, constructors, from actions, observables and states. And I was like, oh, I'm really gonna dig down in this and try to understand this. I never looked at any documentation; I was just totally looking at this. It would probably have been easier to look at some documentation, but I didn't. So I saw this and I'm like, okay, I can construct something that's super interesting. I started looking at the actions one and I saw that I could provide it with events, but I had no idea what it does, so I just dug down deeper and I found this switch, and this made me really curious. So I could provide it with options, and what it would do is basically try to fetch those options. The funny part of this was basically everything, everything was super interesting. The one that I actually ended up using I think was element value or JS variable value. The thing was, I had to understand everything; I couldn't just point to the action, like "give me this", because you had, as I mentioned, triggers and then you also had states. So I started constructing this. I realized that you need a trigger, something to trigger the rule, and I found one of the rules being a delay, so I could wait five seconds and it would trigger the action. The problem was you need a state also, you need something. So I first started with this, and I realized, okay, can I do something that I really know exists? Oh yeah, I could use JS variable exists and then say, is this the domain you're running on, and example.com was the domain. So that one passed. And then it went funny, because then I realized that I could use a test rule event, an action saying please use the element value with a query selector. So I basically found a way to extract whatever you want using this postMessage listener, to extract all the data I wanted on this site using these three: actions, states and triggers. So basically I made a proof of concept sending the message telling them, please use this query selector, give me the CSRF token, and tada, I got it. So this was so complex; I spent probably two or three or four hours on this, just trying to figure out what the hell was going on, but this was super exciting.

Next one was basically XSS on an isolated but trusted domain. What does that mean? You're isolating it because you're not trusting it, right? Yeah, but the sandbox domain was not only used for insecure content; it was also used to convert documents being uploaded on the trusted domain. They used a converter on the sandbox domain. The reason for that is that they didn't want to use the converter on the trusted domain, because the converter was not trusted. The problem was that postMessage was used to transfer data between the sandbox domain and the trusted domain, and that's pretty interesting, because as I said, it's insecure, they don't trust anything on this domain. So the document service looked like this: create a new document, that's it. I found the XSS on the sandbox, and I basically used this XSS to open a new window. Because of their relation between each other you can't do anything; they are totally different domains, so they don't have any access to each other. However, when you click on "create new doc", that one created a little iframe with the listener of the conversion, so that one is passing data down to the iframe. The cool thing is that that iframe and my XSS site have the same domain; they can talk with each other; I can even access all the JavaScript inside this iframe, because it's the same-origin policy, that's how it works. So when someone uploads something on this domain, that data gets transferred down to the iframe to convert it into a proper document. I then hijack that JavaScript and make it send the data over to me, which means I get the content just because they went to my site and then decided to upload a file, which was a lot of fun.

Another thing I've been looking at is something called client-side race conditions. I have no idea, I've not heard about it before, but there are probably a lot of vulnerabilities that you can race on the client side. What I noticed was that postMessage has some interesting properties that actually make this a lot more possible. So one site that I found was basically: when you went to the website the first time, you're getting a script that is loaded, there's a JavaScript being loaded, and when that script is loaded it's gonna launch an iframe, and that iframe is gonna tell you what language you will be presented with, like a super weird locale service, but it was pretty interesting. So if you see here, from the beginning, the listener was launched before the iframe actually replaced the data. And starting to look at this one, it's actually looking at the origin. The worst check of the origin you can ever see is indexOf. If you're checking the origin, indexOf sucks completely, because indexOf says, is this in the beginning of your domain? Yeah, it is, okay. So I just add this domain as a subdomain of my own, so linkedaccount.example.com is a valid origin using this indexOf. Never use indexOf in your origin check; strict origin checks every time.

The problem was that the listener, when the origin passed, this listener showed up. What it does is basically loading a JavaScript file and embedding it. You can't control what domain it's loaded from, so you couldn't do that, and also it has a limit: it can only load one script and then it will die. So what I found with the script was that the parameters that were loaded, that is over here, actually were not sanitized, so you could provide it with data in the parameters that would not be escaped, so you could actually add your own parameters. So I started looking at this script, and what it did was basically load a script like this, and I found that there was a parameter that was not being used in the script, but a parameter called osl, that you could inject in this JavaScript, your own JavaScript in it. So I'm escaping the variable inside this JavaScript. The problem was I didn't have osl, but remember, currency was not escaped, so I can actually provide it with an ampersand and then osl, and then inject that parameter. The problem is they decided that alert should not be used. Don't ever think in that way; there's no reason to block alert. Just to show how bad it is, I'm gonna write a bypass for this; it's super easy to do: you're basically creating a new iframe element, and then steal the document, or the window alert, from that, and then just use that one. So in the end I have a link.example.com; you open the website, go to this site, and I'm gonna stress it so much: every 10 milliseconds I will send a message telling them that the currency is actually "&osl=" and a function restoring the alert function, and then just alerting document.domain. The thing is, whenever you access this site it's going to load the JS file, but because I'm stressing this so hard, that iframe that will actually run this one, I will get before that one and steal the initiation of this one running the XSS, which is fun. So I was racing that JavaScript to load the iframe, and I came in between. So the race condition here is basically postMessage between the JS load and the iframe load; I was able to inject that, and it worked in all browsers. That's how it's supposed to work, because there's some waiting time between the loading of the iframe and the JavaScript.

Another client-side race condition I found, which was funny, and this is a complicated one, but we'll try to get through this, was this listener. Can someone spot a bug in this? Okay, I'll give you a hint: the replace here is a very common mistake, but the replace means replace the first dot. So in the end this will mean that if you have this example.co.nz, it will just replace the first dot. Can you find the next bug? It's actually there; the hint was the co.nz. So if you look at Wikipedia on .nz, in 2015 they decided to remove .co as a requirement for companies, so you can register directly under .nz yourself. That means that we can actually create an exampleco.nz that will be passed by this one, because of the replacement of only the first dot, that one will actually pass, and exampleco.nz is conveniently available to register.

So that means that this website that had the listener basically works like this. You have a food site that you can subscribe to, getting recipes and... I have no idea, I've never subscribed, but what happens is, when you press subscribe, it's gonna open an iframe, and they have a PCI-certified iframe called foodpayments.com. Classic thing: we're gonna sandbox our PCI certification because we don't want to pay for a PCI certification for our whole domain, so we're just gonna have a PCI certification on one. So what happens when the iframe is loaded: the main frame will send an init call to this iframe, and that's just to say "hello, are you awake?" The iframe, when it's loaded, will receive this message and say, oh, the origin of this message is okay, I approve; I will also save you as the target of every message I will send in the future, and I will also tell you that I've been initiated properly. The reason why they do that is because in the main frame they have a function, a timer, that if it doesn't get the init in a couple of seconds it will fail and say "payment failed". So as soon as it gets an init call from the iframe, it will say okay, all is okay, don't kill the frame. What happens after the "all okay, don't kill the frame" is that the main frame will say, okay, please load Stripe, and please load Stripe together with the public key of our Stripe account. The thing is, this is because they want to have a geo-located payment-providing website, so the main site is providing the user data where it should initiate, so we could initiate a Braintree payment or a Stripe payment or whatever. And their iframe will say that if I'm already inited, I got the init call, and you're trying to load a provider, I will initiate that provider and I will kill the message listener. This is basically the same as the first one: you can only do this once.

Did you see the bug? The problem here is that I can open my exampleco.nz, which passes the origin, open the ilikefood website that says "please subscribe". The user will press subscribe, open the iframe, and I will start stressing that iframe, sending this postMessage into the iframe, because that's totally valid; postMessage is a cross-origin functionality, cross-origin resource sharing. So I would say: please use this key, please use this key, please use this key, and it's like, but I haven't inited yet; remember the init check for the load; I haven't inited, I haven't inited. And then between the main frame and the child frame they'll say init, init, init, but I'm stressing them, sitting there with load, so I will get in between, and it will load my key instead in the iframe. What happens then is that basically you get this input, like "please enter your credit card to subscribe to ilikefood". You enter your credit card and it will say it failed. The reason why it says it failed is because the ilikefood website can't validate that the payment went through, but Stripe will have, in the log of my Stripe account, the token key, because it was successful on Stripe. But whenever ilikefood wanted to validate the payment, it's just a different account, because it loaded my iframe instead. So I can use that token now, and it's a subscription; I can charge whatever I want on this card. And I also capture the money.

So the interesting thing with this one: I tried it for a very long time and I realized that the postMessage from an opener between two other postMessage calls, it was like nothing running in between those calls. Chrome was the only one actually allowing that; Firefox did not. So this is probably some form of browser quirk that makes Chrome open to this injection of a postMessage from a completely different place. There's a guy with a horse.

So when building this postMessage tracker I had a bunch of speed bumps; I wasn't done a year ago, I've been trying to solve these speed bumps on the way. So one of the problems I found was basically there are a bunch of function wrappers out there. They're being used to track how the website performs in terms of function calls, so they are wrapping every function you have on your website and calculate the time between those function calls. That's why you can go to New Relic and say, how long does this JavaScript function take to load? So when you start looking at the postMessage listeners inside the Chrome console, it would look something like this, and everything is pointing to nrWrapper. And in the beginning, when I started using this, I ignored it for months; I was like, this is something that they're just tracking something with. But then I realized, depending on your website, you had more or fewer of these, so I was like, is this really something? And I realized, hell yeah, that's all the listeners in there; you're not gonna see other listeners. So what I did, what I found: my extension actually finds the wrapper and I jump over it, and then I provide the JavaScript back with the original function, and I do that recursively. So you could have Raven, Rollbar, Bugsnag, New Relic together, and I will unwrap all of those, which means that even in the Chrome console I'm enhancing the user experience to actually look at these postMessages, which was mind-blowing for me. Once I found that, I was like, okay, so everything I thought did not have any listeners, they had a bunch, and they were just
like so broken so that was one of the speed bumps and one of the solutions another one I had was jQuery like the gems talk like jQuery everything is wrong this was how all the jQuery listeners looked like and jQuery is a mess it's also a mess because it's like changing for every version of of jQuery so I had a bunch of ways to solve it and I ended up in having three ways like I can use like a data object on the jQuery and expand the object and an event object and then I was able to actually unpack the real listener so when you go to the website that has this jQuery it will show the jQuery listener but I will also unwrap the jQuery so I will use those to us as a tracking because I don't get the stack trace from the Expando because the function is not being called but I can actually unpack it so I can see all the listeners the hardest problem I had was basically anonymous functions so you can create like anonymous functions inside JavaScript and I totally didn't know about that one being like a special little breed in chrome so in in like a couple of months probably I sold this in like January so for half a year I had 12 listeners on a website and and then I disabled it and I saw that there were 14 of them and I started looking at it and I'm like ok I can't solve this like the problem is that chrome will not tell you what function it is so that's why I was missing them but now I can actually find them and say there are two anonymous listeners in here but that's it the thing is Firefox has this you can actually set the function and get it but chrome just decided that no you will not be able to get that as a as a string and I'm using their function to string to to get the function so have I released it yet no I suck like it's so much fun like I really like ended up in being like a deep dive in like what could I like add to to this so I like I have so much feature I want to add to it and I have some ideas like I want to be able to like trigger the debugger as soon as 
the messages come in I can actually trigger the debugger specifically for that message so I can modify it and since I own the order of all the listeners I can actually do that I also want to see if the origin is being used we had a discussion on this on Twitter I think was Cotto and and Eduardo from Google trying to see if the origin property is being checked also if you know about Rex Rex is a amazing little project created by Microsoft Labs and what what Rick says is basically a binary and you provide it with a regular expression and you provide it with a char set and it will give you a solution to the regular expression so I built a little tool that takes a regular expression of a domain or a URL and then it will fuss it until like I think it's Python I'm testing with until Python thinks it's a totally different domain so then I can validate the regular expression and see if I can escape it to another domain so that's something that I really want to like embedded to this Wow 141 slides I made it thank you very much I have one more thing oh sorry oh yeah I have one more thing that I wanted to share I'm gonna cut this off the livestream so one more thing yeah that's that's it so I have a little tool I won't release the post message tracker right now if you're really really nice to me maybe I will give it to you but I have another tool that I wanted to share it's it's quite fun so we did a project back in I think it was last year we did a project about s3 buckets and the problem with s3 buckets was basically that they're vulnerable that's it like end period the thing is you can hide your s3 buckets behind like CloudFront or a CDN service or something so I thought a lot about like how can i decloak these things so for you guys and girls I'm releasing my s3 bucket pic Locker on this URL so what it does is basically shaking with I think it's five or six different ways this is basically like read the manual because the manual says if you're sending invalid signatures 
we will say how it failed and we will also disclose the bucket so it's not like an ethereal day in s3 it's just that I read the manual and like okay I can use this this checks to actually the cloak the s3 bucket the cool thing with this is that you can actually find if someone used in a reverse reverse proxy on site like example of Chrome slash files and files is served on an s3 bucket you can find that bucket as well so it's actually gonna check what domain or what path is the actual s3 bucket and then use these hacks to actually find that what bucket it is it has been very good for me and I hope it will be for you as well thank you very much hey I think we've got about two minutes for questions so one or two questions anyone no questions my good good exercise what browser is the plug-in made for or is a cross browser chrome Chrome only no big reason I think I think if if you would port it to Firefox you would actually get all the anonymous functions as well so my guess is it should there's nothing like Chrome specific in it at all it's just that I've been finding them like this is a it works really well together with the breakpoint solution of the chrome console so I haven't found like a really good way in Firefox for example to see the their functions and make breakpoints and there's probably like in Firebug or something but I haven't done their research of it so and the problem is I really wanted to do this for Chrome extensions but a chrome extension doesn't have access to other Chrome extensions so I'm screwed there I don't really don't know how to actually solve that one but that would be amazing there's a lot of Chrome extensions listening and using post message but you can't really use an extension to monitor other extensions unfortunately this site okay I think this is it that's everyone think France Rossum with an amazing hacking job thank you very much
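The two postMessage bugs walked through in the talk (an origin check built from a pattern in which only the first dot is escaped, and a payment frame that accepts a provider "load" from any origin once it has received "init") can be reproduced side by side with their hardened forms in a few lines of plain JavaScript. This is an added example, not code from the talk or from the site it describes: the origins, the message names `init` and `load`, the key strings and the lookalike host `example.coanz.nz` are all constructed for illustration, and the browser's `message` event is stood in for by a plain `onMessage(origin, data)` call so the file runs under Node without a DOM.

```javascript
// Added example (not from the talk): a hosted payment iframe's postMessage
// handler modelled on the two bugs described above, each beside a hardened
// variant. All origins, message names and keys are constructed.

// The parent page the payment frame is meant to trust (constructed).
const TRUSTED_PARENT = "https://example.co.nz";

// Bug 1: the origin check is a pattern in which only the first '.' is
// escaped. The second '.' matches any character, and nothing anchors the
// end of the host, so an unrelated registrable name such as
// "example.coanz.nz" (constructed) also passes the check.
const FLAWED_PATTERN = /^https:\/\/example\.co.nz/;
function flawedOriginCheck(origin) {
  return FLAWED_PATTERN.test(origin);
}

// Hardened: compare the whole origin string for equality, no pattern at all.
function strictOriginCheck(origin) {
  return origin === TRUSTED_PARENT;
}

// Bug 2: the frame records the sender of "init" as its trusted parent, but
// then accepts "load" (carrying the payment provider's public key) from any
// origin. A page that can race the parent's own "load" gets its key loaded.
// With checkLoadSender=true the frame also requires "load" to come from the
// origin it recorded at init.
function createPaymentFrame(originCheck, { checkLoadSender }) {
  const state = { inited: false, parentOrigin: null, loadedKey: null, done: false, log: [] };
  return {
    state,
    // Stand-in for the browser "message" event: sender origin plus data.
    onMessage(origin, data) {
      if (state.done) { state.log.push("listener already torn down"); return; }
      if (data.type === "init") {
        if (!originCheck(origin)) { state.log.push(`init rejected from ${origin}`); return; }
        state.inited = true;
        state.parentOrigin = origin; // replies are targeted at this origin from now on
        state.log.push(`init ok, target=${origin}`);
      } else if (data.type === "load") {
        if (!state.inited) { state.log.push("load before init ignored"); return; }
        if (checkLoadSender && origin !== state.parentOrigin) {
          state.log.push(`load rejected from ${origin}`);
          return;
        }
        state.loadedKey = data.publicKey;
        state.done = true; // the provider loads once, then the listener is killed
        state.log.push(`provider loaded with ${data.publicKey}`);
      }
    },
  };
}

// The race from the talk as a fixed message order: a foreign page sends
// "load" before and after the parent's "init", and the parent's own "load"
// arrives last. Returns whichever key ended up loaded.
const FOREIGN_ORIGIN = "https://other.example"; // constructed
function simulateRace(frame) {
  frame.onMessage(FOREIGN_ORIGIN, { type: "load", publicKey: "pk_foreign" });
  frame.onMessage(TRUSTED_PARENT, { type: "init" });
  frame.onMessage(FOREIGN_ORIGIN, { type: "load", publicKey: "pk_foreign" });
  frame.onMessage(TRUSTED_PARENT, { type: "load", publicKey: "pk_merchant" });
  return frame.state.loadedKey;
}

// Demo output when run directly.
console.log("flawed check on lookalike:", flawedOriginCheck("https://example.coanz.nz"));
console.log("strict check on lookalike:", strictOriginCheck("https://example.coanz.nz"));
console.log("vulnerable frame loads:", simulateRace(createPaymentFrame(flawedOriginCheck, { checkLoadSender: false })));
console.log("hardened frame loads:", simulateRace(createPaymentFrame(strictOriginCheck, { checkLoadSender: true })));
```

The design point is that the origin recorded at init must be reused for every later decision, not only for choosing a reply target: checking `origin` once and then trusting the message ordering is exactly the window the talk describes, and it is closed by the second `origin !== state.parentOrigin` comparison rather than by anything about timing. The equality comparison likewise removes the whole class of dot-escaping mistakes that a hand-written pattern invites.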
Info
Channel: OWASP Foundation
Views: 9,538
Keywords: owasp, appsec
Id: oJCCOnF25JU
Length: 42min 57sec (2577 seconds)
Published: Sat Aug 10 2019