Why do I need this channel
I've always had an urge to share information. Some colleagues and close people believe that I am good at it. That I can tell complicated things in simple words and find an explanation that everyone will understand.
At various times, I had thoughts about teaching at school, creating my own courses for children or adults, even teaching people separately from the hinterland of the country. Because I have this position: if you find a business that interests you, you will be happy at the same time and you will definitely achieve a certain material success. And it seems to me that at the moment I have found such a thing for myself. And I want to tell other people about it, to tell it in an interesting way so that they can also fall in love with it and at the same time make good money. This is the first reason.
I believe that our century is the time of open information. Everything that I know and can do I owe to open reports on HackerOne, blogs of researchers from different countries, YouTube videos and other public sources. Since I have my own experience, my own achievements and ideas, I also want to share them with other people. Plus, unfortunately, our country is objectively lagging behind in terms of the quantity and quality of such content. And I thought I could at least fix it a little. Here is the second reason.
To be honest, for a few days I just dropped out of work, although I can not afford it, as there are a lot of obligations to my family. But I still wanted to write this post. And somehow it sets you up for work, no matter what. This is probably the third reason - to be able to just sometimes speak out.
Regardless of where you are from and how you feel about Russia now, if you are interested in my posts, if they motivate you, teach you something new, I am very happy about this.
Right now I have very little free time, but I will try to write more often.
If you want to support my channel, you can become its sponsor on
https://boosty.to/skavans (minimum subscription cost is about $1 per month).
Underrated: ClickJacking
Many programs simply don't accept clickjacking: they put it entirely Out Of Scope.
In general, deciding the payout amount or the in-scope / out-of-scope status by the type of vulnerability rather than by its impact is rather stupid; it has always seemed very strange to me.
For example, a scope might have reflected XSS with a complex user interaction on a domain containing a static page without any user data. And at the same time, clickjacking, which allows, for example, to delete objects from the user account (or the entire account) in one click, will be outside the scope. At the same time, it is obvious that the first vulnerability does not have a real impact, unlike the second.
Have you ever seen clickjacking, which does not affect the integrity of information in any way, but affects its confidentiality? Seems weird, right?
I once found clickjacking in NewRelic on a page that hosted a custom API key, and came up with such a funny exploit (see video).
Generally speaking, sensitive data can be stolen from the user in this way. In my example, I created a malicious registration page on some resource, and in the last step I pass off the frame containing the user's NewRelic key as the key for this site, and ask that it be copied into a text field to confirm that the key has been stored in a safe place (since it is displayed only once).
Alternatively, such tokens can be presented to the user in the form of captcha, which must be entered on a malicious site. I think that you can even put some CSS distortion on top of the iframe with the token to make it completely believable.
P.S.: the real impact is certainly not high, but I really like to come up with such non-standard PoC and exploitation techniques 🙂
If you want, you always can support my channel on Boosty (any donation starting from about $1):
https://boosty.to/skavans
Sometimes it can be useful to check which browsers support a particular technology. Especially when some newfangled protection is implemented on the site, and we want to understand whether it will work in all browsers.
For example, not so long ago Safari did not know how to use CSP Strict-Dynamic, which could sometimes be used when submitting XSS to a bugbounty.
When I have doubts about the prevalence of some security technology, I always go to caniuse.com.
Interesting:
- at the moment no one except IE supports X-Frame-Options: ALLOW-FROM, while some sites still use it for some reason, so you can get a little money by reporting clickjacking to them;
- Trusted Types are only supported by Edge, Chrome and Opera, so this technology is not yet destined to defeat XSS;
- once upon a time, it was decided to abandon the sanitizers built into browsers (X-XSS-Protection), since they were more of a headache than good. But not everyone refused. Safari still supports this header, and what it can lead to - I'll tell you another time 🙂
——
If you want to support:
- https://boosty.to/skavans
- ETH 0x1a90F6ABDD2D29bD7A9b8FE099ff8c7dd0961519
- BTC bc1q9uq96lfekq7ec6slhw72k6kvxntzfk9a4un3vs
Guys, I read an interview with some H1 hacker some years ago where he told that he was on vacation with his gf and she wasn't glad he was searching for bugs, so he hunted using his mobile and found some bugs. Does anybody know who this guy is? I forgot 🙁 It was one of the tops.
If I'm not mistaken, he was hunting in PayPal.
We have a chat here folks so you can join and discuss whatever you want (about bug bounty 🙂)
https://news.1rj.ru/str/+orgiucS0SEQ0Njcy
Bounty PLZ | in English Chat
https://youtu.be/oHYC1-CgrRk?t=243
LOOK IN COMMENTS, there are tools!
For those who have no laptop.
Frans Rosen is telling how he used his iPhone to search for bugs.
It was a long time ago but I think it's possible now too.
Also, if you find some intercepting proxy tool for your smartphone, you'll be able to do almost the same as we're doing using a laptop.
If anybody knows some tools like this, please mention them in the comments; it would be very helpful for many people.
Frans Rosén - Go hack yourself…or someone else will
Watch Frans Rosén's video from WROC# 2017
This talk will guide you through web security best practices and the most common security mistakes. Frans will give you a hands-on toolkit on how to integrate security in your everyday workflow, mixed with thrilling…
Obscure: CSP, SOP, CORS
#technical
Some of you ask me which of them is better and more useful in our bug bounty business. In honor of the milestone 1631st subscriber, I am writing a post with an answer for newbies.
Most importantly, you need to understand that although these abbreviations sound similar, they are generally about different things, although two of them are related.
Usually, when such questions arise, you just need to go to Google and read. But okay, let me google this for you.
CSP – Content Security Policy
In short: this is a header in the server's response in which it defines the content security rules for a given page that the browser must follow. It includes rules such as:
- which domains scripts are allowed to be loaded from and executed on this page (script-src);
- which domains are allowed to embed this page in an iframe (frame-ancestors);
- whether the use of base tags is allowed (base-uri).
More details: https://developer.mozilla.org/en/docs/Web/HTTP/CSP
When we need it: if some attack (usually XSS or Clickjacking) does not work where it should, we need to look at the CSP header and look at these very rules to understand if they are the reason.
I also sometimes look at the CSP ahead of time if I'm going to tinker with some complex XSS sanitizer. Because there have been cases when you spend a day bypassing it, and then it turns out that the page has a CSP and XSS still cannot be achieved.
There is a cool CSP security check service from Google: https://csp-evaluator.withgoogle.com. Here you can check whether there is a chance to bypass the CSP or whether there is nothing to be had.
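The clickjacking post, the note that ALLOW-FROM is no longer supported, and this CSP section all come down to reading the same two response headers. As an added example that is not part of the channel and is not csp-evaluator's code, here is a small Python audit that parses Content-Security-Policy and X-Frame-Options, says whether a page can still be framed by a third party (treating ALLOW-FROM as ignored, as the post above states), and lists script-src weaknesses in the spirit of the checks csp-evaluator performs. All header values and the SAMPLE_RESPONSES names are constructed samples, not any real site's headers.

```python
"""Added example (not from the channel, not csp-evaluator's code): audit the
anti-framing and script-source parts of a response's CSP / X-Frame-Options
headers from the defender's side. All header values are constructed samples."""
from typing import Dict, List

# Per the post above, ALLOW-FROM is honoured by no current browser except IE,
# so a page that relies on it counts as unprotected against clickjacking.
IGNORED_XFO_PREFIXES = ("ALLOW-FROM",)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'dir1 v1 v2; dir2 v3' -> {'dir1': ['v1', 'v2'], 'dir2': ['v3']}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_verdict(headers: Dict[str, str]) -> str:
    """Classify clickjacking protection from response headers.

    Returns 'csp' (frame-ancestors present and not a wildcard), 'xfo'
    (DENY or SAMEORIGIN), 'xfo-allow-from-ignored' (legacy value browsers
    drop, i.e. no protection) or 'none'. CSP wins over X-Frame-Options.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in csp and "*" not in csp["frame-ancestors"]:
        return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if not xfo:
        return "none"
    if xfo.startswith(IGNORED_XFO_PREFIXES):
        return "xfo-allow-from-ignored"
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"  # any other value is ignored by browsers


def script_src_findings(csp: Dict[str, List[str]]) -> List[str]:
    """Script-related weaknesses a reviewer would flag (rules modelled on
    what csp-evaluator checks; constructed here, not its actual code)."""
    findings: List[str] = []
    sources = csp.get("script-src", csp.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts unrestricted"]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    # with a nonce/hash present browsers ignore 'unsafe-inline' (CSP3)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        findings.append("'unsafe-inline' allows inline script (XSS not blocked)")
    for weak in ("*", "https:", "http:", "data:"):
        if weak in sources:
            findings.append(f"{weak} in script-src allows scripts from any matching host")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' allows eval()")
    if "'strict-dynamic'" in sources and not has_nonce_or_hash:
        findings.append("'strict-dynamic' without a nonce/hash has no effect")
    if "base-uri" not in csp:
        findings.append("no base-uri: an injected <base> can redirect relative script URLs")
    if "object-src" not in csp and "default-src" not in csp:
        findings.append("no object-src: plugin content unrestricted")
    return findings


# Constructed responses, not captured from any real site.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-protected": {
        "Content-Security-Policy": "frame-ancestors 'self'; script-src 'nonce-abc123' "
                                   "'strict-dynamic'; base-uri 'none'; object-src 'none'"
    },
    "weak": {
        "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https:",
        "X-Frame-Options": "SAMEORIGIN",
    },
}


def audit(headers: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks for one response."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    return {"framing": framing_verdict(headers), "script": script_src_findings(csp)}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, audit(hdrs))
```

Run on its own the script prints one verdict per constructed response; the "weak" policy gets an 'xfo' framing verdict but four script findings, while "legacy-allow-from" is reported as unprotected even though a header is present, which is exactly the case the caniuse note above warns about.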
SOP – Same Origin Policy
In short: this is the basic security principle that keeps the web as we know it secure, and by which all browsers operate. The basic idea is very simple: one site should not have access to another site. By "site" the browser understands an origin, which consists of a scheme, a host, and a port. That is, a script located on the site https://google.com will not receive user data from the site https://yandex.ru in any way. Even requests from https://yandex.ru to http://yandex.ru will not go through, since all three components of the origin must be the same for the browser to allow such access. The same works for frames, so if you frame someone else's page on your site, you will not be able to read its content in any way.
Of course, we can send a request from one origin to another, but the browser will not send the user's cookie along with it, which means that at most we can see the version of the page for an unauthenticated user, which is useless.
More details: https://developer.mozilla.org/en/docs/Web/Security/Same-origin_policy
When we need it: only while we don't yet understand this basic principle and are trying to do things that are simply impossible in 2022. Once remembered, it stays with you forever.
CORS – Cross-Origin Resource Sharing
In short: this is a mechanism that allows you to legitimately bypass the SOP. Sometimes (often) you still need the ability to send requests from one origin to another, and CORS was invented for this. The owner of a site whose data is to be made available to other sites must send, along with the response, allowing headers such as Access-Control-Allow-Origin: https://google.com. In the case above, a request from https://google.com will be able to retrieve data from that site. Well, it is not all so primitive, of course.
More details: https://developer.mozilla.org/en/docs/Web/HTTP/CORS
When we need it: to search for vulnerabilities like CORS misconfiguration. Sometimes (again, often) the list of origins that are allowed to receive data from the target site is not fixed, but is defined, for example, using a mask.
For example, the owner wants any Google domain to be able to read the data from his site. So he writes code that looks at the origin making the request and, if this origin matches *.google.*, allows access. From time to time this code is written crookedly and we can also request this data from, for example, the malicious domain google.hacker.ru
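To make the SOP and CORS sections concrete, here is an added example that is not part of the channel: a Python snippet that builds the (scheme, host, port) origin tuple the browser compares under SOP, then shows a CORS origin check written the sloppy way the post describes (an unanchored "google." mask) next to an exact-match allowlist that a server should use instead. The origins, the ALLOWED_ORIGINS set and the function names are constructed for illustration and belong to no real site.

```python
"""Added example (not from the channel): the origin tuple behind the Same
Origin Policy, plus a weak mask-based CORS origin check beside a strict
allowlist version. All URLs and origins are constructed samples."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Tuple[str, str, int]:
    """Return the (scheme, host, port) triple the browser compares under SOP;
    a missing port falls back to the scheme's default, so https://a and
    https://a:443 are the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port


def same_origin(a: str, b: str) -> bool:
    """SOP: all three components must match; path and query do not matter."""
    return origin_of(a) == origin_of(b)


# Weak check modelled on the '*.google.*' mask from the post: an unanchored
# pattern accepts any host that merely contains 'google.' somewhere.
# Constructed illustration of the bug, not any real site's code.
WEAK_MASK = re.compile(r"google\.")


def weak_cors_allows(origin: str) -> bool:
    """Return True when the sloppy mask would reflect this Origin into
    Access-Control-Allow-Origin."""
    host = origin_of(origin)[1]
    return WEAK_MASK.search(host) is not None


# Strict version: an exact allowlist of full origins (scheme + host + port).
ALLOWED_ORIGINS = {"https://www.google.com", "https://mail.google.com"}  # constructed


def strict_cors_header(origin: str) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value to send, or None to send
    no CORS header at all. Only https origins on the allowlist are echoed,
    and the echoed value is the normalized origin, never '*' (a wildcard
    cannot be combined with credentials anyway)."""
    scheme, host, port = origin_of(origin)
    if scheme != "https" or not host:
        return None
    normalized = f"{scheme}://{host}" + ("" if port == 443 else f":{port}")
    return normalized if normalized in ALLOWED_ORIGINS else None


if __name__ == "__main__":
    for o in ("https://www.google.com", "https://google.hacker.ru", "http://www.google.com"):
        print(o, "weak:", weak_cors_allows(o), "strict:", strict_cors_header(o))
```

The constructed google.hacker.ru origin passes the weak mask, which is the misconfiguration the post describes, and is rejected by the allowlist; the same helper also shows why http://yandex.ru and https://yandex.ru are different origins under SOP.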
If anybody wants to support the channel
💳 https://boosty.to/skavans
🪙 ETH, BNB, MATIC 0x1a90F6ABDD2D29bD7A9b8FE099ff8c7dd0961519
🪙 BTC bc1q9uq96lfekq7ec6slhw72k6kvxntzfk9a4un3vs
🪙 TRX THeRubKK1cNzVRD9JTTQYR7ApK8wCao8Fm
🪙 LTC ltc1q9k2lhuzfg7k482qkcswgqmn0vwsp32suf7yvr3
🪙 BCH bitcoincash:qqypg65vd2cmy54kevdu0ae4jp0229xddycx3xgsg5