[HackerNotes Ep. 66] CDN-CGI Research, Intent To Ship, and Louis Vuitton

The guys cover the YesWeHack Louis Vuitton LHE, browser market shares and browser behaviours, OAuth redirect_uri bypasses, documented bug bounty journeys and Google's intent to ship features.

Hacker TLDR;

  • Louis Vuitton LHE: YesWeHack launched an LHE with Louis Vuitton. Team Spain seemed to dominate the leaderboards with some pretty good bugs. The leaderboard can be found here, Twitter thread here.

  • Browser Market Shares: Browser market share data has come to light with some unlikely competition and a discrepancy in the same-site Lax behaviour. Full information is below.

  • Justin’s Bug of the Week: Justin found a nice bug to bypass the validation in the redirect_uri of an OAuth flow, abusing flaws in the validation logic. A good resource on this topic from Blackhat Asia here and ‘Golden techniques to bypass host validations’ here.

  • Zero to Hero - Bug Bounty Edition: 9 Months with Justin’s Methodology-ish: Shreyas Chavhan made a cool blog documenting their bug bounty journey with a MASSIVE amount of data, lessons learned, and hours spent here.

  • Intent to ship: Staying up to date with new browser behaviours and features can often be quite fruitful when looking for XSS & WAF bypasses. Google posts these features publicly with a tag of ‘intent to ship’ for all upcoming features, which can be publicly viewed. Example here.

Louis Vuitton LHE

YesWeHack hosted a live hacking event with Louis Vuitton, who would have thought?

The LHE looked pretty sweet if you haven’t seen it on Twitter. Laptops, a backdrop of the Eiffel Tower, and some Louis Vuitton swag. YesWeHack did well on this one!

The leaderboard is equally impressive, with team Spain seeming to dominate. Full URL - https://event.yeswehack.com/events/hack-me-im-famous-2:

Award names were fitted (pun intended) towards the target, with Godiego claiming a large chunk of them, Full URL - https://twitter.com/yeswehack/status/1776280653744554287:

Browser Market Shares

Now this is some pretty interesting information. Below we can see the market share for each browser alongside how it treats cookies with no SameSite attribute: some browsers default to Lax, while others effectively treat them as None.

This may come in useful when tailoring your exploits to your target demographic. It might be unlikely, but if there’s a reason a flow on a site uses, for example, the Safari mobile app, and you have a means of CSRF, being able to provide a browser-specific exploit for that might be useful.

  • Total

    • 65% Chrome - Same-site Lax: Default

    • 18.55% Safari - Same-site Lax: None

    • 5% Edge - Same-site Lax: Default

    • 2.8% Firefox - Same-site Lax: None

    • 2.64% Samsung Internet - Same-site Lax: Default

    • 2.53% Opera - Same-site Lax: Default

  • Desktop

    • 65% Chrome

    • 13% Edge

    • 8% Safari

    • 6% Firefox

    • 3% Opera

    • 1% 360 Safe

  • Mobile

    • 65% Chrome

    • 24% Safari

    • 4% Samsung Internet

    • 2% Opera

    • 1% UC Browser

    • .5% Firefox

Justin’s Bug of the Week

On a well-hacked target that had an LHE in the past year, and which Justin also uses regularly, Justin found a pretty nice bug on the signup!

It was a classic example of using the @ character to bypass restrictions on the redirect URI: the validation didn’t allow / \ or #, but it did allow a ? character.

A good resource which covers some of this is a research paper from Blackhat Asia in 2019, check it out here for some further reading: https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Wang-Make-Redirection-Evil-Again-wp.pdf
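As an added illustration (not code from the podcast or from the target in question) of why that kind of check fails, the Python below puts a prefix-and-blocklist validator next to one that parses the URL and compares the origin the browser will actually connect to. The registered origin and the sample redirect values are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed for this example: the origin the OAuth client has registered.
REGISTERED_ORIGIN = "https://app.example.com"


def weak_redirect_check(redirect_uri: str) -> bool:
    """Prefix-plus-blocklist check modelled on the behaviour described above:
    the value must start with the registered origin and the remainder must not
    contain '/', '\\' or '#'. A '?' is allowed, and so is anything else."""
    if not redirect_uri.startswith(REGISTERED_ORIGIN):
        return False
    remainder = redirect_uri[len(REGISTERED_ORIGIN):]
    return not any(ch in remainder for ch in "/\\#")


def effective_host(redirect_uri: str) -> Optional[str]:
    """The host a browser will actually be sent to. urlsplit() treats anything
    before '@' in the authority as userinfo, so 'https://a.com@b.com' -> 'b.com'."""
    try:
        return urlsplit(redirect_uri).hostname
    except ValueError:
        return None


def strict_redirect_check(redirect_uri: str) -> bool:
    """Allowlist check: parse the URL and compare scheme, hostname and port
    against the registered origin; reject userinfo and fragments outright."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    registered = urlsplit(REGISTERED_ORIGIN)
    if parts.username is not None or parts.password is not None:
        return False  # userinfo ('@' in the authority) is never legitimate here
    if parts.fragment:
        return False
    return (parts.scheme, parts.hostname, parts.port) == (
        registered.scheme, registered.hostname, registered.port)


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate callback and a userinfo-style value.
    for uri in ("https://app.example.com?state=abc",
                "https://app.example.com@attacker.example?state=abc"):
        print(f"{uri}\n  weak={weak_redirect_check(uri)} "
              f"strict={strict_redirect_check(uri)} host={effective_host(uri)}")
```

The weak check accepts the second value even though the browser resolves it to attacker.example, and at the same time rejects a perfectly legitimate path on the registered origin.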

Mobile OAuth Redirects

On a similar note, if the mobile app is performing any form of OAuth redirect to an app scheme and allows any scheme to be input, you can use Chrome to do all the heavy lifting and arbitrarily redirect the user:

A good resource the guys frequently shout out on the pod is the ‘Golden techniques to bypass host validations in Android apps’ - check it out here: https://hackerone.com/reports/431002

Zero to Hero - Bug Bounty Edition: 9 Months with Justin’s Methodology-ish

Shreya Chavhan has made a very nice writeup and extensively documented his bounty journey from the start - including how many hours he’s spent hunting, time spent studying, the number of submissions, lessons learned and a whole lot more. The original tweet can be found here, but the Notion blog can be found below:

A good takeaway from here is making the shift from learning to hacking: instead of spending 80% of your time studying and 20% hacking, spend 80% of your time hacking and 20% learning.

A common mistake, and historically I’ve made it myself, is spending all your time studying, doing labs and learning instead of actually hacking, then wondering why you aren’t finding any bugs.

Intent to ship

Some of the WAF bypasses, XSS filter bypasses and new gadgets for XSS can sometimes have you wondering how they were discovered, where they came from, and why they even work.

Fortunately, any new features Google intends to ship on Chrome are publicly posted for the community to review - this info can be found in the ‘Intent to ship’ posts, one example here: https://groups.google.com/a/chromium.org/g/blink-dev/c/jGTYNuidPRs/m/X44YSfCzAAAJ

These intent-to-ship threads often contain new functionality to be supported in Chrome, changes in behaviour, and more. If you want to stay up to date, Justin has made a bot in the Critical Thinkers Discord channel which auto-posts all new intent to ship posts to the channel.

As always, keep hacking.