[HackerNotes Ep.90] 5k Clickjacking, Encryption Oracles, and Cursor for PoCs

Using Cursor for POC creation, fresh research with some SQLi, encryption Oracles, file upload content types for XSS and a $5k clickjacking bounty on Google with a bunch of neat gadgets. Check it out below.

Hacker TLDR;

  • Cursor for POC Creation: If you need to spin out some quick, clean POCs for a report which you can use as a boilerplate, Cursor might be worth checking out. This can be useful for adding nice finishing touches like loading bars to create additional visual impact to keep a user on a page, instead of having to write something yourself.

  • WhatsUp Gold SQLi: Some great research from SinSinology where they used the concept of encryption oracles to update database content. Some takeaways from this research:

    • Encryption oracles: If an application depends heavily on signed or encrypted values, finding an encryption oracle, where you supply a cleartext value and get back the ciphertext or signed form of that message, can be an incredibly powerful gadget.

    • When enumerating these oracles, try padding your input (add 1000 x ‘a’) and check whether the response length grows in line with the input length. This method can also trigger errors or stack traces which disclose additional context about what is happening under the hood.

  • File Upload - Content Type Research for XSS: Stuck with a file upload that you can’t quite pop XSS on due to some annoying content type restrictions? This repo is for you, with a whole bunch of unexpectedly valid content types for you to try: https://github.com/BlackFan/content-type-research/blob/master/XSS.md#content-type-that-can-be-used-for-xss

  • Caido Updates - Plugin Store: The new Caido update dropped with a new addition: a plugin store! This has been a long-awaited addition from the community; check out the documentation here: https://developer.caido.io/ and https://github.com/caido/caido/releases

  • 5K Google Clickjacking: Abusing an embed video feature in a Google doc, chained with numerous open redirects and a Google docs file preview gadget, this researcher managed to land a 5k bounty from Google for a clickjacking which allowed them to disclose the entire contents of a user’s Google Drive. Some of the cool gadgets used in this one:

    • Open (limited) redirect 1 - which allows YouTube subdomains: https://www.youtube.com/signin?action_handle_signin=true&app=desktop&hl=en&next=https%3A%2F%2Fwww.youtube.com%2F&feature=passive&hl=en

    • Open redirect 2: https://accounts.youtube.com/accounts/SetSID?ssdc=1&sidt=&continue=https%3A%2F%2Fwww.google.com&tcc=1&dbus=EE

    • Docs preview gadget: ../signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fdocs.google.com%252Ffile%252Fd%252F1sHy3aQXsIlnOCj-mBFxQ0ZXm4TzjjfFL%252Fedit%253Fuserstoinvite%253Dlyra.horse%2540gmail.com

Cursor for POC Creation

If you aren’t familiar with Cursor, you may have been on a long tech detox or living under a rock - either way, I’m jealous. Cursor is a flavour of VSCode that has embedded AI/LLM support and is primarily used for development and coding. It’s pretty cool, check it out here if you haven’t done so already:

Under the hood, it’s hooking into Claude 3.5; it offers a bunch of cool functionality which will save you time (in most use cases, more on this shortly) and includes some free tier usage if you want to give it a spin.

However, this one drew mixed opinions on the pod. Joel had been using it extensively for some complex iOS app development, which eventually showed the limits of the Claude integration when it came to more complex, context-heavy development requirements.

Cursor is more than sufficient if you’re looking for a tool to create some clean POCs with a quick turnaround time. If you need to create simple web applications or HTML/CSS/JS, loading bars, or add finishing touches to get that extra visual impact for the triager, it can be quite a nice addition to the toolbelt.

One use case Justin had was when adding some nice finishing touches to some POCs such as loading bars to ensure the user stays on your payload page. The best thing is it requires very little/no overhead from you.

TL;DR: Good for POCs; if you’re doing something seriously complex and need a lot of context, maybe not so good.

WhatsUp Gold SQLi - CVE-2024-6670

We’ve got some more great research from SinSinology, who starred on the pod a few episodes back going into some of his Pwn2Own research. If you’re looking for a writeup which is very on-brand for him - technical, in-depth, with some really solid walkthroughs of vuln discovery, exploitation and hacking flow - you gotta check this one out: https://summoning.team/blog/progress-whatsup-gold-sqli-cve-2024-6670/

The TL;DR here is that he took a ‘vanilla’ SQLi and used it to overwrite the master password for the application’s admin user. In this instance the application stored passwords encrypted, so it wasn’t as simple as updating the row directly in the DB: the new value had to be encrypted first.

After diving into the source of the crypto functions and figuring out that he couldn’t encrypt the password himself from the context he was in, he went back through the code and instead found an encryption oracle.

He used the SQLi to read back an encrypted value that was set elsewhere in the application. Since he knew the cleartext for that value, the encryption oracle gave him a valid ciphertext for a plaintext of his choosing, and he used that gadget to set the user’s password.

So, what’s an encryption oracle?

If you can hand some endpoint or function a string and get back the signed or encrypted form of that input, that’s an oracle: you give it a piece of plaintext and receive the ciphertext back.

This concept of encryption oracles can be very powerful when approaching a target on a hunt. If requests, or some part of your request, are being signed and you can’t modify the contents directly, finding a signing (or encryption) oracle to do this on your behalf can save a lot of time, as you’re letting the app do the heavy lifting for you.

If you find one of these, try and pad your input with incredibly long data, such as 1000 x ‘a’. If the encryption oracle is functioning as expected, the response length will go up significantly.

The other potential use is that a lot of apps aren’t expecting large inputs, which might break something and give you an error or stack trace to work with.
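To make the oracle concept concrete, here is an added toy model (not code from the WhatsUp Gold writeup or from the product) of an app that stores encrypted columns in a DB: a "note" feature that encrypts caller-chosen text is the oracle, a simulated SQLi read/write copies that ciphertext into the admin password column, and the `domain_separated` flag shows the fix, deriving a per-purpose key so ciphertext from one column is useless in another. The keystream construction, `ToyApp`, `ciphertext_reuse_succeeds` and `looks_like_oracle` (the 1000 x ‘a’ length check from above) are all hypothetical names invented for this example.

```python
import hmac, hashlib

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy, nonce-less stream cipher for
    # illustration only; never use this construction in real code.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class ToyApp:
    """Stand-in for an app that stores encrypted fields in its database."""
    def __init__(self, key: bytes, domain_separated: bool):
        self.key, self.domain_separated = key, domain_separated
        self.db = {}  # (user, field) -> ciphertext, as the DB rows would hold

    def _field_key(self, field: str) -> bytes:
        if not self.domain_separated:
            return self.key  # one key for every column: the reusable setup
        # Hardened: derive a per-purpose key so a "note" ciphertext is
        # meaningless when dropped into the "password" column.
        return hmac.new(self.key, field.encode(), hashlib.sha256).digest()

    def crypt(self, field: str, data: bytes) -> bytes:
        ks = _keystream(self._field_key(field), len(data))
        return bytes(a ^ b for a, b in zip(data, ks))  # XOR: enc == dec

    def save_note(self, user: str, text: bytes) -> None:
        # Any feature that encrypts caller-chosen text is the oracle.
        self.db[(user, "note")] = self.crypt("note", text)

    def check_password(self, user: str, guess: bytes) -> bool:
        return self.crypt("password", self.db[(user, "password")]) == guess

def ciphertext_reuse_succeeds(app: ToyApp) -> bool:
    """Model the chain: oracle writes ciphertext, SQLi reads it back and
    copies it into the admin password column. Returns True if that login
    would then work, i.e. the app is exposed to the WhatsUp Gold-style chain."""
    app.db[("admin", "password")] = app.crypt("password", b"original-secret")
    app.save_note("lowpriv", b"hunter2")               # step 1: use the oracle
    stolen_ct = app.db[("lowpriv", "note")]            # step 2: SQLi read
    app.db[("admin", "password")] = stolen_ct          # step 3: SQLi write
    return app.check_password("admin", b"hunter2")     # step 4: does it log in?

def looks_like_oracle(encrypt_fn) -> bool:
    """The padding check from the notes: feed 1 vs 1000 'a's and see whether
    the output grows with the input, as an encrypting endpoint would."""
    return len(encrypt_fn(b"a" * 1000)) - len(encrypt_fn(b"a")) >= 900
```

With `domain_separated=False` the reused ciphertext logs the attacker in; with it set to True the same chain fails, which is the property to look for when reviewing how an app keys its encrypted columns.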

File Upload - Content Type Research for XSS

If you’ve got some flexibility in a file upload and you’re trying to pop an XSS but you can’t quite get it, this research is for you.

Using some weird quirks in the MIME type RFC (no surprise there), it’s actually possible to abuse a browser’s content sniffing with some pretty unexpected content types. The research lists a bunch of content types that browsers will interpret as one that allows XSS in one form or another:

And it even details some response type sorcery with values which are, in fact, valid response types?

Caido Updates - Plugin Store

Caido 0.41 has dropped and it has the long-awaited… plugin store! This has been a huge ask from the community from day one, so I’m sure it’ll be a very welcome addition for almost every Caido user!

Some additional features and documentation have also been dropped, covering some plugin basics and how to make your own here: https://developer.caido.io/ 

Be sure to check out the release if you're a Caido user, it’ll no doubt prove useful:

5K Google Clickjacking

Clickjacking and payouts don’t typically go hand in hand, but we previously had a $150k clickjacking from Coinbase and now a 5k clickjacking from Google - it’s probably time to remember that it’s all about impact in bug bounty.

This one combines a nice chain of seemingly low-impact gadgets into something much more impactful - you can find the original research links below:

Clickjacking POC to share entire drive contents

So this one was a clickjacking where the researcher was able to craft a Google doc that looked like it had a Google form in it, but when you clicked the button to submit the Google form, it would give the attacker access to the victim’s entire Google Drive!

Now, how did they get there? It’s a really good writeup, and it started with a seemingly innocent piece of functionality ‘..Google Slides has this neat feature that lets you add YouTube videos to your presentations. Just open up the video picker, look for your favorite clip, and add it onto a slide.’

Under the hood, this actually depends on an iframe whose source is validated against the YouTube domain. By chaining numerous gadgets together, they managed to turn this seemingly innocent (and useful) functionality into something pretty cool.

All in all, the writeup abused: An embed feature via iframe restricted to YouTube → a limited open redirect on YouTube → a more open redirect on YouTube → Google Docs file preview gadget → Clickjacking == Entire Google Drive contents shared!

We highly recommend giving this one a read yourself as it highlights a great use of gadgets and chaining pretty low-impact gadgets together to form quite a nice impactful chain.

Some of the gadgets used include:

  • Open (limited) redirect 1 which allows YouTube subdomains: https://www.youtube.com/signin?action_handle_signin=true&app=desktop&hl=en&next=https%3A%2F%2Fwww.youtube.com%2F&feature=passive&hl=en

  • Open redirect 2: https://accounts.youtube.com/accounts/SetSID?ssdc=1&sidt=&continue=https%3A%2F%2Fwww.google.com&tcc=1&dbus=EE

  • Docs preview gadget: ../signin?next=https%3A%2F%2Faccounts.youtube.com%2Faccounts%2FSetSID%3Fcontinue%3Dhttps%3A%2F%2Fdocs.google.com%252Ffile%252Fd%252F1sHy3aQXsIlnOCj-mBFxQ0ZXm4TzjjfFL%252Fedit%253Fuserstoinvite%253Dlyra.horse%2540gmail.com

Great chain and a great POC, remember to note down all of these gadgets you stumble upon when looking at a target.

As always, keep hacking!