[HackerNotes Ep. 57] Live Hacking Event Inside Scoop - H1-305

Justin and Joel Drop the Pod While Attending Capital One's LHE and Have Some Valuable Takeaways from the Event.

Author

gr3pme
February 08, 2024

Hacker TLDR;

  • Live From Capital One’s LHE: Justin and Joel deliver this episode on the road whilst attending Capital One's LHE. The event has finished up, so check out the leaderboard and payouts here.

  • Weird HTML5 Specs: Browsers auto-convert <image> tags to <img> tags. One to keep in mind for filter bypasses.

  • Client Side Path Traversal: Some classes of bugs are slowly phasing out due to secure by default configurations in browsers, one example being CSRF, but this paves the path for other classes of bugs such as Client Side Path Traversal:

    • What is it? Client-side path traversal involves manipulating file paths on the client's browser, typically through user-controlled input, to access unintended files or resources.

    • What does it look like in practice? Context is key here, but impacts range from XSS, CSS injection, CSRF, and more. Open redirect is a common gadget used with CSPT to achieve XSS. You can read some real-world examples of these types of chains below.

  • LHE takeaways: The guys spent some serious time on this target and have some nice takeaways for us in hindsight**:**

    • Track time when hunting: This can be useful when approaching a bigger target to know when to move on and cut losses after X amount of hours spent in X functionality.

    • Going deep on a target: Going deep on a target pays off when it comes to finding bugs. Gaining deep knowledge of a target can help you map unique threat models and uncover complex gadgets, both allowing you to craft high-impact bugs.

    • Set goals when bug-hunting: Some hunters went into the LHE with the goal of finding certain bug classes. Doing so when hunting can help refine your methodology, and keep an eye out for gadgets related to your goal.

    • Third-party software: Third-party software is often not subject to the same level of scrutiny as in-house software on secured targets. Identifying third-party software and how it integrates into an application can provide a foothold for exploitation on a target where security is locked down, often due to the assumptions made around the security of an integration.

Live From Miami

The pod is on the road this week, with Justin and Joel presenting from Miami. The guys were attending a live hacking event (LHE), for Capital One.

The guys smashed the event, with some pretty impressive leaderboard stats - check it out here.

Client Side Routing Based Bugs

A massive takeaway from this LHE was a bug class becoming more and more relevant - Client-side path traversal. As additional complexity is added around browser-based controls and functionality, there’s more focus on client-side path traversal, as it can facilitate a whole range of client-side-based exploitation scenarios.

What is it?

You may already be familiar with the idea of a typical path traversal attack - where you can send a payload containing a path traversal payload such as ../../../{file} which would traverse the file structure serverside by 3 directory structures.

The idea is the same here for the client side (the browser). We can embed similar payloads to modify where certain requests will be routed to but instead of this happening serverside, it happens client side.

When an application is expecting a certain path or certain content from a path, it can get interesting.

What Does It Look Like in Practice?

This type of vuln can arise in many different contexts, as it depends on user-controlled input being placed into the path of where a resource is loaded, or redirected to.

For example, take a password reset flow that uses the following URL to perform the resets and depends on the Token value to redirect the user: https://target.com/reset/token?user=victim&Token=810128475189

If the application depends on input from the token value to perform an additional request or redirect, we could modify the value to the following to poison the flow:

https://target.com/reset/token?user=victim&Token=810128475189%2F..%2F..%2Fuser

Which would then turn the request into:

https://target.com/user

Now, by itself, there isn’t much impact here. When used as a gadget in conjunction with an open redirect, or other functionality such as stylesheet imports this is where you can start proving the impact.

Real-World Examples

The impact completely depends on where user-controlled inputs land on the client side and what functionality is available on the application. Context is key here, and impact can lead to any one of the clientside vulnerability types - XSS, open redirect, CSRF, etc.

Some cool examples of this being exploited in the wild:

  • CSS Injection via Client Side Path Traversal + Open Redirect: Mr-medi pulled off a cool one here, using a chain to exfiltrate data via CSS. Full writeup here.

  • CSRF Via Client Side Path Traversal: Erasec used a CSPT to achieve CSRF, allowing them to cancel a user's bank account card. Full writeup here.

LHE Takeaways

The guys put some serious hours into this LHE and have a few takeaways for us. If you aren't familiar with the format of LHEs, there’s a dupe window for the first week of hacking where all bounties that are dupes are split between reporters.

This tends to lend itself to submitting all of the lower hanging/generic type bugs within this dupe window, and focusing on more niche-related bugs after this dupe window to minimize the chances of dupes throughout the event and also ensure payouts.

Let's jump into some of the takeaways from the guys for this event:

Tracking Time When Hunting

Spending extended periods on a single area of a target can pay huge dividends when it comes to bounties. The flip side to this approach is it won't go your way every time, and sometimes it doesn’t pay off.

Tracking time spent on a certain piece of functionality can help you 1. Set a defined goal for how many hours to spend before focusing on something new, and 2. Helps you decide when to cut your losses in that area.

This isn’t a one-size-fits-all answer when it comes to this, but time boxing can be a useful technique if you find yourself spending a tonne of time in an area, and you aren’t sure when to move in.

Equally, taking notes in this process can massively assist in keeping track of gadgets, behaviors, and any potential avenues to explore.

Both Justin and Joel had some stories on time boxing in this LHE. Joel hit his target of 25 hours on a mobile target and decided to move on - Justin went down the rabbit hole on one finding, with the final nail in the coffin being a missed CSP directive after 8 hours of hacking.

We can’t win them all, huh?

Going Deep on a Target

Fully understanding the inner workings of an application and how it integrates into its wider ecosystem is essential when looking for high-impact bugs.

Having a deep understanding of the application can help understand the application threat model, if it has a unique threat model, and what the program would classify as high impact. Equally, uncovering behavior that could be used as a gadget (a behavior/functionality that could be used to facilitate exploitation in a wider exploit chain) often requires a deeper understanding of the application.

Not all high-impact bugs have to fall into your typical vulnerability buckets - some high-impact bugs can be unique to the target.

Set Goals when Bug Hunting

One area Joel wished he spent some more time on in hindsight for the LHE was setting goals when hunting.

This helps define the direction of hunting, allowing you to tune in on behaviors and gadgets to achieve account takeover (ATO) for example.

Equally, when combined with timeboxing, going deep on an application, and taking notes it lends itself to more efficient hunting.

Understand Auth Flows on Bigger Applications

Looking at auth in bigger and more complex applications is key for high-impact bugs. Auth can be tricky to implement properly, especially for bigger companies that have numerous flows for different clients.

The added complexity inevitably leads to more room for error, and as companies grow it’s standard for more functionality to be supported as requirements naturally progress.

This feeds back into the point of going deep on an application, but naturally auth related bugs can take some time to get right due to the amount of knowledge needed and gadgets required to pull them off.

Third-Party Software

If you’re hitting a target that takes their security seriously, it's likely their stuff has been locked down and secured tightly.

Third-party software is often embedded or integrated to save the target from re-writing already existing functionality, but third-party software often isn’t scrutinized to the same level when it comes to security practices.

This naturally reduces the attention given to our potential attack surface as hunters, which could provide an opportunity for exploitation.

Random Tip Discovered from the LHE

The browser auto-converts any <image tags to <img tags. This could be used to bypass filtering in place on solutions looking for <img tags, as this conversion is done in the browser.

Shout out to Justin for reading the HTML5 RFC after discovering this so we don’t have to <3

Although this episode ran shorter than usual due to the team wrapping up at the LHE, it still delivered plenty of valuable insights. Stay tuned for next week's episode, where we delve into some fascinating bugs and exploits with hunter Youssef Sammouda.

Till next time, happy hunting!