Critical Thinking - Bug Bounty Podcast
[HackerNotes Ep. 70]: NahamCon and CSP Bypasses Everywhere
Meta's bug bounty program, NahamCon, CI/CD security and CSP bypasses.
Hacker TLDR;
Meta’s Bug Bounty Program: Meta’s top bounties go up to $300k. The program also offers an exploitation window, allowing you to craft full attack chains and go the extra mile to demonstrate impact. One pentester used this to go from BXSS → XXE → RCE. Program info can be found here: https://m.facebook.com/whitehat/payout_guidelines/
NahamCon: Justin and Joel are hosts for this year's NahamCon. There’s a tonne of cool talks throughout the event from WAF bypasses to code review workshops, alongside $50k in bonuses AND a trip to Defcon to be won in the CTF. Check it out here: https://www.nahamcon.com/schedule
CI/CD & Dependency Confusion: A new enterprise tool is being dropped soon by Lupin & Holmes called Depi, check it out here: https://www.landh.tech/depi/
CSP Bypasses: A few CSP bypasses on Google and YouTube domains to add to the list:
Meta Bug Bounty Program
One program to add to your list if it isn’t already is Meta. Meta’s bug bounty program is quite impressive when it comes to bounties, with a top bounty of $300k!
The $300k is reserved for RCE on some of their main applications, mind, but it's still an insane amount. To add to this, they also offer a loyalty program: hunters who spend more time on the program and have reported numerous bugs receive bonuses on top of the bounty amount.
Meta also gives you an exploitation window to demonstrate the impact of any of your findings. Say you’ve found an SSRF or RCE and want to demonstrate the bug end to end: the program gives you a window to do so. During this window they monitor the activity from the finding, helping you and the triager fully determine its extent.
Ben mentioned on the pod that one of their pentesters used this window to go from blind XSS → XXE → RCE, demonstrating a full exploit chain!
One of the downsides (well… upsides, depending on how you look at it) is that Meta is a very complex and dense ecosystem. So if you plan to hack them, make sure you spend a lot of time getting familiar with the scope.
Check out the program here: https://m.facebook.com/whitehat/payout_guidelines/
NahamCon
Our guys Justin and Joel are the hosts alongside John Hammond at NahamCon this year. If you haven’t checked it out already, here's what to expect:
- CTF: Thursday, May 23rd - Saturday, May 25th
- Workshops: Friday, May 24th
- Conference: Saturday, May 25th
There’s $50k up for grabs in bonuses on the CTF from Yahoo, alongside a trip to Defcon (flight, hotel, badge) to be won from the CTF. To win a bonus all you have to do is participate in the CTF, and a valid submission gets you entered into the pool to win the trip to Defcon.
There’s a tonne of cool talks happening, from WAF bypasses and JS analysis to code review and SQL injection. Check out the schedule here: https://www.nahamcon.com/schedule
CI/CD and Depi
CI/CD seems to be a hot topic as of late, probably due to the massive attack surface it consistently provides us all and its importance to enterprises!
The guys at Lupin & Holmes are dropping a tool aimed at addressing some of the problems around the whole software supply chain. It hasn’t been fully released yet but the website is live, so check it out here: https://www.landh.tech/depi/
Hacking CI/CD
Ben started hacking some CI/CD solutions on a pentest engagement and found quite a nice attack surface across a few customers.
Searching for .gitignore on web servers can often expose repos, or items within a repo, that devs don’t want to be tracked. This, however, can provide a very rich attack surface to us as attackers, as it can expose routable paths on the webserver.
Keep an eye out for references to repos in these types of files, as it can also help to identify dependency confusion-related bugs.
Equally, searching for other JSON or config files that hint at the technology stack can yield good results, as they let you further refine the wordlist for the target. This is also a great use case for AI: use it to build out a wordlist of similar items which could be accessible.
When performing content discovery, scanners are usually configured to just hit the webroot / of the host with a given wordlist. A lot of apps don’t serve directly from the webroot and instead use an app-specific path such as /app/, /login/ or even /API/. With this in mind, it can pay dividends to identify a host’s app-specific routes and brute force these instead of just the webroot /.
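A way to turn the .gitignore point into a hardening check, as an added example that is not from the podcast or the HackerNotes author: the script below parses a constructed .gitignore, lists the concrete files and directories it names (glob patterns such as `*.log` are skipped because they say a class of files exists, not where), and renders the nginx `location` rule that keeps those paths, and the repo metadata itself, from ever being routable. The sample file, the function names and the rendered nginx syntax are my assumptions; compare the block with your own config before deploying it.

```python
import re

# Constructed example of a .gitignore that ended up deployed under a web root (not from a real target).
SAMPLE_GITIGNORE = """
# build output
/dist/
*.log
node_modules/

# local config, never to be committed
.env
config/secrets.json
backup/*.sql
!backup/schema.sql
uploads/
"""


def gitignore_entries(text):
    """Return the active patterns of a .gitignore: blank lines, comments and negations ('!') dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        entries.append(line)
    return entries


def candidate_paths(text):
    """Entries that name a concrete file or directory, normalised to a path below the web root.

    Glob patterns such as '*.log' are skipped: they tell you a class of files exists, not a route,
    so an inventory of those has to come from the deployed tree instead."""
    paths = []
    for entry in gitignore_entries(text):
        if any(ch in entry for ch in "*?["):
            continue
        path = "/" + entry.strip("/")
        if path not in paths:
            paths.append(path)
    return paths


def nginx_deny_block(paths):
    """Render an nginx `location` block returning 404 for the listed paths and for the repo
    metadata itself (.git and .gitignore). Assumes nginx's documented regex location syntax
    (an assumption of this example); review the rendered block against your own config."""
    names = {p.strip("/") for p in paths} | {".git", ".gitignore"}
    pattern = "|".join(re.escape(name) for name in sorted(names))
    return "location ~ ^/(" + pattern + ")(/|$) {\n    return 404;\n}"


if __name__ == "__main__":
    found = candidate_paths(SAMPLE_GITIGNORE)
    print("paths named by .gitignore that must not be routable:", found)
    print(nginx_deny_block(found))
```

Run it against the real .gitignore of a deployment you own and diff the listed paths against what the web server actually serves; anything that answers with a 200 is the finding the podcast is describing, seen from the other side.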
In practice, this might look like:
- Run gau
- Run wayback
- Combine all paths, filter out the noise and create a wordlist of unique paths
- Run your targeted wordlist or quick-hits wordlist on these app paths instead of just the webroot
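The combine-and-filter step of that procedure, as an added example (my code, not the hosts' tooling): it takes the merged output of gau and wayback as a list of URLs (a constructed sample is embedded), strips queries, fragments, duplicates and static assets, and returns the unique app-path prefixes. A defender can compare that list against the routes they believe a host exposes; a tester feeds it to the targeted wordlist run the last step describes. The function names, the noise filters and the sample URLs are my assumptions.

```python
import os
from urllib.parse import urlparse

# Constructed sample of what `gau` / `waybackurls` print for a host (not real data).
SAMPLE_URLS = """
https://app.example.com/
https://app.example.com/login/
https://app.example.com/login/reset?token=abc
https://app.example.com/app/dashboard
https://app.example.com/app/settings/profile
https://app.example.com/API/v1/users?id=1
https://app.example.com/API/v1/users/2
https://app.example.com/static/js/main.3f2a.js
https://app.example.com/static/css/site.css
https://app.example.com/images/logo.png
http://app.example.com/app/dashboard
https://app.example.com/app/dashboard#section
javascript:void(0)
"""

# Static-asset extensions and directories that add nothing to a route wordlist (my choice of filters).
NOISE_EXT = {".js", ".css", ".map", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2"}
NOISE_PREFIX = ("/static/", "/images/", "/assets/")


def normalize(url):
    """Keep only the path: scheme, host, query and fragment are dropped. Non-http URLs give None."""
    u = urlparse(url.strip())
    if u.scheme not in ("http", "https") or not u.path:
        return None
    return u.path


def is_noise(path):
    lower = path.lower()
    return lower.startswith(NOISE_PREFIX) or os.path.splitext(lower)[1] in NOISE_EXT


def unique_paths(urls):
    """Deduplicated, noise-free paths in first-seen order; the bare web root is excluded."""
    seen = []
    for raw in urls:
        path = normalize(raw)
        if path is None or path == "/" or is_noise(path):
            continue
        if path not in seen:
            seen.append(path)
    return seen


def route_prefixes(urls, depth=1):
    """The distinct leading `depth` path segments, e.g. /app/, /login/, /API/ for depth=1.
    Case is preserved: /API/ and /api/ can be different routes on a case-sensitive server."""
    prefixes = set()
    for path in unique_paths(urls):
        segments = [s for s in path.split("/") if s]
        if len(segments) >= depth:
            prefixes.add("/" + "/".join(segments[:depth]) + "/")
    return sorted(prefixes)


if __name__ == "__main__":
    urls = SAMPLE_URLS.split()
    print("known paths:", unique_paths(urls))
    print("app routes to check:", route_prefixes(urls))
    print("one level deeper:", route_prefixes(urls, depth=2))
```

In practice you would pipe `cat gau.txt wayback.txt` into it instead of the embedded sample; `depth=2` gives the second-level prefixes (`/API/v1/`, `/app/settings/`) for hosts that nest their routes.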
CSP Bypasses
We all love a CSP bypass, especially on domains which are more often than not allowlisted in a CSP. The guys dropped these JSONP endpoints on the pod for Google and YouTube:
If you aren’t familiar with JSONP and how you can abuse it to bypass CSP, HurricaneLabs has done some great research here: https://hurricanelabs.com/blog/bypassing-csp-with-jsonp-endpoints/
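To make the mechanism concrete, here is an added example (not from the podcast or the linked article) of a simplified CSP script-src matcher. It shows the defender's side of the problem: a policy that allowlists whole hosts accepts any script URL on those hosts, query string included, which is all a JSONP endpoint on that host needs, while a nonce plus 'strict-dynamic' policy refuses the same URL and only runs the scripts the page itself tagged. The policies, page origin and JSONP-style URL are constructed (the placeholder path is not a real endpoint), and the matcher deliberately omits hash-sources and redirect handling.

```python
from urllib.parse import urlparse

DEFAULT_PORT = {"http": 80, "https": 443}


def parse_csp(policy):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def split_host_source(source):
    """'https://cdn.example:443/libs/' -> ('https', 'cdn.example', '443', '/libs/')."""
    scheme, rest = (source.split("://", 1) if "://" in source else (None, source))
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    return (scheme.lower() if scheme else None), host.lower(), port, (slash + path if slash else "")


def origin_of(url):
    u = urlparse(url)
    if u.port and u.port != DEFAULT_PORT.get(u.scheme):
        return f"{u.scheme}://{u.hostname}:{u.port}"
    return f"{u.scheme}://{u.hostname}"


def host_source_matches(source, url):
    """Simplified CSP matching of a host-source against a URL: scheme, host ('*.' wildcard),
    port and path. A path ending in '/' matches as a prefix, any other path exactly; the query
    string never takes part, which is why ?callback=... on an allowlisted host slips through."""
    u = urlparse(url)
    if "://" not in source and source.endswith(":"):      # scheme-source such as https:
        return u.scheme == source[:-1].lower()
    scheme, host, port, path = split_host_source(source)
    if scheme and scheme != u.scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    uhost = (u.hostname or "").lower()
    if host.startswith("*."):
        if not uhost.endswith(host[1:]):
            return False
    elif host != "*" and host != uhost:
        return False
    if port and port != "*" and int(port) != (u.port or DEFAULT_PORT.get(u.scheme)):
        return False
    if path and path != "/":
        if path.endswith("/"):
            return u.path.startswith(path)
        return u.path == path
    return True


def script_allowed(policy, page_origin, script_url, nonce=None):
    """Would <script src=script_url nonce=nonce> on a page at page_origin run under this policy?"""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True                                   # nothing restricts scripts at all
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    keywords = {s.lower() for s in sources if s.startswith("'")}
    if "'none'" in keywords or "'strict-dynamic'" in keywords:
        return False                                  # strict-dynamic: host allowlists are ignored
    if "'self'" in keywords and origin_of(script_url) == origin_of(page_origin):
        return True
    return any(host_source_matches(s, script_url) for s in sources if not s.startswith("'"))


def whole_host_allowlist(policy):
    """script-src host-sources with no path restriction: every script that host serves is trusted,
    so a JSONP endpoint anywhere on it that echoes its callback parameter is trusted too."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    return [s for s in sources
            if not s.startswith("'") and not s.endswith(":") and split_host_source(s)[3] in ("", "/")]


# Constructed policies and URLs; the JSONP path is a placeholder, not a real endpoint.
PAGE = "https://shop.example"
WEAK = "default-src 'none'; script-src 'self' https://www.google.com https://www.youtube.com"
STRICT = "default-src 'none'; script-src 'nonce-d0ntGuessMe' 'strict-dynamic'"
JSONP = "https://www.youtube.com/placeholder-jsonp-endpoint?callback=injectedFn"

if __name__ == "__main__":
    print("allowlist policy lets the JSONP response run:", script_allowed(WEAK, PAGE, JSONP))
    print("nonce + strict-dynamic policy does:", script_allowed(STRICT, PAGE, JSONP))
    print("hosts trusted wholesale by the weak policy:", whole_host_allowlist(WEAK))
```

The audit function is the one to run over your own headers: every entry it returns is a host whose entire script namespace you are trusting, and the fix it points at is a per-response nonce with 'strict-dynamic' rather than a longer allowlist. Restricting an allowlist entry to a path prefix (`https://cdn.example/libs/`) narrows the exposure but still depends on nothing under that prefix ever echoing request data into a script response.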
Equally, the guys mentioned on the pod some awesome research by Paulos Yibelo on WordPress-specific CSP bypasses, which can be found here: https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/
As always, keep hacking!