Hacking Web : How to Hacking Web And Make Money Hacking Ethically by Yaworski Peter
Author: Yaworski, Peter
Language: eng
Format: epub
Publisher: UNKNOWN
Published: 2020-10-22T00:00:00+00:00
Takeaways
We discussed it in the Application Logic chapter but it bears repeating here: as you search for vulnerabilities, take note of the services a site uses, as each one represents a new attack vector during your search. Here, this vulnerability was made possible by combining HackerOne's use of Zendesk and the known redirect they were permitting.
Additionally, as you find bugs, there will be times when the security implications are not readily understood by the person reading and responding to your report. This is why I have a chapter on Vulnerability Reports. If you do a little work upfront and respectfully explain the security implications in your report, it will help ensure a smoother resolution.
But, even that said, there will be times when companies don't agree with you. If that's the case, keep digging like Mahmoud did here and see if you can prove the exploit or combine it with another vulnerability to demonstrate effectiveness.
Summary
Open Redirects allow a malicious attacker to redirect people unknowingly to a malicious website. Finding them, as these examples show, often requires keen observation. Sometimes they sit in an easy-to-spot parameter such as redirect_to=, domain_name=, checkout_url=, etc. This type of vulnerability relies on an abuse of trust, whereby victims are tricked into visiting an attacker's site thinking they will be visiting a site they recognize.
Typically, you can spot these when a URL is passed in as a parameter to a web request. Keep an eye out and play with the address to see if it will accept a link to an external site.
Additionally, the HackerOne interstitial redirect shows the importance of both recognizing the tools and services web sites use while you hunt for vulnerabilities, and how sometimes you have to be persistent and clearly demonstrate a vulnerability before it is recognized and accepted.
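The summary above points at the URL-carrying parameters (redirect_to=, checkout_url=, and so on) where these bugs live. The following is an added example, not code from the book, showing the check a server should apply to such a parameter before issuing a redirect: it contrasts a naive substring check, which is exactly the kind of validation that produces an open redirect, with a parser-based check that only accepts a same-site relative path or an absolute http(s) URL whose host is on an explicit allow-list. The function names `is_safe_redirect` and `naive_contains_check`, the trusted host `example.com` and the untrusted host `attacker.example` are all constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list for the example; a real deployment loads its own hosts.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def naive_contains_check(target: str) -> bool:
    """The kind of check that produces open redirects: 'does the URL mention our domain?'"""
    return "example.com" in target


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an absolute http(s) URL
    whose host is on the allow-list. Everything else, including inputs that merely
    contain the trusted domain somewhere in the string, is rejected."""
    if not target:
        return False
    target = target.strip()
    # Browsers treat a backslash after the leading slash like a forward slash
    # ("/\\host" behaves like "//host"); Python's urlparse does not, so reject it,
    # along with control characters, before parsing.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and other non-navigational schemes
    if not parsed.scheme and not parsed.netloc:
        # Relative reference: require an absolute path; "//" would be protocol-relative
        # and urlparse already treated that case as having a netloc.
        return target.startswith("/") and not target.startswith("//")
    if parsed.username is not None or parsed.password is not None:
        return False  # "https://example.com@attacker.example/" puts our name in userinfo
    host = parsed.hostname  # lower-cased, port stripped, userinfo removed
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    # Constructed candidates a redirect parameter might carry.
    candidates = [
        "/account",
        "https://example.com/settings",
        "//attacker.example/",
        "https://example.com.attacker.example/",
        "https://example.com@attacker.example/",
        "/\\attacker.example",
        "javascript:alert(1)",
    ]
    for c in candidates:
        print(f"{c!r:45} naive={naive_contains_check(c)!s:5} safe={is_safe_redirect(c)}")
```

The point of running both checks side by side is that the substring check says yes to every candidate that contains the trusted domain, while the parser-based check only says yes to the first two. The allow-list should be a short, explicit set of hosts the application actually redirects to; a suffix match ("ends with example.com") would reopen the subdomain-lookalike case.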
13. Sub Domain Takeover
Description
A sub domain takeover is really what it sounds like: a situation where a malicious person is able to claim a sub domain on behalf of a legitimate site. In a nutshell, this type of vulnerability involves a site creating a DNS entry pointing a sub domain at an external service, for example Heroku (the hosting company), and never claiming that sub domain on the service.
1. example.com registers on Heroku
2. example.com creates a DNS entry pointing subdomain.example.com to unicorn457.heroku.com
3. example.com never claims unicorn457.heroku.com
4. A malicious person claims unicorn457.heroku.com and replicates example.com
5. All traffic for subdomain.example.com is directed to a malicious website which looks like example.com
So, in order for this to happen, there need to be unclaimed DNS entries for an external service like Heroku, Github, Amazon S3, Shopify, etc. A great way to find these is using KnockPy, which is discussed in the Tools section; it iterates over a common list of sub domains to verify their existence.
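The five steps above describe the condition to look for: a CNAME pointing at an external service that nobody on that service has claimed. KnockPy enumerates candidate names; what a defender then needs is a way to sort the CNAME answers into "points at a tracked service and is confirmed claimed" versus "points at a tracked service and is not". The script below is an added example, not code from the book or from KnockPy: it parses dig-style CNAME answer lines, keeps the records whose target belongs to one of the services named in the text, and reports those whose target the supplied check cannot confirm as claimed. The `SERVICE_SUFFIXES` table, the sample records for example.com and the `CLAIMED` set are constructed for the demo; `resolves` is one possible live check (an NXDOMAIN answer) implemented as a plain socket lookup.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed fingerprint table: CNAME suffixes of the external services named in
# the text. Assumption: a real scan would use a longer, maintained list.
SERVICE_SUFFIXES: Dict[str, str] = {
    "heroku.com": "Heroku",
    "herokuapp.com": "Heroku",
    "s3.amazonaws.com": "Amazon S3",
    "github.io": "GitHub Pages",
    "myshopify.com": "Shopify",
}

# Constructed sample in `dig +noall +answer` format, following the example.com story above.
SAMPLE_DIG_OUTPUT = """\
sub.example.com.      300  IN  CNAME  unicorn457.heroku.com.
assets.example.com.   300  IN  CNAME  assets-example.s3.amazonaws.com.
www.example.com.      300  IN  CNAME  lb.example.com.
shop.example.com.     300  IN  CNAME  example-store.myshopify.com.
"""

# Constructed: pretend only the Shopify store has actually been claimed.
CLAIMED = {"example-store.myshopify.com"}

_CNAME_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)\s*$")


def parse_cname_answers(text: str) -> List[Tuple[str, str]]:
    """Turn dig-style CNAME answer lines into (name, target) pairs, lower-cased, no trailing dot."""
    pairs = []
    for line in text.splitlines():
        m = _CNAME_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1).rstrip(".").lower(), m.group(2).rstrip(".").lower()))
    return pairs


def external_service(target: str) -> Optional[str]:
    """Name the tracked external service a CNAME target belongs to, or None."""
    for suffix, service in SERVICE_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return service
    return None


def resolves(name: str) -> bool:
    """One possible live check: a target that returns NXDOMAIN is held by nobody."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def find_dangling(pairs, target_exists: Callable[[str], bool]) -> List[Dict[str, str]]:
    """Report subdomains whose CNAME points at a tracked service but whose target
    the supplied check cannot confirm as claimed."""
    findings = []
    for name, target in pairs:
        service = external_service(target)
        if service is None:
            continue  # points inside the org, or at a service with no fingerprint here
        if not target_exists(target):
            findings.append({"subdomain": name, "target": target, "service": service})
    return findings


if __name__ == "__main__":
    records = parse_cname_answers(SAMPLE_DIG_OUTPUT)
    # Offline demo uses the constructed CLAIMED set; swap in `resolves` for a live DNS check.
    for f in find_dangling(records, lambda t: t in CLAIMED):
        print(f"{f['subdomain']} -> {f['target']} ({f['service']}): target unclaimed, takeover risk")
```

The `target_exists` callable is deliberately pluggable because a DNS-only check is not enough for every provider: some answer DNS for any name under their domain (an unclaimed S3 bucket hostname still resolves, and S3 then reports NoSuchBucket over HTTP), so for those services the check has to be a per-service HTTP fingerprint rather than the `resolves` helper. Running the check on a schedule against the organisation's own zone, and removing or re-claiming any flagged record, is the mitigation; the offensive side of the story is the one the book tells.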
Examples
1. Ubiquiti sub domain Takeover
Difficulty : Low
Url : http://assets.goubiquiti.com
Report Link : https://hackerone.com/reports/109699
Date Reported : January 10, 2016
Bounty Paid : $500
Description :
Just as the description for sub domain takeovers implies, http://assets.goubiquiti.com had a DNS entry pointing to Amazon S3 for file storage, but no Amazon S3 bucket actually existed.
