
#HackerKast 20: Internet Explorer Universal XSS and Same Origin Policy Bypass, Browser DDoS via DNS Spoofing, HackerOne Bug Bounty Vulnerability

Hey everybody! Slow news week this week so we sent Jeremiah to Germany…. in the winter. Poor Hawaiian!

Anyway, we started this week off talking about a really cool bug in Internet Explorer. This vuln is a Universal Cross Site Scripting (XSS) bug that also bypasses Same Origin Policy and works in even the latest IE version 11. That is a mouthful and it’s all bad. What this means is that by abusing iFrames, an attacker could execute XSS in any site they want via your browser. Websites could be doing everything completely right, but if they aren’t using the X-Frame-Options header properly then an attacker can effectively do anything they want on those sites. Bad day to be an IE user or an IE developer for sure.
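Since the one server-side mitigation the story names is the X-Frame-Options header, here is a small audit helper, added here as an example and not code from the HackerKast crew, that classifies whether a response's headers actually stop cross-origin framing. It assumes the headers are available as a plain name-to-value mapping; the sample responses are constructed.

```python
"""Classify a response's anti-framing protection (X-Frame-Options or a
CSP frame-ancestors directive). Added example, not from the original post."""

from typing import Mapping


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return 'denied', 'same-origin', 'allow-from', 'csp' or 'unprotected'.

    Header names are compared case-insensitively. A CSP frame-ancestors
    directive is checked first because browsers that support it give it
    precedence over X-Frame-Options.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "denied"
            if sources == ["'self'"]:
                return "same-origin"
            return "csp"  # an explicit allow-list of framing origins
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "denied"
    if xfo == "sameorigin":
        return "same-origin"
    if xfo.startswith("allow-from "):
        return "allow-from"  # legacy value, only some browsers honoured it
    # Missing or misspelled values are silently ignored by browsers, so the
    # page can be framed by any origin.
    return "unprotected"


# Constructed sample responses (not real sites), including the common
# failure mode of a misspelled value that looks protective but is not.
SAMPLES = {
    "no-header": {"Content-Type": "text/html"},
    "deny": {"X-Frame-Options": "DENY"},
    "typo": {"X-Frame-Options": "SAME-ORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def audit(samples: Mapping[str, Mapping[str, str]]) -> dict:
    """Run framing_protection over every sample and return name -> verdict."""
    return {name: framing_protection(h) for name, h in samples.items()}
```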

Next I passed it over to Robert to talk about a few of his favorite things, Denial of Service, browser security, DNS, and even China! If Robert was playing a game of Bingo of the things he likes to talk about, this next story would definitely be on the game board. This week a company noticed a massive spike in traffic coming from China and all going to weird URLs. With the information we have, it looks like somebody was poisoning DNS and making requests originally destined for other websites all pointing at a single website. Interesting DDoS vector! The solution applied was to block the IP addresses which, as Robert shares, is a really bad idea. He also discusses the fact that we probably have a bunch of research to do around browser-based DoS in the future.

Last story we ended up talking about was a fun bug disclosure from HackerOne today, which also has a really cool PoC cherry on the cake to check out. For those unfamiliar, HackerOne organizes a bunch of bug bounty efforts for lots of different websites, including their own. This particular bug has to do with the abuse of an ineffective escaping method for the “” character. The timeline is over on the HackerOne website and you can see how the researcher figures out how to make this bug progressively more severe. He started with just editing some HTML, including spoofing a profile picture or style sheet, but he ends up figuring out he can use a tag to immediately redirect a user to a potentially evil site. At that point he can utilize phishing, drive-by malware downloads, all sorts of JavaScript attacks, etc. Even possibly take advantage of a Universal XSS SOP bypass in IE 11 to bring it full circle. Kudos to HackerOne for fixing this in about a day and also publicly disclosing the information and the fact they paid out $5,000 for the bug.

Ended today’s session with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is the completely community-driven part of the process!

Blog outlining the Top 10

Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

IE UXSS Bypass 1

IE UXSS Bypass 2

IE UXSS Bypass 3

Browser DDoS via DNS Spoofing Coming from China

Fun bug disclosure from HackerOne today

Notable stories this week that didn’t make the cut:

Possible New Origins of the Word “Hack”

Web-RTC leaks VPN origin IPs

UK National Health Service – Tons of Vulns

Really cool PoC