Book “Bug Trap. A Field Guide to Web Hacking "

Hello Habitants! “To learn something, you need to apply knowledge in practice. This is how we learned the craft of hacking. ”- Michael Prince and Jobert Abma, co-founders of HackerOne. The Bug Trap introduces you to white-hat hacking - the search for security vulnerabilities. It doesn't matter if you are a cybersecurity newbie looking to make the internet safer, or an experienced developer looking to write secure code, Peter Jaworski will show you how.



The book covers common types of mistakes and real-life hacker reports from companies like Twitter, Facebook, Google, Uber, and Starbucks. From these reports, you will understand how vulnerabilities work and can make your own applications more secure.



You will learn:

• how the internet works and learn the basic concepts of web hacking;
• how cybercriminals break into websites;
• how request forgery forces users to submit information to other websites;
• how to access the data of another user;
• where to start hunting for vulnerabilities;
• how to get websites to disclose information using fake requests.

Who is this book for?

The book is written for novice hackers. They can be web developers, web designers, parents on



maternity leave , schoolchildren, retirees, etc. Of course, programming experience and a general understanding of web technologies will be useful, but will not be a prerequisite for hacking.



Programming skills can make it easier to find vulnerabilities in programming logic. If you can put yourself in the shoes of a programmer or read their code (if available), your chances of success will be higher.

14 Capturing a subdomain

Hijacking a subdomain allows an attacker to distribute their own content or intercept traffic on someone else's site.

Domain names

Domain is the URL to access the website. It binds to an IP address using DNS servers. In its hierarchical structure, the individual parts are separated by dots, and the final element (on the far right) is called the top-level domain. Examples of such domains are .com, .ca, .info, etc. To the left is the domain name. This part of the hierarchy is for website access. For example, <example> .com is a registered domain name with a .com top-level domain.



Subdomains make up the far left of the URL and can belong to different websites in the same registered domain. For example, Example has built a website but needs a separate email address. It can use two different subdomains with different content: www. <example> .comand webmail. <example> .com.



Site owners can use several methods to create subdomains, such as adding one of two records to the domain name description: A or CNAME. The A record binds a site name to one or more IP addresses. A unique CNAME record links the two domains. Only the site administrator has the right to create DNS records.

How subdomain capture occurs

A subdomain is considered hijacked if the user controls the IP and URLs pointed to by the A record or CNAME record. Example: After creating a new application, the developer hosted it on Heroku and created a CNAME record pointing to the subdomain of the main site Example. This situation got out of control if:

1. Example has registered an account on the Heroku platform without using SSL.
2. Heroku Example unicorn457.herokuapp.com.
3. Example DNS- CNAME, test.<example>.com unicorn457.herokuapp.com.
4. Example test.<example>.com, Heroku . CNAME .
5. , CNAME URL- Heroku, unicorn457.heroku.com.
6. test.<example>.com, URL- Example.

The consequences of taking over a subdomain depend on its configuration and the settings of the parent domain. For example, in his presentation Web Hacking Pro Tips # 8 ( www.youtube.com/watch?v=76TIDwaxtyk ), Arne Swinnen describes how to group cookies to transfer only matching domains. However, if you specify a single dot as a subdomain, for example,. <example> .com, the browser will send the <example> .com cookie to any subdomain of Example that the user visits. By controlling the address test. <example> .com, a hacker can steal the <example> .com cookie from a victim who visits the hijacked subdomain test. <example> .com.



But even if the cookies are not grouped in this way, an attacker could still create a subdomain that mimics the parent site. By placing a login form on this subdomain, it can force users to pass their credentials to it. This vulnerability allows two common types of attacks, but there are other hacking methods such as intercepting emails.



To find vulnerabilities with subdomain hijacking, analyze the site's DNS records using the KnockPy tool, which searches subdomains for typical error messages for such vulnerabilities returned by services like S3. KnockPy comes with a list of common domain names worth checking out, but you can expand on it. A similar list can be found in the SecLists GitHub repository ( https://github.com/danielmiessler/SecLists/).

Capturing Ubiquiti subdomain

Difficulty: Low

URL: assets.goubiquiti.com

Source: hackerone.com/reports/109699/ Filing

Date: January 10, 2016 Bounty Paid

: $ 500



Amazon Simple Storage (or S3) is a file storage service that is part of Amazon Web Services (AWS). An account in S3 is a bucket that can be accessed through an AWS URL that starts with the account name. Amazon uses the global namespace for its bucket URLs, so each registered bucket is unique. For example, if I register a bucket <example>, it will have the URL <example> .s3.amazonaws.com and only I will own it. But an attacker can also pick up any free S3 bucket.



Ubiquiti has created a CNAME record for assets.goubiquiti.com and linked it to the uwn-images S3 bucket available at uwn-images.s3.website.us-west-1.amazonaws.com. Since Amazon servers are scattered all over the world, this URL contained information about the geographic region where the bucket was hosted -. us-west-1 (Northern California).



This bucket was either not registered or Ubiquiti deleted it from its AWS account without removing the CNAME record, but when visiting assets.goubiquiti.com, the browser tried to fetch content from S3. The hacker took this bucket for himself and reported the vulnerability.

conclusions

Look out for DNS records that point to third party services like S3. If such records are found, check if the company has configured the service correctly. In addition, you can continuously monitor records and services using automated tools like KnockPy in case a company deletes a subdomain but forgets to update its DNS settings.

Scan.me subdomain linking to Zendesk

Difficulty: Low

URL: support.scan.me

Source: hackerone.com/reports/114134/ Report

Date : Feb 2, 2016 Bounty Paid

: $ 1,000



Zendesk platform provides customer support in website subdomains. For example, if Example was using it, this subdomain might look like support. <example> .com.



As in the previous example, the owners of scan.me created a CNAME record that binds support.scan.me to scan.zendesk.com. The scan.me service was later acquired by Snapchat. Shortly before the deal was finalized, the support.scan.me subdomain was removed from Zendesk, but its CNAME record remained. Upon discovering this, the hacker using the alias harry_mg registered scan.zendesk.com and published his content on it using the Zendesk platform.

conclusions

During the integration process between parent and child companies, some subdomains may be deleted. If administrators forget to update DNS records, there is a threat of subdomain hijacking. Since the subdomain can change at any time, start continuous tracking of records information as soon as the company is announced.

Hijacking windsor subdomain on Shopify site

Difficulty: Low

URL: windsor.shopify.com

Source: hackerone.com/reports/150374/

Report Filing Date: July 10, 2016 Bounty Paid

: $ 500



Taking over a subdomain does not always involve registering an account with a third-party service. Hacker zseano discovered that Shopify created a CNAME record for windsor.shopify.com that pointed to aislingofwindsor.com. He found this out while searching all Shopify subdomains on crt.sh, which tracks all registered SSL certificates and their associated subdomains. This information is public, as any SSL certificate must be issued by a CA so browsers can verify its authenticity when visiting the site. Websites can also register so-called wildcard certificates that provide SSL protection for all of their subdomains (in such cases, crt.sh is shown with an asterisk instead of the subdomain).



When a website registers a wildcard certificate, crt.sh cannot determine which subdomain it is for, but shows its unique hash. The censys.io service monitors certificate hashes and the subdomains in which they are used by scanning the Internet. If you search censys.io for the wildcard certificate hash, you will find new subdomains.



Scrolling through the list of subdomains on crt.sh and visiting each subdomain, zseano noticed that windsor.shopify.com was returning a "404 Page not Found" error. That is, the site was either empty or no longer owned by aislingofwindsor.com. To test the second option, zseano visited a domain name registration service and tried to find aislingofwindsor.com. It turned out that this domain could be bought for $ 10. By doing so, zseano informed the Shopify reps about the subdomain hijacking vulnerability.

conclusions

If you find a subdomain that points to another site and returns a 404 error, check if that site is available for registration. The crt.sh service can serve as a starting point for identifying a subdomain. If you find a wildcard certificate there, look for its hash on censys.io.

Capturing the fastly subdomain on Snapchat

Difficulty: Medium

URL: fastly.sc-cdn.net/takeover.html

Source: hackerone.com/reports/154425/

Report Filing Date : Jul 27, 2016 Bounty Paid

: $ 3,000



Fastly is a content delivery network. or CDN). It stores copies of the content on servers around the world so that they are as close as possible to the users who request them.



Hacker Ibraitas informed Snapchat about an incorrect DNS configuration for its sc-cdn.net domain. The url fastly.sc-cdn.netthere was a CNAME record that referenced the fastly subdomain. The latter belonged to Snapchat, but was not correctly registered. At that time, the Fastly service made it possible to register custom subdomains, provided that traffic was encrypted using TLS, for which the Fastly common wildcard certificate was used. In case of incorrect configuration of the user subdomain on the site, an error message was displayed: “Fastly error: unknown domain:. Please check that this domain has been added to a service. ”Please check that this domain has been added to the service.



Before reporting the issue, Ibraitas searched censys.io for the sc-cdn.net domain and confirmed its ownership to Snapchat by registering his SSL certificate. He then configured the server to receive traffic from that URL and showed that the domain was in fact being used.



Snapchat confirmed that a small percentage of visitors continued to use the old version of their app, which requested unauthenticated content from that subdomain. The custom config has been updated with a link to a different url. In theory, for a short period of time, an attacker could distribute malicious files to users from this subdomain.

conclusions

Look for sites that link to services that return error messages. If you find such an error, read the service documentation and understand how it is used. Then try to find the incorrect configuration with which you can take over the subdomain.

Capture a subdomain on the Legal Robot website

Difficulty: Medium

URL: api.legalrobot.com

Source: hackerone.com/reports/148770/ Submission

Date: July 1, 2016 Bounty Paid

: $ 100



Even when the subdomain of a third-party service is correctly configured, the service itself may not be configured correctly. Frans Rosen told Legal Robot that the DNS CNAME record for the api.legalrobot.com subdomain pointed to Modulus.io, which he could hijack.



After finding the error page, the hacker had to visit the service and register a subdomain. But in the case of api.legalrobot.com, this was not crowned with success: Legal Robot already owned this site.



Without giving up, Rosen tried to register a wildcard subdomain * .legalrobot.com, which remained available. The Modulus site configuration gave priority to wildcard subdomains over more detailed entries, among which was api.legalrobot.com. As a result, as seen in Fig. 14.1, Rosen was able to mark up his own content on api.legalrobot.com.





Note the content posted by Rosen in fig. 14.1. Instead of embarrassing the site owner and claiming that he had taken over the subdomain, he used a modest text page with an HTML commentary to confirm that it was he who posted the text.

conclusions

When a website uses third party services to host a subdomain, it relies on the security mechanisms of those services. Do not forget that in case of a successful subdomain capture, it is better to do the demo carefully.

about the author

Peter Jaworski became a hacker, independently studying the experience of his predecessors (some of them are mentioned in the book). He is now a successful vulnerability hunter, thanks to Salesforce, Twitter, Airbnb, Verizon Media, US Department of Defense, and others, he is now an Application Security Engineer at Shopify.

About the scientific editor

Tsang Chi Hong , aka FileDescriptor, is a pentester and vulnerability hunter. Lives in Hong Kong, writes articles on web security at blog.innerht.ml , is interested in soundtracks and cryptocurrency.



»More details about the book can be found on the publisher's website

» Table of Contents

» Excerpt



For Habitants a 25% discount on coupon - Hacking



Upon payment for the paper version of the book, an e-book is sent to the e-mail.