MonkeHacks #26

Disciplines, XSS, Familiarity

What a week for amazing security research! On my end, I flew back to Cork, Ireland for a family gathering. As a result, I didn’t have many productive days - but one of my favourite programs launched a campaign, so I had a very successful week of bugs. I also began a very interesting piece of novel research that I hope to present in the near future.

I started developing an Electron application for fun. Bug bounty and developer work overlap often, so this isn’t a wasted effort. Someday I’ll be testing an Electron app, and this experience will be useful.

Apologies for the late issue again. It’s been a hectic few days. Things will calm down again once I’m back in Scotland - I fly back tomorrow. I’m in Dublin at the moment to hang out with my friend from France, who is on holidays here.

The countryside in west Cork.

Gadget of the Week

I’ve finished the 100-hour challenge, so for now this slot will be a Gadget of the Week until I can think of something else to put here.

This week’s gadget is WebRTC! I’m not sure if this still works, but as recently as last year, WebRTC was a valid CSP bypass for data exfiltration and featured in a SekaiCTF challenge. You can read more about it here.

Weekly Ideas / Notes 

  • One of my favourite bug chains, a really neat CSTI to ATO chain, recently duped on a Medium submission because the reporter didn’t bother escalating it to ATO. Escalate, people! That way I’ll be less depressed when I dupe on you. Stop reporting plain XSSes! You’re just throwing away money (unless you hack on Intigriti).

  • Cross-discipline expertise is very useful to have in hacking. Many technologies overlap between various fields - for example, React Native builds mobile applications with JavaScript, and Electron builds desktop applications with it. VoIP often uses HTTP-like protocols. Game hacking uses APIs. It’s all interlinked, so don’t be afraid to chase after tangential projects that interest you.

  • To continue this train of thought, examine existing security research and try to deduce potential issues that could occur in other, similar systems. Header injection attacks in HTTP-like protocols? Phone number RFCs? CSP bypasses in mobile applications? The ideas are endless. We stand on the shoulders of giants.

  • There was an interesting, brief discussion in the Critical Thinking server about familiarity. The main point is that you cannot learn how to break stuff without first learning how something should behave. You cannot take a shortcut here - this takes practice to understand intuitively. Once you’ve developed this familiarity, you can start trying to break the application because you’ve established your baseline of what should happen. If you’re trying to learn to hack, but you’re overwhelmed and have no idea what a valid bug looks like - this is your problem.

Resources

What an amazing week for security research!