Bug-hunter's Sorrow

Masato Kinugawa


Introduction

Masato Kinugawa

Lonely bug hunter

Only XSS is my friend

Daily job

Office: Home

Duty: Up to my motivation

Job: Looking for security bugs

Income: Bug Bounty

Is it enough for living?

Last year's income

41050707 Yen 💰

(Octal notation) 💰

Good story. Is that all?

Topics

1st half: Story of blocked internet

2nd half: Sorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

→ My home internet was blocked

(twists and turns)

Why did I look for XSS on Benesse?

In summer 2013, I found a possibility of DOM based XSS using U+2028/2029

http://masatokinugawa.l0.cm/2013/09/u2028u2029domxss.html

It used to be a problem in simple regexes

Details on my blog: "U+2028/2029 and DOM based XSS"

Looking for the impact

I think many people have the same situation

How to test

❶ Add U+2028 and text that may cause DOM based XSS after # in the URL

❷ Check whether a strange error happens

http://host/#[U+2028]"><svg onload=alert(1)>

Then I found an ordinary DOM based XSS on a Benesse site:

https://web.archive.org/web/20130723155109/http://manabi.benesse.ne.jp/"><svg onload=alert(1)>

function writeAccesskeyForm(){
  var htm = "";
  var ownURI = location.href;
  // location.href is written into the value attribute without any encoding
  htm += '<input type="hidden" name="backurl" value="' + ownURI + '">';
  document.write(htm);
}
writeAccesskeyForm();
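The two findings above share one root cause: location.href is copied into a JavaScript string or an HTML attribute without encoding for that context. The block below is an added example written for this page, not code from the slides or from Benesse. naiveJsEscape stands in for the kind of simple regex the U+2028/2029 post refers to (it handles CR/LF but not the Unicode line terminators), jsStringEscape and renderBackurlInput are hypothetical hardened replacements, and the two sample URLs are constructed test inputs.

```javascript
// Added example (not from the slides): context-aware encoding of location.href.
// All inputs are constructed; nothing here touches the network or a real DOM.

// A simple regex escaper of the kind the U+2028/2029 post warns about: it
// handles backslash, double quote, CR and LF, but not U+2028 (LINE SEPARATOR)
// and U+2029 (PARAGRAPH SEPARATOR), which also terminate a JS string literal.
function naiveJsEscape(s) {
  return s.replace(/\\/g, '\\\\')
          .replace(/"/g, '\\"')
          .replace(/\n/g, '\\n')
          .replace(/\r/g, '\\r');
}

// Hardened version: every character outside a small allowlist becomes \uXXXX,
// so the result is safe between quotes inside a <script> block no matter which
// characters the JS engine treats as line terminators or the parser as tags.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ,.\-_:\/?=%]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// True when text meant for a JS string literal still contains a raw line
// terminator (CR, LF, U+2028, U+2029), i.e. the literal would be broken open.
function hasRawLineTerminator(s) {
  return /[\r\n\u2028\u2029]/.test(s);
}

// HTML attribute encoding for the writeAccesskeyForm() case: the URL lands
// inside value="...", so '"' must become &quot; (&, <, >, ' encoded as well).
function escapeHtmlAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/'/g, '&#39;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

// Hardened replacement for the string-built hidden input shown above.
function renderBackurlInput(ownURI) {
  return '<input type="hidden" name="backurl" value="' + escapeHtmlAttr(ownURI) + '">';
}

// Constructed sample inputs: a fragment carrying U+2028, and a URL that tries
// to close the value attribute.
const SAMPLE_LINE_SEP_URL = 'http://host/#\u2028x';
const SAMPLE_ATTR_BREAK_URL = 'http://host/"><svg onload=alert(1)>';

console.log('naive escaper leaves U+2028 raw:', hasRawLineTerminator(naiveJsEscape(SAMPLE_LINE_SEP_URL)));
console.log('hardened escaper output:        ', jsStringEscape(SAMPLE_LINE_SEP_URL));
console.log('encoded backurl input:          ', renderBackurlInput(SAMPLE_ATTR_BREAK_URL));
```

The point of jsStringEscape is that it is an allowlist: it does not need to know which characters are dangerous in a given browser, only which ones are certainly harmless. For the attribute case, building the element with document.createElement and setAttribute instead of string concatenation removes the need for escapeHtmlAttr entirely.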

After that

2013/08/05 Report

2013/08/06 Response: "Thank you very much for your bug report of Benesse Manabision. We will check the facts as soon as possible and proceed with the correspondence. Thank you so much again for your cooperation."

End of Aug 2013: confirmed the fix

After this response

I feel their appreciation for the bug report and their attitude to fix it

Let's find more and report to them!

It is the start of... XSS-Nightmare…

Found: easy-to-find regular Reflected XSS

2013/08/28 Report

2013/08/30 Response: "We received the 3 new XSS vulnerabilities from you. Thank you very much. At this time we will check the facts and we will proceed with the intensive measures. Following the last time, we would very much appreciate your valuable pointing-out. We would like to thank you over and over again."

Same time

Suddenly I became unable to access manabi.benesse.ne.jp

I could access it after changing IP

Investigate further

Access denied because of my testing requests?

"There will be such a thing"

I added a comment (with the bug report): "Maybe blocked due to my testing requests. Best regards."

On a later date

"Thank you for pointing out that our fix is incomplete. After the investigation we will proceed with the correspondence. Thank you very much."

They are ignoring my comment? I think they understood what I mentioned...

Continue to report

Reported many times that the fix is incomplete

Access denied at every confirmation test

Repeated testing by changing IP

And...

2013/9/7 Evening: Incident happened

What happened?

At first I thought it was a trouble or a failure of equipment, but it was not

I found a warning email from the service provider:

"Detected suspicious access from your network. Check your PC if it is infected by a virus or generating unauthorized access."

Suspicious Access?

I can just make sense of it

Checked vulnerabilities before and after the warning mail: reported to Google, excite, Benesse

(I mean my daily activities (only access history) are all "suspicious")

The never-reported site of Benesse was access denied. I considered it doubtful.

Contortion

9th Sep: In the reply, thanks as usual: "Thank you very much for your pointing-out. We will check your emails received on 6th and 7th Sep. We will proceed with intensive measures. We would like to thank you over and over again for your very valuable report."

Letter from nifty, with a pledge letter: "Do not attack"

Wait, wait, it's a misunderstanding…

Call to Benesse / nifty

Both: "We can not answer for a security reason."

Me: "I'm in trouble, my home internet was stopped. I want to check the facts."

It is no use

Got a WiMAX mobile wifi router as I can't do a stroke of work

Using tethering, I wrote a blog as a last hope

I'm giving up... At that time, the Messiah appears

http://masatokinugawa.l0.cm/2013/09/xssbenesse.html

"Disconnected from Internet, maybe because of XSS"

The Tokumaru

Received a DM: "I read your blog. I am contacting Benesse about it. Could you let me know your E-mail address?"

Oh God

Afterwards

Benesse entrusted the operation of the intrusion detection system to a security company, who block the network and/or contact the ISP when detecting attacks

hmmm

Afterwards: In the flow it seems: detected by IPS (Intrusion Prevention System) → monitoring by security company → contact to ISP → blocked by ISP

I see

Afterwards

After some exchanges, I was told Benesse can contact the ISP. If you send them your IP address at the reporting time, they will match it.

Sure. Do I have records?

Yes. Daily I tested browser behavior in my domain (vulnerabledoma.in). I have my IP access logs on a daily basis.

28th Aug: XXXXX.2
29th Aug: XXXXX.25
30th Aug: XXXXX.195
31st Aug: XXXXX.140
1st Sep: XXXXX.14

like this

After reporting the IPs, I heard they did withdrawal of the unauthorized access information and requested the block release to the ISP. It leaves the decision up to the ISP now.

Thank God

Finally

Tears of gratitude

13th Sep evening (about 1 week from being blocked)

Internet is back!

Re-acknowledgment: It would be difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation. Thank you so much again!

(this is not Mimirin)

God Tokumaru's books are on sale

http://www.amazon.co.jp/dp/4822279987

http://www.amazon.co.jp/dp/4797361190

Buy now!

What I felt through the problem

I wonder whether the inside of a big company is complicated

I can imagine that an information leak occurs

Not others' problem

I send you a link that makes your browser send an XSS-like request to a Benesse site:

http://manabi.beness…<script>alert(1)</script>

When you access it, the site will become unavailable. In the worst case, Internet block.

(I can not link it because it's so dangerous)

Mistake of the IDS company

They do not scrutinize whether it is an attack or not

They do not understand the property of the attack

I want to question the effectiveness of blocking an IP in order to address XSS. I can yet understand if they stop all access.

In this case, collation of the log and the reporting is needed. The cause is similar to the remotely controlled PC incident.

To give help to fix XSS's fundamental problem, I believe, is the only way to eradicate XSS.

Threat of XSS

Execute arbitrary script / manipulation

Confidential information leak

Phishing by page contents change

+ Internet Block

Lessons learned: The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After the Internet resumed

If I tell my IP address in advance, Benesse allows my testing

Reported nearly 100 vulns (all were fixed in a short period of time. This attitude is really great!)

As a consequence

Explain 2 cases out of it

DOM based XSS ❶

https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/

jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
  setTimeout(function(){
    hash = location.hash;
    if (hash != '' && jQuery(hash).length) {
      /* ... */
    }
  }, 500);
});

To run the event at the time of clicking a specific link:

jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

Specific links:

<div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
<li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
<li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"

jQuery('#nav-pw li a, a.tab-link')

All links point to "#..."

Based on this, look at it again carefully:

jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
  setTimeout(function(){
    hash = location.hash;
    if (hash != '' && jQuery(hash).length) {
      /* ... */
    }
  }, 500);
});

The hash can be changed within that 0.5 sec

Current source:

  hash = location.hash;

2013/10/4 fix XSS:

  if (hash == '#first-login' || hash == '#passmodif' || hash == '#passlost') {
  } else {
    hash = '';
  }
  if (hash != '' && jQuery(hash).length) {

tabs.js from http://www.benesse.co.jp/s/land/pass/
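The 2013/10/4 fix is an allowlist of the three hashes the nav links actually use. The block below is an added example written for this page, not the site's tabs.js, and it generalises that fix: the allowlist is derived from the nav markup itself, so adding a tab later cannot silently reopen the hole, and anything that is not a bare #id is rejected before it ever reaches a jQuery selector. The weakness being closed is that location.hash is under the control of whoever links to or frames the page, and older jQuery builds would interpret a string containing a tag passed to jQuery() as HTML to create rather than as a selector; legacyJqueryWouldParseAsHtml models that behaviour only roughly. jQuery itself is not loaded here, NAV_HTML is the markup quoted above reduced to its links, and the function names are my own.

```javascript
// Added example (not Benesse's tabs.js): hardening the location.hash -> jQuery(hash) pattern.

// The nav markup quoted on the slide, reduced to its three links (constructed sample).
const NAV_HTML =
  '<div id="nav-pw"><ul>' +
  '<li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png"></a></li>' +
  '<li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png"></a></li>' +
  '<li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png"></a></li>' +
  '</ul></div>';

// Only a bare fragment identifier is acceptable as a tab selector: "#" followed by
// letters, digits, "-" or "_". Anything containing "<", spaces, quotes, etc. is out.
const SAFE_HASH = /^#[A-Za-z0-9_-]+$/;

// Derive the allowlist from the links that exist in the nav instead of hard-coding
// three strings as the 2013/10/4 fix did. Hrefs that are not plain fragments are ignored.
function collectAllowedHashes(navHtml) {
  const allowed = [];
  const re = /href="([^"]*)"/g;
  let m;
  while ((m = re.exec(navHtml)) !== null) {
    if (SAFE_HASH.test(m[1]) && allowed.indexOf(m[1]) === -1) allowed.push(m[1]);
  }
  return allowed;
}

// Replacement for `hash = location.hash`: returns the hash only when it is both
// syntactically a bare #id and one of the tabs the page really has, otherwise ''.
// The original code then skips jQuery(hash) because hash == ''.
function safeTabHash(rawHash, allowed) {
  if (typeof rawHash !== 'string' || !SAFE_HASH.test(rawHash)) return '';
  return allowed.indexOf(rawHash) === -1 ? '' : rawHash;
}

// Rough model of the legacy jQuery behaviour that made this exploitable: a string
// containing an HTML tag was treated as markup to build, not as a selector.
function legacyJqueryWouldParseAsHtml(str) {
  return /<[^>]+>/.test(str);
}

const ALLOWED = collectAllowedHashes(NAV_HTML);
console.log('allowed tabs:', ALLOWED);
console.log('valid hash   ->', JSON.stringify(safeTabHash('#passmodif', ALLOWED)));
console.log('hostile hash ->', JSON.stringify(safeTabHash('#<svg onload=alert(1)>', ALLOWED)));
```

Two layers are deliberate: SAFE_HASH alone already stops markup from reaching jQuery(), and the allowlist additionally stops a syntactically clean but unexpected id (for example an id belonging to some other widget on the page) from being used as a tab selector.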

DOM based XSS ❷

<script type="text/javascript">
$(document).ready(function(){
  result = "answer/answer_" + $.query.get("result") + ".html";
  $("#answer_box").load(result);
});
</script>
<div id="answer_box"></div>

Make a path from the parameter "result" → load the page response from that URL into the page

https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html

The path is limited to the same domain... safe?

No!

An uploadable user avatar image is hosted in the same domain

If you write <script> in the image comment area, it will be uploaded directly

In this way: vulnpage?result=[path traversal to]uploads/profile/icon.jpg%23

$(document).ready(function(){
  result = "answer/answer_" + $.query.get("result") + ".html";
  $("#answer_box").load(result);
});

The image binary is exported into the page

DEMO: http://vulnerabledoma.in/avtokyo2015
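Why the %23 matters, and what the check should have been, as an added example that is not the site's code: resolveAnswerPath shows what the browser actually requests for a given "result" value, including how a trailing "#" turns the appended ".html" into a fragment that is never sent, and buildAnswerUrl is a hypothetical hardened builder that accepts only an identifier and then verifies that the resolved URL still points at answer/answer_*.html on the same origin. The base URL https://example.test/contents/ and the traversal string are constructed; the slide does not show the exact value that was used.

```javascript
// Added example (not the site's code): resolving and validating the "result" parameter.
const BASE = 'https://example.test/contents/'; // constructed stand-in for the page's directory

// What the original code computes and what the browser then requests. Returns the
// resolved URL object so pathname and hash can be inspected separately.
function resolveAnswerPath(result) {
  return new URL('answer/answer_' + result + '.html', BASE);
}

// Semantic check: the resolved URL must still live under answer/answer_*.html on
// this origin, with no query string and no fragment (a fragment means the ".html"
// suffix was swallowed and the server sees a different path).
function isUnderAnswerDir(u) {
  const base = new URL(BASE);
  return u.origin === base.origin &&
         u.pathname.startsWith(base.pathname + 'answer/answer_') &&
         u.pathname.endsWith('.html') &&
         u.search === '' &&
         u.hash === '';
}

// Hardened builder with two independent checks:
//  1. syntactic: "result" must be a plain identifier (no "/", ".", "#", "?", ...)
//  2. semantic: isUnderAnswerDir on the resolved URL
// Returns the URL string, or null when either check fails.
function buildAnswerUrl(result) {
  if (typeof result !== 'string' || !/^[A-Za-z0-9_-]+$/.test(result)) return null;
  const u = resolveAnswerPath(result);
  return isUnderAnswerDir(u) ? u.href : null;
}

// Constructed inputs: a benign id and a traversal string of the shape described on
// the slide, where the trailing "#" (sent as %23) turns ".html" into a fragment.
const GOOD_RESULT = '3';
const TRAVERSAL_RESULT = '/../../uploads/profile/icon.jpg#';

console.log('benign   ->', resolveAnswerPath(GOOD_RESULT).href);
console.log('traversal -> path', resolveAnswerPath(TRAVERSAL_RESULT).pathname,
            'fragment', resolveAnswerPath(TRAVERSAL_RESULT).hash);
console.log('hardened  ->', buildAnswerUrl(GOOD_RESULT), buildAnswerUrl(TRAVERSAL_RESULT));
```

The semantic check is the one that matters in the long run: even if the identifier regex is later relaxed, a value can only pass if the browser would still fetch a file under answer/. Note also that the same-origin restriction of .load() was never the real boundary here; the boundary is which files on that origin can contain attacker-written bytes, and user uploads always can.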

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

@kinugawamasato

masatokinugawa[at]gmail.com

Thanks!

💰💰💰

Introduction

Masato Kinugawa

Lonely bug hunter

Only XSS is my friend

Daily job

Office Home

Duty Up to my motivation

Job Looking for security bugs

Income Bug Bounty

Is it enough for living

Last year Income

Last year Income

41050707 Yen

128176

Last year Income

41050707 Yen

(Octal notation) 128176

Good story is that all

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Daily job

Office Home

Duty Up to my motivation

Job Looking for security bugs

Income Bug Bounty

Is it enough for living

Last year Income

Last year Income

41050707 Yen

128176

Last year Income

41050707 Yen

(Octal notation) 128176

Good story is that all

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Last year Income

Last year Income

41050707 Yen

128176

Last year Income

41050707 Yen

(Octal notation) 128176

Good story is that all

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Twist

"Thank you very much for your pointing-out. We will check your emails received on 6th and 7th Sep. We will proceed with intensive measures. We would like to thank you over and over again for your very valuable report."

9th Sep: In the reply, thanks as usual

Letter from nifty

with a pledge letter: "Do not attack"

Wait, wait, it's a misunderstanding…

Called Benesse and nifty

Both: "We cannot answer, for security reasons"

Me: "I'm in trouble, my home internet was stopped. I want to check the facts"

It was no use

Got a WiMAX mobile Wi-Fi router as I couldn't do a stroke of work

Using tethering, I wrote a blog post as a last hope

I'm giving up… At that time, the Messiah appears

http://masatokinugawa.l0.cm/2013/09/xss.benesse.html

"Disconnected from the Internet, maybe because of XSS"

The Tokumaru

Received a DM:

"I read your blog. I am contacting Benesse about it. Could you let me know your e-mail address?"

Oh God

Afterwards:

Benesse entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks

hmmm

Afterwards, the flow, it seems: detected by IPS (Intrusion Prevention System) → monitored by the security company → contact to the ISP → blocked by the ISP

I see

Afterwards:

After some exchanges, I was told Benesse can contact the ISP: if you send them your IP address at the time of each report, they will match it

Sure. Do I have records?

Yes. Daily I tested browser behavior on my domain (vulnerabledoma.in), so I have my IP in its access logs on a daily basis

28th Aug XXXXX.2
29th Aug XXXXX.25
30th Aug XXXXX.195
31st Aug XXXXX.140
1st Sep XXXXX.14

like this

After I reported the IPs, I heard they withdrew the unauthorized-access information and requested the ISP to release the block. It is up to the ISP's decision now

Thank God

Finally

Tears of gratitude

13th Sep evening (about 1 week after being blocked)

Internet is back

Re-acknowledgment: It would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation

Thank you so much again

(this is not Mimirin)

God Tokumaru's books are on sale

http://www.amazon.co.jp/dp/4822279987

http://www.amazon.co.jp/dp/4797361190

Buy now

What I felt through the problem:

The inside of a big company seems complicated

What I felt through the problem:

I can imagine that information leaks occur

Not other people's problem:

If I send you a link that makes you send an XSS-like request to a Benesse site

http://manabi.beness…<script>alert(1)</script>

When you access it, the site will become unavailable to you; in the worst case, Internet block

(I can't make it a link because it's so dangerous)

Mistake of the IDS company:

They do not scrutinize whether it is an attack or not

They do not understand the properties of the attack

I want to question the effectiveness of blocking an IP in order to address XSS. I could still understand it if they stopped all access

In this case the logs need to be collated with the reports. The cause is similar to the remotely controlled PC incident

Helping to fix the fundamental problem of XSS: I believe that is the only way to eradicate XSS
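The collation of logs with reports that the slide calls for, and the "tell us your IP in advance" arrangement mentioned later in the deck, can be turned into triage logic on the monitoring side. The following is an added example of mine, not code from the talk or from Benesse's monitoring vendor: every IDS alert is matched against a register of researcher IPs with validity windows before anything is escalated, and a client-side probe from an unregistered IP goes to an analyst rather than straight to the ISP. The register entries, alert lines, signature names and log format are all constructed for this demo.

```javascript
// Added example (mine, not from the talk or from Benesse's monitoring vendor):
// collating IDS alerts with a register of researcher IPs before anything is
// escalated to an ISP. Register entries, alert lines and the log format are
// all constructed for this demo.

// IPs a reporter declared in advance, each valid for a half-open window (UTC).
const TESTER_REGISTER = [
  { ip: "203.0.113.2",   from: "2013-08-28T00:00:00Z", to: "2013-08-29T00:00:00Z", reporter: "reporter@example.invalid" },
  { ip: "203.0.113.25",  from: "2013-08-29T00:00:00Z", to: "2013-08-30T00:00:00Z", reporter: "reporter@example.invalid" },
  { ip: "203.0.113.195", from: "2013-08-30T00:00:00Z", to: "2013-08-31T00:00:00Z", reporter: "reporter@example.invalid" },
];

// Constructed alert lines: "<timestamp> <source-ip> <signature> <request-uri>".
const SAMPLE_ALERTS = [
  '2013-08-28T10:12:03Z 203.0.113.2 XSS_PATTERN /?q="><svg onload=alert(1)>',
  "2013-08-30T22:40:11Z 203.0.113.195 XSS_PATTERN /search?q=<script>",
  "2013-09-01T08:00:00Z 203.0.113.14 XSS_PATTERN /?q=<script>alert(1)</script>",
  "2013-09-01T08:00:05Z 198.51.100.7 SQLI_PATTERN /login?user=admin'--",
];

// Signatures for client-side attacks: a probe for them harms nobody until a
// victim follows the crafted link, so the sender's intent needs a human look.
const CLIENT_SIDE_SIGNATURES = new Set(["XSS_PATTERN"]);

function parseAlert(line) {
  const m = /^(\S+) (\S+) (\S+) (.*)$/.exec(line);
  return m ? { ts: m[1], src: m[2], sig: m[3], uri: m[4] } : null;
}

// The registration covering this IP at the alert time, or null.
function findRegistration(register, ip, ts) {
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return null;
  return register.find((r) => r.ip === ip && Date.parse(r.from) <= t && t < Date.parse(r.to)) || null;
}

// Decide one alert. No decision here blocks anyone or contacts the ISP by
// itself; "escalate" hands the alert to a person with the evidence attached.
function triageAlert(alert, register) {
  const reg = findRegistration(register, alert.src, alert.ts);
  if (reg) {
    return { src: alert.src, action: "notify-reporter", reason: `IP registered by ${reg.reporter} for this window` };
  }
  if (CLIENT_SIDE_SIGNATURES.has(alert.sig)) {
    return { src: alert.src, action: "analyst-review", reason: `${alert.sig} from unregistered IP; judge intent before any block` };
  }
  return { src: alert.src, action: "escalate", reason: `${alert.sig} from unregistered IP` };
}

function triageAll(lines, register) {
  return lines.map(parseAlert).filter((a) => a !== null).map((a) => triageAlert(a, register));
}

for (const d of triageAll(SAMPLE_ALERTS, TESTER_REGISTER)) {
  console.log(`${d.src} -> ${d.action}: ${d.reason}`);
}
```

The windows are half-open so a registration for the 28th does not cover the first second of the 29th; if a tester's IP changes daily, as in the talk, each day needs its own entry.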

Threat of XSS

Execute arbitrary script / manipulation

Confidential information leak

Phishing by changing page contents

…and, as it turned out:

Internet block

Lessons learned: the world has things that should not be poked

Recently blocked again:

Non-payment of charges

(the payment transaction was not completed, by a misunderstanding)

The world is harsh

Sorrow of bug

After the Internet resumed:

If I tell them my IP address in advance, Benesse allows my testing

Reported nearly 100 vulns (all were fixed in a short period of time; this attitude is really great)

As a consequence, I will explain 2 cases out of them

DOM based XSS ❶ https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/

    jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event) {
      setTimeout(function() {
        hash = location.hash;
        if (hash != "" && jQuery(hash).length) {
          // body not shown on the slide
        }
      }, 500);
    });

DOM based XSS ❶

The handler runs at the time of clicking a specific link:

    jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event) {

The specific links:

    <div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery("#nav-pw li a, a.tab-link"): all of these links point to "#…" fragments

Based on this, look at it again carefully:

    jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event) {
      setTimeout(function() {
        hash = location.hash;
        if (hash != "" && jQuery(hash).length) {
          // body not shown on the slide
        }
      }, 500);
    });

The hash is read 0.5 sec after the click, so the hash can be changed within that 0.5 sec, and whatever location.hash holds at that moment is handed to jQuery() as a selector

Current source:

    hash = location.hash;

2013/10/4 fix (XSS):

    hash = location.hash;
    if (hash == "#first-login" || hash == "#passmodif" || hash == "#passlost") {
    } else {
      hash = "";
    }
    if (hash != "" && jQuery(hash).length) {

(tabs.js from http://www.benesse.co.jp/s/land/pass/)
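The fix above compares location.hash against the three fragment values by hand. As an added example (my code, not Benesse's tabs.js), here is the same tab switch with the fragment treated as an identifier, checked against an allowlist derived from the nav links' href values, and then looked up by id rather than passed to jQuery() as a selector. It generalises the three hard-coded comparisons to however many tabs the nav contains. The nav markup is a constructed copy of the slide's, and a tiny fake document stands in for the browser so it runs in Node.

```javascript
// Added example (mine, not Benesse's tabs.js): the tab switch with the URL
// fragment treated as an identifier and checked against an allowlist, instead
// of being handed to jQuery() as a selector. The allowlist is derived from the
// nav links' href values. The markup below is a constructed copy of the slide's
// nav; a tiny fake document stands in for the browser so this runs in Node.

const NAV_HTML = `
<div id="nav-pw"><ul>
<li id="nav-first"><a href="#first-login">first login</a></li>
<li id="nav-passmodif"><a href="#passmodif">change password</a></li>
<li id="nav-passlost"><a href="#passlost">reissue password</a></li>
</ul></div>`;

// An id is only ever letters, digits, '_' or '-': no spaces, no '<', no '.'.
const SAFE_ID = /^[A-Za-z0-9_-]+$/;

// Collect the fragment targets the nav actually links to.
function allowedTabsFromNav(html) {
  const allowed = new Set();
  const re = /href="#([^"]*)"/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (SAFE_ID.test(m[1])) allowed.add(m[1]);
  }
  return allowed;
}

// Turn location.hash into a tab id, or null if it is not one of ours.
// A hash changed by another page within the 0.5 s window still has to pass.
function tabIdFromHash(hash, allowed) {
  if (typeof hash !== "string" || !hash.startsWith("#")) return null;
  const id = hash.slice(1);
  if (!SAFE_ID.test(id) || !allowed.has(id)) return null;
  return id;
}

// Minimal stand-in for `document`: knows a fixed set of element ids.
function makeFakeDocument(ids) {
  const els = new Map(ids.map((id) => [id, { id, active: false }]));
  return { getElementById: (id) => els.get(id) || null };
}

// What the click handler's setTimeout callback would do: look the element up
// by id (never by selector string) and mark it active. Returns the element or
// null when the hash was rejected.
function activateTab(hash, allowed, doc) {
  const id = tabIdFromHash(hash, allowed);
  if (id === null) return null;
  const el = doc.getElementById(id);
  if (el === null) return null;
  el.active = true;
  return el;
}

const ALLOWED = allowedTabsFromNav(NAV_HTML);
const DOC = makeFakeDocument([...ALLOWED]);
for (const h of ["#first-login", "#passlost", "#nav-pw li a", "#first-login extra", ""]) {
  console.log(JSON.stringify(h), "->", activateTab(h, ALLOWED, DOC) ? "activated" : "rejected");
}
```

In a real page, activateTab() would be called from the setTimeout callback with location.hash; because the lookup goes through getElementById, a fragment that is not a plain id can never be interpreted as a selector or as markup, whatever it was changed to in the meantime.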

DOM based XSS ❷

    <script type="text/javascript">
    $(document).ready(function() {
      result = "answer/answer_" + $.query.get("result") + ".html";
      $("#answer_box").load(result);
    });
    </script>
    <div id="answer_box"></div>

It builds a path from the parameter "result" → loads the response of that URL into the page

DOM based XSS ❷: the path is limited to within the same domain, so it is safe?

    <script type="text/javascript">
    $(document).ready(function() {
      result = "answer/answer_" + $.query.get("result") + ".html";
      $("#answer_box").load(result);
    });
    </script>
    <div id="answer_box"></div>

https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html

No

User avatar images can be uploaded and are hosted in the same domain

If you write <script> in the image's comment area, it is uploaded as-is

In this way: vulnpage?result=…/uploads/profile/icon.jpg%23

    $(document).ready(function() {
      result = "answer/answer_" + $.query.get("result") + ".html";
      $("#answer_box").load(result);
    });

The image binary is written into the page

DEMO: http://vulnerabledoma.in/avtokyo2015
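The lesson of case ❷ is that "same domain" is not a safe boundary when the same origin also serves user-uploaded files, so the parameter has to be confined to what it is meant to be. The following is an added example of mine, not the page's own script: the "result" value is accepted only as a short identifier, the resulting URL is resolved the way the browser will and checked to still be an .html file under the answer directory, and a comparison function shows where the unchecked concatenation would actually send the request. The base URL, directory name and sample values are constructed.

```javascript
// Added example (mine, not the page's script): building the answer-page URL
// from the "result" parameter with the parameter confined to a short
// identifier, so ".html" cannot be cut off by "#" and the request cannot be
// steered at another file on the same origin (the uploaded avatar on the
// slide). The base URL, directory name and sample values are constructed.

const ANSWER_DIR = "./answer/";
const RESULT_ID = /^[A-Za-z0-9_-]{1,32}$/;

// Primary check: accept only an identifier, never a path.
function buildAnswerPath(result) {
  if (typeof result !== "string" || !RESULT_ID.test(result)) return null;
  return `${ANSWER_DIR}answer_${result}.html`;
}

// Second line of defence: resolve the URL the way the browser will and confirm
// it is still an .html file under ./answer/ on this origin, with no query or
// fragment that could change what is fetched. WHATWG URL API, Node and browsers.
function resolvesInsideAnswerDir(path, base) {
  const u = new URL(path, base);
  const dir = new URL(ANSWER_DIR, base);
  return u.origin === dir.origin &&
    u.pathname.startsWith(dir.pathname) &&
    u.pathname.endsWith(".html") &&
    u.search === "" && u.hash === "";
}

function safeAnswerPath(result, base) {
  const p = buildAnswerPath(result);
  return p !== null && resolvesInsideAnswerDir(p, base) ? p : null;
}

// For comparison: the path the unchecked concatenation would actually request.
// The browser drops everything from "#" on, so the ".html" suffix disappears
// and "../" segments are resolved before the request leaves.
function naiveRequestTarget(result, base) {
  return new URL(`${ANSWER_DIR}answer_${result}.html`, base).pathname;
}

const BASE = "https://example.invalid/answer.html";  // constructed page URL
for (const r of ["3", "/../../uploads/profile/icon.jpg#", "1 #answer_box"]) {
  console.log(JSON.stringify(r), "naive ->", naiveRequestTarget(r, BASE), "| checked ->", safeAnswerPath(r, BASE));
}
```

The identifier check alone is sufficient here; the resolver is kept as a guard for the day someone relaxes the regex, and because jQuery's .load() also treats text after a space as a selector, which the regex rejects as a side effect.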

Conclusion

I will continue finding bugs while trying not to bother anyone

Thank you very much (Yoroshiku)

@kinugawamasato

masatokinugawa[at]gmail.com

Thanks

💰💰💰

Last year Income

41050707 Yen

128176

Last year Income

41050707 Yen

(Octal notation) 128176

Good story is that all

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Last year Income

41050707 Yen

(Octal notation) 128176

Good story is that all

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Good story is that all

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/slandpass

jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
  setTimeout(function(){
    hash = location.hash;
    if (hash != '' && jQuery(hash).length) {
      // ... (tab-switching body omitted on the slide)
    }
  }, 500);
});

DOM based XSS ❶

The event runs when a specific link is clicked:

jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

Specific links:

<div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>

<li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>

<li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"></a></li></ul></div>

jQuery('#nav-pw li a, a.tab-link') matches all of these links.

Based on this, look at it again carefully:

  setTimeout(function(){
    hash = location.hash;
    if (hash != '' && jQuery(hash).length) {
      ...
    }
  }, 500);

location.hash is read only when the timer fires, so the hash can be changed within that 0.5 sec; jQuery(hash) then receives a value that did not come from the clicked link.

Current source: hash = location.hash;

2013/10/4 fix for the XSS:

if (hash == '#first-login' ||
    hash == '#passmodif' || hash == '#passlost') {
} else {
  hash = '';
}
if (hash != '' && jQuery(hash).length) {

tabs.js from http://www.benesse.co.jp/slandpass
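The race in case ❶, replayed without a browser as an added example (not code from the deck or from Benesse): the original decision, the whitelist fix, and a fake timer that shows why reading location.hash 0.5 sec after the click matters. It assumes the three href values in the HTML above are the only legitimate tabs, and stands in for jQuery() with a version-independent "looks like HTML" check.

```javascript
'use strict';

// Fragments the tab bar can legitimately produce (the three anchors' href
// values in the deck's HTML).
const ALLOWED_TABS = ['#first-login', '#passmodif', '#passlost'];

// Stand-in for jQuery(selector): older jQuery hands a string that contains
// markup to the HTML parser instead of the selector engine. Which strings
// qualify changed across versions; this stand-in flags any '<...>' so the
// demonstration does not depend on one version's regex.
function fakeJQuery(selector) {
  return /<[\w\W]+>/.test(selector) ? 'html-parsed' : 'css-selector';
}

// Original decision, 0.5 s after the click: use location.hash as found.
function vulnerableDecision(hashAtTimeout) {
  const hash = hashAtTimeout;
  return hash !== '' ? fakeJQuery(hash) : 'ignored';
}

// The 2013/10/4 fix as a pure function: anything outside the whitelist is
// blanked before it can reach jQuery(). Comparing whole strings (not
// startsWith / indexOf) is what makes the check sound.
function fixedDecision(hashAtTimeout) {
  const hash = ALLOWED_TABS.includes(hashAtTimeout) ? hashAtTimeout : '';
  return hash !== '' ? fakeJQuery(hash) : 'ignored';
}

// Replay the race with a fake location and a fake timer queue:
//   1. the click's default action sets location.hash from the anchor's href,
//   2. the bound handler only schedules work for 500 ms later,
//   3. anything may rewrite the fragment during that wait,
//   4. the timer fires and the handler reads location.hash as it is *now*.
function simulateClick(clickedHref, hashDuringWait, decide) {
  const fakeLocation = { hash: clickedHref };                           // step 1
  const timers = [];
  let outcome = 'not-run';
  timers.push(() => { outcome = decide(fakeLocation.hash); });          // step 2
  if (hashDuringWait !== undefined) fakeLocation.hash = hashDuringWait; // step 3
  timers.forEach((fn) => fn());                                         // step 4
  return outcome;
}
```

With no change during the wait both versions behave identically; the difference only appears when the fragment is rewritten inside the 500 ms window.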

DOM based XSS ❷

<script type="text/javascript">$(document).ready(function(){
  result = 'answer/answer_' + $.query.get('result') + '.html';
  $('#answer_box').load(result);
});</script><div id="answer_box"></div>

Builds a path from the parameter result → loads the response of that URL into the page

DOM based XSS ❷: the path is limited to the same domain, so it is safe?

https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html

No.

User-uploadable avatar images are hosted in the same domain.

If you write <script> in the image's comment area, it is uploaded as-is.

In this way: vulnpage?result=uploads/profile/icon.jpg%23

$(document).ready(function(){
  result = 'answer/answer_' + $.query.get('result') + '.html';
  $('#answer_box').load(result);
});

The image binary is inserted into the page as HTML.

DEMO: http://vulnerabledoma.in/avtokyo2015
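The "same domain, so it is safe?" question from case ❷, made testable as an added example (not code from the deck or from Benesse): it resolves the path the handler builds exactly as the browser would, showing why the %23 in the query defeats the .html suffix, and sets a hardened builder beside it. It assumes a constructed page location, that $.query.get() returns the already URL-decoded value, and a placeholder answer-id format.

```javascript
'use strict';

// Constructed location of the vulnerable page; only its directory matters
// for resolving the relative path the handler builds.
const PAGE_URL = 'http://www.example.test/contents/oyashindan/vulnpage';

// The original handler's path construction:
// 'answer/answer_' + $.query.get('result') + '.html'. The query plugin hands
// back an already URL-decoded value, so %23 in the query arrives here as '#'.
function buildLoadPath(resultParam) {
  return 'answer/answer_' + resultParam + '.html';
}

// Resolve the relative path the way the browser does before $().load()
// issues the request, and report what would actually be fetched.
function resolveLoadTarget(resultParam) {
  const u = new URL(buildLoadPath(resultParam), PAGE_URL);
  return {
    pathname: u.pathname,   // file really requested
    hash: u.hash,           // anything after '#' is never sent to the server
    sameOrigin: u.origin === new URL(PAGE_URL).origin,
  };
}

// Hardened version. Same origin is not a trust boundary when that origin also
// serves user uploads, so the parameter itself must be constrained: accept
// only an answer id (placeholder format), then confirm the resolved request
// still names an answer_*.html file directly inside answer/.
const ANSWER_ID = /^[A-Za-z0-9_]{1,32}$/;

function safeLoadTarget(resultParam) {
  if (typeof resultParam !== 'string' || !ANSWER_ID.test(resultParam)) {
    return null;
  }
  const u = new URL(buildLoadPath(resultParam), PAGE_URL);
  const answerDir = new URL('answer/', PAGE_URL).pathname;
  const inPlace = u.pathname.startsWith(answerDir + 'answer_')
    && u.pathname.endsWith('.html')
    && !u.pathname.slice(answerDir.length).includes('/')
    && u.hash === '' && u.search === '';
  return inPlace ? u.pathname : null;
}

// Side-by-side view of what each version would request for one input.
function compare(resultParam) {
  return {
    original: resolveLoadTarget(resultParam).pathname,
    hardened: safeLoadTarget(resultParam),
  };
}
```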

Conclusion

I will continue finding bugs while trying not to bother anyone.

Thank you very much (Yoroshiku)

@kinugawamasato

masatokinugawa[at]gmail.com

Thanks

💰💰💰

Topics

1st

half

Story of blocked internet

2nd

halfSorrow of bug

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Story of blocked internet

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Summary

Looking for XSS on Benesse

My home internet was blocked

twists and turns

Why did I look for XSS on Benesse

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

In summer 2013I found a possibility of DOM based

XSS using U+20282029

httpmasatokinugawal0cm201309u2028u2029domxsshtml

Used to be a problem in easy regex

Details on my BlogU+20282029とDOM based XSS

Looking for the impact

I think many people have same situation

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received a DM:

"I read your blog. I am contacting Benesse about it. Could you let me know your e-mail address?"

Oh God

Afterwards:

Benesse had entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks

Hmmm

Afterwards: the flow seems to have been: detected by IPS (Intrusion Prevention System) → monitored by the security company → contact to the ISP → blocked by the ISP

I see

Afterwards:

After some exchanges I was told that Benesse can contact the ISP: if I send them my IP address at the time of each report, they will match it against the detection records

Sure, but do I have records?

Yes. I test browser behavior daily on my own domain (vulnerabledoma.in), so I have my IP address in its access logs day by day

28th Aug: XXXXX.2, 29th Aug: XXXXX.25, 30th Aug: XXXXX.195, 31st Aug: XXXXX.140, 1st Sep: XXXXX.14

like this

After I reported the IP addresses, I heard they withdrew the unauthorized-access information and requested the ISP to release the block. The decision was now up to the ISP

Thank God

Finally

Tears of gratitude

13th Sep evening (about 1 week after being blocked)

Internet is back

Re-acknowledgment: it would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation

Thank you so much again

(This is not Mimirin)

God Tokumaru's books are on sale:

http://www.amazon.co.jp/dp/4822279987

http://www.amazon.co.jp/dp/4797361190

Buy now

What I felt through the problem

I wonder how complicated the inside of a big company is

What I felt through the problem

I can imagine how an information leak happens there

Not somebody else's problem

Suppose I send you a link that makes your browser send an XSS-like request to a Benesse site:

http://manabi.beness…<script>alert(1)</script>

When you access it:

The site becomes unavailable to you. In the worst case, Internet block

(I cannot link to it because it's so dangerous)

Mistake of the IDS company

They do not scrutinize whether it is an attack or not

They do not understand the nature of the attack

I want to question the effectiveness of blocking an IP in order to address XSS. I could still understand it if they stopped all access

In this case what was needed was collation of the logs and the reports. The cause is similar to the remotely-controlled PC incident

Helping to fix the fundamental problem behind XSS is, I believe, the only way to eradicate XSS

Threat of XSS

Execute arbitrary script / manipulation

Confidential information leak

Phishing by changing page contents

...and Internet block

Lessons learned: the world

There are things that should not be poked

Recently blocked again

Non-payment of charges

(the payment transaction was not completed, due to a misunderstanding)

The world is harsh

Sorrow of bug

After the Internet was restored

If I tell them my IP address in advance, Benesse allows my testing

Reported nearly 100 vulns (all were fixed in a short period of time.

This attitude is really great)

As a consequence

I'll explain 2 cases out of them

DOM based XSS ❶: https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/

jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event){
  setTimeout(function(){
    hash = location.hash;
    if (hash != "" && jQuery(hash).length) {
      ...
    }
  }, 500);
});

DOM based XSS ❶

The handler runs when a specific link is clicked:

jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event){

The specific links:

<div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
<li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
<li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"

jQuery("#nav-pw li a, a.tab-link")

= all links under #nav-pw (and any a.tab-link)

Based on this, look at it again carefully:

jQuery("#nav-pw li a, a.tab-link").bind("click touchstart", function(event){
  setTimeout(function(){
    hash = location.hash;          // read 500 ms after the click
    if (hash != "" && jQuery(hash).length) {
      ...
    }
  }, 500);
});

The hash can be changed within that 0.5 s, and whatever it is at that moment goes into jQuery(hash). A hash such as "#<img src=x onerror=alert(1)>" is parsed as HTML rather than as a selector by old jQuery versions (before 1.6.3), so this is script execution.

Current source:
hash = location.hash;

2013/10/4 fix for the XSS:
if (hash == "#first-login" || hash == "#passmodif" || hash == "#passlost") {
} else {
  hash = "";
}

if (hash != "" && jQuery(hash).length) {

tabs.js from http://www.benesse.co.jp/s/land/pass/
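Why jQuery(hash) was a sink and what the allowlist fix does, as an added example in JavaScript (Node.js, no jQuery needed) that is not the slides' or Benesse's code: it embeds the two versions of the regular expression jQuery runs on every argument to decide whether it is HTML, copied from jQuery 1.6.2 and 1.6.3 (1.6.3 changed it because of exactly this location.hash pattern), classifies a crafted hash with each, and applies the 2013/10/4 allowlist. The jQuery version used on the Benesse page is not given on the slides; the attack hash, the function names and the allowlist-from-hrefs generalisation are my additions.

```javascript
// Added example, not Benesse's tabs.js: why jQuery(location.hash) was a sink and
// what the 2013/10/4 allowlist fix does. Runs in Node.js without jQuery.

// The "quick expression" jQuery runs on every string passed to jQuery(str) to
// decide whether it is HTML (group 1) or an id selector (group 2); anything
// else goes to the selector engine. Copied from the jQuery source:
// 1.6.2 and earlier let characters precede the "<", so "#<img ...>" is HTML.
// 1.6.3 excluded "#" from the prefix, closing the location.hash case.
const rquickExpr_1_6_2 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const rquickExpr_1_6_3 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Classify a string the way jQuery(str) would in a given version:
// "html"     -> parsed as markup; event handlers in it fire
// "id"       -> document.getElementById
// "selector" -> handed to Sizzle (matches nothing or throws; no HTML parsing)
function classify(str, rquickExpr) {
  const m = rquickExpr.exec(str);
  if (!m) return "selector";
  return m[1] ? "html" : "id";
}

// A hash an attacker can put in place during the 500 ms between the click
// and the setTimeout callback reading location.hash (assumed payload).
const ATTACK_HASH = "#<img src=x onerror=alert(1)>";

// The fix shown above, as a function: only the three hashes the navigation
// actually uses reach jQuery(hash); everything else becomes "".
const ALLOWED_HASHES = ["#first-login", "#passmodif", "#passlost"];
function sanitizeHash(hash) {
  return ALLOWED_HASHES.indexOf(hash) !== -1 ? hash : "";
}

// Generalisation (my addition): derive the allowlist from the navigation's own
// href values, so adding a tab later cannot silently reopen the sink.
function allowlistFromHrefs(hrefs) {
  const allowed = new Set();
  for (const href of hrefs) {
    if (/^#[\w-]+$/.test(href)) allowed.add(href); // "#" + id characters only
  }
  return (hash) => (allowed.has(hash) ? hash : "");
}

// What the handler would do with each hash, per jQuery version.
function demo() {
  return {
    legitOld: classify("#passmodif", rquickExpr_1_6_2), // "id"
    attackOld: classify(ATTACK_HASH, rquickExpr_1_6_2), // "html": onerror fires
    attackNew: classify(ATTACK_HASH, rquickExpr_1_6_3), // "selector": no markup
    fixed: sanitizeHash(ATTACK_HASH),                   // ""
  };
}
```

The point of the two regexes is that the fix in tabs.js does not depend on the jQuery version: an exact-match allowlist of the hashes the page itself links to is correct whatever jQuery(hash) does with unexpected input, and deriving that list from the real href values keeps it from drifting when the navigation changes.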

DOM based XSS ❷

<script type="text/javascript">
$(document).ready(function(){
  result = "answer/answer_" + $.query.get("result") + ".html";
  $("#answer_box").load(result);
});
</script>
<div id="answer_box"></div>

Builds a path from the parameter "result" → fetches the response from that URL and inserts it into the page

DOM based XSS ❷: the path is limited to within the same domain, so it's safe?

https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html

No

User-uploadable avatar images are hosted on the same domain

If you write <script> in the image's comment area, it is uploaded as-is

In this way: vulnpage?result=../../uploads/profile/icon.jpg%23

(enough ../ to climb from answer/ to the upload directory; %23 is "#", so the ".html" suffix ends up in the fragment and is never sent)

$(document).ready(function(){
  result = "answer/answer_" + $.query.get("result") + ".html";
  $("#answer_box").load(result);
});

The image binary is inserted into the page as HTML, and the <script> inside it runs

DEMO: http://vulnerabledoma.in/avtokyo2015

Conclusion

I will continue finding bugs while trying not to bother anyone

Thank you very much (Yoroshiku)

@kinugawamasato

masato.kinugawa[at]gmail.com

Thanks

💰💰💰

How to test

❶ Added U+2028 and text that may cause DOM based XSS after

in URL

❷ Check the strange error happens

httphost[U+2028]gtltsvgonload=alert(1)gt

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

thenI found ordinary DOM based XSS on Benesse sitehttpswebarchiveorgweb20130723155109httpmanabibenessenejpgtltsvgonload=alert(1)gt

function writeAccesskeyForm()var htm = var ownURI = locationhrefhtm+= ltinput type=hidden name=backurl

value= + ownURI + gtdocumentwrite(htm)

writeAccesskeyForm()

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

after that20130805 Report

20130806 ResponseThank you very much for your bug report of Benesse Manabision we will check the fact as soon as possible and proceed the correspondence Thank you so much again for your cooperation

2013end of Aug confirmed the fix

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

After this response

I feel their appreciation to the bug report and their attitude to fix it

Lets find more and report to them

It is a start of

XSS-Nightmarehellip

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

2013/9/7 Evening: Incident happened

What happened?

At first I thought it was a trouble or a failure of equipment,

but it was not.

I found a warning email from my service provider:

"Suspicious access was detected from your network. Check whether your PC is infected by a virus or generating unauthorized access."

Suspicious Access?

I can just about make sense of it.

Checked vulnerabilities before and after the warning mail:

reported to Google, excite, Benesse

(I mean my daily activities (only access history) are all "suspicious")

Even a Benesse site I had never reported on was denying access; I considered that suspicious.

Contortion

"Thank you very much for your pointing-out. We will check your emails received on 6th and 7th Sep. We will proceed with intensive measures. We would like to thank you over and over again for your very valuable report."

9th Sep: In the reply, thanks as usual.

Letter from nifty

with a pledge letter: "Do not attack"

Wait, wait, it's a misunderstanding…

Call to Benesse / nifty

Both: "We cannot answer, for security reasons."

Me: "I'm in trouble, my home internet was stopped. I want to check the facts."

It is no use.

Got a WiMAX mobile Wi-Fi router, as I couldn't do a stroke of work.

Using tethering, I wrote a blog post as a last hope.

I'm giving up… At that time, the Messiah

appears!

httpmasatokinugawal0cm201309xssbenessehtml

"Disconnected from the Internet, maybe because of XSS"

The Tokumaru

Received a DM:

"I read your blog. I am contacting Benesse about it. Could you let me know your e-mail address?"

Oh God!

Afterwards

Benesse entrusted the operation of its intrusion detection system to a security company, which blocks the network and/or contacts the ISP when it detects attacks.

Hmmm

Afterwards: In the flow, it seems: detected by IPS (Intrusion Prevention System) → monitored by the security company → contact to the ISP → blocked by the ISP

I see

Afterwards

After some exchanges, I was told Benesse can contact the ISP. If you send them your IP address at the reporting time, they will match it.

Sure. Do I have records?

Yes. Daily I tested browser behavior on my domain (vulnerabledoma.in), so I have my IP access logs on a daily basis.

28th Aug: XXXXX.2
29th Aug: XXXXX.25
30th Aug: XXXXX.195
31st Aug: XXXXX.140
1st Sep: XXXXX.14

like this

After reporting the IPs, I heard they withdrew the unauthorized-access information and requested the block release from the ISP. It leaves the decision up to the ISP now.

Thank God

Finally

Tears of gratitude

13th Sep evening (about 1 week after being blocked)

Internet is back!

Re-acknowledgment: It would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation.

Thank you so much again

(this is not Mimirin)

God Tokumaru's books are on sale

http://www.amazon.co.jp/dp/4822279987

http://www.amazon.co.jp/dp/4797361190

Buy now!

What I felt through the problem

I wonder if the inside of a big company is complicated.

What I felt through the problem

I can imagine how an information leak occurs.

Not someone else's problem

I send you a link that makes you send an XSS-like request to a Benesse site:

http://manabi.beness…<script>alert(1)</script>

When you access it:

The site will become unavailable. In the worst case, Internet block.

(I cannot link it because it's so dangerous.)

Mistake of the IDS company

They do not scrutinize whether it is an attack or not.

They do not understand the properties of the attack.

I want to question the effectiveness of blocking an IP in order to address XSS. I could still understand it if they stopped all access.

In this case, collation of the logs and the reports is needed. The cause is similar to the remote-control PC incident.

Helping to fix XSS's fundamental problem: I believe it is the only way to eradicate XSS.
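The "collation of logs and reports" step described above, as an added example that is not anything Benesse or its IDS vendor actually ran: before an alert is escalated to an ISP, the source address and date are matched against the IPs a researcher declared with their reports. The alert line format, the addresses (RFC 5737 documentation ranges), the signature names and the function names are all constructed for this demo.

```javascript
// Added example (not the page's or any vendor's code): collate IDS alerts with
// the IP addresses a researcher declared in their bug reports before anything
// is escalated to an ISP.  Everything below is constructed demo data.

// IPs a researcher sent in with their reports, one entry per report day.
const REPORTED_TESTER_IPS = [
  { ip: '203.0.113.2',  date: '2013-08-28' },
  { ip: '203.0.113.25', date: '2013-08-29' },
];

// Constructed IDS alert lines: "<ISO timestamp> <src ip> <signature> <host>".
const ALERT_LINES = [
  '2013-08-29T14:02:11Z 203.0.113.25 WEB-XSS-SCRIPT-TAG manabi.example',
  '2013-08-29T14:05:40Z 198.51.100.7 WEB-XSS-SCRIPT-TAG manabi.example',
  '2013-08-30T09:10:00Z 203.0.113.25 WEB-XSS-SCRIPT-TAG manabi.example',
  '2013-08-30T09:12:00Z 198.51.100.7 SQLI-UNION-SELECT manabi.example',
];

// Parse one alert line; returns null for anything that does not fit the format.
function parseAlert(line) {
  const [ts, ip, signature, host] = line.trim().split(/\s+/);
  if (!ts || !ip || !signature || !host) return null;
  return { ts, date: ts.slice(0, 10), ip, signature, host };
}

// True when this exact IP was declared for this exact day.  The date matters:
// a home connection changes address, so an IP declared on the 29th says
// nothing about who was behind it on the 30th.
function matchesReport(alert, reports) {
  return reports.some(r => r.ip === alert.ip && r.date === alert.date);
}

// Decide what to do with one alert.  A reflected-XSS probe only ever lands in
// the sender's own browser, so an unmatched one goes to a human for review
// rather than straight to the ISP; other signatures from unknown sources are
// queued as escalation candidates (still for a human to confirm).
function triageAlert(alert, reports) {
  if (matchesReport(alert, reports)) return 'matched-report';
  if (alert.signature.startsWith('WEB-XSS')) return 'needs-review';
  return 'escalate';
}

// Bucket a batch of raw alert lines by the decision above.
function triage(lines, reports) {
  const result = { 'matched-report': [], 'needs-review': [], 'escalate': [] };
  for (const line of lines) {
    const alert = parseAlert(line);
    if (alert === null) continue; // skip malformed lines
    result[triageAlert(alert, reports)].push(line);
  }
  return result;
}

// Stand-alone run: prints the three buckets for the constructed alerts.
console.log(triage(ALERT_LINES, REPORTED_TESTER_IPS));
```

With the constructed data, only the first line is matched to a report; the third line comes from a declared IP but on a day it was not declared for, which is exactly why the reporting-time IP, not just the IP, is what gets matched.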

Threat of XSS

Execute arbitrary script / manipulation

Confidential information leak

Phishing by page content change

Internet Block

Lessons learned: The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(payment transaction not completed, due to a misunderstanding)

The world is harsh

Sorrow of bug

After the Internet resumed

If I tell them my IP address in advance, Benesse allows my testing.

Reported nearly 100 vulns (all were fixed in a short period of time;

this attitude is really great!)

As a consequence

I'll explain 2 cases out of them.

DOM based XSS ❶

httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != '' && jQuery(hash).length) {
                /* tab-switching code omitted on the slide */
            }
        }, 500);
    });

(Quotes, slashes and '#' characters in these snippets were lost in extraction and are restored here; the selector is read from the markup below.)

DOM based XSS ❶

To run the event at the time of clicking a specific link:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

Specific links:

    <div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい
    (rest of the markup cut off on the slide)

    jQuery('#nav-pw li a, a.tab-link')

All these links point to a "#..." fragment.

Based on this, look at it again carefully:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != '' && jQuery(hash).length) {
                /* ... */
            }
        }, 500);
    });

The hash can be changed within that 0.5 sec: location.hash is read 500 ms after the click, not at click time, and whatever is there by then is passed straight to jQuery(hash).

Look at it again carefully:

Current source:

    hash = location.hash;
    if (hash != '' && jQuery(hash).length)

2013/10/4 fix (XSS):

    hash = location.hash;
    if (hash == '#first-login' || hash == '#passmodif' || hash == '#passlost') {
        /* one of the known tabs: keep hash as-is */
    } else {
        hash = '';
    }
    if (hash != '' && jQuery(hash).length)

tabs.js from httpwwwbenessecojpslandpass
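The handler above, rebuilt as an added example (not Benesse's tabs.js) so that the two things that matter can be run outside a browser: location.hash is read 500 ms after the click, and the 2013/10/4 fix lets only the three known fragments through. The fake `location` object, the resolver names and the sample fragments are assumptions for this demo.

```javascript
// Added example, not Benesse's tabs.js: the tab-switch handler from the slide
// with the delayed hash read and the allow-list fix made runnable and testable.
// `fakeLocation`, the resolver names and the sample fragments are assumptions.

const ALLOWED_TABS = ['#first-login', '#passmodif', '#passlost'];

// A fragment that can only select an element by id: '#' plus id characters.
// Anything else ('<', quotes, spaces, ...) should never be handed to
// jQuery(hash), whatever a given jQuery version would do with it.
function isPlainIdFragment(hash) {
  return /^#[A-Za-z0-9_-]+$/.test(hash);
}

// Before the fix: any non-empty hash becomes the jQuery() argument.
function resolveTabBeforeFix(hash) {
  return hash !== '' ? hash : null;
}

// After the fix: the allow-list check from the slide; everything else is
// dropped (the original sets hash = '' so the following if() fails).
function resolveTabAfterFix(hash) {
  return ALLOWED_TABS.includes(hash) ? hash : null;
}

// The handler shape from the slide: the click fires now, the hash is read
// `delayMs` later.  `loc` stands in for window.location and `onTab` for the
// jQuery(hash) call, so whatever reaches onTab is what jQuery() would get.
function bindTabHandler(loc, resolver, onTab, delayMs = 500) {
  return function onClick() {
    setTimeout(function () {
      const target = resolver(loc.hash); // read at t = delayMs, not at t = 0
      if (target !== null) onTab(target);
    }, delayMs);
  };
}

// Synchronous model of the race for checking: the timer callback sees the
// hash present when it fires, not the one present at click time.
function outcomeOfClick(hashAtRead, resolver) {
  const target = resolver(hashAtRead);
  return { target, safeForSelector: target === null || isPlainIdFragment(target) };
}

// Stand-alone demo: the fragment changes inside the 500 ms window.
const fakeLocation = { hash: '#first-login' };
bindTabHandler(fakeLocation, resolveTabBeforeFix,
  t => console.log('before fix, jQuery() would get:', t))();
bindTabHandler(fakeLocation, resolveTabAfterFix,
  t => console.log('after fix, jQuery() would get:', t))();
fakeLocation.hash = '#not-a-tab'; // constructed: rewritten before the timers fire
```

Run stand-alone, the "before fix" handler reports `#not-a-tab` and the "after fix" handler reports nothing, because the fragment changed between the click and the read and only the allow-listed values survive the read.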

DOM based XSS ❷

    <script type="text/javascript">
    $(document).ready(function(){
        result = 'answer/answer_' + $.query.get('result') + '.html';
        $('#answer_box').load(result);
    });
    </script>
    <div id="answer_box"></div>

Make a path from the parameter `result` → load the page response from that URL into the page.

DOM based XSS ❷: The path is limited to within the same domain, so it's safe?

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No!

Uploadable user avatar images are hosted in the same domain.

If you write <script> in the image's comment area, it will be uploaded as-is.

In this way: vulnpage?result=/../../uploads/profile/icon.jpg%23

(Slashes, dots and the "%" of "%23" are restored from the garbled slide; "%23" is an encoded "#", which cuts the ".html" suffix off the fetched path.)

    $(document).ready(function(){
        result = 'answer/answer_' + $.query.get('result') + '.html';
        $('#answer_box').load(result);
    });

The image binary is exported into the page, and the <script> in its comment runs.

DEMO: http://vulnerabledoma.in/avtokyo2015
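How the `result` parameter turns into a request, and why "same domain" is not a boundary, as an added example that is not the page's code: it builds the path exactly as the slide's script does, resolves it the way a browser would, and shows an allow-list check that keeps the path inside answer/. ANSWER_DIR, the sample inputs and the function names are assumptions; the traversal input is the slide's own value with its punctuation restored.

```javascript
// Added example, not the page's code: the `result` parameter from the slide as
// a fetch path, where that path really points once resolved, and an allow-list
// that keeps it inside answer/.  ANSWER_DIR, the inputs and the names are
// assumptions for this demo.

const ANSWER_DIR = 'answer/';

// Exactly what the slide's script does: concatenate without any validation.
// ($.query.get() hands back the parameter already URL-decoded, so a "%23" in
// the query string arrives here as "#".)
function answerPathBeforeFix(result) {
  return ANSWER_DIR + 'answer_' + result + '.html';
}

// Resolve "." and ".." segments the way a browser resolves a relative URL,
// and drop the fragment, which is never sent to the server.  This tells us
// which file the $.load() request really asks for.
function normalizeRelativeUrl(path) {
  const withoutFragment = path.split('#')[0];
  const out = [];
  for (const seg of withoutFragment.split('/')) {
    if (seg === '..') out.pop();
    else if (seg !== '.' && seg !== '') out.push(seg);
  }
  return out.join('/');
}

// Hardened: only an identifier-shaped value is accepted, so the built path can
// only name a file directly under answer/.  "Same domain" alone is no boundary
// when user uploads (avatar images with <script> in a comment field) are
// served from that same domain.
const RESULT_RE = /^[A-Za-z0-9_-]{1,32}$/;
function answerPathAfterFix(result) {
  return RESULT_RE.test(result) ? ANSWER_DIR + 'answer_' + result + '.html' : null;
}

// Which resource would $('#answer_box').load(...) fetch for this input?
function requestedResource(result, builder) {
  const path = builder(result);
  return path === null ? null : normalizeRelativeUrl(path);
}

// Stand-alone demo with a normal value and the slide's traversal value.
const NORMAL = '3';
const TRAVERSAL = '/../../uploads/profile/icon.jpg#'; // "%23" already decoded
console.log('before fix:', requestedResource(NORMAL, answerPathBeforeFix),
            '|', requestedResource(TRAVERSAL, answerPathBeforeFix));
console.log('after fix: ', requestedResource(NORMAL, answerPathAfterFix),
            '|', requestedResource(TRAVERSAL, answerPathAfterFix));
```

Before the fix the traversal value resolves to `uploads/profile/icon.jpg`, the user-controlled upload; after the fix the same value is rejected outright while a plain id still yields `answer/answer_3.html`.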

Conclusion

I will continue finding bugs while trying not to bother anyone.

Thank you very much (Yoroshiku)

@kinugawamasato

masato.kinugawa[at]gmail.com

Thanks!

💰💰💰

foundEasy to find regular Reflected XSS

We received the 3 of new XSS vulnerability from you

Thank you very much At this time we will check the

facts and we will proceed the intensive measures

Following the last time we would very much

appreciate your valuable pointed-out We would like thank you over and over again

20130828 Report

20130830 Response

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Same time

Suddenly I became not to access to manabibenessenejp

I can access to it after changing IP

Investigate further

Access denied because of my testing requests

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

There will be such a thing

(with bug report)I added a comment

maybe blocked due to my testing requests Best regards

On a later date

Thank you for pointing-out that our fix is uncompleted After the investigation we will proceed the correspondence Thank you very much

They are ignoring my comment I think they understood what I mentioned

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

continue to report

Reported many time that the fix is incomplete

Access denied at every confirmation testing

Repeat testing by changing IP

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

What I felt through the problem

The inside of a big company is complicated, I guess

What I felt through the problem

I can imagine how an information leak occurs

Not someone else's problem

Say I send you a link that makes an XSS-like request to a Benesse site:

http://manabi.beness…<script>alert(1)</script>

When you access it, the site becomes unavailable. In the worst case, an Internet block

(cannot link it, because it's so dangerous)

Mistakes of the IDS company

They do not scrutinize whether it is an attack or not

They do not understand the nature of the attack

I want to question the effectiveness of blocking an IP in order to address XSS. I could still understand it if they stopped all access

In this case the logs and the reports need to be collated. The cause is similar to the remote-controlled PC incident

Helping to fix the fundamental problem of XSS: I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary script / manipulation

Confidential information leak

Phishing by changing page contents

Threat of XSS

Execute arbitrary script / manipulation

Confidential information leak

Phishing by changing page contents

Internet Block

Lessons learned: The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(the payment transaction was not completed, by misunderstanding)

The world is harsh

Sorrow of bug

After the Internet resumed

If I tell them my IP address in advance, Benesse allows my testing

Reported nearly 100 vulns (all were fixed in a short period of time;

this attitude is really great)

Out of them,

I'll explain 2 cases

DOM based XSS ❶

httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != '' && jQuery(hash).length) {
                /* … */
            }
        }, 500);
    });

DOM based XSS ❶

The event runs at the time of clicking a specific link:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

The specific links:

    <div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"

All the links matched by jQuery('#nav-pw li a, a.tab-link') point to a fragment: #first-login, #passmodif, #passlost

Based on this, look at it again carefully:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != '' && jQuery(hash).length) {
                /* … */
            }
        }, 500);
    });

The hash is read only when the timer fires: it can be changed within the 0.5 sec

Current source:

    hash = location.hash;
    // 2013/10/4 fix for the XSS
    if (hash == '#first-login' ||
        hash == '#passmodif' || hash == '#passlost') {
    } else {
        hash = '';
    }
    if (hash != '' && jQuery(hash).length) {

tabs.js from httpwwwbenessecojpslandpass
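As an added example (not code from the slides or from the site's tabs.js), the hash handling modelled as pure JavaScript functions: the original non-empty check beside the 2013/10/4 allow-list, a generalisation that derives the allow-list from the nav links' hrefs, and a simulated click showing what the 0.5 s timer actually samples. Helper names and the sample hashes are assumptions.

```javascript
// Added example (not from the slides or from Benesse's tabs.js): a model of the
// tab-switching logic that shows why handing location.hash straight to jQuery()
// is a sink, and the 2013/10/4 allow-list fix as a pure function. The three
// hashes are the ones the nav links on the slide point to; the helper names,
// the sample hashes and the simulated click are constructed.

// Fragments the nav links actually use (from the <a href="#..."> markup).
const TAB_HASHES = new Set(["#first-login", "#passmodif", "#passlost"]);

// Original behaviour: whatever location.hash holds becomes the jQuery()
// argument as long as it is non-empty. jQuery(string) is not only a selector
// lookup: a string it recognises as markup is parsed as HTML, and releases
// before 1.6.3 recognised markup anywhere in the string, "#" prefix included,
// so an attacker-controlled hash reaches an HTML parser.
function tabSelectorUnsafe(hash) {
  return hash !== "" ? hash : null;
}

// Fixed behaviour, equivalent to the 2013/10/4 patch: any hash that is not one
// of the three known tabs is dropped and therefore never reaches jQuery().
function tabSelectorSafe(hash) {
  return TAB_HASHES.has(hash) ? hash : null;
}

// Generalisation of the fix: derive the allow-list from the hrefs that are
// really present in the nav, so the list cannot drift from the markup.
// `hrefs` is a plain array of strings (in a page it would be read from the
// #nav-pw anchors); only plain fragment identifiers are admitted to the list.
function tabSelectorFromLinks(hash, hrefs) {
  const allowed = new Set(hrefs.filter((h) => /^#[A-Za-z0-9_-]+$/.test(h)));
  return allowed.has(hash) ? hash : null;
}

// The 500 ms timer is the race the slide points at: the hash is sampled when
// the timer fires, not when the link was clicked. `hashAtTimer` is what
// location.hash holds at that moment; null means nothing changed it after the
// click, so it is still the clicked link's own href. `pick` is one of the
// selector functions above.
function simulateClick(linkHref, hashAtTimer, pick) {
  const sampled = hashAtTimer === null ? linkHref : hashAtTimer;
  return pick(sampled);
}
```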

DOM based XSS ❷

    <script type="text/javascript">
    $(document).ready(function(){
        result = "answer/answer_" + $.query.get("result") + ".html";
        $("#answer_box").load(result);
    });
    </script>
    <div id="answer_box"></div>

Make a path from the parameter result → load the response of that URL into the page

DOM based XSS ❷

The path is limited to the same domain, so it's safe?

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar images are hosted on the same domain

If you write <script> in the image's comment area, it is uploaded as-is

In this way: vulnpage?result=…/uploads/profile/icon.jpg%23

    $(document).ready(function(){
        result = "answer/answer_" + $.query.get("result") + ".html";
        $("#answer_box").load(result);
    });

→ the ".html" suffix is cut off by the "#", and the image binary, <script> included, is injected into the page

DEMO: http://vulnerabledoma.in/avtokyo2015
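As an added example (not code from the slides or from the Benesse page), JavaScript that models how the result parameter becomes the path handed to .load(), resolves that path the way the browser does, and validates the parameter before a path is built. PAGE_URL, ANSWER_DIR and the parameter values are constructed stand-ins.

```javascript
// Added example (not from the slides or from the Benesse page): a model of how
// the `result` query parameter reaches $("#answer_box").load(), what the
// browser really requests for the path that is built, and a validated builder.
// The page URL, directory names and parameter values are constructed stand-ins.

const PAGE_URL = "https://site.example/contents/oyashindan/answer.html"; // constructed
const ANSWER_DIR = "/contents/oyashindan/answer/";                       // constructed

// As on the slide: the raw query parameter is spliced into a relative path.
function answerPathUnsafe(resultParam) {
  return "answer/answer_" + resultParam + ".html";
}

// What the browser actually requests for that relative URL: dot-segments are
// resolved against the page's directory, and everything from "#" onwards is a
// fragment that is never sent to the server. That is why a "%23" in the
// parameter makes the trailing ".html" disappear from the request.
function effectiveRequestPath(relativeUrl, pageUrl = PAGE_URL) {
  return new URL(relativeUrl, pageUrl).pathname;
}

// Hardened builder: the parameter must be a short identifier. Slashes,
// dot-segments, "#", "?", "%" and non-ASCII are all rejected up front, so the
// resulting path can only name a file directly under answer/.
const RESULT_ID = /^[A-Za-z0-9_]{1,32}$/;
function answerPathSafe(resultParam) {
  if (typeof resultParam !== "string" || !RESULT_ID.test(resultParam)) return null;
  return "answer/answer_" + resultParam + ".html";
}

// Second line of defence, independent of how the path was built: load the
// response only if, after resolution, it is still an answer_*.html file
// directly inside the answer/ directory. "Same origin" alone proves nothing
// once user uploads (the avatar image on the slide) live on the same host.
function isLoadableAnswer(relativeUrl, pageUrl = PAGE_URL) {
  const p = effectiveRequestPath(relativeUrl, pageUrl);
  if (!p.startsWith(ANSWER_DIR + "answer_") || !p.endsWith(".html")) return false;
  const file = p.slice(ANSWER_DIR.length);
  return !file.includes("/");
}
```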

Conclusion

I will continue finding bugs, trying not to bother anyone

Thank you very much (Yoroshiku)

@kinugawamasato

masatokinugawa[at]gmail.com

Thanks

💰💰💰

And

201397 Evening Incident happened

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

What happened

At first I thought it was a trouble or a failure of equipment

but it was not

I found a warning email from service provider

Detect suspicious access from your network check your PC if infected by virus or generating unauthorized access

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Suspicious Access

I can just make sense of it

Checked vulnerability before and after warning mail

reported Google excite Benesse

(I mean my daily activities (only access history) are all suspicious)

Never reported site of Benesse is access denied I considered it is doubtful

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Contortion

Thank you very much for your point-out We will check your email received on 6th and 7th SepWe will proceed with intensive measures We would like thank you over and over again for your very valuable report

9th Sep In the reply thanks as usual

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Letter from nifty

with a Pledge letter Do not attack

Wait wait its misunderstandinghellip

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

What I felt through this problem: I guess the inside of a big company is complicated.

What I felt through this problem: I can imagine how an information leak happens.

Not somebody else's problem

Suppose I send you a link that makes your browser issue an XSS-like request to a Benesse site:

http://manabi.beness…<script>alert(1)</script>

When you access it, the site becomes unavailable to you; in the worst case, your internet is blocked.

(I can't link to it because it's so dangerous.)

Mistakes of the IDS company

They do not scrutinize whether it is an attack or not.

They do not understand the nature of the attack.

I question the effectiveness of blocking an IP address to deal with XSS. I could still understand it if they stopped all access.

In this case, the logs and the reports needed to be collated. The cause is similar to the remotely-controlled PC incident.

Helping to fix the fundamental problem behind the XSS is, I believe, the only way to eradicate XSS.
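The two points above, that a request carrying an XSS payload is not evidence that its source address is the attacker, and that a rule which reports every signature hit to the ISP can be turned against any address just by sending it a link, as runnable detection logic over constructed log lines. This is an added example, not code from the talk or from any of the companies it mentions; the log format (Apache combined), the site host name, and the triage heuristics are assumptions.

```javascript
// Added example, not code from the talk. Runs the rule the page describes
// (signature hit -> source IP reported as the attacker) next to a triage that
// first asks whether that address could be the attacker at all.
const SITE_HOST = 'www.example.test'; // constructed stand-in for the monitored site

const SAMPLE_LOG = [ // constructed Apache combined log lines
  // A browser that followed a link from another site: a victim-shaped request.
  '203.0.113.7 - - [01/Sep/2013:10:00:01 +0900] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "http://forum.example/thread/42" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/23.0"',
  // The same address loading an image on the next page: ordinary browsing.
  '203.0.113.7 - - [01/Sep/2013:10:00:02 +0900] "GET /img/logo.png HTTP/1.1" 200 3011 "http://www.example.test/search" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/23.0"',
  // A scripted client cycling through payload variants with no Referer: probe-shaped.
  '198.51.100.9 - - [01/Sep/2013:10:05:00 +0900] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "python-requests/1.2.3"',
  '198.51.100.9 - - [01/Sep/2013:10:05:01 +0900] "GET /search?q=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "python-requests/1.2.3"',
  '198.51.100.9 - - [01/Sep/2013:10:05:02 +0900] "GET /search?q=javascript:alert(1) HTTP/1.1" 200 512 "-" "python-requests/1.2.3"',
];

const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "([^"]*)"$/;
const XSS_RE = /<\s*\/?\s*(script|img|svg|iframe|body|object)\b|\bon\w+\s*=|javascript:/i;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], referer: m[4], ua: m[5] };
}

// Signatures have to look at the decoded request: the wire carries %3Cscript%3E.
function decodedPath(path) {
  try { return decodeURIComponent(path); } catch (e) { return path; }
}

function refererIsExternal(referer) {
  if (referer === '-' || referer === '') return false;
  try { return new URL(referer).host !== SITE_HOST; } catch (e) { return false; }
}

// The behaviour the page attributes to the monitoring company: any hit gets
// the source address reported. Returns the addresses such a rule would block;
// note the victim-shaped browser is in the list.
function naiveBlockList(lines) {
  const blocked = new Set();
  for (const line of lines) {
    const r = parseLogLine(line);
    if (r && XSS_RE.test(decodedPath(r.path))) blocked.add(r.ip);
  }
  return [...blocked];
}

// Triage per source address. Heuristics (assumed, not from the page): several
// distinct payloads or a non-browser client look like probing; a single
// navigation arriving from another site looks like a victim who followed a
// link, in which case the address that sent the link is the one that matters.
function triage(lines) {
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    const path = decodedPath(r.path);
    if (!XSS_RE.test(path)) continue;
    const rec = perIp.get(r.ip) || { payloads: new Set(), externalReferer: false, browserUa: true };
    rec.payloads.add(path);
    rec.externalReferer = rec.externalReferer || refererIsExternal(r.referer);
    rec.browserUa = rec.browserUa && /^Mozilla\//.test(r.ua);
    perIp.set(r.ip, rec);
  }
  const verdicts = {};
  for (const [ip, rec] of perIp) {
    if (rec.payloads.size >= 3 || !rec.browserUa) verdicts[ip] = 'probe-like';
    else if (rec.externalReferer) verdicts[ip] = 'victim-like';
    else verdicts[ip] = 'undetermined';
  }
  return verdicts;
}
```

Neither verdict is a reason to cut an address off the internet: the probe-like client is hitting a reflected XSS that executes in browsers, not on the server, and the victim-like one is exactly what every recipient of a malicious link produces. The verdicts are a starting point for the log-and-report collation the page asks for, which is a human step.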

Threat of XSS

Execution of arbitrary script / manipulation

Confidential information leak

Phishing by changing page contents

Internet block

Lessons learned: the world has things that should not be poked.

Recently blocked again: non-payment of the bill (the payment transaction had not completed, due to a misunderstanding).

The world is harsh.

Sorrow of bug

After the internet was restored: if I tell them my IP address in advance, Benesse allows my testing.

I reported nearly 100 vulns (all were fixed in a short period of time; this attitude is really great).

As a result, I'll explain 2 cases out of them.

DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/

tabs.js (the vulnerable version; the body of the if block is omitted on the slide):

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
      setTimeout(function(){
        hash = location.hash;
        if (hash != '' && jQuery(hash).length) {
          ...
        }
      }, 500);
    });

The handler runs when one of the specific links is clicked:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

The specific links (the alt texts read "for those logging in for the first time", "I want to change my password", "I forgot my password and want it reissued"):

    <div id="nav-pw"><ul>
    <li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"></a></li>
    </ul></div>

jQuery('#nav-pw li a, a.tab-link'): all of them are links to a "#..." fragment, so clicking one changes location.hash and fires the handler.

Based on this, look at it again carefully:

    setTimeout(function(){
      hash = location.hash;
      if (hash != '' && jQuery(hash).length) {
        ...
      }
    }, 500);

The hash is read 0.5 seconds after the click, not at the click, so the hash can be changed within those 0.5 seconds (a page that opened this one in another window can rewrite that window's location.hash). Whatever is in location.hash at that moment goes straight into jQuery(), and in jQuery versions older than 1.7 a value such as "#<img src=x onerror=alert(1)>" makes jQuery() build elements from the markup instead of looking up an id.

Current source (fix for the XSS, 2013/10/4: only the three expected fragments survive):

    hash = location.hash;
    if (hash == '#first-login' || hash == '#passmodif' || hash == '#passlost') {
    } else {
      hash = '';
    }
    if (hash != '' && jQuery(hash).length) {

(tabs.js from http://www.benesse.co.jp/s/land/pass/)
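The sink in case ❶ and the check that closed it, as an added example that is not code from the talk or from the site. It runs under Node without jQuery: the three regexes are the "quick expression" jQuery used to decide whether jQuery(str) means a selector or HTML to create, quoted from memory for jQuery 1.6.x, 1.7.x and 1.9.x, so they are an assumption to verify against the build a given site actually loads (the page does not say which version tabs.js ran against). The hash values are constructed.

```javascript
// Added example: models why handing location.hash to jQuery() was an XSS sink
// and the allow-list fix, without a browser.
const QUICK_EXPR = {
  '1.6': /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,   // anything may precede the <tag>, even '#'
  '1.7': /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,  // a '#' before the tag disqualifies it
  '1.9': /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,       // HTML must start with '<'
};

// What jQuery(str) of that era would do with str: 'html' creates elements from
// the markup (event handlers in it fire), 'id' is a getElementById lookup,
// 'selector' hands the string to the selector engine, which typically throws
// on junk such as "#<img ...>" rather than creating anything.
function classify(str, version) {
  const m = QUICK_EXPR[version].exec(str);
  if (!m) return 'selector';
  return m[1] ? 'html' : 'id';
}

// The 2013/10/4 fix shown on the page, as a function: anything other than the
// three tab anchors becomes '' and is never handed to jQuery().
const ALLOWED_TABS = ['#first-login', '#passmodif', '#passlost'];
function allowListedHash(hash) {
  return ALLOWED_TABS.includes(hash) ? hash : '';
}

// Same idea for a page with many tabs: accept only a bare id fragment, so the
// value can carry neither markup nor selector syntax, whatever jQuery version.
function plainIdHash(hash) {
  return /^#[A-Za-z0-9_-]+$/.test(hash) ? hash : '';
}

// Constructed inputs: what a click on <a href="#first-login"> leaves in
// location.hash, and what an opener window can write there before the
// handler's 500 ms timer fires.
const LEGIT_HASH = '#first-login';
const PAYLOAD_HASH = '#<img src=x onerror=alert(1)>';
```

With the 1.6 expression the payload is classified as HTML while the real tab hash is an id lookup; from 1.7 on the leading '#' already keeps the payload out of the HTML path, which is why the upgrade alone would also have closed this instance. The allow-list is the stronger fix because it does not depend on the library's parsing rules at all.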

DOM based XSS ❷
https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html

    <script type="text/javascript">
    $(document).ready(function(){
      result = 'answer/answer_' + $.query.get('result') + '.html';
      $('#answer_box').load(result);
    });
    </script>
    <div id="answer_box"></div>

It builds a path from the parameter "result" → fetches the response of that URL and inserts it into the page.

The path is limited to the same domain, so it is safe? No:

User-uploadable avatar images are hosted on the same domain.

If you write <script> in the image's comment area, it is uploaded as is.

In this way:

    vulnpage?result=../../uploads/profile/icon.jpg%23

%23 is "#", so the ".html" that the script appends lands in the fragment and is never sent; the "../" segments walk out of the answer directory (how many are needed depends on the directory layout). $('#answer_box').load(result) then writes the image's bytes into the page as HTML, and the <script> inside the comment runs.

DEMO: http://vulnerabledoma.in/avtokyo2015

Conclusion

I will continue finding bugs, trying not to bother anyone.

Thank you very much (Yoroshiku)

@kinugawamasato

masatokinugawa[at]gmail.com

Thanks

128176128176128176

Call to Benessenifty

Both We can not answer for a security reason

Me Im in trouble my home internet was stopped I want to check the facts

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

It is no use

Got a WiMAX mobile wifi router as I canrsquot do a stroke of work

Using tethering I wrote a blog as a last hope

Im giving upAt that time the Messiah

appears

httpmasatokinugawal0cm201309xssbenessehtml

Disconnected from Internet maybe because of XSS

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

The Tokumaru

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Received DM

I read your blog I am contacting to Benesse about it Could you let me know your E-mail address

Oh God

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

afterwards

Benesse entrusted the operation of intrusion detection system to asecurity company who block the network andor contact ISP when detecting attacks

hmmm

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

afterwardsIn the flow it seemsdetected by IPS(Intrusion Prevention System) Monitoring by security company contact to ISP blocked by ISP

I see

Afterwards

After some exchanges, I was told that Benesse can contact the ISP: if I send them the IP address I used at the time of reporting, they will match it.

Sure. Do I have records?

Yes. I test browser behaviour daily on my own domain (vulnerabledoma.in), so I have access logs with my IP on a daily basis:

    28th Aug: XXXXX.2
    29th Aug: XXXXX.25
    30th Aug: XXXXX.195
    31st Aug: XXXXX.140
    1st Sep:  XXXXX.14

like this.

After I reported the IPs, I heard they withdrew the unauthorized-access report and asked the ISP to release the block. The decision was now up to the ISP.

Thank God.

Finally

Tears of gratitude

13th Sep, evening (about 1 week after being blocked)

Internet is back.

Re-Acknowledgment: it would have been difficult for me to explain the situation to the companies without Mr. Tokumaru's cooperation.

Thank you so much again.

(this is not Mimirin)

God Tokumaru's books are on sale:

http://www.amazon.co.jp/dp/4822279987
http://www.amazon.co.jp/dp/4797361190

Buy now.

What I felt through the problem

The inside of a big company seems complicated.

What I felt through the problem

I can imagine how an information leak occurs.

Not someone else's problem

If I send you a link that makes an XSS-like request to a Benesse site:

    http://manabi.beness...<script>alert(1)</script>

when you access it, the site becomes unavailable to you, and in the worst case your Internet is blocked.

(I cannot make it a real link because it is so dangerous.)

Mistake of the IDS company

They do not scrutinize whether it is an attack or not.
They do not understand the nature of the attack.

I want to question the effectiveness of blocking an IP in order to address XSS. I could still understand it if they stopped all access.

In this case, collation of the logs with the reports was needed. The cause is similar to the remotely controlled PC incident.

Giving help to fix the fundamental problem of XSS: I believe it is the only way to eradicate XSS.
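As an added example of the log collation the slides ask for (not anything Benesse or the IDS company ran, and not code from the talk), this correlates IDS alerts with a reporter's per-day IP list and the paths named in the reports before anything is escalated to an ISP. The addresses, dates, paths and alert lines are all constructed for the example:

```javascript
// Added example: collate IDS alerts with a reporter's own declared IPs before
// escalating anything to an ISP. All values below are constructed for the
// example (TEST-NET addresses); the reported paths are assumed, not from the talk.
const REPORTER_IPS = {           // date -> IP the reporter said they used that day
  '2013-08-28': '203.0.113.2',
  '2013-08-29': '203.0.113.25',
  '2013-08-30': '203.0.113.195',
};
const REPORTED_PATHS = ['/manabi/', '/s/land/pass/'];

// Constructed alert lines: timestamp|source IP|requested path|signature.
const IDS_ALERTS = [
  '2013-08-29T10:15:00Z|203.0.113.25|/manabi/?backurl=%3Csvg%3E|XSS-PROBE',
  '2013-08-29T11:02:00Z|198.51.100.77|/manabi/?backurl=%3Csvg%3E|XSS-PROBE',
  '2013-08-30T09:40:00Z|203.0.113.195|/admin/login.cgi|SQLI-PROBE',
  '2013-09-01T08:00:00Z|203.0.113.14|/s/land/pass/|XSS-PROBE',
];

function parseAlert(line) {
  const [ts, src, path, sig] = line.split('|');
  return { ts, date: ts.slice(0, 10), src, path, sig };
}

// Verdicts:
//   'reporter'    - IP matches the reporter's IP for that date AND the path is
//                   one the reporter filed a report for
//   'reporter-ip' - IP matches for that date but nothing was reported for that
//                   path: ask the reporter, do not escalate blindly
//   'unknown'     - no declared IP for that date, or a different source
// The IP is only trusted for its own date: dynamic addresses get reassigned,
// so a global "reporter IP list" would misattribute other people's traffic.
function triage(alert) {
  const declared = REPORTER_IPS[alert.date];
  if (declared === undefined || declared !== alert.src) return 'unknown';
  const reported = REPORTED_PATHS.some(p => alert.path.startsWith(p));
  return reported ? 'reporter' : 'reporter-ip';
}

function triageAll(lines) {
  return lines.map(parseAlert).map(a => ({ src: a.src, date: a.date, verdict: triage(a) }));
}

// Only alerts that cannot be attributed to the reporter deserve escalation.
function escalationCandidates(lines) {
  return triageAll(lines).filter(r => r.verdict === 'unknown');
}
```

The fourth alert comes from an address the reporter did use on another day, and it is still classed as unknown: without a declared IP for that date, the match is not evidence, which is exactly the ambiguity that turned one researcher's test traffic into an ISP block.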

Threat of XSS

- Execute arbitrary script / manipulation
- Confidential information leak
- Phishing by changing page contents

Threat of XSS

- Execute arbitrary script / manipulation
- Confidential information leak
- Phishing by changing page contents
- Internet block

Lessons learned

The world has things that should not be poked.

Recently blocked again: non-payment of charge (the payment transaction was not completed, by misunderstanding).

The world is harsh.

Sorrow of bug

After the Internet resumed

If I tell them my IP address in advance, Benesse allows my testing.

I reported nearly 100 vulns (all were fixed in a short period of time; this attitude is really great).

As a consequence, I will explain 2 cases out of them.

DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
      setTimeout(function(){
        hash = location.hash;
        if (hash != '' && jQuery(hash).length) {
          // (tab switching omitted on the slide)
        }
      }, 500);
    });

DOM based XSS ❶

To run the event at the time of clicking a specific link:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

The specific links:

    <div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"></a></li></ul></div>

jQuery('#nav-pw li a, a.tab-link') matches all of them: links to a #fragment on the same page.

Based on this, look at it again carefully:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
      setTimeout(function(){
        hash = location.hash;
        if (hash != '' && jQuery(hash).length) {
          // (tab switching omitted on the slide)
        }
      }, 500);
    });

The hash can be changed within that 0.5 sec: location.hash is read only when the timer fires, so whatever is in the fragment at that moment goes straight into jQuery() as a selector.

Current source (tabs.js from http://www.benesse.co.jp/s/land/pass/):

    hash = location.hash;
    // 2013/10/4 fix XSS
    if(hash == '#first-login' || hash == '#passmodif' || hash == '#passlost'){
    } else {
      hash = '';
    }
    if (hash != '' && jQuery(hash).length) {
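As an added example (not the original tabs.js and not code from the talk), here is the same tab-switching logic with the fragment validated before it can reach jQuery() at all. The three tab ids are taken from the links above; the regex fallback, the helper names and the show() action are assumptions:

```javascript
// Added example (not Benesse's tabs.js): tab switching with the URL fragment
// validated before it is used. TAB_IDS comes from the three <a href="#..."> links
// on the slide; everything else here is an assumption for the example.
const TAB_IDS = ['#first-login', '#passmodif', '#passlost'];

// Strict allowlist, the approach of the 2013/10/4 fix: anything else becomes ''.
function resolveTabHash(hash) {
  return TAB_IDS.indexOf(hash) !== -1 ? hash : '';
}

// Shape check for tab code that cannot enumerate its ids: a fragment used as a
// tab target is only ever an element id, so refuse anything that is not
// '#' + id characters. Old jQuery builds accepted '#<tag ...>' as HTML to
// construct, which is how jQuery(location.hash) became script execution;
// a string that passes this test contains no '<' and cannot be parsed as markup.
const ID_FRAGMENT = /^#[A-Za-z0-9_-]+$/;
function isPlainIdFragment(hash) {
  return ID_FRAGMENT.test(hash);
}

// Decide which element to activate for a captured location.hash value.
// Returns the element id (without '#') or null. The value is captured once,
// checked, and used; nothing re-reads location.hash between the check and the
// use, so a fragment changed during the 500 ms timer cannot slip in between.
function tabTargetFor(hash) {
  const safe = resolveTabHash(hash);
  if (safe === '') return null;
  return safe.slice(1);
}

// Browser wiring (only runs where jQuery and a DOM exist). Unlike the original,
// the validated id goes to document.getElementById, never to jQuery(selector),
// so even a future bypass of the allowlist would yield an element lookup, not HTML.
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function () {
    setTimeout(function () {
      const id = tabTargetFor(location.hash);
      const el = id && document.getElementById(id);
      if (el) jQuery(el).show();   // assumed tab action; the slide omits it
    }, 500);
  });
}
```

resolveTabHash is the fix the site shipped; isPlainIdFragment is the weaker, more general check for code that has no fixed list, and tabTargetFor shows the ordering that matters: read the fragment once, validate that exact value, use that exact value.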

DOM based XSS ❷

    <script type="text/javascript">
    $(document).ready(function(){
      result = "answer/answer_" + $.query.get('result') + ".html";
      $("#answer_box").load(result);
    });
    </script>
    <div id="answer_box"></div>

Builds a path from the "result" parameter → loads the response from that URL into the page.

DOM based XSS ❷: the path is limited to the same domain, so is it safe?

(https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html)

No.

User avatar images can be uploaded, and they are hosted on the same domain.

If you write <script> in the image's comment area, it is uploaded as-is.

So, in this way:

    vulnpage?result=../uploads/profile/icon.jpg%23

    $(document).ready(function(){
      result = "answer/answer_" + $.query.get('result') + ".html";
      $("#answer_box").load(result);
    });

the image binary is inserted into the page as HTML, <script> included.

DEMO: http://vulnerabledoma.in/avtokyo2015/
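As an added example (not the original answer.html and not code from the talk), the same loader with the "result" parameter validated before it is turned into a path. The digits-only id shape, the helper names and the decoding step are assumptions for the example:

```javascript
// Added example (not the original answer.html): derive the answer path only
// from a validated id, so the `result` parameter can never point .load() at
// another file on the same origin (the uploaded avatar in the slides).
const ANSWER_ID = /^[0-9]{1,3}$/;   // assumed shape of a valid answer id

function buildAnswerPath(result) {
  if (typeof result !== 'string' || !ANSWER_ID.test(result)) return null;
  return 'answer/answer_' + result + '.html';
}

// Same idea for pages that must accept more than digits: decode first (the
// original let %23 reach the URL as '#', which made '.html' a fragment the
// browser never sends), then refuse anything that is not one path segment of
// id characters. '.' and '/' are excluded, so '../' can never appear.
function isSingleSegment(result) {
  let decoded;
  try {
    decoded = decodeURIComponent(result);
  } catch (e) {
    return false;               // malformed percent-encoding is refused, not guessed at
  }
  return /^[A-Za-z0-9_-]+$/.test(decoded);
}

// Entry point for the page: from the raw query string, return the path that
// .load() may receive, or null if the request must be refused.
// URLSearchParams decodes %xx for us, so the check sees the real characters.
function answerPathFromQuery(query) {
  const params = new URLSearchParams(query);
  const result = params.get('result');
  return result === null ? null : buildAnswerPath(result);
}

// Browser wiring (only where jQuery and a DOM exist): nothing is loaded at all
// when the id is rejected, instead of loading a guessed or partial path.
if (typeof jQuery !== 'undefined' && typeof location !== 'undefined') {
  jQuery(function () {
    const path = answerPathFromQuery(location.search);
    if (path !== null) jQuery('#answer_box').load(path);
  });
}
```

Because .load() injects whatever the same-origin URL returns as HTML, a Content-Type or X-Content-Type-Options header on the uploaded avatar would not have helped once the path was attacker-chosen; the fixes that work are never deriving a path from untrusted input except through an allowlisted shape, and hosting user uploads on a separate origin so that a same-origin fetch of them is impossible in the first place.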

Conclusion

I will continue finding bugs while trying not to bother anyone.

Thank you very much (Yoroshiku)

@kinugawamasato
masatokinugawa[at]gmail.com

Thanks 💰💰💰

afterwards

After some exchanges I was told Benesse can contact to ISPIf you send them your IP address at the reporting time they will match it

Sure Do I have records

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

YesDaily I tested browser behavior in my domain (vulnerabledomain)I have my IP access logs on a daily basis

28th Aug XXXXX229th Aug XXXXX2530th Aug XXXXX19531st Aug XXXXX1401st Sep XXXXX14

like this

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

After reporting IPI heard they did withdrawal of the unauthorized access information and request for block release to ISP It leaves a decision up to ISP now

Thank God

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Finally

Tears of gratitude

13th Sep evening(About 1 week from being blocked)

Internet is back

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Re-AcknowledgmentIt would be difficult for me to explain

the situation to companies without Mr Tokumarus cooperation

Thank you so much again

this is not Mimirin

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

God Tokumarus books are on sale

httpwwwamazoncojpdp4822279987

httpwwwamazoncojpdp4797361190

Buy now

I felt through the problem

I wonder inside of big company is complicated

I felt through the problem

I can imagine that information leakoccurs

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

What I felt through this problem

I wonder if the inside of a big company is complicated.

I can imagine how an information leak occurs.

Not someone else's problem

Suppose I send you a link that makes an XSS-like request to the Benesse site:

http://manabi.beness…<script>alert(1)</script>

When you access it, the site becomes unavailable. In the worst case, your Internet is blocked.

(I can't link it, because it's so dangerous)

The IDS company's mistake

They do not scrutinize whether it is an attack or not.

They do not understand the nature of the attack.

I want to question the effectiveness of blocking an IP address in order to address XSS. I could still understand it if they stopped all access.

In this case, what is needed is collation of the logs and reporting. The cause is similar to the remotely controlled PC incident.

Helping to fix the fundamental problem of XSS: I believe it is the only way to eradicate XSS.

Threat of XSS

Arbitrary script execution / manipulation

Confidential information leak

Phishing by changing the page contents

...and Internet block

Lessons learned: the world

There are things that should not be poked.

Recently blocked again: non-payment of the charge (the payment transaction was not completed, because of a misunderstanding).

The world is harsh.

Sorrow of bug

After the Internet was restored

Benesse allows my testing if I tell them my IP address in advance.

I reported nearly 100 vulns (all were fixed in a short period of time; this attitude is really great).

As a consequence, I'll explain 2 cases out of them.

DOM based XSS ❶
https://web.archive.org/web/20130904143057/http://www.benesse.co.jp/s/land/pass/

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != '' && jQuery(hash).length) {
                ...
            }
        }, 500);
    });

To run the event at the time of clicking a specific link:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){

Specific links:

    <div id="nav-pw"><ul><li id="nav-first"><a href="#first-login"><img src="img/nav_pw_01.png" width="260" height="50" alt="はじめてログインするかたへ"></a></li>
    <li id="nav-passmodif"><a href="#passmodif"><img src="img/nav_pw_02.png" width="270" height="50" alt="パスワードを変更(へんこう)したい"></a></li>
    <li id="nav-passlost"><a href="#passlost"><img src="img/nav_pw_03.png" width="270" height="50" alt="パスワードを忘(わす)れたので再発行(さいはっこう)したい"></a></li></ul></div>

jQuery('#nav-pw li a, a.tab-link'): all of these links point to a #hash.

Based on this, look at it again carefully:

    jQuery('#nav-pw li a, a.tab-link').bind('click touchstart', function(event){
        setTimeout(function(){
            hash = location.hash;
            if (hash != '' && jQuery(hash).length) {
                ...
            }
        }, 500);
    });

The hash can be changed within that 0.5 sec: jQuery(hash) receives whatever location.hash is when the timer fires, not the href of the link that was clicked.

Current source:

    hash = location.hash;
    // 2013/10/4 fix XSS
    if (hash == '#first-login' || hash == '#passmodif' || hash == '#passlost') {
    } else {
        hash = '';
    }
    if (hash != '' && jQuery(hash).length) {

tabs.js from http://www.benesse.co.jp/s/land/pass/
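As an added example (not code from the talk or from the site's tabs.js), the following Node-runnable JavaScript models why handing location.hash to jQuery() was dangerous and shows two ways to gate it: the exact whitelist the site shipped as its fix, and a general "bare #id that exists on the page" check. Assumptions: the page ran a jQuery from the 1.4 to 1.6 line, whose quickExpr regex is reproduced here; the allowed hash values are the ones on the slide; the `existingIds` set stands in for a document lookup so the code runs offline.

```javascript
// Added example: not code from the talk or from the site's tabs.js.
// Models why jQuery(location.hash) was exploitable and how to gate the hash.

// quickExpr as shipped in jQuery 1.4-1.6 (assumption: the page used one of
// those versions). Any string containing "<...>" is treated as HTML to parse,
// so a hash like "#<img ...>" is turned into DOM nodes instead of looked up.
const OLD_JQUERY_QUICK_EXPR = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Returns how jQuery 1.4-1.6 would interpret the string passed to jQuery():
// "html" (parse as markup), "id" (plain #id lookup) or "selector" (Sizzle).
function oldJQueryInterpretation(str) {
  const m = OLD_JQUERY_QUICK_EXPR.exec(str);
  if (!m) return 'selector';
  return m[1] ? 'html' : 'id';
}

// The whitelist the site shipped as its 2013/10/4 fix (values from the slide).
const ALLOWED_TAB_HASHES = new Set(['#first-login', '#passmodif', '#passlost']);

// Returns the hash if it is one of the known tabs, otherwise '' so that the
// caller's `hash != ''` guard skips the jQuery(hash) call entirely.
function whitelistHash(hash) {
  return ALLOWED_TAB_HASHES.has(hash) ? hash : '';
}

// General form for pages with many tabs: accept only a bare "#id" made of safe
// token characters, and only if that id really exists. `existingIds` stands in
// for document.getElementById in this offline example.
function anchorOnlyHash(hash, existingIds) {
  const m = /^#([A-Za-z0-9_-]+)$/.exec(hash);
  if (!m || !existingIds.has(m[1])) return '';
  return hash;
}

// Constructed samples: a legitimate tab hash, an HTML-shaped one, an unknown id.
const SAMPLES = ['#first-login', '#<img src=x onerror=alert(1)>', '#nope'];
const PAGE_IDS = new Set(['first-login', 'passmodif', 'passlost']);
for (const h of SAMPLES) {
  console.log(JSON.stringify(h), '->', oldJQueryInterpretation(h),
    '| whitelist:', JSON.stringify(whitelistHash(h)),
    '| anchorOnly:', JSON.stringify(anchorOnlyHash(h, PAGE_IDS)));
}
```

The whitelist is the smallest correct fix for three fixed tabs; the `anchorOnlyHash` form scales to many tabs while keeping the invariant that jQuery() only ever sees a bare id selector. jQuery 1.9 and later only parse a string as HTML when it starts with "<", but code that turns a URL fragment into a selector should still validate it rather than rely on the library's heuristic.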

DOM based XSS ❷

    <script type="text/javascript">
    $(document).ready(function(){
        result = "answer/answer_" + $.query.get("result") + ".html";
        $("#answer_box").load(result);
    });
    </script>
    <div id="answer_box"></div>

It makes a path from the result parameter → then loads the response from that URL into the page.

The path is limited to within the same domain, so is it safe?

https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html

No.

Uploadable user avatar images are hosted in the same domain.

If you write <script> in the image's comment area, it is uploaded as-is.

In this way:

    vulnpage?result=…/uploads/profile/icon.jpg%23

    $(document).ready(function(){
        result = "answer/answer_" + $.query.get("result") + ".html";
        $("#answer_box").load(result);
    });

The %23 (a "#") turns the appended ".html" into a fragment, so the image binary is loaded into the page, <script> comment included.

DEMO: http://vulnerabledomain/avtokyo2015
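As an added example (not the talk's or the site's code), this Node-runnable JavaScript models how the result parameter becomes the URL that .load() requests, with the vulnerable concatenation beside a hardened builder. Assumptions: `PAGE_URL` is a constructed stand-in for the answer page, `$.query.get()` returns the URL-decoded value, and the number of `..` segments in the constructed sample input is whatever this particular path layout needs.

```javascript
// Added example: not code from the talk or from the Benesse answer page.
// Models the "result" parameter handling of DOM based XSS ❷ (Node, no DOM).

// Constructed stand-in for the vulnerable page's own URL.
const PAGE_URL = 'https://example.invalid/contents/oyashindan/answer.html';

// Vulnerable shape: the decoded query value is spliced into a relative path
// and handed to .load(), which requests the resolved URL minus its fragment.
// Returns what the browser would actually fetch and what became the fragment.
function vulnerableAnswerUrl(resultParam, pageUrl = PAGE_URL) {
  const decoded = decodeURIComponent(resultParam); // what $.query.get() yields
  const relative = 'answer/answer_' + decoded + '.html';
  const u = new URL(relative, pageUrl);            // browser-style resolution
  return { request: u.origin + u.pathname + u.search, fragment: u.hash };
}

// Hardened shape: treat the parameter as an opaque token, not a path piece.
// Anything outside [A-Za-z0-9_-] (so "/", "..", "#", "%") is rejected, and the
// ".html" suffix can no longer be pushed into the fragment. Returns null on
// rejection so the caller skips the .load() call.
function hardenedAnswerUrl(resultParam, pageUrl = PAGE_URL) {
  if (!/^[A-Za-z0-9_-]{1,32}$/.test(resultParam)) return null;
  const u = new URL('answer/answer_' + resultParam + '.html', pageUrl);
  return u.origin + u.pathname;
}

// Constructed inputs: an intended answer id, and a value that walks up to a
// same-origin upload directory and uses %23 (#) to neutralise the suffix.
const INPUTS = ['3', '/../../../../uploads/profile/icon.jpg%23'];
for (const p of INPUTS) {
  console.log(p, '->', JSON.stringify(vulnerableAnswerUrl(p)),
    '| hardened:', hardenedAnswerUrl(p));
}
```

Two things the model makes visible: the ".html" suffix and the "same domain" restriction are not controls, because the fragment trick discards the suffix and user uploads live on that same domain; and jQuery's .load() inserts the fetched body as HTML, executing inline scripts in it. The token check closes the path issue; serving user uploads from a separate origin removes the second assumption altogether.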

Conclusion

I will continue finding bugs, while trying not to bother anyone.

Thank you very much (Yoroshiku)

@kinugawamasato

masatokinugawa[at]gmail.com

Thanks 💰💰💰

Not others problem

I send you a link that make you XSS-like request to Benesse site

httpmanabibenessltscriptgtalert(1)ltscriptgt

Site will become unavailableIn worst case Internet block

When you access

can not link because its so dangerous

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Mistake of IDS company

They do not scrutinize attack or not

They do not understand property of attack

I want to question the effectiveness to block IP in order to address XSS I can Yet understand if they stop all access

In this case need the collation of log and reportingThe cause is similar to remotely control PC incident

To give a help to fix XSSs fundamental problem I believe it is the only way to eradicate XSS

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Threat of XSS

Execute arbitrary scriptmanipulation

Confidential information leak

The phishing by page contents change

Internet Block

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Lessons learned The world

Things that should not be poked

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Recently blocked again

Non-payment of charge

(not completed payment transaction by misunderstanding)

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

World is harsh

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

Sorrow of bug

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

Make a path from parameter resultrarr Extract page response from that URL

DOM based XSS ❷The path is limited within the same domain safe

ltscript type=textjavascriptgt$(document)ready(function()

result = answeranswer_ + $queryget(result) + html

$(answer_box)load(result))ltscriptgtltdiv id=answer_boxgtltdivgt

httpswebarchiveorgweb20120329044331httpwmbenessenejpcontentsoyashindananswerhtml

No

Uploadable user avatar image host in the same domain

If you write ltscriptgt in the image comment area it will upload directly

In this wayvulnpageresult=uploadsprofileiconjpg23

$(document)ready(function()result = answeranswer_ +

$queryget(result) + html$(answer_box)load(result)

)

Export image binary in to page

DEMOhttpvulnerabledomainavtokyo2015

Conclusion

I will continue finding bugs by trying not to bother anyone

Thank you very much (Yoroshiku)

kinugawamasato

masatokinugawa[at]gmailcom

Thanks

128176128176128176

After Internet resume

If telling IP address in advance Benesse allows my testing

Reported nearly 100 vulns(All were fixed in the short period of time

This attitude is really great)

As a consequence

explain 2 cases out of it

DOM based XSS ❶httpswebarchiveorgweb20130904143057httpwwwbenessecojpslandpass

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

DOM based XSS ❶

To run the event at the time of clicking a special link

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)

Specific link

ltdiv id=nav-pwgtltulgtltli id=nav-firstgtlta href=first-logingtltimg src=imgnav_pw_01png width=260 height=50 alt=はじめてログインするかたへgtltagtltligt

ltli id=nav-passmodifgtlta href=passmodifgtltimg src=imgnav_pw_02png width=270 height=50 alt=パスワードを変更(へんこう)したいgtltagtltligt

ltli id=nav-passlostgtlta href=passlostgtltimg src=imgnav_pw_03png width=270 height=50 alt=パスワードを忘(わす)れたので再発行(さいはっこう)したい

jQuery(nav-pw li a atab-link)

All links to

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

look it again carefully

Based on this

jQuery(nav-pw li a atab-link)bind(click touchstart function(event)setTimeout(function()hash = locationhashif (hash = ampamp jQuery(hash)length)

500))

can change hash in 05 sec

look it again carefully

Current sourcehash = locationhash

2013104 fix XSSif(hash == first-login||

hash == passmodif ||hash == passlost)

else hash =

if (hash = ampamp jQuery(hash)length)

tabsjs from httpwwwbenessecojpslandpass

DOM based XSS ❷

    <script type="text/javascript">
    $(document).ready(function(){
      result = 'answer/answer_' + $.query.get('result') + '.html';
      $('#answer_box').load(result);
    });
    </script>
    <div id="answer_box"></div>

Builds a path from the result parameter → fetches that URL and inserts the response into the page.

(https://web.archive.org/web/20120329044331/http://wm.benesse.ne.jp/contents/oyashindan/answer.html)

The path is relative, so the request can only go to the same domain. Safe?

No.

User avatar images can be uploaded, and they are hosted on the same domain. If you write <script> in the image's comment area, the file is uploaded as-is.

In this way (path reconstructed; the number of ../ segments depends on where the upload directory sits):

    vulnpage?result=/../../uploads/profile/icon.jpg%23

    $(document).ready(function(){
      result = 'answer/answer_' + $.query.get('result') + '.html';
      $('#answer_box').load(result);
    });

The %23 (#) turns the appended .html into a fragment, which is never sent to the server, so the URL actually fetched is the uploaded avatar itself. The image binary is inserted into the page as HTML, and the <script> in its comment runs.

DEMO: http://vulnerabledomain/avtokyo2015/
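How the result parameter becomes the URL that .load() fetches, why the # and the same-origin upload matter, and what the HTML parser sees in such an upload, as an added JavaScript example for Node (not the slides' code and not Benesse's). The page URL is the archived answer.html from the slide; the upload directory and the number of ../ segments are assumptions, rhash = /#.*$/ is the pattern jQuery 1.x's $.ajax uses to drop the fragment, and the JPEG is a constructed minimal file with a single COM segment rather than a real avatar. The function names are mine.

```javascript
// Added example, not code from the slides. Reproduces offline how the
// answer.html page turns ?result=... into the URL jQuery fetches, why a
// '%23' removes the trailing '.html', and how a same-origin upload directory
// defeats the "same domain, so safe" argument. Upload path and traversal
// depth are assumptions for illustration.

// Mirrors the page: result = 'answer/answer_' + $.query.get('result') + '.html';
// $.query.get() returns the URL-decoded value, as URLSearchParams does here.
function resultParamOf(pageUrl) {
  return new URL(pageUrl).searchParams.get('result');
}
function buildAnswerPath(resultParam) {
  return 'answer/answer_' + resultParam + '.html';
}

// jQuery 1.x's $.ajax removes the fragment before sending (rhash = /#.*$/),
// and a browser never sends a fragment anyway: everything from '#' on,
// including the appended '.html', is dropped from the request.
const RHASH = /#.*$/;
function urlJqueryWouldFetch(relativePath, pageUrl) {
  return new URL(relativePath.replace(RHASH, ''), pageUrl).href;
}

// Hardened variant (my suggestion, not the site's fix): accept only an
// identifier, so neither '/', '..' nor '#' can reach the path.
function safeAnswerPath(resultParam) {
  if (typeof resultParam !== 'string' || !/^[A-Za-z0-9_-]{1,32}$/.test(resultParam)) return null;
  return 'answer/answer_' + resultParam + '.html';
}

// The "image" half. A minimal constructed JPEG: SOI, one COM (comment)
// segment, EOI. A real upload carries image data too; the point is only
// that the comment bytes are stored verbatim.
function jpegWithComment(comment) {
  const payload = Buffer.from(comment, 'latin1');
  const len = payload.length + 2;                      // length field counts itself
  return Buffer.concat([
    Buffer.from([0xff, 0xd8]),                         // SOI
    Buffer.from([0xff, 0xfe, len >> 8, len & 0xff]),   // COM marker + length
    payload,
    Buffer.from([0xff, 0xd9]),                         // EOI
  ]);
}

// Walks the marker segments and returns the COM payloads.
function jpegComments(buf) {
  const out = [];
  let i = 2;                                           // skip SOI
  while (i + 2 <= buf.length && buf[i] === 0xff) {
    const marker = buf[i + 1];
    if (marker === 0xd9 || i + 4 > buf.length) break;  // EOI or truncated
    const len = buf.readUInt16BE(i + 2);
    if (marker === 0xfe) out.push(buf.subarray(i + 4, i + 2 + len).toString('latin1'));
    i += 2 + len;
  }
  return out;
}

// What .load() does with the response: the bytes go to the HTML parser via
// .html(), which also executes inline <script>. Returns the script elements
// the parser would find in the raw bytes.
function scriptsInResponse(buf) {
  return buf.toString('latin1').match(/<script\b[\s\S]*?<\/script>/gi) || [];
}
```

With the constructed page URL the fetched location resolves to the avatar under /contents/oyashindan/uploads/ (wherever the real upload directory was, the same mechanism applies), and the comment survives intact for the HTML parser; safeAnswerPath() rejects the whole class of inputs rather than trying to strip '..' or '#'.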

Conclusion

I will keep finding bugs, while trying not to bother anyone.

Thank you very much (Yoroshiku)

@kinugawamasato
masatokinugawa[at]gmail.com

Thanks

💰💰💰
