Fuzzing XSS Sanitizers for Fun and Profit | Tom Anthony

HackerOne

19 Sept 202229:19

Summary

TLDRIn this engaging talk, the speaker shares his journey from being arrested for hacking to becoming a web security expert. He introduces a novel approach to finding cross-site scripting (XSS) bugs using coverage-guided fuzzing, a technique that automates the process of inputting diverse data into applications to uncover vulnerabilities. Through case studies, he demonstrates how this method led to discovering zero-day bypasses in sanitizers, emphasizing the power of this strategy for identifying and exploiting edge cases in web security.

Takeaways

😀 The speaker was arrested for hacking in 1998 using a 14.4k modem and faced potential jail time for fraud and theft charges related to hacking activities.
🚀 After avoiding jail, the speaker transitioned from hacking to web development, focusing on SEO (Search Engine Optimization).
🔍 The speaker emphasizes the 'hacking mindset' as a valuable approach to problem-solving, which involves creative and unconventional methods.
📚 The presentation introduces the concept of fuzzing, a technique for finding bugs by inputting a wide range of invalid and unexpected data into an application.
🖥️ The difference between black box fuzzing and coverage-guided fuzzing is explained, with the latter being the focus of the talk due to its ability to see inside the application's code execution.
🌐 The speaker shares personal experiences using coverage-guided fuzzing to find cross-site scripting (XSS) bugs in web applications, leading to significant bug bounties.
🛠️ A detailed case study is provided on how the speaker identified and fuzzed a JavaScript sanitizer, leading to the discovery of a XSS vulnerability and a substantial bounty.
🔑 The importance of understanding the configuration of the sanitizer used by a target is highlighted, as it is crucial for effective fuzzing.
🤖 Custom JavaScript was used to redirect the fuzzer's focus from crashes to finding XSS payloads, demonstrating a creative application of fuzzing techniques.
🔄 The process of priming the fuzzer with initial inputs, such as XSS payloads and HTML snippets, is discussed as a key step in starting the fuzzing process effectively.
🛁 The speaker humorously suggests that patience and taking breaks, like taking a bath, are important while waiting for fuzzing results, emphasizing the time-intensive nature of the process.

Q & A

What was the speaker arrested for in 1998?
-The speaker was arrested for hacking into a corporate network using a 14.4k modem over phone lines.
How did the police officers react to the speaker's technical explanation?
-The police officers did not understand most of what the speaker told them but were still trying to decide what to charge him with.
What were the initial charges the speaker faced?
-The speaker was initially charged with one count of fraud for each time he logged in with someone else's username, totaling four counts, and one count of theft for each individual file he downloaded, totaling 57 counts.
How did the speaker's perspective on hacking change after his arrest?
-The speaker realized that hacking probably wasn't going to be a great career and later got into building websites and SEO instead.
What is the main topic of the speaker's talk?
-The main topic of the speaker's talk is an approach to finding cross-site scripting bugs using fuzzing, specifically coverage-guided fuzzing.
What is fuzzing in the context of software security?
-Fuzzing is a method of finding bugs using automation by providing a wide range of invalid and unexpected data into an application and monitoring for exceptions.
What is the difference between black box fuzzing and coverage-guided fuzzing?
-Black box fuzzing does not allow visibility into the application's internal workings, whereas coverage-guided fuzzing instruments the target to see how it responds to different inputs, focusing on maximizing the execution of different lines of code.
How did the speaker apply fuzzing to find vulnerabilities in cross-site scripting sanitizers?
-The speaker used coverage-guided fuzzing to identify how sanitizers respond to various inputs and to find zero-day bypasses in at least four different sanitizers.
What was the speaker's first experience with fuzzing in the context of a bug bounty program?
-The speaker's first experience involved fuzzing a JavaScript client-side sanitizer used on an online holidays website to find a reflected cookie bug.
What was the outcome of the speaker's fuzzing efforts on the video conferencing platform?
-The speaker found a complex payload that bypassed the sanitizer's fix for a previous vulnerability, leading to additional bounties.
What advice does the speaker give for maintaining a healthy corpus during fuzzing?
-The speaker advises to periodically stop the fuzzer and de-duplicate the corpus to maintain efficiency and avoid unnecessary complexity.
What is the significance of the speaker's mention of 'currying in the bath'?
-The mention of 'currying in the bath' is a humorous anecdote illustrating the speaker's personal habits during the long waiting periods required for fuzzing processes to run.