[HN Gopher] The unexpected Google wide domain check bypass ___________________________________________________________________ The unexpected Google wide domain check bypass Author : notRobot Score : 238 points Date : 2020-03-09 18:03 UTC (4 hours ago) (HTM) web link (bugs.xdavidhu.me) (TXT) w3m dump (bugs.xdavidhu.me) | chatmasta wrote: | This was a really enjoyable, thorough and readable write-up. | Thanks, and nice work! | tanseydavid wrote: | This is the exact comment I would have written if @chatmasta | had not already posted it. | | Thanks for the write-up. | eternalban wrote: | > I put this regex in www.debuggex.com. This is a really cool | website | | What a great find. | gajus wrote: | There is also regex101.com. It is my favourite personal. | | It highlights individual parts of the regex and provides human | explanation, e.g. https://regex101.com/r/xKG7pE/1 | zeta0134 wrote: | Something something regex and two problems. \s | | Seriously though, _nice find!_ It 's often surprising how tiny | little curiosities can lead down the rabbit hole to such | interesting problems. In this case, it was a fairly logical | flawed assumption, but the mess of regex made it just hidden | enough to be tough to spot. | jcims wrote: | This is one area where bug bounty programs can really | outperform an internal security function. There are others, | generally, but this deep rabbit hole exploration is one of the | best. | tialaramex wrote: | Windows again. "Let's use a backslash instead of a slash in | paths" has to be up there with "NUL-terminated strings" in terms | of tiny bad ideas from long ago that are still haunting us. | | Of course it's not as though Google had a choice at the outset, | I'm sure some non-trivial number of web sites magically didn't | work (and maybe still don't work) if you insist that | https://www.example.com\works\fine\on\my\pc doesn't do what the | person writing it expects... I think we can blame some early | Internet Explorer build for first having this work (I can't see | Netscape allowing it) and then it becomes a choice whether to be | a purist or sigh and move on once IE gets popular and real people | do it. | roywiggins wrote: | Oh, I still hear ads giving URLs with inexplicable backslashes | in them. "Visit our website at foo.com backslash baz" | anschwa wrote: | I think few people know the difference, so they say backslash | when they mean forward slash. | AaronFriel wrote: | Seems like the real problem is using a regex to parse a URL | instead of using a URL parser! | lioeters wrote: | Many joyous moments of genuine positive hackery. Notable for me | were: | | - At several points, unusual things were done "for some reason", | following an intuition. | | - The one character that does the trick was discovered by brute- | forcing the browser's URL parsing logic. | | - After finding that this little trick works, other related | Google apps were explored (for "some reason") to see if the trick | is generally applicable, which indeed it was. | | - Deep diving into Chromium source to confirm why the trick | works. | | - How nicely the ends are tied up at the end, seeing the result | of his work have an effect deep in a Closure library commonly | used at Google. | | --- | | Loved this part (my emphasis): | | > I was always "afraid" to dig this deep, and would never have | thought about looking into the source code of a browser, but | after browsing around a bit, you realise that _this code is also | just code, and you can understand how it works_. This is super | and interesting and can be really helpful in many situations. | ultrablack wrote: | Well done! | ipsum2 wrote: | $6,000 seems low for such a severe bug across almost all Google | web properties. I would expect an order of magnitude larger. | lsaferite wrote: | That was my exact thought when reading the payout amount. | Someone1234 wrote: | Google's bug bounty has a $7.5K max on "Vulnerabilities giving | access to client or authenticated session of the logged-in | victim." See here: | | https://www.google.com/about/appsecurity/reward-program/inde... | | I guess they were awarded $6K instead of the full because they | didn't demonstrate it against more substantial properties. But | either way the ceiling is quite low on these classes of | vulnerabilities. | dessant wrote: | That payout is indeed quite low, especially because access to | an authenticated client session could lead to compromised | Google servers when the vulnerability affects web services | used by Google employees. | tptacek wrote: | Why? Who else is going to outbid Google for this serverside URL | parsing bug? | lucasmullens wrote: | Why not offer only a dollar then? | tptacek wrote: | You joke, but lots of places that don't offer cash bounties | still get good bounty submissions. Google offers bounties | because they can, and to attract more submissions. Like I | said below: for this kind of work, $6k is a strong bounty. | Not a lot of places will pay you thousands of dollars for a | URL whitelist bypass bug. | joshspankit wrote: | As we've seen in the smartphone world: the competitors are | people who would rather the bug stay secret so that they can | exploit it. | mjw1007 wrote: | The "competition" that Google is bidding against is all the | other ways that people capable of finding this sort of bug | might choose to spend their free time. | tptacek wrote: | If this were Android drive-by RCE, I'd agree with you. But | they're bidding for the attention of the kinds of | researchers who find URL whitelist validation bugs. $6k is | a strong bounty for that kind of work. | | (The work is important! But people who find web bugs like | this tend to make their money on volume, not on a couple | major hits a year, like the RCE researchers do.) | rootsudo wrote: | That regex explorer to map is pretty cool. | | Good idea - I know this would work on some places. I never | thought of it like this. | yvoschaap wrote: | Great find! True hacker news worthy. | kyle-rb wrote: | I love that the fix is simply a quadruple-backslash (aka an | "actual backslash, for real this time" per | https://xkcd.com/1638/) | gulbrandr wrote: | Thanks for the xkcd link, I loved it! | alanfranz wrote: | URL parsing is a mess. The specification is poorly defined, and | different libraries and/or servers handle them differently. This | is one kind of attack; many SSRFs exist which leverage that | weakness. | | The regex approach, btw, is even worse. Parse your URLs before | doing things with them. | terrislinenbach wrote: | And.. it's down.. | JamesCoyne wrote: | Down for me too. Mirror. | https://web.archive.org/web/20200309211517/https://bugs.xdav... | londons_explore wrote: | I feel like Google is not the only company parsing domains to | check security origins... | | If a backslash can end a security origin, I am going to guess | there are a lot of other vulnerable bits of code... | | One more reason joining and splitting strings with security | impact is a bad idea. | Someone1234 wrote: | > One more reason joining and splitting strings with security | impact is a bad idea. | | Doing it in a standard/shared library is more secure than | bespoke code on each page, since at the very least as we | witness here it can all be updated together as needed. You can | add additional abstraction, but someone eventually has to do | this work. | | Even web browsers themselves aren't immune from bugs in | "joining and splitting strings with security impact" for URL | comprehension. All you can really do is try not to re-write | known secure code. | | Plus this buggy RegX was from the standard on URL parsing: | | https://tools.ietf.org/html/rfc3986#appendix-B | ck2 wrote: | Such a relief some really smart and persistent people are not | evil. | | Though you have to wonder, if there wasn't a bounty... | robocat wrote: | The impact of this bug is probably very wide including server- | side - not just a Google or Closure because as Someone1234 said: | this buggy RegX was from the [RFC3986] standard on URL parsing: | https://tools.ietf.org/html/rfc3986#appendix-B | | Edit: maybe do a search of github for this Regexp, and see what | significant finds there are. Certainly bad actors are already | doing so... | | Also, Google's $6000 payout seems extremely disappointing: Google | should payout on the total impact of the bug that they measure | (not just the one place he happened to find). Why should the | reporter have to investigate the total impact of the bug on | Google in order to get a fair payout? | [deleted] ___________________________________________________________________ (page generated 2020-03-09 23:00 UTC)