[HN Gopher] The unexpected Google wide domain check bypass
___________________________________________________________________
The unexpected Google wide domain check bypass
Author : notRobot
Score : 238 points
Date : 2020-03-09 18:03 UTC (4 hours ago)
(HTM) web link (bugs.xdavidhu.me)
(TXT) w3m dump (bugs.xdavidhu.me)
| chatmasta wrote:
| This was a really enjoyable, thorough and readable write-up.
| Thanks, and nice work!
| tanseydavid wrote:
| This is the exact comment I would have written if @chatmasta
| had not already posted it.
|
| Thanks for the write-up.
| eternalban wrote:
| > I put this regex in www.debuggex.com. This is a really cool
| website
|
| What a great find.
| gajus wrote:
| There is also regex101.com. It is my favourite personal.
|
| It highlights individual parts of the regex and provides human
| explanation, e.g. https://regex101.com/r/xKG7pE/1
| zeta0134 wrote:
| Something something regex and two problems. \s
|
| Seriously though, _nice find!_ It 's often surprising how tiny
| little curiosities can lead down the rabbit hole to such
| interesting problems. In this case, it was a fairly logical
| flawed assumption, but the mess of regex made it just hidden
| enough to be tough to spot.
| jcims wrote:
| This is one area where bug bounty programs can really
| outperform an internal security function. There are others,
| generally, but this deep rabbit hole exploration is one of the
| best.
| tialaramex wrote:
| Windows again. "Let's use a backslash instead of a slash in
| paths" has to be up there with "NUL-terminated strings" in terms
| of tiny bad ideas from long ago that are still haunting us.
|
| Of course it's not as though Google had a choice at the outset,
| I'm sure some non-trivial number of web sites magically didn't
| work (and maybe still don't work) if you insist that
| https://www.example.com\works\fine\on\my\pc doesn't do what the
| person writing it expects... I think we can blame some early
| Internet Explorer build for first having this work (I can't see
| Netscape allowing it) and then it becomes a choice whether to be
| a purist or sigh and move on once IE gets popular and real people
| do it.
| roywiggins wrote:
| Oh, I still hear ads giving URLs with inexplicable backslashes
| in them. "Visit our website at foo.com backslash baz"
| anschwa wrote:
| I think few people know the difference, so they say backslash
| when they mean forward slash.
| AaronFriel wrote:
| Seems like the real problem is using a regex to parse a URL
| instead of using a URL parser!
| lioeters wrote:
| Many joyous moments of genuine positive hackery. Notable for me
| were:
|
| - At several points, unusual things were done "for some reason",
| following an intuition.
|
| - The one character that does the trick was discovered by brute-
| forcing the browser's URL parsing logic.
|
| - After finding that this little trick works, other related
| Google apps were explored (for "some reason") to see if the trick
| is generally applicable, which indeed it was.
|
| - Deep diving into Chromium source to confirm why the trick
| works.
|
| - How nicely the ends are tied up at the end, seeing the result
| of his work have an effect deep in a Closure library commonly
| used at Google.
|
| ---
|
| Loved this part (my emphasis):
|
| > I was always "afraid" to dig this deep, and would never have
| thought about looking into the source code of a browser, but
| after browsing around a bit, you realise that _this code is also
| just code, and you can understand how it works_. This is super
| and interesting and can be really helpful in many situations.
| ultrablack wrote:
| Well done!
| ipsum2 wrote:
| $6,000 seems low for such a severe bug across almost all Google
| web properties. I would expect an order of magnitude larger.
| lsaferite wrote:
| That was my exact thought when reading the payout amount.
| Someone1234 wrote:
| Google's bug bounty has a $7.5K max on "Vulnerabilities giving
| access to client or authenticated session of the logged-in
| victim." See here:
|
| https://www.google.com/about/appsecurity/reward-program/inde...
|
| I guess they were awarded $6K instead of the full because they
| didn't demonstrate it against more substantial properties. But
| either way the ceiling is quite low on these classes of
| vulnerabilities.
| dessant wrote:
| That payout is indeed quite low, especially because access to
| an authenticated client session could lead to compromised
| Google servers when the vulnerability affects web services
| used by Google employees.
| tptacek wrote:
| Why? Who else is going to outbid Google for this serverside URL
| parsing bug?
| lucasmullens wrote:
| Why not offer only a dollar then?
| tptacek wrote:
| You joke, but lots of places that don't offer cash bounties
| still get good bounty submissions. Google offers bounties
| because they can, and to attract more submissions. Like I
| said below: for this kind of work, $6k is a strong bounty.
| Not a lot of places will pay you thousands of dollars for a
| URL whitelist bypass bug.
| joshspankit wrote:
| As we've seen in the smartphone world: the competitors are
| people who would rather the bug stay secret so that they can
| exploit it.
| mjw1007 wrote:
| The "competition" that Google is bidding against is all the
| other ways that people capable of finding this sort of bug
| might choose to spend their free time.
| tptacek wrote:
| If this were Android drive-by RCE, I'd agree with you. But
| they're bidding for the attention of the kinds of
| researchers who find URL whitelist validation bugs. $6k is
| a strong bounty for that kind of work.
|
| (The work is important! But people who find web bugs like
| this tend to make their money on volume, not on a couple
| major hits a year, like the RCE researchers do.)
| rootsudo wrote:
| That regex explorer to map is pretty cool.
|
| Good idea - I know this would work on some places. I never
| thought of it like this.
| yvoschaap wrote:
| Great find! True hacker news worthy.
| kyle-rb wrote:
| I love that the fix is simply a quadruple-backslash (aka an
| "actual backslash, for real this time" per
| https://xkcd.com/1638/)
| gulbrandr wrote:
| Thanks for the xkcd link, I loved it!
| alanfranz wrote:
| URL parsing is a mess. The specification is poorly defined, and
| different libraries and/or servers handle them differently. This
| is one kind of attack; many SSRFs exist which leverage that
| weakness.
|
| The regex approach, btw, is even worse. Parse your URLs before
| doing things with them.
| terrislinenbach wrote:
| And.. it's down..
| JamesCoyne wrote:
| Down for me too. Mirror.
| https://web.archive.org/web/20200309211517/https://bugs.xdav...
| londons_explore wrote:
| I feel like Google is not the only company parsing domains to
| check security origins...
|
| If a backslash can end a security origin, I am going to guess
| there are a lot of other vulnerable bits of code...
|
| One more reason joining and splitting strings with security
| impact is a bad idea.
| Someone1234 wrote:
| > One more reason joining and splitting strings with security
| impact is a bad idea.
|
| Doing it in a standard/shared library is more secure than
| bespoke code on each page, since at the very least as we
| witness here it can all be updated together as needed. You can
| add additional abstraction, but someone eventually has to do
| this work.
|
| Even web browsers themselves aren't immune from bugs in
| "joining and splitting strings with security impact" for URL
| comprehension. All you can really do is try not to re-write
| known secure code.
|
| Plus this buggy RegX was from the standard on URL parsing:
|
| https://tools.ietf.org/html/rfc3986#appendix-B
| ck2 wrote:
| Such a relief some really smart and persistent people are not
| evil.
|
| Though you have to wonder, if there wasn't a bounty...
| robocat wrote:
| The impact of this bug is probably very wide including server-
| side - not just a Google or Closure because as Someone1234 said:
| this buggy RegX was from the [RFC3986] standard on URL parsing:
| https://tools.ietf.org/html/rfc3986#appendix-B
|
| Edit: maybe do a search of github for this Regexp, and see what
| significant finds there are. Certainly bad actors are already
| doing so...
|
| Also, Google's $6000 payout seems extremely disappointing: Google
| should payout on the total impact of the bug that they measure
| (not just the one place he happened to find). Why should the
| reporter have to investigate the total impact of the bug on
| Google in order to get a fair payout?
| [deleted]
___________________________________________________________________
(page generated 2020-03-09 23:00 UTC)