
Confidence 2019: Portals, Clint Eastwood and the Polish cyber-force military

On the 3rd and 4th of June another edition of CONFidence, CONFidence 2019, took place at the Aviation Museum of Cracow. Our team member joined the event and left surprisingly contented and amazed.

What is CONFidence?

CONFidence is a cybersecurity conference that has connected web security experts and enthusiasts since 2005. This year’s edition was hosted at the Polish Aviation Museum and over 1300 people attended. Lectures were split across 3 main tracks and an additional community track; the conference agenda can be found here. Besides lectures you could attend a treasure hunt, a game in which you had to collect points by finishing special tasks, and at the end of the conference the team with the highest score won money and tickets for next year’s edition. If by any chance you would like to compete, you could also join a CTF, a hacking game based on finding hidden flags by exploiting malfunctioning code in many different categories: SQL injection, cryptography, reverse engineering and miscellaneous. Here is a link to the online CTF teaser.

Speakers

In total, 50 speakers talked about different security topics. We couldn’t attend them all, but here is a breakdown of the ones we did. Most of the lectures took 55 minutes.

Topic 1 - Portals

Michał Bentkowski: Security analysis of <portal> element - including SOP bypass and file read in Chrome Canary

Source: https://web.dev/hands-on-portals

Michał Bentkowski gave a short talk about vulnerabilities in portals. Detecting which ports are open on any host? Same-Origin Policy bypass? Keyjacking? You have it all.

But actually… what is a portal?

A portal is an HTML tag that was recently announced by Google at the I/O 2019 conference and is currently only available in Chrome Canary. It can be compared to an iframe, as it allows embedding an external website and additionally, which is completely new, navigating into it using JavaScript. Comparison table of iframes and portals:

Source: https://www.zdnet.com/article/google-launches-portals-a-new-web-page-navigation-system-for-chrome/

How to use portals

Portals can be added by JavaScript or by the HTML <portal> tag with a src attribute, and can only be activated using JS. Here is a snippet which demonstrates how to use it:

<html>
<body>
  Address: <input type="text" id="address"/>
  <button id="btnOpen">Open address in portal</button>
  <button id="btnActivate">portal.activate()</button>
  <!-- <portal> is not a void element, so it needs an explicit closing tag -->
  <portal id="portal" style="width: 1000px; height: 800px; border: 1px solid #000;"
          onload="console.log('portal onload')"></portal>

  <script type="text/javascript">
    const portal = document.getElementById('portal');
    const btnOpen = document.getElementById('btnOpen');
    const btnActivate = document.getElementById('btnActivate');

    // Setting src only embeds the page, much like an iframe would
    function openUrlInPortal(url) {
      portal.src = url;
    }

    btnOpen.addEventListener('click', () => {
      openUrlInPortal(document.getElementById('address').value);
    });

    // activate() replaces the embedding page with the portal's content and URL
    btnActivate.addEventListener('click', () => {
      portal.activate();
    });
  </script>
</body>
</html>

As you can see, after activating the portal, the URL in the browser is replaced by the portal URL and the website content is replaced with the portal content.

Vulnerability 1 - SOP bypass

As written in Google’s web.dev article: “The same-origin policy is a browser security feature that restricts cross-origin interactions by documents and scripts.” This basically means that a script cannot execute JavaScript in the context of an origin other than the one it is running on. Not long ago, this did not hold for portals: it was possible to run JavaScript in the portal’s origin. It could be demonstrated by using the openUrlInPortal function from the previous section like this:

openUrlInPortal('https://accounts.google.com');
openUrlInPortal('javascript:console.log(document.domain)');
// this printed accounts.google.com to the console = SOP bypass
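The browser bug itself was Chrome’s to fix, but a page that assigns user-supplied addresses straight to portal.src, as the demo above does, should also refuse anything that is not an http(s) URL. The following is an added example, not code from the talk or this post; the names safePortalUrl and openUrlInPortalSafely are assumed for this illustration.

```javascript
// Added example (not from the talk or this post): a guard for the demo's
// openUrlInPortal(), which assigns a user-typed address straight to portal.src.
// The names safePortalUrl and openUrlInPortalSafely are assumed for this example.

// Returns a normalised absolute http(s) URL, or null for anything else.
function safePortalUrl(input) {
  let url;
  try {
    // No base URL is given on purpose: relative input is rejected rather than
    // resolved, and "javascript:..." can never be turned into a page URL.
    url = new URL(String(input).trim());
  } catch (e) {
    return null;
  }
  // The scheme check is what stops the javascript: navigation shown above.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null;
  }
  return url.href;
}

// Hardened version of the demo helper. The portal element is passed in rather
// than looked up, so the function can be exercised outside a browser.
function openUrlInPortalSafely(portalElement, input) {
  const href = safePortalUrl(input);
  if (href === null) {
    return false; // nothing is loaded; the caller can show an error instead
  }
  portalElement.src = href;
  return true;
}
```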

Vulnerability 2 - Framing issues (keyjacking)

Another issue mentioned was keyjacking. The presented scenario showed a possible way of stealing an API key by displaying only part of a website in a portal and making the user believe that it is a captcha. For example:

This looks like a pretty long captcha, doesn’t it? In fact, the code looks like this:

<html>
<body>
  Please enter captcha:<input type="text"/>
  <!-- the negative top margin hides all but the bottom 14px of the embedded page -->
  <portal id="portal" style="width: 400px; height: 863px; border: 1px solid #000;
                             margin-top: -849px;"
          src="https://marketplace.magento.com/customer/accessKeys/"></portal>
</body>
</html>

And it displays one of the Magento access keys:
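The page-side mitigation for this framing issue is the same as for iframe clickjacking: refuse to be embedded at all, via X-Frame-Options or CSP frame-ancestors. The added example below is not code from the talk or this post; it decides from a response’s headers whether such a browser would block embedding, and it assumes Chrome applies these headers to <portal> as it does to <iframe>, which this page does not state, with the function names and sample headers constructed for the example.

```javascript
// Added example (not from the talk or this post). Assumes the browser applies
// X-Frame-Options and CSP frame-ancestors to <portal> the way it does to
// <iframe>; function names and sample headers are constructed for this example.

// Returns the frame-ancestors source list from a CSP header value, or null
// when the directive is absent. Quotes are stripped so 'self' becomes self.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// True when the response headers stop attackerOrigin from embedding the page.
// Only 'none', 'self', '*' and exact origins are handled; wildcard hosts are not.
function embeddingBlocked(headers, pageOrigin, attackerOrigin) {
  const get = name => {
    const key = Object.keys(headers).find(k => k.toLowerCase() === name);
    return key ? headers[key] : null;
  };
  const page = pageOrigin.toLowerCase();
  const attacker = attackerOrigin.toLowerCase();
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    if (ancestors.includes('none')) return true;
    if (ancestors.includes('*')) return false;
    return !ancestors.some(src => (src === 'self' && attacker === page) || src === attacker);
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return attacker !== page;
  return false; // no protection: the page can be shown inside a portal
}

// Constructed sample: what a key-management page should send, at minimum.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};
```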

Vulnerability 3 - Port Scan

This one is a bit tricky: it uses the portal onload event to determine the status of a port on any host. Michał described a few possible cases that can occur when loading content into a portal:

  • onload fired an even number of times (i.e. 2, 4, 6, etc.): the requested port is OPEN
  • onload fired an odd number of times (i.e. 3, 5, 7, etc.): the requested port is CLOSED
  • onload did not fire within 1 s: the requested port may be FILTERED

Using those indicators, a simple JavaScript function can be written that loads each port of a given host into a portal and checks the onload count to determine whether the port is open, closed or possibly filtered.

Topic 2 - Clint Eastwood

Udo Schneider: Vulnerabilities for Sale - The Good, the Bad and the Ugly

Source: https://www.biography.com/actor/clint-eastwood

Udo Schneider’s talk was less technical but touched on a really important ethical issue: vulnerability trading. In the modern age of technology you can live a pretty decent life just by looking for vulnerabilities in the best-known applications and reporting them back to the vendor. Large companies often host bug bounty programs through which you can get paid for finding exploitable features. But what if there is no such program and you found a bug in software? There are multiple paths you can take.

The Bad

A common thought that people have when finding an exploitable piece of software is “I wonder how much I can get for this on the darknet”. The darknet is full of hacking tools and there are plenty of places where you could sell it, but is it worth it? It turns out that investing in 0-days is very risky: the exploit can be detected right after its first use or might be patched shortly after purchase. Besides that, there is something more important to worry about: selling exploits over the Tor network is 100% illegal.

The Ugly

Multiple websites exist that buy exploits on the internet; the price range varies, depending on the harm level, from hundreds of dollars to millions. Companies that buy exploits like that then resell them to the military and the largest corporations. This one is ugly because it works legally but makes the web a much less secure place just for the sake of profit.

no report to vendor = no fix = software vulnerabilities wide open to attack at any moment

The Good

Last but not least is the good path that can be taken when finding a vulnerability. You can report it to the vendor, and in case they bluntly say that they won’t fix it, you can contact a team dedicated to web security like Google’s Project Zero. Project Zero is a team of qualified security experts that looks for vulnerable pieces of software (and not only software!) and reports findings back to the vendor, disclosing the exploit after 90 days; if the vendor does not take action to fix it by that time, the exploit becomes visible to everyone.

Topic 3 - Polish cyber-force military

płk Przemysław Przybylak: Military operations in cyberspace, know-how guide of army work in that domain

Source: https://www.cyber.mil.pl/

The last of the discussed talks was given by Przemysław Przybylak, a colonel of the Polish cyber-force military. He described what steps are taken by the military in cyberspace to make Poland a more secure country to live in. Of course, the topic is broad, as modern technology brings up new threats every day that need to be handled. The colonel described in general the whole process that needs to be followed strictly to ensure civilians’ safety. He also mentioned the recent Israeli bombing carried out in response to a hackers’ cyber-attack, and the more distant 2007 cyberattacks on Estonia.

Summary

To sum up, we have to say that CONFidence is a conference that is really worth attending when working in the IT business. We will definitely join it again in 2020.
