HOW FRCKN' HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

URLs are surprisingly hard to read.

All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.

#CVE #SecurityResearch
Comments

"You are not browsing it right" - Apple, 2018

daab

>discover exploit
>suggest fixing it with crash
>get money!

HorochovPL

There is only one correct answer to this.
(Though, please correct me if I'm wrong)

According to section 3.2.2, "In order to disambiguate the syntax, we apply the "first-match-wins" algorithm:
If host matches the rule for IPv4address, then it should be considered an IPv4 address literal and not a reg-name."

Ignoring "scheme", the logic goes as follows:
- "Hier-part" is prefixed with "//", so is defined as "authority path-abempty".
- "Userinfo" matches only "1.1.1.1&", as it must come first, cannot contain an "@", and should therefore ignore the second one.
- "Host" matches "2.2.2.2" as an IPv4address, and should stop there.
- "Host" is not followed by ":", meaning port-number is absent, and the "authority" part has ended.
- "Authority" is not directly followed by "/", therefore "path-abempty" is empty, and the "hier-part" has ended.
- "Hier-part" is not directly followed by "?", resulting in no hit on the optional "query". But the "#" makes a hit on "fragment".
- The entire URI is valid, as it is split up in correctly defined and ordered parts, and all are valid in both syntax and semantics.

The only correct interpretation should therefore be as follows:
Userinfo: 1.1.1.1&
Host: 2.2.2.2
Fragment: @3.3.3.3/

We can follow these relevant ABNF syntax rules by the first-match-wins algorithm, in order to recognize these consequences:

URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
hier-part = "//" authority path-abempty / - / - / -

authority = [ userinfo "@" ] host [ ":" port ]
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
host = - / IPv4address / reg-name
port = *DIGIT

IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet
dec-octet = DIGIT / %x31-39 DIGIT / "1" 2DIGIT / "2" %x30-34 DIGIT / "25" %x30-35 ; 0-255
reg-name = *( unreserved / pct-encoded / sub-delims )

pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
fragment = *( pchar / "/" / "?" )

pct-encoded = "%" HEXDIG HEXDIG
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="


Parts of rules not relevant to the case have been changed to a single dash (-) to lessen the info-dump. Appendix A of the standard contains the complete list.

Note that any scheme may contain additional restrictions, further reducing the number of valid URIs for that scheme. And according to section 3.1: "When presented with a URI that violates one or more scheme-specific restrictions, the scheme-specific resolution process should flag the reference as an error rather than ignore the unused parts".

PainSled

9:08
I love this, "QUICK CRASH CHROME THERE'S AN ATTACK"

OrangeC

“Award is so high”… $7500 is not that high for such a critical bug, though it is a lot for a bug found in open source software.

rkan

Ah, the good old days where the password was right in the url ;-)

MrNateSPF

As a front-end developer, I must admit that a good amount of this was not something that I am super familiar with. All the same, I feel like I really learned something here and I really appreciate you taking the time to explain things so clearly. In short, great video!

CalvinBonner

Heh, it must've been fun to write code that _has to_ crash instead of _mustn't_.

retepaskab

You just overcomplicated my life for no reason at all

fuzzydark

"What is the correct interpretation of this URL?"
My answer: *CRASH* :P

rGunti

2.2.2.2 is the hostname. Firefox and Chrome load 2.2.2.2 and it makes sense. The & before the first @ doesn't have significant meaning, however a '?' in the same place would, since it would then start the query part of the URL. If # comes before @ it starts the fragment part and then the @ can no longer separate the username:password part from the hostname; everything after it is the fragment.

SuperMarkusparkus
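
Both the RFC 3986 walk-through earlier in the thread and the hostname comment above describe the same split of the URL. What follows is an added example, not code from the video, from Chrome or WebKit, or from either commenter: it implements the RFC 3986 generic-syntax split in JavaScript and sets it next to the WHATWG URL parser that browsers and Node.js use. The sample URL is rebuilt from the parts the walk-through lists (userinfo "1.1.1.1&", host "2.2.2.2", fragment "@3.3.3.3/") with the scheme assumed to be http; the remaining inputs are constructed variants, including a double "@" that the two parsers split differently.

```javascript
// Added example: RFC 3986 component split versus the WHATWG URL parser.
// Not code from the video, Chrome, WebKit or any commenter. Scheme "http"
// and all inputs below are constructed for illustration.

// RFC 3986 Appendix B: regular expression that splits a URI reference into
// scheme, authority, path, query and fragment. Neither "?" nor "#" may occur
// inside the authority, so the first "#" after "//" ends it.
const RFC3986_REF = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// Section 3.2.2: IPv4address = 4 x dec-octet (0-255, no leading zeros).
const IPV4ADDRESS = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// reg-name = *( unreserved / pct-encoded / sub-delims ); note: no ":" or "@".
const REG_NAME = /^([A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$/;

// Section 3.2: authority = [ userinfo "@" ] host [ ":" port ].
// userinfo cannot contain "@", so the FIRST "@" is the separator.
function splitAuthority(authority) {
  const at = authority.indexOf('@');
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  let host = hostport;
  let port = null;
  let hostKind;
  const close = hostport.indexOf(']');
  if (hostport.startsWith('[') && close !== -1) {
    // IP-literal: "[...]" is the host and an optional ":port" follows. The
    // address inside the brackets is not validated here (simplification).
    host = hostport.slice(0, close + 1);
    port = hostport[close + 1] === ':' ? hostport.slice(close + 2) : null;
    hostKind = 'IP-literal';
  } else {
    const colon = hostport.lastIndexOf(':');
    if (colon !== -1) {
      host = hostport.slice(0, colon);
      port = hostport.slice(colon + 1);
    }
    // First-match-wins (3.2.2): try IPv4address before reg-name. Anything
    // else is a syntax error the RFC says to flag, not to reinterpret.
    if (IPV4ADDRESS.test(host)) hostKind = 'IPv4address';
    else if (REG_NAME.test(host)) hostKind = 'reg-name';
    else hostKind = 'invalid';
  }
  return { userinfo, host, port, hostKind };
}

function parseRfc3986(uri) {
  const m = RFC3986_REF.exec(uri);
  const parts = {
    scheme: m[2] ?? null,
    authority: m[4] ?? null,
    path: m[5],
    query: m[7] ?? null,
    fragment: m[9] ?? null,
  };
  if (parts.authority !== null) Object.assign(parts, splitAuthority(parts.authority));
  return parts;
}

// The WHATWG URL Standard parser (the global URL in browsers and Node.js).
// It differs from RFC 3986 in a way that matters here: the LAST "@" inside
// the authority wins, and any earlier "@" is percent-encoded as %40.
function parseWhatwg(uri) {
  const u = new URL(uri);
  return {
    username: u.username,
    password: u.password,
    hostname: u.hostname,
    port: u.port,
    pathname: u.pathname,
    search: u.search,
    hash: u.hash,
  };
}

// Constructed inputs: the URL rebuilt from the comment's parts, the "?" and
// "#" variants described above, and a double "@" the two parsers disagree on.
const SAMPLES = [
  'http://1.1.1.1&@2.2.2.2#@3.3.3.3/',
  'http://1.1.1.1?@2.2.2.2#@3.3.3.3/',
  'http://1.1.1.1#@2.2.2.2/',
  'http://a@b@c/',
];

for (const sample of SAMPLES) {
  console.log(sample);
  console.log('  RFC 3986 :', parseRfc3986(sample));
  console.log('  WHATWG   :', parseWhatwg(sample));
}
```

Run it with node (16 or newer). For the comment's URL both sides agree: userinfo "1.1.1.1&", host 2.2.2.2 classified as an IPv4address, empty path, fragment "@3.3.3.3/". They part ways on "http://a@b@c/": the RFC split takes the first "@", is left with "b@c" as the host and reports it invalid, while the WHATWG parser takes the last "@", folds the earlier one into the username as "a%40b" and lands on host "c". Two parsers that disagree about where the authority ends is exactly what makes the question in the title hard.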

"I don't understand Python"

Sky_Shaymin

I love your channel so much. Please never stop making videos!!

Ben-dscm

I'm credited for CVE-2016-5191, a bug that shares many similar characteristics. I only got $500 for it though. 😪

Myx

12:53 - He did it all correctly. Google cares about the security of the Google Chrome browser as its brand is on it, even if the issue is with a non-Google-owned component; they have implemented a quick fix from their side to get this issue mitigated (alas, not perfectly), while Apple will be fixing it from their side.

Gastell

I had barely any idea what you were talking about for the most part (regarding the URL parsing) but I loved it regardless. Shows even small mistakes can have big consequences.

DJTimeLock

Many things were defined way back, like URI/URL, XML and so on, and have many "features" that are later found to be a security issue. Like XXE, which is an XML parser just working to spec. I found so many things where an old RFC definition just designs a "feature" which is itself a security issue.

Serverfrog

I understood like, 20% of the video at most, but it was somehow still interesting

rysea

Thank you for providing the text subtitle for that guy at the end. I really could not understand him.

TheSpacecraftX

Wow! I have just started to scratch the surface of computer security and this video just blew my mind! Thank you very much for sharing

astrix