Introduction
Agenda
The VRP
A Great Report
Proprietary + Confidential
The VRP
You send us vulnerability reports.
Reports we receive
VRP process (flow diagram):
Bug submission → ACK → Triage: reproduction, finding duplicates, severity assessment → Product team → Bugfix / Remediation
Panel → Reward
A Great Report: Account Hijacking with XSS
See also: blog post
The Report
Attack scenario
1. XSS on www.google.com
   Query → HTML: the query parameter is reflected into the page, so the HTML can be attacker-provided.
2. Redirect on www
3. CSRF on accounts.google.com (URL: …?est=TOKEN)
4. Choosing the questionnaire (back on www)
5. The questionnaire
6. Win: the password reset email is sent to the attacker.
High value targets probably mean more work.

XSS on sandbox domains is out of scope.

Beginners: try acquisitions.

Out of scope: XSS in sandbox domains:
ad.doubleclick.net
googleusercontent.com
googlecode.com
codespot.com
feeds.feedburner.com
...
What do the victim and the attacker do?

Attacker privileges: less → more

How likely is it that the victim will do this?

Safe to assume that the victim
● is logged in to Google
● clicks on a link (phishing works)
● clicks once or twice on an attacker website (clickjacking works)

Example:
1. Victim visits the attacker’s website.
2. The victim is tricked into clicking on the website.
3. The attacker exploits a clickjacking bug using this click.
4. The attacker has JS execution on xyz.google.com and can steal data.
Test your PoC before sending.

Example PoC description:
1. With clickjacking, the user clicks on the “Enable XSS” button.
2. Then an iframe is navigated to the vulnerable XSS page.
3. The “title” URL parameter is interpolated without escaping.
4. JS is injected that reads the user’s emails and alerts the text of the first.
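The reflected “title” parameter from the PoC steps above, as an added example (not code from these slides or from Google): a page handler that pastes the parameter into HTML without escaping, beside a hardened handler that escapes on output and refuses to be framed, since the PoC relies on navigating an iframe to the vulnerable page. The URL, handler names and payload are constructed for illustration.

```javascript
// Added example, not from the slides. Hypothetical handlers that render a
// "title" URL parameter; the vulnerable one is the sink the PoC describes.

// Minimal HTML escaping for text content and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the query parameter is interpolated into the body unescaped,
// so attacker-provided HTML becomes part of the page.
function renderVulnerable(url) {
  const title = new URL(url).searchParams.get("title") ?? "";
  return {
    headers: {},
    body: `<h1>${title}</h1>`,
  };
}

// Hardened: escape on output, and forbid framing so the click harvested
// in the clickjacking step cannot be aimed at this page inside an iframe.
function renderHardened(url) {
  const title = new URL(url).searchParams.get("title") ?? "";
  return {
    headers: {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    },
    body: `<h1>${escapeHtml(title)}</h1>`,
  };
}

// True when the body still contains a live tag with an event handler.
function containsLiveTag(body) {
  return /<img\b[^>]*onerror=/i.test(body);
}

// Constructed input: a payload in the "title" parameter of a made-up host.
const PAYLOAD_URL =
  "https://example.test/page?title=" +
  encodeURIComponent('<img src=x onerror="alert(document.body.innerText)">');

// Stand-alone run: show both responses for the same payload URL.
console.log("vulnerable:", renderVulnerable(PAYLOAD_URL).body);
console.log("hardened:  ", renderHardened(PAYLOAD_URL).body);
```

The hardened handler escapes at the point of interpolation rather than trying to filter the input, and the frame-ancestors directive removes the framing step the PoC depends on even if another sink is later found.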
Always verify tools’ output.

Tools often report false positives. We very rarely receive valid reports generated by public automatic scanning tools.

“I’ve attached a 5MB zip with the text output of my X tool. EVERY Google page is affected by these cyber vulnerabilities. Please read it ASAP!!!!”
Source: wikimedia.org
+1: Be Polite
Don’t CC Larry or Sergey
Don’t CC Gerhard (VP Security & Privacy)

“I have 2 SQLi’s I am willing to sell to you to fix it. That is 20k$. Payment only accepted by bitcoin. … Don’t pull magic tricks, or they will be sold on the black market. …”
Source: Anonymous VRP Reporter
+2: Hack for charity!

We double rewards donated to charity!

Don’t register a fake charity.

You may have read about Sanmay Ved, a researcher who was able to buy google.com for one minute on Google Domains. Our initial financial reward to Sanmay, $6,006.13, spelled out Google numerically (squint a little and you’ll see it!).