Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

XSS in the AWS Console

Nick Frichette, posted 4 years ago
  • The author decided to fuzz the AWS APIs. Because of the large amount of functionality, this was no easy feat: valid resources had to be used for the APIs as well.
  • While fuzzing the inputs, they found an error message in the Change History functionality of Elastic Beanstalk. Simply put, the error message broke the UI of the console because of a null error. I personally would have brushed this off as an error in the console and nothing else. But the story continues!
  • Looking at what caused the error in the Chrome dev tools, the author found that a field from CloudTrail was missing. The code that tripped over the null was appending a string/object directly into the DOM.
  • By adding HTML tags to the CloudTrail input that had been null, there was an HTML injection vulnerability! However, the CSP made it impossible to load JavaScript directly. +1 for defense in depth! But the CSP allowed frames to be loaded from anything that starts with S3.
  • The website was not using Angular; it was using AngularJS, which has a bad history of client-side template injection. The basic test payload is {{6*6}}, which is rendered as 36 once the template expression has been evaluated.
  • With AngularJS, JavaScript can be executed via directives (research by Gareth Heyes). These directives can be used to bypass the CSP, which turns the HTML injection into a truly impactful XSS.
  • To me, a few things should be noted here:
    • Defense-in-depth is incredibly important. The CSP nearly made this attack impossible.
    • Fuzzing can be used to find unexpected bugs, even in web applications. Make sure to fuzz the planet with a good list!
    • Cross-service bugs are hard to detect. A penetration test of each of these services individually would have been unlikely to find this bug.
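To make the bug class concrete, here is an added JavaScript example (my own code, not code from Nick Frichette's post or from the AWS console). It models a change-history row renderer: the vulnerable version splices CloudTrail-style fields straight into markup, so a null nested field throws (the "null error" that broke the UI) and a field containing markup becomes HTML injection that an AngularJS-compiled template would then interpolate. The hardened version tolerates missing data, HTML-escapes, and marks the user-controlled cells `ng-non-bindable` so a `{{6*6}}` payload stays literal text. The event shape, the field names `userIdentity.userName` and `requestParameters.description`, and the sample events are assumptions for illustration, not the console's real data model.

```javascript
// Added example; not code from the original post or the AWS console.
// Event shape and field names below are assumed for illustration only.

// Minimal HTML escaper for text that will be spliced into markup.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));

// Vulnerable renderer: trusts the event and concatenates fields into HTML.
//  1) If userIdentity is null, the property read throws a TypeError,
//     which is how a single odd event can take down the whole tab.
//  2) A field containing tags becomes HTML injection.
//  3) If AngularJS compiles the resulting markup, {{...}} inside the
//     injected text is evaluated as a template expression (CSTI).
function renderRowVulnerable(event) {
  const who = event.userIdentity.userName;           // TypeError on null
  const what = event.requestParameters.description;  // raw, unescaped
  return `<tr><td>${who}</td><td>${what}</td></tr>`;
}

// Hardened renderer: default missing data, escape before splicing, and tell
// the AngularJS compiler not to bind the user-controlled cells. Escaping
// alone is NOT enough against CSTI: "{{6*6}}" has no HTML-special characters
// and survives escapeHtml untouched; ng-non-bindable is what keeps it inert.
function renderRowSafe(event) {
  const who = event.userIdentity?.userName ?? "(unknown)";
  const what = event.requestParameters?.description ?? "(none)";
  return `<tr><td ng-non-bindable>${escapeHtml(who)}</td>` +
         `<td ng-non-bindable>${escapeHtml(what)}</td></tr>`;
}

// Run a renderer and report either the markup or the exception class.
function tryRender(render, event) {
  try {
    return { ok: true, html: render(event) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Quick check for a surviving AngularJS interpolation marker.
function containsInterpolation(html) {
  return /\{\{[^}]*\}\}/.test(html);
}

// Constructed sample events (not real CloudTrail records).
const EVENTS = {
  normal: {
    userIdentity: { userName: "alice" },
    requestParameters: { description: "scale to 3 instances" },
  },
  missing: {
    userIdentity: null,                       // the field the console choked on
    requestParameters: { description: "scale to 3 instances" },
  },
  injected: {
    userIdentity: { userName: "mallory" },
    requestParameters: { description: "<img src=x onerror=alert(1)>{{6*6}}" },
  },
};

// Stand-alone demo: compare both renderers over every sample event.
for (const [name, event] of Object.entries(EVENTS)) {
  console.log(name, "vulnerable:", tryRender(renderRowVulnerable, event));
  console.log(name, "safe:      ", tryRender(renderRowSafe, event));
}
```

Note that `containsInterpolation(renderRowSafe(EVENTS.injected))` is still true: the braces are not removed, they are merely placed in an element the AngularJS compiler skips. If the surrounding template cannot guarantee that, the other option is to keep untrusted data out of compiled templates entirely (for example, inserting it with `ng-bind` or `textContent`).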