We recently awarded our biggest bug bounty payout(facebook.com) |
We recently awarded our biggest bug bounty payout(facebook.com) |
For applications on mainstream stacks, if you accept XML inputs (explicitly accept them, that is; as in, invoke the XML parser yourself) and haven't taken the time to make sure you're not expanding entities, the safest bet is to assume that your XML parser has a "let inbound XML run shell commands" feature embedded into it. That's an oversimplification, but maybe not much of one.
This is a great, subtle finding. And Reginaldo handled it like a pro. Let the feeding frenzy for hiring Reginaldo Silva... commence! :)
When I saw your name, it looked familiar, and I went and looked up your old mail. Great work! Congrats on an awesome finding.
How in the world is that ok? How is that the standard?
Are there examples somewhere I can see to understand how this is even possible?
%95 of the time your just using XML like another JSON/serialization format and you should definitely be using something just as lightweight.
Any HNers want to chime in with an account of actually using them for what they're meant for?
Right now, I'd put money on "malicious uses" outnumbering "legitimate" uses.
This is a holdover to the SGML days, where this was a pretty important feature, and used quite frequently in many document formats required for government contracting. As I recall, there was lots of consternation about stuff that was thrown away from SGML when XML was built, but this external entity stuck.
That seems like a nice chunk of money. I can't help but think about how much his exploit would be worth on the black market though. 10x that amount maybe? I have no clue.
Either way, being able to put a bug find like this on your resume is probably worth a lot more than those payouts.
>>> ... We knew we wanted to pay out a lot because of the severity of the issue, so we decided to average the payout recommendations across a group of our program administrators. As always, we design our payouts to reward the hard work of researchers who are already inclined to do the right thing and report bugs to the affected vendors. ... >>>
So, instead of awarding bounty to the researcher who found and intelligently handled the disclosure of the issue, Facebook "decided to average the payout" in order to keep part of the bounty to themselves, rewarding themselves for "hard work" and glorifying themselves for "awarding our biggest bug bounty payout ever" ?
I submitted patches for them all, but it was kinda nasty to fix in Java, because each XML parser had different custom properties to set. https://github.com/rometools/rome/blob/master/src/main/java/... is the hackiness I had to do for ROME.
[1] http://svn.apache.org/repos/asf/shindig/trunk/java/common/sr...
Firstly, how can you be sure HN hasn't introduced the same, or a similar bug? Writing your own implementations does not make them secure.
Secondly, I don't understand why you are suggesting that people should always write their own implementations. Should I write my own servlet container rather than using Tomcat?
> Reginaldo agreed we could share the payout, it was $33,500 for this issue.
There have been many vulnerabilities in YAML parsers for ruby because they let you encode actual objects / code.
JSON, despite being "Javascript object notation", can't actually encode full code/objects. You only have a few datatypes: (off the top of my head) bools, strings, numbers, arrays, key/value dicts. None of these are dangerous or difficult to parse.
What you might be thinking about is the recent Ruby on Rails vulnerability which was caused by transforming JSON into YAML and then parsing the YAML. It would be more accurate to say the YAML parser was vulnerable.
Your claim that "JSON parsers are notoriously vulnerable" implies that this is a common occurrence as well, not just a single incidence.
I personally don't see it as likely because JSON has pretty much no features compared to xml; the surface area is tiny.
[1] http://arstechnica.com/business/2011/12/huge-portions-of-web...
So, no clue where you're getting that from.