Dead Packet Society

As this talk is in Spanish which I don't speak, but the subject matter is a huge interest. I've employed Google to translate the slides. The original talk can be viewed here

---

A quick Intro

My name is Samuel Orellana (aka samux). I have been dedicated to cybersecurity for more than ten years, and in February I complete a decade actively participating in bug bounty programs. I am currently a HackerOne Ambassador in Chile, I have participated in Live Hacking Events around the world and I am part of the platform's Global Top 50.

Besides all that, I love cats.

---

Agenda - Introduction to Client-Side Encryption (CSE).

- CSE and Server-Side Encryption (SSE).

- Types of client-side ciphers.

- Vulnerability detection process.

- Vulnerabilities detected in Bug Bounty programs.

- Conclusions and recommendations.

---

Introduction to Client-Side Encryption (CSE)

- CSE is the process of encrypting sensitive data directly in the user's web browser (the client) before it is transmitted to the server.

- The encryption process is done through JavaScript, which is why developers generally trust that this cannot be breached.

---

CSE and Server-Side Encryption (SSE)

To increase the degree of security, developers often choose to add an additional encryption layer. This is achieved by implementing a server-side encryption (SSE) mechanism, with the objective of preventing the analysis or exposure of data, both in the client and server environments.

---

Yeah but, can server-side encryption be vulnerable?

---

ENOUGH WITH ALL THE SMOKE AND MIRROR, HACK IT ALREADY, DAMMIT!

---

Types of client-side ciphers

Crypto JS

Web Crypto API

Ciphers with SDK (AWS, Azure)

How to identify them?

Crypto JS

crypto-js CryptoJS.AES.encrypt CryptoJS.AES.decrypt CryptoJS.*

Web Crypto ΑΡΙ

crypto.subtle window.crypto.subtle.encrypt crypto.subtle.generateKey subtle.encrypt subtle.decrypt

SDK (AWS, Azure)

aws-sdk @aws-crypto/client-browser azure-storage

---

Vulnerability detection process

The objective of detecting vulnerabilities in the encryption mechanism is based on manipulating data before it is encrypted; therefore, it is necessary to find JavaScript files where the encryption logic is located and then debug them to be able to manipulate them.

---

Vulnerability detection process

Firefox

1. Open the browser, right click, inspect element

2. Click on the debugger (in the middle)

3. A window will open on the left where you can search for everything necessary to break CSE.

---

Vulnerability detection process

Chrome

1. Open the browser, right click, inspect element

2. Top right corner click on "search"

3. A window will open on the left where you can search everything necessary to break CSE.

---

Demo 1

---

Vulnerability detection process

Search for keywords to find where the encryption process is performed (name of encryption libraries, name of endpoints, name of variables, etc.).

Manipulate the information and continue with the flow.

A little more tedious but if possible, analyze each jump of the debugger in order to find sensitive information, etc.

IMPORTANT: If the variable does not allow direct editing on the debugger, manipulate it directly from the console.

---

Full Account Takeover 0 click without user interaction

Demo 2

BOUNTY: $5000

---

Full PII of any registered user

Demo 3

BOUNTY: $3000

---

Total vulnerabilities detected

Vulnerability - Bounty

Full ATO (without interaction) - $5000

Full ATO (without interaction) X2 - $6000

Jira exposed credentials within encryption mechanism logic (*) - $5000

Bypass 2FA $3000

Full PII of any registered admin user - $3000

Full (PII) of any registered user - $3000

Security questions can be changed for any user - $3000

Passwords can potentially be changed for any user - $1500

Disclosure of registered email, name, and last name is possible - $1000

$30,500 Bounties

---

Conclusions and recommendations

Just because it's encrypted doesn't mean it can't be breached.

Always analyze the behavior of JavaScript.

JavaScript for hackers - Gareth Heyes (https://leanpub.com/javascriptforhackers-es)

Jsmon (https://jsmon.sh/).

Adopt a cat!!! 🐱

---

Thank you

When the Internet goes down, I have 5 people who will quickly let me know. But our home server went down without an outcry and I'm not sure when.

I've wanted to setup a monitoring solution just for instances like this. But I would most likely put it on the server that went down. Again I wouldn't know if the server went down, without me checking it. So it always seemed pointless to set it up.

I guess could have a second network monitor to watch the first... but then I feel like this solution quickly becomes #TurtlesAllTheWay down.

But recently I discovered n8n, which makes it easy to run a task and send the output to a Discord channel, or other communications methods if I needed it.

I now have a raspi setup with n8n and NetAlertX. NetAlertX does a great job of letting me know if there's a new host on the network, or if a host is down (again the notifications are sent via webhook to Discord).

Then n8n reports the status of my docker containers to discord as well.

Haven't been productive lately as I've been reorganizing my notes. I have literally decades of notes spread across Google Docs, Google Keep, mindmaps, TiddlyWikis, OneNote, and Trello, which isn't ideal. Furthermore, I'm not taking as many notes as I should be, because these solutions all have some drawbacks.

It's annoyed me that in 2023, with 30 years of the Internet, that our note/document solutions are designed to group information based on a system designed in the medieval times. I was promised the future of a paperless office. Why are we still organizing information to be printed? Just imagine the Internet without hyperlinks or hashtags.

Some solutions do attempt to organize hypertextually, but with drawbacks. I've actually discovered the limit of tags the Google Keep supports. Most wiki's are online only, except for Tiddly Wiki. However, I never liked having to save TiddlyWiki, or risk losing it by closing off the browser.

But with my recent ranting, people have pointed me to Obsidian, and after a week of using it I'm really enjoying it. It has many of the features I've been wanting. It's hypertextual, supports tagging, and offline.

While I could pay for Obsidian Sync to backup my notes to "the cloud," my current setup is using mirror the folder to Google Drive so I can access the notes on multiple systems, and back them up to my SeaFile store.

You may wonder why I care about it being offline if I'm just going to throw it onto Google Drive. Mainly its about control. I can choose if it goes onto the cloud, or which provider, and how much I'm paying. Also, I've worked in environments where we cant store sensitive notes online, so if I start using this for my work then offline becomes a critical feature.

I do not know if I have ADHD. My friends who do notice that I bounce from project to project rather quickly, but yet I'm able to finish them and have asked how. After thinking it over, these are my answers, but YMMV.

Keep a record/journal/engaged friend

First is to record your activity. This and other blogs of mine, serve as my record. I can look it over and tell, have I been active recently. It doesn't have to be a public record, mine are because I like to share.

I'm not suggesting that you get on the social media burnout treadmill of posting 3 useless things a day to get follows. Be your own judge. If you look over your record and haven't done anything in a week, but you know that your life has been busy with events or illnesses, then don't sweat it. But if its been 3 months without an update, then perhaps you should try harder to integrate your projects with your activities.

As far as an engaged friend. There are friends/people who you can talk to about your life, and as nice and caring as they are, they end up just waiting for the moment to talk about their life. Doing this may actually sabotage your project.

But a friend who is engaged with your life, will bring up your previous topics in future conversations, and are interested in hearing updates, which can drive you to accomplishing things to provide the updates.

Minimal Viable Product and Deadlines

The MVP is a term thrown around in software design, often by people who I feel don't know what the word minimal means. (Seriously, if you need a team of people to create an MVP, then you're over thinking it.) Though, we're not trying to pitch our ideas to VCs, the MVP idea is a useful notion to get out project to a point that, we can ignore it for a length of time.

It doesn't even have to be a full "product." Can you throw together a component of the MVP in a night? Then tonight, tell yourself you're going to do it, and don't go to bed until you've reached a stage of completion. You'll either get better assessing what you can realistically accomplish, loose a lot of sleep, or start achieving small victories. Remember the tortoise vs the hare. You don't need one grand victory. A trail of small but consistent victories will lead you to success.

The deadlines are important. They help you prioritize the project over other fun activities that don't have deadlines. An evening deadline won't always fit. Zack Freedman has a number of tips on completing projects and I'll link his videos at the end of this post, but one that stands out is his video on the weekend project. Basically, you start the project on booze o'clock Friday, and you have until Monday to having a function product. If its not done by Monday, then you throw it into the trash.

Last weekend I went to Shmoocon. While it had less moose than ever, I really enjoyed "Escalating Attack and Defense on Cloud-based Kubernetes" by Jay Beale and Inglourious Drivers by Omer Tsarfati.

I always imagined that my IoT hacking trajectory would take me into deeper levels of hardware hacking. Years ago when I took a class on Android internals, I groaned when the instructor declared that we wouldn't be going over the baseband portion of the phone. What was I going to do with this knowledge, hack a terrible game or tik tok?

But last year, several things have forced me to look at web API's and mobile apps as peripherals to the target, but are the target as well, and not just a means to snarf firmware.

Last year I saw press releases for a digital license plate and wanted to attack it. The plates cost about $900, so I figured it would be a while before I even see one in the wild, let alone get my hands on one. Other researchers though, decided to go after the mobile app and APIs and find really amazing findings.

Even cellular networks are turning into APIs.

and micro-services

Last weekend I harvested SIM cards from my collection of dead cell phones for research, and reading them using Osmocom's PySim. Most of them are Tracfone or T-mobile cards, but I have one Verizon as well.