Recently, we had the pleasure of hosting Ryan Kelly, a senior software engineer at Mozilla and an avid cybersecurity enthusiast. On this occasion, Ryan spoke about some rather interesting security vulnerabilities that he had encountered during his time at Mozilla.
Bug #1 - Request Splitting Attack
This vulnerability involved Unicode character encoding and how a string of characters could be used to perform a Server Side Request Forgery (SSRF) attack.
It all started when a bug was reported in one of Firefox's systems that misrepresented Unicode characters. The cause was an encoding mismatch: the same text was being treated as Latin-1 in one place and as UTF-8 in another, so characters did not survive the round trip intact. That matters for HTTP because the carriage-return and line-feed bytes that delimit a request can emerge from characters that looked harmless on the way in, which is exactly what a request splitting attack needs: end the request the server meant to send and append one of the attacker's own. This would allow potential attackers to reach restricted internal components, e.g. an accounts database, and make arbitrary requests to it (something we definitely DON'T want).
Ryan even came up with a payload composed of Unicode characters that would have been able to gain access to the database and delete user accounts.
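To make the mechanism concrete, here is an added example (our illustration, not Ryan's payload or Mozilla's code) that models the request-splitting class in Node.js. It assumes a backend that pastes a user-supplied account identifier into an HTTP request line for an internal service and serialises the request with Node's `latin1` encoding, which keeps only the low byte of each code point; the internal host name, the `/account/` paths and the attacker string are all made up for the demo.

```javascript
// Added example (not Ryan Kelly's or Mozilla's code): HTTP request splitting
// through a character-encoding mismatch, modelled in Node.js.
//
// A backend builds a request to an internal service by pasting a
// user-controlled identifier into the request line. The identifier is a
// JavaScript (UTF-16) string, but the bytes on the wire are produced with
// Node's 'latin1' encoding, which keeps only the low 8 bits of each code
// point. U+010D therefore becomes 0x0D (CR) and U+010A becomes 0x0A (LF):
// the attacker obtains a CRLF they could never have sent literally.
// INTERNAL_HOST and the /account/ paths are assumptions for illustration.

const INTERNAL_HOST = 'accounts-db.internal'; // hypothetical internal service

// Hex of the bytes a string turns into under each encoding, to show the
// truncation directly: latin1 aliases U+010D/U+010A to CR/LF, utf8 does not.
function latin1Hex(s) {
  return Buffer.from(s, 'latin1').toString('hex');
}
function utf8Hex(s) {
  return Buffer.from(s, 'utf8').toString('hex');
}

// Vulnerable: trusts the identifier and serialises the request with latin1.
function buildRequestVulnerable(userId) {
  const text =
    `GET /account/${userId} HTTP/1.1\r\n` +
    `Host: ${INTERNAL_HOST}\r\n` +
    `\r\n`;
  return Buffer.from(text, 'latin1'); // lossy for code points above U+00FF
}

// Hardened: allow-list the identifier before it reaches the request line,
// and serialise with an encoding that cannot alias a character to CR/LF.
// (The allow-list alone would also stop a literal "\r\n" in the identifier.)
function buildRequestHardened(userId) {
  if (!/^[A-Za-z0-9._@+-]{1,254}$/.test(userId)) {
    throw new Error('invalid account identifier');
  }
  const text =
    `GET /account/${userId} HTTP/1.1\r\n` +
    `Host: ${INTERNAL_HOST}\r\n` +
    `\r\n`;
  return Buffer.from(text, 'utf8');
}

// Split a byte stream the way an HTTP/1.1 server would, one request per
// blank line, and return each request line so any injected one is visible.
function requestLines(bytes) {
  return bytes
    .toString('latin1')
    .split('\r\n\r\n')
    .filter((chunk) => chunk.length > 0)
    .map((chunk) => chunk.split('\r\n')[0]);
}

// Constructed attacker input. Only the line breaks need the Unicode trick;
// everything else is plain ASCII. The final fragment is completed by the
// " HTTP/1.1\r\nHost: ..." the vulnerable code appends after the identifier.
const CRLF_UNICODE = '\u010D\u010A';
const ATTACK_ID =
  'alice HTTP/1.1' + CRLF_UNICODE +
  `Host: ${INTERNAL_HOST}` + CRLF_UNICODE + CRLF_UNICODE +
  'DELETE /account/victim HTTP/1.1' + CRLF_UNICODE +
  `Host: ${INTERNAL_HOST}` + CRLF_UNICODE + CRLF_UNICODE +
  'GET /account/alice';

// Run the attacker string through both builders and report what a server
// would see: three requests from the vulnerable path, a rejection from the
// hardened one.
function splitDemo() {
  const vulnerable = requestLines(buildRequestVulnerable(ATTACK_ID));
  let hardenedRejected = false;
  try {
    buildRequestHardened(ATTACK_ID);
  } catch (e) {
    hardenedRejected = true;
  }
  return { vulnerable, hardenedRejected };
}

console.log(JSON.stringify(splitDemo(), null, 2));
```

The vulnerable path yields three request lines, the middle one the attacker's `DELETE`, even though the caller only ever intended to send a single `GET`. Note that switching to UTF-8 on its own is not the fix: an identifier containing a literal CR/LF would still split the request, so the allow-list on what may appear in the request line is the part that actually closes the hole.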
Bug #2 - Auth Bypass via Poison Null
The second bug shared a theme with the first. It would allow an attacker to circumvent the input validation in one of Mozilla's services and gain access to websites with fake certificates. Because the service validated input and authenticated users on behalf of websites, information was passed from the website to the service and back to the website. With the help of some buggy regex and a null byte terminator, an attacker could pose as a trusted user to a website and submit arbitrary requests.
It's amazing to think how the most trivial errors can leave an entire system vulnerable and how difficult input validation can actually be. The most important things we took away were to always validate input regardless of where the data is coming from, and to NEVER use string truncation during input validation: a validator that checks a shortened copy of the data is not checking what the rest of the system will go on to use.
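The following is an added example of our own (not the Mozilla service from the talk, whose details are not on this page) that demonstrates the two takeaways above in JavaScript: a validator that truncates before checking, and a negated-class regex that lets a null byte through, so that the validator and the component that later acts on the value end up looking at different strings. The length limit, the simulated NUL-terminated consumer and the sample inputs are all constructed for the demo.

```javascript
// Added example (not Ryan Kelly's or Mozilla's code): how string truncation
// during validation, plus a regex that admits a NUL byte, let a validator
// and a downstream consumer disagree about what value was approved.
// MAX_LEN, nulTerminatedView and every sample input are constructed.

const MAX_LEN = 40; // arbitrary limit chosen for the demo

// Simulates a downstream consumer built on NUL-terminated strings (a C
// library, for instance): it only ever sees the text before the first 0x00.
function nulTerminatedView(s) {
  const i = s.indexOf('\0');
  return i === -1 ? s : s.slice(0, i);
}

// Vulnerable validator. Two defects are deliberate:
//  1. it truncates to MAX_LEN before checking, so anything past that point
//     is never inspected but still flows downstream with the full string;
//  2. the negated classes [^\s@] admit control characters, NUL included,
//     because NUL is not whitespace.
function validateEmailVulnerable(email) {
  const head = email.slice(0, MAX_LEN);
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(head);
}

// Hardened validator: enforce the length limit instead of truncating to it,
// refuse control characters outright, match against an explicit allow-list,
// and hand back the exact string that was checked so callers act on nothing
// else. Returns the validated string, or null on rejection.
function validateEmailHardened(email) {
  if (typeof email !== 'string' || email.length === 0 || email.length > MAX_LEN) {
    return null;
  }
  if (/[\x00-\x1f\x7f]/.test(email)) {
    return null;
  }
  if (!/^[a-z0-9.+_-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(email)) {
    return null;
  }
  return email;
}

// Trace one input through both layers so any disagreement is visible:
// what the vulnerable validator inspected versus what the consumer gets.
function trace(email) {
  return {
    vulnerableAccepted: validateEmailVulnerable(email),
    validatorSaw: email.slice(0, MAX_LEN),
    consumerSaw: nulTerminatedView(email),
    hardened: validateEmailHardened(email),
  };
}

// Constructed inputs.
const BENIGN = 'bob@example.org';
// Passes the regex as a whole, but a NUL-terminated consumer sees only
// "admin@trusted.example".
const POISON_NUL = 'admin@trusted.example\0.evil.example';
// The first MAX_LEN characters look like a valid address; the tail, which
// the vulnerable validator never inspects, carries whatever the attacker
// wants to smuggle past the check.
const PAST_THE_CUT =
  'bob@example.org' + 'x'.repeat(MAX_LEN - 'bob@example.org'.length) +
  '\r\nX-Admin: true';

for (const input of [BENIGN, POISON_NUL, PAST_THE_CUT]) {
  console.log(JSON.stringify(trace(input)));
}
```

For the benign address every view agrees. For the null-byte input the vulnerable validator approves the full string while the consumer acts on a shorter one, and for the over-long input it approves a prefix while the consumer receives the whole thing, tail included. The hardened version rejects both, not by being cleverer about the regex but by never checking a string other than the one it returns.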
We’d like to thank Ryan Kelly for taking the time from his busy schedule to come over and share this information with our club members.
Read more about these bugs and other similar topics on Ryan’s personal blog: https://www.rfk.id.au/blog/