Art of InfoJacking, Source Conference Seattle, 2011
- 1. Art of InfoJacking
Detecting/Testing Web Network Devices – Hidden Patterns
Source Security Conference
15th-16th June 2011, Seattle
Software Confidence. Achieved.
Aditya K Sood
Security Researcher
adi_ks [at] secniche.org | asood@cigital.com
Friday, June 17, 2011 1
- 2. About Me
Aditya K Sood
─ Founder, SecNiche Security (Research Arena)
● Independent Security Consultant, Researcher and Practitioner
● Worked previously for Armorize, Coseinc and KPMG
● Active Speaker at Security conferences
● Written content for – ISSA/ISACA/Virus Bulletin/CrossTalk/HITB/Hakin9/Elsevier NESE|CFS
● LinkedIn : http://www.linkedin.com/in/adityaks
● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
─ PhD Candidate at Michigan State University
© 2011 Cigital Inc. Friday, June 17, 2011 2
- 3. Words
Disclaimer
All vulnerabilities and attacks presented in this presentation were discovered during my
professional avocation with web application penetration testing and research.
This research is different from my ongoing routine work.
All contents of this presentation represent my own beliefs and views and do not, unless
explicitly stated otherwise, represent the beliefs of my current or any of my previous employers.
All for Education and Development Purposes
Sincere Thanks
Sammy Migues (Principal Consultant, Cigital)
Joel Scambray (Managing Principal, Cigital)
Robert Hines (Managing Consultant, Cigital)
Richard J Enbody (A. Professor, Michigan State University)
- 4. Agenda
Disclaimer
Information Gathering Facets
Information Truth
Web Network Devices
HTTP Cloaking
Inside Layer 7 (HTTP) Policy Metrics
Custom HTTP Response Headers
Cookie and IP Session Management
Proxy Protocols
Web Proxy Auto Detection (WPAD)
Proxy Auto Configuration (PAC)
Anonymous Services
Art of Information Gathering
Vulnerable and Bad Design Practices in Network Devices
Conclusion
- 7. Web Network Devices
Pictures Courtesy – Google Search
- 8. HTTP Cloaking
Inside Server Cloaking
─ Bait-and-switch paradigm
─ General working
– Serving different pages to search engines than to generic requests
– The web server is scripted to return the original pages to search engines by fingerprinting search-spider requests
– Basically, a stealth process of hiding the reality of the web servers
– Thought: cloaking is necessary to protect the metadata. Is it ethical?
─ Is the server cloaking technique used by web-based security devices?
– Yes, Web Application Firewalls (WAFs) use this technique effectively
– Zero visibility into
» Internal web servers
» Internal application servers
» Operating systems in use
» Applied patch levels
– Target: to conceal all sensitive information that may result in a potential attack
- 9. HTTP Cloaking (Cont..)
Considered an implicit technique to thwart web attacks
– Combining HTTP cloaking with web network security devices provides an additional layer of security
– It is required to protect the URL space of the internal web servers
– Looks quite robust from a security point of view
─ Applied Techniques
● HTTP response header manipulation and rewriting
– Rewriting sensitive information out of the headers
– Manipulating the layout of HTTP response headers
– Adding custom headers for traffic management based on user information
● URL translations
– Web Address Translation (WAT), proposed in 2007 by NetContinuum
– URL address translation from exterior to interior networks
– Typically based on DNS namespaces and implicit mapping
– Internal application changes do not impact the external URL scheme
– Web administrators have full access to the user requests and the resultant URLs
- 10. Facets of HTTP Cloaking
Pictures Courtesy – Google Search
- 11. Layer 7 – HTTP Policy Designing
Layer 7 Policy Differentiators
Defining the depth of HTTP request parsing
– Forcing the device to read a given number of bytes of the HTTP request
POST classification input handling
– Forcing the device to scrutinize the HTTP header, the HTTP body, or both
Persistent switching mode
– Defines behavior with multiple client requests over the same TCP connection
– First request / complete and overwrite / complete and maintain
HTTP request normalization
– Enables or disables normalization of URLs in HTTP requests before the HTTP request itself is parsed
Explicit farm naming
– Explicitly configure the name of the farm, with the load that must be taken into consideration during the DNS resolve phase
Backend port encryption
- 12. Layer 7 Content Switching
Effective process of switching traffic
– Heavily used by web-based network security devices
– Content is switched based on the URL and header information
– Sometimes used collaboratively with WAFs
Content Switching – How?
● URL/header matching criteria
– HTTP response header
– HTTP status codes
– Client IP address
– HTTP versions (HTTP/1.0, HTTP/1.1)
– HTTP methods
– URL and URI path info
– Header value
● Load balancing
– Appropriate HTTP handling and redirection
– Algorithms (Round Robin / Weighted Round Robin / Least Requested)
- 13. HTTP Request Normalization
Security Devices and Normalization
– WAFs and IDS/IPS have to perform normalization on incoming HTTP requests
– Normalization is required to manage the detection/prevention control mechanism
– Depends on web server compliance with the HTTP RFC
Productivity
● HTTP Request Fuzzing
– Analyzing HTTP responses to invalid HTTP verbs
– The returned status code provides a lot of information
– Also depends on the web server configuration that allows HTTP methods
– WAFs and IDS/IPS: fuzzing may result in a bypass and helps in designing bypasses
– Examples
– Invalid verbs (POSTTT, GETTT, ROGUE, \r\n\r\n\r\n, etc.)
– Using encoded separators instead of whitespace characters (%20, \t)
– Encoding (Unicode, double encoding, %, //, %00, etc.)
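The slide says a WAF or IDS/IPS must normalize the request before it can detect anything, and lists the encodings that defeat a naive filter. The following is an added example of that normalization step (not code from the talk or from any device): it decodes percent-encoding until stable so double encoding collapses, rejects invalid UTF-8 and %00, and resolves // and .. segments without letting a path climb above the web root. The round limit and the block-or-allow policy are this example's own choices.

```python
# Added example: request-target normalization of the kind a WAF or IDS/IPS
# must perform before signature matching. Not code from the talk; the
# decode-round limit and the rejection policy are this example's choices.
from urllib.parse import unquote


class NormalizationError(ValueError):
    """Raised for request targets that must be rejected rather than normalized."""


def _percent_decode_fully(path: str, max_rounds: int) -> str:
    """Percent-decode until the string is stable, so double encoding
    (%252e%252e -> %2e%2e -> ..) is seen for what it is. Decoding is strict,
    so overlong or invalid UTF-8 sequences (%c0%ae) are rejected instead of
    being silently replaced. Bounding the rounds defeats decode loops."""
    for _ in range(max_rounds):
        try:
            decoded = unquote(path, errors="strict")
        except UnicodeDecodeError as exc:
            raise NormalizationError("invalid UTF-8 in percent-encoding") from exc
        if decoded == path:
            return path
        path = decoded
    raise NormalizationError("percent-encoding nested too deeply")


def _resolve_segments(path: str) -> str:
    """Collapse '//' runs and '.' segments, resolve '..', and refuse to climb
    above the web root (normpath would silently drop a leading '..')."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise NormalizationError("path traversal above web root")
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def normalize_request_target(raw: str, max_decode_rounds: int = 3) -> str:
    """Return the canonical path for a raw request target (the query string is
    dropped here and normalized separately), or raise NormalizationError."""
    path = raw.split("?", 1)[0]
    path = _percent_decode_fully(path, max_decode_rounds)
    path = path.replace("\\", "/")            # IIS-style separators, after decoding %5c
    if "\x00" in path:
        raise NormalizationError("NUL byte in request target")  # %00 truncation trick
    return _resolve_segments(path)


def check_request_target(raw: str):
    """Decision form for a filter or its log: ('allow', canonical) or ('block', reason)."""
    try:
        return ("allow", normalize_request_target(raw))
    except NormalizationError as exc:
        return ("block", str(exc))


if __name__ == "__main__":
    # Constructed sample targets covering the evasions listed on the slide.
    for target in ["/a//b/./c", "/admin%2f..%2fstatus", "/%252e%252e/etc/passwd",
                   "/index.php%00.jpg", "/%c0%ae%c0%ae/", "/static/..%5c..%5cwin.ini"]:
        print(f"{target:32} -> {check_request_target(target)}")
```

The order matters: decode first, then translate separators, then resolve segments. Doing it the other way round is exactly what lets an encoded `..%2f` slip past a filter that only looks at the raw string.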
- 14. HTTP Cloaking (Example 1)
Response Check 1 – Citrix NetScaler (WAF + Load Balancer)
HTTP/1.1 200 OK\r\n
Date: Tue, 05 Jul 2007 17:05:18 GMT\r\n
Server: Server\r\n
Vary: Accept-Encoding,User-Agent\r\n
Content-Type: text/html; charset=ISO-8859-1\r\n
nnCoection: close\r\n
Transfer-Encoding: chunked\r\n
Response Check 2
send: 'GET /?Action=DescribeImages&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&Owner.1=084307701560&SignatureVersion=1&Version=2007-01-03&Signature=<signature removed> HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Server: Apache-Coyote/1.1
header: Transfer-Encoding: chunked
header: Date: Thu, 15 Feb 2007 17:30:13 GMT
send: 'GET /?Action=ModifyImageAttribute&Attribute=launchPermission&AWSAccessKeyId=0CZQCKRS3J69PZ6QQQR2&ImageId=ami-00b95c69&OperationType=add&SignatureVersion=1&Timestamp=2007-02-15T17%3A30%3A14&UserGroup.1=all&Signature=<signature removed> HTTP/1.1\r\nHost: ec2.amazonaws.com:443\r\nAccept-Encoding: identity\r\n\r\n'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Server: Apache-Coyote/1.1
header: Transfer-Encoding: chunked
header: Date: Thu, 15 Feb 2007 17:30:14 GMT
header: nnCoection: close
- 15. HTTP Cloaking (Example 2)
Request / Response Check – Citrix NetScaler (WAF + Load Balancer)
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Keep-Alive: 115
Connection: keep-alive
(Status-Line) HTTP/1.1 301 Moved Permanently
Date: Mon, 08 Nov 2010 19:49:23 GMT
Cneonction: close
Content-Type: httpd/unix-directory
Set-Cookie: uu=9mjpm8rn90Duu4CQwFOZbQPyOCTl4V6yoHENgcCxLaHVsZ3h5dQ99JSlTTGlpO4Tw/IehNChDcKgwZ4SkLD98SNSnGEggS3RM4FdkEVkaDIDUknUIRRI9fOEyYXz10uCA9bKIgdm+sIHNgpXl6YLh+ChPhIREU2wQKD9obDCvgGQ0Y3BwNGN8eNSvhGz0h6ypaRIUuPyHvWQ8paioPEtkaDRnSGAwr4RsLFNwcDRnSGDwr4Rs9IesqPUWCLgwh6yoME9ocDRnSGT4r4Rs9IesqPyHvLjom6Co=;expires=Thu, 30 Dec 2037 00:00:00 GMT;path=/;domain=.imdb.com
Set-Cookie: session-id=284-9245763-9527093;path=/;domain=.imdb.com
Set-Cookie: session-id-time=1289332163;path=/;domain=.imdb.com
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
P3P: policyref="http://i.imdb.com/images/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
Content-Length: 20
- 16. HTTP Cloaking (Example 3)
Response Check 1 – Citrix NetScaler (WAF + Load Balancer)
HTTP/1.0 404 Not Found\r\n
Xontent-Length: \r\n
Server: thttpd/2.25b 29dec2003\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
Last-Modified: Tue, 05 Jul 2010 17:01:12 GMT\r\n
Accept-Ranges: bytes\r\n
Cache-Control: no-cache, no-store\r\n
Date: Tue, 05 Jun 2010 17:01:12 GMT\r\n
Content-Length: 329\r\n
Connection: close\r\n
Response Check 2
HTTP/1.0 302 Moved Temporarily
Age: 0
Date: Thu, 11 Mar 2010 12:01:55 GMT
Xontent-Length:
Connection: Close
Via: NS-CACHE-7.0: 11
ETag: "KXIPDABNAPPNNTZS"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Powered-By: PHP/5.1.6
Location: http://216.99.132.20/smb/index.php
Content-type: text/html
Xontent-Length: \r\n
- 17. Custom HTTP Response Headers
Custom HTTP Response Headers
─ Web security devices add their own custom response headers
─ General working
– WAFs usually add HTTP response headers
– All the HTTP traffic is routed through the intermediate security device
– Basically, Via: and Cache: response headers are added
– Primarily, there is no need to request the web server every time if an updated copy of the web site is present in the cache
– The Via: header supports the fact that traffic is handled by another device in the network, which can make changes to the inbound and outbound HTTP traffic
- 18. Custom HRH (Example)
Response Headers – BinarySec Device
HTTP/1.0 200 OK
Date: Wed, 25 Aug 2010 08:45:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Wed, 25 Aug 2010 08:45:46 GMT
X-BinarySEC-Via: frontal2.re.saas.example.com
HTTP/1.0 301 Moved Permanently
Content-length: 0
Content-language: fr
X-binarysec-cache: saas.example.com
Connection: keep-alive
Location: http://www.binarysec.fr/cms/index.html
Date: Tue, 24 Nov 2009 22:49:01 GMT
Content-type: text/html
- 19. Cookie and IP Session Management
Custom HTTP Response Header (Set-Cookie)
─ Web security devices add their own Set-Cookie response header
– Adding security to the existent cookie (from the web server)
– HTTP web security devices manage sessions using self-driven cookies
– An effective way to manage sessions with an intermediate layer of working
– Use internal IP addresses to generate sessions (BIG-IP devices)
─ WAFs: do they play around with cookies?
● Cookie Encryption (configuration specific)
– Encrypting cookies before sending them to the client. Hard to interpret.
– Possibly protecting the integrity of the cookies
● Cookie Signing (configuration specific)
– Adding a digital signature as a second line of defense to the existent cookie
– If tampered with, the digital signature won't verify, in general
– Simple and direct detection mechanism
– Example: Barracuda Web Application Firewalls do this.
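Cookie signing as the slide describes it, as an added example rather than any vendor's implementation: the device appends an HMAC tag to the cookie the web server set, and drops the request when the tag no longer matches. The cookie name, key and sample value are constructed (the session-id value is the one shown on slide 15); binding the tag to the cookie name as well as its value is this example's choice, so that a tag cannot be replayed under another cookie. Cookie encryption is not shown here.

```python
# Added example: HMAC cookie signing as a second line of defense (the
# "Cookie Signing" item on the slide). Not vendor code; key and names constructed.
import base64
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)   # constructed; a real device keeps this in protected config


def sign_cookie(name: str, value: str, key: bytes = SIGNING_KEY) -> str:
    """Return 'value|tag'. The tag covers name and value, so a signed value for
    one cookie cannot be presented as a different cookie."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return f"{value}|{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def verify_cookie(name: str, signed: str, key: bytes = SIGNING_KEY):
    """Return the original value if the tag verifies, else None (tampered, forged
    or never signed). compare_digest keeps the comparison constant-time."""
    value, sep, tag_b64 = signed.rpartition("|")
    if not sep:
        return None
    expected = sign_cookie(name, value, key).rpartition("|")[2]
    if not hmac.compare_digest(expected, tag_b64):
        return None
    return value


def tamper_demo(key: bytes = SIGNING_KEY) -> dict:
    """Exercise the scheme: a genuine cookie, a value edited by the client,
    the same signed blob presented under another cookie name, and an unsigned value."""
    signed = sign_cookie("session-id", "284-9245763-9527093", key)
    tampered = signed.replace("284-", "285-", 1)
    return {
        "genuine": verify_cookie("session-id", signed, key),
        "tampered": verify_cookie("session-id", tampered, key),
        "renamed": verify_cookie("admin-id", signed, key),
        "unsigned": verify_cookie("session-id", "284-9245763-9527093", key),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case:9} -> {'accepted: ' + result if result else 'rejected'}")
```

The device strips the tag before forwarding the request upstream, so the web server keeps seeing the cookie it originally issued; only the three failing cases in the demo never reach it.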
- 20. CSM (Example 1)
Response Check (It uses Set-Cookie with a “Barracuda” name parameter) – Barracuda WAF
HTTP/1.0 500 Internal Server Error
Date: Thu, 11 Nov 2010 05:52:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 5145
Set-Cookie: BNI__BARRACUDA_LB_COOKIE=df0fa8c000005000; Path=/; Max-age=1020
HTTP/1.0 400 Bad Request
Content-Type: text/html
Date: Thu, 11 Nov 2010 05:02:23 GMT
Connection: close
Content-Length: 39
Set-Cookie: BARRACUDA_LB_COOKIE=192.168.155.11_80; path=/
HTTP/1.0 200 OK
Date: Thu, 11 Nov 2010 10:29:51 GMT
Server: BarracudaServer.com (Windows)
Connection: Keep-Alive
Content-Type: text/html
Cache-Control: No-Cache
Transfer-Encoding: chunked
Set-Cookie: BarracudaDrive=3.2.1; expires=Wed, 07 Sep 2011 10:29:51 GMT
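Slides 14 to 20 show the hidden patterns one by one: the NetScaler's mangled `nnCoection`/`Cneonction` headers and blank `Xontent-Length`, its `Via: NS-CACHE` line, the `X-BinarySEC-*` headers, and the Barracuda load-balancer cookie. The following is an added example (not code from the talk) that turns exactly those page-visible indicators into a check a team can run over its own edge's responses, for instance before and after enabling the header rewriting described on slide 9. The sample responses are constructed from the slide excerpts.

```python
# Added example: header-pattern audit built only from the indicators shown on
# slides 14-20 of this talk. Sample responses are constructed from the slides.
import re

# (device label, regex on header name, optional regex on header value)
INDICATORS = [
    ("Citrix NetScaler (mangled Connection header)", r"^(nnCoection|Cneonction)$", None),
    ("Citrix NetScaler (blank Xontent-Length header)", r"^Xontent-Length$", None),
    ("Citrix NetScaler (integrated cache)", r"^Via$", r"NS-CACHE"),
    ("BinarySec", r"^X-BinarySEC-(Via|Cache)$", None),
    ("Barracuda WAF / load balancer", r"^Set-Cookie$", r"BARRACUDA_LB_COOKIE="),
]


def parse_response(raw: str):
    """Split a raw HTTP response (CRLF or LF line ends) into the status line and
    a list of (name, value) pairs. Lines without a colon are kept as ('', line)
    so a malformed header is still visible to the rules rather than dropped."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line ends the header block
        name, sep, value = line.partition(":")
        headers.append((name.strip(), value.strip()) if sep else ("", line.strip()))
    return status, headers


def fingerprint(raw: str):
    """Return the sorted device labels whose indicators appear in the response."""
    _, headers = parse_response(raw)
    hits = set()
    for label, name_re, value_re in INDICATORS:
        for name, value in headers:
            if re.match(name_re, name, re.IGNORECASE) and (
                value_re is None or re.search(value_re, value, re.IGNORECASE)
            ):
                hits.add(label)
    return sorted(hits)


# Constructed from the slide excerpts (abbreviated); not live captures.
SAMPLES = {
    "slide14": "HTTP/1.1 200 OK\r\nServer: Server\r\nnnCoection: close\r\nTransfer-Encoding: chunked\r\n\r\n",
    "slide15": "HTTP/1.1 301 Moved Permanently\r\nCneonction: close\r\nContent-Type: httpd/unix-directory\r\n\r\n",
    "slide16": "HTTP/1.0 302 Moved Temporarily\r\nXontent-Length: \r\nVia: NS-CACHE-7.0: 11\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    "slide18": "HTTP/1.0 200 OK\r\nX-BinarySEC-Via: frontal2.re.saas.example.com\r\n\r\n",
    "slide20": "HTTP/1.0 400 Bad Request\r\nSet-Cookie: BARRACUDA_LB_COOKIE=192.168.155.11_80; path=/\r\n\r\n",
    "clean": "HTTP/1.1 200 OK\r\nServer: Server\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:8} -> {fingerprint(raw) or ['no device indicators']}")
```

A response that matches nothing is the goal state for a cloaked perimeter; the Server header the NetScaler rewrites to the literal value `Server` is left out of the rules because the slides do not tie it to a device.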
- 21. CSM (Example 2)
Request / Response (GEO Location Based Session Management) – Juniper Sec Device
(Request-Line) GET / HTTP/1.1
Host: www.example.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
(Status-Line) HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
Date: Mon, 08 Nov 2010 18:48:02 GMT
Connection: keep-alive
Set-Cookie: rl-sticky-key=b159fd3052f1f60eea47e0dc56d57d62; path=/; expires=Mon, 08 Nov 2010 19:35:22 GMT
Set-Cookie: CT_Akamai=georegion=264,country_code=US,region_code=MI,city=EASTLANSING,dma=551,msa=4040,areacode=517,county=INGHAM,fips=26065,lat=42.7369,long=-84.4838,timezone=EST,zip=48823-48826,continent=NA,throughput=vhigh,bw=1000,asnum=237,location_id=0; path=/; domain=example.net
- 22. CSM and IPSM (Example 3)
Request / Response – Big IP Sec Device
E:\audit>nc example.com 80
GET / HTTP/1.1
HOST:example.com
HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Mon, 08 Nov 2010 17:41:56 GMT
X-Powered-By: ASP.NET
Location: http://www.example.com/us/index.asp
Content-Length: 159
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCCCCSBAA=AHLDLDDANEKJOOPHGOHAAKBA; path=/
Cache-control: private
Set-Cookie: http.pool=167880896.20480.0000; path=/
<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://www.example.com/us/index.asp">here</a>.</body>
- 23. CSM and IPSM (Example 3 Cont…..)
Request / Response – Big IP Sec Device
E:\audit>nc example.com 80
GET / HTTP/1.1
HOST:example.com
HTTP/1.1 302 Object moved
Set-Cookie: http.pool=167880896.20480.0000; path=/
Converting the first cookie field to binary: 167880896 == 00001010000000011010100011000000
Splitting into four 8-bit blocks
00001010
00000001
10101000
11000000
Converting each block to decimal
00001010 = 10
00000001 = 1
10101000 = 168
11000000 = 192
Reading the octets in reverse order (the value is stored little-endian) gives the internal server address:
192.168.1.10
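The decoding steps on slides 22 and 23, carried out in code as an added example (not from the talk): render the first cookie field as 32 bits, split it into four octets, and read them back to front. The cookie value is the one on the slide; the port decode is this example's extension and applies the same byte swap to the second field (20480 is 0x5000, which read little-endian is 0x0050, port 80). The scanner at the end is what a team would run over its own Set-Cookie headers to confirm whether a persistence cookie discloses a private backend address.

```python
# Added example: decoding the BIG-IP 'ip.port.0000' persistence cookie shown on
# slides 22-23, plus a scan over Set-Cookie values. Cookie value from the slide.
import ipaddress
import re

POOL_COOKIE_RE = re.compile(r"^(?P<ip>\d{1,10})\.(?P<port>\d{1,5})\.0000$")


def decode_bigip_cookie(value: str):
    """Return (ip, port) for a classic 'ip.port.0000' BIG-IP cookie value, or None
    when the value is not in that form or is out of range."""
    m = POOL_COOKIE_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group("ip")), int(m.group("port"))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Slide steps: 32-bit binary string, four 8-bit blocks, read in reverse.
    bits = f"{ip_int:032b}"                                    # 00001010 00000001 10101000 11000000
    octets = [int(bits[i:i + 8], 2) for i in range(0, 32, 8)]  # [10, 1, 168, 192]
    ip = ".".join(str(o) for o in reversed(octets))            # 192.168.1.10
    # Same little-endian treatment for the 16-bit port: 20480 = 0x5000 -> 0x0050 = 80
    port = int.from_bytes(port_int.to_bytes(2, "big"), "little")
    return ip, port


def find_leaked_backends(set_cookie_values):
    """Scan Set-Cookie header values and return (cookie name, ip, port, is_private)
    for each one that decodes as a BIG-IP pool cookie."""
    found = []
    for header in set_cookie_values:
        name, sep, value = header.split(";", 1)[0].partition("=")
        if not sep:
            continue
        decoded = decode_bigip_cookie(value)
        if decoded:
            ip, port = decoded
            found.append((name.strip(), ip, port, ipaddress.ip_address(ip).is_private))
    return found


if __name__ == "__main__":
    # The two Set-Cookie values from slide 22.
    for entry in find_leaked_backends([
        "ASPSESSIONIDCCCCSBAA=AHLDLDDANEKJOOPHGOHAAKBA; path=/",
        "http.pool=167880896.20480.0000; path=/",
    ]):
        print(entry)
```

A hit with `is_private` set means the load balancer is handing out RFC 1918 topology to every client; the remedy is the encrypted or hashed persistence cookie mode the slide on cookie encryption refers to, not a firewall rule.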
- 24. Web Proxy Auto Detection Protocol (WPAD)
Inside WPAD
– Detects the network proxy automatically
– Protocol based on the DHCPINFORM query
– DHCP based, no DNS. The query is sent through a URL
– Configuration entries are present in the wpad.dat file
– The FindProxyForURL() function is used
- 25. Web Proxy Auto Detection Protocol (WPAD)
Information Driven
– Access to wpad.dat yields a lot of critical information
– It becomes easy to map the proxy servers and the internal network
- 26. Web Proxy Auto Detection Protocol (WPAD)
Information Driven
– Beneficial in penetration testing
- 27. Proxy Auto Config (PAC)
Inside PAC
– Tells the browser how to find the proxy (manual implementation)
– The FindProxyForURL() function is used
- 28. Proxy Auto Config (PAC)
Information Driven
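Slides 24 to 28 make the point that a wpad.dat or PAC file is a map of proxy servers and internal ranges for whoever can fetch it. The following is an added example (not from the talk) of the review a team would do before publishing such a file: it pulls out every proxy endpoint, isInNet() subnet, dnsDomainIs() suffix and shExpMatch() URL pattern the FindProxyForURL() function discloses, and flags proxies addressed by private IP. The PAC text is constructed; FindProxyForURL is the entry point the slides name, and isInNet, dnsDomainIs, shExpMatch and isPlainHostName are the standard PAC helper functions.

```python
# Added example: what a wpad.dat / PAC file discloses. Sample PAC content is
# constructed; only the standard PAC helper-function names are real.
import ipaddress
import re

SAMPLE_WPAD_DAT = r'''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.internal"))
        return "DIRECT";
    if (isInNet(host, "10.20.0.0", "255.255.0.0") || isInNet(host, "192.168.44.0", "255.255.255.0"))
        return "DIRECT";
    if (shExpMatch(url, "https://payroll.corp.example.internal/*"))
        return "PROXY proxy-hr-01.corp.example.internal:3128";
    return "PROXY 10.20.1.15:8080; PROXY proxy-02.corp.example.internal:8080; DIRECT";
}
'''

PROXY_RE = re.compile(r"\b(?:PROXY|SOCKS5?|HTTPS?)\s+([A-Za-z0-9.\-]+):(\d+)")
ISINNET_RE = re.compile(r'isInNet\(\s*\w+\s*,\s*"([\d.]+)"\s*,\s*"([\d.]+)"\s*\)')
DOMAIN_RE = re.compile(r'dnsDomainIs\(\s*\w+\s*,\s*"([^"]+)"\s*\)')
SHEXP_RE = re.compile(r'shExpMatch\(\s*\w+\s*,\s*"([^"]+)"\s*\)')


def _is_private_host(host: str) -> bool:
    """True when the proxy is addressed by a private IP literal (a hostname returns False)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def audit_pac(text: str) -> dict:
    """Extract everything the PAC discloses: proxy endpoints, the internal subnets
    routed DIRECT, internal DNS suffixes, URL patterns, and proxies given as private IPs."""
    proxies = sorted({f"{h}:{p}" for h, p in PROXY_RE.findall(text)})
    subnets = sorted({str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
                      for ip, mask in ISINNET_RE.findall(text)})
    return {
        "proxies": proxies,
        "subnets": subnets,
        "domains": sorted(set(DOMAIN_RE.findall(text))),
        "url_patterns": sorted(set(SHEXP_RE.findall(text))),
        "private_ip_proxies": [p for p in proxies if _is_private_host(p.rsplit(":", 1)[0])],
    }


if __name__ == "__main__":
    for key, items in audit_pac(SAMPLE_WPAD_DAT).items():
        print(f"{key}:")
        for item in items:
            print(f"    {item}")
```

Everything the report lists is readable by any client that can reach the file, which is why the two slides call wpad.dat information driven: the fix is to keep internal subnets and application hostnames out of the published PAC, not to hide the file.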
- 29. Anonymous Access and Exploitation
Anonymous Access
─ General working
– Some network-based security devices allow anonymous access
– To what extent can we exploit the scenario?
– Tactical exploitation and robust techniques are required
– Typically, the protocol that falls under this is FTP, as an example
- 31. Anonymous Access and Exploitation
Is that all? NO!
- 32. Case Study – Synology Diskstation Manager
Is that all? NO!
FTP Console – Default Buffer Tactic
Determining the number of characters that are acceptable
FTP Protocol
Username – one generic input point
Password – another input point
- 33. Case Study – Synology Diskstation Manager
Is that all? So what!
FTP Console – Using it as an entry point to conduct XSS
Exploiting the vulnerable log module at the backend
Remote code execution using a CSRF payload injected through the FTP console
Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3684
- 34. Case Study – Synology Diskstation Manager
Pwned!
Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3684
- 35. HTTP Web Server – Network Devices
HTTP Web Server Types and Usage
Listed web servers are used effectively in network based devices
Comparative study of the acceptable HTTP verbs
- 36. The Culprit – CGI Implementation
Implementation of CGI-enabled interfaces
─ Web security devices use CGI interfaces for their HTTP functionality
─ Point of command injection. Hidden services execution
─ Unauthorized access and implicit restriction bypasses
─ Examples (never ending ………)
– /cgi-bin/filemanager/filemanager.cgi?folder=/home/httpd/cgi-bin/filemanager/share&lang=eng [NAS Device]
– /cgi-bin/password.cgi
– /cgi/maker/unittest.cgi?action=
– /cgi/maker/tools.cgi?command=
– /control/click.cgi?list | /img/image.cgi?next_file=main_fs.htm
– /control/rotorcgi?help
– /en/help.cgi?ID=25 | /main_activex.cgi
– /cgi-bin/wg_login-act.cgi
– /CgiStart?page=Login&Language=0
– /cgi/b/users/usrpage/?nm=1
– /cgi-bin/csi_login-act.cgi
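The slide names the two failure modes of these CGI handlers, command injection and restriction bypass, without showing code. Below is an added example (not code from any listed device or from the talk) of the pattern behind both, using the `folder=` parameter from the first example URL: the vulnerable form splices the parameter into a shell command string, the hardened form treats it as data, confines it under a fixed root, and passes it to the program as a single argv element with no shell involved. The share root path is assumed from the slide's URL.

```python
# Added example: a CGI 'folder' parameter handled the vulnerable way and the
# hardened way. Not code from any device; the root path is assumed from the slide.
import os
import subprocess

SHARE_ROOT = "/home/httpd/cgi-bin/filemanager/share"   # assumed, taken from the slide's example URL


def list_folder_vulnerable(folder: str) -> str:
    """Anti-pattern: the query parameter is spliced into a shell command string.
    Returned rather than executed so the effect can be inspected: 'share; id'
    becomes two commands once a shell parses it, and '../../' leaves the root."""
    return f"ls -l {folder}"


class CgiParamError(ValueError):
    """Raised when a CGI parameter fails validation."""


def resolve_folder(folder: str, root: str = SHARE_ROOT) -> str:
    """Hardened: treat the parameter as data, join it under the fixed root,
    normalize lexically, and refuse anything that ends up outside the root."""
    if "\x00" in folder:
        raise CgiParamError("NUL in folder parameter")
    joined = os.path.normpath(os.path.join(root, folder.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        raise CgiParamError("folder escapes the share root")
    return joined


def list_folder_command(folder: str) -> list:
    """argv for subprocess.run(..., shell=False): the path is one argument, so
    shell metacharacters in it are inert. '--' ends option parsing in case the
    folder name begins with '-'."""
    return ["ls", "-l", "--", resolve_folder(folder)]


def check_folder(folder: str):
    """Decision form for logging: ('allow', argv) or ('block', reason)."""
    try:
        return ("allow", list_folder_command(folder))
    except CgiParamError as exc:
        return ("block", str(exc))


def run_listing(folder: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False hands argv straight to execve."""
    return subprocess.run(list_folder_command(folder), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for param in ["docs/2011", "share; id", "../../../etc/passwd"]:
        print(f"vulnerable: {list_folder_vulnerable(param)!r}")
        print(f"hardened:   {check_folder(param)}")
```

Note that `share; id` is accepted by the hardened path: it is a legal directory name, and because it travels as one argv element it is only ever a directory name. Traversal is caught by the root check, not by a denylist of characters, which is what keeps the normalization of slide 13 and this check consistent.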
- 37. Bad Design or Ignorance !!
- 38. Binary Controls and Decompilation
Binary Authentication Controls
─ Bad practice in the authentication process
─ Usage of [0|1] and [Yes|No] flags in the authentication modules
─ Verifying authentication information in URLs
─ http://www.example.com/auth.php?authenticated=YES|NO
Decompiling Java Applets (JAR Files)
─ Very effective process for detecting and finding information
─ Devices using Java applets must be decompiled
─ Yields a lot of information
─ Hard-coded passwords; reflected information about sessions
─ Understanding of the login algorithm and specific details