abusing open http proxies

Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Abusing Open HTTP Proxies

Mike ZusmanIntrepidus Group, IncMike.zusman@intrepidusgroup.com

June 18, 2008

OWASP 2

Hi everybody!

Mike Zusman, CISSPPast

Web Application Developer Whale Communications/Microsoft ADP Application Security Team

Current Senior Consultant @ Intrepidus Group

OWASP

Don’t mind me, I’m just sniffing your ports!

3

OWASP

What am I talking about?

Open HTTP ProxiesRemote Access appliancesPlain Old Web Applications

4

OWASP

Using SSL? Come on in!

SSL VPN Remote Access Portals

5

OWASP

One HTTP listener, many web servers

URL Rewriting

6

OWASP

The Good, the bad, and the 0wned

Microsoft Intelligent Application Gatewayhttps://sslvpn.yourbiz.com/

whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp

SonicWALL SSL VPNhttps://sslvpn.yourbiz.com/cgi-bin/nph-httprp/

http://192.168.151.100/exchange/

7

OWASP

The Good, the bad, and the 0wned

8

OWASP

The Good, the bad, and the 0wned

9

OWASP

But wait, there is more . . .

We just showed a client-side attack

We can also attack the network and other servicesHow does HTTP work?

And we can attack the application/proxy itselfThink beyond HTTP

10

OWASP

Scanning the Network

HTTP is sent over TCPhttps://www.kb.cert.org/CERT_WEB

%5Cservices%5Cvul-notes.nsf/id/150227Date Public02/19/2002

Open HTTP proxies will open arbitrary TCP sockets /fetchurl.asp?url=http://192.168.1.1:139

Timing

11

OWASP

Scanning the Network

Trying: http://127.0.0.1:139Result:500Duration: 0.937832117081s

Trying: http://127.0.0.1:443Result:timed outDuration: 30.0013480185s

OWASP

Attacking the Proxy

Web Applications can act as proxiesMicrosoft: WinHTTP, ServerXMLHTTP, XMLHTTPPHP: Include(), fopen(), etc (if your bored)Perl: request()

These Libraries can do more then fetch remote URLsWhat about file:/// ?

13

OWASP

SEO Web Sites (1)

Search Engine Optimize http://127.0.0.1

14

OWASP

SEO Web Sites (2) Great Success!

Search Engine Optimize http://127.0.0.1

15

OWASP

Blog Engine .NET

http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/

Widespread: “probably 100,000 public installs”

Local web site disclosure /js.axd?path=http://localhost

Local file disclosure /js.axd?path=/web.config

16

OWASP

HTTP Request Amplification

Attacker sends X number of requests to the proxy

The proxy sends (x)(y) number of requests to the victim

Google RSS Reader: 2 to 1 request amplification on non-existing feeds

Transloading and WebTV users17

OWASP

Open Application Proxy Chaining

AnonymizationA large number of open app proxies (HTTP GET)Attacker -> Proxy1 -> Proxy2 -> Proxy3 … ->

Victim

Auto-Exploitation: Open Proxy WormA large number of open app proxies (HTTP GET)Attacker -> Proxy1 -> Proxy2 -> Proxy3 … ->

ProxyNThe Proxies are the Victims

18

OWASP

Open Application Proxy Chaining

Embedding URLs

http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….

19

OWASP

Open Application Proxy Chaining

Embedding URLs

20

OWASP

URL Length

.NET 260 char?

IIS: 32K charshttp://support.microsoft.com/kb/820129

How long of a URL can you have?“In theory, there is no limit.

In practice, IE imposes a limit of 2,083 bytes.Because nobody could need more than 640k. - Some Guy on the Internet

21

OWASP

What about the HTTP Response?

Sometimes you see the proxied response, sometimes you don’tWhat are your goals?

Timing can help (or hurt you)Order of Execution

ConfirmationMake yourself the last hopTCP Sequencing

22

OWASP

No request propagation without exploitation!

Request PropagationAttacker makes one request that turns into N

requests

How can we exploit this?Persistent XSSBlind SQLiGet code to run on a machine in the chain (or a

web browser)23

OWASP

No request propagation without exploitation!

Persistent XSS

http://host1.com/?url=http://host2.com&param=<img src=“http://tinyurl.com/xyz”>

http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …

24

OWASP

Persistent XSS Exploitation

25

OWASP

Demo

Hopefully, it will work.

26

OWASP

No FUD

Attack PrerequisitesApp must have a URL that makes arbitrary

requestThe same URL must have some other code

execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]

Order of Execution: Exploit then Propagate

Leg WorkAttacker must find targets ahead of time

Mitigating FactorURL Length Limitations

27

OWASP

This is OWASP…

…so how do we fix this stuff? Input ValidationDisplaying host names in URLs is bad

Manipulation Information Leakage

Lock down the config Use a product that supports white lists Don’t allow .* hosts

Firewall configuration Does your proxy NEED to…

– talk to the Internet?– talk to every host on your LAN?

28

OWASP

Thanks

Questions? Comments? Concerns?

Mike.zusman@intrepidusgroup.com http://schmoil.blogspot.com http://blog.phishme.com

29