Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hook, Line and Sinker - Pillaging API Webhooks

Abhay Bhargav
March 29, 2022
Technology
0
810

Hook, Line and Sinker - Pillaging API Webhooks

Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.

In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.

Abhay Bhargav

March 29, 2022
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Secure by Design - Across the Stack
abhaybhargav
0
140
Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav
abhaybhargav
0
610
Flaming Hot SLSA!
abhaybhargav
1
620
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
100
SecAppDev 2022 - Everything as code
abhaybhargav
0
130
DevSecOops - Stories of DevSecOps Failures and Success
abhaybhargav
0
1.6k
Practical DevSecOps Pipelines
abhaybhargav
1
350
A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle
abhaybhargav
0
300
Agile Threat Modeling-as-Code
abhaybhargav
2
730

Other Decks in Technology

See All in Technology
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
Lexical Analysis
shigashiyama
1
150
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
Why does continuous profiling matter to developers? #appdevelopercon
salaboy
0
180
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Platform Engineering for Software Developers and Architects
syntasso
1
510
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k

Featured

See All Featured
Building an army of robots
kneath
302
43k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
Facilitating Awesome Meetings
lara
50
6.1k
Music & Morning Musume
bryan
46
6.2k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Designing the Hi-DPI Web
ddemaree
280
34k
YesSQL, Process and Tooling at Scale
rocio
169
14k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
The Invisible Side of Design
smashingmag
298
50k

Transcript

  1. abhaybhargav Hook, Line and Sinker Pillaging API Webhooks Abhay Bhargav

  2. abhaybhargav Yours Truly • Founder @ we45 • Chief Research

    O ffi cer - AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide

  3. abhaybhargav Community Initiatives • Youtube Channel: AppSecEngineer • Blog: abhaybhargav.com

  4. abhaybhargav My talk…

  5. abhaybhargav My talk…

  6. abhaybhargav My talk…

  7. abhaybhargav Agenda

  8. abhaybhargav Agenda • What are webhooks? How do they work?

  9. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns

  10. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns • SSRF: A Gentle introduction

  11. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws

  12. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws • Interesting Sub-variants

  13. abhaybhargav So you’re building an API…

  14. abhaybhargav You probably need webhooks…

  15. abhaybhargav What are they?

  16. abhaybhargav Webhooks a.k.a “User Generated Callbacks”

  17. abhaybhargav Webhooks are everywhere!

  18. abhaybhargav Common Webhook Traits

  19. abhaybhargav Natural Attack Focus/Assumptions

  20. abhaybhargav Our Focus…

  21. abhaybhargav Our Focus… Can I compromise the Provider? 🤔

  22. abhaybhargav Can I…?

  23. abhaybhargav Can I…?

  24. abhaybhargav Can I…?

  25. abhaybhargav Can I…?

  26. abhaybhargav Can I…?

  27. abhaybhargav Can I…? Webhook request

  28. abhaybhargav Can I…? Webhook request

  29. abhaybhargav Can I…? Webhook request Attacks the Provider

  30. abhaybhargav Can I…? Webhook request Attacks the Provider 😈

  31. abhaybhargav This can only mean….

  32. abhaybhargav SSRF!

  33. abhaybhargav What is SSRF?

  34. abhaybhargav SSRF - Real-world Examples

  35. abhaybhargav SSRF - Real-world Examples

  36. abhaybhargav SSRF - Real-world Examples

  37. abhaybhargav SSRF - Real-world Examples

  38. abhaybhargav SSRF - Real-world Examples

  39. abhaybhargav SSRF - Real-world Examples

  40. abhaybhargav SSRF - Real-world Examples

  41. abhaybhargav Effects and Impact of SSRF

  42. abhaybhargav What we want….

  43. abhaybhargav What we want….

  44. abhaybhargav What we want….

  45. abhaybhargav What we want….

  46. abhaybhargav What we want….

  47. abhaybhargav What we want…. Webhook request

  48. abhaybhargav What we want…. Webhook request

  49. abhaybhargav What we want…. Webhook request Redirects to Internal/Metadata URL

  50. abhaybhargav What we want…. Webhook request Redirects to Internal/Metadata URL

    😈

  51. abhaybhargav But there’s a problem….

  52. abhaybhargav SSRF works… • When there’s a GET request involved

    • Most Webhooks make POST requests (some PUT cases as well) • That are di ffi cult to weaponize as an SSRF • Most 3XX Redirects require clients NOT to follow redirects

  53. abhaybhargav SSRF works… • When there’s a GET request involved

    • Most Webhooks make POST requests (some PUT cases as well) • That are di ffi cult to weaponize as an SSRF • Most 3XX Redirects require clients NOT to follow redirects

  54. abhaybhargav

  55. abhaybhargav HTTP 303 See other • Is a response that

    can be triggered for an originated POST/PUT request • Usually used when a resource has been replaced • Redirect response is a GET (which works for us) • Prompts clients to follow with a GET request to the speci fi ed location

  56. abhaybhargav What we want….

  57. abhaybhargav What we want….

  58. abhaybhargav What we want….

  59. abhaybhargav What we want….

  60. abhaybhargav What we want….

  61. abhaybhargav What we want…. Webhook POST request

  62. abhaybhargav What we want…. Webhook POST request

  63. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service

  64. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service 😈

  65. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service 😈 GET request to Metadata/Internal URL

  66. abhaybhargav How we used this on Docker…

  67. abhaybhargav

  68. abhaybhargav

  69. abhaybhargav

  70. abhaybhargav

  71. abhaybhargav

  72. abhaybhargav

  73. abhaybhargav

  74. abhaybhargav

  75. abhaybhargav

  76. abhaybhargav

  77. abhaybhargav

  78. abhaybhargav

  79. abhaybhargav

  80. abhaybhargav

  81. abhaybhargav

  82. abhaybhargav Demo time

  83. abhaybhargav Needless to say!

  84. abhaybhargav Needless to say!

  85. abhaybhargav Needless to say!

  86. abhaybhargav Needless to say!

  87. abhaybhargav So what?

  88. abhaybhargav Custom Headers FTW! • Several apps (providers) allow you

    to con fi gure custom headers for Webhooks • So all you have to do now is use Cloud Metadata Headers in the Custom Headers and you’re in!

  89. abhaybhargav Custom headers FTW!

  90. abhaybhargav App Level IP Blocklisting?

  91. abhaybhargav Defense

  92. abhaybhargav Conclusions

  93. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others

  94. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks”

  95. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles

  96. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend

  97. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend • Look at defense holistically, and from multiple layers

  98. abhaybhargav Thank you • Twitter: @abhaybhargav, @AppSecEngineer, @we45 • Youtube:

    AppSecEngineer • Website: appsecengineer.com, we45.com