
Hook, Line and Sinker - Pillaging API Webhooks


Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.

In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.

Abhay Bhargav

March 29, 2022

Transcript

  1. abhaybhargav Yours Truly • Founder @ we45 • Chief Research Officer - AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  2. Agenda • What are webhooks? How do they work? • Common Webhook Attack Patterns • SSRF: A Gentle introduction
  3. Agenda • What are webhooks? How do they work? • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws
  4. Agenda • What are webhooks? How do they work? • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws • Interesting Sub-variants
  5. SSRF works… • When there’s a GET request involved • Most Webhooks make POST requests (some PUT cases as well) • That are difficult to weaponize as an SSRF • Most 3XX Redirects require clients NOT to follow redirects
  7. HTTP 303 See other • Is a response that can be triggered for an originated POST/PUT request • Usually used when a resource has been replaced • Redirect response is a GET (which works for us) • Prompts clients to follow with a GET request to the specified location
  8. What we want…. Webhook POST request → HTTP 303 Redirect to Metadata/Internal Service 😈 → GET request to Metadata/Internal URL
  9. Custom Headers FTW! • Several apps (providers) allow you to configure custom headers for Webhooks • So all you have to do now is use Cloud Metadata Headers in the Custom Headers and you’re in!
  10. Conclusions • Webhooks are a powerful way to integrate your apps with others • Also a powerful way to get attacked with “Boomerang Attacks”
  11. Conclusions • Webhooks are a powerful way to integrate your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles
  12. Conclusions • Webhooks are a powerful way to integrate your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend
  13. Conclusions • Webhooks are a powerful way to integrate your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend • Look at defense holistically, and from multiple layers
  14. Thank you • Twitter: @abhaybhargav, @AppSecEngineer, @we45 • Youtube: AppSecEngineer • Website: appsecengineer.com, we45.com
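
The "defense from multiple layers" conclusion, applied to the sender side of a webhook: an added sketch, not code from the talk, of a delivery routine that refuses internal destinations, never follows a 3xx (including the 303 from slides 7 and 8) and drops tenant-supplied metadata headers (slide 9). The function names, hostnames, addresses and the simulated receiver are constructed for illustration; the header names are the ones the cloud providers document for their metadata services.

```python
import ipaddress
from urllib.parse import urlsplit

# Request headers that cloud metadata services check for (AWS IMDSv2, GCP, Azure).
METADATA_HEADERS = {"x-aws-ec2-metadata-token", "x-aws-ec2-metadata-token-ttl-seconds",
                    "metadata-flavor", "metadata"}

def is_internal(ip):
    """True for loopback, private, link-local (169.254.0.0/16) and other non-global IPs."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        addr = mapped
    return not addr.is_global

def filter_headers(custom):
    """Drop tenant-supplied headers that would satisfy a metadata service's header check."""
    return {k: v for k, v in custom.items() if k.lower() not in METADATA_HEADERS}

def destination_allowed(url, resolve):
    """resolve(host) -> list of IP strings; every returned address must be public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ips = resolve(parts.hostname)
    return bool(ips) and not any(is_internal(ip) for ip in ips)

def deliver(url, custom_headers, resolve, send):
    """send(url, headers) -> (status, location) and must not follow redirects itself.
    A real sender should also connect to the address that was checked here."""
    if not destination_allowed(url, resolve):
        return "blocked"
    status, _location = send(url, filter_headers(custom_headers))
    # A 303 asks the client to re-issue the request as a GET to Location; a webhook
    # sender has no reason to do that, so any 3xx is recorded as a failed delivery.
    return "redirect-refused" if 300 <= status < 400 else "delivered"

def demo():
    """Constructed scenario: hostnames, addresses and receiver behaviour are invented."""
    dns = {"hooks.example.test": ["93.184.216.34"], "meta.example.test": ["169.254.169.254"]}
    seen = []
    def receiver(url, headers):  # answers every POST with a 303 to the metadata address
        seen.append(headers)
        return 303, "http://169.254.169.254/"
    hdrs = {"X-Tenant": "acme", "Metadata-Flavor": "Google"}
    resolve = lambda host: dns.get(host, [])
    return (deliver("https://hooks.example.test/cb", hdrs, resolve, receiver),
            deliver("http://meta.example.test/", hdrs, resolve, receiver), seen)

if __name__ == "__main__":
    print(demo())
```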