Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hook, Line and Sinker - Pillaging API Webhooks

Abhay Bhargav
March 29, 2022
Technology
0
740

Hook, Line and Sinker - Pillaging API Webhooks

Webhooks are an important part of modern web services and event-driven applications. They are defined as “user-defined HTTP callbacks”, and are triggered by some events, such as pushing code to a repo or adding a new customer entry in a CRM tool. Webhooks are ubiquitous and gaining in popularity owing to their asynchronous nature and the integration possibilities that they engender.
Webhooks are seen as “harmless”, owing to their “one-way” orientation. They are perceived as such, because they typically post some event information to a URL and they are done once they receive an HTTP response.

In this talk, I will demonstrate a series of attacks that we dub “Webhook Boomerang flaws”. These flaws allow attackers to leverage webhooks to create a boomerang effect that ends up attacking the originating web service itself. The techniques showcased in this talk will highlight a unique set of attack vectors that piggyback on nothing more than the standard HTTP and DNS protocols, which allow us to to perform Server-side Request Forgery style attacks that can lead to cloud-metadata compromise even with security protections like Metadata Headers. In our research, we’ve discovered this across multiple cloud providers and found that these attacks can be used in more conventional SSRF compromises of internal web-services.

Abhay Bhargav

March 29, 2022
Tweet

More Decks by Abhay Bhargav

See All by Abhay Bhargav
Policy-as-Code: Across the Stack - OWASP AppSec DC 2023 | Abhay Bhargav
abhaybhargav
0
550
Flaming Hot SLSA!
abhaybhargav
1
560
SecAppDev - Fantastic API Security Vulnerabilities and where to find them
abhaybhargav
1
95
SecAppDev 2022 - Everything as code
abhaybhargav
0
120
DevSecOops - Stories of DevSecOps Failures and Success
abhaybhargav
0
1.5k
Practical DevSecOps Pipelines
abhaybhargav
1
320
A Hitchhikers Guide to Secrets Management in the Cloud - OWASP Seattle
abhaybhargav
0
260
Agile Threat Modeling-as-Code
abhaybhargav
2
680

Other Decks in Technology

See All in Technology
競技としてのKaggle、役に立つKaggle
yu4u
6
2.3k
本当のAWS基礎
toru_kubota
1
600
MapLibreとAmazon Location Service
dayjournal
1
170
Azureの基本的な権限管理の勉強会
yhana
1
1.9k
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
17k
エンジニア候補者向け資料2024.04.24.pdf
macloud
0
3.3k
LLM開発・活用の舞台裏@2024.04.25
yushin_n
3
1.1k
.NET Profiler in 2024.
kkamegawa
2
810
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
5
670
BPStudyの200回を中心にIT業界を振り返る。そしてこれから
haru860
3
390
Rustで「プリズモイダル法」を利用して「土量計算」をガチでやる
nokonoko1203
1
230
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
3.2k

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
21
1.4k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
358
22k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Debugging Ruby Performance
tmm1
70
11k
What's in a price? How to price your products and services
michaelherold
238
11k
Designing the Hi-DPI Web
ddemaree
276
33k
The Illustrated Children's Guide to Kubernetes
chrisshort
32
46k
Git: the NoSQL Database
bkeepers
PRO
423
63k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k

Transcript

  1. abhaybhargav Hook, Line and Sinker Pillaging API Webhooks Abhay Bhargav

  2. abhaybhargav Yours Truly • Founder @ we45 • Chief Research

    O ffi cer - AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Lead Trainer - we45 Training and Workshops • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide

  3. abhaybhargav Community Initiatives • Youtube Channel: AppSecEngineer • Blog: abhaybhargav.com

  4. abhaybhargav My talk…

  5. abhaybhargav My talk…

  6. abhaybhargav My talk…

  7. abhaybhargav Agenda

  8. abhaybhargav Agenda • What are webhooks? How do they work?

  9. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns

  10. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns • SSRF: A Gentle introduction

  11. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws

  12. abhaybhargav Agenda • What are webhooks? How do they work?

    • Common Webhook Attack Patterns • SSRF: A Gentle introduction • Webhook Boomerang Flaws • Interesting Sub-variants

  13. abhaybhargav So you’re building an API…

  14. abhaybhargav You probably need webhooks…

  15. abhaybhargav What are they?

  16. abhaybhargav Webhooks a.k.a “User Generated Callbacks”

  17. abhaybhargav Webhooks are everywhere!

  18. abhaybhargav Common Webhook Traits

  19. abhaybhargav Natural Attack Focus/Assumptions

  20. abhaybhargav Our Focus…

  21. abhaybhargav Our Focus… Can I compromise the Provider? 🤔

  22. abhaybhargav Can I…?

  23. abhaybhargav Can I…?

  24. abhaybhargav Can I…?

  25. abhaybhargav Can I…?

  26. abhaybhargav Can I…?

  27. abhaybhargav Can I…? Webhook request

  28. abhaybhargav Can I…? Webhook request

  29. abhaybhargav Can I…? Webhook request Attacks the Provider

  30. abhaybhargav Can I…? Webhook request Attacks the Provider 😈

  31. abhaybhargav This can only mean….

  32. abhaybhargav SSRF!

  33. abhaybhargav What is SSRF?

  34. abhaybhargav SSRF - Real-world Examples

  35. abhaybhargav SSRF - Real-world Examples

  36. abhaybhargav SSRF - Real-world Examples

  37. abhaybhargav SSRF - Real-world Examples

  38. abhaybhargav SSRF - Real-world Examples

  39. abhaybhargav SSRF - Real-world Examples

  40. abhaybhargav SSRF - Real-world Examples

  41. abhaybhargav Effects and Impact of SSRF

  42. abhaybhargav What we want….

  43. abhaybhargav What we want….

  44. abhaybhargav What we want….

  45. abhaybhargav What we want….

  46. abhaybhargav What we want….

  47. abhaybhargav What we want…. Webhook request

  48. abhaybhargav What we want…. Webhook request

  49. abhaybhargav What we want…. Webhook request Redirects to Internal/Metadata URL

  50. abhaybhargav What we want…. Webhook request Redirects to Internal/Metadata URL

    😈

  51. abhaybhargav But there’s a problem….

  52. abhaybhargav SSRF works… • When there’s a GET request involved

    • Most Webhooks make POST requests (some PUT cases as well) • That are di ffi cult to weaponize as an SSRF • Most 3XX Redirects require clients NOT to follow redirects

  53. abhaybhargav SSRF works… • When there’s a GET request involved

    • Most Webhooks make POST requests (some PUT cases as well) • That are di ffi cult to weaponize as an SSRF • Most 3XX Redirects require clients NOT to follow redirects

  54. abhaybhargav

  55. abhaybhargav HTTP 303 See other • Is a response that

    can be triggered for an originated POST/PUT request • Usually used when a resource has been replaced • Redirect response is a GET (which works for us) • Prompts clients to follow with a GET request to the speci fi ed location

  56. abhaybhargav What we want….

  57. abhaybhargav What we want….

  58. abhaybhargav What we want….

  59. abhaybhargav What we want….

  60. abhaybhargav What we want….

  61. abhaybhargav What we want…. Webhook POST request

  62. abhaybhargav What we want…. Webhook POST request

  63. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service

  64. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service 😈

  65. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service 😈 GET request to Metadata/Internal URL

  66. abhaybhargav How we used this on Docker…

  67. abhaybhargav

  68. abhaybhargav

  69. abhaybhargav

  70. abhaybhargav

  71. abhaybhargav

  72. abhaybhargav

  73. abhaybhargav

  74. abhaybhargav

  75. abhaybhargav

  76. abhaybhargav

  77. abhaybhargav

  78. abhaybhargav

  79. abhaybhargav

  80. abhaybhargav

  81. abhaybhargav

  82. abhaybhargav Demo time

  83. abhaybhargav Needless to say!

  84. abhaybhargav Needless to say!

  85. abhaybhargav Needless to say!

  86. abhaybhargav Needless to say!

  87. abhaybhargav So what?

  88. abhaybhargav Custom Headers FTW! • Several apps (providers) allow you

    to con fi gure custom headers for Webhooks • So all you have to do now is use Cloud Metadata Headers in the Custom Headers and you’re in!

  89. abhaybhargav Custom headers FTW!

  90. abhaybhargav App Level IP Blocklisting?

  91. abhaybhargav Defense

  92. abhaybhargav Conclusions

  93. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others

  94. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks”

  95. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles

  96. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend

  97. abhaybhargav Conclusions • Webhooks are a powerful way to integrate

    your apps with others • Also a powerful way to get attacked with “Boomerang Attacks” • Consider webhooks in your threat model - multiple attack angles • SSRF is an attacker’s good friend • Look at defense holistically, and from multiple layers

  98. abhaybhargav Thank you • Twitter: @abhaybhargav, @AppSecEngineer, @we45 • Youtube:

    AppSecEngineer • Website: appsecengineer.com, we45.com