
SecAppDev - Fantastic API Security Vulnerabilities and where to find them

Abhay Bhargav

June 26, 2022

Transcript

  1. Yours Truly (abhaybhargav)
    • Founder @ we45
    • Founder @ AppSecEngineer
    • AppSec Automation Junkie
    • Trainer/Speaker at DEF CON, BlackHat, OWASP events, etc., world-wide
    • Co-author of Secure Java For Web Application Development
    • Author of PCI Compliance: A Definitive Guide

  2. My talk…

  3. Story 1: Beware of the Boomerang

  4. So you’re building an API…

  5. You probably need webhooks…

  6. What are they?

  7. Webhooks a.k.a. “User-Generated Callbacks”

  8. Webhooks are everywhere!

  9. Common Webhook Traits

  10. Natural Attack Focus/Assumptions

  11. Our Focus…
    Can I compromise the Provider? 🤔

  12. Can I…?
    Webhook request → attacks the Provider 😈

  13. This can only mean…

  14. SSRF!

  15. What is SSRF?

  16. SSRF - Real-world Examples

  17. Effects and Impact of SSRF

  18. What we want…
    Webhook request → redirects to Internal/Metadata URL 😈

  19. But there’s a problem…

  20. SSRF works…
    • When there’s a GET request involved
    • Most Webhooks make POST requests (some PUT cases as well), which are difficult to weaponize as an SSRF
    • Most 3XX Redirects require clients NOT to follow redirects

  21. (image-only slide, no transcribed text)

  22. HTTP 303 See Other
    • Is a response that can be returned to an originating POST/PUT request
    • Usually used when a resource has been replaced
    • The redirected request is a GET (which works for us)
    • Prompts clients to follow with a GET request to the specified location

  23. What we want…
    Webhook POST request → HTTP 303 Redirect to Metadata/Internal Service → GET request to Metadata/Internal URL 😈

  24. How we used this on Docker…

  25. (image-only slide, no transcribed text)

  26. Demo time

  27. Needless to say!

  28. Custom Headers FTW!
    • Several apps (providers) allow you to configure custom headers for Webhooks
    • So all you have to do now is use Cloud Metadata Headers in the Custom Headers and you’re in!

  29. Custom headers FTW!

  30. App Level IP Blocklisting?

  31. Defense
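Slides 20 to 23 describe the POST → 303 → GET chain and slides 30 and 31 ask what a provider can do about it. The Ruby below is an added example, not code from the deck: a destination check for a webhook dispatcher that resolves the configured URL (and any 303 Location it is handed) and refuses private, loopback and link-local ranges, which is where the 169.254.169.254 metadata address lives. The resolver is injected, so the hostnames and the DNS table are constructed for the example.

```ruby
require "ipaddr"
require "uri"
# Ranges a webhook provider must never connect to. The cloud metadata
# address 169.254.169.254 falls inside the link-local block.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True only if every address the host resolves to lies outside BLOCKED_RANGES.
# The resolver is injected so this runs offline; in production pass a real one
# and connect to the address you checked, not to the hostname again (DNS rebinding).
def safe_webhook_target?(url, resolver:)
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  return false if uri.hostname.nil? || uri.hostname.empty?
  addrs = resolver.call(uri.hostname)
  return false if addrs.empty?
  addrs.all? do |a|
    ip = IPAddr.new(a)
    BLOCKED_RANGES.none? { |range| range.include?(ip) }
  end
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end

# How the dispatcher reacts to the response to its webhook POST. Redirects are
# never followed automatically (Net::HTTP does not follow them by default
# either); a 303 Location is checked like any other target and followed at
# most once, with a GET, only if it passes.
def next_action(status, location, resolver:)
  return :done unless (300..399).cover?(status)
  return :refuse if location.nil?
  safe_webhook_target?(location, resolver: resolver) ? :follow_get_once : :refuse
end

# Constructed DNS table standing in for a real resolver (hostnames are made up).
FAKE_DNS = {
  "hooks.example.net"    => ["203.0.113.10"],
  "internal.example.net" => ["10.20.30.40"],
  "rebind.example.net"   => ["203.0.113.11", "169.254.169.254"]
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host) { [host] } } # literal IPs map to themselves
if __FILE__ == $PROGRAM_NAME
  %w[https://hooks.example.net/cb http://169.254.169.254/latest/meta-data/
     http://internal.example.net/ http://rebind.example.net/].each do |u|
    puts "#{u} => #{safe_webhook_target?(u, resolver: FAKE_RESOLVER) ? 'allowed' : 'refused'}"
  end
end
```

A host that resolves to a mix of public and blocked addresses is refused as a whole, so a rebinding record cannot slip one internal address past the check.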

  32. Story 2: The Fully Loaded PDF Generator

  33. What is SSRF?

  34. What is SSRF?

  35. SSRF - Real-world Examples

  36. Effects and Impact of SSRF

  37. Why does SSRF happen?
    • Application makes HTTP requests based on URIs in Headers and/or Payload => Controlled by attacker
    • Application Library makes requests based on URIs in Header and/or Payload => Controlled by attacker
    • Application/Library includes content based on URIs from Header and/or Payload => Controlled by attacker

  38. Only HTTP?
    • URI?
      • http(s)://
      • file://
      • gopher://
      • ssh://
    Depends on the Client

  39. SSRF Attack Types

  40. PDF Gen and Libraries
    • PDF Generation Libraries - Popular for export, report gen, etc.
    • PDF Generation Libraries:
      • HTML Rendering => HTML and CSS to PDF
      • Headless Browsers => Webkit/Headless Chrome

  41. Exploiting PDF Libraries
    • Typically allow users to load specific HTML tags:
      • <br/>

  42. WeasyPrint SSRF
    • Technique discovered by @NahamSec and CodyBrocious
    • Converts HTML to PDF with support for a very limited set of user-generated HTML tags
    • Allows you to use tag

  43. Story 2: Maya and the Shopping Spree

  44. The situation
    • Maya travels a lot for work. Pre-COVID of course 😄
    • She submits expense reports and invoices in an internal expense-management system that her company has developed
    • Each expense is reviewed by her Project Manager and approved after review
    • Once approved, these bills automatically go into a Payment System where the employee is reimbursed with a bank transfer

  45. The Problem
    • Maya has run into a bit of a debt problem. She has bills she can’t pay.
    • She’d love nothing more than getting “larger” approvals for all the bills submitted
    • But how does she do that?

  46. What is an IDOR?
    • Authorization Bypass (in some cases Elevation of Privileges)
    • Adversary is able to leverage a vulnerable authorization system to gain access to records they are not authorized to access
    • Two Modes:
      • Primary Key
      • Mass-Assignment

  47. Mass Assignment
      public class User {
          private String id;
          private String email;
          private String password;
          private Boolean isAdmin;   // privileged flag; must never be settable from request input
          // getters and setters for other fields
      }

  48. Exploiting Mass Assignment
      public static Result form() {
          // binds every submitted field onto User, isAdmin included
          Form<User> filledForm = newUserForm.bindFromRequest();
          User user = filledForm.get();
          return ok();
      }
    Adversary can guess isAdmin=True and change user privileges

  49. Ruby - Mass Assignment
      def signup
        # params[:user] is the raw request hash; every key in it becomes a model attribute
        @user = User.new(params[:user])
      end
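The Java and Ruby snippets on slides 47 to 49 show the raw request hash going straight into the model. The Ruby below is an added example, not from the deck: the same vulnerable binding beside a hardened signup that accepts only an explicit allowlist of fields (the idea behind Rails strong parameters) and reports the keys it dropped so they can be logged. The User class, the parameter names and the tampered request are constructed for the example.

```ruby
# Minimal stand-in for an ActiveRecord-style model (constructed for this
# example): every key in the hash becomes an attribute, which is exactly
# what makes mass assignment dangerous.
class User
  attr_accessor :id, :email, :password, :is_admin

  def initialize(attrs = {})
    @is_admin = false # default: an ordinary user
    attrs.each { |name, value| public_send("#{name}=", value) }
  end
end

# The pattern from the slide: the raw request hash goes straight into the model.
def signup_vulnerable(params)
  User.new(params[:user])
end

# Hardened version: bind only an explicit allowlist of user-settable fields.
# Keys outside the allowlist are returned so the caller can log them as a
# tampering attempt instead of silently ignoring them.
SIGNUP_PERMITTED = %i[email password].freeze

def signup(params)
  submitted = params.fetch(:user, {})
  permitted = submitted.select { |name, _| SIGNUP_PERMITTED.include?(name.to_sym) }
  rejected  = submitted.keys.map(&:to_sym) - SIGNUP_PERMITTED
  [User.new(permitted), rejected]
end

# Constructed request in which the client has added is_admin to the signup form.
TAMPERED_PARAMS = {
  user: { email: "maya@example.com", password: "correct horse", is_admin: true }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: is_admin=#{signup_vulnerable(TAMPERED_PARAMS).is_admin}"
  user, rejected = signup(TAMPERED_PARAMS)
  puts "hardened:   is_admin=#{user.is_admin}, rejected keys=#{rejected.inspect}"
end
```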

  50. Github’s Mass Assignment Flaw - 2013

  51. Why?
    Copyright © we45 2020