Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Web application Security Trends", Omar Ganiev

"Web application Security Trends", Omar Ganiev

OWASP Russia Meetup #2

47a3212bc9721c62f1135ead56569f17?s=128

OWASP Moscow

December 04, 2017
Tweet

Transcript

  1. Web application security trends Omar Ganiev 28/02/2015

  2. Hi! I’m Beched, and I love hacking an solving problems.

    Let’s observe overall trends and some recently published papers, vulnerabilities and techniques, connected with web application security.
  3. Classification Questions to classify the vulnerabilities: • Is the exploitation

    technique new or known? • Is the attack target new or known technology? • How large is a potential attack surface?
  4. Sourcesof news • Bug trackers, mailing lists • https://blackhat.com/html/archives.html •

    https://blog.whitehatsec.com/top-10-web- hacking-techniques-2013/ • https://blog.whitehatsec.com/top-10-web- hacking-techniques-of-2014/ • …
  5. Community opinion • 30.77% of respondents from rdot.org will go

    to dance a ballet, because web hacking is gonna become way too complex =)
  6. Obvious remarks • Growth of security awareness of developers makes

    their code more secure • At the same time new products and technologies are often released without careful security audit • Old software is often considered as safe and trusty but contains severe vulnerabilities • Business logic bugs are alive
  7. Obvious remarks • Infosec is part of CS and IT,

    and it inherits global trends • The global trend is a wide spread of various gadgets and mobile devices • The global trend is making houses and vehicles smart • The global trend is making web interfaces rich and self-contained in the browsers
  8. Take a look • There’re loads of papers and presentations

    at BlackHat archives. If we filter those, which are connected with web security, and range the topics, we get the following scoreboard of trends: • client-side && mobile • clouds && big data && social networks • misc && classic • TLS && SSL • IoT && routers • PRNG && SSRF && etc • old soft
  9. Client-side && Mobile • Known technologies, new life • There’re

    loads of papers on client-side security • Loads of bug bounties are given for XSS or something like that • There’re a lot of tricky techniques, and we can see a long war between browser developers and XSS hunters • Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases impact of XSS
  10. Client-side && Mobile DISSECTING CSRF ATTACKS & COUNTERMEASURES JAVASCRIPT STATIC

    SECURITY ANALYSIS MADE EASY WITH JSPRIME MILLION BROWSER BOTNET PIXEL PERFECT TIMING ATTACKS WITH HTML5 ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR REVISITING XSS SANITIZATION SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS TWO FACTOR FAILURE THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
  11. Client-side && Mobile • UXSS, MXSS • ChromeOS, FirefoxOS •

    Browser extensions hacking • Endless security features vs bypass war • XSS Auditor, CSP, HttpOnly, SOP, CORS • Funny things like RFD (reflected file download) • OAuth bugs
  12. Example • Chrome XSS auditor breaks a lot of attacks,

    but in most cases it can be bypassed, or at least an attack can be modified • The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets • There’re plenty of bypasses, take a look at http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/ http://www.thespanner.co.uk/2015/02/19/another-xss-auditor- bypass/ https://www.blackhat.com/docs/us-14/materials/us-14-Johns- Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side- XSS-Filtering.pdf
  13. Example • Other bypasses include CSRF tokens leakage, form target

    forgery, etc
  14. Example • Secure CMS and XSS Auditor can be spoiled

    with plugins • Look at this typographic plugin for Drupal: var result = Typographus_Lite_UTF8.typo_text( $(this).text() ); $(this).after(result).remove(); • JQuery method after() is insecure. As a result, div contents become HTML-decoded, and all your reflected or stored <script> stuff becomes active
  15. Example • OAuth is often vulnerable to open redirect due

    to lack of redirect_uri validation https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879 c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&sco pe=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257 After authorization redirects to: http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85 458d0db1c65792d52c8bef3c4407374b2 • Access token (code) value is enough for account takeover
  16. Clouds && Big data && Social networks • Fairly new

    technologies • Cloud computing and machine learning are heavily used for different purposes • As for infosec, this can be used both for attack and defense • Social networks and big data providers can be exploited for deanonymization and fraud • Machine learning can be used for building WAF
  17. Clouds && Big data && Social networks PREDICTING SUSCEPTIBILITY TO

    SOCIAL BOTS ON TWITTER USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS BIG DATA FOR WEB APPLICATION SECURITY FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC PIVOTING IN AMAZON CLOUDS BRINGING A MACHETE TO THE AMAZON BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
  18. Example • Post-exploitation of distributed web applications is often a

    bit tricky – you don’t exactly know which node will process your request • Nodes can often be enumerated via HTTP response headers or cookies • Sometimes some nodes are not updated and contain vulnerabilities • This creates mind-blowing phantom vulnerabilities =) • Take a look at cool talk about Amazon EC2 post- exploitation: https://www.blackhat.com/docs/us- 14/materials/us-14-Riancho-Pivoting-In-Amazon- Clouds.pdf
  19. Example • Data providers are often used for targeted marketing.

    However, their data can sometimes be stolen and used for deanonymisation or fraud. This is documented API request: https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=htt p://incsecurity.ru/?adv_id=$UID • $UID will be replaced with actual cookie value by the server and will be sent to attacker host • Information about user can be obtained via JSONP hijacking, even if session id is checked.
  20. Example • Request: https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st =1 • Response contains information about

    gender, interests, etc. Part of interests description file: … { "id": "40010082", "segment": "Fetish & Bondage", "category": "Interests", "section": "Interests", "description": "“ } …
  21. Misc & Classic • There’re a lot of works which

    continue previous researches and bug reports • They improve exploitation of classical vulnerabilities like SQL injection and testing/analysis methods • The raise of penetration testing industry pushed up demand for .NET and J2EE applications hacking methods
  22. Misc & Classic ') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION

    AND OBFUSCATION TECHNIQUES’)%00 INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS! SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
  23. Example • The paper about hacking C&C panels reminded me

    of the RCE vulnerability in Zeus C&C, which I published near 2010. I opened these links now: http://ahack.ru/bugs/zeus-vulnerability- exploit.htm https://github.com/Visgean/Zeus/ • Guess what I see there since 5 years? ;)
  24. Example • The name of function has changed, but vulnerability

    is still there, AFAICS ... function fsarcCreate($archive, $files) ... $cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"'; exec($cli, $e, $r); ... foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file; ... if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list)) === false)die('Failed to create archive, please check "system/fsarc.php" script.'); ...
  25. Example • This is a small example, probably there’re more

    critical vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code? • Paper on contemporary automatic program analysis mostly tells about grep =) • Personally I use grep with lovely regular expressions: \w*(include|require)(_once)?[\s\(]+(?!\s*('[^']*'|"[^"]*"| )[@\s\.]*(urlencode|rand|rawurlencode|basename|le venshtein|doubleval|sizeof|base64_encode|strlen|flo or|crypt|strrpos|filter_input|abs|bin2hex|bindec|has h|intval|max|decbin|strpos|crc32|ord|md5|count|sh a1|min|pathinfo|floatval|round|hexdec)\s*\()[^;]*\$. *
  26. Example

  27. Example • 2014 has gone, and here comes 2015, but

    PHP and Apache are still broken • Several UAF vulnerabilities in PHP fixed recently, still a lot of restriction bypasses and RCE vulnerabilities live deep there • Apache has not yet learnt RFC • Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP
  28. TLS && SSL • As old as the world •

    There’re still a lot of misconfiguration issues with HTTPS • Also there’re a lot of scary words like BEAST, CRIME, BREACH, HeartBleed, POODLE, SSLStrip and others • Many configuration mistakes are result of trade-off between performance and security
  29. TLS && SSL SSL, GONE IN 30 SECONDS - A

    BREACH BEYOND CRIME TLS 'SECRETS' TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS A PERFECT CRIME? ONLY TIME WILL TELL THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP BYPASSING HTTP STRICT TRANSPORT SECURITY
  30. IoT && Routers • This is one of the most

    popular new IT trends everyone heard about • New means untested. Untested means vulnerable • Seriously, the Internet of things is broken, and many yell about it • People hack RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc
  31. IoT && Routers EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD

    HACKER HOME INVASION V2.0 - ATTACKING NETWORK- CONTROLLED HARDWARE A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
  32. Example • Just look at this:

  33. Example • And this:

  34. Example • And this (admin;admin):

  35. Example • BTW, side note: why doesn’t XSS Auditor perform

    HTTP response splitting check? • As you could see on the screenshot above, response splitting kills XSS Auditor, because we can inject header X-XSS-Protection: 0.
  36. PRNG && SSRF && etc • XXE, SSRF and randomness

    hacking were hot topics of 2012-2013 • They are popular today too, new applications and attack vectors are developed
  37. PRNG && SSRF && etc BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS

    XML OUT-OF-BAND DATA RETRIEVAL THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP
  38. Example • Autodiscover interface in OWA reveals an internal IP

    address of the mail server • Ev.owa interface with cPfdDC parameter can be used to send some LDAP requests and connect to different hosts (“domain controllers”) Microsoft.Exchange.Data.Directory.SuitabilityVerifie r.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential) • If there was bypass for anti-CSRF canary, you could possibly steal NTLM credentials
  39. Example • vBulletin forum CMS allows to upload attachments from

    remote URL (class_upload.php, class_vurl.php) • First it checks the file size via HEAD request, then it downloads the file • You can use HTTP multiplexor to exploit race condition and return code 200 and valid file size for the first request and 302 redirect for the second request • Some configuration options and old versions of cURL allow file:// URL wrapper in Location header
  40. Old soft • We’ve witnessed several critical vulnerabilities in well-known

    and widely used software in 2014 • HeartBleed, GHOST, ShellShock, POODLE, goto fail, etc • Probably it’s an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere
  41. Old soft EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK

    SURFACE SPREAD SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
  42. Example • Although these famous vulnerabilities are not caused by

    web applications, they deeply affect them • ShellShock and GHOST affect webapp<->OS interaction layer • HeartBleed, goto fail, POODLE, affect mainly webapp<->encryption<->network interaction layer
  43. Example • This is another proof of why shouldn’t we

    consider any part of the software as trusted. Each component of the system can be broken • BTW, newspapermen also started the era of nicknames for vulnerabilities • I find this a bit ridiculous but funny =)
  44. Summary • The Internet is broken • The WWW is

    broken • Hackers gonna hack • Web applications become smarter • Hacking becomes smarter
  45. Questions? beched@incsecurity.ru