Defense by numbers: Making problems for script kiddies
DESCRIPTION
On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the surface, however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see. This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide-scale scanning of websites.

TRANSCRIPT
![Page 1: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/1.jpg)
Defense by Numb3r5
Making problems for script k1dd13s and scanner monkeys
@ChrisJohnRiley
![Page 2: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/2.jpg)
![Page 3: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/3.jpg)
“THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING”
SOCRATES: APOLOGY, 21D
![Page 4: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/4.jpg)
I LIKE EDGE CASES
GLOBAL
INFRASTRUCTURE ISSUES
OS SPECIFIC ISSUES
APPLICATION ISSUES
![Page 5: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/5.jpg)
TL;DR
![Page 6: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/6.jpg)
Goals for this talk
Describe the defensive uses of HTTP status codes
![Page 7: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/7.jpg)
1) What
2) Why
3) How
4) Goals
5) Bringing it together
6) Review
![Page 8: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/8.jpg)
1 WHAT?
![Page 9: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/9.jpg)
HTTP STATUS CODES
![Page 10: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/10.jpg)
![Page 11: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/11.jpg)
Seems like such a Small detail
![Page 12: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/12.jpg)
… small detail, big impact
![Page 13: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/13.jpg)
![Page 14: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/14.jpg)
This talk contains:
- Numbers
- Bad Jokes
- Traces of peanuts
- Did I mention numbers?
![Page 15: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/15.jpg)
HTTP Status Codes
- Majority part of RFC 2616 (HTTP/1.1)
- 5 main classes of response
  - 1XX informational
  - 2XX success
  - 3XX redirection
  - 4XX client error
  - 5XX server error
![Page 16: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/16.jpg)
BASICS
AKA: THE BORING THEORY BIT
![Page 17: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/17.jpg)
1XX Informational
- Indicates response received
- Processing is not yet completed
- 100 Continue
- 101 Switching Protocols
- 102 Processing (WebDAV RFC 2518)
![Page 18: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/18.jpg)
2XX Success
- Indicates response received
- Processed and understood
- 200 OK
- 201 Created
- 202 Accepted
- 203 Non-Authoritative Information
- 204 No Content
![Page 19: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/19.jpg)
2XX Success (cont.)
- 205 Reset Content
- 206 Partial Content
- 207 Multi-Status (WebDAV RFC 4918)
- Codes not supported by Apache
  - 208 Already Reported
  - 226 IM Used
  - 250 Low on Storage Space
![Page 20: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/20.jpg)
3XX Redirection
- Action required to complete request
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Found / Moved Temporarily
- 303 See Other
- 304 Not Modified
![Page 21: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/21.jpg)
3XX Redirection (cont.)
- 305 Use Proxy
- 306 Switch Proxy
- 307 Temporary Redirect
- Codes not supported by Apache
  - 308 Permanent Redirect
![Page 22: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/22.jpg)
4XX Client Error
- Client caused an error
- 400 Bad Request
- 401 Unauthorized
- 402 Payment Required
- 403 Forbidden
- 404 Not Found
- 405 Method Not Allowed
![Page 23: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/23.jpg)
4XX Client Error (cont.)
- 406 Not Acceptable
- 407 Proxy Authentication Required
- 408 Request Timeout
- 409 Conflict
- 410 Gone
- 411 Length Required
![Page 24: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/24.jpg)
4XX Client Error (cont.)
- 412 Precondition Failed
- 413 Request Entity Too Large
- 414 Request-URI Too Long
- 415 Unsupported Media Type
- 416 Request Range Not Satisfiable
- 417 Expectation Failed
- 418 I’m a Teapot (WebDAV RFC 2324)
![Page 25: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/25.jpg)
4XX Client Error (cont.)
- 419 / 420 / 421 Unused
- 422 Unprocessable Entity (RFC 4918)
- 423 Locked (RFC 4918)
- 424 Failed Dependency (RFC 4918)
- 425 No Code / Unordered Collection
- 426 Upgrade Required (RFC 2817)
![Page 26: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/26.jpg)
4XX Client Error (cont.)
- Codes not supported by Apache
  - 428 Precondition Required
  - 429 Too Many Requests
  - 431 Request Header Fields Too Large
  - 444 No Response (NGINX)
  - 449 Retry With (Microsoft)
  - 450 Blocked by Win. Parental Controls
  - 451 Unavailable For Legal Reasons
![Page 27: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/27.jpg)
4XX Client Error (cont.)
- Codes not supported by Apache
  - 494 Request Header Too Large (NGINX)
  - 495 Cert Error (NGINX)
  - 496 No Cert (NGINX)
  - 497 HTTP to HTTPS (NGINX)
  - 499 Client Closed Request (NGINX)
![Page 28: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/28.jpg)
5XX Server Error
- Server error occurred
- 500 Internal Server Error
- 501 Not Implemented
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Timeout
- 505 Method Not Allowed
![Page 29: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/29.jpg)
5XX Server Error (cont.)
- 506 Variant Also Negotiates (RFC 2295)
- 507 Insufficient Storage (WebDAV RFC 4918)
- 508 Loop Detected (WebDAV RFC 5842)
- 509 Bandwidth Limit Exceeded (Apache ext.)
- 510 Not Extended (RFC 2274)
![Page 30: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/30.jpg)
5XX Server Error (cont.)
- Codes not supported by Apache
  - 511 Network Authentication Required (RFC 6585)
  - 550 Permission Denied
  - 598 Network Read Timeout Error (Microsoft Proxy)
  - 599 Network Connect Timeout Error (Microsoft Proxy)
![Page 31: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/31.jpg)
OMG Enough with the numbers already!!!!
![Page 32: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/32.jpg)
![Page 33: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/33.jpg)
2 WHY?
![Page 34: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/34.jpg)
It started as a simple idea…
![Page 35: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/35.jpg)
![Page 36: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/36.jpg)
… and I started to think
![Page 37: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/37.jpg)
SCREW WITH SCANNERS
![Page 38: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/38.jpg)
… AND SCRIPT K1DD13S
![Page 39: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/39.jpg)
THAT SOUNDS LIKE FUN!
![Page 40: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/40.jpg)
@thegrugq 26 Feb 2013
![Page 41: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/41.jpg)
@thegrugq 26 Feb 2013
![Page 42: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/42.jpg)
Prior Art
- When the tables turn (2004) - Roelof Temmingh, Haroon Meer, Charl van der Walt - http://slideshare.net/sensepost/strikeback
- Stopping Automated Attack Tools (2006) - Gunter Ollmann - http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
![Page 43: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/43.jpg)
3 HOW?
![Page 44: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/44.jpg)
BROWSERS HAVE TO BE FLEXIBLE
![Page 45: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/45.jpg)
THIS LEADS TO INTERPRETATION
![Page 46: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/46.jpg)
RFCS… THEY’RE MORE OF A GUIDELINE REALLY
![Page 47: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/47.jpg)
WHAT COULD POSSIBLY GO WRONG!
![Page 48: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/48.jpg)
TESTING
THE HOW OF THE THING!
![Page 49: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/49.jpg)
- Restricted research to the big 3
  - Internet Explorer
  - Chrome / Chromium
  - Firefox
![Page 50: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/50.jpg)
NO… SAFARI ISN’T IN THE TOP ~~10~~ 3
![Page 51: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/51.jpg)
OPERA JUMPED…OR WAS IT PUSHED!
![Page 52: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/52.jpg)
LYNX
THE UNREALISTIC OPTION
![Page 53: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/53.jpg)
- MITMproxy
  - Python-based
  - Simple to set up as proxy / reverse proxy
  - Script-based actions
![Page 54: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/54.jpg)
- PHP
  - Ability to set response code
  - Must be at the top of the PHP code
  - Can be added to php.ini
    - auto_prepend_file=
  - Limited by web-server (apache)
![Page 55: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/55.jpg)
- Testing browsers automatically
- Created PHP file to set status code
  - http://c22.cc/POC/respcode.php?code=XXX
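The slides describe a PHP page that answers with whatever status code the query string asks for. The following is an added example, not the talk's own respcode.php: a Python stand-in built on the standard library's http.server, so browsers and scanners can be pointed at `/respcode?code=NNN` and their handling of each code observed. The endpoint path and the names parse_code(), reason_phrase(), StatusEchoHandler and run() are this example's own.

```python
"""Added example (not the talk's PHP): GET /respcode?code=NNN answers with
HTTP status NNN and a small HTML body, for observing how a client treats
that status code."""
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

DEFAULT_CODE = 200


def parse_code(query: str) -> int:
    """Status code requested in a query string such as 'code=418'.

    Only integers a status line can carry (100-599) are accepted; anything
    else falls back to DEFAULT_CODE so the harness never emits a malformed
    status line (which would test the client's parser, not its code handling).
    """
    values = parse_qs(query).get("code", [])
    if not values:
        return DEFAULT_CODE
    try:
        code = int(values[0])
    except ValueError:
        return DEFAULT_CODE
    return code if 100 <= code <= 599 else DEFAULT_CODE


def reason_phrase(code: int) -> str:
    """Registered reason phrase when Python knows one; the slides also list
    codes with no standard phrase (250, 425, ...), which get a placeholder."""
    try:
        return HTTPStatus(code).phrase
    except ValueError:
        return "Custom Status"


class StatusEchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with the status code named in the query string."""

    def do_GET(self) -> None:
        code = parse_code(urlparse(self.path).query)
        phrase = reason_phrase(code)
        # A body is sent for every code, including 1xx/204/304, on purpose:
        # the experiment is exactly what a client does with content it has
        # been told not to expect.
        body = f"<html><body><h1>{code} {phrase}</h1></body></html>".encode()
        self.send_response(code, phrase)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run(host: str = "127.0.0.1", port: int = 8080) -> None:
    """Serve until interrupted; the default HTTP/1.0 handler closes the
    connection after each response, so a body on a 204 cannot be misread
    as the start of the next response."""
    HTTPServer((host, port), StatusEchoHandler).serve_forever()


if __name__ == "__main__":
    run()
```

Run it and point a browser at `http://127.0.0.1:8080/respcode?code=205` (or drive it with a script that walks 100-599) to reproduce the kind of table the next slides show; the talk did this behind Apache, so anything Apache would refuse to emit is worth re-checking behind your real web server rather than this harness.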
![Page 56: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/56.jpg)
BROWSERS… AND THEIR STATUS CODE HABITS
![Page 57: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/57.jpg)
Miss
![Page 58: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/58.jpg)
Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
100 X X X X d/load X X X X
101 X X X X d/load X X X X
102 X X X X d/load X X X X
200
201
202
203
204 X X X X X X X X X
205 X X X X X X
206
207
300 X
301 X X X X
302 X X X X
303 X X X X
304 X X X X X X X X X
305 X
306 X
307 X X X X
![Page 59: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/59.jpg)
Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
400 X X X X
401 X X X
402 X X X
403 X X X X
404 X X X X
405 X X X X
406 X X X X
407 X Proxy Proxy Proxy X
408 X X X X X X
409 X X X X
410 X X X X
411 X X X
412 X X X
413 X X X
424 X X X
425 X X X
426 X X X
![Page 60: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/60.jpg)
Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
500 X X X X
501 X X X X
502 X X X
503 X X X
504 X X X
505 X X X X
506 X X X
507 X X X
508 X X X
509 X X X
510 X X X
![Page 61: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/61.jpg)
![Page 62: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/62.jpg)
Browsers handle most things just like they handle a 200 OK?
![Page 63: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/63.jpg)
YEP…MOSTLY
![Page 64: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/64.jpg)
- HTML Responses
  - Almost all response codes are rendered by the browser correctly
- iFrames
  - Some special cases for IE, but other browsers handle this the same as HTML
![Page 65: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/65.jpg)
- JavaScript/CSS
  - Limited accepted status codes
  - Limited 3XX support
    - Chrome is the exception here
  - No support for 4XX/5XX codes
![Page 66: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/66.jpg)
So we know what browsers interpret differently
![Page 67: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/67.jpg)
What do all browsers have in common?
![Page 68: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/68.jpg)
- 10X code handling
  - Retries
  - Confusion
    - Chrome / IE6 try to download the page!
    - Fun on Android…
  - Timeouts
    - Eventually
![Page 69: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/69.jpg)
- 204 No Content
  - Um, no content!
- 304 Not Modified
  - Again, no content
![Page 70: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/70.jpg)
WHAT ABOUT HEADERS?
![Page 71: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/71.jpg)
Just because the RFC says a specific status code must have an associated header doesn’t mean it HAS to…
![Page 72: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/72.jpg)
- Redirection codes (301-304, 307)
  - No Location header, no redirect
- 401 Unauthorized
  - No WWW-Authenticate header, no authentication prompt
- 407 Proxy Authentication Required
  - No Proxy-Authenticate header, no prompt
![Page 73: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/73.jpg)
Just because the RFC says a specific status code shouldn’t have an associated header doesn’t mean it can’t…
![Page 74: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/74.jpg)
- 300 Multiple Choices w/ Location Header
  - Firefox/IE6 follows the redirect
  - Chrome doesn’t
- More research needed in this direction
![Page 75: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/75.jpg)
EACH BROWSER HANDLES THINGS A LITTLE DIFFERENTLY
![Page 76: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/76.jpg)
I WONDER WHAT WE CAN DO WITH THAT!
![Page 77: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/77.jpg)
![Page 78: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/78.jpg)
4 GOALS
![Page 79: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/79.jpg)
- Each browser handles things differently
- Use known conditions
  - Handled codes
  - Unhandled codes
  - Browser weirdness
![Page 80: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/80.jpg)
BROWSER FINGERPRINTING
![Page 81: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/81.jpg)
Firefox
- Doesn’t load JavaScript returned with a 300 ‘Multiple Choices’ status code
  - Other browsers tested DO (IE/Chrome)
- Request JS from server
- Respond using 300 ‘Multiple Choices’
- If JS doesn’t run in the browser - it’s FF
![Page 82: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/82.jpg)
Chrome
- Loads JavaScript returned with a 307 ‘Temporary Redirect’ status code
  - Other browsers tested DON’T (IE/FF)
- Request JS from server
- Respond with 307 ‘Temporary Redirect’
- If JS runs in the browser - it’s Chrome
![Page 83: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/83.jpg)
Internet Explorer
- Loads JavaScript returned with a 205 ‘Reset Content’ status code
  - Other browsers tested DON’T (FF/Chrome)
- Request JS from server
- Respond using 205 ‘Reset Content’
- If JS runs in the browser - it’s IE
![Page 84: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/84.jpg)
- Other options to fingerprint browsers
  - 300 Redirect (Chrome)
  - 305/306 JavaScript (Firefox)
  - 400 iFrame (Internet Explorer)
  - …
- There are probably more
![Page 85: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/85.jpg)
BROWSER FINGERPRINTING DEMO
![Page 86: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/86.jpg)
USER-AGENTS CAN BE SPOOFED
![Page 87: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/87.jpg)
BROWSER TRAITS CAN’T
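The three fingerprinting slides (300 / 307 / 205) and the point that a User-Agent header can be spoofed while the trait cannot come together in the following added example. It is not code from the talk: it is the server-side logic for serving three JavaScript probes with those status codes, collecting which ones the browser actually executed, and comparing the result with the browser the User-Agent claims. Beyond the slides, it adds a control probe served with a plain 200 so that "no probe ran at all" (JavaScript off, beacons blocked) is not mistaken for the Firefox pattern. PROBES, EXPECTED, probe_js(), probe_page(), classify(), ua_claims() and check_client() are this example's own names, and the `/probe/` and `/beacon` paths are assumptions.

```python
"""Added example, not the talk's code: server-side status-code fingerprint.
Each probe script, if the browser executes it, beacons its id back; the
set of probe ids that arrive identifies the engine."""
from typing import Dict, FrozenSet, Iterable

# Status code the server uses when answering each probe request. "ctl" is
# the control probe (plain 200) that every JavaScript-capable client runs.
PROBES: Dict[str, int] = {"ctl": 200, "p300": 300, "p307": 307, "p205": 205}

# Which probes each browser executed in the talk's testing:
#   300 Multiple Choices: Firefox refuses, IE and Chrome run it
#   307 Temporary Redirect: only Chrome runs it
#   205 Reset Content: only IE runs it
EXPECTED: Dict[str, FrozenSet[str]] = {
    "Firefox": frozenset({"ctl"}),
    "Chrome": frozenset({"ctl", "p300", "p307"}),
    "Internet Explorer": frozenset({"ctl", "p300", "p205"}),
}


def probe_js(probe_id: str) -> str:
    """Body served for /probe/<id>.js: if it runs, it reports that it ran."""
    return f'new Image().src = "/beacon?ran={probe_id}";'


def probe_page() -> str:
    """HTML the client is served first; the server answers each script src
    with the status code in PROBES instead of a plain 200."""
    tags = "\n".join(f'<script src="/probe/{p}.js"></script>' for p in PROBES)
    return f"<html><body>\n{tags}\n</body></html>"


def classify(ran: Iterable[str]) -> str:
    """Browser whose known execution pattern matches the probes that ran;
    an empty set means no probe executed, which is not a Firefox signature."""
    observed = frozenset(ran)
    for browser, pattern in EXPECTED.items():
        if observed == pattern:
            return browser
    return "unknown"


def ua_claims(user_agent: str) -> str:
    """What the User-Agent header says the client is (deliberately simple
    token matching, enough to compare against the measured trait)."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "MSIE " in user_agent or "Trident/" in user_agent:
        return "Internet Explorer"
    if "Chrome/" in user_agent:
        return "Chrome"
    return "unknown"


def check_client(user_agent: str, ran: Iterable[str]) -> Dict[str, object]:
    """Compare the claimed browser with the one the probes reveal.

    'spoofed' is only asserted when a definite trait contradicts a definite
    claim; an unknown on either side is reported, not treated as spoofing.
    """
    claimed = ua_claims(user_agent)
    observed = classify(ran)
    spoofed = "unknown" not in (claimed, observed) and claimed != observed
    return {"claimed": claimed, "observed": observed, "spoofed": spoofed}
```

Wire it up by serving probe_page() at a landing URL, answering `/probe/<id>.js` with probe_js(id) under the status code in PROBES, and recording the `ran` values that reach `/beacon` per session (a cookie or a per-page nonce in the beacon URL, not the IP, since the talk's proxy slides show that one address can front several clients). The patterns in EXPECTED are the talk's 2013 measurements of the browsers it tested; re-measure them with a status-code harness against the versions you actually see before acting on a "spoofed" verdict.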
![Page 88: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/88.jpg)
PROXY DETECTION
![Page 89: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/89.jpg)
Chrome
- Chrome handles proxy configuration differently to other browsers
  - 407 status code isn’t rendered
  - Unless an HTTP proxy is set!
- Allows us to detect if an HTTP proxy is in use
  - Just not which proxy
- Can only detect HTTP proxies ;(
![Page 90: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/90.jpg)
Chrome Proxy Detection
- Request page from server
- Respond using 407 ‘Proxy Authentication Required’
  - w/o Proxy-Authenticate header
- If Chrome responds, it’s configured to use an HTTP proxy
![Page 91: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/91.jpg)
![Page 92: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/92.jpg)
Side-Effect: Owning Proxies
- Privoxy 3.0.20 (CVE-2013-2503)
- 407 Proxy Authentication Required
  - w/ Proxy-Authenticate header
- User prompted for username/password
  - Prompt appears to be from Privoxy
- Privoxy passes username/password to remote site
- Profit???
![Page 93: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/93.jpg)
5 BRINGING IT TOGETHER
![Page 94: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/94.jpg)
What we have
- Status codes all browsers treat as content
- Status codes all browsers can’t handle
  - 10X, etc..
- Lots of browser quirks
![Page 95: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/95.jpg)
What can we do
- F*ck with things
- Screw with scanner monkeys
- Make RFC lovers cry into their beer
- Break things in general
![Page 96: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/96.jpg)
Let’s try to…
- Use what we’ve discovered to…
  - Break spidering tools
  - Cause false positives / negatives
  - Slow down attackers
    - The fun way!
  - Blocking successful exploitation
![Page 97: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/97.jpg)
BREAKING SPIDERS
![Page 98: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/98.jpg)
Simplistic view of spiders
![Page 99: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/99.jpg)
- Access target URL
- Read links / functions
- Test them out
- If true: repeat
- What is TRUE?
![Page 100: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/100.jpg)
- What happens if:
  - Every response is a 200
  - Every response is a 404 / 500
![Page 101: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/101.jpg)
200 OK
- IF 200 == True:
  - Problems!
  - Never-ending spider
![Page 102: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/102.jpg)
404 Not Found
- IF 404 == False:
  - More problems!
  - What website?
![Page 103: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/103.jpg)
500 Internal Server Error
- Skipfish != happy fish
![Page 104: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/104.jpg)
False Positives / Negatives
![Page 105: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/105.jpg)
- Most scanners use status codes
  - At least to some extent
- Initial match (prior to more costly regex)
  - Speed up detection
![Page 106: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/106.jpg)
- What happens if:
  - Every response is a 200
  - Every response is a 404 / 500
  - Every response is random*

\* Using codes that are accepted by all browsers as content
![Page 107: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/107.jpg)
Vulnerability Baseline
- w3af
  - Information: 79 points
  - Vulnerabilities: 65
  - Shells: 0 shells
  - Scan time: 1h37m23s
![Page 108: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/108.jpg)
Every response 200 OK
- No change
- All points discovered - per baseline
  - 79/65/0
- Scan time 9h56m55s
  - Lots more to check ;)
![Page 109: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/109.jpg)
Every response 404 Not Found
- Less to scan == Less to find
- False negatives
  - 44 Information points (-35)
  - 37 Vulnerabilities (-28)
- Scan time 7m13s
  - Much quicker scan
  - Fewer paths traversed
![Page 110: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/110.jpg)
Every response 500
- Server error == OMG VULN!
- False positives+++
  - 9540 Information points (+9461)
  - 9526 Vulnerabilities (+9461)
![Page 111: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/111.jpg)
Random Status Codes
- Multiple runs
- All tests produced False positives++
  - avg. 619 Information points (+540)
  - avg. 550 Vulnerabilities (+485)
- Avg. scan time 11m37s
  - Much quicker scan
![Page 112: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/112.jpg)
Random Status Codes
- Skipfish + $rand = chaos
- False Positives and False Negatives
- Scan jobs killed due to lack of resources
- Scan times
  - 1st scan time 10h3m35s
  - 2nd scan time 0h0m4s
  - 3rd scan time 16h47m41s
![Page 113: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/113.jpg)
Slowing attackers down!
![Page 114: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/114.jpg)
What does your WAF really do?
![Page 115: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/115.jpg)
- OMG Attack
- Return error (401?)
- Profit???
![Page 116: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/116.jpg)
Why?
![Page 117: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/117.jpg)
Remember that list of status codes browsers don’t handle well?
![Page 118: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/118.jpg)
Yeah well, scanners don’t usually handle them well either!
![Page 119: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/119.jpg)
Especially the 1XX codes
![Page 120: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/120.jpg)
o Remember LaBrea tarpit?
o Tom Liston, 2001 (labrea.sourceforge.net)
o Designed to slow the spread of Code Red
o Slows down scans / attackers
![Page 121: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/121.jpg)
![Page 122: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/122.jpg)
How about an HTTP Tarpit!
![Page 123: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/123.jpg)
![Page 124: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/124.jpg)
HTTP Tarpit Scenario
o WAF detects scan / attack
o Adds source IP to “naughty” list
o All responses from the server are rewritten
o 100|101|102 status codes only (random)
o 204|304 might also be useful (no content)
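The scenario above, written out as an added example (not one of the author's mitmproxy scripts): a WAF-side object that flags a scanning source, puts its IP on the naughty list, and from then on rewrites every origin response to that IP into a random 1xx (optionally 204/304) with the body stripped. The detection signatures, the class and function names, and the request/response records are assumptions made for this example; a real WAF would plug its own rules into `looks_like_scan`.

```python
import random
from dataclasses import dataclass, field

# Status-code pools from the slide: informational 1xx only, with 204/304 as
# an optional "no content" pool.
TARPIT_CODES = (100, 101, 102)
NO_CONTENT_CODES = (204, 304)
REASONS = {100: "Continue", 101: "Switching Protocols", 102: "Processing",
           204: "No Content", 304: "Not Modified"}

# Hypothetical detection signatures standing in for the WAF's own rules
# (assumed for this example): (header name, substring) or ("path", substring).
SCANNER_SIGNATURES = (
    ("user-agent", "nikto"),
    ("user-agent", "w3af"),
    ("user-agent", "skipfish"),
    ("path", "/etc/passwd"),
    ("path", "' or 1=1"),
)


@dataclass
class Request:
    client_ip: str
    path: str
    headers: dict  # header names lower-cased


@dataclass
class Response:
    status: int
    reason: str
    headers: dict
    body: bytes


@dataclass
class HttpTarpit:
    """WAF-side state: the naughty list and the code pool to answer with."""
    naughty: set = field(default_factory=set)
    use_no_content: bool = False
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def looks_like_scan(self, req: Request) -> bool:
        for where, needle in SCANNER_SIGNATURES:
            haystack = req.path if where == "path" else req.headers.get(where, "")
            if needle in haystack.lower():
                return True
        return False

    def inspect(self, req: Request) -> bool:
        """Detect the scan and put the source IP on the naughty list.
        Returns True when the request should be tarpitted."""
        if self.looks_like_scan(req):
            self.naughty.add(req.client_ip)
        return req.client_ip in self.naughty

    def rewrite(self, req: Request, upstream: Response) -> Response:
        """Every response to a listed IP becomes a random 1xx (or 204/304)
        with no body, whatever the origin server actually said."""
        if req.client_ip not in self.naughty:
            return upstream
        pool = TARPIT_CODES + (NO_CONTENT_CODES if self.use_no_content else ())
        code = self.rng.choice(pool)
        # 1xx, 204 and 304 responses carry no body, so drop it together with
        # the headers that describe one.
        headers = {k: v for k, v in upstream.headers.items()
                   if k.lower() not in ("content-length", "content-type")}
        return Response(code, REASONS[code], headers, b"")
```

Two practical points: once an IP is listed, every request from it is tarpitted, including a later benign-looking one, so a real deployment wants an expiry on the naughty list and some thought about users behind the same NAT as the scanner. The slowdown comes from clients that wait for a final response after a 1xx, so the proxy should keep the connection open rather than closing it after the interim status.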
![Page 125: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/125.jpg)
Let’s do some science!*
* Science not included
![Page 126: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/126.jpg)
Nikto vs. HTTP Tarpit
![Page 127: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/127.jpg)
              Baseline    HTTP Tarpit
Scan time     2m 18s      14h 33m 2s
Findings      18          10
![Page 128: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/128.jpg)
W3AF vs. HTTP Tarpit
![Page 129: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/129.jpg)
              Baseline    HTTP Tarpit
Scan time     1h 37m 23s  18m 10s
Findings      65          0
![Page 130: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/130.jpg)
Skipfish vs. HTTP Tarpit
![Page 131: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/131.jpg)
              Baseline                           HTTP Tarpit
Scan time     18m 10s                            5s
Findings      Low: 2519 / Med: 2522 / High: 12   Low: 0 / Med: 0 / High: 3
![Page 132: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/132.jpg)
HTTP Tarpit
o HTTP Tarpit Results*
  o Slow scans (nikto)
    o 340x as long
  o Unreliable / aborted scans (w3af / skipfish)
    o 100% less findings
* Not scientifically sound ;)
![Page 133: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/133.jpg)
Blocking successful exploitation
![Page 134: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/134.jpg)
We’ve made it hard to find the vulnerabilities
![Page 135: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/135.jpg)
We’ve made it time consuming for attackers
![Page 136: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/136.jpg)
Now let’s stop the sk1dd13s using Metasploit to pop $hells
![Page 137: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/137.jpg)
o How often does Metasploit reference status codes?
rgrep -E 'res[p|ponse]?\.code' *
846*
* Not scientifically sound ;)
![Page 138: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/138.jpg)
Lots of dependency on status codes*
* yep, even the stuff I wrote
![Page 139: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/139.jpg)
```ruby
# Typical Metasploit module pattern: anything outside 2xx aborts the exploit
if (res.code < 200 or res.code >= 300)
  case res.code
  when 401
    print_warning("Warning: The web site asked for authentication: " \
                  "#{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
  end
  fail_with(Exploit::Failure::Unknown,
            "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")
end
```
![Page 140: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/140.jpg)
No match, No shell*
* exploit dependent
![Page 141: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/141.jpg)
6 REVIEW
![Page 142: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/142.jpg)
o Using status codes to our benefit is fun
  o … and useful!
o Browsers can be quirky
o Scanners / attack toolkits are sometimes set in their ways
  o Take the easy route
  o Easy to fool
![Page 143: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/143.jpg)
o WAFs need to get more offensive about their defense
  o More than just blocking a request with a snazzy message
  o Hacking back is bad
  o Slowing down known attacks is good
  o Making life harder for skiddies is pricele$$
![Page 144: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/144.jpg)
o Current tools are much the same as APT
  o APT (Adequate Persistent Threat)
  o Only as advanced as they NEED to be
![Page 145: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/145.jpg)
Countering this research
![Page 146: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/146.jpg)
o Less reliance on status codes
o More reliance on content / headers
  o Pros
    o Better matching / intelligence
  o Cons
    o Slower? (regex)
    o More resource intensive
![Page 147: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/147.jpg)
Questions?
![Page 148: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/148.jpg)
MITMPROXY SCRIPTS AVAILABLE
GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE
![Page 149: Defense by numbers: Making problems for script kiddies](https://reader034.vdocuments.us/reader034/viewer/2022042715/55861b2ed8b42a7d428b4bfc/html5/thumbnails/149.jpg)
What doesn’t kill you, makes you smaller!