Reverse Engineering a Web Application - For Fun, Behavior and Detection
- 1. SecTor 2014
Toronto, Ontario
Reverse Engineering a Web
Application - For Fun, Behavior &
WAF Detection
Rodrigo “Sp0oKeR” Montoro
Sucuri Security
- 2. $ whois @spookerlabs
➢ Senior Security Administrator at Sucuri
Security
➢ Author of 2 patent pending technologies
➢ Researcher
➢ Open Source enthusiast
➢ Triathlete
➢ Dad
- 3. About Sucuri Security
Over 50 Security Professionals Making a Safer Web
SECURITY SCANNING & ANALYSIS
Checking the health of over 3 million websites
every month through our free Sitecheck scanner:
http://sitecheck.sucuri.net
MALWARE CLEANUP
Cleaning and remediating 300 – 400
hacked or infected websites every day.
ATTACK PROTECTION
Blocking over 33 million attacks and
instances of malicious traffic every month
EDUCATION
Providing detailed and actionable security
information through our blog at
http://blog.sucuri.net
- 4. A Note on the Examples
This talk is based on WordPress / NGINX, but the
concepts can apply to any
Web Application / CMS.
- 5. Motivations
➢ Trying a different approach than a regular WAF
➢ Protect specific content (CMS)
➢ Malware reinfections
➢ Fewer rules with better detection = performance
➢ Protection against "new vulnerabilities"
- 6. Agenda
➢ Introduction
➢ Detection steps
○ Reverse Engineering a CMS’s traffic
○ Analyzing Application structure (Files / Directories)
○ Local protection & hardening
○ Statistical Data
➢ Challenges
➢ Conclusions
- 10. Our Scope: WAF Detection
➢ Traffic Analysis
○ Requests
○ Responses
➢ Application Structure Analysis
○ Directories
○ Headers
○ Files
➢ Behavior
○ Log correlation
○ Application
○ Honeypots
REPEAT
- 21. After basic manual analysis, a tool ...
Sucuri Beta pcap traffic parser v0.0.1 (Matched)
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
Sucuri Beta pcap traffic parser v0.0.1 (Not Matched)
URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex
URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex
URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
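The whitelist matcher behind output like the above, written here as an added example (it is not Sucuri's parser): each query parameter is URL-decoded and must match one of the regexes learned from the site's normal traffic; anything else lands in the "Not Matched" bucket for review. The regex list and the sample URIs are taken from the slide; the decoding step and the report format are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Whitelist of query-string shapes seen in the lab site's normal traffic
# (the three regexes the parser output above reports).
ALLOWED = [re.compile(p) for p in (r"m=\d+$", r"s=[\d\w\s]+$", r"page_id=\d+$")]

def classify(uri, allowed=ALLOWED):
    """Return (matched, report_line) for one request URI.

    Each key=value pair is URL-decoded ('+' becomes a space, as in a browser
    search) and must match one whitelist regex; the request counts as matched
    only if every parameter does. No query string means nothing to check.
    """
    parts = urlsplit(uri)
    if not parts.query:
        return True, f"URI: {uri} has no parameters"
    pairs = [unquote_plus(p) for p in parts.query.split("&")]
    hits = []
    for pair in pairs:
        rx = next((r for r in allowed if r.match(pair)), None)
        if rx is None:
            return False, f"URI: {uri} with parameter(s) {' '.join(pairs)} didn't match any regex"
        hits.append(f"parameter {pair} matched regex '{rx.pattern}'")
    return True, f"URI: {uri} with " + ", ".join(hits)

def split_traffic(uris, allowed=ALLOWED):
    """Bucket report lines into (matched, not_matched), as the parser output does."""
    matched, not_matched = [], []
    for uri in uris:
        ok, line = classify(uri, allowed)
        (matched if ok else not_matched).append(line)
    return matched, not_matched

# Constructed sample: the URIs shown in the parser output above.
SAMPLE_URIS = [
    "/wordpress_lab_test/?m=201409",
    "/wordpress_lab_test/?s=Sp0oKeR+Labs+Team",
    "/wordpress_lab_test/?page_id=2",
    "/wordpress_lab_test/?author=1",
    "/wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0",
]

if __name__ == "__main__":
    for bucket, lines in zip(("Matched", "Not Matched"), split_traffic(SAMPLE_URIS)):
        print(f"Sucuri-style parser ({bucket})")
        print("\n".join(lines))
```

Running the block in monitor mode first (log the "Not Matched" bucket, block nothing) is how the regex list gets tuned before any rule returns a status code.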
- 22. Some simple NGINX configs
if ($http_user_agent !~ <something>) {
    return <status_code>;
}
if ($query_string ~ <something>) {
    return <status_code>;
}
if ($request_uri !~ <something>) {
    return <status_code>;
}
if ($request_method !~ <something>) {
    return <status_code>;
}
if ($http_cookie !~ <something>) {
    return <status_code>;
}
- 27. Something could go wrong …
Detection flow (diagram): Counter Intelligence / Statistical Data, Traffic Analysis, Analyzing Application Structure / Local Hardening, Monitoring
What can get past the flow: Bypass rules, Credentials stolen, Cookie hijack, Bad administrator
Analyzing Application Structure / Local Hardening and Monitoring are shown again after these failure cases
- 30. WordPress Tarball
Lots of files …
index.php
wp-activate.php
wp-admin/
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-content/
wp-cron.php
wp-includes/
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-trackback.php
xmlrpc.php
- 31. The Basic WP Structure
➢ config files & installation files
➢ Administration directories (/wp-admin/)
➢ Core files (/wp-includes/)
➢ Themes, plugins, uploads … (/wp-content/)
➢ xmlrpc.php
- 32. xmlrpc.php
➢ Comments (Spammers)
➢ PingBacks (DDoS Attacks)
➢ User-Auth (wp.getUsersBlogs) (Brute Force)
Some fun, redirect to a honeypot
<IfModule mod_alias.c>
Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php
</IfModule>
- 35. Pingback
$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
- 37. Restriction Samples
/uploads/
Options -Indexes
<Files *.php>
deny from all
</Files>
/wp-admin/
<Files *>
order allow,deny
deny from all
allow from 1.2.3.4
</Files>
<Files xmlrpc.php>
order Deny,Allow
deny from all
</Files>
/wp-includes/
<Files *.php>
deny from all
</Files>
/wp-content/
<Files *.php>
deny from all
</Files>
/
<Files *.txt>
deny from all
</Files>
<Files *.log>
deny from all
</Files>
location ~* ^/wp-content/uploads/.*\.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ {
types { }
default_type text/plain;
}
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
location /wp-includes/ { internal; }
- 40. Realtime Monitoring w/ OSSEC
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>
<!-- Frequency that syscheck is executed - set to every 4 hours -->
<frequency>14400</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes"
restrict=".htaccess|.php|.html|.js">/var/www/html/</directories>
<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>
- 41. Threshold ideas
➢ Too many 404
➢ GET per time same IP Source
➢ POST per time same IP Source
- 42. Special File Permissions ( bit paranoid =) )
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
spooker@spookerhome:/tmp/wordpress$ cat test.php
Malware Content
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$ lsattr test.php
----i--------e-- test.php
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
bash: test.php: Permission denied
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created
to this file and no data can be written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
- 44. … where false positives become good
information =)
A Unique Place...
- 46. Behavior: How you look at problems
User-Agent: Something ABCD WXYZ
User-Agent: My UA with ABCD PBC
User-Agent: ABCD is a malicious
- 53. Looking to the Future
➢ Integration with SCAP (Security Content
Automation Protocol) checks
➢ Create an OpenSource tool to regex traffic
○ Database of regexes per Application
➢ Build a rule set for CMS (WordPress,
Joomla, Drupal, vBulletin, Magento …)
under OWASP Projects
- 54. Rodrigo “Sp0oKeR” Montoro
rodrigo.montoro@sucuri.net
@spookerlabs / @sucuri_security
http://blog.sucuri.net
http://www.sucuri.net
Contact
Editor's Notes
- Regex splunk material
- When crawling, remember to simulate a regular user =)
Burp to spider and tcpdump saving pcap
- Many thousands of ways to modify a variable; why not check for only one way and drop the rest?
Comment about HTTP version
Referer
Number of headers
- Pwd as blacklisted most common password
POST won't cache info
Comment about HTTP version
Referer
User-Agent (talk about size)
Number of headers
- Non-matching traffic will be dropped when deploying, but we could deploy after some tuning in monitor mode
Save regular traffic to the site and TEST it against our parser.
Customers could send a pcap with traffic so we could pre-tune rules for them.
- Comment about if problems
Talk about POST methods
- Comment about default bypass, cookie hijack or regular stolen user/pass
- remember to talk about Gregg CMS 101 talk that looks into readme, changelog to detect versions
- Besides protecting some files, those protections will make your directories/files not accessible if infected.
Advantage of nginx protection: it's harder to hack the nginx config file
- No 100% security
What to do if protection fails and the attacker has local access?
- Talk about CMS hacking 101
Changing 404.php file using admin interface
- Talk about CMS 101 AppSec hacking
- 19 bytes
- Most of our blocks are made by GEOIP
- Comment about default bypass, cookie hijack or regular stolen user/pass