Sector 2014 
Toronto, Ontario 
Reverse Engineering a Web 
Application - For Fun, Behavior & 
WAF Detection 
Rodrigo “Sp0oKeR” Montoro 
Sucuri Security
$ whois @spookerlabs 
➢ Senior Security Administrator at Sucuri Security 
➢ Author of 2 patent pending technologies 
➢ Researcher 
➢ Open Source enthusiast 
➢ Triathlete 
➢ Dad
About Sucuri Security 
Over 50 Security Professionals Making a Safer Web 
SECURITY SCANNING & ANALYSIS 
Checking the health of over 3 million websites 
every month through our free Sitecheck Scanner: 
http://sitecheck.sucuri.net 
MALWARE CLEANUP 
Cleaning and remediating 300 – 400 
hacked or infected websites every day. 
ATTACK PROTECTION 
Blocking over 33 million attacks and 
instances of malicious traffic every month 
EDUCATION 
Providing detailed and actionable security 
information through our blog at 
http://blog.sucuri.net
A Note on the Examples 
This talk is based on WordPress / NGINX, but the 
concepts can apply to any 
Web Application / CMS.
Motivations 
➢ Trying a different approach from a regular WAF 
➢ Protecting specific content (CMS) 
➢ Malware reinfections 
➢ Fewer rules with better detection = performance 
➢ Protection against "new vulnerabilities"
Agenda 
➢ Introduction 
➢ Detection steps 
○ Reverse Engineering a CMS’s traffic 
○ Analyzing Application structure (Files / Directories) 
○ Local protection & hardening 
○ Statistical Data 
➢ Challenges 
➢ Conclusions
Introduction 
Normalizing concepts
Reverse Engineering 
“Reverse engineering is taking apart an object to 
see how it works in order to duplicate or 
enhance the object. ”
1 "equal" 2 
1 "not equal" a 
Whitelisting
Our Scope: WAF Detection 
➢ Traffic Analysis 
○ Requests 
○ Responses 
➢ Application Structure Analysis 
○ Directories 
○ Headers 
○ Files 
➢ Behavior 
○ Log correlation 
○ Application 
○ Honeypots 
REPEAT
4 Detection steps
Detection steps
Reversing Traffic
The HTTP Protocol
Traffic Analysis 
➢ Methods 
➢ URI 
➢ Parameters 
➢ Headers
Crawling the Application
GET Request
POST Request
Oh wait! Get a job from the headers...
Full Request
After basic manual analysis, a tool ... 
Sucuri Beta pcap traffic parser v0.0.1 (Matched) 
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$' 
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$' 
URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[\d\w\s]+$' 
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$' 
URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[\d\w\s]+$' 
URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[\d\w\s]+$' 
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$' 
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$' 
Sucuri Beta pcap traffic parser v0.0.1 (Not Matched) 
URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex 
URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex 
URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
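The report above is the output of Sucuri's parser; the script below is an added example, not that tool, that re-creates the idea behind it: every query parameter of a request is URL-decoded and checked against a per-application regex allowlist (the three WordPress regexes from the report, with their backslashes), and anything with no regex or a non-matching value is reported as "not matched". The request lines, the `WORDPRESS_PARAMS` table and the function names are constructed for the example.

```python
"""Whitelist-style request parameter checker.

Added example: this is not Sucuri's pcap parser, only a re-creation of the idea
shown in its output.  Each query parameter is URL-decoded and matched against a
per-application regex allowlist (the WordPress regexes from the slide).
Parameters that have no regex, or whose value does not match, are reported so
the operator can extend the allowlist or drop them.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical per-application regex database; a real one would be far larger.
WORDPRESS_PARAMS = {
    "m": re.compile(r"^\d+$"),          # archive month, e.g. m=201409
    "s": re.compile(r"^[\d\w\s]+$"),    # search string
    "page_id": re.compile(r"^\d+$"),    # page id
}

# Constructed request lines (not captured traffic), in the shape a crawl
# saved with tcpdump would yield.  The last three are outside the allowlist.
SAMPLE_REQUESTS = """\
GET /wordpress_lab_test/?m=201409 HTTP/1.1
GET /wordpress_lab_test/?s=test+2 HTTP/1.1
GET /wordpress_lab_test/?s=Sp0oKeR+Labs+Team HTTP/1.1
GET /wordpress_lab_test/?page_id=2 HTTP/1.1
GET /wordpress_lab_test/?author=1 HTTP/1.1
GET /wordpress_lab_test/?page_id=2%27 HTTP/1.1
GET /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 HTTP/1.1
"""


def check_request(request_line, params=WORDPRESS_PARAMS):
    """Split one request line and check every query parameter.

    Returns (uri, matched, unmatched); each entry is (name, decoded_value, note).
    parse_qsl decodes '+' and %xx first, which is why 's=test+2' is accepted by
    '^[\\d\\w\\s]+$': the checker sees 'test 2'.  fullmatch is used so a value
    such as '2\\n' cannot slip past the '$' anchor.
    """
    _method, uri, _version = request_line.split(" ", 2)
    matched, unmatched = [], []
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        regex = params.get(name)
        if regex is None:
            unmatched.append((name, value, "no regex for parameter"))
        elif regex.fullmatch(value):
            matched.append((name, value, regex.pattern))
        else:
            unmatched.append((name, value, "value does not match " + regex.pattern))
    return uri, matched, unmatched


def analyse(text, params=WORDPRESS_PARAMS):
    """Classify every request line: a request is 'matched' only if all of its
    parameters matched, mirroring the (Matched)/(Not Matched) report."""
    report = {"matched": [], "not_matched": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        uri, matched, unmatched = check_request(line, params)
        if unmatched:
            report["not_matched"].append((uri, unmatched))
        else:
            report["matched"].append((uri, matched))
    return report


if __name__ == "__main__":
    rep = analyse(SAMPLE_REQUESTS)
    for uri, items in rep["matched"]:
        for name, value, pattern in items:
            print("MATCHED  %s  %s=%s  regex %r" % (uri, name, value, pattern))
    for uri, items in rep["not_matched"]:
        for name, value, note in items:
            print("NOMATCH  %s  %s=%s  (%s)" % (uri, name, value, note))
```

Run against a pcap-derived list of requests in monitor mode first: every "not matched" line is either a regex missing from the database (author, ver above) or a value that an allowlist WAF would refuse (the `page_id=2'` line), which is the tuning loop the next slides describe.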
Some simple NGINX configs 
# allowlist: refuse requests whose User-Agent does not match the expected pattern 
if ($http_user_agent !~ <something>) { 
    return <status_code>; 
} 
# blocklist: refuse requests whose query string matches a known-bad pattern 
if ($query_string ~ <something>) { 
    return <status_code>; 
} 
# allowlist: refuse URIs outside the expected set 
if ($request_uri !~ <something>) { 
    return <status_code>; 
} 
# allowlist: refuse methods the application never uses 
if ($request_method !~ <something>) { 
    return <status_code>; 
} 
# allowlist: refuse cookies that do not have the application's format 
if ($http_cookie !~ <something>) { 
    return <status_code>; 
}
What’s wrong here?
What about here?
Summary of Flow Parsing
But ...
Something could go wrong … 
[Detection flow diagram with the stages Traffic Analysis; Analyzing Application Structure / Local Hardening; Monitoring; Counter Intelligence / Statistical Data] 
[Ways the flow can fail: Bypass rules; Credentials stolen; Cookie hijack; Bad administrator] 
[Fallback stages: Analyzing Application Structure / Local Hardening; Monitoring]
Analyzing Application Structure 
(Files / Directories)
File Structure 
➢ Files 
➢ Directories 
➢ Permissions 
➢ Monitoring
WordPress Tarball 
Lots of files … 
index.php 
wp-activate.php 
wp-admin/ 
wp-blog-header.php 
wp-comments-post.php 
wp-config.php 
wp-content/ 
wp-cron.php 
wp-includes/ 
wp-load.php 
wp-login.php 
wp-mail.php 
wp-settings.php 
wp-trackback.php 
xmlrpc.php
The Basic WP Structure 
➢ config files & installation files 
➢ Administration directories (/wp-admin/) 
➢ Core files (/wp-includes/) 
➢ Themes, plugins, uploads … (/wp-content/) 
➢ xmlrpc.php
xmlrpc.php 
➢ Comments (Spammers) 
➢ PingBacks (DDoS Attacks) 
➢ User-Auth (wp.getUsersBlogs) (Brute Force) 
Some fun, redirect to a honeypot 
<IfModule mod_alias.c> 
Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php 
</IfModule>
XMLRPC Login Attempt
Brute forcing
Pingback 
$ curl -D - "www.anywordpresssite.com/xmlrpc.php" \
  -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
/wp-admin/ “Access”
Restriction Samples 
Apache (.htaccess), per directory: 
/uploads/ 
Options -Indexes 
<Files *.php> 
deny from all 
</Files> 
/wp-admin/ 
<Files *> 
order allow,deny 
deny from all 
allow from 1.2.3.4 
</Files> 
<Files xmlrpc.php> 
order deny,allow 
deny from all 
</Files> 
/wp-includes/ 
<Files *.php> 
deny from all 
</Files> 
/wp-content/ 
<Files *.php> 
deny from all 
</Files> 
/ 
<Files *.txt> 
deny from all 
</Files> 
<Files *.log> 
deny from all 
</Files> 
NGINX: 
location ~* ^/wp-content/uploads/.*\.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ { 
types { } 
default_type text/plain; 
} 
location ~* wp-admin/includes { deny all; } 
location ~* wp-includes/theme-compat/ { deny all; } 
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; } 
location /wp-includes/ { internal; }
Local protection, monitoring 
& hardening
Mitigating Attack Surface
Realtime Monitoring w/ OSSEC 
<localfile> 
<log_format>apache</log_format> 
<location>/var/log/httpd/access_log</location> 
</localfile> 
<!-- Frequency that syscheck is executed - set to every 4 hours --> 
<frequency>14400</frequency> 
<!-- Directories to check (perform all possible verifications) --> 
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories> 
<directories realtime="yes" check_all="yes">/bin,/sbin</directories> 
<directories realtime="yes" report_changes="yes" 
restrict=".htaccess|.php|.html|.js">/var/www/html/</directories> 
<alert_new_files>yes</alert_new_files> 
<scan_on_start>no</scan_on_start> 
<auto_ignore>no</auto_ignore> 
<alert_new_files>yes</alert_new_files>
Threshold ideas 
➢ Too many 404s 
➢ GET per time same IP Source 
➢ POST per time same IP Source
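The three threshold ideas above, worked through as an added example (not Sucuri's or OSSEC's code): a sliding-window counter per source IP that raises one alert the first time its count of 404s, GETs or POSTs inside the window reaches a limit. The log lines are constructed in Apache combined format with RFC 5737 test addresses, and the limits in `THRESHOLDS` are hypothetical tuning values.

```python
"""Per-source threshold alerts over an Apache access log.

Added example, not Sucuri's or OSSEC's code: it implements the three slide
ideas (too many 404s, too many GETs and too many POSTs from one source IP in a
time window) as sliding-window counters.  The log lines are constructed samples
in Apache combined format; thresholds are hypothetical tuning values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

# kind -> (max events, window length in seconds); hypothetical values
THRESHOLDS = {"404": (5, 60), "GET": (20, 60), "POST": (5, 60)}


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "uri": m.group("uri"), "status": int(m.group("status"))}


def detect(lines, thresholds=THRESHOLDS):
    """Return one alert per (ip, kind) the first time its window count reaches
    the limit.  Lines are assumed to be in chronological order, as a tail of
    the log would deliver them."""
    windows = defaultdict(deque)   # (ip, kind) -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kinds = [ev["method"]] if ev["method"] in thresholds else []
        if ev["status"] == 404:
            kinds.append("404")
        for kind in kinds:
            limit, window = thresholds[kind]
            key = (ev["ip"], kind)
            q = windows[key]
            q.append(ev["ts"])
            cutoff = ev["ts"] - timedelta(seconds=window)
            while q and q[0] < cutoff:     # drop events that fell out of the window
                q.popleft()
            if len(q) >= limit and key not in alerted:
                alerted.add(key)
                alerts.append({"ip": ev["ip"], "kind": kind, "count": len(q),
                               "window_s": window, "last": ev["ts"].isoformat()})
    return alerts


def make_sample_log():
    """Constructed log: a wp-login.php POST burst, a scanner collecting 404s on
    plugin readme files, and a normal visitor.  Addresses are RFC 5737 test ranges."""
    base = datetime(2014, 9, 12, 14, 12, 0, tzinfo=timezone.utc)
    entries = []

    def add(ip, secs, method, uri, status):
        stamp = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        entries.append((secs, '%s - - [%s] "%s %s HTTP/1.0" %d 512'
                        % (ip, stamp, method, uri, status)))

    for i in range(6):
        add("203.0.113.9", i * 5, "POST", "/wp-login.php", 200)
    for i in range(6):
        add("198.51.100.7", 2 + i * 4, "GET", "/wp-content/plugins/p%d/readme.txt" % i, 404)
    for i in range(3):
        add("192.0.2.5", 10 + i * 15, "GET", "/?page_id=2", 200)
    return [line for _secs, line in sorted(entries)]


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

Only the two bursts produce alerts; the visitor's three GETs stay well under the GET limit. In practice the POST limit on /wp-login.php and xmlrpc.php can be much lower than a site-wide GET limit, and the "404" window is what turns a plugin-enumeration scan into a single actionable event instead of a stream of log lines.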
Special File Permissions ( bit paranoid =) ) 
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php 
spooker@spookerhome:/tmp/wordpress$ cat test.php 
Malware Content 
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php 
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php 
spooker@spookerhome:/tmp/wordpress$ lsattr test.php 
----i--------e-- test.php 
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php 
bash: test.php: Permission denied 
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php 
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php 
spooker@spookerhome:/tmp/wordpress$ 
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created 
to this file and no data can be written to the file. Only the superuser or a process possessing the 
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
Statistical Data
… where false positives become good 
information =) 
A Unique Place...
Counter Intelligence 
➢ Behavior 
➢ Alerts 
➢ New trends 
➢ Honeypots / New Attacks
Behavior: How you look at problems 
User-Agent: Something ABCD WXYZ 
User-Agent: My UA with ABCD PBC 
User-Agent: ABCD is a malicious
GEO IP Block: Top Attack Countries
Top Methods
HTTP Version 1.0
Quick history (Spambot Stealrat) 
Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
In summary...
The Challenges 
➢ Bad code 
➢ Themes 
➢ Plugins (33.5K+) 
➢ Languages
Looking to the Future 
➢ Integration with SCAP (Security Content 
Automation Protocol) checks 
➢ Create an open-source tool to match traffic against regexes 
○ Database of regexes per Application 
➢ Build a rule set for CMS (WordPress, 
Joomla, Drupal, vBulletin, Magento …) 
under OWASP Projects
Rodrigo “Sp0oKeR” Montoro 
rodrigo.montoro@sucuri.net 
@spookerlabs / @sucuri_security 
http://blog.sucuri.net 
http://www.sucuri.net 
Contact

Editor's Notes

  1. Regex splunk material
  2. When crawling remember to simulate a regular user =) Burp to spider and tcpdump saving pcap
  3. Many thousands of ways to modify a variable, why not check if there is only one way and so drop the rest? Comment about HTTP version Referer Number of headers
  4. Pwd as blacklisted most common password POST won't cache info Comment about HTTP version Referer User-Agent (talk about size) Number of headers
  5. Non-matching traffic will be dropped when deploying but we could deploy after some tuning in monitor mode. Save regular traffic to the site and TEST against our parser. Customer could send a pcap with traffic so we could tune rules for them beforehand.
  6. Comment about if problems Talk about POST methods
  7. Comment about default bypass, cookie hijack or regular stolen user/pass
  8. remember to talk about Gregg CMS 101 talk that looks into readme, changelog to detect versions
  9. Besides protecting some files, those protections will make your directories/files not accessible if infected. Advantage of nginx protection: it's harder to hack the nginx file
  10. No 100% security. What to do if protection fails and the attacker has local access?
  11. Talk about CMS hacking 101 Changing 404.php file using admin interface
  12. Talk about CMS 101 AppSec hacking
  13. 19 bytes
  14. Most of our blocks are made by GEOIP
  15. Comment about default bypass, cookie hijack or regular stolen user/pass