A Rojak of Singapore Web Exploits



Ryan Baxendale – OWASP Singapore

14th November 2012

Who Am I?

I am Ryan

I live in Singapore

Security Consultant at Security-Assessment.com

I find bugs in web applications and hack things


Today's rojak includes bugs in

1. Microsoft SharePoint (Top10-A6-Security Misconfiguration)

2. Administrative Interfaces (Top10-A6-Security Misconfiguration)

3. JavaScript Encryption (Top10-A3-Broken Authentication)

4. “Too” Factor Authentication (Top10-A3-Broken Authentication)

5. Password Reset (XSRF + Horrible password reset)

6. 2 Requests Are Better Than 1 (WAF Bypass)

Microsoft SharePoint

Intranet content management and document management

SharePoint can be used to … intranet portals, document & file management, collaboration, social networks, extranets, websites, enterprise search, and business …

The 'Publishing' feature can be used to manage a larger public website

You might not know that site xyz is running on SharePoint


Microsoft SharePoint

Find additional functionality through the SharePoint site

Try all the default or well-known SharePoint pages:

…

Nice list from Stach&Liu – SharePoint Hacking Diggity Project

Also try to look for the admin web interface on a high port, although it is probably not available over the internet due to the firewall


Microsoft SharePoint

Upload your own page, edit pages

Screenshot callouts: the user that created and modified this …; links to internal team sites and other confidential things; create a new page, edit a …

Microsoft SharePoint

Find the list of user accounts, guess passwords, get access

Screenshot callouts: all the site content, pages, things that should not be seen by the public, etc; “I want to hack this account”; this is the list of users from Active Directory

Microsoft SharePoint

Don’t have internal or confidential information on external-facing SharePoint sites

Firewall the admin port

ACL to block external IP addresses from accessing SharePoint pages

Administrative Interfaces

Manage web applications and content on web servers

Admin interfaces let you run your own web …

OWASP states the following objectives:

Administrator level functions are appropriately segregated from user activity

Users cannot access or utilize administrator …

(boring..) Provide necessary audit and traceability of administrative functionality

Administrative Interfaces

Links to …

… if you need help haxx0ring

Usually on port 8080 (Apache Tomcat)

Try default usernames and passwords (tomcat:tomcat, admin:tomcat, both:tomcat, manager:tomcat, etc)

Administrative Interfaces

Create a metasploit payload WAR file and upload it


Administrative Interfaces

HTTP Methods (WebDAV)

PUT – Put a file on the server, a web shell perhaps?

DELETE – Delete a file

INDEX – List the files

PROPFIND – Find files, discover backup files

IIS 6.0: WebDAV by default only supports static Web pages, not dynamic pages (ASP)

Administrative Interfaces

Generate metasploit payload

Fix the payload

Upload with Cadaver

Run the payload


Administrative Interfaces

Guess usernames and passwords with hydra/medusa, then “PUT” a web shell

Password-protected WebDAV methods

Nobody knew that the server had this functionality, so nobody changed the password

Administrative Interfaces

Find WebDAV enabled servers with metasploit

Administrative Interfaces

Don’t let users connect to admin interfaces

Firewall rules


JavaScript Encryption

JavaScript runs on the client side (browser)

<script> ... JavaScript ... </script>

JavaScript debuggers: Firebug (Firefox), Chrome developer tools, Internet Explorer

View source

JavaScript Encryption

Client: “We don’t use SSL/TLS because we have encrypted passwords”

Implemented in JavaScript

Takes the first character of the username/password, e.g. ‘a’, and changes it to ‘23’

Separates characters with ‘0’

‘admin’ gets sent as ‘2305060340560’: ‘a’ = 23, ‘d’ = 5, ‘m’ = 6...

“admin”… Seems like the password starts with “admin” too..
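The scheme the slide describes, reimplemented as an added example (not the site's script or code from the talk) to show why it is not encryption: the substitution table is the only “key” and it ships inside the <script>, so the mapping is deterministic, reversible by anyone who reads the page, and keeps a shared prefix visible, such as a password that starts with the username. The table covers only the five letters the slide gives, and the split-on-‘0’ decoding assumes no code contains a ‘0’, which the slide's example satisfies.

```python
# Added example, not the site's script: the keyless substitution the slide
# describes. Only the five letter codes the slide gives are known; the table
# is otherwise hypothetical. Decoding assumes no code contains the '0'
# separator (true for the slide's example).
CODES = {"a": "23", "d": "5", "m": "6", "i": "34", "n": "56"}
LETTERS = {code: letter for letter, code in CODES.items()}  # inverse table


def js_style_encode(text: str) -> str:
    """Substitute each character and follow it with the '0' separator."""
    return "".join(CODES[c] + "0" for c in text)


def js_style_decode(wire: str) -> str:
    """Inverting needs no secret: the table is what the <script> ships."""
    return "".join(LETTERS[code] for code in wire.split("0") if code)


def shared_prefix_len(a: str, b: str) -> int:
    """Per-character substitution with no key or nonce keeps equal
    plaintext prefixes visible as equal 'ciphertext' prefixes."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n
```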

JavaScript Encryption

I broke your JavaScript encryption with a l33t BlackHat HaXx0r tool called...

Microsoft Excel

JavaScript Encryption

JavaScript with public/private key encryption

Hey ;) Here’s my public key

User: AsianGirl2012 / Password: ChickenRice1
  -- Encrypt( Public Key , Credentials ) -->
User: J#^ZML@)*FMA& / Password: acE($2mvT$^m!fG      ??? Where is the chicken rice?
  -- Decrypt( Private Key , Credentials ) -->
User: AsianGirl2012 / Password: ChickenRice1

JavaScript Encryption

A substitution cipher is not encryption

JavaScript makes secret keys visible to the user

Use public/private key encryption in JavaScript

“Too” Factor Authentication

Two-factor authentication requires the use of two of the three authentication factors:

Something the user knows (password, PIN);

Something the user has (ATM card, smart card); and

Something the user is (biometric characteristic, such as a fingerprint)

Most of the time it ends up being knows (password) and has …

“Too” factor authentication is...

“Too” Factor Authentication

Screenshots: first login/signup for “Too” factor authentication; login with “Too” factor




Screenshot callout: verbose error message and step-by-step authentication

“Too” Factor Authentication

Find a list of common names for the typical customers

Burp Intruder: send every name as the username, look at the response

Now we know all the …

Continue by doing the same thing on the next step of this broken …

“Too” Factor Authentication

But wait there’s more…

“Too” Factor Authentication

Some things are just not the same

2FA is a combination of two: know, have, is

Password Reset

Password reset: typically an admin function to change a user’s password to a randomly generated password and securely transmit the new password to the …

A typical reset password page for a user asks for email/username, maybe a secret question, and sends a unique password reset link to the email address

A typical change password page asks for old password, new password, confirm your new password

Password Reset

Once upon a time a lazy developer needed to create a reset password page

“Let’s just take the change password page and make a few changes”

Great idea!... for pen testers

If a typical change password page takes username (from session), old password, new password and confirmed new password as input...

Creating a password reset page would only need the following input: username and new password

Password Reset

Password reset page accepted the following:

Hidden input, useraccount set to administrator – because we are the admin, right?

Hidden input, oldPassword set to administrator

Set Password and confirmpasswd to the new password

Set userID to the victim’s username

Let’s get access to the admin account with Cross Site Request Forgery (XSRF/CSRF)

Create an image tag with a request to change the password:

…ministrator&CALLER=" />

Password Reset

To get it working:

Admin needs to view a page with the CSRF img tag

Must be logged into the application in the same web …

Possible ways to share your img tag: web forum, profile signature, create a note with HTML editor (tinymce), send a personal message

You get to log in as Administrator with password4444
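The reset page the slides describe beside a change-password handler that an img tag cannot drive, as an added example rather than the application's own code; the session shape, the origin https://app.example, the field names of the hardened form and the stored passwords are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory state (hypothetical; not the application from the
# talk). Passwords are stored in clear only to keep the demo short.
PASSWORDS = {"administrator": "oldpass", "alice": "alicepass"}
SITE = "https://app.example"   # hypothetical origin of the application


def lazy_reset(params: dict) -> str:
    """The reset page the slides describe: identity and old password come
    from hidden form fields, nothing ties the request to a session, and a
    GET is accepted, so an <img src=...> on any page can trigger it."""
    if params.get("Password") != params.get("confirmpasswd"):
        return "mismatch"
    PASSWORDS[params["userID"]] = params["Password"]
    return "changed"


def new_session(username: str) -> dict:
    """A server-side session carrying the identity and a CSRF token."""
    return {"user": username, "csrf": secrets.token_hex(16)}


def hardened_change(method: str, session, params: dict, origin) -> str:
    """Identity comes from the session, never from the form; the change is
    POST-only, the CSRF token must match, a cross-site Origin is refused,
    and the current password is required."""
    if method != "POST" or session is None:
        return "rejected"
    if origin is not None and origin != SITE:
        return "rejected"                       # forged from another site
    if not hmac.compare_digest(params.get("csrf", ""), session["csrf"]):
        return "rejected"                       # token missing or wrong
    user = session["user"]                      # any 'userID' field is ignored
    if not hmac.compare_digest(params.get("old", ""), PASSWORDS[user]):
        return "rejected"
    if params.get("new") != params.get("confirm"):
        return "mismatch"
    PASSWORDS[user] = params["new"]
    return "changed"
```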

Password Reset

Don’t be a lazy developer

2 Requests Are Better Than 1

One day I was testing a web application

It gets tested often, and by lots of different people/companies

So at this point it’s one of the most boring (secure) applications a pen tester can come across

2 Requests Are Better Than 1

I found a directory traversal bug: request /app/test../../../ and I get a directory listing

This wasn’t too interesting because I could only see the directory listing, but never access those files or folders

Something strange was going on...

2 Requests Are Better Than 1

Then using Burp Intruder with a list of common files and folders (such as the dirBuster wordlist)

Found /app/test../../../console

2 Requests Are Better Than 1

This bug was only in the UAT environment

I need to get this bug working in production

There's a web application firewall (WAF) that looks at all the requests and decides if they should be forwarded on to the web server

So how do we trick the WAF into forwarding anything?

But the client has a WAF, so they’re safe, right?...

2 Requests Are Better Than 1

There’s a strange bug in a few web servers

“… Reports indicate that Microsoft IIS 5.0 truncates requests that contain a body of greater than 48 KB in length. After 49152 bytes of a request body are handled, IIS terminates the request and starts to parse a new request.” (1)

“… There appears to be a bug … strangely, IIS/5.0 silently truncates the body after 48K (49,152 bytes) … we can smuggle a request in the last x bytes of the body.” (2)

“If the size of the request exceeds a particular threshold (by default, 48 KB), then the ISAPI or CGI code to which the request is directed needs to be aware of chunked-transfer encoding to process the request correctly.” (3)

(1) - www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21219

(2) - www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

(3) - hostingadministration.blogspot.sg/2008/01/urlscan-security-tool-faq.html

2 Requests Are Better Than 1

A basic HTTP POST request before smuggling:

POST /crosstraining/aboutyou2.php HTTP/1.1
Host: www.webscantest.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.webscantest.com/crosstraining/aboutyou2.php
Cookie: SESSIONID_VULN_SITE=4vdvho53o3vk9tjr94lks786q3
Content-Type: application/x-www-form-urlencoded
Content-Length: 84


2 Requests Are Better Than 1

The idea is to send one big evil request, and a normal request directly after it

The big evil request has to be more than 48 KB

We have to include what we need to send (parameters etc), then fill the rest of the space with garbage

POST /test../../../console/adminlogin.jsp HTTP/1.1
Host: ….
Content-length: 49152

ThisIs48kbOfGarbage ThisIs48kbOfGarbage ThisIs48kbOfGarbage

GET /happy.nice.users.normal.page.jsp HTTP/1.1

2 Requests Are Better Than 1

48 KB in bytes is 49152. The first request must be larger than 48 KB, and the Content-Length must be larger than 48 KB

Screenshot callouts:

Uncheck “Update Content-Length”: we want to manually specify that it’s a bit more than 48 KB

This is our malicious request

Now we fill the request with 48 KB of garbage -----------------------(snip)------------------------

This is our “normal” request that returns 404, but allows us to get our “evil” request to the web server
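Detection logic for the truncation bug quoted above, as an added example (not the talk's code or any vendor's): it flags a request whose declared Content-Length runs past the 48 KB point and whose body carries a second request line at exactly that offset, which is the disagreement between a front end that honours Content-Length and an IIS 5.0 back end that stops reading there. The sample request, its filler and the host name are constructed.

```python
import re

THRESHOLD = 49152   # 48 KB: where IIS 5.0 stops reading a body, per the slides
REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PROPFIND) \S+ HTTP/1\.[01]\r?\n")


def parse_head(raw: bytes):
    """Split a raw request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_smuggled_request(raw: bytes, threshold: int = THRESHOLD):
    """Return the request line hidden past the truncation point, or None.
    A front end honouring Content-Length treats the whole declared body as
    one request; a back end that stops reading at `threshold` parses what
    follows as a fresh request. A proxy or WAF can reject that disagreement
    instead of forwarding it."""
    _, headers, body = parse_head(raw)
    declared = int(headers.get(b"content-length", b"0"))
    if declared <= threshold:
        return None                       # nothing gets re-parsed
    tail = body[threshold:declared]       # bytes only the back end re-reads
    match = REQUEST_LINE.match(tail)
    return match.group(0).strip() if match else None


def build_sample(second: bytes, filler: bytes = b"ThisIs48kbOfGarbage ") -> bytes:
    """Constructed sample shaped like the slide: an oversized POST whose
    declared body is 48 KB of filler followed by a second request."""
    padding = (filler * (THRESHOLD // len(filler) + 1))[:THRESHOLD]
    body = padding + second
    return (b"POST /normal/page.jsp HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
```

A legitimately large upload with the same Content-Length but no request line at byte 49152 is left alone, so the check separates the desync from ordinary big POSTs.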

2 Requests Are Better Than 1

Response from the server: as if we sent a normal request

Probably using IIS 5 or 6 with custom ISAPI filters, or an appliance such as CheckPoint FW-1 with “Web Intelligence”

Now let’s log in

2 Requests Are Better Than 1

Screenshot callouts: username and password to …; login error: wrong user and password; Burp Intruder to the …; brute force the password for admin

2 Requests Are Better Than 1

Let’s deploy our own web app and get shell :D

2 Requests Are Better Than 1

Don’t rely on a web app firewall (WAF) to fix web app vulnerabilities

Fix the code

Microsoft SharePoint

Keep internal and external sites separate

Administrative Interfaces

Don’t let users connect to them, change default passwords

JavaScript Encryption

Don’t use your own encryption, use public/private key crypto

“Too” Factor Authentication

Remove verbosity from error messages, find out what 2FA is

Password Reset

Don’t be a lazy developer

2 Requests Are Better Than 1

A web app firewall (WAF) doesn’t fix broken code, fix the code

Questions? Comments?

Invite more people to OWASP meetings

Sign up and be active on the OWASP Singapore mailing …

Hacker? Think you can hack? Got talent?

We are hiring!