Caro2012 attack large-modern_web_applications

Caro2012 report
Attack on large modern web applications
Vladimir Vorontsov, ONsec, Russia
Munich, May 14-15, 2012


  1. Attacks on large modern Web Applications. CARO2012, Munich, Germany, 15/05/2012
  2. Author bio
     Vladimir Vorontsov, @d0znpp, d0znpp@onsec.ru
     • Has been engaged in research in the field of web application security (since 2004);
     • Founder and security expert of the ONsec company (since 2009);
     • Nowadays: development of self-learning systems for the detection of attacks on web applications and heuristic analysis.
  3. Web Applications: what is large?
     • > 1000 unique visitors per day
     • > 4 subdomains
     • 1+ internal network
     • Distributed architecture (BE+FE+DB)
     • Commercial advantage
  4. Web Applications: what is modern?
     • Cross-browser markup
     • AJAX used
     • HTML5
     • External web services used
     • API generally provided (SOAP or REST)
  5. Web Applications: typical case
     • Social network
     • News portal
     • Job search portal
     • Internet auction
     • Big online store
     • Professional portal
     • Enterprise portals
     (statistics from 100+ webapps since 2009)
  6. Web Applications: typical architecture (diagram: the load balancer forwards HTTP requests to the app servers and returns their responses; the app servers send SQL requests to the DB servers)
  7. Attack #1. Denial of Service
     It is possible to take down a web application with 5-10 specially crafted HTTP requests.
     • Not the same as DDoS attacks
     • Based on vulnerabilities
     • Doesn't require a large number of bots
     • Doesn't require a large number of requests
     • Requires vulnerabilities in the web application
     83% of webapps are vulnerable
  8. DoS #1.1 App servers under attack. Architecture of the attack (diagram: a special HTTP request sent through the load balancer makes app server #1 time out, then app server #2, and so on until nothing is left; the DB server is shown but not involved)
  9. DoS #1.1 App servers under attack. Vulnerability statistics (chart)
  10. DoS #1.2 DB servers under attack. Architecture of the attack (diagram: as in DoS #1.1, but the app servers pass the special request on as SQL requests to the DB server, which times out; the app servers then time out in turn, and so on until nothing is left)
  11. DoS #1.2 DB servers under attack. Vulnerability statistics (chart)
  12. Attack #2. Infrastructure attack
      Find and exploit vulnerabilities in the webapp infrastructure
      • Network scan (IP range)
      • Subdomain scan
      73% of webapps were exploited through infrastructure attacks
  13. Typical subdomains (chart)
  14. Infrastructure attack. Example from the wild (diagram of hosts: example.com, svn.example.com, beta.example.com, svn.beta.example.com)
      1. Find subdomains
      2. 403 Forbidden at beta
      3. X-Forwarded-From header bruteforced
      4. Find a vuln in beta
      5. Exploit beta's vuln, gain a webshell
      6. Observe the beta server, find an SVN password
      7. Backdoored code at svn.beta
      8. Daily release gains a backdoor at the host domain
      9. Profit
  15. References between subdomains. crossdomain.xml:
      • Policy configuration file used by both Adobe Flash and MS Silverlight
      • Used to configure the Same Origin Policy in browsers
      • May be used by an attacker to get page content from a subdomain's page.
  16. X-Crosser. Tool for scanning cross-refs
      Subdomain scanner:
      • Wordlist bruteforce
      • DNS reverse-lookup (IP scan)
      • Service discovery (port list)
      • Find records in crossdomain.xml, robots.txt
      Crossdomain analyzer:
      • Collect all crossdomain.xml files
      • Analyze references between subdomains and draw them (graphviz)
      Will be published soon as an open-source tool
  17. X-Crosser. Tool for scanning cross-refs (screenshot)
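The crossdomain analyzer step of slide 16, as an added example that is not the X-Crosser tool or the talk's own code: it parses a set of collected crossdomain.xml files, builds the cross-reference edges as graphviz input, and flags the grants that let an origin outside the site's control read a host's pages. The two hosts and their policy files are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample crossdomain.xml files for two hypothetical hosts (not real sites).
POLICIES = {
    "www.example.com": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net" secure="false"/>
</cross-domain-policy>""",
    "beta.example.com": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>""",
}

def parse_policy(xml_text):
    """(domain, secure) grants of one policy; secure defaults to true."""
    root = ET.fromstring(xml_text)
    return [(el.get("domain", ""), el.get("secure", "true").lower() != "false")
            for el in root.findall("allow-access-from")]

def cross_refs(policies):
    """host -> grants: the edges between subdomains that the analyzer draws."""
    return {host: parse_policy(xml) for host, xml in policies.items()}

def to_dot(policies):
    """Graphviz digraph; an edge  origin -> host  means origin may read host's pages."""
    lines = ["digraph crossdomain {"]
    for host, grants in cross_refs(policies).items():
        lines += ['  "%s" -> "%s";' % (domain, host) for domain, _ in grants]
    return "\n".join(lines + ["}"])

def risky_grants(policies):
    """Grants that hand page content to an origin the site does not control:
    a global wildcard, a wildcard over every subdomain (one XSS anywhere under
    the parent domain then suffices) or secure="false" (plain-http origins)."""
    findings = []
    for host, grants in cross_refs(policies).items():
        for domain, secure in grants:
            if domain == "*":
                findings.append((host, domain, "any-origin-can-read"))
            elif domain.startswith("*."):
                findings.append((host, domain, "any-subdomain-can-read"))
            if not secure:
                findings.append((host, domain, "http-origins-allowed"))
    return findings
```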
  18. Subdomains and cookie management
      RFC 6265, April 2011: cookies are set for all subdomains together
      Now an XSS at a subdomain is as dangerous as one at the host domain
      Only 3% of webapps use HttpOnly cookies
  19. Attack #3. SSRF: Server Side Request Forgery
      • Like CSRF, but on the server side
      • Allows making requests into the internal (protected) network
      • May be reached through many types of vulns:
        • Any include (LFI / RFI)
        • Any read (LFR / RFR)
        • XXE
        • etc.
  20. SSRF: example from the wild
      • Yandex is the leading internet company in Russia, operating the most popular search engine and the most visited website
      • The competition "Yandex's Month of Security Bugs" was held in November 2011
      • A vuln called "Mass XXE in Yandex's services" won 1st place and a $5000 prize
  21. SSRF: example from the wild
      • Classic XXE for local file reading:
        <!DOCTYPE test [ <!ENTITY asd SYSTEM '/etc/passwd' > ]>
      • XXE for SSRF (port scan):
        <!DOCTYPE test [ <!ENTITY asd SYSTEM 'http://intN1:22' > ]>
      • XXE for SSRF (read internal network page):
        <!DOCTYPE test [ <!ENTITY asd SYSTEM 'http://wiki.local/budget/' > ]>
      • XXE for SSRF (read internal network page):
        <!DOCTYPE test [ <!ENTITY asd SYSTEM 'ldap://exim.local/?O=*' > ]>
  22. SSRF: attack architecture (diagram: the special HTTP request enters through the load balancer to app server #1; from there the SSRF request can be aimed four ways (ways #1-#4) at app server #N, the back-ends, a protected internal resource (i.e. wiki) and an external resource, with the SSRF response flowing back to the attacker)
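A server-side screen for the XXE payloads on slide 21, as an added example that is not from the talk: before an inbound XML body reaches a real parser, it rejects any DOCTYPE (disabling DTDs is what closes XXE) and classifies each external entity's system identifier as a local file read, an SSRF port scan, an SSRF HTTP fetch or an SSRF over another scheme, so the security log distinguishes the four cases from the slide. The request bodies are constructed after the slide's payloads; host names such as intN1, wiki.local and exim.local are the slide's placeholders.

```python
import re
from urllib.parse import urlsplit

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "fpi" "uri">.
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?P<name>[\w.:-]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s*
        (?P<q>["'])(?P<uri>.*?)(?P=q)""",
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)

# Constructed request bodies modelled on the slide's four payloads plus a benign one.
SAMPLE_BODIES = {
    "file": "<!DOCTYPE test [ <!ENTITY asd SYSTEM '/etc/passwd' > ]><test>&asd;</test>",
    "portscan": "<!DOCTYPE test [ <!ENTITY asd SYSTEM 'http://intN1:22' > ]><test>&asd;</test>",
    "wiki": "<!DOCTYPE test [ <!ENTITY asd SYSTEM 'http://wiki.local/budget/' > ]><test>&asd;</test>",
    "ldap": "<!DOCTYPE test [ <!ENTITY asd SYSTEM 'ldap://exim.local/?O=*' > ]><test>&asd;</test>",
    "benign": "<test>hello</test>",
}

def classify_uri(uri):
    """Map an entity's system identifier to the attack class named on the slide."""
    parts = urlsplit(uri.strip())
    if parts.scheme in ("", "file"):
        return "local-file-read"
    if parts.scheme in ("http", "https"):
        try:
            port = parts.port          # ValueError on a malformed port
        except ValueError:
            port = None
        # an explicit non-web port (http://host:22) is the port-scan pattern
        if port not in (None, 80, 443):
            return "ssrf-portscan"
        return "ssrf-http"             # page fetch; internal vs. external needs the host list
    return "ssrf-" + parts.scheme      # ldap://, gopher://, ftp:// ...

def screen_xml_body(body):
    """Return (allowed, findings). Policy: any DOCTYPE is rejected before the
    body reaches a real parser; findings list each external entity as
    (name, uri, class) for the security log."""
    if re.search(r"<!DOCTYPE", body, re.IGNORECASE) is None:
        return True, []
    findings = [(m.group("name"), m.group("uri"), classify_uri(m.group("uri")))
                for m in ENTITY_RE.finditer(body)]
    return False, findings
```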
  23. ??? CARO2012, Munich, Germany, 15/05/2012. @d0znpp, d0znpp@onsec.ru
