Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Defense	
  by	
  Numb3r5	
  
	
  
Making	
  problems	
  for	
  script	
  k1dd13s	
  
and	
  scanner	
  monkeys	
  
@ChrisJ...
“THE	
  WISEST	
  MAN,	
  IS	
  HE	
  
WHO	
  KNOWS,	
  THAT	
  HE	
  
KNOWS	
  NOTHING”	
  
	
  
	
  
SOCRATES:	
  APOLOG...
This	
  talk	
  contains:	
  
	
  - Numbers
- Bad Jokes
- Traces of peanuts
- Did I mention numbers?
	
  	
  
TL	
  ;DR	
  
Goals	
  for	
  this	
  talk	
  
Describe	
  the	
  
defensive	
  uses	
  of	
  
HTTP	
  status	
  codes	
  
1)  What	
  
2)  Why	
  
3)  How	
  
4)  Goals	
  
5)  Bringing	
  it	
  together	
  
6)  Review	
  
#1	
  
]	
  [	
  WHAT ?
HTTP	
  STATUS	
  CODES	
  
Seems	
  like	
  such	
  a	
  	
  
Small	
  detail	
  
…	
  small	
  detail,	
  
big	
  impact	
  
HTTP	
  Status	
  Codes	
  
§  Majority	
  part	
  of	
  RFC	
  2616	
  (HTTP/1.1)	
  
§  5	
  main	
  classes	
  of	
  ...
HTTP	
  Status	
  Codes	
  
§  Proposed	
  RFC*	
  for	
  7XX	
  codes	
  
§  Examples:	
  
§  701	
  Meh	
  
§  719	
...
BASICS	
  
AKA:	
  THE	
  BORING	
  THEORY	
  BIT	
  
#1.1	
  
1XX	
  Informaeonal	
  
§  Indicates	
  response	
  received	
  
§  Processing	
  is	
  not	
  yet	
  completed	
  
§  ...
2XX	
  Success	
  
§  Indicates	
  response	
  received	
  
§  Processed	
  and	
  understood	
  
§  200	
  OK	
  
§  ...
2XX	
  Success	
  (cont.)	
  
§  205	
  Reset	
  Content	
  
§  206	
  Pareal	
  Content	
  
§  207	
  Mule-­‐Status	
 ...
3XX	
  Redireceon	
  
§  Aceon	
  required	
  to	
  complete	
  request	
  
§  300	
  Muleple	
  Choices	
  
§  301	
  ...
3XX	
  Redireceon	
  (cont.)	
  
§  305	
  Use	
  Proxy	
  
§  306	
  Switch	
  Proxy	
  (unused)	
  
§  307	
  Tempora...
4XX	
  Client	
  Error	
  
§  Client	
  caused	
  an	
  error	
  
§  400	
  Bad	
  Request	
  
§  401	
  Unauthorized	
...
4XX	
  Client	
  Error	
  (cont.)	
  
§  406	
  Not	
  Accessible	
  
§  407	
  Proxy	
  Authenecaeon	
  Required	
  
§...
4XX	
  Client	
  Error	
  (cont.)	
  
§  412	
  Precondieon	
  Failed	
  
§  413	
  Request	
  Enety	
  Too	
  Large	
  ...
4XX	
  Client	
  Error	
  (cont.)	
  
§  419	
  /	
  420	
  /	
  421	
  Unused	
  
§  422	
  Unprocessable	
  Enety	
  (...
4XX	
  Client	
  Error	
  (cont.)	
  
Codes	
  not	
  supported	
  by	
  Apache	
  
§  428	
  Precondieon	
  Required	
  ...
5XX	
  Server	
  Error	
  
§  Server	
  error	
  occurred	
  
§  500	
  Internal	
  Server	
  Error	
  
§  501	
  Not	
...
5XX	
  Server	
  Error	
  (cont.)	
  
§  506	
  Variant	
  Also	
  Negoeates	
  (RFC	
  2295)	
  
§  507	
  Insufficient	
...
OMG	
  Enough	
  with	
  
the	
  numb3rs	
  
already!!!!	
  
#2	
  
]	
  [	
  WHY?
It	
  started	
  as	
  a	
  simple	
  idea…	
  
?	
  
?	
  
?	
  
…	
  and	
  started	
  to	
  think	
  
SCREW	
  WITH	
  
SCANNERS	
  
…	
  AND	
  SCRIPT	
  
K1DD13S	
  
THAT	
  SOUNDS	
  
LIKE	
  FUN!	
  
@thegrugq	
  26	
  Feb	
  2013	
  
@thegrugq	
  26	
  Feb	
  2013	
  
INCREASE	
  
ATTACKER	
  COSTS	
  
$	
  $	
  
$	
  
WASTE	
  
ATTACKER	
  TIME	
  
-­‐  When	
  the	
  tables	
  turn	
  (2004)	
  	
  
-­‐  Roelof	
  Temmingh,	
  Haroon	
  Meer,	
  Charl	
  van	
  der	
 ...
-­‐  mod-­‐security	
  mailing	
  list	
  (2006)	
  	
  
-­‐  Status	
  Code	
  503	
  together	
  w/	
  Retry-­‐Aoer	
  h...
#3	
  
]	
  [	
  HOW?
BROWSERS	
  HAVE	
  
TO	
  BE	
  FLEXIBLE	
  
THIS	
  LEADS	
  TO	
  
INTERPRETATION	
  
…	
  which	
  leads	
  to	
  the	
  dark-­‐side	
  
RFCS…	
  	
  
THEY’RE	
  MORE	
  OF	
  A	
  
GUIDELINE	
  REALLY	
  
WHAT COULD POSSIBLY GO
WRONG!
TESTING	
  
THE	
  HOW	
  OF	
  THE	
  THING!	
  
#3.1	
  
§  Restricted	
  research	
  to	
  the	
  big	
  3	
  
§  Internet	
  Explorer	
  
§  Chrome	
  /	
  Chromium	
  
§  F...
NO…	
  SAFARI	
  ISN’T	
  
IN	
  THE	
  TOP	
  10	
  3	
  
OPERA	
  JUMPED…	
  
…or	
  was	
  it	
  pushed?	
  
LYNX	
  
THE	
  UNREALISTIC	
  OPTION	
  
§  MITMproxy	
  /	
  MITMdump	
  
§  Python-­‐based	
  
§  Simple	
  to	
  setup	
  proxy	
  /	
  reverse	
  proxy	
  
...
§  PHP	
  
§  Ability	
  to	
  set	
  response	
  code	
  
§  Must	
  be	
  at	
  the	
  top	
  of	
  the	
  PHP	
  cod...
§  Teseng	
  browsers	
  automaecally	
  
§  Created	
  PHP	
  file	
  to	
  set	
  status	
  code	
  
§  h]p://c22.cc/P...
BROWSERS	
  
…	
  AND	
  THEIR	
  STATUS	
  CODE	
  HABITS	
  
#3.2	
  
Miss
Browsers	
  handle	
  
most	
  things	
  just	
  like	
  
they	
  handle	
  a	
  
200	
  OK?	
  
YEP…	
  MOSTLY	
  
§  HTML	
  Responses	
  
§  Almost	
  all	
  response	
  codes	
  are	
  rendered	
  
by	
  the	
  browser	
  correctly	...
§  JavaScript/CSS	
  
§  Limited	
  accepted	
  status	
  codes	
  
§  Limited	
  3XX	
  support	
  
§  Chrome	
  is	
...
So	
  we	
  know	
  
what	
  browsers	
  
interpret	
  
differently	
  
What	
  do	
  
browsers	
  have	
  
in	
  common?	
  
§  1XX	
  code	
  handling	
  
§  Retries	
  
§  Confusion	
  
§  Chrome	
  /	
  IE6	
  try	
  to	
  download	
  the	
...
§  204	
  No	
  Content	
  
§  Um,	
  no	
  content!	
  
§  304	
  Not	
  Modified	
  
§  Again,	
  no	
  content	
  re...
WHAT	
  ABOUT	
  
HEADERS?	
  
#3.3	
  
Just	
  because	
  the	
  RFC	
  says	
  
a	
  specific	
  status	
  code	
  
must	
  have	
  an	
  associated	
  
header…	...
…doesn’t	
  mean	
  
it	
  HAS	
  to	
  
§  Redireceon	
  codes	
  (301-­‐304,	
  307)	
  
§  No	
  Locaeon	
  header,	
  no	
  redirect	
  
§  401	
  Unauthori...
Just	
  because	
  the	
  RFC	
  says	
  
a	
  specific	
  status	
  code	
  
shouldn’t	
  have	
  an	
  
associated	
  hea...
…doesn’t	
  mean	
  
it	
  can’t	
  
§  300	
  Muleple	
  Choices	
  w/	
  Locaeon	
  Header	
  
§  Firefox	
  /	
  IE6	
  follows	
  the	
  redirect	
  
§ ...
EACH	
  BROWSER	
  
HANDLES	
  THINGS	
  A	
  
LITTLE	
  DIFFERENTLY	
  
I	
  WONDER	
  WHAT	
  
WE	
  CAN	
  DO	
  
WITH	
  THAT!	
  
#4	
  
]	
  [	
  GOALS
§  Each	
  browser	
  handles	
  things	
  differently	
  
§  Use	
  known	
  condieons	
  
§  Handled	
  codes	
  
§  ...
BROWSER	
  
FINGERPRINTING	
  
#4.1	
  
§  Doesn’t	
  load	
  JavaScript	
  returned	
  with	
  a	
  300	
  
‘Muleple	
  Choices’	
  status	
  code	
  
§  Other...
§  Loads	
  JavaScript	
  returned	
  with	
  a	
  307	
  
‘Temporary	
  Redirect’	
  status	
  code	
  
§  Other	
  bro...
§  Loads	
  JavaScript	
  returned	
  with	
  a	
  205	
  ‘Reset	
  
Content’	
  status	
  code	
  
§  Other	
  browsers...
BROWSER	
  
FINGERPRINTING	
  
DEMO	
  
§  Other	
  opeons	
  to	
  fingerprint	
  browsers	
  
§  300	
  Redirect	
  (Chrome)	
  
§  305	
  /	
  306	
  JavaScr...
USER-­‐AGENTS	
  
CAN	
  BE	
  
SPOOFED	
  
BROWSER	
  
TRAITS	
  CAN’T	
  
PROXY	
  
DETECTION	
  
#4.2	
  
§  Chrome	
  handles	
  proxy	
  config	
  differently	
  
§  407	
  status	
  code	
  isn’t	
  rendered	
  	
  
§  Unles...
§  Request	
  page	
  from	
  server	
  
§  Response	
  Status:	
  407	
  Proxy	
  Authenecaeon	
  
§  w/o	
  Proxy-­‐A...
§  Privoxy	
  3.0.20	
  (CVE-­‐2013-­‐2503)	
  
§  407	
  Proxy	
  Authenecaeon	
  Required	
  
§  w/	
  Proxy-­‐Authen...
§  Not	
  just	
  Privoxy	
  that’s	
  effected	
  
§  Any	
  transparent	
  proxy	
  
§  e.g.	
  Burp,	
  ZAP,	
  …	
  ...
#5	
  
]	
  [	
  BRINGINGITALL
TOGETHER
What	
  we	
  have	
  
§  Status	
  codes	
  all	
  browsers	
  treat	
  as	
  content	
  
§  Status	
  codes	
  all	
  ...
What	
  can	
  we	
  do	
  
§  F*ck	
  with	
  things	
  
§  Screw	
  with	
  scanner	
  monkeys	
  
§  Make	
  RFC	
  ...
Let’s	
  try	
  to…	
  
§  Use	
  what	
  we’ve	
  discovered	
  to…	
  
§  Break	
  spidering	
  tools	
  
§  Cause	
 ...
BREAKING	
  
SPIDERS	
  
#5.1	
  
Simplisec	
  view	
  
of	
  spiders	
  
§  Access	
  target	
  URL	
  
§  Read	
  links	
  /	
  funceons	
  
§  Test	
  them	
  out	
  
§  If	
  true:	
  cone...
§  What	
  happens	
  if:	
  
§  Every	
  response	
  is	
  
§  200	
  OK	
  
§  404	
  Not	
  Found	
  
§  500	
  In...
200	
  OK	
  
§  IF	
  200	
  ==	
  True:	
  
§  Problems!	
  
§  Never-­‐ending	
  spider	
  
404	
  Not	
  Found	
  
§  IF	
  404	
  ==	
  False:	
  
§  What	
  website?	
  
500	
  Internal	
  Server	
  Error	
  
§  Skipfish	
  !=	
  happy	
  fish	
  
False	
  
Posieves	
  /
Negaeves	
  
#5.2	
  
§  Most	
  scanners	
  use	
  status	
  codes	
  
§  At	
  least	
  to	
  some	
  extent	
  
§  Inieal	
  match	
  (pri...
§  What	
  happens	
  if:	
  
§  Every	
  response	
  is	
  
§  200	
  OK	
  
§  404	
  Not	
  Found	
  
§  500	
  In...
Vulnerability	
  Baseline	
  
§  w3af	
  
§  Informaeon	
  Points	
  à	
  79	
  
§  Vulnerabiliees	
  à	
  65	
  
§ ...
Every	
  response	
  200	
  OK	
  
§  No	
  change	
  in	
  discoveries	
  
§  All	
  points	
  discovered	
  -­‐	
  per...
Every	
  response	
  404	
  Not	
  Found	
  
§  Less	
  to	
  scan	
  ==	
  Less	
  to	
  find	
  
§  False	
  negaeves	
...
Every	
  response	
  500	
  
§  Server	
  Error	
  ==	
  OMG	
  VULN	
  SANDWICH!	
  
§  False	
  posieves+++	
  
§  95...
Random	
  Status	
  Codes	
  
§  Muleple	
  test	
  runs	
  
§  All	
  tests	
  produced	
  False	
  posieves++	
  
§  ...
Random	
  Status	
  Codes	
  
§  Skipfish	
  +	
  $random_status	
  =	
  chaos	
  
§  False	
  Posieves	
  +	
  False	
  ...
Slowing	
  
a]ackers	
  
down!	
  
#5.3	
  
What	
  does	
  
your	
  WAF	
  
really	
  do?	
  
§  OMG	
  A]ack	
  
§  Block	
  /	
  Return	
  error	
  
§  403,	
  500,	
  …	
  
§  Profit???	
  
Why?	
  
Remember	
  that	
  list	
  
of	
  status	
  codes	
  
browsers	
  don’t	
  
handle	
  well?	
  
Yeah	
  well,	
  scanners	
  
don’t	
  usually	
  handle	
  
them	
  well	
  either!	
  
Especially	
  the	
  
1XX	
  codes	
  
§  Remember	
  LaBrea	
  tarpit?	
  
§  Tim	
  Liston	
  2001	
  *	
  
§  Designed	
  to	
  slow	
  spread	
  of	
  Cod...
How	
  about	
  an	
  
HTTP	
  Tarpit!	
  
HTTP	
  Tarpit	
  Scenario	
  
§  WAF	
  detects	
  scan	
  /	
  a]ack	
  
§  Adds	
  source	
  IP	
  to	
  “naughty”	
 ...
Let’s	
  do	
  
some	
  
science!*	
  
*	
  Science	
  not	
  included	
  
vs.	
  the	
  HTTP	
  TARPIT	
  
NIKTO	
  
Baseline	
   HTTP	
  Tarpit	
  
Scan	
  eme	
  
2m	
  18s	
  
Findings	
  
18	
  
14h	
  33m	
  2s	
  
10	
  
vs.	
  the	
  HTTP	
  TARPIT	
  
W3AF	
  
Baseline	
   HTTP	
  Tarpit	
  
Scan	
  eme	
  
1h	
  37m	
  23s	
  
Findings	
  
65	
  
18m	
  10s	
  
0	
  
vs.	
  the	
  HTTP	
  TARPIT	
  
SKIPFISH	
  
Baseline	
   HTTP	
  Tarpit	
  
Scan	
  eme	
  
18m	
  10s	
  
Findings	
  
Low:	
  2519	
  
Med:	
  2522	
  
High:	
  12	...
vs.	
  the	
  HTTP	
  TARPIT	
  
ACUNETIX	
  
Baseline	
   HTTP	
  Tarpit	
  
Scan	
  eme	
  
1h	
  19m	
  
Findings	
  
Info:	
  1104	
  
Low:	
  30	
  
Med:	
  32	
  ...
HTTP	
  Tarpit	
  Results	
  
§  HTTP	
  Tarpit	
  Results	
  *	
  
§  Slow	
  down	
  scans	
  
§  Nikto:	
  340x	
  a...
Blocking	
  
successful	
  
exploitae0n	
  
#5.4	
  
We’ve	
  made	
  it	
  
hard	
  to	
  find	
  the	
  
vulnerabiliees	
  
We’ve	
  made	
  it	
  
Ome	
  consuming	
  
for	
  a]ackers	
  
Now	
  let’s	
  stop	
  the	
  
sk1dd13s	
  using	
  
Metasploit	
  to	
  pop	
  
$hells	
  
Q:	
  How	
  ooen	
  does	
  Metasploit	
  reference	
  
status	
  codes?	
  
	
  
	
  rgrep	
  -­‐E	
  'res[p|ponse]?.cod...
Lots	
  of	
  
dependency	
  on	
  
status	
  codes*	
  
*	
  yep,	
  even	
  the	
  stuff	
  I	
  wrote	
  
  	
  if	
  (res.code	
  <	
  200	
  or	
  res.code	
  >=	
  300)	
  
	
   	
   	
  case	
  res.code	
  
	
   	
   	
  whe...
No	
  match,	
  
No	
  shell*	
  
*	
  exploit	
  dependent	
  
#6	
  
]	
  [	
  REVIEW
§  Using	
  status	
  codes	
  to	
  our	
  benefit	
  is	
  fun	
  
§  …	
  and	
  useful!	
  
§  Browsers	
  can	
  be...
§  WAFs	
  need	
  to	
  get	
  more	
  offensive	
  about	
  
their	
  defense	
  
§  More	
  than	
  just	
  blocking	
...
§  Current	
  tools	
  are	
  much	
  the	
  same	
  as	
  APT	
  
§  APT	
  (Adequate	
  Persistent	
  Threat)	
  
§  ...
…because	
  screwing	
  
with	
  sk1dd13s	
  
is	
  fun!	
  
Implementaeon	
  
#6.1	
  
§  PHP	
  (the	
  lowest	
  common	
  denominator)	
  
§  auto-­‐prepend-­‐file	
  
§  Limited	
  to	
  resources	
  PHP...
§  Usable	
  implementaeon	
  
§  Nginx	
  as	
  reverse	
  proxy	
  
§  Requires:	
  ngx_lua	
  
§  ngx.status	
  =	
...
§  Ease	
  adopeon	
  
§  Implement	
  into	
  mod-­‐security	
  
§  Not	
  a	
  simple	
  task	
  
§  Already	
  been...
Countering	
  
this	
  research	
  
#6.2	
  
§  Less	
  reliance	
  on	
  status	
  codes	
  
§  More	
  reliance	
  on	
  content	
  /	
  headers	
  
§  Pros 	
  	...
Queseons?	
  
 
CODE	
  /	
  SCRIPTS	
  AVAILABLE	
  
	
  
HTTP://GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE	
  
Thanks	
  for	
  coming	
  
	
  
h]p://blog.c22.cc	
  
@ChrisJohnRiley	
  	
  	
  	
  contact@c22.cc	
  
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
Upcoming SlideShare
Loading in …5
×

of

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 1 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 2 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 3 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 4 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 5 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 6 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 7 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 8 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 9 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 10 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 11 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 12 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 13 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 14 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 15 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 16 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 17 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 18 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 19 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 20 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 21 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 22 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 23 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 24 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 25 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 26 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 27 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 28 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 29 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 30 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 31 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 32 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 33 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 34 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 35 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 36 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 37 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 38 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 39 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 40 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 41 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 42 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 43 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 44 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 45 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 46 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 47 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 48 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 49 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 50 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 51 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 52 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 53 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 54 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 55 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 56 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 57 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 58 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 59 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 60 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 61 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 62 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 63 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 64 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 65 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 66 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 67 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 68 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 69 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 70 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 71 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 72 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 73 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 74 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 75 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 76 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 77 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 78 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 79 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 80 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 81 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 82 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 83 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 84 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 85 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 86 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 87 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 88 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 89 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 90 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 91 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 92 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 93 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 94 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 95 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 96 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 97 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 98 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 99 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 100 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 101 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 102 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 103 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 104 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 105 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 106 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 107 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 108 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 109 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 110 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 111 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 112 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 113 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 114 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 115 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 116 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 117 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 118 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 119 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 120 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 121 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 122 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 123 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 124 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 125 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 126 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 127 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 128 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 129 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 130 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 131 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 132 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 133 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 134 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 135 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 136 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 137 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 138 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 139 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 140 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 141 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 142 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 143 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 144 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 145 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 146 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 147 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 148 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 149 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 150 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 151 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 152 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 153 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 154 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 155 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 156 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 157 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 158 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 159 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 160 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 161 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 162 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 163 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 164 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 165 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 166 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 167 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 168 Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys Slide 169
Upcoming SlideShare
Productos de ANT
Next
Download to read offline and view in fullscreen.

4 Likes

Share

Download to read offline

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

Download to read offline

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

DEF CON 21 (2013)

On the surface most common browsers look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the shiny surface however, the way specific user agents handle traffic varies in a number of interesting and unique ways. This variation allows for defenders to play games with attackers and scripted attacks in a way that most normal users will never even see.

This talk will attempt to show that differences in how different user agents handle web server responses (specifically status codes) can be used to improve the defensive posture of modern web applications while causing headaches for the average script kiddy or scanner monkey!

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

  1. 1. Defense  by  Numb3r5     Making  problems  for  script  k1dd13s   and  scanner  monkeys   @ChrisJohnRiley  
  2. 2. “THE  WISEST  MAN,  IS  HE   WHO  KNOWS,  THAT  HE   KNOWS  NOTHING”       SOCRATES:  APOLOGY,  21D  
  3. 3. This  talk  contains:    - Numbers - Bad Jokes - Traces of peanuts - Did I mention numbers?    
  4. 4. TL  ;DR  
  5. 5. Goals  for  this  talk   Describe  the   defensive  uses  of   HTTP  status  codes  
  6. 6. 1)  What   2)  Why   3)  How   4)  Goals   5)  Bringing  it  together   6)  Review  
  7. 7. #1   ]  [  WHAT ?
  8. 8. HTTP  STATUS  CODES  
  9. 9. Seems  like  such  a     Small  detail  
  10. 10. …  small  detail,   big  impact  
  11. 11. HTTP  Status  Codes   §  Majority  part  of  RFC  2616  (HTTP/1.1)   §  5  main  classes  of  response   §  1XX  informaOonal   §  2XX  success   §  3XX  redirecOon   §  4XX  client  error   §  5XX  server  error  
  12. 12. HTTP  Status  Codes   §  Proposed  RFC*  for  7XX  codes   §  Examples:   §  701  Meh   §  719  I  am  not  a  teapot   §  721  Known  unknowns   §  722  Unknown  unknowns   §  732  Fucking  Unic☐de   *  h]ps://github.com/joho/7XX-­‐rfc  
  13. 13. BASICS   AKA:  THE  BORING  THEORY  BIT   #1.1  
  14. 14. 1XX  Informaeonal   §  Indicates  response  received   §  Processing  is  not  yet  completed   §  100  Conenue   §  101  Switching  Protocols   §  102  Processing  (WebDAV  RFC  2518)  
  15. 15. 2XX  Success   §  Indicates  response  received   §  Processed  and  understood   §  200  OK   §  201  Created   §  202  Accepted   §  203  Non-­‐Authoritaeve  Informaeon   §  204  No  Content  
  16. 16. 2XX  Success  (cont.)   §  205  Reset  Content   §  206  Pareal  Content   §  207  Mule-­‐Status  (WebDAV  RFC  4918)   Codes  not  supported  by  Apache   §  208  Already  Reported   §  226  IM  Used   §  250  Low  on  Storage  Space  
  17. 17. 3XX  Redireceon   §  Aceon  required  to  complete  request   §  300  Muleple  Choices   §  301  Moved  Permanently   §  302  Found  (Moved  Temporarily)   §  303  See  Other   §  304  Not  Modified  
  18. 18. 3XX  Redireceon  (cont.)   §  305  Use  Proxy   §  306  Switch  Proxy  (unused)   §  307  Temporary  Redirect   Codes  not  supported  by  Apache   §  308  Permanent  Redirect  
  19. 19. 4XX  Client  Error   §  Client  caused  an  error   §  400  Bad  Request   §  401  Unauthorized   §  402  Payment  Required   §  403  Forbidden   §  404  Not  Found   §  405  Method  Not  Allowed  
  20. 20. 4XX  Client  Error  (cont.)   §  406  Not  Accessible   §  407  Proxy  Authenecaeon  Required   §  408  Request  Timeout   §  409  Conflict   §  410  Gone   §  411  Length  Required  
  21. 21. 4XX  Client  Error  (cont.)   §  412  Precondieon  Failed   §  413  Request  Enety  Too  Large   §  414  Request-­‐URI  Too  Long   §  415  Unsupported  Media  Type   §  416  Request  Range  Not  Saesfiable   §  417  Expectaeon  Failed   §  418  I’m  a  Teapot  (IETF  April  Fools  RFC  2324)  
  22. 22. 4XX  Client  Error  (cont.)   §  419  /  420  /  421  Unused   §  422  Unprocessable  Enety  (RFC  4918)   §  423  Locked  (RFC  4918)   §  424  Failed  Dependency  (RFC  4918)   §  425  No  Code  /  Unordered  Colleceon   §  426  Upgrade  Required  (RFC  2817)  
  23. 23. 4XX  Client  Error  (cont.)   Codes  not  supported  by  Apache   §  428  Precondieon  Required   §  429  Too  Many  Requests   §  431  Request  Header  Fields  Too  Large   §  444  No  Response  (NGINX)   §  449  Retry  With  (Microsoo)   §  450  Blocked  by  Win.  Parental  Controls   §  451  Unavailable  For  Legal  Reasons   §  494  Request  Header  Too  Large  (NGINX)   §  495  Cert  Error  (NGINX)   §  496  No  Cert  (NGINX)   §  497  HTTP  to  HTTPS  (NGINX)   §  499  Client  Closed  Request  (NGINX)  
  24. 24. 5XX  Server  Error   §  Server  error  occurred   §  500  Internal  Server  Error   §  501  Not  Implemented   §  502  Bad  Gateway   §  503  Service  Unavailable   §  504  Gateway  Timeout   §  505  HTTP  Version  Not  supported  
  25. 25. 5XX  Server  Error  (cont.)   §  506  Variant  Also  Negoeates  (RFC  2295)   §  507  Insufficient  Storage  (WebDAV  RFC  4918)   §  508  Loop  Detected  (WebDAV  RFC  5842)   §  509  Bandwidth  Limit  Exceeded  (apache  ext.)     §  510  Not  Extended  (RFC  2274)   Codes  not  supported  by  Apache   §  511  Network  Authenecaeon  Required  (RFC  6585)   §  550  Permission  Denied   §  598  Network  Read  Timeout  Error  (Microsoo  Proxy)   §  599  Network  Conneceon  Timeout  Error  (Microsoo  Proxy)  
  26. 26. OMG  Enough  with   the  numb3rs   already!!!!  
  27. 27. #2   ]  [  WHY?
  28. 28. It  started  as  a  simple  idea…  
  29. 29. ?   ?   ?   …  and  started  to  think  
  30. 30. SCREW  WITH   SCANNERS  
  31. 31. …  AND  SCRIPT   K1DD13S  
  32. 32. THAT  SOUNDS   LIKE  FUN!  
  33. 33. @thegrugq  26  Feb  2013  
  34. 34. @thegrugq  26  Feb  2013  
  35. 35. INCREASE   ATTACKER  COSTS   $  $   $  
  36. 36. WASTE   ATTACKER  TIME  
  37. 37. -­‐  When  the  tables  turn  (2004)     -­‐  Roelof  Temmingh,  Haroon  Meer,  Charl  van  der  Walt   -­‐  h]p://slideshare.net/sensepost/strikeback   -­‐  Stopping  Automated  A]ack  Tools  (2006)   -­‐  Gunter  Ollmann   -­‐  h]p://www.technicalinfo.net/papers/ StoppingAutomatedA]ackTools.html     Prior  Art  
  38. 38. -­‐  mod-­‐security  mailing  list  (2006)     -­‐  Status  Code  503  together  w/  Retry-­‐Aoer  header   -­‐  Ryan  BarneW   -­‐  h]p://bb10.com/apache-­‐mod-­‐security-­‐user/ 2006-­‐12/msg00042.html   Prior  Art   SecFilterDefaultAceon  "deny,log,status:503"   SecFilter  ".*"   Header  set  Retry-­‐Aoer  "120"  
  39. 39. #3   ]  [  HOW?
  40. 40. BROWSERS  HAVE   TO  BE  FLEXIBLE  
  41. 41. THIS  LEADS  TO   INTERPRETATION   …  which  leads  to  the  dark-­‐side  
  42. 42. RFCS…     THEY’RE  MORE  OF  A   GUIDELINE  REALLY  
  43. 43. WHAT COULD POSSIBLY GO WRONG!
  44. 44. TESTING   THE  HOW  OF  THE  THING!   #3.1  
  45. 45. §  Restricted  research  to  the  big  3   §  Internet  Explorer   §  Chrome  /  Chromium   §  Firefox  
  46. 46. NO…  SAFARI  ISN’T   IN  THE  TOP  10  3  
  47. 47. OPERA  JUMPED…   …or  was  it  pushed?  
  48. 48. LYNX   THE  UNREALISTIC  OPTION  
  49. 49. §  MITMproxy  /  MITMdump   §  Python-­‐based   §  Simple  to  setup  proxy  /  reverse  proxy   §  Script-­‐based  aceons  
  50. 50. §  PHP   §  Ability  to  set  response  code   §  Must  be  at  the  top  of  the  PHP  code   §  Can  be  added  to  php.ini   §  auto-­‐prepend-­‐file  =  /full/path   §  Limited  by  web-­‐server  (apache)   #  set  response  code   Header($_server[“SERVER_PROTOCOL”].  ”  $status_code”);  
  51. 51. §  Teseng  browsers  automaecally   §  Created  PHP  file  to  set  status  code   §  h]p://c22.cc/POC/respcode.php?code=XXX  
  52. 52. BROWSERS   …  AND  THEIR  STATUS  CODE  HABITS   #3.2  
  53. 53. Miss
  54. 54. Browsers  handle   most  things  just  like   they  handle  a   200  OK?  
  55. 55. YEP…  MOSTLY  
  56. 56. §  HTML  Responses   §  Almost  all  response  codes  are  rendered   by  the  browser  correctly   §  iFrames   §  Some  special  cases  for  IE,  but  other   browsers  handle  this  the  same  as  HTML    
  57. 57. §  JavaScript/CSS   §  Limited  accepted  status  codes   §  Limited  3XX  support   §  Chrome  is  the  excepeon  here   §  No  support  for  4XX/5XX  codes  
  58. 58. So  we  know   what  browsers   interpret   differently  
  59. 59. What  do   browsers  have   in  common?  
  60. 60. §  1XX  code  handling   §  Retries   §  Confusion   §  Chrome  /  IE6  try  to  download  the  page!   §  Fun  on  Android…  (never  ending  download)   §  Times  outs  (eventually)  
  61. 61. §  204  No  Content   §  Um,  no  content!   §  304  Not  Modified   §  Again,  no  content  returned  
  62. 62. WHAT  ABOUT   HEADERS?   #3.3  
  63. 63. Just  because  the  RFC  says   a  specific  status  code   must  have  an  associated   header…  
  64. 64. …doesn’t  mean   it  HAS  to  
  65. 65. §  Redireceon  codes  (301-­‐304,  307)   §  No  Locaeon  header,  no  redirect   §  401  Unauthorized   §  No  WWW-­‐Authenecate  header,  no   authenecaeon  prompt   §  407  Proxy  Authenecaeon  Required   §  No  Proxy-­‐Authenecate  header,  no  prompt  
  66. 66. Just  because  the  RFC  says   a  specific  status  code   shouldn’t  have  an   associated  header…    
  67. 67. …doesn’t  mean   it  can’t  
  68. 68. §  300  Muleple  Choices  w/  Locaeon  Header   §  Firefox  /  IE6  follows  the  redirect   §  Chrome  doesn’t   §  More  research  needed  in  this  direceon   §  Most  headers  are  unintereseng  /  ignored  
  69. 69. EACH  BROWSER   HANDLES  THINGS  A   LITTLE  DIFFERENTLY  
  70. 70. I  WONDER  WHAT   WE  CAN  DO   WITH  THAT!  
  71. 71. #4   ]  [  GOALS
  72. 72. §  Each  browser  handles  things  differently   §  Use  known  condieons   §  Handled  codes   §  Unhandled  codes   §  Browser  weirdness  
  73. 73. BROWSER   FINGERPRINTING   #4.1  
  74. 74. §  Doesn’t  load  JavaScript  returned  with  a  300   ‘Muleple  Choices’  status  code   §  Other  browsers  tested  DO  (IE/Chrome)     §  Request  JavaScript  from  server   §  Response  Status:  300  Muleple  Choices   §  If  JavaScript  doesn’t  run  in  the  browser   §  Firefox   Firefox  
  75. 75. §  Loads  JavaScript  returned  with  a  307   ‘Temporary  Redirect’  status  code   §  Other  browsers  tested  DON’T  (IE/FF)   §  Request  JavaScript  from  server   §  Response  Status:  307  Temporary  Redirect   §  If  JavaScript  runs  in  the  browser   §  Chrome   Chrome    
  76. 76. §  Loads  JavaScript  returned  with  a  205  ‘Reset   Content’  status  code   §  Other  browsers  tested  DON’T  (FF/Chrome)   §  Request  JavaScript  from  server   §  Response  Status:  205  Reset  Content   §  If  JavaScript  runs  in  the  browser   §  Internet  Explorer   Internet  Explorer    
  77. 77. BROWSER   FINGERPRINTING   DEMO  
  78. 78. §  Other  opeons  to  fingerprint  browsers   §  300  Redirect  (Chrome)   §  305  /  306  JavaScript  (Firefox)   §  400  iFrame  (Internet  Explorer)   §  …     POC  Script  à  h]p://c22.cc/POC/fingerprint.html  
  79. 79. USER-­‐AGENTS   CAN  BE   SPOOFED  
  80. 80. BROWSER   TRAITS  CAN’T  
  81. 81. PROXY   DETECTION   #4.2  
  82. 82. §  Chrome  handles  proxy  config  differently   §  407  status  code  isn’t  rendered     §  Unless  an  HTTP  proxy  is  set!   §  Allows  us  to  detect  if  an  HTTP  proxy  is  set   §  Just  not  which  proxy   §  Can  only  detect  HTTP  proxies  ;(   Chrome  Proxy  Deteceon  
  83. 83. §  Request  page  from  server   §  Response  Status:  407  Proxy  Authenecaeon   §  w/o  Proxy-­‐Authenecate  header   §  If  Chrome  responds  HTTP  proxy  is  set   Chrome  Proxy  Deteceon  
  84. 84. §  Privoxy  3.0.20  (CVE-­‐2013-­‐2503)   §  407  Proxy  Authenecaeon  Required   §  w/  Proxy-­‐Authenecate  header   §  User  prompted  for  user/pass   §  Prompt  appears  to  be  from  Privoxy   §  Privoxy  passes  user/pass  to  remote  site   §  Profit???   Side-­‐Effect:  Owning  Proxies  
  85. 85. §  Not  just  Privoxy  that’s  effected   §  Any  transparent  proxy   §  e.g.  Burp,  ZAP,  …   §  Not  really  a  vuln  for  most   §  Works  as  designed!   Side-­‐Effect:  Owning  Proxies  
  86. 86. #5   ]  [  BRINGINGITALL TOGETHER
  87. 87. What  we  have   §  Status  codes  all  browsers  treat  as  content   §  Status  codes  all  browsers  can’t  handle   §  1XX,  etc..   §  Lots  of  browser  quirks  
  88. 88. What  can  we  do   §  F*ck  with  things   §  Screw  with  scanner  monkeys   §  Make  RFC  lovers  cry  into  their  beer   §  Break  things  in  general  
  89. 89. Let’s  try  to…   §  Use  what  we’ve  discovered  to…   §  Break  spidering  tools   §  Cause  false  posieves  /  negaeves   §  Slow  down  a]ackers   §  The  fun  way!   §  Blocking  successful  exploitaeon  
  90. 90. BREAKING   SPIDERS   #5.1  
  91. 91. Simplisec  view   of  spiders  
  92. 92. §  Access  target  URL   §  Read  links  /  funceons   §  Test  them  out   §  If  true:  conenue   §  What  is  TRUE?  
  93. 93. §  What  happens  if:   §  Every  response  is   §  200  OK   §  404  Not  Found   §  500  Internal  Server  Error  
  94. 94. 200  OK   §  IF  200  ==  True:   §  Problems!   §  Never-­‐ending  spider  
  95. 95. 404  Not  Found   §  IF  404  ==  False:   §  What  website?  
  96. 96. 500  Internal  Server  Error   §  Skipfish  !=  happy  fish  
  97. 97. False   Posieves  / Negaeves   #5.2  
  98. 98. §  Most  scanners  use  status  codes   §  At  least  to  some  extent   §  Inieal  match  (prior  to  more  costly  regex)   §  Speed  up  deteceon   §  Easy  solueon  
  99. 99. §  What  happens  if:   §  Every  response  is   §  200  OK   §  404  Not  Found   §  500  Internal  Server  Error   §  raNd0M*   *  Using  codes  that  are  accepted  by  all  browsers  as  content    
  100. 100. Vulnerability  Baseline   §  w3af   §  Informaeon  Points  à  79   §  Vulnerabiliees  à  65   §  Shells  à  0  shells  L   §  Scan  eme  à  1h37m23s  
  101. 101. Every  response  200  OK   §  No  change  in  discoveries   §  All  points  discovered  -­‐  per  baseline   §  79  Informaeon  Points   §  65  Vulnerabiliees   §  0  Shells   §  Scan  eme  à  9h56m55s   §  Lots  more  to  check  ;)  
  102. 102. Every  response  404  Not  Found   §  Less  to  scan  ==  Less  to  find   §  False  negaeves   §  44  Informaeon  Points  (-­‐35)   §  37  Vulnerabiliees  (-­‐28)     §  Scan  eme  à  7m13s   §  Much  quicker  scan   §  Less  paths  traversed  
  103. 103. Every  response  500   §  Server  Error  ==  OMG  VULN  SANDWICH!   §  False  posieves+++   §  9540  Informaeon  points  (+9461)   §  9526  Vulnerabiliees  (+9461)    
  104. 104. Random  Status  Codes   §  Muleple  test  runs   §  All  tests  produced  False  posieves++   §  avg.  619  Informaeon  points  (+540)   §  avg.  550  Vulnerabiliees  (+485)     §  Avg.  scan  eme  à  11m37s   §  Ooen  much  quicker  scans   §  Lots  of  variaeon  in  scan  emes  
  105. 105. Random  Status  Codes   §  Skipfish  +  $random_status  =  chaos   §  False  Posieves  +  False  Negaeves   §  Scan  jobs  killed  (due  to  lack  of  scanner  resources)   §  Scan  emes   §  1st  scan  eme  à  10h3m35s   §  2nd  scan  eme  à  0h0m4s   §  3rd  scan  eme  à  16h47m41s  
  106. 106. Slowing   a]ackers   down!   #5.3  
  107. 107. What  does   your  WAF   really  do?  
  108. 108. §  OMG  A]ack   §  Block  /  Return  error   §  403,  500,  …   §  Profit???  
  109. 109. Why?  
  110. 110. Remember  that  list   of  status  codes   browsers  don’t   handle  well?  
  111. 111. Yeah  well,  scanners   don’t  usually  handle   them  well  either!  
  112. 112. Especially  the   1XX  codes  
  113. 113. §  Remember  LaBrea  tarpit?   §  Tim  Liston  2001  *   §  Designed  to  slow  spread  of  Code  Red   §  Slows  down  scans  /  a]ackers   *  h]p://labrea.sourceforge.net  
  114. 114. How  about  an   HTTP  Tarpit!  
  115. 115. HTTP  Tarpit  Scenario   §  WAF  detects  scan  /  a]ack   §  Adds  source  IP  to  “naughty”  list   §  Rewrite  all  responses  from  the  server   §  100|101|102  status  codes  only  (random)   §  204|304  might  also  be  useful  (no  content)  
  116. 116. Let’s  do   some   science!*   *  Science  not  included  
  117. 117. vs.  the  HTTP  TARPIT   NIKTO  
  118. 118. Baseline   HTTP  Tarpit   Scan  eme   2m  18s   Findings   18   14h  33m  2s   10  
  119. 119. vs.  the  HTTP  TARPIT   W3AF  
  120. 120. Baseline   HTTP  Tarpit   Scan  eme   1h  37m  23s   Findings   65   18m  10s   0  
  121. 121. vs.  the  HTTP  TARPIT   SKIPFISH  
  122. 122. Baseline   HTTP  Tarpit   Scan  eme   18m  10s   Findings   Low:  2519   Med:  2522   High:  12   Low:   Med:     High:   05s   0   0   3  
  123. 123. vs.  the  HTTP  TARPIT   ACUNETIX  
  124. 124. Baseline   HTTP  Tarpit   Scan  eme   1h  19m   Findings   Info:  1104   Low:  30   Med:  32   High:  24   Info:   Low:   Med:     High:   33m   3   3   1   0  
  125. 125. HTTP  Tarpit  Results   §  HTTP  Tarpit  Results  *   §  Slow  down  scans   §  Nikto:  340x  as  long   §  Others  give  up  quicker  ;)   §  Unreliable  /  aborted  scans   §  Up  to  100%  less  findings   *  Not  scienefically  sound  ;)  
  126. 126. Blocking   successful   exploitae0n   #5.4  
  127. 127. We’ve  made  it   hard  to  find  the   vulnerabiliees  
  128. 128. We’ve  made  it   Ome  consuming   for  a]ackers  
  129. 129. Now  let’s  stop  the   sk1dd13s  using   Metasploit  to  pop   $hells  
  130. 130. Q:  How  ooen  does  Metasploit  reference   status  codes?      rgrep  -­‐E  'res[p|ponse]?.code'  *   à  958  *   *  Not  scienefically  sound  ;)   rgrep  -­‐E  'res[p|ponse]?.code'  *  
  131. 131. Lots  of   dependency  on   status  codes*   *  yep,  even  the  stuff  I  wrote  
  132. 132.    if  (res.code  <  200  or  res.code  >=  300)        case  res.code        when  401          print_warning("Warning:  The  web  site          asked  for  authentication:  #{res.headers          ['WWW-­‐Authenticate']  ||  res.headers            ['Authentication']}")        end        fail_with(Exploit::Failure::Unknown,        "Upload  failed  on  #{path_tmp}        [#{res.code}  #{res.message}]")      end  
  133. 133. No  match,   No  shell*   *  exploit  dependent  
  134. 134. #6   ]  [  REVIEW
  135. 135. §  Using  status  codes  to  our  benefit  is  fun   §  …  and  useful!   §  Browsers  can  be  quirky   §  Scanners  /  a]ack  toolkits  are  someemes   set  in  their  ways   §  Take  the  easy  route   §  Easy  to  fool  
  136. 136. §  WAFs  need  to  get  more  offensive  about   their  defense   §  More  than  just  blocking  a  request   §  Even  if  you  use  a  snazzy  message   §  Hacking  back  is  bad   §  Slowing  down  known  a]acks  is  good   §  Make  life  harder  for  skiddies  is  pricele$$  
  137. 137. §  Current  tools  are  much  the  same  as  APT   §  APT  (Adequate  Persistent  Threat)   §  Only  as  advanced  as  they  NEED  to  be  
  138. 138. …because  screwing   with  sk1dd13s   is  fun!  
  139. 139. Implementaeon   #6.1  
  140. 140. §  PHP  (the  lowest  common  denominator)   §  auto-­‐prepend-­‐file   §  Limited  to  resources  PHP  handles   §  MITMdump   §  MITMproxy  ==  memory  hog   §  Reverse  proxy  mode   Ghe]o  Implementaeon  
  141. 141. §  Usable  implementaeon   §  Nginx  as  reverse  proxy   §  Requires:  ngx_lua   §  ngx.status  =  XXX   §  Bugs  in  non-­‐git  version   §  203,  305,  306,  414,  505,  506  return  nil   h]ps://github.com/ChrisJohnRiley/Random_Code/blob/master/nginx/nginx.conf    
  142. 142. §  Ease  adopeon   §  Implement  into  mod-­‐security   §  Not  a  simple  task   §  Already  been  discussed  many  emes   §  Help  wanted  ;)  
  143. 143. Countering   this  research   #6.2  
  144. 144. §  Less  reliance  on  status  codes   §  More  reliance  on  content  /  headers   §  Pros     §  Be]er  matching  /  intelligence   §  Cons   §  Slower?  (regex  matching)   §  More  resource  intensive  
  145. 145. Queseons?  
  146. 146.   CODE  /  SCRIPTS  AVAILABLE     HTTP://GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE  
  147. 147. Thanks  for  coming     h]p://blog.c22.cc   @ChrisJohnRiley        contact@c22.cc  
  • khungbo33

    Mar. 20, 2015
  • trietptm

    Mar. 20, 2015
  • cvlorenzo

    Feb. 1, 2015
  • 0xalg

    Oct. 7, 2014

Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys DEF CON 21 (2013) On the surface most common browsers look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the shiny surface however, the way specific user agents handle traffic varies in a number of interesting and unique ways. This variation allows for defenders to play games with attackers and scripted attacks in a way that most normal users will never even see. This talk will attempt to show that differences in how different user agents handle web server responses (specifically status codes) can be used to improve the defensive posture of modern web applications while causing headaches for the average script kiddy or scanner monkey!

Views

Total views

18,472

On Slideshare

0

From embeds

0

Number of embeds

14,529

Actions

Downloads

64

Shares

0

Comments

0

Likes

4

×