Backslash Powered Scanning: Engaging Intuition

Existing security scanners find server-side vulnerabilities by signature, using a fixed set of rules specific to each system, much as antivirus software does. The speaker shares his experience of developing an open-source scanner that replaces the classic manual methods and can find and confirm both known and new classes of vulnerabilities.

Published in: Technology
1. BACKSLASH POWERED SCANNING
   James Kettle
   AUTOMATING HUMAN INTUITION

2. ©PortSwigger Ltd 2017 All Rights Reserved
   marketizer1
   Invalid username or password

3. OUTLINE
   • The three failures of scanners
   • Solving the 'Million Payload Problem'
   • Black-box interrogation
   • Exploit iteration
   • Payload sets
   • Findings & illustrations
   • Further research
   • Q&A

4. WHOAMI
   @albinowax
   Head of Research at PortSwigger Web Security
   My Background: pentesting & bug-bounty hunting
   I automate vulnerability detection:
   • Cross-Site Request Forgery, PRSSI/RPO, Burp Collaborator
   • Server-Side Template Injection

5. BLIND SPOT 1/3: RARE TECHNOLOGY
   • Security through obscurity works (versus scanners)
   • How many types of Server-Side Template Injection does your scanner support?
   • 2014: { }
   • {Amber, Apache Velocity, action4JAVA, ASP.NET (Microsoft), ASP.NET (Mono), AutoGen, Beard, Blade, Blitz, Casper, CheetahTemplate, Chip Template Engine, Chunk Templates, CL-EMB, CodeCharge Studio, ColdFusion, Cottle, csharptemplates, CTPP, dbPager, Dermis, Django, DTL::Fast (port of Django templates), Djolt-objc, Dwoo, Dylan Server Pages, ECT, eRuby, FigDice, FreeMarker, Genshi (templating language), Go templates, Google-ctemplate, Grantlee Template System, GvTags, H2o, HAH, Haml, Hamlets, Handlebars, Hyperkit PHP/XML Template Engine, Histone template Engine, HTML-TEMPLATE, HTTL, Jade, JavaServer Pages, jin-template, Jinja, Jinja2, JScore, Kalahari, Kid (templating language), Liquid, Lofn, Lucee, Mako, Mars-Templater, MiniTemplator, mTemplate, Mustache, nTPL, Open Power Template, Obyx, Pebble, Outline, pHAML, PHP, PURE Unobtrusive Rendering Engine, pyratemp, QueryTemplates, RainTPL, Razor, Rythm, Scalate, Scurvy, Simphple, Smarty, StampTE, StringTemplate, SUIT Framework, Template Attribute Language, Twital, Template Blocks, Template Toolkit, Thymeleaf, TinyButStrong, Tonic, Toupl, Twig, Twirl, uBook Template, vlibTemplate, WebMacro, ZeniTPL, BabaJS, Rage, PlannerFw, Fenom}
   http://artsploit.blogspot.co.uk/2016/08/pprce2.html

6. BLIND SPOT 2/3: Variants & filters
   • How do we detect blind eval() injection?   ".sleep(10)."
   • If parenthesis is filtered? False Negative   ".`sleep 10`."
   • If there's a WAF? False Negative   ".sl%D0%B5ep(10)." (Cyrillic е)
   • If " is filtered? False Negative   {${sleep(10)}}
   • SQLi in double quotes

7. BLIND SPOT 3/3: Buried vulnerabilities
   GET /search/?q=david HTTP/1.1
   Host: sea.ebay.com.sg
   User-Agent: Mozilla/5.0 etc Firefox/49.0
   Accept: text/html
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Referer: http://sea.ebay.com.sg/
   Cookie: session=pZGFjciI6IjAkLCJlx2V4cCI6MTA4
   Connection: close
   Origin: null
   X-Forwarded-For: 127.0.0.1
   X-Forwarded-Host: evil.com

   &q[1]=sec{${phpinfo()}}
   http://secalert.net/2013/12/13/ebay-remote-code-execution/

8. THE MILLION PAYLOAD PROBLEM
   • For every request
     • For every input
       • For every vulnerability class
         • For every technology
           • For every variant
             • For every filter
               • Send the payload!

9. IDENTIFYING SUSPECTS
   Don't scan for vulnerabilities
   Scan for suspicious behavior
   Iteratively gather evidence

10. PROBE-PAIR FUZZING
    text=foo     200 OK
    text=foo'    500 Error
    text=foo\'   200 OK
    • You have an error in your SQL syntax…
    • Invalid input

11. PROBE-PAIR CONTROL FLOW
    [Flowchart: the probe pair ' vs \' is sent and the responses compared; each comparison branches on MATCH / NO MATCH, and only consistent NO MATCH results lead to VULN]

12. BLACK-BOX INTERROGATION
    Question                          Probe pair
    Am I in a single-quoted string?   z'z vs z\'z
    Am I in a numeric context?        X/0 vs X/1
    Am I in a file path?              ./../x vs ././x
    Am I a function invocation?       sprintg vs sprintf
    Am I in a JSON value?             ","a"," vs ","a":"

13. BLACK-BOX ITERATION
    Question                          Probe pair
    What type of quotes am I in?      z'z vs z\'z
                                      z"z vs z\"z
    How can I concatenate?            z"z"z vs z"."z
                                      z"z"z vs z"||"z
                                      z"z"z vs z"+"z
    Can I call a generic function?    "+abz(1)+" vs "+abs(1)+"
    Which language am I executing?    "+phpversioz()+" vs "+phpversion()+"
                                      "+to_numbez(1)+" vs "+to_number(1)+"
                                      "+isFinitez(1)+" vs "+isFinite(1)+"

14. RESPONSE COMPARISON
    Attributes: status code, content type, tag structure, line count, word count, input reflection count, keyword count, leading/trailing characters
    We need at least one attribute with two properties:
    • Consistently different between probe1 and probe2
    • Consistently the same across repeats
    Burp Extender API:
      responseDetails.updateWith(response1);
      responseDetails.updateWith(response2);
      List<String> consistentDetails = responseDetails.getInvariantAttributes();

15. EVIDENCE
    Probe    Code   Words   Lines
    foo      200    1393    25
    foo'     200    1392    23
    foo\'    200    1393    24

    Evidence: String - apostrophe   foo'   foo\'
              word_count            1392   1393

16. EVIDENCE (released today)
    Probe   Code   Words
    7       200    139
    7/0     500    27
    7/1     200    121
    7/0     500    27
    7/1     200    142

    Evidence: Divide by 0   /0    /1
              status_code   500   200
              word_count    27    *121*

17. PROBE SELECTION & DELIVERY
    • Random content
    • Repeat probes
    • Alternating responses
    • Shuffle probe order
    • Deterministic random content
    • Use probe batches (cosmetic)
      • Before: 7/0 vs 7/1
      • After: {7/0, 7/00, 7/0*0} vs {7/1, 7/01, 7/1*1}

18. SAMPLE REQUEST LOG
    221                                      965
    221'                                     965
    221/0                                    327
    221/1                                    327
    221,abz(1)                               0
    221,abs(1)                               965
    221,abs(0,1)                             0
    221,abs(01)                              965
    221,power(current_request_idz(),0)       0
    221,power(current_request_id(),0)        965
    221,power(current_request_ic(),0)        0
    221,power(current_request_id(),0)        965
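As an added illustration of slides 12 to 17 (this is not code from the talk or from the Backslash Powered Scanner project), the probe-pair comparison in Python: each response is fingerprinted with a subset of the slide's attributes, only attributes that stay constant across repeats of a probe count, and the pair yields evidence only where such a stable attribute differs between the two probes. The target is a constructed stand-in whose SQL query silently drops a row on an unescaped quote and whose footer jitters in line count.

```python
import itertools
import re

# Added example, not the project's code; fake_target is a constructed stand-in.
def attributes(status, body):
    """Fingerprint one response with a subset of the slide's attributes."""
    return {
        "status_code": status,
        "content_length": len(body),
        "line_count": body.count("\n") + 1,
        "word_count": len(body.split()),
        "tag_count": len(re.findall(r"<[A-Za-z/][^>]*>", body)),
        "error": int(bool(re.search(r"error|exception", body, re.I))),
    }

def invariant_attributes(fingerprints):
    """Attributes whose value is the same across every repeat of one probe."""
    first = fingerprints[0]
    return {k for k in first if all(f[k] == first[k] for f in fingerprints[1:])}

def distinguishing_attributes(responses1, responses2):
    """Attributes stable across repeats of each probe yet different between
    probe1 and probe2; an empty dict means the pair produced no evidence."""
    f1 = [attributes(*r) for r in responses1]
    f2 = [attributes(*r) for r in responses2]
    stable = invariant_attributes(f1) & invariant_attributes(f2)
    return {k: (f1[0][k], f2[0][k]) for k in sorted(stable) if f1[0][k] != f2[0][k]}

def run_probe_pair(target, base, probe1, probe2, repeats=3):
    """Send the pair alternately several times (slide 17: repeat probes,
    alternate responses) before trusting any difference."""
    r1, r2 = [], []
    for _ in range(repeats):
        r1.append(target(base + probe1))
        r2.append(target(base + probe2))
    return distinguishing_attributes(r1, r2)

_jitter = itertools.count()

def fake_target(payload):
    """Constructed stand-in: an unescaped quote makes the query return one row
    fewer, and the footer adds 0-2 blank lines per request, so line_count is
    noise while word_count and content_length are real evidence."""
    quote_ok = payload.count("'") == payload.count("\\'")   # foo\' is fine, foo' is not
    rows = ["result"] * (30 if quote_ok else 29)
    body = "<html><body>" + " ".join(rows) + "</body></html>"
    return 200, body + "\n" * (next(_jitter) % 3)
```

Calling `run_probe_pair(fake_target, "foo", "'", "\\'")` reproduces the slide 15 verdict: word_count separates foo' from foo\' while the jittering line_count is correctly ignored.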
19. HUNTING FINDINGS

20. TESTING AT SCALE
    • Requirements
      • Per-domain throttling
      • High net speed
      • Attack-surface optimisation
    • distributeDamage
      • Interleave target hosts
      • Extract URLs to file for spidering
      • Scan each parameter once per site per response type

21. SAMPLE - MySQLi
    Evidence                   Probe 1                           Probe 2
    Basic fuzz                 z`z'z"                            `z'z"
      content_length           5357                              5263
    String - apostrophe        z'z                               z\'z
    Concatenation: '||         z||'z'z                           zz'||'z
    Basic function injection   '||abz(1)||'                      '||abs(1)||'
    MySQL injection            '||power(unix_timestanp(),0)||'   '||power(unix_timestamp(),0)||'

22. SAMPLE – TRICKIER
    Evidence                   Probe 1    Probe 2
    String - doublequoted      "          \"
      error                    1          0
      tag_count                3          0
    Concatenation: ".          ."z"z      z"."z
      error                    1          0
      tag_count                3          0
    Interpolation: dollar      ${{ }}$
      error                    1          0
      tag_count                3          0

23. SAMPLE - INTERRUPTED
    Evidence              Probe 1                          Probe 2
    Order-by injection    ,abz(1)                          ,abs(1)
      word_count          *0*                              1023
    MSSQL Injection       ,power(current_request_iz(),0)   ,power(current_request_id(),0)
      word_count          0                                1023
    403 Forbidden

24. SAMPLE – REGEX INJECTION
    java.lang.illegalargumentexception: character to be escaped is missing
      java.util.regex.matcher.appendreplacement(matcher.java:809)
      org.tuckey.web.filters.urlrewrite.utils.regexmatcher.replaceall(regexmatcher.java:72)
    GET /folder?q=foo0bar HTTP/1.1
    HTTP/1.1 301 Moved Permanently
    Location: https://zz.com/folder/?q=foohttp://zz.com/folder/bar
    Backslash: \( vs \)
    Regex breakout: q=foo/<regex flags>
                    q=${sleep(1)}/e%00

25. SAMPLE - FALSE POSITIVE
    WAF grepping for 'substr'
    Fixed by adding substr('',0,9) vs substr('',0,0)
    Function Injection   '||substrz('',0,0)||'   '||substr('',0,0)||'
      status_code        302                     403

26. SAMPLE - INTEL (released today)
    • A WAF is re-writing requests to remove comments
    • Use this to bypass browser XSS filters
    Comment Injection   0/**z'*/   0*/*/z'*/
      status_code       200        500
    Tag stripping       0->zz<-    <-zz->
      status_code       200        500

27. MYSTERY SAMPLE (released today)
    Backslash
      <div                  24        32
    Escape - unicode        \g0041    \u0041
      <div                  24        32
    String - singlequoted   z'        z\'
      <div                  24        32

28. HTTP PARAMETER POLLUTION (released today)
    http://example.com/?q=pub
      -> http://backend/?q=pub&city=london
    http://example.com/?q=pub%26city=';exploit%23
      -> http://backend/?q=pub&city=';exploit#&city=london
    Backend Parameter Injection   $<x%zz   &<x%zz
      status_code                 500      200

29. HPP – BACKEND PARAMETER GUESSING (released today)
    Backend param: city   %26city=<a'"<%   %26cityz=<a'"<%
      <script count       5                11
      <div count          89               1095

30. COLD-START BRUTEFORCE ATTACKS
    • Enumerating inputs with no prior knowledge
      • parameters
      • usernames/passwords
      • files/folders
      • gadgets/classes

31. ENUMERABLE INPUT DETECTION
    /edit_profile?id=734
    • Is id enumerable?
      • id=734, id=735 and id=736 are distinct
    • Is there a finite number of entries?
      • id=100735 and id=100736 are the same
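The two checks from the enumerable-input slide as a decision function, added here as an example and not taken from the talk's code: `fetch` is an assumed callback mapping an id to a (status, body) response, and the three targets are constructed stand-ins for a bounded set of profiles, a parameter that is ignored, and a parameter that is reflected without bound.

```python
# Added example, not from the Backslash Powered Scanner project.
def is_enumerable(fetch, seen_id, window=3, far_offset=100000):
    """Return (enumerable, finite) for a numeric parameter.

    enumerable: consecutive ids around the observed value give distinct
                responses (id=734, 735 and 736 all differ), so the parameter
                is worth brute-forcing at all.
    finite:     ids far beyond the observed value collapse to one response
                (id=100735 and id=100736 are the same), so the entry space
                ends and a brute-force has a natural stopping point."""
    near = [fetch(seen_id + i) for i in range(window)]
    enumerable = len(set(near)) == len(near)
    far = [fetch(seen_id + far_offset + i) for i in range(window)]
    finite = len(set(far)) == 1
    return enumerable, finite

def profile_site(id_value):
    """Constructed target: profiles 1..999 exist; anything else is one 404 page."""
    if 1 <= id_value < 1000:
        return 200, f"<h1>Profile {id_value}</h1>"
    return 404, "<h1>No such profile</h1>"

def ignores_id(id_value):
    """Constructed target that never reads the parameter: nothing to enumerate."""
    return 200, "<h1>Your profile</h1>"

def echoes_id(id_value):
    """Constructed target that reflects any id: distinct responses, no end."""
    return 200, f"<p>id={id_value}</p>"
```

On a real target, compare stable response attributes rather than raw bodies, since a timestamp or nonce in the page would make every response look distinct and defeat the "same" check.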
32. RESOURCES
    Backslash Powered Scanner code: https://github.com/portswigger/backslash-powered-scanner
    DistributeDamage code: https://github.com/portswigger/distribute-damage
    Original whitepaper: http://blog.portswigger.net/2016/10/backslash-powered-scanning.html

33. TAKE-AWAYS
    @albinowax
    Email: james.kettle@portswigger.net
    Scanners can find research grade vulnerabilities
    Enhance, don't replace, the pentester
    This is still just the beginning