This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving cloud computing, big data, and the Internet of Things. Old vulnerabilities persist in widely used software while new issues are found in new technologies. Overall, the growth of web applications and their interactions creates many new attack surfaces despite ongoing security improvements, ensuring hackers will continue finding novel ways to exploit systems.

1. Web application security
trends
Omar Ganiev
28/02/2015

2. Hi!
I’m Beched, and I love hacking an solving problems.
Let’s observe overall trends and some recently
published papers, vulnerabilities and techniques,
connected with web application security.

3. Classification
Questions to classify the vulnerabilities:
• Is the exploitation technique new or known?
• Is the attack target new or known technology?
• How large is a potential attack surface?

4. Sourcesof news
• Bug trackers, mailing lists
• https://blackhat.com/html/archives.html
• https://blog.whitehatsec.com/top-10-web-
hacking-techniques-2013/
• https://blog.whitehatsec.com/top-10-web-
hacking-techniques-of-2014/
• …

5. Community opinion
• 30.77% of respondents from rdot.org will go
to dance a ballet, because web hacking is
gonna become way too complex =)

6. Obvious remarks
• Growth of security awareness of developers
makes their code more secure
• At the same time new products and
technologies are often released without
careful security audit
• Old software is often considered as safe and
trusty but contains severe vulnerabilities
• Business logic bugs are alive

7. Obvious remarks
• Infosec is part of CS and IT, and it inherits
global trends
• The global trend is a wide spread of various
gadgets and mobile devices
• The global trend is making houses and
vehicles smart
• The global trend is making web interfaces rich
and self-contained in the browsers

8. Take a look
• There’re loads of papers and presentations at BlackHat
archives. If we filter those, which are connected with
web security, and range the topics, we get the
following scoreboard of trends:
• client-side && mobile
• clouds && big data && social networks
• misc && classic
• TLS && SSL
• IoT && routers
• PRNG && SSRF && etc
• old soft

9. Client-side && Mobile
• Known technologies, new life
• There’re loads of papers on client-side security
• Loads of bug bounties are given for XSS or
something like that
• There’re a lot of tricky techniques, and we can
see a long war between browser developers and
XSS hunters
• Mobile browsers are also targeted. Some mobile
OS interfaces are HTML5-based, which increases
impact of XSS

10. Client-side && Mobile
DISSECTING CSRF ATTACKS & COUNTERMEASURES
JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME
MILLION BROWSER BOTNET
PIXEL PERFECT TIMING ATTACKS WITH HTML5
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS
CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY
THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT
CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING
REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR
REVISITING XSS SANITIZATION
SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD
MANAGERS
TWO FACTOR FAILURE
THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES
JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY
UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED
ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD

11. Client-side && Mobile
• UXSS, MXSS
• ChromeOS, FirefoxOS
• Browser extensions hacking
• Endless security features vs bypass war
• XSS Auditor, CSP, HttpOnly, SOP, CORS
• Funny things like RFD (reflected file download)
• OAuth bugs

12. Example
• Chrome XSS auditor breaks a lot of attacks, but in most cases it
can be bypassed, or at least an attack can be modified
• The idea is that it looks for complete tag names or attributes
from the page in the HTTP request packets
• There’re plenty of bypasses, take a look at
http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/
http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-
bypass/
https://www.blackhat.com/docs/us-14/materials/us-14-Johns-
Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-
XSS-Filtering.pdf

13. Example
• Other bypasses include CSRF tokens leakage, form target
forgery, etc

14. Example
• Secure CMS and XSS Auditor can be spoiled with
plugins
• Look at this typographic plugin for Drupal:
var result = Typographus_Lite_UTF8.typo_text( $(this).text() );
$(this).after(result).remove();
• JQuery method after() is insecure. As a result, div
contents become HTML-decoded, and all your
reflected or stored <script> stuff becomes
active

15. Example
• OAuth is often vulnerable to open redirect due to
lack of redirect_uri validation
https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879
c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&sco
pe=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257
After authorization redirects to:
http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85
458d0db1c65792d52c8bef3c4407374b2
• Access token (code) value is enough for account
takeover

16. Clouds && Big data && Social networks
• Fairly new technologies
• Cloud computing and machine learning are
heavily used for different purposes
• As for infosec, this can be used both for attack
and defense
• Social networks and big data providers can be
exploited for deanonymization and fraud
• Machine learning can be used for building WAF

17. Clouds && Big data && Social networks
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER
WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS
BIG DATA FOR WEB APPLICATION SECURITY
FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT
YOU AND HOW HACKERS CAN CONTROL TRAFFIC
PIVOTING IN AMAZON CLOUDS
BRINGING A MACHETE TO THE AMAZON
BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE
SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING
BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS
HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT
HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION
ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS

18. Example
• Post-exploitation of distributed web applications is
often a bit tricky – you don’t exactly know which
node will process your request
• Nodes can often be enumerated via HTTP response
headers or cookies
• Sometimes some nodes are not updated and contain
vulnerabilities
• This creates mind-blowing phantom vulnerabilities =)
• Take a look at cool talk about Amazon EC2 post-
exploitation: https://www.blackhat.com/docs/us-
14/materials/us-14-Riancho-Pivoting-In-Amazon-
Clouds.pdf

19. Example
• Data providers are often used for targeted
marketing. However, their data can sometimes be
stolen and used for deanonymisation or fraud.
This is documented API request:
https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=htt
p://incsecurity.ru/?adv_id=$UID
• $UID will be replaced with actual cookie value by
the server and will be sent to attacker host
• Information about user can be obtained via JSONP
hijacking, even if session id is checked.

20. Example
• Request:
https://*.ru/api/get/?uid=$UID&success_cb=_cb_s&fail_cb=_cb_e&st
=1
• Response contains information about gender, interests, etc. Part of
interests description file:
…
{
"id": "40010082",
"segment": "Fetish & Bondage",
"category": "Interests",
"section": "Interests",
"description": "“
}
…

21. Misc & Classic
• There’re a lot of works which continue previous
researches and bug reports
• They improve exploitation of classical
vulnerabilities like SQL injection and
testing/analysis methods
• The raise of penetration testing industry
pushed up demand for .NET and J2EE
applications hacking methods

22. Misc & Classic
') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION
TECHNIQUES’)%00
INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE
WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO
AND RIA
CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS
FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG
IMPLEMENTATIONS
I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL
ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY
SOLUTIONS
WHAT GOES AROUND COMES BACK AROUND - EXPLOITING
FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS!
SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS

23. Example
• The paper about hacking C&C panels reminded
me of the RCE vulnerability in Zeus C&C, which I
published near 2010. I opened these links now:
http://ahack.ru/bugs/zeus-vulnerability-
exploit.htm
https://github.com/Visgean/Zeus/
• Guess what I see there since 5 years? ;)

24. Example
• The name of function has changed, but vulnerability is still there,
AFAICS
...
function fsarcCreate($archive, $files)
...
$cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
exec($cli, $e, $r);
...
foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file;
...
if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list))
=== false)die('Failed to create archive, please check
"system/fsarc.php" script.');
...

25. Example
• This is a small example, probably there’re more critical
vulnerabilities in this popular botnet C&C. BTW, how
do you find vulnerabilities in the source code?
• Paper on contemporary automatic program analysis
mostly tells about grep =)
• Personally I use grep with lovely regular expressions:
w*(include|require)(_once)?[s(]+(?!s*('[^']*'|"[^"]*"|
)[@s.]*(urlencode|rand|rawurlencode|basename|le
venshtein|doubleval|sizeof|base64_encode|strlen|flo
or|crypt|strrpos|filter_input|abs|bin2hex|bindec|has
h|intval|max|decbin|strpos|crc32|ord|md5|count|sh
a1|min|pathinfo|floatval|round|hexdec)s*()[^;]*$.
*

26. Example

27. Example
• 2014 has gone, and here comes 2015, but PHP
and Apache are still broken
• Several UAF vulnerabilities in PHP fixed
recently, still a lot of restriction bypasses and
RCE vulnerabilities live deep there
• Apache has not yet learnt RFC
• Other popular miscellaneous words among
hackers: NoSQL, SSJS, SCADA, SAP

28. TLS && SSL
• As old as the world
• There’re still a lot of misconfiguration issues
with HTTPS
• Also there’re a lot of scary words like BEAST,
CRIME, BREACH, HeartBleed, POODLE,
SSLStrip and others
• Many configuration mistakes are result of
trade-off between performance and security

29. TLS && SSL
SSL, GONE IN 30 SECONDS - A BREACH BEYOND
CRIME
TLS 'SECRETS'
TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS
IN WEB APPLICATIONS
A PERFECT CRIME? ONLY TIME WILL TELL
THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO
PROTECT HTTP
BYPASSING HTTP STRICT TRANSPORT SECURITY

30. IoT && Routers
• This is one of the most popular new IT trends
everyone heard about
• New means untested. Untested means
vulnerable
• Seriously, the Internet of things is broken, and
many yell about it
• People hack RF protocols of alarms, people find
smart houses without doors via Shodan, etc,
etc

31. IoT && Routers
EXPLOITING NETWORK SURVEILLANCE CAMERAS
LIKE A HOLLYWOOD HACKER
HOME INVASION V2.0 - ATTACKING NETWORK-
CONTROLLED HARDWARE
A SURVEY OF REMOTE AUTOMOTIVE ATTACK
SURFACES
ABUSING THE INTERNET OF THINGS: BLACKOUTS,
FREAKOUTS, AND STAKEOUTS
OWNING A BUILDING: EXPLOITING ACCESS
CONTROL AND FACILITY MANAGEMENT SYSTEMS

32. Example
• Just look at this:

33. Example
• And this:

34. Example
• And this (admin;admin):

35. Example
• BTW, side note: why doesn’t XSS Auditor
perform HTTP response splitting check?
• As you could see on the screenshot above,
response splitting kills XSS Auditor, because
we can inject header X-XSS-Protection: 0.

36. PRNG && SSRF && etc
• XXE, SSRF and randomness hacking were hot
topics of 2012-2013
• They are popular today too, new applications
and attack vectors are developed

37. PRNG && SSRF && etc
BLACK-BOX ASSESSMENT OF PSEUDORANDOM
ALGORITHMS
XML OUT-OF-BAND DATA RETRIEVAL
THE NEW PAGE OF INJECTIONS BOOK:
MEMCACHED INJECTIONS
ICSCORSAIR: HOW I WILL PWN YOUR ERP
THROUGH 4-20 MA CURRENT LOOP

38. Example
• Autodiscover interface in OWA reveals an internal
IP address of the mail server
• Ev.owa interface with cPfdDC parameter can be
used to send some LDAP requests and connect to
different hosts (“domain controllers”)
Microsoft.Exchange.Data.Directory.SuitabilityVerifie
r.CreateConnectionAndBind(String fqdn, Int32
portNumber, NetworkCredential credential)
• If there was bypass for anti-CSRF canary, you
could possibly steal NTLM credentials

39. Example
• vBulletin forum CMS allows to upload attachments
from remote URL (class_upload.php,
class_vurl.php)
• First it checks the file size via HEAD request, then it
downloads the file
• You can use HTTP multiplexor to exploit race
condition and return code 200 and valid file size
for the first request and 302 redirect for the
second request
• Some configuration options and old versions of
cURL allow file:// URL wrapper in Location header

40. Old soft
• We’ve witnessed several critical vulnerabilities
in well-known and widely used software in
2014
• HeartBleed, GHOST, ShellShock, POODLE, goto
fail, etc
• Probably it’s an important moment, when we
stop trusting and begin reviewing all the
fundamental old software that we use
everywhere

41. Old soft
EPIDEMIOLOGY OF SOFTWARE
VULNERABILITIES: A STUDY OF ATTACK
SURFACE SPREAD
SSL VALIDATION CHECKING VS. GO(ING) TO FAIL

42. Example
• Although these famous vulnerabilities are not
caused by web applications, they deeply affect
them
• ShellShock and GHOST affect webapp<->OS
interaction layer
• HeartBleed, goto fail, POODLE, affect mainly
webapp<->encryption<->network interaction
layer

43. Example
• This is another proof of why shouldn’t we
consider any part of the software as trusted.
Each component of the system can be broken
• BTW, newspapermen also started the era of
nicknames for vulnerabilities
• I find this a bit ridiculous but funny =)

44. Summary
• The Internet is broken
• The WWW is broken
• Hackers gonna hack
• Web applications become smarter
• Hacking becomes smarter

45. Questions?
beched@incsecurity.ru