This document summarizes vulnerabilities related to server-side request forgery (SSRF) attacks and how they can be exploited. It discusses how external network access and internal network access can be obtained through SSRF. It provides examples of vulnerabilities in various protocols like HTTP, FTP, TFTP, and protocols used by services like Memcached, databases, and file uploads. It also describes how file descriptors can be used to write to open sockets or files to forge server responses or inject malicious content. Overall, the document is an overview of real-world SSRF attacks and exploitation techniques.
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies – Frans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive into postMessage and into how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
DNS hijacking using cloud providers – No verification needed – Frans Rosén
This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj... – Frans Rosén
Regardless of how sophisticated your framework is, or how many layers of firewalls and mitigation techniques are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exists everywhere: WordPress with username enumeration issues, Twitter, where remote attackers could delete credit cards for the ad service, and OculusVR, with a horizontal privilege escalation vulnerability that was disclosed recently.
Nowadays REST APIs are behind every mobile application and nearly all web applications. As such they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
* how to find hidden API interfaces
* ways to detect available methods and parameters
* fuzzing and pentesting techniques for API calls
* typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
CNIT 124 Ch 13: Post Exploitation (Part 1) – Sam Bowne
Slides for a college course in "Advanced Ethical Hacking" at CCSF. Instructor: Sam Bowne
Course Web page:
https://samsclass.info/124/124_F17.shtml
Based on "Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman -- ISBN-10: 1593275641, No Starch Press; 1 edition (June 8, 2014)
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS – Cody Thomas
Kerberos on macOS with and without Active Directory (AD). Where are attacks possible in Kerberos, and how does the LKDC (Local Key Distribution Center) come into play?
Presented at Objective By The Sea (OBTS) 3.0 in Maui, Hawaii March 2020
Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
[CB19] Deep Exploit: Fully Automatic Penetration Test Tool Using Reinforcemen... – CODE BLUE
DeepExploit is a fully automated penetration testing tool using Deep Reinforcement Learning. It identifies the status of all open ports on the target server and executes exploits with pinpoint precision. DeepExploit’s key features are the following:
1) Efficient exploit execution:
DeepExploit can execute exploits with pinpoint precision (minimum 1 attempt).
2) Deep penetration:
If DeepExploit successfully exploits a target server within the perimeter network (the compromised server), it then exploits internal servers via the compromised server.
3) Self-learning:
DeepExploit can learn how to exploit by itself.
By using our DeepExploit, you will benefit from the following:
For penetration testers:
(a) They can greatly improve test efficiency;
(b) The more penetration testers use DeepExploit, the more it learns about exploitation methods using Deep Reinforcement Learning. As a result, test accuracy can be improved.
For Information Security Officers:
(c) They can quickly identify vulnerabilities in their own servers. As a result, they prevent attackers from exploiting those vulnerabilities and protect their reputation by avoiding negative media coverage after a breach.
Because attack methods against servers are evolving day by day, there is no guarantee that yesterday’s security countermeasures are safe today. It is necessary to quickly find vulnerabilities and take countermeasures. DeepExploit will contribute greatly to maintaining your safety.
Footprinting is part of the reconnaissance process, used for gathering all possible information about a target computer system or network. Footprinting can be both passive and active. Reviewing a company’s website is an example of passive footprinting, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering.
Footprinting is basically the first step, where a hacker gathers as much information as possible to find ways to intrude into a target system, or at least to decide what type of attacks will be more suitable for the target.
SSRF vs. Business-critical applications. XXE tunneling in SAP – ERPScan
Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the history of the SSRF (Server Side Request Forgery) attack, its types, and different kinds of attacks on SAP.
We interact with payments every day. Yet how many of us actually know how they work? Join us to learn about payments and techniques for spotting vulnerabilities in them.
This is a "payments 101" training course covering vulnerability research in payments and related issues and attacks.
The main goal of this course is to break the status quo of payment insecurity. We help our audience gain a better understanding of how to:
* Find vulnerabilities in payment systems while staying within the law
* Obtain the necessary skills and equipment - Learn from the best in the industry—and leave with your wallet a little lighter.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) – Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and applying a set of tests and heuristics to determine whether the generated pages contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. All of these sites have been informed and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
Cloud security best practices in AWS by Ankit Giri – OWASP Delhi
Cloud Security:
* Some interesting instances of breach
* Best practices to protect an AWS account from unauthorized access and usage
* What to look for, and how, when hunting for security loopholes
* Audit scripts
* What one should learn to safeguard a cloud application
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day – AWS Germany
Talk "Leveraging the Security of AWS's Own APIs for Your App" by Brian Wagner at the AWS Serverless Web Day. All videos and presentations can be found here: http://amzn.to/28QIaxM
Securing Serverless Architectures - AWS Serverless Web Day – AWS Germany
Talk "Securing Serverless Architectures" by Dave Walker at the AWS Serverless Web Day. All videos and presentations can be found here: http://amzn.to/28QIaxM
Security Boundaries and Functions of Services for Serverless Architectures on... – AWS Germany
Talk "Security Boundaries and Functions of Services for Serverless Architectures on AWS" by Bertram Dorn at the AWS Serverless Web Day. All videos and presentations can be found here: http://amzn.to/28QIaxM
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec... – Amazon Web Services
In this talk, we’ll take well known architectural patterns such as 3-tier web application, stream processing, scheduled jobs and show how they can be realized without needing to manage servers.
The AWS platform offers a rich set of capabilities that customers can leverage to better control application state, configuration, and supporting infrastructure throughout the service lifecycle – all while operating with security best practices such as audit and accountability, access control, change review and governance, and systems integrity. We will showcase and discuss design patterns for using these capabilities in synergy with fast-paced and agile application development methodologies – such as DevOps – to achieve an integrated security operations program.
AWS re:Invent 2016: Operating Your Production API (SVR402) – Amazon Web Services
In this session, you learn how to monitor and manage your serverless APIs in production. We show you how to set up Amazon CloudWatch alarms, interpret CloudWatch logs for Amazon API Gateway and AWS Lambda, and automate common maintenance and management tasks on your service.
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014 – Amazon Web Services
If you're trying to figure out how to run enterprise applications and services on AWS securely, come join Intuit and the AWS Professional Services team to learn how to embrace a new discipline called DevSecOps. You'll learn more about software-defined security and why we think that DevSecOps helps organizations large and small adopt cloud services at a rapid pace. We'll provide you with links and information to help you get started with creating your own DevSecOps team.
Talk @ API Days Paris, 13/12/2016
Simplifying development and deployment of serverless applications with Open Source frameworks and tools: Serverless, Gordon, Chalice, etc.
Managed services such as AWS Lambda and API Gateway allow developers to focus on value adding development instead of IT heavy lifting. This workshop introduces how to build a simple REST blog backend using AWS technologies and the serverless framework.
DevSecOps: Taking a DevOps Approach to Security – Alert Logic
More organisations are embracing DevOps and automation to realise compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, many security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery.
In the world of DevSecOps, as you might expect, we have three teams working together: Development, Security and Operations.
The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
DevSecOps, or SecDevOps has the ambitious goal of integrating development, security and operations teams together, encouraging faster decision making and reducing issue resolution times. This session will cover the current state of DevOps, how DevSecOps can help, integration pathways between teams and how to reduce fear, uncertainty and doubt. We will look at how to move to security as code, and integrating security into our infrastructure and software deployment processes.
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles... – Amazon Web Services
In this deep-dive session, we outline how to leverage the appropriate AWS services for sending different types and sizes of data, such as images or streaming video. We'll cover common real-world scenarios related to authentication/authorization, access patterns, data transfer and caching for more performant Mobile Apps. You learn when you should access services such as Amazon Cognito, Amazon DynamoDB, Amazon S3, or Amazon Kinesis directly from your mobile app, and when you should route through Amazon API Gateway and AWS Lambda instead. Additionally, we cover coding techniques across the native, hybrid, and mobile web using popular open-source frameworks to perform these actions efficiently, and with a smooth user experience.
Getting Started with Serverless Architectures | AWS Public Sector Summit 2016 – Amazon Web Services
By building your application with AWS Lambda, Amazon API Gateway, and Amazon DynamoDB, you can free yourself from the burden of managing servers while gaining agility and simple scaling. After introducing the basics of building microservices with AWS Lambda and Amazon API Gateway, the session highlights how the Democratic National Committee (DNC) Technology Team uses AWS Lambda and Amazon DynamoDB microservices to provide campaigns and state parties customized applications on top of a core data platform. This serverless architecture has helped the DNC Technology Team improve their microservice functionality and development process, ensuring their applications are performant through the extremely erratic usage levels of a campaign cycle.
Pradeep Sharma from OSSCube presents on Securing your web server at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
Apache Solr on Hadoop is enabling organizations to collect, process and search larger, more varied data. Apache Spark is making a large impact across the industry, changing the way we think about batch processing and replacing MapReduce in many cases. But how can production users easily migrate ingestion of HDFS data into Solr from MapReduce to Spark? How can they update and delete existing documents in Solr at scale? And how can they easily build flexible data ingestion pipelines? Cloudera Search Software Engineer Wolfgang Hoschek will present an architecture and solution to this problem. How were Apache Solr, Spark, Crunch, and Morphlines integrated to allow for scalable and flexible ingestion of HDFS data into Solr? What are the solved problems and what's still to come? Join us for an exciting discussion on this new technology.
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security) – Codemotion
DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organisations can end up creating security vulnerabilities using the tools and products meant to protect them. What happens when these tools are used insecurely or - even worse - they are just insecure? Technologies discussed will encompass AWS, Puppet, Hudson/Jenkins, Vagrant, Docker and much, much more. Everything from common misconfigurations to remote code execution.
Custom, in depth 5 day PHP course I put together in 2014. I'm available to deliver this training in person at your offices - contact me at rich@quicloud.com for rate quotes.
Introduction to the Administration of the Apache Web Server. More information can be found at https://www.spiraltrain.nl/course-apache-administration/?lang=en
• PHP stands for PHP: Hypertext Preprocessor
• PHP is a server-side scripting language like ASP
• PHP scripts are executed on the server
• PHP supports many databases (MySQL, Informix, Oracle, Sybase, Solid, PostgreSQL, Generic ODBC, etc.)
• PHP is open source software
• PHP is free to download and use
Solr Recipes provides quick and easy steps for common use cases with Apache Solr. Bite-sized recipes will be presented for data ingestion, textual analysis, client integration, and each of Solr’s features including faceting, more-like-this, spell checking/suggest, and others.
Node.js 101 with Rami Sayar
Presented on September 18 2014 at
FITC's Web Unleashed Toronto 2014 Conference
More info at www.fitc.ca
OVERVIEW
Node.js is a runtime environment and library for running JavaScript applications outside the browser. Node.js is mostly used to run real-time server applications and shines through its performance using non-blocking I/O and asynchronous events. This talk will introduce you to Node.js by showcasing the environment and its two most popular libraries: express and socket.io.
TARGET AUDIENCE
Beginner web developers
ASSUMED AUDIENCE KNOWLEDGE
Working knowledge of JavaScript and HTML5.
OBJECTIVE
Learn how to build a chat engine using Node.js and WebSockets.
FIVE THINGS AUDIENCE MEMBERS WILL LEARN
Node.js environment and basics
Node Package Manager overview
Web Framework, express, basics
WebSockets and Socket.io basics
Building a chat engine using Node.js
Similar to "Vorontsov, Golovko – SSRF attacks and sockets: smorgasbord of vulnerabilities" (20)
[Defcon Russia #29] Boris Savkov - Bare-metal programming using the example of Raspber... – DefconRussia
The speaker will show how bare-metal programming can make a Raspberry Pi work with GPIO, memory and Ethernet, and will explain who might need this and why.
[Defcon Russia #29] Alexander Ermolov - Safeguarding rootkits: Intel Boot Gua... – DefconRussia
Intel Boot Guard is a hardware-backed technology for verifying the authenticity of the BIOS, which a computer system vendor can enable at the manufacturing stage. The speaker will present the results of an analysis of the technology and describe its evolution. Listeners will learn how a mistake, cloned for years in the manufacturing process of several vendors, allows a potential attacker to use this very technology to plant a hidden rootkit in the system that cannot be removed (not even with a programmer!). Github: https://github.com/flothrone/bootguard
[Defcon Russia #29] Alexey Tyurin - Spring autobinding – DefconRussia
Spring MVC has a great feature: autobinding. But if it is used incorrectly, "invisible" vulnerabilities can appear, sometimes with serious impact. We will look at a couple of examples and dig into the details of how autobinding bugs arise. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html
[Defcon Russia #29] Mikhail Klementiev - Detecting rootkits in GNU/Linux – DefconRussia
Rootkits in the world of Linux-kernel-based operating systems are no longer a rarity. The talk is about how attempts, under today's conditions, to determine whether a system has been compromised led to an unexpected result.
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса.
В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
Расскажу где и как iCloud Keychain хранит пароли, и какие потенциальные риски это несёт. Apple утверждает, что пароли надежно защищены, и даже её сотрудники не могут получить к ним доступ. Чтобы это подтвердить или опровергнуть, необходимо разобраться с внутренним устройством iCloud Keychain, чем мы и займемся.
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
Все шире и шире получают распространение bugbounty программы - программы вознаграждения за уязвимости различных вендоров. И порой при поиске уязвимостей находятся места, которые явно небезопасны (например - self XSS), но доказать от них угрозу сложно. Но чем крупнее (хотя, скорее адекватнее) вендор, тем они охотнее обсуждают и просят показать угрозу от сообщенной уязвимости, и при успехе – вознаграждают 8). Мой доклад – подборка таких сложных ситуаций и рассказ, как же можно доказать угрозу.
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
1. SSRF attacks and sockets: smorgasbord of vulnerabilities
Vladimir Vorontsov, Alexander Golovko
ONsec: web applications security
2. Authors bio
• Vladimir Vorontsov - security researcher, bug hunter awarded by Google/Yandex/Adobe
• Alexander Golovko - security researcher, Debian maintainer
• Working together at ONsec on web application security
3. A few words about modern web security
• Input validation
• Format processing
• External network access
• Internal network access
4. Forge your protocol brands!
• Make a request from a server
• Attack internal network
• Forge packets
• Splitting/smuggling
• Other protocols!
• Universal ways such as gopher://
• Exploit anything ;)
5. SSRF - a new type of vulnerability?
• We treat SSRF as a generalized class of attacks
• Introduced and used for convenience
• Several vulnerabilities together, or only one, can lead to SSRF attacks
• For vulnerability classification use CWE ;)
6. Where can I find SSRF?
• Export from remote files (such as «Upload from URL», «Export RSS feed»)
• POP3/IMAP/SMTP connections from webapps
• File format processing (XML, docx, archives, etc.)
• Databases
• Others ...
7. Writing to a socket in webapp code - bad way
• Host/port filtering at the webapp level is odd. That's a job for the firewall and the admins, right?
• Protocol smuggling (CRLF and others)
• What do you mean when you send «GET / HTTP/1.1\r\nHost: dom\r\n\r\n» to a socket?
• And what does the server think you mean when it receives this?
8. Using HTTP clients - bad way too
• When you use HTTP clients such as cURL, remember their features:
• ! Unsafe redirects (http:// --> file://)
• Support for various protocols (gopher:// dict:// tftp:// rtsp://)
• Maximum URL length far beyond browsers' limits (a 100 MB URL is OK)
9. Redirect tricks
header("Location: ".$_GET['r']);
• Bypass webapp filters (e.g. preg_replace) using a redirect:
• any host -> localhost
• valid port -> any port
• valid schema -> any schema
• SOP is for browsers, not for HTTP clients
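A filter of the kind slides 7-9 say webapps get wrong, written here as an added example (not code from the talk): it rejects non-HTTP schemes, non-standard ports, raw CRLF and hosts that resolve to non-public addresses, and it is meant to be re-run on every Location header before a redirect is followed. The `resolver` parameter and the constructed `FAKE_DNS` table exist only so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_URL_LEN = 2048  # browsers stop around here; libcurl accepts far longer URLs


def resolve_all(host):
    """Every address the name maps to (A and AAAA); one bad record is enough to reject."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve_all):
    """None if `url` may be fetched, else the reason. Re-run on every Location header
    before following a redirect: the HTTP client will not apply your filter for you."""
    if len(url) > MAX_URL_LEN:
        return "URL too long"
    if "\r" in url or "\n" in url:
        return "control characters in URL"  # raw CRLF is what protocol smuggling needs
    u = urlparse(url)
    scheme = u.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"  # file://, gopher://, dict://, tftp:// ...
    if not u.hostname:
        return "missing host"
    try:
        port = u.port or (443 if scheme == "https" else 80)
    except ValueError:
        return "invalid port"
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    try:
        addrs = resolver(u.hostname)
    except OSError:
        return "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id if present
        if not ip.is_global:  # loopback, RFC 1918, link-local (169.254.x.x), reserved
            return f"{u.hostname} resolves to non-public address {addr}"
    return None


# Constructed resolver table so the check can be demonstrated offline (not real DNS data).
FAKE_DNS = {"example.org": {"93.184.216.34"},
            "rebound.test": {"93.184.216.34", "127.0.0.1"},  # public and loopback records
            "localhost": {"127.0.0.1", "::1"}, "::1": {"::1"}}


def fake_resolver(host):
    return FAKE_DNS[host]
```

Connect to the address that passed the check rather than resolving the name a second time, otherwise a name that changes between check and connect defeats the filter.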
11. Gopher schema
• http://www.ietf.org/rfc/rfc1436.txt
• TCP packets with your content
• Without \r \n \t chars by RFC (and NUL 00 for cURL). But all chars in LWP, Java, ASP.Net ;)
• By Polyakov/Chastukhin [ERPscan] at BH_US_12 and CVE-2012-5085 (fixed now)
• curl gopher://localhost:8000/2MyData
# nc -vv -l -p 8000
listening on [any] 8000 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 64096
MyData
12. Gopher schema
• PHP doesn't support the gopher protocol!
• Do not worry! PHP supports all vulnerabilities!
• --with-curlwrappers provides the gopher protocol in file_get_contents and others, such as XXE
14. TFTP schema
• Currently working on splitting datagrams to bypass the 0x00 0x01 header in the second packet
• No stable results yet, unfortunately ;(
15. Various format processing issues
• XML - External Entities, Signatures, WS etc. (see http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf and http://www.slideshare.net/d0znpp/onsec-phdays-2012-xxe-incapsulated-report)
• OpenOffice products (Draw, Calc and others)
• All software that can open sockets (i.e. whose file formats allow links to external files) - all modern software
• others (see you at HITB 2013)
16. OpenOffice - pretty good stuff
• Universal solution for converting office documents
• Common in enterprise systems and large portals
• Many forks (Libre and others)
• What happens while an uploaded document is converted?
• What about links to external files in the documents?
17. OpenOffice - pretty good stuff for SSRF
• RTFM http://docs.oasis-open.org/office/v1.2/
• Find all tags with an xlink:href attribute
• Do not forget about macros and applets (but really rarely activated)
• Exploit it!
• <draw:image xlink:href="http://ololo.onsec.ru/?i'mSSRFed" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>
18. OpenOffice - pretty good stuff for SSRF
• Formula for happiness
• DDE is your friend
• =DDE("soffice","file://i-want-to-read-this-file...)
• Use a simple formula for full path disclosure: =CELL("filename")
• Address links:
• A1='file:///etc/hosts'#$Sheet1.A1:B31
• B1=INDIRECT(A1)
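Slides 16-18 list the places in an ODF package that reach outside the document. As an added pre-conversion check (not code from the talk), this walks every XML part of the zip and reports xlink:href values that carry a URL scheme, formulas calling DDE() or naming a file: target, and file: URLs sitting in cell text; build_sample() creates a constructed document holding those patterns. In production parse with defusedxml, since these XML parts are also where the XXE issues the slides mention live.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (XXE)

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
TABLE_FORMULA = "{urn:oasis:names:tc:opendocument:xmlns:table:1.0}formula"
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)  # http:, file:, ftp:, ... (not "#" or a path)
RISKY_FORMULA = re.compile(r"\bDDE\s*\(|file:", re.I)    # DDE() call or a file: target

def scan_xml_part(name, data):
    """Findings (part, element tag, kind, value) for one XML part of the package."""
    findings = []
    for el in ET.fromstring(data).iter():
        href = el.get(XLINK_HREF)
        if href and HAS_SCHEME.match(href):  # internal refs look like "Pictures/x.png" or "#Sheet1.A1"
            findings.append((name, el.tag, "external href", href))
        formula = el.get(TABLE_FORMULA)
        if formula and RISKY_FORMULA.search(formula):
            findings.append((name, el.tag, "risky formula", formula))
        if el.text and "file:" in el.text.lower():  # a cell holding a file: URL for INDIRECT()
            findings.append((name, el.tag, "file URL in text", el.text))
    return findings

def scan_odf(blob):
    """Scan every XML part of an ODF zip (bytes) before handing it to the converter."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if name.endswith(".xml"):
                findings.extend(scan_xml_part(name, z.read(name)))
    return findings

def build_sample():
    """Constructed ODF-like package (not a document from the talk) holding the slides' patterns."""
    content = (
        '<?xml version="1.0"?><office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<draw:image xlink:href="Pictures/logo.png" xlink:type="simple"/>'  # benign, internal reference
        '<draw:image xlink:href="http://ololo.onsec.ru/?i%27mSSRFed" xlink:type="simple"'
        ' xlink:show="embed" xlink:actuate="onLoad"/>'
        '<table:table-cell table:formula="of:=DDE(&quot;soffice&quot;;&quot;file:///PLACEHOLDER&quot;;&quot;A1&quot;)"/>'
        "<table:table-cell><text:p>'file:///etc/hosts'#$Sheet1.A1:B31</text:p></table:table-cell>"
        "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", content)
    return buf.getvalue()
```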
19. SSRF exploitation ways
• Open a new socket
• Use already opened sockets/files (authorized)
• Where can I find opened sockets/files?
20. File descriptors: basics
• Where do files come in on the SSRF theme?
• Data stream basics: sockets, files, etc.
• File descriptor - a pointer to a data stream
• Each process has its own FDs
• dup, fork, exec - O_CLOEXEC
• New data stream - new FD
• Privileges are checked when the FD is created, not on each access
21. File descriptors: API
• FDs get the lowest free number by default (easy to brute-force)
• Access to already opened FDs:
• PHP 5.3.3 <= 5.3.14 provides a special wrapper fd:// to use FDs in the simplest way (later only in CLI mode)
• Java: java.io.FileDescriptor
• Perl: open AA, '>&2'; print AA 'DataToFD';
• Python: os.open + os.write
• Ruby: fd=IO.new(99,'w'); fd.write('ToFD-№99');
• Shell I/O redirection: $ echo 123 >&2
• Privileges for chuid programs
22. File descriptors: ProcFS
• Special pseudo file system
• Common in Linux, available in FreeBSD (not by default)
• Opening /proc/<PID>/fd/<N> creates a new data stream with the same parameters (not the same as accessing the FD directly through the FD API!)
• You need two FS privileges together to access /proc:
• privileges on /proc/<PID>/fd/<N>
• privileges on the target file (but not on its directories)
• Examples:
• RHEL: /var/log/httpd/ is 0700, but access.log is 0644
• Debian: access.log is 0644 before the first rotation, then 0640
23. File descriptors: cases
• Already opened FDs:
• May have been opened with privileges greater than the current ones
• In the socket case, may already be authorized
• Typical case: starting Apache:
• open listening sockets (80, 443) as root
• open error/access logs as root
• fork children
• chuid() to www-data for all forks
• You may write to error/access logs and sockets from the child processes
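Slides 20-23 turn on which descriptors a forked or exec'd process inherits. This added audit helper (not code from the talk; Linux/Unix only, since it uses fcntl) lists the current process's own descriptors and flags the sockets and files that would survive an exec() into a helper such as a document converter; self_check() is a constructed demonstration on a scratch file.

```python
import fcntl
import os
import stat
import tempfile

def describe_fd(fd):
    """Kind of data stream behind `fd`, and whether it closes automatically on exec()."""
    mode = os.fstat(fd).st_mode
    if stat.S_ISSOCK(mode):
        kind = "socket"
    elif stat.S_ISREG(mode):
        kind = "file"
    elif stat.S_ISFIFO(mode):
        kind = "pipe"
    else:
        kind = "other"  # tty, device, anonymous inode ...
    cloexec = bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)
    return {"fd": fd, "kind": kind, "cloexec": cloexec}

def open_fds():
    """Every descriptor open in this process (Linux: /proc/self/fd; elsewhere: scan low numbers)."""
    try:
        candidates = [int(n) for n in os.listdir("/proc/self/fd")]
    except FileNotFoundError:
        candidates = range(1024)  # new FDs take the lowest free number, so low numbers suffice
    described = []
    for fd in candidates:
        try:
            described.append(describe_fd(fd))
        except OSError:
            pass  # not open any more (e.g. the directory handle listdir itself used)
    return described

def inherited_by_exec(kinds=("socket", "file")):
    """Sockets and files an exec()'d helper (converter, CGI, shell) would inherit from us."""
    return [d for d in open_fds() if d["kind"] in kinds and not d["cloexec"]]

def self_check():
    """Demo: open a scratch file, flip its inheritable bit, confirm the audit follows it."""
    fd, path = tempfile.mkstemp()
    try:
        os.set_inheritable(fd, True)   # what a dup() or a pre-O_CLOEXEC open() leaves behind
        leaked = any(d["fd"] == fd for d in inherited_by_exec())
        os.set_inheritable(fd, False)  # the O_CLOEXEC default
        leaked_after = any(d["fd"] == fd for d in inherited_by_exec())
    finally:
        os.close(fd)
        os.unlink(path)
    return leaked, leaked_after
```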
24. File descriptors: examples
• Write an HTTP packet into an opened FD to forge server output (to the current client):
fd6.write("HTTP/1.1 200 OK\r\nHost: localhost\r\n..."); // also forge logs
• Write a MySQL packet into an opened FD to run an SQL command:
fd1.write("\x22\x00\x00\x00\x03INSERT INTO aa VALUES(1,'fwrite')");
25. Database connection pool
• A pool is an array of sockets with authorized sessions
• Started when the application server starts and never closed while the app server is running
• There may be many pools with different privileges (but that makes no difference for SSRF)
26. PHP fastcgi SSRF RCE
• Set php_admin_value, php_admin_flag from the frontend
• Access fastcgi over a socket through SSRF
• run any file as a PHP script
• Set fastcgi headers in the forged fastcgi packet and overwrite php_admin_value, php_value
• allow_url_fopen + auto_prepend_file + data://text/php,<?php phpinfo();?> = RCE
• doesn't work when php_admin_{value,flag} are set in the php-fpm config
28. Memcached SSRF: easy and very dangerous
• Host-based auth in general
• TCP and UDP sockets by default
• On the same host as the webapp
• Plain-text protocol (binary also available)
• Does not close the socket after an improper request
• Only a \n (0x0a) injection is needed to do this
29. Memcached SSRF: exploitation methodology
• Collect all available keys
• Sort keys by name, determine the interesting ones
• Find interesting data
• Replace interesting data with arbitrary data
30. Memcached SSRF: inject sniffer
• Find the HTML/JS/etc. template of the login page in memcached values
• Insert your login/password JS/etc. sniffer
• Watch the sniffer's logs and get passwords ;)
• Profit
31. Memcached SSRF: dynamic templates RCE
• Find a template containing interpreter code
• Modify the code to arbitrary code
• Call the page with the target template
• Profit
32. Memcached SSRF: escalate your privileges
• Find sessions among the memcached keys
• Determine the key that contains the privileges flag of your current session (such as 'Priv')
• Modify your access level to «superadmin»
• You can also create a new «special» session with a TTL of 100 years if you want
• Profit
33. Format SSRF answer to read data (HTTP)
• In many cases webapp logic allows reading only one output format (such as images or XML)
• Use HTTP request smuggling to do this
• One connection but many requests
• If the protocol supports this, you get concatenated output
• Try the challenge http://hackquest.zeronights.org/missions/ErsSma/
34. Format SSRF answer to read data (HTTP)
$f=fsockopen("localhost",80);
fputs($f,"GET /$path HTTP/1.1\r\nHost: localhost\r\n\r\n");
Requests (one connection):
GET /1 HTTP/1.1
Host: localhost
GET /2 HTTP/1.1
Host: localhost
GET /3 HTTP/1.1
Host: localhost
Responses (concatenated):
HTTP/1.1 200 OK
...
data 1
HTTP/1.1 200 OK
...
data 2
HTTP/1.1 200 OK
...
data3
35. Format SSRF answer to read data (HTTP)
Requests (one connection):
GET /head HTTP/1.1
Host: localhost
GET /data HTTP/1.1
Host: localhost
GET /foot HTTP/1.1
Host: localhost
Responses (concatenated):
HTTP/1.1 200 OK
...
<?xml version='1.0'?><root>
<![CDATA[
HTTP/1.1 200 OK
...
i want to read this
<secret>ololo</secret>
HTTP/1.1 200 OK
...
]]></root>
while($s = fgets($f))
    $resp.=$s;
// drop the first response's headers; +4 skips the blank line so the XML declaration comes first
$resp=substr($resp,strpos($resp,"\r\n\r\n")+4);
$doc = new DOMDocument();
$doc->loadXML($resp);
echo $doc->getElementsByTagName("root")->item(0)->nodeValue;
36. Format SSRF answer to read data (HTTP)
• How do you create the header and footer you want?
• The Range HTTP header is your friend
• All web pages are your friends
• Make a mosaic of pieces - server responses
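Slides 33-36 depend on the fetching code reading to EOF, so every pipelined response lands in one buffer that is then parsed as a whole. As an added example (not code from the talk), this reader takes exactly one Content-Length-framed response and reports any surplus bytes, which is how a fetcher can refuse concatenated output instead of parsing it; RESP1..RESP3 are constructed stand-ins for the three responses on slide 34.

```python
RESP1 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\ndata 1"
RESP2 = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\ndata 2"
RESP3 = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\ndata3"
# Constructed stand-in for what the socket on slide 34 returns: three responses in one stream.
CONCATENATED = RESP1 + RESP2 + RESP3


def read_one_response(data):
    """Parse exactly one Content-Length-framed HTTP/1.x response from `data` (bytes).

    Returns (status, headers, body, leftover). The fgets()-to-EOF loop on slide 35
    folds `leftover` into the body; here it is handed back separately.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    lines = head.split(b"\r\n")
    version, _, status_reason = lines[0].partition(b" ")
    if not version.startswith(b"HTTP/1."):
        raise ValueError("not an HTTP/1.x status line")
    status = int(status_reason.split(b" ", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"transfer-encoding" in headers:
        raise ValueError("chunked framing not handled in this example")
    if b"content-length" not in headers:
        raise ValueError("unframed body: cannot tell where this response ends")
    length = int(headers[b"content-length"])
    if len(rest) < length:
        raise ValueError("truncated body")
    return status, headers, rest[:length], rest[length:]


def fetch_body_strict(raw):
    """Body of the single response we asked for; anything beyond it is treated as an incident."""
    status, _, body, leftover = read_one_response(raw)
    if leftover:
        raise ValueError(f"{len(leftover)} surplus bytes after the response (pipelined or smuggled data)")
    return status, body
```

Against the slide 35 layout the first frame ends right after the crafted /head body, so the smuggled /data and /foot responses surface as surplus rather than as CDATA content.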
37. What about images?
• A valid JPG with the data you want to read in EXIF
• GIF header and your data at EOF
• Inject data into the image header so it survives even a resize (http://ax330d.blogspot.ru/2011/06/mosaic-of-attacks-from-image-upload.html)
• PHP getimagesize() bypass (http://lab.onsec.ru/2012/05/php-all-getimage-bypass.html)
38. What about hosting centers?
• TFTP servers contain machine images
• Machines get TFTP images during netboot
• An attacker may get the images from TFTP and obtain /etc/shadow and other stuff
39. What's next?
• SSRF bible cheatsheet available now!
• https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM
• Follow us: http://lab.onsec.ru [ENG]
@d0znpp
@ONsec_lab