
Deserialization with the JavaScript for the lulz

164 views


This was my presentation for the OWASP Omaha Feb 2018 meeting. The abstract for the presentation was: "Deserialization attacks are a hot topic in security, but often times these attacks seem like magic. Exploitation of these attacks tend to happen in complex systems that require knowledge in the setup of all the things. To help you better understand why and how these attacks work, we’re using an intentionally broken system with a quick and easy setup."

Published in: Software


  1. DESERIALIZATION WITH THE JS FOR THE LULZ ANDREW FREEBORN
  2. AGENDA ▸ Background ▸ Demo ▸ What’s even going on
  3. BACKGROUND - SUB-AGENDA ▸ Why would you care? ▸ Where is this an issue? ▸ Surely there are tools to detect issues, right?
  4. TELL ME THE “SO, WHAT” FACTOR, OR HOWEVER THAT SAYING GOES ▸ The hot new vulnerability everyone has been talking about since 2015 ▸ Forshaw talked about it in 2012, but it may have been an issue for longer; my Google didn’t say
  5. MARSHALING? PICKLES? Justin: This is from Rick and Morty
  6. TOMATO, TOMATOE ▸ Marshalling, serialization, etc. are the same ▸ Example: Take an object like an integer, package it up to stream somewhere (like across the internet), and take it out of the package on the receiving end ▸ Terrible example, even Gordon hates it, and the meme isn’t relevant
  7. BINARY, 1S AND 0S ▸ https://www.geeksforgeeks.org/serialization-in-java/
  8. THIS IS WHERE THE FUN BEGINS
  9. VERY TECHNICAL PROCESS DIAGRAM
  10. BUT WHY ▸ Sometimes, programs want to be helpful ▸ The other side interprets the type of object that it received and may not be doing any type checking ▸ If the distant end gets an XML object, it’s going to call a constructor to make an XML object ▸ If the distant end gets a request to make a “shell”, it may have access to the libraries to do so and make one
  11. THIS IS ONLY A JAVA PROBLEM BECAUSE MICROSOFT, RIGHT? (LULZ) ▸ It’s a problem with any language that doesn’t automatically enforce strong typing ▸ Python, .Net, Java, Ruby, JavaScript, probably Perl as well but no one uses it ▸ Super easy to miss and requires more awareness ▸ It’s a real thing now in the OWASP Top 10!
  12. OWASP TOP TEN 2017 ▸ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
  13. EVERYONE IS TALKING ABOUT IT ▸ “Started” with Marshalling Pickles by @frohoff and @gebl ▸ Alvaro Munoz messed with Java Deserialization ▸ Apache Commons Collection was a free-for-all (FoxGlove has a great paper on this) ▸ James Forshaw, Alvaro Munoz talked about the .Net side ▸ More people are talking about this problem
  14. ARE YOU AFRAID OF THE DARK…. OR DESERIALIZATION? ▸ Your apps may be using serialization techniques without you knowing it ▸ Do you create and write files? ▸ Do you transmit things over a network? ▸ Do you even lift bro? ▸ Do you allow user defined input that could be a JSON object and use that?
  15. TOOLS CAN SOLVE THIS, RIGHT? ▸ Kinda, but if they did, these problems would already be fixed, right? ▸ There’s: ▸ Burp has plugins to investigate serialization ▸ Linters and tools like ysoserial, ysoserial.net ▸ Static / Dynamic assessment tools ▸ Postman, VSCode ▸ There’s one tool that’s better than all of those
  16. REBECCA BLACK BELIEVES IN YOU, AND SO DO I ▸ You in your environment is the best tool ▸ I couldn’t find a good enough pic of Taylor Swift pointing
  17. SHOW ME SOME TOOLS ▸ I checked out a few tools to see what I could find ▸ SWAMP
  18. TOOLS ▸ snyk.io ▸ Didn’t identify the intentional deserialization vulnerability with the free version ▸ Node Security Project may be better? BitHound.io had issues
  19. ALMOST DEMO TIME ▸ Remember when I said the best tool is you? Well you are, with knowledge of what to look for ▸ The issue is very different in each instance ▸ Alvaro exploited JSON in .Net ▸ @frohoff exploited pickling in Python ▸ Breen exploited Java and Apache ▸ Forshaw exploited XML and broken Microsoft… I mean BinaryFormatter ▸ I’m going to show something in JavaScript
  20. JUST PLEASE DEMO NOW, KTHXBAI ▸ OWASP Juice Shop will be the target ▸ JavaScript, the latest hotness ▸ NPM, Express, Angular, Rectangular, Octagon ▸ Bjorn recently added deserialization challenges ▸ Not a live demo today ▸ The screenshots are big though!
  21. DEMO: OWASP JUICE SHOP
  22. DEMO: OWASP JUICE SHOP
  23. DEMO: OWASP JUICE SHOP ▸ The tools should have picked up a few of these challenges
  24. DEMO: OWASP JUICE SHOP - 1 STAR CHALLENGES
  25. DEMO: OWASP JUICE SHOP - 5 STAR CHALLENGES
  26. DEMO: OWASP JUICE SHOP - PWNING JUICE SHOP ▸ https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/deserialization.html
  27. DEMO: OWASP JUICE SHOP - ZOOMING AHEAD
  28. DEMO: OWASP JUICE SHOP - ZOOMING AHEAD
  29. DEMO: OWASP JUICE SHOP - ZOOMING AHEAD
  30. DEMO: OWASP JUICE SHOP - DEV TOOLS ARE AWESOME ▸ A lot of challenges can be solved with the Dev Tools
  31. DEMO: OWASP JUICE SHOP - DEV TOOLS | NETWORK
  32. DEMO: OWASP JUICE SHOP - HEADERS
  33. DEMO: OWASP JUICE SHOP - AUTH TOKENS
  34. DEMO: OWASP JUICE SHOP - PAYLOAD AND CURL EXAMPLE
  35. DEMO: OWASP JUICE SHOP - CURL IN TERMINAL IS PRETTY… SAD ▸ Sending a payload with curl interacting with the API
  36. DEMO: OWASP JUICE SHOP - USING POSTMAN IS SO 2018
  37. DEMO: OWASP JUICE SHOP - POSTMAN: USING APIS THE RIGHT WAY
  38. DEMO: OWASP JUICE SHOP - LET’S SEND A NASTY GRAM
  39. DEMO: OWASP JUICE SHOP - SOLVED THE CHALLENGE, HOW BOW DAH
  40. DEMO: OWASP JUICE SHOP - RUN MY JAVASCRIPT BRO ▸ The stack trace from the exception handler
  41. DEMO: OWASP JUICE SHOP - I SEE WHAT YOU DID THERE ▸ What’s this guy do
  42. DEMO: OWASP JUICE SHOP - B2BORDER.JS <INSERT BACKSTREET BOYS JOKE>
  43. WHAT’S EVEN GOING ON ▸ Despite all of the cereal, serialization, deserialization, we as testers need to know our apps as well as possible ▸ Start with understanding the technologies used at work ▸ Play with intentionally vulnerable apps that somewhat resemble your environment ▸ Try to exploit the test apps as much as possible and see if you can find unintentional bugs, or add to the project to make new broken things ▸ In Juice Shop, you can change “vm” to “vm2” which is broken, or use “eval” instead of “not-evil” or “safeEval” ▸ Review closed issues to see what was broken and why
  44. THANKS! ▸ Slacks to join: ▸ OmaSec: https://omasec.herokuapp.com ▸ DEFCON402: Email adam@dc402.org ▸ OWASP: https://owasp.herokuapp.com ▸ More web app hackery: ▸ https://vivirytech.blogspot.com
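Slide 10 explains the mechanism (the receiving side reconstructs whatever it was sent and may do no type checking) and slide 43 names the JavaScript-specific version of it (eval instead of a restricted evaluator). The following is an added example, not code from the slides or from OWASP Juice Shop: a deserializer for a hypothetical order message written the broken way, with eval acting as the "parser", next to a hardened version that uses JSON.parse and then checks every field against an expected shape. The function names, the ORDER_SCHEMA shape and both sample messages are constructed for this illustration.

```javascript
// Added example (not from the talk or from Juice Shop): the eval-style
// deserializer the slides warn against, beside a type-checked JSON one.

// Constructed sample message a client might send to an order endpoint.
const GOOD_ORDER = '{"orderId": 42, "quantity": 3, "sku": "JUICE-001"}';

// Constructed message whose "quantity" field is a JavaScript expression
// rather than a number. An eval-based deserializer evaluates it (here it
// only sets a harmless marker); a JSON parser rejects the whole message.
const SMUGGLED_ORDER =
  '({"orderId": 42, "quantity": (globalThis.sideEffect = "ran", 3), "sku": "JUICE-001"})';

// The broken pattern: "parsing" with eval. Anything that is valid JavaScript
// is accepted and executed, so the sender controls code, not just data.
function unsafeDeserialize(text) {
  return eval(text); // eslint-disable-line no-eval
}

// Expected shape for an order: field name -> result of typeof.
const ORDER_SCHEMA = { orderId: 'number', quantity: 'number', sku: 'string' };

// Hardened version: JSON only (no functions, no expressions), then reject
// unexpected keys and enforce the primitive type of every expected field.
function safeDeserialize(text, schema = ORDER_SCHEMA) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return { ok: false, error: 'invalid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  // Unknown keys are refused. JSON.parse stores "__proto__" as an own
  // property, so it shows up in Object.keys and is rejected here too.
  for (const key of Object.keys(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      return { ok: false, error: `unexpected field "${key}"` };
    }
  }
  // Copy only the expected fields, each with the expected type.
  const out = {};
  for (const [key, type] of Object.entries(schema)) {
    if (typeof parsed[key] !== type) {
      return { ok: false, error: `field "${key}" must be ${type}` };
    }
    out[key] = parsed[key];
  }
  return { ok: true, value: out };
}

// Usage: safeDeserialize(GOOD_ORDER).ok is true, while the smuggled message,
// a string-typed quantity, or an extra "__proto__" key all come back ok: false.
```

The point of the comparison is the one slide 10 makes: the eval-based function hands the constructor, or here the interpreter, whatever the sender described, while the JSON-based one reconstructs only data and then still has to check that the data has the shape the application expects. JSON.parse alone is not the fix; the schema check after it is.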
