2. Hi!
I’m Beched, and I love hacking an solving problems.
Let’s observe overall trends and some recently
published papers, vulnerabilities and techniques,
connected with web application security.
3. Classification
Questions to classify the vulnerabilities:
• Is the exploitation technique new or known?
• Is the attack target new or known technology?
• How large is a potential attack surface?
5. Community opinion
• 30.77% of respondents from rdot.org will go
to dance a ballet, because web hacking is
gonna become way too complex =)
6. Obvious remarks
• Growth of security awareness of developers
makes their code more secure
• At the same time new products and
technologies are often released without
careful security audit
• Old software is often considered as safe and
trusty but contains severe vulnerabilities
• Business logic bugs are alive
7. Obvious remarks
• Infosec is part of CS and IT, and it inherits
global trends
• The global trend is a wide spread of various
gadgets and mobile devices
• The global trend is making houses and
vehicles smart
• The global trend is making web interfaces rich
and self-contained in the browsers
8. Take a look
• There’re loads of papers and presentations at BlackHat
archives. If we filter those, which are connected with
web security, and range the topics, we get the
following scoreboard of trends:
• client-side && mobile
• clouds && big data && social networks
• misc && classic
• TLS && SSL
• IoT && routers
• PRNG && SSRF && etc
• old soft
9. Client-side && Mobile
• Known technologies, new life
• There’re loads of papers on client-side security
• Loads of bug bounties are given for XSS or
something like that
• There’re a lot of tricky techniques, and we can
see a long war between browser developers and
XSS hunters
• Mobile browsers are also targeted. Some mobile
OS interfaces are HTML5-based, which increases
impact of XSS
10. Client-side && Mobile
DISSECTING CSRF ATTACKS & COUNTERMEASURES
JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME
MILLION BROWSER BOTNET
PIXEL PERFECT TIMING ATTACKS WITH HTML5
ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS
CLICKJACKING REVISITED: A PERCEPTUAL VIEW OF UI SECURITY
THE WEB IS VULNERABLE: XSS DEFENSE ON THE BATTLEFRONT
CALL TO ARMS: A TALE OF THE WEAKNESSES OF CURRENT CLIENT-SIDE XSS FILTERING
REFLECTED FILE DOWNLOAD - A NEW WEB ATTACK VECTOR
REVISITING XSS SANITIZATION
SAME ORIGIN METHOD EXECUTION (SOME) - EXPLOITING A CALLBACK FOR SAME ORIGIN POLICY BYPASS
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER - XSS-BASED ABUSE OF BROWSER PASSWORD
MANAGERS
TWO FACTOR FAILURE
THE INNER WORKINGS OF MOBILE CROSS-PLATFORM TECHNOLOGIES
JS SUICIDE: USING JAVASCRIPT SECURITY FEATURES TO KILL JS SECURITY
UI REDRESSING ATTACKS ON ANDROID DEVICES REVISITED
ULTIMATE DOM BASED XSS DETECTION SCANNER ON CLOUD
11. Client-side && Mobile
• UXSS, MXSS
• ChromeOS, FirefoxOS
• Browser extensions hacking
• Endless security features vs bypass war
• XSS Auditor, CSP, HttpOnly, SOP, CORS
• Funny things like RFD (reflected file download)
• OAuth bugs
12. Example
• Chrome XSS auditor breaks a lot of attacks, but in most cases it
can be bypassed, or at least an attack can be modified
• The idea is that it looks for complete tag names or attributes
from the page in the HTTP request packets
• There’re plenty of bypasses, take a look at
http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/
http://www.thespanner.co.uk/2015/02/19/another-xss-auditor-
bypass/
https://www.blackhat.com/docs/us-14/materials/us-14-Johns-
Call-To-Arms-A-Tale-Of-The-Weaknesses-Of-Current-Client-Side-
XSS-Filtering.pdf
14. Example
• Secure CMS and XSS Auditor can be spoiled with
plugins
• Look at this typographic plugin for Drupal:
var result = Typographus_Lite_UTF8.typo_text( $(this).text() );
$(this).after(result).remove();
• JQuery method after() is insecure. As a result, div
contents become HTML-decoded, and all your
reflected or stored <script> stuff becomes
active
15. Example
• OAuth is often vulnerable to open redirect due to
lack of redirect_uri validation
https://*.ru/oauth/authorize?client_id=4f81a884015911e2b24a6c626d99879
c&response_type=code&redirect_uri=http://*.ru.incsecurity.ru/&state=&sco
pe=...&action=login&csrf=69a1dc0caf28d791cb1998c8dc37a257
After authorization redirects to:
http://*.ru.incsecurity.ru/site/login?service=*&state=&code=ba0ba85
458d0db1c65792d52c8bef3c4407374b2
• Access token (code) value is enough for account
takeover
16. Clouds && Big data && Social networks
• Fairly new technologies
• Cloud computing and machine learning are
heavily used for different purposes
• As for infosec, this can be used both for attack
and defense
• Social networks and big data providers can be
exploited for deanonymization and fraud
• Machine learning can be used for building WAF
17. Clouds && Big data && Social networks
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER
WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS
BIG DATA FOR WEB APPLICATION SECURITY
FLOATING CAR DATA FROM SMARTPHONES: WHAT GOOGLE AND WAZE KNOW ABOUT
YOU AND HOW HACKERS CAN CONTROL TRAFFIC
PIVOTING IN AMAZON CLOUDS
BRINGING A MACHETE TO THE AMAZON
BABAR-IANS AT THE GATE: DATA PROTECTION AT MASSIVE SCALE
SECURE BECAUSE MATH: A DEEP-DIVE ON MACHINE LEARNING-BASED MONITORING
BLENDED WEB AND DATABASE ATTACKS ON REAL-TIME, IN-MEMORY PLATFORMS
HADOOP SECURITY: SEVEN WAYS TO KILL AN ELEPHANT
HOW TO LEAK A 100-MILLION-NODE SOCIAL GRAPH IN JUST ONE WEEK? - A REFLECTION
ON OAUTH AND API DESIGN IN ONLINE SOCIAL NETWORKS
18. Example
• Post-exploitation of distributed web applications is
often a bit tricky – you don’t exactly know which
node will process your request
• Nodes can often be enumerated via HTTP response
headers or cookies
• Sometimes some nodes are not updated and contain
vulnerabilities
• This creates mind-blowing phantom vulnerabilities =)
• Take a look at cool talk about Amazon EC2 post-
exploitation: https://www.blackhat.com/docs/us-
14/materials/us-14-Riancho-Pivoting-In-Amazon-
Clouds.pdf
19. Example
• Data providers are often used for targeted
marketing. However, their data can sometimes be
stolen and used for deanonymisation or fraud.
This is documented API request:
https://*.ru/api/id?pid=PARTNER_SHORTNAME&url=htt
p://incsecurity.ru/?adv_id=$UID
• $UID will be replaced with actual cookie value by
the server and will be sent to attacker host
• Information about user can be obtained via JSONP
hijacking, even if session id is checked.
21. Misc & Classic
• There’re a lot of works which continue previous
researches and bug reports
• They improve exploitation of classical
vulnerabilities like SQL injection and
testing/analysis methods
• The raise of penetration testing industry
pushed up demand for .NET and J2EE
applications hacking methods
22. Misc & Classic
') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION
TECHNIQUES’)%00
INVISIBILITY PURGE – UNMASKING THE DORMANT EVENTS OF INVISIBLE
WEB CONTROLS – ADVANCED HACKING METHODS FOR ASP.NET, MONO
AND RIA
CONTEMPORARY AUTOMATIC PROGRAM ANALYSIS
FINGERPRINTING WEB APPLICATION PLATFORMS BY VARIATIONS IN PNG
IMPLEMENTATIONS
I KNOW YOUR FILTERING POLICY BETTER THAN YOU DO: EXTERNAL
ENUMERATION AND EXPLOITATION OF EMAIL AND WEB SECURITY
SOLUTIONS
WHAT GOES AROUND COMES BACK AROUND - EXPLOITING
FUNDAMENTAL WEAKNESSES IN BOTNET C&C PANELS!
SCALA SECURITY: EXAMINING THE PLAY AND LIFTWEB FRAMEWORKS
23. Example
• The paper about hacking C&C panels reminded
me of the RCE vulnerability in Zeus C&C, which I
published near 2010. I opened these links now:
http://ahack.ru/bugs/zeus-vulnerability-
exploit.htm
https://github.com/Visgean/Zeus/
• Guess what I see there since 5 years? ;)
24. Example
• The name of function has changed, but vulnerability is still there,
AFAICS
...
function fsarcCreate($archive, $files)
...
$cli = 'zip -r -9 -q -S "'.$archive.'" "'.implode('" "', $files).'"';
exec($cli, $e, $r);
...
foreach($_POST['files'] as $file)$list[] = $_CUR_PATH.'/'.$file;
...
if(!function_exists('fsarcCreate') || ($arcfile = fsarcCreate($arcfile, $list))
=== false)die('Failed to create archive, please check
"system/fsarc.php" script.');
...
25. Example
• This is a small example, probably there’re more critical
vulnerabilities in this popular botnet C&C. BTW, how
do you find vulnerabilities in the source code?
• Paper on contemporary automatic program analysis
mostly tells about grep =)
• Personally I use grep with lovely regular expressions:
w*(include|require)(_once)?[s(]+(?!s*('[^']*'|"[^"]*"|
)[@s.]*(urlencode|rand|rawurlencode|basename|le
venshtein|doubleval|sizeof|base64_encode|strlen|flo
or|crypt|strrpos|filter_input|abs|bin2hex|bindec|has
h|intval|max|decbin|strpos|crc32|ord|md5|count|sh
a1|min|pathinfo|floatval|round|hexdec)s*()[^;]*$.
*
27. Example
• 2014 has gone, and here comes 2015, but PHP
and Apache are still broken
• Several UAF vulnerabilities in PHP fixed
recently, still a lot of restriction bypasses and
RCE vulnerabilities live deep there
• Apache has not yet learnt RFC
• Other popular miscellaneous words among
hackers: NoSQL, SSJS, SCADA, SAP
28. TLS && SSL
• As old as the world
• There’re still a lot of misconfiguration issues
with HTTPS
• Also there’re a lot of scary words like BEAST,
CRIME, BREACH, HeartBleed, POODLE,
SSLStrip and others
• Many configuration mistakes are result of
trade-off between performance and security
29. TLS && SSL
SSL, GONE IN 30 SECONDS - A BREACH BEYOND
CRIME
TLS 'SECRETS'
TRUNCATING TLS CONNECTIONS TO VIOLATE BELIEFS
IN WEB APPLICATIONS
A PERFECT CRIME? ONLY TIME WILL TELL
THE BEAST WINS AGAIN: WHY TLS KEEPS FAILING TO
PROTECT HTTP
BYPASSING HTTP STRICT TRANSPORT SECURITY
30. IoT && Routers
• This is one of the most popular new IT trends
everyone heard about
• New means untested. Untested means
vulnerable
• Seriously, the Internet of things is broken, and
many yell about it
• People hack RF protocols of alarms, people find
smart houses without doors via Shodan, etc,
etc
31. IoT && Routers
EXPLOITING NETWORK SURVEILLANCE CAMERAS
LIKE A HOLLYWOOD HACKER
HOME INVASION V2.0 - ATTACKING NETWORK-
CONTROLLED HARDWARE
A SURVEY OF REMOTE AUTOMOTIVE ATTACK
SURFACES
ABUSING THE INTERNET OF THINGS: BLACKOUTS,
FREAKOUTS, AND STAKEOUTS
OWNING A BUILDING: EXPLOITING ACCESS
CONTROL AND FACILITY MANAGEMENT SYSTEMS
35. Example
• BTW, side note: why doesn’t XSS Auditor
perform HTTP response splitting check?
• As you could see on the screenshot above,
response splitting kills XSS Auditor, because
we can inject header X-XSS-Protection: 0.
36. PRNG && SSRF && etc
• XXE, SSRF and randomness hacking were hot
topics of 2012-2013
• They are popular today too, new applications
and attack vectors are developed
37. PRNG && SSRF && etc
BLACK-BOX ASSESSMENT OF PSEUDORANDOM
ALGORITHMS
XML OUT-OF-BAND DATA RETRIEVAL
THE NEW PAGE OF INJECTIONS BOOK:
MEMCACHED INJECTIONS
ICSCORSAIR: HOW I WILL PWN YOUR ERP
THROUGH 4-20 MA CURRENT LOOP
38. Example
• Autodiscover interface in OWA reveals an internal
IP address of the mail server
• Ev.owa interface with cPfdDC parameter can be
used to send some LDAP requests and connect to
different hosts (“domain controllers”)
Microsoft.Exchange.Data.Directory.SuitabilityVerifie
r.CreateConnectionAndBind(String fqdn, Int32
portNumber, NetworkCredential credential)
• If there was bypass for anti-CSRF canary, you
could possibly steal NTLM credentials
39. Example
• vBulletin forum CMS allows to upload attachments
from remote URL (class_upload.php,
class_vurl.php)
• First it checks the file size via HEAD request, then it
downloads the file
• You can use HTTP multiplexor to exploit race
condition and return code 200 and valid file size
for the first request and 302 redirect for the
second request
• Some configuration options and old versions of
cURL allow file:// URL wrapper in Location header
40. Old soft
• We’ve witnessed several critical vulnerabilities
in well-known and widely used software in
2014
• HeartBleed, GHOST, ShellShock, POODLE, goto
fail, etc
• Probably it’s an important moment, when we
stop trusting and begin reviewing all the
fundamental old software that we use
everywhere
41. Old soft
EPIDEMIOLOGY OF SOFTWARE
VULNERABILITIES: A STUDY OF ATTACK
SURFACE SPREAD
SSL VALIDATION CHECKING VS. GO(ING) TO FAIL
42. Example
• Although these famous vulnerabilities are not
caused by web applications, they deeply affect
them
• ShellShock and GHOST affect webapp<->OS
interaction layer
• HeartBleed, goto fail, POODLE, affect mainly
webapp<->encryption<->network interaction
layer
43. Example
• This is another proof of why shouldn’t we
consider any part of the software as trusted.
Each component of the system can be broken
• BTW, newspapermen also started the era of
nicknames for vulnerabilities
• I find this a bit ridiculous but funny =)
44. Summary
• The Internet is broken
• The WWW is broken
• Hackers gonna hack
• Web applications become smarter
• Hacking becomes smarter