Сканирование с использованием бэкслэша: подключаем интуицию
•
2 j'aime•709 vues
This document describes a technique called "backslash powered scanning" for automating vulnerability detection. It addresses the limitations of traditional scanners by iteratively probing websites using "probe pairs" to identify suspicious behaviors rather than scanning for known vulnerabilities. Probe pairs allow the technique to interrogate websites as a "black box" to determine input contexts and available functions. Attributes of responses are compared to gather evidence of potential vulnerabilities, which are then further explored. The technique aims to solve the "million payload problem" of testing all inputs and contexts exhaustively.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Сканирование с использованием бэкслэша: подключаем интуицию
Similaire à Сканирование с использованием бэкслэша: подключаем интуицию (20)
Plus de Positive Hack Days
Plus de Positive Hack Days (20)
Dernier
Dernier (20)
Сканирование с использованием бэкслэша: подключаем интуицию
- 1. BACKSLASH POWERED SCANNING James Kettle AUTOMATING HUMAN INTUITION
- 2. ©PortSwigger Ltd 2017 All Rights Reserved marketizer1 Invalid username or password
- 3. ©PortSwigger Ltd 2017 All Rights Reserved OUTLINE • The three failures of scanners • Solving the 'Million Payload Problem' • Black-box interrogation • Exploit iteration • Payload sets • Findings&illustrations • Further research • Q&A
- 4. ©PortSwigger Ltd 2017 All Rights Reserved WHOAMI @albinowax Head of Research at PortSwigger Web Security My Background: pentesting & bug-bounty hunting I automate vulnerability detection: • Cross-Site Request Forgery, PRSSI/RPO, Burp Collaborator • Server-Side Template Injection
- 5. ©PortSwigger Ltd 2017 All Rights Reserved BLIND SPOT 1/3: RARE TECHNOLOGY • Security through obscurity works (versus scanners) • How many types of Server-Side Template Injection does your scanner support? • 2014: { } {Amber, Apache Velocity, action4JAVA, ASP.NET (Microsoft), ASP.NET (Mono), AutoGen, Beard, Blade, Blitz, Casper, CheetahTemplate, Chip Template Engine, Chunk Templates, CL-EMB, CodeCharge Studio, ColdFusion, Cottle, csharptemplates, CTPP, dbPager, Dermis, Django, DTL::Fast (port of Django templates), Djolt-objc, Dwoo, Dylan Server Pages, ECT, eRuby, FigDice, FreeMarker, Genshi (templating language), Go templates, Google-ctemplate, Grantlee Template System, GvTags, H2o, HAH, Haml, Hamlets, Handlebars, Hyperkit PHP/XML Template Engine, Histone template Engine, HTML- TEMPLATE, HTTL, Jade, JavaServer Pages, jin-template, Jinja, Jinja2, JScore, Kalahari, Kid (templating language), Liquid, Lofn, Lucee, Mako, Mars- Templater, MiniTemplator, mTemplate, Mustache, nTPL, Open Power Template, Obyx, Pebble, Outline, pHAML, PHP, PURE Unobtrusive Rendering Engine, pyratemp, QueryTemplates, RainTPL, Razor, Rythm, Scalate, Scurvy, Simphple, Smarty, StampTE, StringTemplate, SUIT Framework, Template Attribute Language, Twital, Template Blocks, Template Toolkit, Thymeleaf, TinyButStrong, Tonic, Toupl, Twig, Twirl, uBook Template, vlibTemplate, WebMacro, ZeniTPL, BabaJS, Rage, PlannerFw, Fenom} http://artsploit.blogspot.co.uk/2016/08/pprce2.html
- 6. ©PortSwigger Ltd 2017 All Rights Reserved BLIND SPOT 2/3: Variants & filters • How do we detect blind eval() injection? ".sleep(10)." • If parenthesis is filtered? False Negative ".`sleep 10`." • If there's a WAF? False Negative ".sl%D0%B5ep(10)." (Cyrillic е) • If " is filtered? False Negative {${sleep(10)}} • SQLi in double quotes
- 7. ©PortSwigger Ltd 2017 All Rights Reserved BLIND SPOT 3/3: Buried vulnerabilities GET /search/?q=david HTTP/1.1 Host: sea.ebay.com.sg User-Agent: Mozilla/5.0 etc Firefox/49.0 Accept: text/html Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://sea.ebay.com.sg/ Cookie: session=pZGFjciI6IjAkLCJlx2V4cCI6MTA4 Connection: close Origin: null X-Forwarded-For: 127.0.0.1 X-Forwarded-Host: evil.com http://secalert.net/2013/12/13/ebay-remote-code-execution/ &q[1]=sec{${phpinfo()}}
- 8. ©PortSwigger Ltd 2017 All Rights Reserved THE MILLION PAYLOAD PROBLEM •For every request •For every input • For every vulnerability class • For every technology • For every variant • For every filter • Send the payload!
- 9. ©PortSwigger Ltd 2017 All Rights Reserved IDENTIFYING SUSPECTS Don't scan for vulnerabilities Scan for suspicious behavior Iteratively gather evidence
- 10. ©PortSwigger Ltd 2017 All Rights Reserved text=foo 200 OK text=foo' 500 Error text=foo' 200 OK PROBE-PAIR FUZZING • You have an error in your SQL syntax… • Invalid input
- 11. ©PortSwigger Ltd 2017 All Rights Reserved ' ' VULN PROBE-PAIR CONTROL FLOW VULNVULN MATCH MATCH NO MATCH NO MATCH
- 12. ©PortSwigger Ltd 2017 All Rights Reserved BLACK-BOX INTERROGATION Question Probe pair Am I in a single-quoted string? Am I in a numeric context? Am I in a file path? Am I a function invocation? Am I in a JSON value? z'z vs z'z X/0 vs X/1 ","a"," vs ","a":" sprintg vs sprintf ./../x vs ././x
- 13. ©PortSwigger Ltd 2017 All Rights Reserved BLACK-BOX ITERATION Question Probe pair What type of quotes am I in? How can I concatenate? Can I call a generic function? Which language am I executing? z'z vs z'z z"z vs z"z z"z"z vs z"."z z"z"z vs z"||"z z"z"z vs z"+"z "+abz(1)+" vs "+abs(1)+" "+phpversioz()+" vs "+phpversion()+" "+to_numbez(1)+" vs "+to_number(1)+" "+isFinitez(1)+" vs "+isFinite(1)+"
- 14. ©PortSwigger Ltd 2017 All Rights Reserved Attributes: status code, content type, tag structure, line count, word count , input reflection count, keyword count, leading/trailing characters We need at least one attribute with two properties • Consistently different between probe1 and probe2 • Consistently the same across repeats Burp Extender API: responseDetails.updateWith(response1); responseDetails.updateWith(response2); List<String> consistentDetails = responseDetails.getInvariantAttributes(); RESPONSE COMPARISON
- 15. ©PortSwigger Ltd 2017 All Rights Reserved foo 200 1393 25 foo' 200 1392 23 foo' 200 1393 24 String - apostrophe foo' foo' word_count 1392 1393 Evidence Probe Code Words Lines
- 16. ©PortSwigger Ltd 2017 All Rights Reserved Probe Code Words 7 200 139 7/0 500 27 7/1 200 121 7/0 500 27 7/1 200 142 Divide by 0 /0 /1 status_code 500 200 word_count 27 *121* Released today Evidence
- 17. ©PortSwigger Ltd 2017 All Rights Reserved PROBE SELECTION&DELIVERY •Random content • Repeat probes •Alternating responses • Shuffle probe order •Deterministic random content • Use probe batches (cosmetic) • Before: 7/0 vs 7/1 • After: {7/0, 7/00, 7/0*0} vs {7/1, 7/01, 7/1*1}
- 18. ©PortSwigger Ltd 2017 All Rights Reserved 221 965 221' 965 221/0 327 221/1 327 221,abz(1) 0 221,abs(1) 965 221,abs(0,1) 0 221,abs(01) 965 221,power(current_request_idz(),0) 0 221,power(current_request_id(),0) 965 221,power(current_request_ic(),0) 0 221,power(current_request_id(),0) 965 SAMPLE REQUEST LOG
- 19. ©PortSwigger Ltd 2017 All Rights Reserved HUNTING FINDINGS
- 20. ©PortSwigger Ltd 2017 All Rights Reserved TESTING AT SCALE • Requirements • Per-domain throttling • High net speed • Attack-surface optimisation • distributeDamage • Interleave target hosts • Extract URLs to file for spidering • Scan each parameter once per site per response type
- 21. ©PortSwigger Ltd 2017 All Rights Reserved SAMPLE - MySQLi Basic fuzz z`z'z" `z'z" content_length 5357 5263 String - apostrophe z'z z'z Concatenation: '|| z||'z'z zz'||'z Basic function injection '||abz(1)||' '||abs(1)||' MySQL injection '||power( unix_timestanp(),0 )||' '||power( unix_timestamp(),0 )||'
- 22. ©PortSwigger Ltd 2017 All Rights Reserved SAMPLE – TRICKIER String - doublequoted " " error 1 0 tag_count 3 0 Concatenation: ". ."z"z z"."z error 1 0 tag_count 3 0 Interpolation: dollar ${{ }}$ error 1 0 tag_count 3 0
- 23. ©PortSwigger Ltd 2017 All Rights Reserved SAMPLE - INTERRUPTED Order-by injection ,abz(1) ,abs(1) word_count *0* 1023 MSSQL Injection ,power( current_request_iz() ,0) ,power( current_request_id() ,0) word_count 0 1023 403 Forbidden
- 24. ©PortSwigger Ltd 2017 All Rights Reserved SAMPLE – REGEX INJECTION java.lang.illegalargumentexception: character to be escaped is missing java.util.regex.matcher.appendreplacement(matcher.java:809) org.tuckey.web.filters.urlrewrite.utils.regexmatcher.replaceall(regexmatcher.java:72) GET /folder?q=foo0bar HTTP/1.1 HTTP/1.1 301 Moved Permanently Location: https://zz.com/folder/?q=foohttp://zz.com/folder/bar Backslash ( vs ) Regex breakout: q=foo/<regex flags> q=${sleep(1)}/e%00
- 25. ©PortSwigger Ltd 2017 All Rights Reserved SAMPLE - FALSE POSITIVE WAF grepping for 'substr' Fixed by adding substr('',0,9) vs substr('',0,0) Function Injection '||substrz('',0,0)||' '||substr('',0,0)||' status_code 302 403
- 26. ©PortSwigger Ltd 2017 All Rights Reserved SAMPLE - INTEL •A WAF is re-writing requests to remove comments •Use this to bypass browser XSS filters Comment Injection 0/**z'*/ 0*/*/z'*/ status_code 200 500 Tag stripping 0->zz<- <-zz-> status_code 200 500 Released today
- 27. ©PortSwigger Ltd 2017 All Rights Reserved MYSTERY SAMPLE Backslash <div 24 32 Escape - unicode g0041 u0041 <div 24 32 Released today String - singlequoted z' z' <div 24 32
- 28. ©PortSwigger Ltd 2017 All Rights Reserved http://example.com/?q=pub ->http://backend/?q=pub&city=london http://example.com/?q=pub%26city=';exploit%23 ->http://backend/?q=pub&city=';exploit#&city=london HTTP PARAMETER POLLUTION Backend Parameter Injection $<x%zz &<x%zz status_code 500 200 Released today
- 29. ©PortSwigger Ltd 2017 All Rights Reserved HPP – BACKEND PARAMETER GUESSING Released today Backend param: city %26city=<a'"<% %26cityz=<a'"<% <script count 5 11 <div count 89 1095
- 30. ©PortSwigger Ltd 2017 All Rights Reserved COLD-START BRUTEFORCE ATTACKS •Enumerating inputs with no prior knowledge •parameters •usernames/passwords •files/folders •gadgets/classes
- 31. ©PortSwigger Ltd 2017 All Rights Reserved ENUMERABLE INPUT DETECTION /edit_profile?id=734 •Is id enumerable? •id=734, id=735 and id=736 are distinct •Is there a finite number of entries? •id=100735 and id=100736 are the same
- 32. ©PortSwigger Ltd 2017 All Rights Reserved RESOURCES Backslash Powered Scanner code: https://github.com/portswigger/backslash-powered-scanner DistributeDamage code: https://github.com/portswigger/distribute-damage Original whitepaper: http://blog.portswigger.net/2016/10/backslash-powered-scanning.html
- 33. ©PortSwigger Ltd 2017 All Rights Reserved TAKE-AWAYS @albinowax Email: james.kettle@portswigger.net Scanners can find research grade vulnerabilities Enhance, don't replace, the pentester This is still just the beginning
Notes de l'éditeur
- Imagine if you could conduct a pentest, and only do the interesting bits Skip the hours of repetitive fuzzing and trawling through meaningless results, and jump straight to that one page that reacts in a mysterious way to your every input that turns out to be code injection into a language you'd never even heard of, or SQLi behind a heavyweight filter that *almost* stops you from cracking open the database. The kind of page no black-box vulnerability scanner would ever find. In this session, I'll share with you the conception and development of a new type of scanner that can find *research grade* injection vulnerabilities 45 plus questions
- This all got started around four years ago. I'd just started a pentest on a company we'll call marketizer, and I had a problem that's probably familiar to many of you. No credentials. This was really upsetting. Just from the 90s visual design of the login page I could hear vulnerabilities screaming out at you? No attack surface Didn't even know a valid username. when I did get access, dumped out passwords naturally stored in plaintext and found director's password: [companyName1] His username was more secure than his password next time, I'll get access before the client gives me credentials. Letmein Sometimes it worked spectacularly, but it mostly failed horribly while trying to fix it, realised if I could use the response diffing tech for something far cooler, and that's what I'm here to share with you today
- Three huge blind spots = million payload problem I've avoided these issues by using a new approach, implemented in an open source scanner Showcase the results of running this on live sites By the end you'll know why scanners suck, how to build and modify a better scanner, how to use that scanner for maximum effectiveness
- I work at portswigger where we make a tool you may have heard of called burp suite My role is to design scanner checks So although I'm about to spent some time slagging off scanners, it's coming from a position of respect I think scanners are great I know they aren't close to their full potential at the moment I also research new vulnerabilities. I spoke at black hat USA about a new type of vulnerability called Server-Side Template Injection. One of the objectives is to make a scanner that can do research for me.
- Those are just the well known ones @artsploit got RCE on demo.paypal.com via Dust.js There's a huge tail of obscure tech. If you use it scanners will miss vulnerabilities, Can happen in unexpected ways. For example, some scanners read the etc passwd file to identify XXE and LFI. Using SELinux can prevent a scanner from finding LFI. (the vuln still exists). That's pretty bad.
- So, we're limited to languages we explicitly support like, say, PHP But how well can we do those? of these three examples, two are from pentests Most scanners will miss SQLi in double quotes
- Assuming vulnerability is in a known technology, and there are no filters Found because q has a spellchecker
- Scanners can't do this, so they're reduced to best-effort payloads Leads to people saying "scanners are good for finding low-hanging fruit" which is a statement that breaks my heart what we need and deserve is a scanner that finds high hanging fruit
- If we want to make a scanner that doesn't have these blind spots, we need to harness the intuition that human testers have Rather than sending a specific payload that says "find me injection into a double-quoted string being evaluated in PHP", we send a generic payload that says "find me something suspicious" If they find something interesting, they focus on that area and gather further evidence
- Concept: pairs of probes To build something powerful, we need to start out with something crude and simple This payload is about as simple as it gets "nice try but there's no sqli here" as a human, we can look at see what's going on scanners try to simulate this by grepping for error messages: flawed – miss handled exceptions We can use a property of the vulnerability to send a payload that is really similar but doesn't break everything I'm going ot show you is built on this concept of pairs of almost identical probes
- Concept: visual overview of last slide base response - application's original response before we did any tampering Does it change if we supply ' once again, we have something that's very efficient Does it change back if we supply \' => something interesting is happening the application is probably putting out input in a single quoted string this decision tree underlies all the probe pairs
- Using this concept of probe-pairs, we can ask questions of the application You've already seen how to ask if we're in a single-quoted string You can also ask... This is a tiny sample of the questions you can ask If you can think of a vulnerability you can express as a probe pair, you can add it yourself in five lines of code.
- Concept: iteration So that's cool, but the true power we can use the answers from these questions to decide what to do next This can detect variants, it can handle filters, it can handle unknown languages This is just one possible outcome from hundreds of combinations Iteration makes this highly efficient - one request to majority of inputs So it addresses all three blind spots!
- I've got ahead of myself slightly - haven't defined how to know when two responses are different simple equality will never work - meaningless junk In order to use probes, we need to answer the question 'are these two responses significantly different'? Originally tried to solve this by generating a regular expression Most important thing to note is that at no point do we predict what effect a specific payload will have on the application
- Here's a simple example - one valid attributes This scanner has found real sqli vulnerabilities where the only tell is a single word disappearing If there are multiple valid attributes they'll all appear in a table
- Status code is normal But the word count isn't static - it's changing randomly Two causes - words attribute is overloaded, or our payload flawed As of todays update, italics + starred Should be taken with a pinch of salt
- This diffing strategy is good, but we need to back it up with carefully crafted probes Although the probe pairs look quite simple, the way they're chosen and delivered is really important. This approach will only work if Cosmetic variations
- hopefully made sense View from server log
- This isn't relevant to interpreting results, so it could be skipped Application expects specific input value Syntax error indistinguishable from incorrect value
- that's enough about how the scanner works in theory
- 'Black box' doesn't do this justice
- The goal was to be polite and avoid flooding people with traffic, but the result (if you're just using backslash powered scanner) is really quite stealthy. From the server's point of view, you're sending a tiny number of innocuous payloads really slowly. So it might come in useful if you're on a red team.. .mil blah
- Helps to think of the scanner as a highly enthusiastic rookie security tester Give them a well known vulnerability with no filters, they will identify exactly what's happening Real report from a live website That's cool but no better than any other scanner really.
- The strength of this scanner will tell you "I've found something interesting" This was the first critical vuln my scanner found Can anyone tell me what this is? Yep, blind spot #2. PHP with parenthesis filtered out Missed because the input was in the path Kind of thing you expect from an internet of crap device, not a household name website
- Whenever you see a partial issue, you can be sure things won't be straightforward When I tried to verify, all requests were being blocked by a WAF - got ip banned! Affects over 100 servers guess other scanners got banned before they finished the scan
- if you spend hours investigating, possibly the most disappointing outcome
- False positives are caused by flaws in the probe pairs, The ones in backslash powered scanner have been gradually refined But if you add your own probes, you'll need to refine then Something's odd – 403 on valid function Example of why payloads should be as similar as possible By bringing the payloads syntactically closer, we've avoided the vulnerability
- Another use of iteration!
- Almost matches Java eval on single-quoted regex \" causes an error when it shouldn't
- Server-side HTTP Parameter pollution If the frontend fails to URL-encode the input, they can injection extra paramters
- after implementing that, got flooded
- http://ir.teslamotors.com/corporate-governance-document.cfm?DocumentID=7152 /1 /0 /(1-1) /(1-0) /12 /13 -1 -0 HPP on yahoo? Facebook?
- It's easy to enumerate usernames if you start with a username you know is valid. It's the same for parameters – you don't know in advance what the response to a valid parameter will be Files/folders easy to do basic, needs this to be reliable (hello mass assignment&extract) Edge case detection: Integer overflows {2147483647 vs 2147483648}
- With a bit of creativity, we can go far beyond injection vulnerabilities As a human, you can read that URL and know what it does All the scanner sees is an input that's a number Enumerable – we're accessing a set of items. Need three unique responses because if we get two, then it could be the intended response, and something saying 'invalid id' Kinda works but it will find things like calendars and other things than transform your input. We can filter out such things by asking the question.. Prototype of this has found all kinds of crazy things, planning on implementing next week
- If you simply want to install it, it's in the bapp store This is not one of those security tools that gets released in a presentation and never updated. It has huge potential and I'm planning on loads of improvements to it over the next few months.