Blended Threat Concept in Web Applications - DefCamp 2012
Transcript of Blended Threat Concept in Web Applications - DefCamp 2012
![Page 1: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/1.jpg)
“Blended Threat” Concept in web applications
Bogdan Sergiu Dragos
a.k.a. Domnul.Do
Student at Drăgan European University in Lugoj
![Page 2: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/2.jpg)
Legal Disclaimer
This is only a proof of concept, for demonstration purposes only.
![Page 3: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/3.jpg)
“Blended Threat Concept”
• It has no clear definition, because it is more a concept than a specific attack.
• But we have the following definitions from different sites:
![Page 4: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/4.jpg)
Blended Threat Concept
• Definition from Wikipedia:
“A blended threat is a software vulnerability which in turn involves a combination of attacks against different vulnerabilities. For example, many worms, a trojan horse and a computer virus exploit multiple techniques to attack and propagate. It is a kind of computer threat.”
Link: http://en.wikipedia.org/wiki/Blended_threat
![Page 5: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/5.jpg)
Blended Threat Concept
• Definition from TrendMicro:
“(…) A blended threat refers to a single threat that attacks via multiple vectors (e.g., a worm gains entry via email and then leverages back-door vulnerabilities for further infection and destruction).”
Link:
http://apac.trendmicro.com/apac/threats/enterprise/threats-summary/blended-threats/
![Page 6: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/6.jpg)
Blended Threat Concept
• My own definition:
“A Blended Threat is a non-limited vector that needs two or more different, mutually dependent attacks to manipulate the usual application logic.”
![Page 7: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/7.jpg)
History of Blended Threats
• The person who introduced this kind of method was Billy (BK) Rios
• In his presentation “Will it Blend”
• With this PoC: “Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform”
![Page 8: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/8.jpg)
The P.o.C
My proof of concept is:
• In a Yahoo! service called YQL
• Based on CSRF and one user interaction
In this presentation I will show a method to validate YQL commands without the console, more exactly:
• To change the status in the Yahoo! Profile
YQL = Yahoo! Query Language
![Page 9: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/9.jpg)
What is YQL
YQL is:
• A SQL-like language
• A cloud service
• We can create APIs, or use other APIs and manipulate the results in the “cloud”
• We can issue authenticated YQL commands against Yahoo! Inbox or Yahoo! Profile
![Page 10: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/10.jpg)
YQL – Open Data Tables
• A way to connect to a remote web API (endpoint) and describe what to do with the data that comes back
• How it looks:
![Page 11: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/11.jpg)
YQL-Open Data Table Example
![Page 12: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/12.jpg)
YQL – Use verb
• We can use simple server-side JavaScript in the <execute> element of the table XML; here are some examples:
• To make a request we use the request object: request.accept('application/json').header('Authorization', '…').query('searchterm', 'foo').get()
• response.object transmits the final result to the user: response.object = data
![Page 13: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/13.jpg)
YQL – JS API
• Some key features, what it can do:
- use external JS files
- convert between XML and JSON
- run other YQL statements from inside a YQL statement
![Page 14: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/14.jpg)
How it looks in the console
Link: http://developer.yahoo.com/yql/console/#h=update%20social.profile.status%20set%20status%3D%22EasterEgg%22%20where%20guid%3Dme
The URL fragment decodes to the statement: update social.profile.status set status="EasterEgg" where guid=me
![Page 15: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/15.jpg)
How it looks at the request level
• First, the console reads the crumb (the Yahoo! anti-CSRF token)
• Second, the console sends the YQL command together with the crumb to the “cloud”
![Page 16: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/16.jpg)
First step: Read the crumb
Note: the crumb is generated whether or not the user is logged in
![Page 17: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/17.jpg)
Second step: Sending the data
![Page 18: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/18.jpg)
The P.o.C
• I have the “location” of the crumb
• I know where to send the data, but how to convince the user to give us the crumb?!
• It’s simple …
![Page 20: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/20.jpg)
Meanwhile …
• Why do dogs (and other animals) eat poop?
“Herbivores such as rabbits eat their own poop because their diet of plants is hard to digest efficiently, and they have to make two passes at it to get everything out of the meal.”
![Page 21: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/21.jpg)
The P.o.C
This is another version of the attack named “Fake Captcha” by Kotowicz: the page that displays the crumb is loaded in a frame dressed up as a CAPTCHA, and the victim copies the token into the attacker’s form, believing they are solving the challenge. That single interaction hands the attacker the crumb the CSRF request needs.
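The following is an added example, not code from the slides or from Yahoo!, that models the two-step console flow (read the crumb, then send the command with it) and the fake-captcha blend above. The session and crumb bookkeeping, the `attacker.example` origin and the function names are assumptions for illustration; the point it shows is that a per-session token stops a plain cross-site request, but not one that carries a token the victim was tricked into copying out of a framed page.

```javascript
// Added example (not from the slides): a minimal model of a crumb-protected
// endpoint. The session/crumb bookkeeping is an assumption for illustration,
// not Yahoo!'s implementation.

const sessions = new Map(); // session cookie -> { user, crumb, status }

// Constructed pseudo-random token; adequate for a model, not for production.
function randomToken() {
  let t = '';
  for (let i = 0; i < 16; i++) t += Math.floor(Math.random() * 36).toString(36);
  return t;
}

// Each session gets its own crumb at creation; the console's first step simply
// reads it back for the caller's own session.
function login(user) {
  const cookie = randomToken();
  sessions.set(cookie, { user, crumb: randomToken(), status: '' });
  return cookie;
}

function readCrumb(cookie) {
  const s = sessions.get(cookie);
  return s ? s.crumb : null;
}

// The console's second step: the status update is accepted only when the
// crumb in the request matches the one bound to the session the cookie names.
function updateStatus(req) {
  const s = sessions.get(req.cookie);
  if (!s) return { ok: false, reason: 'no session' };
  if (!req.crumb || req.crumb !== s.crumb) return { ok: false, reason: 'bad crumb' };
  s.status = req.status;
  return { ok: true, status: s.status };
}

// Plain CSRF: a cross-site form POST from attacker.example (constructed origin)
// carries the victim's cookie automatically, but the attacker's page cannot
// read the crumb, so the forged update is rejected.
function plainCsrf() {
  const victimCookie = login('victim');
  return updateStatus({ cookie: victimCookie, crumb: null, status: 'EasterEgg' });
}

// A crumb minted for the attacker's own session does not help either: it is
// bound to that session, not to the victim's.
function attackerOwnCrumb() {
  const victimCookie = login('victim');
  const attackerCookie = login('attacker');
  return updateStatus({ cookie: victimCookie, crumb: readCrumb(attackerCookie), status: 'EasterEgg' });
}

// Blended: the fake-captcha step tricks the victim into copying the crumb out
// of the framed console page into the attacker's form. The same cross-site
// POST now carries a crumb that is valid for the victim's session.
function blendedCsrf() {
  const victimCookie = login('victim');
  const pastedByVictim = readCrumb(victimCookie); // what the victim "solves"
  return updateStatus({ cookie: victimCookie, crumb: pastedByVictim, status: 'EasterEgg' });
}

console.log('plain CSRF       ->', plainCsrf());
console.log('attacker crumb   ->', attackerOwnCrumb());
console.log('blended (leaked) ->', blendedCsrf());
```

The model deliberately has no framing check: the token scheme is sound on its own, and the blend works only because the page that displays the crumb can be embedded and read by the victim on an attacker-controlled page.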
![Page 22: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/22.jpg)
The source of the P.o.C
![Page 23: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/23.jpg)
How to gather the status
We can confirm the change by running the YQL command:
Link:
http://developer.yahoo.com/yql/console/#h=select%20message%20from%20social.profile.status%20where%20guid%3Dme
The URL fragment decodes to the statement: select message from social.profile.status where guid=me
![Page 24: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/24.jpg)
My recommendation is:
It is enough to add the response header:
“X-FRAME-OPTIONS”
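As an added example, not part of the slides, the check below evaluates a set of response headers and reports whether a foreign origin may frame the page, which is the precondition the fake-captcha step depends on. The header samples are constructed: one without protection, one with the X-Frame-Options header the slides recommend, and one with the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present. The `attacker.example` origin and the function names are assumptions; only exact-origin source matching is implemented.

```javascript
// Added example (not from the slides): does this response let framerOrigin
// embed the page served at pageOrigin? Header samples are constructed.
function framingVerdict(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim()).find(d => d.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1); // exact origins only; no wildcard handling
    if (sources.includes("'none'")) return 'blocked';
    if (sources.includes("'self'") && framerOrigin === pageOrigin) return 'allowed';
    if (sources.includes(framerOrigin)) return 'allowed';
    return 'blocked';
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === '') return 'allowed'; // no framing protection at all
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin ? 'allowed' : 'blocked';
  // ALLOW-FROM never had cross-browser support; do not rely on it.
  return 'unreliable';
}

const PAGE = 'https://developer.yahoo.com';  // origin of the framed console page
const ATTACKER = 'https://attacker.example'; // constructed attacker origin

// Weak: no framing restriction, as the attack requires.
const weakHeaders = { 'Content-Type': 'text/html; charset=utf-8' };
// Fixed as the slides recommend.
const xfoHeaders = { 'Content-Type': 'text/html; charset=utf-8', 'X-Frame-Options': 'DENY' };
// Modern equivalent; the CSP directive wins even with a permissive X-Frame-Options.
const cspHeaders = { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'none'" };

function auditAll() {
  return {
    weak: framingVerdict(weakHeaders, PAGE, ATTACKER),
    xfo: framingVerdict(xfoHeaders, PAGE, ATTACKER),
    csp: framingVerdict(cspHeaders, PAGE, ATTACKER),
  };
}

console.log(auditAll());
```

Run it against captured headers (e.g. from `curl -sI` on the page that renders the token) to see which of the three states a deployment is in; a page that returns `allowed` for a foreign origin still exposes any token it displays to this class of UI redressing.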
![Page 25: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/25.jpg)
Credits
• Billy (BK) Rios
• Kotowicz
• Drăgan European University, Lugoj, Timiș
• Dan Kaminsky, who in 2008 “own-ed” the internet. His work must not be forgotten!
![Page 26: Blended Threat Concept in Web Applications - DefCamp 2012](https://reader034.fdocuments.in/reader034/viewer/2022051612/54bd12094a795954428b4718/html5/thumbnails/26.jpg)
Want to ask something?