Transcription
Ryan Hamrick, CBTS Principal Security Engineer
- Former Software Developer (ASP.net/C#, Perl, Python)
- Professional Security Practitioner for over 12 years

Nate Fair, CBTS Information Security Engineer
- Adjunct Professor – Penetration Testing @ UC
- Information Security & Penetration Tester for 5 years
(AT LEAST ON THE ATTACK SIDE) ADVANCED TOPICS LIKE:
- PROTOCOL SMUGGLING
- SMTP OVER HTTPS (SNI)
- CR-LF INJECTION
- EXPLOITING URL PARSERS: CURL (LIBCURL), GO (NET/URL), NODEJS (URL), PHP (PARSE_URL), RUBY (ADDRESSABLE)
YOU CAN FIND ALL OF THAT AND MUCH MORE: -TRENDING-PROGRAMMING-LANGUAGES.PDF
Vulnerability class that encompasses behavior in which a server request is initiated by an attacker.

Applications will take a URL from a user and perform some action, e.g.:
- setting your avatar via URL
- image/link preview in chat

To exploit an SSRF vulnerability, an attacker can:
- convince the server to make requests to internal resources
- bypass firewall restrictions to uncover new hosts
// getimage.php (deliberately vulnerable: the user-supplied URL is fetched as-is)
$content = file_get_contents($_GET['url']);
file_put_contents('image.jpg', $content);

GET /getimage.php?url=https://website.com/images/cat.jpg
GET /getimage.php?url=http://127.0.0.1/api/v1/getuser/id/1
GET /getimage.php?url=http://169.254.169.254/latest/meta-data/
GET /getimage.php?url=file:///etc/passwd
Source: 034c27978
Basic
- Target application provides a response back to attacker
- Often in the form of HTTP response codes, application errors, other salient behavior
- High degree of confidence vulnerability is present, exploitability likely possible

Blind
- Target application does not provide response back to attacker
- Vulnerability presence is unknown/uncertain, exploitability more difficult
- Often requires more analysis & testing to confirm/deny

Mixed
- Largely application specific
- Time Based – inverse mapping through time/response variations
- Error Based – “access denied” combined with inverse mapping
- EXTREME VULNERABLE WEB APPLICATION (XVWA) – PHP/MYSQL – HTTPS://GITHUB.COM/S4N7H0/XVWA
- OWASP NODEGOAT – TOP 10, NODE JS/MONGODB, HEROKU APP AVAILABLE – HTTPS://GITHUB.COM/OWASP/NODEGOAT
- PORTSWIGGER WEB SECURITY ACADEMY (AWESOME!) – HTTPS://PORTSWIGGER.NET/WEB-SECURITY/SSRF
- C1 – HTTPS://APPLICATION.SECURITY/ – INTERACTIVE, RECONSTRUCT DATA BREACH
North/South and East/West
- WAF for North/South
- East/West firewalling is critical for this sort of attack detection
- Position to inspect traffic between web server and back end infrastructure/data sources

Logging!!!
- Centralized logging from WAF, additional firewalls, web server, other infrastructure systems
- Due to the nature of the exploit, there will be many failed requests; watch for scanning type activity
- Ensure that logging levels are correct to capture all the potential events. Debugging not necessary, but INFO level should be collected and reviewed.
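The "watch for failed requests and scanning type activity" point above is easy to turn into a first-pass detection over the web server's own access log. The following is an added example, not code from the talk: it parses constructed combined-log-style lines (the url= values mirror the getimage.php requests from the slides, plus two extra probes, one percent-encoded), flags any URL-carrying parameter whose target is a non-HTTP scheme, loopback, link-local (the 169.254.169.254 metadata range) or private address, and counts failed (4xx/5xx) requests per client to surface scanning. The parameter list in URL_PARAMS and the sample log are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /getimage.php?url=https://website.com/images/cat.jpg HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /getimage.php?url=http://127.0.0.1/api/v1/getuser/id/1 HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /getimage.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:55:42 +0000] "GET /getimage.php?url=file:///etc/passwd HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:55:43 +0000] "GET /getimage.php?url=http://10.0.0.5:8080/ HTTP/1.1" 500 0
198.51.100.9 - - [10/Oct/2023:13:55:44 +0000] "GET /getimage.php?url=http%3A%2F%2F10.0.0.6%3A8080%2F HTTP/1.1" 500 0
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Query parameters that commonly carry a user-supplied URL (assumed list; extend per app).
URL_PARAMS = ("url", "uri", "src", "image", "link", "callback")


def classify_target(url):
    """Return a reason string if the outbound target looks internal, else None."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "scheme:" + (parts.scheme.lower() or "none")
    host = parts.hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        addr = ip_address(host)
    except ValueError:
        return None  # a DNS name; what it resolves to is checked at fetch time, not here
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:       # includes the 169.254.169.254 cloud metadata endpoint
        return "link-local"
    if addr.is_private:
        return "private"
    return None


def scan(log_text, fail_threshold=3):
    """Scan access-log text; return flagged URL parameters and suspected scanners."""
    flagged = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if status >= 400:
            failures[ip] += 1
        query = parse_qs(urlparse(path).query)  # parse_qs percent-decodes the values
        for name in URL_PARAMS:
            for target in query.get(name, []):
                reason = classify_target(target)
                if reason:
                    flagged.append({"ip": ip, "param": name, "target": target,
                                    "reason": reason, "status": status})
    scanners = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"flagged": flagged, "scanners": scanners}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for hit in report["flagged"]:
        print("FLAG", hit["ip"], hit["reason"], hit["target"])
    for ip, n in report["scanners"].items():
        print("SCANNER", ip, n, "failed requests")
```

The per-client failure count is deliberately crude (any 4xx/5xx within the sample); in production you would window it by time and feed both outputs to the centralized log platform the slide calls for, so the WAF and East/West firewall events can be correlated with the web-server view.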
- Sanitize and filter user input, limiting to known good data inputs
- Potential for regex-style data matching for validation
- Restrict access to internal resources using a specific whitelist of organizational domains
- Log ALL requests, highlight improper requests and alert
- User and group access review and validation, especially important in cloud environments (Capital One)
- Proper error and response handling!!! (Again, Capital One)
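The mitigation list above (whitelist of organizational domains, proper error and response handling) applied to the getimage.php snippet from the earlier slide, as an added example in Python rather than the talk's PHP; this is not the presenters' code. The allowlist, the fixed_resolver helper and the public address it hands back are constructed for offline use. The check rejects non-http(s) schemes, URLs with userinfo, hosts outside the allowlist, and allowlisted names that resolve to any non-public address; the reason string is intended for the server log only, so the client sees a generic error rather than the upstream response.

```python
import socket
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed allowlist of organizational image hosts (assumption; replace with your own).
ALLOWED_HOSTS = {"website.com", "cdn.website.com"}
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: the set of all addresses the name currently resolves to."""
    return {ip_address(info[4][0].split("%")[0])   # drop any IPv6 scope id
            for info in socket.getaddrinfo(host, None)}


def fixed_resolver(ip_text):
    """Constructed resolver for offline use: every name maps to one fixed address."""
    return lambda host: {ip_address(ip_text)}


def is_public(addr):
    """True only for globally routable unicast addresses."""
    return addr.is_global and not addr.is_multicast


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Decide whether the server may fetch url on the user's behalf.

    Returns (True, normalized_url) or (False, reason). The reason goes to the
    server log, never into the HTTP response.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not in allowlist: %r" % host
    # Even an allowlisted name must resolve only to public addresses; a record pointed
    # at 10.0.0.0/8 or 169.254.169.254 would otherwise still reach internal resources.
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve: %r" % host
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "host resolves to a non-public address: %r" % host
    return True, parts.geturl()


def getimage(url, fetch, resolver=resolve_all):
    """Hardened analogue of the slide's getimage.php handler.

    fetch(url) is the caller's HTTP client (assumed to have redirects disabled).
    Returns (status, body); the body never echoes upstream content on failure.
    """
    ok, detail = check_fetch_url(url, resolver=resolver)
    if not ok:
        print("rejected fetch:", detail)          # server-side log only
        return 400, b"invalid image URL"
    try:
        return 200, fetch(detail)
    except Exception:                             # upstream error stays opaque to the client
        return 502, b"could not fetch image"


def demo(resolver=fixed_resolver("8.8.8.8")):   # any public address will do for the demo
    """Run the four requests from the slides through the check."""
    slide_urls = [
        "https://website.com/images/cat.jpg",
        "http://127.0.0.1/api/v1/getuser/id/1",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
    ]
    return [(u,) + check_fetch_url(u, resolver=resolver) for u in slide_urls]


if __name__ == "__main__":
    for url, ok, detail in demo():
        print("ALLOW" if ok else "DENY ", url, "" if ok else "(%s)" % detail)
```

Two caveats a practitioner should keep in mind: the resolution check happens before the fetch, so the HTTP client must also refuse redirects (or re-run the check on every hop), and the allowlist is the control that actually limits reach; the address check is a backstop for a mis-pointed record, not a substitute for the whitelist.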
HTTPS://PORTSWIGGER.NET/WEB-SECURITY/SSRF
434 ULNS-FOR-THE-PRICE-OF-ONE/
HTTPS://MEDIUM.COM/@LOGICBOMB
-TO-AWSCREDENTIALS-COMPROMISE-B250FB40AF82
HTTPS://HACKERONE.COM/REPORTS/713
REQUEST-FORGERY-SSRF
BYXBCDLUEDXGB9NJTNIJXA3U9AKHM/EDIT
-REQUEST-FORGERY-VULNERABILITY/
-FORGERY-VULNERABILITY-AND