Cbts & Owasp

Transcription

Ryan Hamrick, CBTS Principal Security Engineer. Former Software Developer (ASP.NET/C#, Perl, Python). Professional Security Practitioner for over 12 years.
Nate Fair, CBTS Information Security Engineer. Adjunct Professor, Penetration Testing @ UC. Information Security & Penetration Tester for 5 years.

Not covered (at least on the attack side): advanced topics like protocol smuggling, SMTP over HTTPS (SNI), CR-LF injection, and exploiting URL parsers: curl (libcurl), Go (net/url), (addressable), Node.js (url), PHP (parse_url), Ruby. You can find all of that and much more in -trending-programming-languages.pdf

SSRF is a vulnerability class that encompasses behavior in which a server request is initiated by an attacker. Applications will take a URL from a user and perform some action, for example setting your avatar via URL, or image/link preview in chat.
To exploit an SSRF vulnerability, an attacker can:
- convince the server to make requests on internal resources
- bypass firewall restrictions to uncover new hosts

The deliberately vulnerable fetcher from the slide, with the operators that the transcription dropped restored:

<?php
// getimage.php: fetches whatever URL the user supplies and stores it, no validation at all
$content = file_get_contents($_GET['url']);   // any scheme/host, including file:// and internal addresses
file_put_contents('image.jpg', $content);

Example requests against it, from the intended use to the abuse cases:

GET /getimage.php?url=https://website.com/images/cat.jpg
GET /getimage.php?url=http://127.0.0.1/api/v1/getuser/id/1
GET /getimage.php?url=http://169.254.169.254/latest/meta-data/
GET /getimage.php?url=file:///etc/passwd


Basic
- Target application provides a response back to the attacker, often in the form of HTTP response codes, application errors, or other salient behavior
- High degree of confidence the vulnerability is present; exploitability likely possible

Blind
- Target application does not provide a response back to the attacker
- Vulnerability presence is unknown/uncertain; exploitability more difficult
- Often requires more analysis and testing to confirm/deny

Mixed
- Largely application specific
- Time based: inverse mapping through time/response variations
- Error based: "access denied" combined with inverse mapping

Practice targets:
- Extreme Vulnerable Web Application (XVWA), PHP/MySQL: https://github.com/s4n7h0/xvwa
- OWASP NodeGoat, Top 10, Node.js/MongoDB, Heroku app available: https://github.com/OWASP/NodeGoat
- PortSwigger Web Security Academy (awesome!): https://portswigger.net/web-security/ssrf
- C1 https://application.security/ interactive, reconstruct data breach


Detection:
- North/South and East/West: WAF for North/South; East/West firewalling is critical for this sort of attack detection
- Position to inspect traffic between the web server and back-end infrastructure/data sources
- Logging!!! Centralized logging from WAF, additional firewalls, web server, and other infrastructure systems
- Due to the nature of the exploit, there will be many failed requests; watch for scanning-type activity
- Ensure that logging levels are correct to capture all the potential events. Debugging is not necessary, but INFO level should be collected and reviewed.

Countermeasures:
- Sanitize and filter user input, limiting to known good data inputs
- Potential for regex-style data matching for validation
- Restrict access to internal resources using a specific whitelist of organizational domains
- Log ALL requests, highlight improper requests and alert
- User and group access review and validation, especially important in cloud environments (Capital One)
- Proper error and response handling!!! (Again, Capital One)
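As an added example (not from the slides), this is how a URL validator for a fetcher like getimage.php can apply the whitelist and internal-resource rules above. ALLOWED_HOSTS and the resolver injected for testing are constructed assumptions; the point of resolving the name is that a whitelisted hostname can still point at 127.0.0.1 or 169.254.169.254.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Organizational domains the image fetcher may contact (constructed sample allowlist).
ALLOWED_HOSTS = {"images.example.org", "cdn.example.org"}


def _resolve(host):
    """Resolve a hostname to all of its IPv4/IPv6 addresses (swappable for offline tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve):
    """Return (ok, reason); ok is True only if the URL is safe for a server-side fetch.

    Rules: http(s) only, no credentials in the URL, host exactly on the allowlist,
    and every address the host resolves to is globally routable, which rejects
    loopback, link-local (the 169.254.169.254 metadata service), RFC 1918 and
    other special-use ranges even when the hostname itself looks harmless.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The fetch itself should connect to the address that was just validated (or re-check on every redirect), otherwise a second DNS lookup at fetch time can return a different, internal address.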



