DEFENCE, CHANGE MY MIND!
Egor Karbutov @ShikariSenpai, Sergey Belov @SergeyBelove
for WebVillage
Who are we?
Yandex & Mail.Ru appsec teams
Agenda
• XSS Contexts
• How to generate CSRF-token
• SSRF
• Impossible to patch
• Let's play!
XSS Contexts
Escaping vs Sanitizing vs Filtering
• Escaping
  • HTML: &#x20AC; hexadecimal numeric character reference; &#8364; decimal numeric character reference; &euro; named character reference
  • CSS: \20AC must be followed by a space if the next character is one of a-f, A-F, 0-9; \0020AC must be 6 digits long, no space needed (but can be included)
Escaping vs Sanitizing vs Filtering
• Sanitizing
Hello, <b>test</b><script>alert(1)</script>
to
Hello, <b>test</b>
Escaping vs Sanitizing vs Filtering
• Filtering
<a href="javascript:alert(1)">test</a>
to
<a></a>
HTML Sanitizer: DOMPurify
Where?
• Two options
  • Before saving the user's data to the database
  • During the rendering
• Template engines: during the rendering
• For Django, the `|safe` filter inside `{{ }}` will lead to XSS
• Client-side validation isn't the best way
Escaping special chars
• To mitigate most of the problems with XSS: > < & " '
  • < -> &lt;
  • > -> &gt;
  • & -> &amp;
  • " -> &quot;
  • ' -> &#x27; / &#39;
• But what about XSS contexts?
XSS Contexts
• Don't forget about it
• Super-uber blind vector
• In real life it might not work
Contexts game: http://polyglot.innerht.ml/
XSS Contexts
• Dangerous special char is '
• Dangerous special chars are > <
• Dangerous special char is "
XSS Contexts
• Don't ever do that!
• Dangerous special chars are " and the browser scheme
• Scheme whitelist:
  • mailto:
  • https:
  • http:
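The two layers the slides ask for in the href context, as an added example (not code from the talk): a scheme whitelist of mailto/https/http applied to the URL the way a browser would read it, and attribute escaping so a `"` in the value cannot close the attribute. The function names and the rejection policy (return None rather than repair) are this example's own choices.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Scheme whitelist from the slide; everything else (javascript:, data:, vbscript:, ...) is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# A browser's URL parser strips leading/trailing C0 controls and spaces and removes
# tab, CR and LF anywhere, so "java\tscript:" still ends up as the javascript scheme.
_REMOVED_ANYWHERE = {"\t", "\r", "\n"}
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def canonical_scheme(value: str) -> str:
    """Scheme the browser would see for this href after its own cleanup ('' if relative)."""
    cleaned = "".join(ch for ch in value if ch not in _REMOVED_ANYWHERE).strip(_C0_AND_SPACE)
    return urlsplit(cleaned).scheme  # urlsplit already lower-cases the scheme


def render_link(href: str, text: str) -> Optional[str]:
    """Filtering for the scheme, then escaping for the attribute context; None if rejected."""
    if canonical_scheme(href) not in ALLOWED_SCHEMES:
        return None  # relative URLs are rejected too; give them their own rule if needed
    # quote=True escapes " and ' as well as < > &, so the value stays inside the attribute.
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True), html.escape(text))
```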
XSS Contexts
• Dangerous special chars are > < and ' " for JSON/var escaping: a difficult case
• Don't forget about DOM XSS
  • Do not allow a user to control parameters of eval-like functions
Other attacks to break SOP
- window.opener
- CSS leaks
- "perfect pixel"
- timing attacks
• Do not allow a user to control these tags + CSS
How to generate CSRF-token
Stateless vs stateful
• Stateful (easiest)
  • Random token
  • A part of the session
  • Depends on actions
• Stateless
  • JWT
  • Cookie based (cookie injection problem)
  • and more
Defence dilemma
Our CSRF-Token Scheme
• Integrity control
• Depending on the time
• Depending on the action
• Secret_key for different applications
• Something else?
![Page 21: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/21.jpg)
Ruby on Rails CSRF
![Page 22: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/22.jpg)
Escaping special chars
Hash table: http://valerieaurora.org/hash.html
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
![Page 23: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/23.jpg)
Our CSRF-Token Scheme
• HMAC mitigates
  • length extension attacks
  • hash collisions*
• Danger:
  • HMAC(user_data, secret_key) is the wrong argument order and leads to a simple collision
  • If len(K) > block size: K := H(K)
  • I can sign a message with my user_data: H(user_data)
*https://dankaminsky.com/2015/05/07/the-little-mac-attack/
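A stateless token in the spirit of the scheme on the two slides above (integrity control, bound to time and action, per-application secret), as an added example that is not the speakers' implementation. The token layout (issue time, action and a hex HMAC-SHA256 packed as base64 JSON), the one-hour lifetime and the constructed SECRET_KEY are this example's own assumptions; the key is always the first argument to the HMAC, which is the argument-order point the slide warns about.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key; load a per-application secret from a secrets store in production.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL = 3600  # seconds; the "depending on the time" part of the scheme


def _mac(session_id: str, action: str, issued_at: int) -> bytes:
    # Canonical, unambiguous encoding of (session, action, time): the integrity control.
    msg = json.dumps([session_id, action, issued_at], separators=(",", ":")).encode()
    # Key first, data second. With the arguments swapped, user data becomes the key and
    # HMAC replaces an over-long key by H(key), so H(user_data) would stand in for the secret.
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def make_csrf_token(session_id: str, action: str, now: Optional[int] = None) -> str:
    """Stateless token carrying its issue time, the action and a MAC over (session, action, time)."""
    issued_at = int(time.time()) if now is None else now
    mac = _mac(session_id, action, issued_at)
    payload = json.dumps([issued_at, action, mac.hex()], separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode()


def verify_csrf_token(token: str, session_id: str, action: str, now: Optional[int] = None) -> bool:
    """True only for an untampered token for this session and action issued within TOKEN_TTL."""
    now = int(time.time()) if now is None else now
    try:
        issued_at, tok_action, mac_hex = json.loads(base64.urlsafe_b64decode(token))
        issued_at, mac = int(issued_at), bytes.fromhex(mac_hex)
    except (ValueError, TypeError):  # bad base64, bad JSON, wrong shape, bad hex
        return False
    # Wrong action, expired, or issued in the future: reject before touching the MAC.
    if tok_action != action or not 0 <= now - issued_at <= TOKEN_TTL:
        return False
    # Constant-time comparison; recomputing with the caller's session binds the token to it.
    return hmac.compare_digest(mac, _mac(session_id, action, issued_at))
```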
![Page 24: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/24.jpg)
CSRF-Token
• How to send a CSRF token?
  • GET parameter: bad option
    • Violation of RFC 7231 about GET requests
    • Don't forget about server logs
    • Referrer leaks your token
  • POST parameter
  • Header
    • For JS requests
  • Double Submit Cookie: problem with subdomains
• Same-Site Cookie
How to develop a good web application: https://habr.com/company/yandex/blog/265569/
![Page 25: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/25.jpg)
SSRF Problem
![Page 26: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/26.jpg)
Usual mitigation
• SSRF via scheme
  • I want to download my cat's pic from
• SSRF via domain/IPv4 address
• SSRF via port
![Page 27: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/27.jpg)
Something more
• SSRF via different domain address formats
• SSRF via IPv6 address
• SSRF via different encodings (enclosed alphanumerics and URL encoding)
![Page 28: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/28.jpg)
Usual mitigation
• SSRF via redirects
• SSRF via parsing tricks
• SSRF via DNS A record, sometimes combined with a race condition
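An outbound-URL validator covering the three "usual mitigation" slides above (scheme, host/IP, port, alternate host encodings, IPv6 and IPv4-mapped literals, every DNS answer rather than the first, and address pinning against the rebinding race), as an added example that is not code from the talk. The allowlists, the constructed SAMPLE_DNS table and the stand-in public address 93.184.216.34 are this example's assumptions.

```python
import ipaddress
import socket
import unicodedata
from typing import Callable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # scheme check: no file:, gopher:, dict:, ...
ALLOWED_PORTS = {80, 443}            # port check
# Constructed DNS answers so the example runs offline; 93.184.216.34 stands in for a public address.
SAMPLE_DNS = {
    "cats.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],  # one public and one internal record
    "localhost": ["127.0.0.1", "::1"],
}

def sample_resolve(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])  # unknown name: no answers, so the URL is rejected

def real_resolve(host: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]  # every A and AAAA answer

def is_internal(ip) -> bool:
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:127.0.0.1 is judged by the IPv4 rules
    return (not ip.is_global or ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_outbound_url(url: str, resolve: Callable[[str], List[str]] = real_resolve) -> Optional[str]:
    """Return the one IP the fetcher may connect to, or None if the URL is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    try:
        if (parts.port or (443 if parts.scheme == "https" else 80)) not in ALLOWED_PORTS:
            return None
    except ValueError:  # .port raises on a malformed or out-of-range port
        return None
    # NFKC folds enclosed alphanumerics and other look-alike forms to plain ASCII first.
    host = unicodedata.normalize("NFKC", parts.hostname)
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or IPv6 such as [::1]
    except ValueError:  # a hostname: resolve it and judge every answer, not only the first
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return None
    if not addrs or any(is_internal(a) for a in addrs):
        return None
    # Pin this address: connect to it directly (sending Host: <host>), never re-resolve, and do not
    # auto-follow redirects; re-run this check on every hop. That closes the DNS rebinding race.
    return str(addrs[0])
```

The HTTP client then connects to the returned address with redirects disabled and the original hostname in the Host header, so the name is never resolved a second time.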
![Page 29: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/29.jpg)
SSRF Scheme (diagram: Browser, Frontend, Application 1, Application 2, Database, Cache, Storage, … cats.mydomain.com)
![Page 30: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/30.jpg)
SSRF Proxy (diagram: the same components as above with a Proxy added)
![Page 31: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/31.jpg)
SSRF Proxy
• Don't forget
  • About the usual mitigation
  • Extra hardening
• A proxy in a Docker container gives bonus security
  • Issues that are still hard to restrict in case of RCE:
    • Access to the repository
    • Docker Hub
    • Monitoring
    • Logs
• Use orchestration for mitigation
![Page 32: DEFENCE, CHANGE MY MIND! · DEFENCE, CHANGE MY MIND! Egor Karbutov @ShikariSenpai Sergey Belov @SergeyBelove for WebVillage](https://reader035.fdocuments.us/reader035/viewer/2022062506/5f69326bf044da625519c2a3/html5/thumbnails/32.jpg)
Impossible to patch
OAuth via iFrame without consent screen - WTF?
https://blog.innerht.ml/google-yolo/
Let’s Play
Useful Links
• Contexts game: http://polyglot.innerht.ml/
• XSS contexts payloads: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/XSS-WITH-CONTEXT-JHADDIX.txt
• Hash Table: http://valerieaurora.org/hash.html
• Best practice for web applications: https://habr.com/company/yandex/blog/265569/
• Ruby CSRF Protect: https://medium.com/rubyinside/a-deep-dive-into-csrf-protection-in-rails-19fa0a42c0ef
• Post about CSRF: https://habr.com/post/318748/
THANKS FOR YOUR ATTENTION
Egor Karbutov @ShikariSenpai
Sergey Belov @SergeyBelove