The Patsy Proxy
-
Upload
baronzor -
Category
Technology
-
view
1.288 -
download
1
description
Transcript of The Patsy Proxy
The Patsy ProxyGetting Others To Do Your Dirty Work
Who we are
Jen Savage◦Software Developer ◦@savagejen
Dan Crowley◦Managing Consultant at Trustwave
SpiderLabs◦@dan_crowley
What is a patsy proxy?
Patsy (noun): A person who is easily taken advantage of
Proxy (noun): A person authorized to act on the behalf of another
A patsy proxy is anything that can be used to unwittingly perform an attack on the behalf of another.
Advantages of a patsy proxyProxy owner is unaware of proxyTarget is unaware that victim acts
as proxy◦Not publicly listed as a proxy◦No traditional proxy service on victim
Logging unlikelyIP may be privileged
Disadvantages of a patsy proxyAttack capabilities may be
limited◦May be blind◦May change the traffic◦May have a time delay◦May pass only certain types of traffic
What is inside the black box?◦May be logged
On patsy limitationsPatsy only allows GET params
◦Many applications accept POST params in GET
Patsy only makes HEAD requests◦Many applications process HEAD/GET
the same No data will be returned DoS capability severely limited
Patsy is blind◦Many attacks can be launched blind
Malicious uses of a patsy proxy
Frame SomeonePost threats, harass people, etcAccess illegal materialsLaunch attacks
Anonymize an attackAttack will trace back to the
patsy◦Is the patsy logging?
Traditional attacks◦SQLi◦RFI◦DoS
Bypass IP address filteringEvade IP blacklist
◦IP ban◦Sites which disallow proxies
Exploit IP trust relationships◦Business partnerships◦Proxies usually disallow internal
access Not the case with unintentional proxying
Methods to achieve a patsy proxy
Automated ServicesURL shorteners & un-shortenersWeb SpidersTwitter bots“Upload from URL” functionalityWebpage translation utilitiesLink preview functionality
GOOGLE TRANSLATE“Translate” a web page
FACEBOOKStatus update preview
Automated ServicesMalware Scanning UtilitiesMail Gateway Scanners
◦Thanks to Jcran for his Project Tuna data: tuna.pentestify.com/emails
Other
Good job Google on the Google Safe Browsing Database!
CLAMAVIn certain configurations, URLs in emails are checked for malware
GEOCITIES-IZERHack like it’s 1996
UNKNOWN MAIL GATEWAY AVWith ROT13 power
Traditional VulnsXSS / HTML InjectionXML injection (XXE)SQLiRFI
Social EngineeringWorth mentioningNot worth in-depth explanation
Could it be a vulnerability?
Recursive DoSPoint the patsy back at itselfTraffic amplification factor:
◦MAX_URI / patsy URI length * 2Tack a large resource onto the
last iteration20 requests resulted in 30
minutes downtime◦Over the LAN!
RECURSIVE DOS“If it’s stupid but it works, it isn’t stupid.”patsy.php contained fopen($_GET['site'], 'r');
WAF bypassRecurse onceDouble encode attack
Web Server
WAFMal
DDoS through patsiesI have 2MB upI have 30 patsies, each 15MB upI have Python
By your powers combined……I AM CAPTAIN DOWNTIME
Access to Internal NetworksModern proxies enforce
boundaries between internal / external
Unintentional proxies may allow boundary violation◦http://patsy.com/?site=http://
10.0.0.1/admin.htm
ConclusionAttribution is Hard(er)
◦An IP address is not a personIP address filtering is ineffectiveThink before generating traffic
for usersUser education is valuable for
users, too◦Don’t Take Candy from Internet
Strangers