Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Abusing Open HTTP Proxies
Mike Zusman, Intrepidus Group, Inc.
[email protected]
June 18, 2008
Hi everybody!
Mike Zusman, CISSP
Past: Web Application Developer, Whale Communications/Microsoft; ADP Application Security Team
Current: Senior Consultant @ Intrepidus Group
Don’t mind me, I’m just sniffing your ports!
What am I talking about?
Open HTTP Proxies
Remote Access appliances
Plain Old Web Applications
Using SSL? Come on in!
SSL VPN Remote Access Portals
One HTTP listener, many web servers
URL Rewriting
The Good, the bad, and the 0wned
Microsoft Intelligent Application Gateway:
https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp
SonicWALL SSL VPN:
https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/
But wait, there is more . . .
We just showed a client-side attack
We can also attack the network and other services
– How does HTTP work?
And we can attack the application/proxy itself
– Think beyond HTTP
Scanning the Network
HTTP is sent over TCP
– https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227 (Date Public: 02/19/2002)
Open HTTP proxies will open arbitrary TCP sockets
– /fetchurl.asp?url=http://192.168.1.1:139
Timing
Scanning the Network
Trying: http://127.0.0.1:139   Result: 500        Duration: 0.937832117081s
Trying: http://127.0.0.1:443   Result: timed out  Duration: 30.0013480185s
Attacking the Proxy
Web Applications can act as proxies
– Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP
– PHP: include(), fopen(), etc. (if you're bored)
– Perl: request()
These libraries can do more than fetch remote URLs
– What about file:///?
SEO Web Sites (1)
Search Engine Optimize http://127.0.0.1
SEO Web Sites (2) Great Success!
Search Engine Optimize http://127.0.0.1
Blog Engine .NET
http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/
Widespread: “probably 100,000 public installs”
Local web site disclosure /js.axd?path=http://localhost
Local file disclosure /js.axd?path=/web.config
HTTP Request Amplification
Attacker sends X number of requests to the proxy
The proxy sends (x)(y) number of requests to the victim
Google RSS Reader: 2 to 1 request amplification on non-existing feeds
Transloading and WebTV users
Open Application Proxy Chaining
Anonymization
– A large number of open app proxies (HTTP GET)
– Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim
Auto-Exploitation: Open Proxy Worm
– A large number of open app proxies (HTTP GET)
– Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN
– The Proxies are the Victims
Open Application Proxy Chaining
Embedding URLs
http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….
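Each hop of the chain above is embedded one percent-encoding layer deeper than the hop outside it. As an added example (not from the talk), this Python peels those layers off the request line of an access log and flags requests that nest more than one target, the chaining pattern of slide 18; the log lines, client addresses and host names are constructed, and the endpoint name /fetchurl.asp is taken from slide 11.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines. The second carries a three-hop chain: each
# embedded hop is percent-encoded once more than the hop outside it, which
# is the nesting shown on slide 19.
LOG_LINES = [
    '10.0.0.5 - - [18/Jun/2008:10:01:02 -0400] "GET /fetchurl.asp?url='
    'http%3A%2F%2Fwww.example.com%2F HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jun/2008:10:01:07 -0400] "GET /fetchurl.asp?url='
    'http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F'
    '%253Furl%253Dhttp%25253A%25252F%25252Fvictim.example%25252F HTTP/1.1" 200 88',
]

# Common log format: client address first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def chain_hops(target, param="url", max_depth=32):
    """Return the hostname of every hop nested in a proxy request target.

    parse_qs strips exactly one layer of percent-encoding, so the decoded
    value of param is the next hop's complete URL, query string included;
    repeating that step walks the chain. max_depth bounds the loop so a
    deliberately deep chain cannot tie up the log parser.
    """
    hops = []
    current = target
    for _ in range(max_depth):
        nested = parse_qs(urlsplit(current).query).get(param)
        if not nested:
            break
        current = nested[0]
        hops.append(urlsplit(current).hostname or "?")
    return hops


def flag_chained_requests(lines, max_hops=1):
    """Return (client, hops) for requests nesting more than max_hops targets:
    one target per fetch is normal use, a further proxy endpoint inside that
    target is chaining."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hops = chain_hops(m.group(2))
        if len(hops) > max_hops:
            flagged.append((m.group(1), hops))
    return flagged
```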
URL Length
.NET 260 char?
IIS: 32K chars (http://support.microsoft.com/kb/820129)
How long of a URL can you have?
“In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k.” – Some Guy on the Internet
What about the HTTP Response?
Sometimes you see the proxied response, sometimes you don’t
– What are your goals?
Timing can help (or hurt you)
– Order of Execution
Confirmation
– Make yourself the last hop
– TCP Sequencing
No request propagation without exploitation!
Request Propagation
– Attacker makes one request that turns into N requests
How can we exploit this?
– Persistent XSS
– Blind SQLi
– Get code to run on a machine in the chain (or a web browser)
No request propagation without exploitation!
Persistent XSS
http://host1.com/?url=http://host2.com&param=<img src="http://tinyurl.com/xyz">
http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …
Persistent XSS Exploitation
Demo
Hopefully, it will work.
No FUD
Attack Prerequisites
– App must have a URL that makes arbitrary requests
– The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]
– Order of Execution: Exploit then Propagate
Leg Work
– Attacker must find targets ahead of time
Mitigating Factor
– URL Length Limitations
This is OWASP…
…so how do we fix this stuff?
Input Validation
– Displaying host names in URLs is bad: Manipulation, Information Leakage
Lock down the config
– Use a product that supports white lists
– Don’t allow .* hosts
Firewall configuration
– Does your proxy NEED to…
   – talk to the Internet?
   – talk to every host on your LAN?
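Slide 13 asks what the fetch library does with file:///, and the fixes above are input validation, white lists and no .* hosts. As an added example (not from the talk), this Python validator applies those rules to a url= parameter before anything is fetched: scheme, host, port and the address the name resolves to are each checked against an allow-list. The allow-listed host names, the FAKE_DNS table and fake_resolve are constructed so it runs offline, and it assumes the endpoint's legitimate targets are not on the LAN, so RFC 1918, loopback and link-local ranges are refused outright.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Exact host names this endpoint may fetch from (constructed). No ".*" patterns.
ALLOWED_HOSTS = {"intranet-app.example", "feeds.example"}
ALLOWED_PORTS = {80, 443}
# Address ranges the proxy must never talk to, whatever name was used.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed stand-in for DNS so the example runs offline; production code
# leaves the default resolver (socket.gethostbyname) in place.
FAKE_DNS = {"intranet-app.example": "203.0.113.10", "feeds.example": "127.0.0.1"}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return FAKE_DNS[host]


def validate_fetch_url(url, resolve=socket.gethostbyname):
    """Return (ok, detail): detail is the address to connect to, or the
    reason for rejection. Every check is an allow-list; the unexpected fails."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):        # rejects file:///, ftp://, ...
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname                             # urlsplit lower-cases it
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not on allow-list: %r" % host
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:                      # no :139, :445, :3306 ...
        return False, "port not allowed: %d" % port
    # An allow-listed name can still point inside (stale or hijacked record),
    # so check what it resolves to, unwrapping IPv4-mapped IPv6 first.
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (socket.gaierror, ValueError) as exc:
        return False, "resolution failed: %s" % exc
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if any(addr in net for net in BLOCKED_NETS):
        return False, "%s resolves to blocked address %s" % (host, addr)
    return True, str(addr)
```

Connect to the returned address with the Host header set to the validated name, rather than resolving a second time, so the check and the connection cannot see different DNS answers.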
Thanks
Questions? Comments? Concerns?
[email protected] http://schmoil.blogspot.com http://blog.phishme.com