ht f01 top 10 web hacking techniques of 2014 final
TRANSCRIPT
-
7/24/2019 Ht f01 Top 10 Web Hacking Techniques of 2014 Final
1/54
SESSION ID: HT-F01
Top 10 Web Hacking Techniques of 2014
Matt Johansen, Senior Manager, WhiteHat Security / Threat Research Center, @mattjay
Johnathan Kuskos, Manager, WhiteHat Security / Threat Research Center, @JohnathanKuskos
About the Top 10
Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within thousands of pages are the latest ways to attack websites, web browsers, web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of web-based attack.
- Jeremiah Grossman
Previous Years
Year  New techniques  #1 technique
2012  56              CRIME
2011  51              BEAST
2010  69              Padding Oracle Crypto Attack
2009  80              Creating a Rogue CA Certificate
2008  70              GIFAR (GIF + JAR)
2007  65              XSS Vulns in Common Shockwave Files
2014 Top 10 Web Hacking Techniques
1. Heartbleed
2. ShellShock
3. POODLE
4. Rosetta Flash
5. Misfortune Cookie
6. Hacking PayPal Accounts
7. Google Two-Factor Authentication Bypass
8. Apache Struts ClassLoader Manipulation Remote Code Execution
9. Facebook Hosted DDoS with Notes App
10. Covert Timing Channels on HTTP Cache Headers
10. Covert Timing Channels on HTTP Cache Headers
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers (CWE-514).
A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515).
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385).
Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
http://www.slideshare.net/dnkolegov/wh102014
9. Facebook Hosted DDoS with Notes App
Facebook Notes allows users to include <img> tags. Whenever a <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once; however, using random GET parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood.
Chaman Thapa, aka chr13
http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website
8. Apache Struts ClassLoader Manipulation RCE
A remote command execution vulnerability in Apache Struts versions 1.x (class[classLoader] …
Fixed by adding the following regex to Struts excludeParams:
(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*
Peter Magnusson, Przemyslaw Celej
https://cwiki.apache.org/confluence/display/WW/S2-020
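An added check, not code from the slides or from the Struts project, that applies the excludeParams regex above to sample parameter names in Python; it assumes Struts matches the pattern against the whole parameter name (Java matches() semantics), which re.fullmatch reproduces:

```python
import re

# excludeParams regex from the S2-020 advisory (the one on the slide), applied
# as a whole-name match: Struts uses Java's matches(), which re.fullmatch mirrors
# (assumption stated in the lead-in).
EXCLUDE_PARAMS = re.compile(r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")

def is_excluded(param_name):
    """True if the parameter name would be refused by the S2-020 exclusion."""
    return EXCLUDE_PARAMS.fullmatch(param_name) is not None

def classify(param_names):
    """Map each name to whether the exclusion blocks it."""
    return {name: is_excluded(name) for name in param_names}

# Constructed sample parameter names: ClassLoader-manipulation shapes that the
# advisory blocks, plus ordinary names that must keep binding normally.
SAMPLES = [
    "class.classLoader.resources.dirContext.docBase",  # dotted OGNL path
    "Class['classLoader'].urls[0]",                     # quoted-index form
    "user.class.classLoader.urls",                      # reached via a nested property
    "subclass.label",                                   # also blocked: pattern keys on the substring 'class'
    "username",                                         # ordinary parameter
    "userClassification",                               # 'Class' not followed by . [ ' or "
]

if __name__ == "__main__":
    for name, blocked in classify(SAMPLES).items():
        print(f"{'BLOCKED' if blocked else 'allowed'}  {name}")
```

The "subclass.label" case shows the caveat a deployer should know: the denylist is keyed on the substring "class", so legitimate property names containing it are refused too.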
7. Google Two-Factor Authentication Bypass
The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account.
Anonymous Hacker
http://gizmodo.com/how-hackers-reportedly-side-stepped-gmails-two-fa
6. Hacking PayPal Accounts with 1 Click
An attacker can conduct a targeted CSRF attack against a PayPal user and take full control over his account. Requests are then forgeable and include but are not limited to:
1. Add/Remove/Confirm Email address
2. Add fully privileged users to business account
3. Change Security Questions
4. Change Billing/Shipping Address
5. Change Payment Methods
6. Change User Settings (Notifications/Mobile settings)
and obviously, any other functionality where proper protection is not present.
Yasser Ali
http://yasserali.com/hacking-paypal-accounts-with-one-click/
5. Misfortune Cookie
Researchers from Check Point's Malware and Vulnerability Research Group uncovered this critical vulnerability, present on millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.
Lior Oppenheim, Shahar Tal
http://mis.fortunecook.ie/
Background: TR-069
ACS: Single Point of Failure
ACS is very powerful, as required by TR-069
Port 7547
TR-069 Diversity
Connection Request Server Technologies
Get to the hack already!
HTTP header fuzzing of RomPager
{Authorization: Digest username=
Router crashes
Unprotected string copy
RomPager uses cookies
Cookie array is pre-allocated memory
10 cookies of 40 bytes each (C0, C1, C2, etc.)
No more memory variations between firmwares
Misfortune Cookie Remediation
Most people will just need to wait for a manufacturer fix
Technical people can flash firmware (DD-WRT, etc.)
Don't buy these: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
4. Rosetta Flash
Rosetta Flash [is] a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is a CSRF bypassing Same Origin Policy.
Michele Spagnuolo
https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
What is it?
Rosetta Flash is a tool that converts normal binary SWF files and returns a compressed, alphanumeric-only equivalent.
JSONP
Widely used
callback parameter in URL
Only accepts three character classes (shown in the slide figure) as valid
[Figure: example callback values; labels cut off: "Ordin…", "Invalid"]
JSONP
Just a handful of sites used JSONP and were vulnerable:
- Google
- Yahoo!
- YouTube
- LinkedIn
- Twitter
- Instagram
- Flickr
- eBay
- Mail.ru
- Baidu
- Tumblr
- Olark
SWF Header Formats
Faking valid zlib data
First 2 bytes of zlib stream
Huffman coding: bit reduction
DEFLATE: duplicate string elimination (LZ77 algorithm)
ADLER32 checksum
SWF to Alphanum
[Figure: attack flow diagram; labels cut off: "HTML Po…", "Attacker", "crossdom…"]
Mitigations
Don't use JSONP on sensitive domains
HTTP Headers:
Content-Disposition: attachment; filename=f.txt
X-Content-Type-Options: nosniff
Latest versions of Flash are patched by Adobe
3. POODLE
Encryption downgrade attack to SSLv3.0
Like BEAST and CRIME, a successful exploit targets the client, not the server
Requires a determined MitM attacker
Bodo Möller, Thai Duong, Krzysztof Kotowicz
https://www.openssl.org/~bodo/ssl-poodle.pdf
[Figures, slides 28-36: building an SSLv3 record step by step. Plaintext + Key → Ciphertext ("Magic"); Sensitive Data; MAC appended after the Sensitive Data; Padding added (DES uses 8-byte blocks, AES uses 16-byte blocks); "CBC Encryption is occurring" block by block across the record.]
Requirements
A motivated and active MITM attacker.
A webserver set up to force the JS requests to break m… encryption blocks.
Solution
Disable SSLv3.0 in the client.
Disable SSLv3.0 in the server.
Disable support for CBC-based cipher suites when using SSLv3.0 in either client or server.
2. ShellShock
Also known as Bashdoor
CVE-2014-6271
Disclosed on September 24, 2014.
Simply put: () { :; }; echo win
Stéphane Chazelas
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
Example with MassScan by @ErrataRob
target-ip = 0.0.0.0/0
port = 80
banners = true
http-user-agent = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
http-header[Cookie] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
http-header[Host] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
http-header[Referer] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
Before we had fancy GUIs
ShellShock explained simply
VAR=This is something I'd really like to remember.
VAR=This should also be treated as text, not syntax
VAR=rm -rf /
VAR=() { :;}; rm -rf /
echo $VAR
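An added detection example, not from the slides: it scans constructed Apache combined-format log lines for header values that begin with the bash function-definition prefix "() {", the shape the masscan config above places into User-Agent, Cookie, Host and Referer (the combined log format records only Referer and User-Agent, so those are the quoted fields it can check).

```python
import re

# bash imports a function from the environment only when the value begins
# with "() {"; this slightly looser pattern tolerates extra whitespace so
# that variants such as "() {:;}" are still flagged.
SHELLSHOCK_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Every double-quoted field of a combined-format line: request line, referer,
# user-agent. Backslash escapes inside a field are skipped over.
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')

def shellshock_hits(line):
    """Quoted fields of one log line whose value starts with the function
    prefix (leading whitespace ignored). Empty list means nothing suspicious."""
    return [f for f in QUOTED_FIELD.findall(line)
            if SHELLSHOCK_PREFIX.match(f.lstrip())]

def scan(lines):
    """Map line index -> suspicious field values, for lines that have any."""
    return {i: hits for i, line in enumerate(lines) if (hits := shellshock_hits(line))}

# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE_LOGS = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :; }; ping -c 3 198.51.100.9"',
    '203.0.113.8 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/test.sh HTTP/1.1" '
    '500 0 "() {:;}; echo win" "curl/7.37.0"',
    '203.0.113.10 - - [25/Sep/2014:10:01:12 +0000] "GET /?q=() HTTP/1.1" '
    '200 64 "-" "Mozilla/5.0 (compatible; () not a function)"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: Shellshock probe in header value(s) {hits}")
```

The fourth line shows why the match is anchored at the start of the field: "()" appearing later in a value is not the trigger shape and is not reported.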
1. Heartbleed
It allows an attacker to anonymously download a chunk of memory from a server using OpenSSL.
A catastrophic vulnerability to be accompanied b…
~17% (500k) of all secure servers were vulnerable
Neel Mehta
http://heartbleed.com/
Market share of the busiest sites
Market share of the active sites
What is a heartbeat anyways and why?
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
Found in:
/ssl/d1_both.c
/ssl/t1_lib.c
Both containing the following:
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
Fixed in this commit:
https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3
The payload is now bounds checked and can't exceed the intended 16 byte payload …
Ultimately, this boiled down to a very simple bug in a very small piece of code … very small fix ~ @TroyHunt
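An added Python model of the bug and its fix, not code from the slides or from OpenSSL: a heartbeat message is type (1 byte) | payload_length (2 bytes) | payload | padding, and respond_fixed applies the check the fix commit introduced, that 1 + 2 + payload_length + 16 bytes of minimum padding must fit inside the received record. process_memory is a constructed stand-in for whatever happens to follow the record on the heap.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding per heartbeat message

def build_heartbeat(payload, claimed_length=None):
    """Serialise type(1) | payload_length(2) | payload | padding.
    claimed_length lets a caller state a length larger than the real payload,
    which is exactly what a Heartbleed probe did."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING

def respond_vulnerable(record, process_memory):
    """Pre-fix behaviour: trusts the length field and copies that many bytes
    from the start of the payload, running past the record into whatever
    follows it in memory (process_memory is a constructed stand-in for that)."""
    _hbtype, length = struct.unpack("!BH", record[:3])
    heap = record + process_memory
    return struct.pack("!BH", HB_RESPONSE, length) + heap[3:3 + length] + b"\x00" * MIN_PADDING

def respond_fixed(record):
    """Post-fix behaviour (the OpenSSL fix commit linked above): discard the
    message unless header + claimed payload + minimum padding fit inside the
    received record, as RFC 6520 section 4 requires. Returns None when discarded."""
    if len(record) < 1 + 2 + MIN_PADDING:      # too short to even hold a header
        return None
    _hbtype, length = struct.unpack("!BH", record[:3])
    if 1 + 2 + length + MIN_PADDING > len(record):
        return None                            # would read beyond the record
    payload = record[3:3 + length]
    return struct.pack("!BH", HB_RESPONSE, length) + payload + b"\x00" * MIN_PADDING

def leaked_bytes(response, honest_payload):
    """Bytes in a response beyond the honest payload, i.e. what leaked."""
    _hbtype, length = struct.unpack("!BH", response[:3])
    return response[3 + len(honest_payload):3 + length]

if __name__ == "__main__":
    probe = build_heartbeat(b"hello", claimed_length=64)     # 5 real bytes, claims 64
    leak = leaked_bytes(respond_vulnerable(probe, b"SECRET-SESSION-COOKIE" * 4), b"hello")
    print("vulnerable server leaked", len(leak), "bytes:", leak)
    print("fixed server reply:", respond_fixed(probe))         # None: silently discarded
```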
[Figures, slides 47-52: Client/Server TLS exchange (TLS Request 1, TLS Response 1, TLS Request 2, TLS Response 2, ... TLS Request n, TLS Response n). Heartbeat requests are sent as keep-alives between TLS exchanges. A normal heartbeat request carries (Payload, Size) and the server answers with (Payload, Some Padding). The attacker's heartbeat request carries a 1-byte payload but states Size = 65,536 bytes; the server copies Size bytes, so its reply contains the payload followed by adjacent server memory (drawn as RANDOMDATA...).]
What we've learned
Encryption is King: Many … web hacks and Transport Layer … are always feared and resp…
Creativity is Rare: Utilizing … under our noses in new and … ways is always impressive
Web Security Prevails: O… hacks of 2014, web hacks … headlines. Web is where th… and data is what we all hol…
Special thanks to the community who voted and to our panel of experts: Jeff Williams, Zane Lackey, Daniel Miessler, Troy Hunt, Giorgio Maone, Peleus Uhley, and …