HT-F01: Top 10 Web Hacking Techniques of 2014 (Final)

Upload: ranie-pinaka-matibay

Posted on 23-Feb-2018


TRANSCRIPT

  • 7/24/2019 Ht f01 Top 10 Web Hacking Techniques of 2014 Final


    SESSION ID: HT-F01

    Top 10 Web Hacking Techniques of 2014

    Matt Johansen, Senior Manager, WhiteHat Security / Threat Research Center, @mattjay

    Johnathan Kuskos, Manager, WhiteHat Security / Threat Research Center, @JohnathanKuskos


    About the Top 10

    "Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, web browsers, web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of web-based attack."

    - Jeremiah Grossman


    Previous Years

    Year   New techniques   #1 technique of the year
    2012   56               CRIME
    2011   51               BEAST
    2010   69               Padding Oracle Crypto Attack
    2009   80               Creating a Rogue CA Certificate
    2008   70               GIFAR (GIF + JAR)
    2007   65               XSS Vulns in Common Shockwave Files


    2014 Top 10 Web Hacking Techniques

    1. Heartbleed
    2. ShellShock
    3. POODLE
    4. Rosetta Flash
    5. Misfortune Cookie
    6. Hacking PayPal Accounts
    7. Google Two-Factor Authentication Bypass
    8. Apache Struts ClassLoader Manipulation Remote Code Execution
    9. Facebook Hosted DDoS with Notes App
    10. Covert Timing Channels on HTTP Cache Headers


    10. Covert Timing Channels on HTTP Cache Headers

    A covert channel is a path that can be used to transfer information in a way not intended by the system's designers (CWE-514).

    A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another (CWE-515).

    Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information (CWE-385).

    Denis Kolegov, Oleg Broslavsky, Nikita Oleksov

    http://www.slideshare.net/dnkolegov/wh102014


    9. Facebook Hosted DDoS with Notes App

    Facebook Notes allows users to include <img> tags. Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once; however, using random GET parameters the cache can be bypassed and the feature can be abused to cause a huge HTTP GET flood.

    Chaman Thapa, aka chr13

    http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website


    8. Apache Struts ClassLoader Manipulation RCE

    A remote command execution vulnerability in Apache Struts (class[classLoader] …). The linked S2-020 advisory covers Struts 2.0.0 through 2.3.16.

    Fixed by adding the following regex to the Struts excludeParams list:

    (.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*

    Peter Magnusson, Przemyslaw Celej

    https://cwiki.apache.org/confluence/display/WW/S2-020
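The following check is an added example, not code from the Struts project or from the presenters: it translates the S2-020 excludeParams pattern quoted above into Python (`re.fullmatch`, because Struts applies excludeParams with `Matcher.matches()`, a whole-name match) and runs it over constructed parameter names. The names in `SAMPLE_PARAMS` are illustrative and not taken from any exploit.

```python
import re

# The pattern S2-020 added to Struts' excludeParams (as quoted on the slide).
# Struts applies excludeParams with Matcher.matches(), i.e. the whole parameter
# name has to match, so re.fullmatch is the faithful translation.
S2_020_EXCLUDE = re.compile(r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*""")


def is_excluded(param_name: str) -> bool:
    """True if ParametersInterceptor would drop this parameter name under S2-020."""
    return S2_020_EXCLUDE.fullmatch(param_name) is not None


def filter_params(params: dict) -> dict:
    """Keep only the request parameters that survive the exclude list.

    This mirrors what the interceptor does before the remaining names are
    evaluated as OGNL expressions against the action.
    """
    return {k: v for k, v in params.items() if not is_excluded(k)}


# Constructed parameter names for the demo (not taken from a real exploit):
# the first four would reach getClass().getClassLoader() through OGNL and are
# blocked; the last three are ordinary names that merely contain "class".
SAMPLE_PARAMS = {
    "class.classLoader.someProperty": "x",
    "Class.classLoader.someProperty": "x",
    "class['classLoader'].someProperty": "x",
    "form.class.classLoader.someProperty": "x",
    "className": "Widget",
    "classification": "internal",
    "user.name": "alice",
}


def surviving_names() -> list:
    """Parameter names that make it past the S2-020 exclude list, sorted."""
    return sorted(filter_params(SAMPLE_PARAMS))
```

The pattern only matches the literal word "class" followed by `.`, `[` or a quoted `]`, so ordinary names such as `className` pass. This S2-020 regex was subsequently found to be bypassable and was tightened in S2-021, the usual fate of deny-listing names that are then evaluated as expressions; an allow-list of the parameter names an action actually expects is the robust fix.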


    7. Google Two-Factor Authentication Bypass

    "The attack actually started with my cell phone provider, which somehow allowed some level of access or social engineering into my Google account, which then allowed the hackers to receive a password reset email from Instagram, giving them control of the account."

    Anonymous Hacker

    http://gizmodo.com/how-hackers-reportedly-side-stepped-gmails-two-fa


    6. Hacking PayPal Accounts with 1 Click

    An attacker can conduct a targeted CSRF attack against a PayPal user and take full control over his account. Requests are then forgeable and include, but are not limited to:

    1. Add/Remove/Confirm Email address
    2. Add fully privileged users to business accounts
    3. Change Security Questions
    4. Change Billing/Shipping Address
    5. Change Payment Methods
    6. Change User Settings (Notifications/Mobile settings)

    and obviously, any other functionality where proper CSRF protection is not present.

    Yasser Ali

    http://yasserali.com/hacking-paypal-accounts-with-one-click/
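As an added example (not Yasser Ali's or PayPal's code), the two handlers below contrast a state-changing endpoint that trusts the session cookie alone with one that requires a synchronizer token bound to the session. `SESSIONS`, the cookie and form field names, `CSRF_SECRET` and the sample requests are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated fresh for this demo.
CSRF_SECRET = secrets.token_bytes(32)

# Constructed session store: session cookie value -> account.
SESSIONS = {"sess-victim": "victim@example.com", "sess-attacker": "attacker@example.com"}


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: HMAC-SHA256(secret, session id).

    A token minted for the attacker's own session is useless against the
    victim's session, and a forged page cannot read the victim's token because
    the same-origin policy keeps it from reading the victim's pages.
    """
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_vulnerable(cookies: dict, form: dict) -> tuple:
    """State-changing handler that trusts the session cookie alone.

    The browser attaches the victim's cookie to a form auto-submitted by any
    page the victim visits, so the request is forgeable with one click (or none).
    """
    account = SESSIONS.get(cookies.get("session"))
    if account is None:
        return ("unauthenticated", None)
    return ("changed", form["new_email"])


def change_email_protected(cookies: dict, form: dict) -> tuple:
    """Same handler with a session-bound synchronizer token check."""
    session_id = cookies.get("session")
    account = SESSIONS.get(session_id)
    if account is None:
        return ("unauthenticated", None)
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return ("rejected", None)
    return ("changed", form["new_email"])


# Constructed requests. The victim's browser sends its own cookie with each one.
VICTIM_COOKIES = {"session": "sess-victim"}
FORGED_FORM = {"new_email": "attacker@example.com"}  # auto-submitted from attacker page
FORGED_WITH_ATTACKER_TOKEN = {**FORGED_FORM, "csrf_token": csrf_token("sess-attacker")}
LEGIT_FORM = {"new_email": "new@example.com", "csrf_token": csrf_token("sess-victim")}
```

The third request shows why the token must be bound to the session: a token the attacker obtained from their own account must not validate for anyone else's, otherwise every protected action on the list above is one forged form away.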


    5. Misfortune Cookie

    Researchers from Check Point's Malware and Vulnerability Research Group uncovered this critical vulnerability present in millions of residential gateway (SOHO router) devices from different models and makers. It has been assigned the CVE-2014-9222 identifier. This severe vulnerability allows an attacker to remotely take over the device with administrative privileges.

    Lior Oppenheim, Shahar Tal

    http://mis.fortunecook.ie/


    Background: TR-069



    ACS

    Single Point of Failure

    ACS is very powerful, as required by TR-069

    Port 7547


    TR-069 Diversity

    Connection Request Server Technologies


    Get to the hack already!

    HTTP Header Fuzzing RomPager

    Authorization: Digest username=…

    Router Crashes

    Unprotected String Copy



    RomPager uses cookies

    Cookie array is pre-allocated memory

    10 x 40-byte cookies

    C0, C1, C2, etc. No more memory variations between firmwares


    Misfortune Cookie Remediation

    Most people will just need to wait for a manufacturer fix

    Technical people can flash firmware (DD-WRT, etc.)

    Don't buy these: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf


    4. Rosetta Flash

    "Rosetta Flash [is] a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site. This is a CSRF bypassing Same Origin Policy."

    Michele Spagnuolo

    https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/


    What is it?

    Rosetta Flash is a tool that converts normal binary SWF files and returns a compressed, alphanumeric-only equivalent


    JSONP

    Widely used

    callback parameter in URL

    Only accepts …, …, and … as valid


    JSONP

    Just a handful of sites used JSONP and were vulnerable:

    - Google
    - Yahoo!
    - YouTube
    - LinkedIn
    - Twitter
    - Instagram
    - Flickr
    - eBay
    - Mail.ru
    - Baidu
    - Tumblr
    - Olark

    SWF Header Formats


    Faking valid zlib data

    First 2 bytes of zlib stream

    Huffman Coding: Bit reduction

    DEFLATE: Duplicate string elimination (LZ77 algorithm)

    ADLER32 Checksum

    SWF to Alphanum

    [Attack-flow diagram; recoverable labels: HTML Po…, Attacker, crossdom…]


    Mitigations

    Don't use JSONP on sensitive domains

    HTTP Headers:

    Content-Disposition: attachment; filename=f.txt
    X-Content-Type-Options: nosniff

    Latest versions of Flash are patched by Adobe
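An added example, not code from the Rosetta Flash write-up or from any of the sites listed: a JSONP endpoint that reflects an alphanumeric callback at byte 0 of the response, beside a hardened version that applies the two headers above and a leading `/**/` comment. `CALLBACK_RE`, `ALPHANUM_SWF_CALLBACK` (a stand-in that shares only the `CWS` signature with a real alphanumeric SWF) and `would_run_as_swf` (an approximation of the then-current Flash Player behaviour as the write-up describes it, not Adobe's code) are assumptions of the demo.

```python
import json
import re

# Typical JSONP callback allow-list: alphanumerics and underscore only (assumed
# for the demo; real endpoints varied, which is what Rosetta Flash relied on).
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_]+$")

# The three SWF file signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Constructed stand-in for Rosetta Flash output. The real tool emits a complete
# zlib-compressed SWF made only of [A-Za-z0-9]; only the "CWS" prefix matters
# here to show that it passes the callback filter and lands at byte 0.
ALPHANUM_SWF_CALLBACK = "CWSalphanumericSwfBodyStandIn0123456789"


def jsonp_response_vulnerable(callback: str, data: dict) -> tuple:
    """Reflects the callback verbatim at byte 0 of the response body."""
    if not CALLBACK_RE.match(callback):
        raise ValueError("callback rejected")
    body = f"{callback}({json.dumps(data)})".encode()
    return {"Content-Type": "application/javascript"}, body


def jsonp_response_hardened(callback: str, data: dict) -> tuple:
    """Same endpoint with the headers from the slide plus a /**/ prefix.

    The comment prefix keeps attacker-controlled bytes away from offset 0, so
    the body can never start with an SWF signature; the attachment disposition
    tells plugins not to execute the response at all.
    """
    if not CALLBACK_RE.match(callback):
        raise ValueError("callback rejected")
    body = f"/**/{callback}({json.dumps(data)})".encode()
    headers = {
        "Content-Type": "application/javascript",
        "Content-Disposition": "attachment; filename=f.txt",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def would_run_as_swf(headers: dict, body: bytes) -> bool:
    """Approximation of the pre-patch Flash Player decision the attack abused:
    the Content-Type is ignored, the first bytes decide, and an attachment
    disposition stops execution. Not Adobe's exact logic."""
    if headers.get("Content-Disposition", "").startswith("attachment"):
        return False
    return body[:3] in SWF_SIGNATURES
```

Note that `X-Content-Type-Options: nosniff` is aimed at browsers, not at the plugin, which is why the `/**/` prefix (which breaks the signature on its own) and the attachment disposition do the work in this model; the allow-list on the callback is exactly what the alphanumeric SWF was built to satisfy.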


    3. POODLE

    Encryption downgrade attack to SSLv3.0

    Like BEAST and CRIME, a successful exploit targets the client, not the server

    Requires a determined MitM attacker

    Bodo Möller, Thai Duong, Krzysztof Kotowicz

    https://www.openssl.org/~bodo/ssl-poodle.pdf

    [Diagram slides 28-36: how an SSLv3 record is built and encrypted]

    Plaintext + Key -> [Magic] -> C (ciphertext)
    Sensitive Data
    MAC appended to the Sensitive Data
    Padding appended (DES uses 8-byte blocks, AES uses 16-byte blocks)
    CBC encryption is occurring, block by block

    Requirements

    A motivated and active MITM attacker.

    A webserver set up to force the JS requests to break m… encryption blocks.

    Solution

    Disable SSLv3.0 in the client.

    Disable SSLv3.0 in the server.

    Disable support for CBC-based cipher suites when using SSLv3.0, in either client or server.
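A toy model of the POODLE padding oracle, added here as an example; it is not code from the paper or from the presenters. Assumptions of the demo: a 4-round Feistel permutation (`block_encrypt`) stands in for the real 16-byte block cipher, a truncated HMAC-SHA256 stands in for SSLv3's MAC, and `victim_request` models the attacker's JavaScript controlling the request length so that the target byte lands at the end of a block and the record ends in a full block of padding (the "webserver set up to force the JS requests" requirement above). The padding rule itself, only the final length byte is checked and the pad bytes are ignored, is SSLv3's real weakness and is what `sslv3_accepts` implements.

```python
import hashlib
import hmac
import os

BLOCK = 16
ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(16)   # constructed session keys
SECRET = b"Cookie=s3cr3t!"                          # constructed secret in the victim's requests


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for a real 16-byte block cipher."""
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def sslv3_encrypt(plaintext: bytes) -> bytes:
    """SSLv3 record: plaintext || MAC || padding, CBC-encrypted, IV prepended.
    SSLv3 pad bytes are arbitrary; only the final byte (pad length) means anything."""
    mac = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:16]
    body = plaintext + mac
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = prev = os.urandom(BLOCK)
    out = []
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(ENC_KEY, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def sslv3_accepts(record: bytes) -> bool:
    """Server side: True if padding length is sane and the MAC verifies.
    Weak SSLv3 check: pad_len < BLOCK is all that is verified about the padding."""
    plain, prev = b"", record[:BLOCK]
    for i in range(BLOCK, len(record), BLOCK):
        blk = record[i:i + BLOCK]
        plain += _xor(block_decrypt(ENC_KEY, blk), prev)
        prev = blk
    pad_len = plain[-1]
    if pad_len >= BLOCK:
        return False
    body = plain[:len(plain) - pad_len - 1]
    data, mac = body[:-16], body[-16:]
    return hmac.compare_digest(mac, hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:16])


def victim_request(prefix_len: int, suffix_len: int) -> bytes:
    """What the attacker's JavaScript makes the browser send: attacker-chosen
    path length before the cookie, attacker-chosen body length after it."""
    return b"/" * prefix_len + SECRET + b"&" * suffix_len


def poodle_recover_byte(j: int, max_tries: int = 40000):
    """Recover SECRET[j] by substituting its ciphertext block for the padding block."""
    prefix_len = (BLOCK - 1 - j) % BLOCK               # SECRET[j] becomes the last byte of a block
    suffix_len = -(prefix_len + len(SECRET)) % BLOCK   # plaintext a block multiple, so the
    i = (prefix_len + j) // BLOCK                      # final block is 16 bytes of padding
    for _ in range(max_tries):
        rec = sslv3_encrypt(victim_request(prefix_len, suffix_len))   # fresh IV per request
        blocks = [rec[k:k + BLOCK] for k in range(0, len(rec), BLOCK)]  # blocks[0] is the IV
        tampered = b"".join(blocks[:-1]) + blocks[i + 1]            # C_n := C_i
        if sslv3_accepts(tampered):
            # Accepted only when D(C_i) xor C_{n-1} ends in 0x0F, and D(C_i) = P_i xor C_{i-1}
            return (BLOCK - 1) ^ blocks[i][BLOCK - 1] ^ blocks[-2][BLOCK - 1]
    return None


def poodle_recover_secret() -> bytes:
    return bytes(poodle_recover_byte(j) for j in range(len(SECRET)))
```

Each byte costs about 256 forced requests, since the substituted block decrypts to a valid full padding block with probability 1/256; a MAC over the padding (as in TLS, where the pad bytes are also checked) or, as the slide says, simply not negotiating SSLv3 or CBC suites, removes the oracle.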


    2. ShellShock

    Also known as Bashdoor

    CVE-2014-6271

    Disclosed on September 24, 2014.

    Simply put: () { :; }; echo win

    Stéphane Chazelas

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271


    Example with MassScan by @ErrataRob

    target-ip = 0.0.0.0/0
    port = 80
    banners = true
    http-user-agent = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
    http-header[Cookie] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
    http-header[Host] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx
    http-header[Referer] = () { :; }; ping -c 3 xxx.xxx.xxx.xxx

    Before we had fancy GUIs


    ShellShock explained simply

    VAR="This is something I'd really like to remember."
    VAR="This should also be treated as text, not syntax"
    VAR="rm -rf /"
    VAR="() { :;}; rm -rf /"

    echo $VAR
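Detection logic as an added example (not from the advisory, masscan or the presenters): parse a raw HTTP request and flag any header, or the request line, carrying the `() {` function-definition prefix that the masscan configuration above plants in several headers. `PROBE` and `BENIGN` are constructed requests; the ping target stays the slide's placeholder `xxx.xxx.xxx.xxx`.

```python
import re

# The function-definition prefix that a vulnerable bash (CVE-2014-6271) parses,
# and then keeps executing past, when it imports an environment variable.
# Bash matched the exact four characters "() {"; the detector is deliberately
# looser (optional whitespace) so near-miss probes are flagged as well.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_request(raw: bytes) -> tuple:
    """Split a raw HTTP request into (request line, {header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers


def shellshock_findings(raw: bytes) -> list:
    """Return (location, value) pairs carrying the Shellshock marker.

    CGI servers export every request header as an HTTP_* environment variable
    (and the query string as QUERY_STRING) before spawning the handler, which
    is why User-Agent, Cookie, Host and Referer were all usable delivery points.
    """
    request_line, headers = parse_request(raw)
    hits = [(name, value) for name, value in headers.items() if SHELLSHOCK_RE.search(value)]
    if SHELLSHOCK_RE.search(request_line):
        hits.append(("request-line", request_line))
    return hits


# Constructed sample traffic: the first request mirrors the masscan probe from
# the slide (payload in several headers), the second is ordinary browser traffic
# whose parentheses and braces must not trigger the rule.
PROBE = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: () { :; }; ping -c 3 xxx.xxx.xxx.xxx\r\n"
    b"User-Agent: () { :; }; ping -c 3 xxx.xxx.xxx.xxx\r\n"
    b"Cookie: () { :; }; echo win\r\n"
    b"Accept: */*\r\n\r\n"
)
BENIGN = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0\r\n"
    b"Cookie: theme=dark; {width=80}\r\n\r\n"
)
```

The rule is a string match on the only part of the payload an attacker cannot vary (the prefix bash keys on), so it holds across the `ping`, `echo win` and `rm -rf /` variants on the slides; what follows the prefix is where the interesting forensic detail lives, so keep the whole value, as `shellshock_findings` does.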


    1. Heartbleed

    It allows an attacker to anonymously download a chunk of memory from a server using OpenSSL.

    A catastrophic vulnerability, to be accompanied b…

    ~17% (500k) of all secure servers were vulnerable

    Neel Mehta

    http://heartbleed.com/

    Market share of the busiest sites

    Market share of the active sites


    What is a heartbeat anyways and why?

    http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

    Found in:

    /ssl/d1_both.c
    /ssl/t1_lib.c

    Both containing the following:

    buffer = OPENSSL_malloc(1 + 2 + payload + padding);

    Fixed in this commit:

    https://github.com/openssl/openssl/commit/96db9023b881d7cd9f379b0c154650d6c108e9a3

    The payload length is now bounds-checked against the received record: if 1 + 2 + payload + 16 (the minimum padding) exceeds the record length, the heartbeat is silently discarded, so the response can no longer read past the request.

    "Ultimately, this boiled down to a very simple bug in a very small piece of code … very small fix" ~ @TroyHunt
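A model of the heartbeat handling before and after the fix, added here as an example; it is not OpenSSL code. `HEAP_AFTER_RECORD` is a constructed stand-in for whatever memory followed the received record, and the message layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding). `respond_fixed` applies the `1 + 2 + payload + 16 > length` test from the fix commit linked above; `respond_vulnerable` trusts the length field as the original code did.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for whatever happened to sit in the heap after the
# received record (the "RANDOMDATA" of the deck's diagram).
HEAP_AFTER_RECORD = b"\x00" * 8 + b"user=admin; session=c0ffee\x00" + b"RANDOMDATA" * 20


def heartbeat_record(claimed_len: int, payload: bytes) -> bytes:
    """Heartbeat message: type(1) || payload_length(2) || payload || padding.
    An honest client sets claimed_len == len(payload); Heartbleed lies about it."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(record: bytes) -> bytes:
    """Pre-fix logic: trust the length field, allocate 1 + 2 + payload + padding
    and copy that many bytes starting at the payload, whatever follows the record."""
    _, payload_len = struct.unpack("!BH", record[:3])
    memory = record[3:] + HEAP_AFTER_RECORD        # payload, then adjacent heap (model)
    return (struct.pack("!BH", HB_RESPONSE, payload_len)
            + memory[:payload_len] + b"\x00" * MIN_PADDING)


def respond_fixed(record: bytes):
    """Post-fix logic (commit 96db9023...): bounds-check the claimed payload
    against the record actually received; discard silently on mismatch."""
    if 1 + 2 + MIN_PADDING > len(record):
        return None                                # too short for type, length and padding
    _, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        return None                                # claimed payload does not fit the record
    return (struct.pack("!BH", HB_RESPONSE, payload_len)
            + record[3:3 + payload_len] + b"\x00" * MIN_PADDING)


def leaked(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes echoed in a heartbeat response that were never part of the request."""
    _, payload_len = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + payload_len]
    return echoed[len(sent_payload):]
```

The honest heartbeat gets the same answer from both versions, which is why the fix was safe to ship unconditionally; the lying one (1 byte sent, 65,535 claimed) is answered with neighbouring memory by the old logic and dropped by the new one.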

    [Diagram slides 47-52: Client <-> Server message flow]

    Client -> Server: TLS Request 1 … TLS Request n
    Server -> Client: TLS Response 1 … TLS Response n

    Client -> Server: Heartbeat Request (Keep Alive): Payload, Size
    Server -> Client: Heartbeat Response: Payload, Some Padding

    Hacker -> Server: Heartbeat Request: Payload of 1 byte, Size field claiming 65,536 bytes
    Server -> Hacker: Payload followed by the neighbouring server memory (drawn as RANDOMDATA… in the deck)

    What we've learned

    Encryption is King: Many web hacks and Transport Layer … are always feared and respected.

    Creativity is Rare: Utilizing … under our noses in new and … ways is always impressive.

    Web Security Prevails: O… hacks of 2014, web hacks … headlines. Web is where th… and data is what we all hol…


    Special thanks to the community who voted and to our panel of experts: Jeff Williams, Zane Lackey, Daniel Miessler, Troy Hunt, Giorgio Maone, Peleus Uhley, a…