Multi-Post XSRF WebApp Exploitation · 2020-05-17
![Page 1: Multi-Post XSRF WebApp Exploitation · 2020-05-17 · Multi-Post XSRF WebApp Exploitation Adrien de Beaupré SANS ISC Handler and Certified SANS Instructor Intru-Shun.ca Inc. Introduction](https://reader033.vdocuments.mx/reader033/viewer/2022042302/5ecd81112fb9bf0104494bc3/html5/thumbnails/1.jpg)
Multi-Post XSRF WebApp Exploitation
Adrien de Beaupré SANS ISC Handler and
Certified SANS Instructor Intru-Shun.ca Inc.
Introduction
• Web application vulnerabilities
• What is XSRF
• Code
• Demo
https://isc.sans.edu/diary/18507
https://www.youtube.com/watch?v=t9kyQPDQoh4&list=UUtzOhHovEkcX3MKUbC9_zBQ
Doing a pen test
• I enjoy performing penetration tests; I also enjoy teaching how to do penetration testing correctly.
• Never consider the vulnerabilities in isolation, using them in combination truly demonstrates the risk and impact.
• The list of things that it was vulnerable to was quite impressive!
Vulnerabilities
• Content can be framed
• XSS
• Method interchange
• DoS: the application hangs on long, abnormal inputs; it relies on client-side validation only
• Able to upload files, including malicious content
…
• Information leakage, internal server names, IP addresses, install locations...
• XSRF
• User enumeration via forgot password function
• Administrators can disable their own account
XSS
• Cross Site Scripting, aka XSS, script injection
• Create trouble ticket
• Ticket will be first viewed by administrator
• Script executes in the administrator browser
• Administrator can perform all of the functions vulnerable to XSRF
XSRF
• A significant number of the functions were vulnerable to Cross Site Request Forgery (CSRF or XSRF), which is also known as session riding and transaction injection.
• Traditionally a CSRF attack does ONE TRANSACTION
• The functions that were vulnerable had absolutely no anti-XSRF protection, and the interesting ones were all in the administrator part of the site.
What could we do?
• Add a new user and put it in the administrator group
• Lock out the super-user account
• Log out the super-user account
• Performed the functions in the correct order
• Each function would wait for the previous one to complete
• It was all in one HTML page
• Would force the administrator to view a certain Rick Astley video :)
Rick Astley
OK, we didn't do the last one, that would be WAY too mean.
Pseudo code
• HTML to inject in XSS
• 1 form per transaction
• 1 iframe per form
• <body onload="runme();">
• JavaScript:
– runme() submits the forms
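The admin functions in the talk had no anti-XSRF protection at all, so the chain under "What could we do?" and the pseudo code above ran unopposed. As an added example (not code from the talk or from any product it mentions), the server-side check that would have stopped that chain at its first form: a per-session synchronizer token plus an Origin check, applied to each state-changing POST in order. The application origin, the action names and the request model are assumed for illustration.

```python
# Added example, not from the talk: the anti-XSRF check the admin functions lacked,
# applied to the three-step chain. Origin, action names and request shape are hypothetical.
import hmac
import secrets

APP_ORIGIN = "https://tickets.example"  # assumed origin of the protected app

def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: one random secret per session, embedded in each form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_rejection_reason(session: dict, headers: dict, form: dict):
    """None if the state-changing POST may proceed, otherwise why it is refused."""
    # Origin (Referer as a fallback) must be the application itself.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin != APP_ORIGIN and not origin.startswith(APP_ORIGIN + "/"):
        return "origin mismatch"
    # A forged form cannot know the victim's per-session token; compare in constant time.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "missing or invalid csrf token"
    return None

def run_chain(session: dict, posts: list) -> list:
    """Process POSTs in order and stop at the first refusal, mirroring the talk's
    chain, where each form waited for the previous one to complete."""
    outcome = []
    for headers, form in posts:
        reason = csrf_rejection_reason(session, headers, form)
        outcome.append((form.get("action"), reason or "performed"))
        if reason:
            break
    return outcome

def demo():
    admin_session = {"user": "admin"}
    token = issue_csrf_token(admin_session)
    # Constructed: the three-form chain auto-submitted from a hidden iframe on an
    # attacker-controlled page; it carries no token and a foreign Origin.
    forged = [({"Origin": "https://evil.example"}, {"action": a})
              for a in ("add_user", "lock_account", "logout")]
    # Constructed: the same first action issued from the admin's own form.
    legit = [({"Origin": APP_ORIGIN}, {"action": "add_user", "csrf_token": token})]
    return run_chain(admin_session, forged), run_chain(admin_session, legit)
```

Note the limit the talk itself exposes: when the forms are injected through stored XSS, the script already runs in the application's origin and can read the token from the page, so the Origin check and the token only close the pure cross-site path; the XSS (encoding of ticket content on output) has to be fixed on its own.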
Omeka
• Is vulnerable to XSRF
• I could not use the application that I did the pen test for as a demonstration or public PoC
• Omeka is easy to install and easy to exploit!
Demo
Now we cross our fingers
Thanks!
Adrien de Beaupré SANS ISC Handler
Certified SANS Instructor Independent Consultant
Intru-Shun.ca Inc. Bsides Ottawa
@adriendb [email protected]