CARO 2012 report: Attacks on large modern web applications
Vladimir Vorontsov, ONsec, Russia
Munich, May 14-15, 2012

Attacks on large modern Web Applications
CARO2012, Munich, Germany, 15/05/2012
Author bio
Vladimir Vorontsov @d0znpp, [email protected]
• Has been engaged in research in the field of web application security since 2004
• Founder and security expert of the ONsec company (since 2009)
• Nowadays: development of self-learning systems for the detection of attacks on web applications and heuristic analysis
Web Applications: what is large?
• > 1000 unique visitors per day
• > 4 subdomains
• 1+ internal network
• Distributed architecture (BE+FE+DB)
• Commercial advantage
Web Applications: what is modern?
• Cross-browser markup
• AJAX used
• HTML5
• External web services used
• API generally provided (SOAP or REST)
Web Applications: typical case
• Social network
• News portal
• Job search portal
• Internet auction
• Big online store
• Professional portal
• Enterprise portals
Statistics from 100+ webapps assessed since 2009
Web Applications: typical architecture (diagram)
Clients send HTTP requests to a load balancer, which forwards them to the app servers; the app servers send SQL requests to the DB servers, and responses flow back along the same path.
Attack #1. Denial of Service
It is possible to take down a web application with 5-10 specially crafted HTTP requests.
• Not the same as DDoS attacks
• Based on vulnerabilities
• Doesn't require a large number of bots
• Doesn't require a large number of requests
• Requires a vulnerability in the web application
83% of webapps are vulnerable
DoS #1.1 App servers under attack: architecture of attacks (diagram)
Normal HTTP requests pass through the load balancer to app server #1 and app server #2 and receive responses. A special HTTP request to an app server never returns (timeout); later requests to that server time out as well, the attack is repeated against the next server, and more, until nothing is left.
DoS #1.1 App servers under attack: vulnerability statistics (chart)
DoS #1.2 DB servers under attack: architecture of attacks (diagram)
A special HTTP request makes the app server issue an SQL request that times out on the DB servers; from then on HTTP requests through either app server time out as well, and more, until nothing is left.
DoS #1.2 DB servers under attack: vulnerability statistics (chart)
Attack #2. Infrastructure attack
Find and exploit vulnerabilities in the webapp infrastructure
• Network scan (IP range)
• Subdomains scan
73% of webapps were exploited via infrastructure attacks
Typical subdomains (chart)
Infrastructure attack: example from the wild (diagram)
Hosts involved: example.com, beta.example.com, svn.beta.example.com, svn.example.com
1. Found subdomains
2. 403 Forbidden at beta
3. X-Forwarded-From header bruteforced
4. Find a vuln in beta
5. Exploit beta's vuln, gain a webshell
6. Observe the beta server, find an SVN password
7. Backdoored code at svn.beta
8. Daily release deploys the backdoor to the host domain
9. Profit
References between subdomains
Crossdomain.xml:
• Policy configuration file for both Adobe Flash and MS Silverlight
• Used to configure the Same Origin Policy in browsers
• May be used by an attacker to get page content from a subdomain's page
X-Crosser. Tool for scanning cross-refs
Subdomain scanner:
• Wordlist bruteforce
• DNS reverse-lookup (IP scan)
• Service discovery (port list)
• Find records in crossdomain.xml, robots.txt
Crossdomain analyzer:
• Collect all crossdomain.xml files
• Analyze references between subdomains and draw them (graphviz)
Will be published soon as an open-source tool
X-Crosser. Tool for scanning cross-refs (continued)
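The crossdomain analyzer step described above, as an added example in Python (not X-Crosser's own code): it parses crossdomain.xml policies collected from two constructed hosts, flags grants that let another origin read a host's content, and emits the cross-reference graph as Graphviz DOT. The sample policies and host names are constructed for the example.

```python
# Added example (not X-Crosser's own code): parse collected crossdomain.xml
# policies, flag grants that let another origin read this host's content,
# and emit the cross-reference graph as Graphviz DOT.
import xml.etree.ElementTree as ET

# Constructed sample policies, keyed by the subdomain they were fetched from.
POLICIES = {
    "example.com": """<cross-domain-policy>
  <allow-access-from domain="www.example.com"/>
  <allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>""",
    "beta.example.com": """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>""",
}

def parse_policy(xml_text):
    """Return (granted_domain, risky) pairs for one crossdomain.xml."""
    grants = []
    for el in ET.fromstring(xml_text).iter("allow-access-from"):
        domain = el.get("domain", "")
        # "*" lets any site read this host's pages; "*.example.com" means an
        # XSS on any subdomain reaches it; secure="false" lets plain-HTTP
        # origins read HTTPS content.
        risky = domain == "*" or domain.startswith("*.") or el.get("secure") == "false"
        grants.append((domain, risky))
    return grants

def cross_refs(policies):
    """Map each scanned host to the grants found in its policy."""
    return {host: parse_policy(text) for host, text in policies.items()}

def to_dot(refs):
    """DOT graph: an edge from each granted origin to the host it may read."""
    lines = ["digraph crossdomain {"]
    for host, grants in refs.items():
        for domain, risky in grants:
            lines.append(f'  "{domain}" -> "{host}"{" [color=red]" if risky else ""};')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(cross_refs(POLICIES)))
```

Pipe the output into `dot -Tpng` to get the kind of cross-reference drawing the slide describes; red edges are the grants worth reviewing first.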
Subdomains and cookies management
RFC 6265, April 2011: cookies are set for the domain and all of its subdomains together
Now an XSS at a subdomain is as dangerous as one at the host domain
Only 3% of webapps used HttpOnly cookies
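An added example (not from the talk) that audits Set-Cookie headers for the two points above: whether the Domain attribute shares the cookie with every subdomain, and whether HttpOnly and Secure are set. The sample headers and host names are constructed.

```python
# Added example (not from the talk): audit a Set-Cookie header for subdomain
# scope (Domain attribute, RFC 6265) and for the HttpOnly / Secure flags.

def audit_set_cookie(header_value, response_host):
    """Return an audit dict for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # RFC 6265: with a Domain attribute the cookie is sent to that domain and
    # all of its subdomains; without one it is host-only.
    domain = attrs.get("domain", "").lstrip(".").lower()
    shared = bool(domain)
    scope = domain if shared else response_host.lower()
    findings = []
    if shared:
        findings.append(f"sent to every subdomain of {scope}: an XSS on any of them can read it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from JavaScript after XSS")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    return {"name": name, "scope": scope, "subdomains": shared,
            "httponly": "httponly" in attrs, "secure": "secure" in attrs,
            "findings": findings}

# Constructed sample headers: the common weak form and the hardened form.
SAMPLES = [
    ("session=abc123; Domain=.example.com; Path=/", "www.example.com"),
    ("session=abc123; Path=/; Secure; HttpOnly", "www.example.com"),
]

if __name__ == "__main__":
    for header, host in SAMPLES:
        print(audit_set_cookie(header, host))
```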
Attack #3. SSRF: Server Side Request Forgery
• Like CSRF, but on the server side
• Lets the attacker make requests into the internal (protected) network
• May be reached through many types of vulns:
  • Any inclusion (LFI / RFI)
  • Any file read (LFR / RFR)
  • XXE
  • etc.
SSRF: example from the wild
• Yandex is the leading internet company in Russia, operating the most popular search engine and the most visited website
• The competition "Yandex's Month of Security Bugs" was held in November 2011
• A vuln called "Mass XXE in Yandex's services" won 1st place and a $5000 prize
SSRF: example from the wild
• Classic XXE for local file reading:
  <!DOCTYPE test [ <!ENTITY asd SYSTEM '/etc/passwd' > ] >
• XXE for SSRF (portscan):
  <!DOCTYPE test [ <!ENTITY asd SYSTEM 'http://intN1:22' > ] >
• XXE for SSRF (read internal network page):
  <!DOCTYPE test [ <!ENTITY asd SYSTEM 'http://wiki.local/budget/' > ] >
• XXE for SSRF (query an internal LDAP server):
  <!DOCTYPE test [ <!ENTITY asd SYSTEM 'ldap://exim.local/?O=*' > ] >
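An added defender-side example in Python (not from the talk or from Yandex): it screens untrusted XML for the external entity declarations behind the four payloads above, classifies where each one would make the server connect (file, http, ldap), and refuses to parse any document that carries a DTD at all. The sample documents are constructed from the payloads on this slide.

```python
# Added example (not from the talk): screen untrusted XML for the external
# entity declarations behind the XXE payloads above, classify where each one
# would make the server connect, and refuse to parse such documents at all.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri">
# (general or %parameter entities), which is where XXE starts.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC)\s+"
    r"(?:\"[^\"]*\"\s+|'[^']*'\s+)?[\"']([^\"']*)[\"']",
    re.IGNORECASE,
)

def screen_xml(xml_text):
    """Return one record per external entity: name, target URI and scheme.
    A bare path such as /etc/passwd is classified as a file read."""
    hits = []
    for param, name, uri in ENTITY_RE.findall(xml_text):
        scheme = urlsplit(uri).scheme.lower() or "file"
        hits.append({"entity": ("%" if param else "") + name, "uri": uri, "scheme": scheme})
    return hits

def safe_parse(xml_text):
    """Parse only documents without a DTD; a DOCTYPE is rejected outright,
    since an application feed has no business declaring entities."""
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        raise ValueError("DTD not allowed: " + "; ".join(
            f"{h['entity']} -> {h['scheme']}:{h['uri']}" for h in screen_xml(xml_text)))
    return ET.fromstring(xml_text)

# Constructed inputs: the four payloads above, plus a benign document.
PAYLOADS = [
    '<!DOCTYPE test [ <!ENTITY asd SYSTEM "/etc/passwd" > ] ><test>&asd;</test>',
    '<!DOCTYPE test [ <!ENTITY asd SYSTEM "http://intN1:22" > ] ><test>&asd;</test>',
    '<!DOCTYPE test [ <!ENTITY asd SYSTEM "http://wiki.local/budget/" > ] ><test>&asd;</test>',
    '<!DOCTYPE test [ <!ENTITY asd SYSTEM "ldap://exim.local/?O=*" > ] ><test>&asd;</test>',
]
BENIGN = "<test><item>ok</item></test>"

if __name__ == "__main__":
    for doc in PAYLOADS:
        print(screen_xml(doc))
    print(safe_parse(BENIGN).tag)
```

The scheme field is what a log line or WAF rule should carry: a file scheme points at local file reading, while http and ldap targets on internal names show the request would have left the app server into the protected network.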
SSRF: attack architecture (diagram)
A special HTTP request reaches app server #1 through the load balancer and receives a response. From app server #1 the forged request can go four ways (#1 to #4): to the back-ends, to another app server (#N), to a protected internal resource (i.e. a wiki), and to an external resource.
???
CARO2012, Germany, Munich, 15/05/2012