Attacks on large modern Web Application CARO2012, Munich, Germany, 15/05/2012

Upload: ivan-novikov

Post on 25-May-2015


DESCRIPTION

Caro2012 report: Attack on large modern web applications. Vladimir Vorontsov, ONsec, Russia. Munich, May 14-15, 2012

TRANSCRIPT

Page 1

Attacks on large modern Web Applications. CARO2012, Munich, Germany, 15/05/2012

Page 2

Author bio: Vladimir Vorontsov, @d0znpp, [email protected]

• Engaged in research in the field of web application security (since 2004)
• Founder and security expert of the ONsec company (since 2009)
• Nowadays: development of self-learning systems for the detection of attacks on web applications and heuristic analysis

Page 3

Web Applications: what is large?

• > 1000 unique visitors per day

• > 4 subdomains

• 1+ internal network

• Distributed architecture (BE+FE+DB)

• Commercial advantage

Page 4

Web Applications: what is modern?

• Cross-browser markup

• AJAX used

• HTML5

• External web services used

• API generally provided (SOAP or REST)

Page 5

Web Applications: typical case

• Social network
• News portal
• Job search portal
• Internet auction
• Big online store
• Professional portal
• Enterprise portals

Statistics from 100+ webapps since 2009

Page 6

Web Applications: typical arch

[Diagram: request (HTTP) → Load balancer → App servers → request (SQL) → DB servers; the responses return along the same path]

Page 7

Attack #1. Denial of Service: it is possible to take down a web application with 5-10 specially crafted HTTP requests

• Not the same as DDoS attacks
• Based on vulnerabilities
• Doesn't require a large number of bots
• Doesn't require a large number of requests
• Requires vulnerabilities in the web application

83% of webapps are vulnerable

Page 8

DoS #1.1 App servers under attack: architecture of attacks

[Diagram: Load balancer in front of App server #1 and App server #2, both backed by DB servers. A normal request (HTTP) gets a response. A special request (HTTP) sent to App server #1 ends in a timeout; the next request (HTTP), routed to App server #2, also times out; and more… until nothing left]
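The slides show the effect of this attack (a handful of requests, each holding a worker until it times out) but not how to tell it apart from a volumetric flood in the server logs. The following is an added example, not code from the talk or from ONsec: a small detector over access-log lines that flags clients which consumed a lot of server time with very few requests. It assumes nginx's combined log format with $request_time appended as the last field; the log lines themselves are constructed for this example.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example): nginx "combined" with
# $request_time appended as a final field, e.g.
#   10.0.0.5 - - [15/May/2012:10:00:01 +0200] "GET /news HTTP/1.1" 200 2048 0.044
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>\d+(?:\.\d+)?)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["secs"] = float(rec["secs"])
    return rec


def find_low_volume_dos(lines, max_requests=10, min_total_seconds=60.0):
    """Return {ip: stats} for clients that used at least min_total_seconds of
    server time with at most max_requests requests.  A flood of cheap requests
    deliberately does not match: that is a different signal (volumetric DDoS)
    with different mitigations."""
    stats = defaultdict(lambda: {"requests": 0, "total_seconds": 0.0, "timeouts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["total_seconds"] += rec["secs"]
        if rec["status"] in (499, 503, 504):  # client gave up / upstream timed out
            s["timeouts"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["requests"] <= max_requests and s["total_seconds"] >= min_total_seconds:
            s["seconds_per_request"] = round(s["total_seconds"] / s["requests"], 3)
            flagged[ip] = s
    return flagged


def _line(ip, n, request, status, secs):
    # Constructed log line; the timestamp is fixed apart from the seconds field.
    return f'{ip} - - [15/May/2012:10:00:{n:02d} +0200] "{request}" {status} 512 {secs:.3f}'


# Constructed sample: one normal client, one busy but cheap client (many fast
# requests), and one client whose six requests each tie up a worker for 30 s.
SAMPLE_LOG = (
    [_line("10.0.0.5", i, "GET /news HTTP/1.1", 200, 0.04) for i in range(3)]
    + [_line("203.0.113.9", i, "GET /search?q=x HTTP/1.1", 200, 0.05) for i in range(12)]
    + [_line("198.51.100.7", i, "GET /export?range=all HTTP/1.1", 504, 30.0) for i in range(6)]
)

if __name__ == "__main__":
    for ip, s in find_low_volume_dos(SAMPLE_LOG).items():
        print(ip, s)
```

The thresholds (at most 10 requests, at least 60 s of server time) are starting points to tune against your own traffic; the useful property is that the rule keys on cost per request, which is exactly what distinguishes this attack from a bot flood.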

Page 9

DoS #1.1 App servers under attack: vulnerability statistics

Page 10

DoS #1.2 DB servers under attack: architecture of attacks

[Diagram: same layout as DoS #1.1. The special request (HTTP) makes App server #1 issue a request (SQL) that times out at the DB servers; subsequent requests (HTTP) through App server #1 and App server #2 time out as well, and more… until nothing left]

Page 11

DoS #1.2 DB servers under attack: vulnerability statistics

Page 12

Attack #2. Infrastructure attack: find and exploit vulnerabilities in the webapp infrastructure

• Network scan (IP range)
• Subdomains scan

73% of webapps were exploited by infrastructure attacks

Page 13

Typical subdomains

Page 14

Infrastructure attack: example from the wild

[Diagram: example.com, beta.example.com, svn.beta.example.com, svn.example.com]

1. Find subdomains
2. 403 Forbidden at beta
3. X-Forwarded-From header bruteforced
4. Find a vuln in beta
5. Exploit beta's vuln, gain a webshell
6. Observe beta server, find a SVN password
7. Backdoored code at svn.beta
8. Daily release gains backdoor at host domain
9. Profit

Page 15

References between subdomains. Crossdomain.xml:

• The policy configuration file for both Adobe Flash and MS Silverlight
• Used to configure the Same Origin Policy in browsers
• May be used by an attacker to get page content from a subdomain's page

Page 16

X-Crosser. Tool for scanning cross-refs

Subdomain scanner:
• Wordlist bruteforce
• DNS reverse-lookup (IP scan)
• Service discovery (port list)
• Find records in crossdomain.xml, robots.txt

Crossdomain analyzer:
• Collect all crossdomain.xml
• Analyze references between subdomains and draw them (graphviz)

Will be published soon as an open-source tool
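As an added example of the crossdomain analyzer step on this slide and the previous one (this is not the X-Crosser code, which the slide says is still to be published): the three crossdomain.xml documents below are constructed and keyed by the host that would serve them. The script builds the "which origins may read which host" graph, lists the findings a reviewer of these policies would raise (wildcards, cross-host grants, secure="false"), and emits Graphviz DOT text for drawing.

```python
import xml.etree.ElementTree as ET

# Constructed crossdomain.xml documents, keyed by the host that would serve them.
POLICIES = {
    "example.com": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="beta.example.com" secure="false"/>
</cross-domain-policy>""",
    "beta.example.com": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>""",
    "svn.example.com": """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="none"/>
</cross-domain-policy>""",
}


def parse_policy(text):
    """Return the (domain, secure) pairs granted by one crossdomain.xml.
    The secure attribute defaults to true; only an explicit "false" relaxes it."""
    root = ET.fromstring(text)
    entries = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        secure = el.get("secure", "true").lower() != "false"
        entries.append((domain, secure))
    return entries


def build_trust_graph(policies):
    """Map each host to the set of origins its policy lets read its content."""
    return {host: {d for d, _ in parse_policy(text)} for host, text in policies.items()}


def find_risky(policies):
    """Findings as (host, granted_domain, reason) tuples."""
    findings = []
    for host, text in policies.items():
        for domain, secure in parse_policy(text):
            if domain == "*":
                findings.append((host, domain, "any origin may read this host"))
            elif domain.startswith("*."):
                findings.append((host, domain, "every subdomain may read this host"))
            elif domain != host:
                findings.append((host, domain, "cross-host reference"))
            if not secure:
                findings.append((host, domain, "secure=false: http origins may read https content"))
    return findings


def to_dot(graph):
    """Graphviz DOT text: an edge from each granted origin to the host it may read."""
    lines = ["digraph crossdomain {"]
    for host, origins in sorted(graph.items()):
        for origin in sorted(origins):
            lines.append(f'  "{origin}" -> "{host}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in find_risky(POLICIES):
        print(*finding, sep=" | ")
    print(to_dot(build_trust_graph(POLICIES)))
```

In the constructed data the graph makes the chain visible at a glance: beta.example.com trusts everyone, and example.com trusts beta.example.com, so anything that can script on beta can read the main site's content through the plugin policy.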

Page 17

X-Crosser. Tool for scanning cross-refs

Page 18

Subdomains and cookies management. RFC 6265, April 2011: cookies are set for all subdomains together

Now XSS at a subdomain is as dangerous as at the host domain

Only 3% of webapps used HttpOnly cookies
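An added example (not from the talk) of the check behind the last two points: a small audit of Set-Cookie headers that reports the scope a cookie's Domain attribute gives it and whether the HttpOnly and Secure flags are present. The header values and host names are constructed.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attribute dict).
    Flag attributes (Secure, HttpOnly) map to True; valued ones to their string."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_cookie(header, served_host):
    """Report the scope of one cookie and the issues a reviewer would raise.
    served_host is the host that sent the header (needed for host-only cookies)."""
    name, attrs = parse_set_cookie(header)
    issues = []
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: readable by script on any host that receives it")
    if "secure" not in attrs:
        issues.append("missing Secure: also sent over plain http")
    domain = attrs.get("domain")
    if domain:
        scope = domain.lstrip(".")  # RFC 6265 ignores a leading dot
        issues.append(f"Domain={domain}: sent to {scope} and every subdomain of it")
    else:
        scope = served_host  # no Domain attribute: host-only cookie
    return {"name": name, "scope": scope, "host_only": domain is None, "issues": issues}


# Constructed headers: a session cookie scoped to the whole domain with no flags,
# and the same cookie hardened as a host-only cookie with both flags.
WEAK = "sid=abc123; Domain=.example.com; Path=/"
HARDENED = "sid=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK, HARDENED):
        print(audit_cookie(header, "www.example.com"))
```

The weak form is the combination the slide warns about: a script-readable cookie that every subdomain receives, so an XSS on any of them exposes the main site's session.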

Page 19

Attack #3. SSRF: Server Side Request Forgery

• Like CSRF, but on the server side
• Allows making requests into the internal (protected) network
• May be reached through many types of vulns:
  • Any include (LFI / RFI)
  • Any read (LFR / RFR)
  • XXE
  • etc.

Page 20

SSRF: example from the wild

• Yandex is the leading internet company in Russia, operating the most popular search engine and the most visited website
• The competition "Yandex's Month of Security Bugs" was held in November 2011
• A vuln called "Mass XXE in Yandex's services" won 1st place and a $5000 prize

Page 21

SSRF: example from the wild

• Classic XXE for local file reading:

```xml
<!DOCTYPE test [
<!ENTITY asd SYSTEM '/etc/passwd' > ] >
```

• XXE for SSRF (portscan):

```xml
<!DOCTYPE test [
<!ENTITY asd SYSTEM 'http://intN1:22' > ] >
```

• XXE for SSRF (read internal network page):

```xml
<!DOCTYPE test [
<!ENTITY asd SYSTEM 'http://wiki.local/budget/' > ] >
```

• XXE for SSRF (read internal network page):

```xml
<!DOCTYPE test [
<!ENTITY asd SYSTEM 'ldap://exim.local/?O=*' > ] >
```
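The four payloads above all rely on the parser resolving an external SYSTEM entity. As an added example (not from the talk), here is the parser-side mitigation in Python's standard library: an expat parser that refuses external entity declarations, parameter entities and external DTD references at declaration time, before anything can be fetched, and additionally blocks resolution as a second line of defence. The payloads are wrapped in a root element that references the entity, as they would arrive at a parser; the benign document is constructed.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised for documents that declare entities able to read files or make requests."""


def parse_hardened(xml_bytes):
    """Parse XML with expat, rejecting external/parameter entities and external
    DTDs.  Returns the concatenated character data of the document."""
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external DTD is itself a fetch of an attacker-chosen URL.
        if system_id is not None or public_id is not None:
            raise UnsafeXmlError(f"external DTD reference rejected: {system_id or public_id!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; SYSTEM/PUBLIC ids name the target.
        if is_param or system_id is not None or public_id is not None:
            raise UnsafeXmlError(f"external entity declaration rejected: {name} -> {system_id!r}")
        if value is not None and len(value) > 1024:  # also cap internal entity size (entity expansion)
            raise UnsafeXmlError(f"oversized internal entity rejected: {name}")

    def on_external_ref(context, base, system_id, public_id):
        # Second line of defence: never resolve anything, whatever was declared.
        raise UnsafeXmlError(f"external entity resolution blocked: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text)


def check_payload(xml_bytes):
    """Verdict string: 'ok: <text>' for accepted input, 'rejected: <reason>' otherwise."""
    try:
        return "ok: " + parse_hardened(xml_bytes)
    except UnsafeXmlError as exc:
        return "rejected: " + str(exc)


def _wrap(entity_decl):
    # Put the slide's DOCTYPE in front of a root element that uses the entity.
    return f"<!DOCTYPE test [ {entity_decl} ]><test>&asd;</test>".encode()


# The slide's payloads (quotes straightened so they are well-formed XML).
PAYLOADS = {
    "local file": _wrap("<!ENTITY asd SYSTEM '/etc/passwd'>"),
    "portscan": _wrap("<!ENTITY asd SYSTEM 'http://intN1:22'>"),
    "internal page": _wrap("<!ENTITY asd SYSTEM 'http://wiki.local/budget/'>"),
    "ldap": _wrap("<!ENTITY asd SYSTEM 'ldap://exim.local/?O=*'>"),
}
# Constructed benign document with an internal entity, which stays allowed.
BENIGN = b"<!DOCTYPE t [ <!ENTITY greet 'hello'> ]><t>&greet; world</t>"

if __name__ == "__main__":
    print("benign:", check_payload(BENIGN))
    for label, payload in PAYLOADS.items():
        print(f"{label}:", check_payload(payload))
```

Rejecting at declaration time matters because some parsers resolve a SYSTEM entity as soon as it is declared, so a check that only looks at where the entity is used can be too late.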

Page 22

SSRF: attack architecture

[Diagram: Load balancer in front of App server #1 … App server #N, with back-ends behind them. A special request (HTTP) to App server #1 produces an SSRF request by one of four ways: way #1 to the back-ends, way #2 to another app server (App server #N), way #3 to a protected internal resource (i.e. wiki), way #4 to an external resource; the response returns to the client]

Page 23

??? CARO2012, Germany, Munich, 15/05/2012

@[email protected]