Reverse engineering a web application - for fun, behavior and detection
DESCRIPTION
Presentation I did at AppSec and Sector
TRANSCRIPT
Sector 2014, Toronto, Ontario
Reverse Engineering a Web Application - For Fun, Behavior &
WAF Detection
Rodrigo “Sp0oKeR” Montoro
Sucuri Security
$ whois @spookerlabs
➢ Senior Security Administrator at Sucuri Security
➢ Author of 2 patent pending technologies
➢ Researcher
➢ Open Source enthusiast
➢ Triathlete
➢ Dad
Over 50 Security Professionals Making a Safer Web
About Sucuri Security
SECURITY SCANNING & ANALYSIS
Checking the health of over 3 million websites every month through our free Sitecheck Scanner: http://sitecheck.sucuri.net
MALWARE CLEANUP
Cleaning and remediating 300 – 400 hacked or infected websites every day.
ATTACK PROTECTION
Blocking over 33 million attacks and instances of malicious traffic every month
EDUCATION
Providing detailed and actionable security information through our blog at http://blog.sucuri.net
This talk is based on WordPress / NGINX, but the concepts can apply to any Web Application / CMS.
A Note on the Examples
Motivations
➢ Trying a different approach than a regular WAF
➢ Protect specific content (CMS)
➢ Malware reinfections
➢ Fewer rules with better detection = performance
➢ Protection against "new vulnerabilities"
➢ Introduction
➢ Detection steps
○ Reverse Engineering a CMS’s traffic
○ Analyzing Application structure (Files / Directories)
○ Local protection & hardening
○ Statistical Data
➢ Challenges
➢ Conclusions
Agenda
Introduction
Normalizing concepts
“Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object.”
Reverse Engineering
1 "equal" 2
1 "not equal" a
Whitelisting
➢ Traffic Analysis
○ Requests
○ Responses
➢ Application Structure Analysis
○ Directories
○ Headers
○ Files
➢ Behavior
○ Log correlation
○ Application
○ Honeypots
Our Scope: WAF Detection
REPEAT
4 Detection steps
Detection steps
Reversing Traffic
The HTTP Protocol
➢ Methods
➢ URI
➢ Parameters
➢ Headers
Traffic Analysis
Crawling the Application
GET Request
POST Request
Oh wait! Get a job from the headers...
Full Request
Sucuri Beta pcap traffic parser v0.0.1 (Matched)
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
After basic manual analysis, a tool ...
Sucuri Beta pcap traffic parser v0.0.1 (Not Matched)
URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex
URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex
URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
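The whitelist idea behind the parser output above, as an added example (written for this page, not Sucuri's parser): the three parameter patterns are the ones printed in the output, while the dictionary layout and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Per-application whitelist: parameter name -> regex its decoded value must
# fully match.  The three patterns are the ones shown in the parser output;
# the dictionary layout and function names are this example's own.
WORDPRESS_PARAMS = {
    "m": r"\d+$",
    "s": r"[\d\w\s]+$",
    "page_id": r"\d+$",
}

def check_uri(uri, whitelist=WORDPRESS_PARAMS):
    """Return (matched, details) for one request URI.

    matched is True only when every query parameter has a whitelist entry
    and its value (after '+' / %XX decoding) fully matches that pattern;
    a parameter the application never sends (author, ver, ...) fails."""
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    details, matched = [], True
    for name, value in params:
        pattern = whitelist.get(name)
        if pattern is not None and re.fullmatch(pattern, value):
            details.append(f"{name}={value} matched regex '{name}={pattern}'")
        else:
            matched = False
            details.append(f"{name}={value} didn't match any regex")
    return matched, details

def triage(uris, whitelist=WORDPRESS_PARAMS):
    """Split observed URIs into (matched, not_matched) buckets, the same
    two reports the pcap parser prints."""
    matched, not_matched = [], []
    for uri in uris:
        ok, _ = check_uri(uri, whitelist)
        (matched if ok else not_matched).append(uri)
    return matched, not_matched
```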
Some simple NGINX configs
if ($http_user_agent !~ <something>) { return <status_code>; }
if ($query_string ~ <something>) { return <status_code>; }
if ($request_uri !~ <something>) { return <status_code>; }
if ($request_method !~ <something>) { return <status_code>; }
if ($http_cookie !~ <something>) { return <status_code>; }
What’s wrong here?
What about here?
Summary of Flow Parsing
But ...
Something could go wrong …
Traffic Analysis
Analyzing Application Structure /
Local Hardening
Monitoring
DETECTION
FLOW
Bypass rules
Credentials stolen
Cookie hijack
Bad administrator
DETECTION
FLOW
Analyzing Application Structure /
Local Hardening
Monitoring
Counter Intelligence / Statistical Data
Analyzing Application Structure (Files / Directories)
➢ Files
➢ Directories
➢ Permissions
➢ Monitoring
File Structure
Lot of files ….
index.php
wp-activate.php
wp-admin/
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-content/
wp-cron.php
wp-includes/
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-trackback.php
xmlrpc.php
WordPress Tarball
➢ config files & installation files
➢ Administration directories (/wp-admin/)
➢ Core files (/wp-includes/)
➢ Themes, plugins, uploads … (/wp-content/)
➢ xmlrpc.php
The Basic WP Structure
➢ Comments (Spammers)
➢ PingBacks (DDoS Attacks)
➢ User-Auth (wp.getUsersBlogs) (Brute Force)
xmlrpc.php
Some fun, redirect to a honeypot
<IfModule mod_alias.c>
Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php
</IfModule>
XMLRPC Login Attempt
Brute forcing
$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
Pingback
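The two xmlrpc.php abuse vectors named above (pingback.ping and wp.getUsersBlogs) are easy to tell apart on the server side by reading the method name out of the POST body, which is what a per-method threshold or honeypot rule needs. This is an added example, not code from the talk: the first sample body is the pingback request from the curl command above, the second is a constructed wp.getUsersBlogs call with placeholder credentials.

```python
import xml.etree.ElementTree as ET

# Methods the talk singles out as abuse vectors reaching xmlrpc.php.
WATCHED = {
    "pingback.ping": "pingback (DDoS / reflection)",
    "wp.getUsersBlogs": "user auth (brute force)",
}

# Sample bodies: the pingback one is the curl example from the slides,
# the auth one is constructed with obvious placeholders instead of credentials.
PINGBACK_BODY = ("<methodCall><methodName>pingback.ping</methodName><params>"
                 "<param><value><string>http://victim.com</string></value></param>"
                 "<param><value><string>www.anywordpresssite.com/postchosen</string></value></param>"
                 "</params></methodCall>")
AUTH_BODY = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
             "<param><value><string>USER_PLACEHOLDER</string></value></param>"
             "<param><value><string>PASS_PLACEHOLDER</string></value></param>"
             "</params></methodCall>")

def classify_xmlrpc(body):
    """Return (method_name, reason, string_params) for one XML-RPC POST body.

    reason is None for methods not on the watch list; a body that is not a
    well-formed methodCall is reported as '<invalid>' so it can be counted too."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "<invalid>", "unparseable body", []
    if root.tag != "methodCall":
        return "<invalid>", "not a methodCall", []
    name = (root.findtext("methodName") or "").strip()
    params = [(el.text or "") for el in root.iter("string")]
    return name, WATCHED.get(name), params
```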
/wp-admin/ “Access”
/uploads/
Options -Indexes
<Files *.php>
deny from all
</Files>

/wp-admin/
<Files *>
order allow,deny
deny from all
allow from 1.2.3.4
</Files>

<Files xmlrpc.php>
order Deny,Allow
deny from all
</Files>
Restriction Samples
/wp-includes/
<Files *.php>
deny from all
</Files>

/wp-content/
<Files *.php>
deny from all
</Files>

/
<Files *.txt>
deny from all
</Files>
<Files *.log>
deny from all
</Files>
location ~* ^/wp-content/uploads/.*\.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ { types { } default_type text/plain; }
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
location /wp-includes/ { internal; }
Local protection, monitoring & hardening
Mitigating Attack Surface
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/access_log</location>
</localfile>

<!-- Frequency that syscheck is executed - set to every 4 hours -->
<frequency>14400</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html/</directories>
<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>
<alert_new_files>yes</alert_new_files>
Realtime Monitoring w/ OSSEC
➢ Too many 404
➢ GET per time same IP Source
➢ POST per time same IP Source
Threshold ideas
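The three threshold ideas above as detection logic, added here as an example (not code from the talk), run over constructed combined-format access-log lines; the limits, the 60-second window and the sample addresses are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log layout (the format OSSEC's <log_format>apache</log_format> reads).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not from the talk): a plugin-path scanner
# producing 404s, a wp-login.php POST hammer, and one ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.9 - - [12/Sep/2014:14:12:{i:02d} -0300] '
    f'"GET /wordpress_lab_test/wp-content/plugins/p{i}/ HTTP/1.0" 404 162'
    for i in range(8)
] + [
    f'198.51.100.4 - - [12/Sep/2014:14:12:{i:02d} -0300] '
    f'"POST /wordpress_lab_test/wp-login.php HTTP/1.1" 200 1043'
    for i in range(7)
] + ['192.0.2.7 - - [12/Sep/2014:14:12:30 -0300] '
     '"GET /wordpress_lab_test/?page_id=2 HTTP/1.1" 200 5120']

def parse(lines):
    """Yield (ip, timestamp, method, status) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], int(m["status"])

def find_offenders(lines, window=timedelta(seconds=60), max_404=5, max_get=20, max_post=5):
    """Sliding-window counters per source IP for the three threshold ideas:
    too many 404s, too many GETs, too many POSTs inside `window`.
    Returns {ip: set of counters that went over their limit}."""
    limits = {"404": max_404, "GET": max_get, "POST": max_post}
    buckets = defaultdict(lambda: defaultdict(list))  # ip -> counter -> timestamps
    tripped = defaultdict(set)
    for ip, ts, method, status in sorted(parse(lines), key=lambda e: e[1]):
        keys = [method] if method in ("GET", "POST") else []
        if status == 404:
            keys.append("404")
        for key in keys:
            bucket = buckets[ip][key]
            bucket.append(ts)
            while ts - bucket[0] > window:  # expire events older than the window
                bucket.pop(0)
            if len(bucket) > limits[key]:
                tripped[ip].add(key)
    return dict(tripped)
```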
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
spooker@spookerhome:/tmp/wordpress$ cat test.php
Malware Content
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$ lsattr test.php
----i--------e-- test.php
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
bash: test.php: Permission denied
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Set 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
Special File Permissions (a bit paranoid =) )
Statistical Data
… where false positives become good information =)
A Unique Place...
➢ Behavior
➢ Alerts
➢ New trends
➢ Honeypots / New Attacks
Counter Intelligence
User-Agent: Something ABCD WXYZ
User-Agent: My UA with ABCD PBC
User-Agent: ABCD is a malicious
Behavior: How you look at problems
GEO IP Block: Top Attack Countries
Top Methods
HTTP Version 1.0
Quick history (Spambot Stealrat)
Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
In summary...
➢ Bad code
➢ Themes
➢ Plugins (33.5K+)
➢ Languages
The Challenges
➢ Integration with SCAP (Security Content Automation Protocol) checks
➢ Create an OpenSource tool to regex traffic
○ Database of regexes per Application
➢ Build a rule set for CMS (WordPress, Joomla, Drupal, vBulletin, Magento …) under OWASP Projects
Looking to the Future
Rodrigo “Sp0oKeR” Montoro
@spookerlabs / @sucuri_security
http://blog.sucuri.net
http://www.sucuri.net
Contact