Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SecAppDev - Fantastic API Security Vulnerabilit...

SecAppDev - Fantastic API Security Vulnerabilities and where to find them

Abhay Bhargav

June 26, 2022
Tweet

More Decks by Abhay Bhargav

Other Decks in Technology

Transcript

  1. abhaybhargav Yours Truly • Founder @ we45 • Founder @

    AppSecEngineer • AppSec Automation Junkie • Trainer/Speaker at DEF CON, BlackHat, OWASP Events, etc world-wide • Co-author of Secure Java For Web Application Development • Author of PCI Compliance: A De fi nitive Guide
  2. abhaybhargav SSRF works… • When there’s a GET request involved

    • Most Webhooks make POST requests (some PUT cases as well) • That are di ffi cult to weaponize as an SSRF • Most 3XX Redirects require clients NOT to follow redirects
  3. abhaybhargav HTTP 303 See other • Is a response that

    can be triggered for an originated POST/PUT request • Usually used when a resource has been replaced • Redirect response is a GET (which works for us) • Prompts clients to follow with a GET request to the speci fi ed location
  4. abhaybhargav What we want…. Webhook POST request HTTP 303 Redirect

    to Metadata/Internal Service 😈 GET request to Metadata/Internal URL
  5. abhaybhargav Custom Headers FTW! • Several apps (providers) allow you

    to con fi gure custom headers for Webhooks • So all you have to do now is use Cloud Metadata Headers in the Custom Headers and you’re in!
  6. Why does SSRF happen? • Application makes HTTP requests based

    on URIs in Headers and/or Payload => Controlled by attacker • Application Library makes requests based on URIs in Header and/or Payload => Controlled by attacker • Application/Library includes content based on URIs from Header and/or payload => Controlled by attacker
  7. Only HTTP? • URI? • http(s):// • fi le:// •

    gopher:// • ssh:// Depends on the Client
  8. PDF Gen and Libraries • PDF Generation Libraries - Popular

    for export, report gen, etc • PDF Generation Libraries: • HTML Rendering => HTML and CSS to PDF • Headless Browsers => Webkit/Headless Chrome
  9. Exploiting PDF Libraries • Typically allow users to load speci

    fi c HTML tags: • <img> • <iframe> • <style>
  10. WeasyPrint SSRF • Technique discovered by @NahamSec and CodyBrocious •

    Converts HTML to PDF with very support for limited user-generated HTML tags • Allows you to use <link> tag
  11. abhaybhargav we45 The situation • Maya travels a lot for

    work. Pre-COVID of course 😄 • She submits expense reports and invoices in an internal expense- management system that her company has developed • Each expense is reviewed by her Project Manager and approved after review • Once approved, these bills automatically go into a Payment System where the employee is reimbursed with a bank transfer
  12. abhaybhargav we45 The Problem • Maya has run into a

    bit of a debt problem. She has bills she can’t pay. • She’d love nothing more than getting “larger” approvals for all the bills submitted • But how does she do that?
  13. abhaybhargav we45 What is an IDOR? • Authorization Bypass (some

    cases for Elevation of Privileges) • Adversary is able to leverage a vulnerable authorization system to gain access to records that should be unauthorized to access • Two Modes: • Primary Key • Mass-Assignment
  14. abhaybhargav we45 Mass Assignment public class User { private String

    id; private String email; private String password; private Boolean isAdmin; //getters and setters for other fields }
  15. abhaybhargav we45 Exploiting Mass Assignment public static Result form(){ Form<User>

    filledForm = newUserForm.bindFromRequest(); } Adversary can guess isAdmin=True and change user privileges