Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A methodology using fuzzing and info disclosure

Frans Rosén
October 01, 2020
Research
0
210

A methodology using fuzzing and info disclosure

My keynote from the first BSides Ahmedabad in Oct 2019.

Youtube: https://www.youtube.com/watch?v=rAuuN0OohJc

Frans Rosén

October 01, 2020
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
780
Story of a RCE on Apple through hot jar swapping
fransrosen
0
950
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
Web based format injection, dumping memory like it's 99 (or "Please help")
fransrosen
0
65
A story of the passive aggressive sysadmin of AEM
fransrosen
0
7.9k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.6k

Other Decks in Research

See All in Research
ミニ四駆AI用制御装置の事例紹介
aks3g
0
150
Как стать 10x экспертом
ikurochkin
1
180
SNLP2024:Planning Like Human: A Dual-process Framework for Dialogue Planning
yukizenimoto
1
310
20240725異文化融合研究セミナーiSeminar
tadook
0
150
RCEへの近道
kawakatz
1
800
JMED-LLM: 日本語医療LLM評価データセットの公開
fta98
5
1.1k
Generative Predictive Model for Autonomous Driving 第61回 コンピュータビジョン勉強会@関東 (後編)
kentosasaki
0
200
言語処理学会30周年記念事業留学支援交流会@YANS2024:「学生のための短期留学」
a1da4
1
230
Y.Morita_20240726_JBUG_Fukuoka#18
ymorita613
0
270
熊本から日本の都市交通政策を立て直す~「車1割削減、渋滞半減、公共交通2倍」の実現へ~@公共交通マーケティング研究会リスタートセミナー
trafficbrain
0
120
Isotropy, Clusters, and Classifiers
hpprc
3
600
marukotenant01/tenant-20240826
marketing2024
0
510

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
680
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Happy Clients
brianwarren
97
6.7k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
For a Future-Friendly Web
brad_frost
175
9.4k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
13
1.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
Product Roadmaps are Hard
iamctodd
PRO
48
10k

Transcript

  1. FRANS ROSÉN A methodology using fuzzing and info disclosure

  2. FRANS ROSÉN Security Advisor @detectify CTO @centra HackerOne #5 @

    /leaderboard/all-time Blogs at labs.detectify.com @fransrosen

  3. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it

  4. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it • Real-life vulnerabilities found
 using these techniques

  5. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it • Real-life vulnerabilities found
 using these techniques • Many ways to do this, this is just one example!

  6. FRANS ROSÉN Structure of our imaginary app

  7. FRANS ROSÉN Client based micro services business.example.com SPA + a

    lot of JS

  8. FRANS ROSÉN Client based micro services invoice.example.com business.example.com conversation.example.com api.example.com

    CORS-requests to different apps SPA + a lot of JS

  9. FRANS ROSÉN Client based micro services business.example.com /api/v1/users /api/v1/users/123 …

    /api/v3/invoices /api/v3/invoices/123 … /api/v2/messages /api/v2/messages/123 … CORS-requests to different apps: SPA + a lot of JS invoice.example.com conversation.example.com api.example.com

  10. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used

  11. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find

  12. FRANS ROSÉN API-endpoints per microservice • invoice.example.com

  13. FRANS ROSÉN API-endpoints per microservice • invoice.example.com /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts

    /api/v3/accounts/1234 Found in JS:

  14. FRANS ROSÉN API-endpoints per microservice • invoice.example.com Found in JS:

    /invoices* /accounts* /api /api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234

  15. FRANS ROSÉN • invoice.example.com Found in JS: /invoices* /accounts* /api

    /api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234 The * tells us it supports direct requests or additional paths for IDs or similar: /invoices/123

  16. FRANS ROSÉN API-endpoints per microservice • conversation.example.com /api/v2/online /api/v2/conversations /api/v2/websocket

    Found in JS:

  17. FRANS ROSÉN API-endpoints per microservice • conversation.example.com /api/v2/online /api/v2/conversations /api/v2/websocket

    Found in JS: /online /conversations* /websocket /api/v2 /api/v2/conversations* … Save to path-lists:

  18. FRANS ROSÉN Continue to curate lists Find more endpoints: •

    Desktop client • Web-archive • PHP/Java/Golang-SDKs • npm/composer/yarn • Documentation

  19. FRANS ROSÉN Now we have this • List of all

    available endpoints: /conversations* /invoices* /users* …

  20. FRANS ROSÉN Now we have this • List of all

    available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* …

  21. FRANS ROSÉN Now we have this • List of all

    available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* … • And all subdomains used: invoice.example.com api.example.com business.example.com …

  22. FRANS ROSÉN Now, combine it all: • Test everything on

    everything
 subdomain-list * path-prefix-list * path-suffix-list • Add additional standard fuzz to suffix-list test " '
 # …

  23. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one


  24. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one
 
 Example of this happening IRL!

  25. FRANS ROSÉN { "boards": [ { "id": 123, "user": 124,

    "username": "test" … } ] } API currently in use, v2 /api/v2/boards/123

  26. FRANS ROSÉN /api/v4/boards/123 { "includes": {"user": false}, "boards": [ {

    "id": 123, "user": 124, "username": "test" … } ] v4 was a JSON-API not being used

  27. FRANS ROSÉN /api/v4/boards/123 { "includes": {"user": false}, "boards": [ {

    "id": 123, "user": 124, "username": "test" … } ] Tells us what to include

  28. FRANS ROSÉN /api/v4/boards/123? include=user { "includes": {"user": true}, "boards": [

    { "attributes": { "user": { "email": "[email protected]", "phone": "004324235342" … } "New version of JSON-API for message boards leaked emails + phone numbers for all users"

  29. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one • That the micro-services might connect server-side:
 SSRF, path-traversal, bypass query-strings used…


  30. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one • That the micro-services might connect server-side:
 SSRF, path-traversal, bypass query-strings used…
 
 Example of this happening IRL!

  31. FRANS ROSÉN Regular API-endpoint to fetch invoices /api/v3/invoices/123

  32. FRANS ROSÉN Regular API-endpoint to fetch invoices /api/v3/invoices/123 { "invoice":

    { "url": "/api/v3/invoices/ 123?token=xyz&expire=123 } }

  33. FRANS ROSÉN Different ID than my own invoices /api/v3/invoices/124 {

    "error": "access denied" }

  34. FRANS ROSÉN Fuzzing, double quote: /api/v3/invoices/" { "error": "Bad URI:

    /api/v1/ invoices/\"" }

  35. FRANS ROSÉN Sent to v3, error with v1? /api/v3/invoices/" {

    "error": "Bad URI: /api/v1/ invoices/\"" }

  36. FRANS ROSÉN Possible explanation Endpoint at /api/v3/invoices/{id} makes an internal

    call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })

  37. FRANS ROSÉN Possible explanation Endpoint at /api/v3/invoices/{id} makes an internal

    call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })

  38. FRANS ROSÉN Send valid accessible ID, fuzz query-params /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26

  39. FRANS ROSÉN Send valid accessible ID, fuzz query-params /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26

    Theory: server-side call: http://internal-api/api/v1/invoices/ 123?token=x&token=xxx

  40. FRANS ROSÉN Send valid accessible ID, fuzz query-params { "error":

    "access denied" } /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26 Theory: server-side call: http://internal-api/api/v1/invoices/ 123?token=x&token=xxx

  41. FRANS ROSÉN /api/v3/invoices/123%3ftoken%3dx%26 http://internal-api/api/v1/invoices/ 123?token=x&token=xxx { "error": "access denied" }

    We now know that token is being used! Theory: server-side call:

  42. FRANS ROSÉN Path-traversal, reach outside of invoices/ /api/v3/invoices/%2e%2e%2fFUZZ

  43. FRANS ROSÉN Path-traversal, reach outside of invoices/ /api/v3/invoices/%2e%2e%2fFUZZ We know

    token is used in query, move it to fragment: /api/v3/invoices/%2e%2e%2fFUZZ%23 internal-api/api/v1/invoices/../FUZZ#

  44. FRANS ROSÉN Traversing into accounts/ without the token query parameter

    /api/v3/invoices/%2e%2e%2faccounts%23

  45. FRANS ROSÉN Traversing into accounts/ without the token query parameter

    /api/v3/invoices/%2e%2e%2faccounts%23 { "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ]

  46. FRANS ROSÉN "Path-traversal getting access to all invoice accounts" /api/v3/invoices/%2e%2e%2faccounts%23

    { "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ] We can access all accounts and all their invoices!

  47. FRANS ROSÉN "Path-traversal getting access to all invoice accounts" {

    "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ] http://internal-api /api/v1/invoices/../accounts#token=xxx

  48. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files

  49. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets. 


  50. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 Example of this happening IRL!


  51. FRANS ROSÉN Zendesk SSO-key

  52. FRANS ROSÉN Zendesk SSO-key zdkey: "fafc5aef56caefa56fcea65" zdaccessurl: "https://example.zendesk.com /access/jwt?"

  53. FRANS ROSÉN Zendesk SSO-key • Not an API-key, used for

    JWT-signing for simple SSO

  54. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" }

  55. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID

  56. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated

  57. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated UserID to hijack account

  58. FRANS ROSÉN Zendesk SSO-key • Send JWT for UserID you

    want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX

  59. FRANS ROSÉN Zendesk SSO-key • Send JWT for UserID you

    want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0

  60. FRANS ROSÉN "Account hijack on support panel due to publicly

    disclosed Zendesk SSO-key" • Send JWT for UserID you want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0

  61. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 


  62. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 Another example of this happening IRL!


  63. FRANS ROSÉN Algolia API-key Intended to be public a =

    algolia('AFBKDE54', '7ace8b8c7fbea78caebcf78ecbfaebca7 8f'); idx = a.index('userdb');

  64. FRANS ROSÉN a = algolia('AFBKDE54', '7ace8b8c7fbea78caebcf78ecbfaebca7 8f'); idx = a.index('publicdb');

    App-ID Public API-key Algolia API-key Intended to be public Index name

  65. FRANS ROSÉN POST /1/indexes/publicdb/query?x- algolia-application-id=AppID&x- algolia-api-key=PublicApiKey HTTP/1.1 Host: AppId-dsn.algolia.net {"params":"query=*&hitsPerPage=1"}

    Algolia API call

  66. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x"}, … ]} POST /1/indexes/publicdb/query

  67. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api-key=PublicApiKey&… {"params":"query=*&hitsPerPage=1"} Try another index +

    Scoped API-key

  68. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api-key=PublicApiKey&… {"message":"Index not allowed with this

    API key","status":403} Try another index + Scoped API-key

  69. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api- key=AnotherPublicApiKey&… {"params":"query=*&hitsPerPage=1"} Unscoped API-key

  70. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x", "email": "[email protected]", "phone": "003234234.."}, … ]} Another index with sensitive data

  71. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x", "email": "[email protected]", "phone": "003234234.."}, … ]} Another index with sensitive data

  72. FRANS ROSÉN "Emails + phone for all users disclosed due

    to sensitive data in public AlgoliaDB" HTTP/1.1 200 OK {"result": [ {"id": 123, "user": "x", "email": "[email protected]", "phone": "003234234.."}, … ]}

  73. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets. • Secret ENV variables dumped in CI-minification
 If any minifications or 
 
 Example of this happening IRL!


  74. FRANS ROSÉN What we might find

  75. FRANS ROSÉN What we might find

  76. FRANS ROSÉN What we might find

  77. FRANS ROSÉN

  78. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files 4.Create wordlists

  79. FRANS ROSÉN Wordlists! • For every program:

  80. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  81. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  82. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  83. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context!

  84. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context! /api/v1/payment /api/v1/payment-methods /api/v1/shipping

  85. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context! /api/v1/payment /api/v1/payment-methods /api/v1/shipping /api/v1/shipping-methods Also add this

  86. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files 4.Create wordlists 5.Fuzz, fuzz, fuzz

  87. FRANS ROSÉN Fuzz with / without • All HTTP-methods POST

    PATCH DELETE PUT… • IDs or not /users/1 vs /users • / in the end /payments/ vs /payments • File extension users.json vs users

  88. FRANS ROSÉN Fuzz combination • Again, combine paths + endpoints

    on subdomains • Skip paths, try all methods, add regular fuzz characters: \ " ' & # .. ö % ? NULL

  89. FRANS ROSÉN • Curate your own context specific wordlists Takeaways

  90. FRANS ROSÉN • Curate your own context specific wordlists •

    Combine with regular fuzzing Takeaways

  91. FRANS ROSÉN • Curate your own context specific wordlists •

    Combine with regular fuzzing • Understand and learn what is being disclosed
 and how to abuse it. Takeaways

  92. FRANS ROSÉN Takeaways That’s it, thank you!
 Any questions? •

    Curate your own context specific wordlists • Combine with regular fuzzing • Understand and learn what is being disclosed
 and how to abuse it.