Attack chaining for web exploitation
--- Abhijeth Dugginapeddi
#whoami
Security Analyst at Adobe Systems
Hacking since the age of 14 and has given sessions at most engineering colleges
Like many, found bugs in Google, Facebook, Yahoo, Microsoft and more than 50 other sites. Among the top 5 bug hunters on Synack
A Telugu movie buff and a start-up enthusiast
No organization or company is responsible for whatever I say in the next 30 minutes!!
Where to start
What to start
How to start
Do you know him!!
Hackers hacked
1. Called Amazon and added a new credit card to the victim's Amazon account. Needed:
   - Associated email
   - Billing address
   - A random (made-up) credit card number
2. Called again, saying they had lost the password. Needed:
   - Name
   - Billing address
   - Credit card number (the one added in the first call)
The attackers now had access to his Amazon account, which exposes:
   - Billing address
   - Last 4 digits of the credit card
Chaining of web attacks
• Used heavily by real attackers
• Understanding the application code and infrastructure in depth
• Using multiple vulnerabilities
• Knowledge of various technologies
Impacts
• Defacing sites
• Denial of service
• Deleting code, DBs, user profiles, customer data etc.
Only 58% of vulnerabilities are caused by weak code.
The other 42% are caused by weak configuration/administration.
Source: PTSecurity
Vulnerability in Code + Vulnerability in Configuration = Large Impact
Do you think a vulnerability like CSRF or mixed content, in isolation, can directly lead to a security breach?
Probably not.
But a security breach is definitely possible if the attacker can chain such findings together.
Normal attack
Attack chain
Vulnerabilities reported in a web application
• Mixed content
• Unwanted HTTP methods allowed
• Cookie flags missing
• URL redirection
• Directory traversal
• Weak ciphers
• Banner grabbing
• Insecure Direct Object Reference
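Most of the items in that list are "weak configuration" findings that a scanner reports one at a time and a triager is tempted to rate as low. The checker below, an added example that is not part of the original talk, pulls several of them out of raw HTTP responses in one pass so they can be looked at together: unwanted methods from an OPTIONS `Allow` header, cookies without `Secure`/`HttpOnly`, version banners, a `Location` header pointing to another host (a candidate open redirect), and `http://` sub-resources on an `https://` page (mixed content). The two responses are constructed samples, not captured from any real site; every finding is a lead to confirm by hand, not proof of exploitability.

```python
import re
from urllib.parse import urlparse

# Constructed sample responses (not captured from any real site).
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,PUT,DELETE\r\n"
    "Content-Length: 0\r\n\r\n"
)
PAGE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    "Location: http://evil.example/landing\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><script src="http://cdn.example/app.js"></script>'
    '<img src="https://www.example.com/logo.png"></html>'
)


def parse_response(raw):
    """Split a raw HTTP response into status line, [(name, value)] headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body


def audit_response(raw, page_url):
    """Return (finding, detail) tuples for the configuration weaknesses in the
    deck's list. Each one is something to verify manually, not an exploit."""
    status_line, headers, body = parse_response(raw)

    def get(name):
        return [v for k, v in headers if k == name]

    findings = []

    # Unwanted HTTP methods (seen in the Allow header of an OPTIONS response)
    for allow in get("allow"):
        methods = {m.strip().upper() for m in allow.split(",")}
        risky = sorted(methods & {"PUT", "DELETE", "TRACE", "CONNECT"})
        if risky:
            findings.append(("unwanted-methods", ",".join(risky)))

    # Cookie flags missing: attributes follow the first ';' of a Set-Cookie
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            findings.append(("cookie-flags-missing", f"{name}: {','.join(missing)}"))

    # Banner grabbing: a version number in Server / X-Powered-By
    for banner in get("server") + get("x-powered-by"):
        if re.search(r"\d+\.\d+", banner):
            findings.append(("version-banner", banner))

    # URL redirection to a different host (candidate open redirect)
    page_host = urlparse(page_url).hostname
    for loc in get("location"):
        host = urlparse(loc).hostname
        if host and host != page_host:
            findings.append(("external-redirect", loc))

    # Mixed content: http:// sub-resources referenced from an https:// page
    if page_url.startswith("https://"):
        for url in re.findall(r'''(?:src|href)=["'](http://[^"']+)''', body):
            findings.append(("mixed-content", url))

    return findings


if __name__ == "__main__":
    for raw in (OPTIONS_RESPONSE, PAGE_RESPONSE):
        for finding in audit_response(raw, "https://www.example.com/account"):
            print(*finding)
```

The point of collecting them in one place is the one the deck makes next: a `PUT` in the `Allow` list, a session cookie without `Secure`, and a mixed-content page are each "low" alone and are the raw material for a chain together.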
Few stories
This particular request uses insecure transmission (mixed content), which allows an attacker to sniff it.
Using the Burp Suite Decoder, the encoded value is decoded to plain text (it is reversible encoding, not real encryption).
Encoded back after appending ' or '1'='1
Mixed content + Weak encryption + SQL injection = Complete credit card details
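The three steps of that story, as an added example that is not code from the talk: a parameter captured in the clear, "decrypted" with the same one-click reversibility Burp Decoder gives you (base64 here, an assumption about the encoding), the tautology appended and re-encoded, and the difference between a server that splices the decoded value into SQL and one that binds it as a parameter. The card table is an in-memory SQLite stand-in with well-known test numbers, constructed for the example.

```python
import base64
import sqlite3

# Constructed sample: the account-lookup parameter as captured from the
# cleartext request. The application "encrypts" it with plain base64 (an
# assumption), which is exactly what Burp Suite Decoder reverses.
CAPTURED_PARAM = base64.b64encode(b"1001").decode()


def decode_param(encoded: str) -> str:
    """Burp Decoder step: recover the plaintext from the reversible encoding."""
    return base64.b64decode(encoded).decode()


def encode_param(plain: str) -> str:
    """Re-encode so the tampered value still looks legitimate to the server."""
    return base64.b64encode(plain.encode()).decode()


def tamper(encoded: str, payload: str = "' or '1'='1") -> str:
    """Decode, append the tautology from the story, and encode it back."""
    return encode_param(decode_param(encoded) + payload)


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the card table (constructed test PANs, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (acct TEXT, holder TEXT, pan TEXT)")
    db.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [
            ("1001", "alice", "4111111111111111"),
            ("1002", "bob", "5555555555554444"),
            ("1003", "carol", "378282246310005"),
        ],
    )
    return db


def lookup_vulnerable(db, encoded: str):
    """Server side as in the story: the decoded value goes straight into SQL,
    so '1001' or '1'='1' makes the WHERE clause true for every row."""
    acct = decode_param(encoded)
    query = f"SELECT holder, pan FROM cards WHERE acct = '{acct}'"
    return db.execute(query).fetchall()


def lookup_safe(db, encoded: str):
    """Same decode step, but the value is bound as a parameter, not spliced in;
    the payload is just a (non-existent) account name."""
    acct = decode_param(encoded)
    return db.execute(
        "SELECT holder, pan FROM cards WHERE acct = ?", (acct,)
    ).fetchall()


def run_chain():
    """Walk the chain end to end and return what each step yields."""
    db = build_db()
    evil = tamper(CAPTURED_PARAM)
    return {
        "decoded": decode_param(CAPTURED_PARAM),
        "injected_sql_value": decode_param(evil),
        "vulnerable_rows": lookup_vulnerable(db, evil),
        "safe_rows_for_attacker": lookup_safe(db, evil),
        "safe_rows_for_legit": lookup_safe(db, CAPTURED_PARAM),
    }


if __name__ == "__main__":
    for step, value in run_chain().items():
        print(step, value)
```

Fixing only the transport (forcing HTTPS) would remove the sniffing step but leave the injection; fixing only the query would leave the account identifier readable to anyone on the path. The chain breaks cleanly only when both are fixed, which is the deck's "vulnerable code + weak configuration" point.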
Targeted attack
• Insecure Direct Object Reference
• Parameter tampering
• Access control violation
• Cross Site Request Forgery
Insecure Direct Object Reference + Parameter tampering + CSRF = Perform illegal transactions from a victim's account
Access control violation
Target = Abhijeth; goal: Abhijeth's bank details
Access to someone's details: brute-force the object identifiers and get Abhijeth's details
Use these details to make an illegal transaction!!
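The targeted-attack chain as a runnable model, added here and not part of the talk: a toy bank with sequential account ids, an IDOR that lets the attacker enumerate them ("brute-force and get Abhijeth's details"), a transfer endpoint that trusts `from_acct` from the request (parameter tampering), and no anti-CSRF token, so a forged form in the victim's own browser moves money too. Beside it is the hardened version, which checks ownership of the account against the session and validates an HMAC-based per-session token. The account data, session ids and the server secret are all constructed for the example.

```python
import hashlib
import hmac
from copy import deepcopy

SECRET_KEY = b"hypothetical-server-secret"  # assumption: never leaves the server

# Constructed sample data. Sequential ids are what make the IDOR brute-forceable:
# an attacker simply walks 1001, 1002, 1003, ...
SEED_ACCOUNTS = {
    "1001": {"owner": "mallory", "balance": 10},
    "1002": {"owner": "abhijeth", "balance": 800},
    "1003": {"owner": "carol", "balance": 150},
}


def csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under the server secret."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.accounts = deepcopy(SEED_ACCOUNTS)

    # ---- vulnerable endpoints: IDOR + parameter tampering + no CSRF token ----
    def details_vulnerable(self, session_user, acct_id):
        # Authenticated, but never checks that acct_id belongs to session_user.
        return self.accounts.get(acct_id)

    def transfer_vulnerable(self, session_user, params):
        # Trusts from_acct from the request body and accepts any POST at all.
        return self._move(params["from_acct"], params["to_acct"], int(params["amount"]))

    # ---- hardened endpoints --------------------------------------------------
    def details_safe(self, session_user, acct_id):
        acct = self.accounts.get(acct_id)
        if acct is None or acct["owner"] != session_user:
            return None  # same answer for "no such account" and "not yours"
        return acct

    def transfer_safe(self, session_user, session_id, params):
        token = params.get("csrf_token", "")
        if not hmac.compare_digest(token, csrf_token(session_id)):
            return "csrf-rejected"  # forged cross-site form has no valid token
        src = self.accounts.get(params["from_acct"])
        if src is None or src["owner"] != session_user:
            return "forbidden"  # ownership check defeats IDOR / tampering
        return self._move(params["from_acct"], params["to_acct"], int(params["amount"]))

    def _move(self, src_id, dst_id, amount):
        src, dst = self.accounts[src_id], self.accounts[dst_id]
        if amount <= 0 or src["balance"] < amount:
            return "insufficient"
        src["balance"] -= amount
        dst["balance"] += amount
        return "ok"


def brute_force_ids(bank, session_user, start=1000, end=1010):
    """The enumeration step: walk sequential ids against the vulnerable endpoint."""
    found = {}
    for n in range(start, end):
        acct = bank.details_vulnerable(session_user, str(n))
        if acct:
            found[str(n)] = acct["owner"]
    return found


def run_attacks():
    """Run each link of the chain against both servers and return the outcomes."""
    vuln, safe = Bank(), Bank()
    results = {}
    # 1. IDOR / brute force: mallory enumerates ids and learns abhijeth's account.
    results["enumerated"] = brute_force_ids(vuln, "mallory")
    results["idor_safe"] = safe.details_safe("mallory", "1002")
    # 2. Parameter tampering: mallory pays herself from abhijeth's account.
    steal = {"from_acct": "1002", "to_acct": "1001", "amount": "100"}
    results["tamper_vulnerable"] = vuln.transfer_vulnerable("mallory", steal)
    results["tamper_safe"] = safe.transfer_safe(
        "mallory", "sess-mallory", {**steal, "csrf_token": csrf_token("sess-mallory")})
    # 3. CSRF: the same form submitted by abhijeth's own logged-in browser.
    #    Ownership now passes, so only the token check can stop it.
    results["csrf_vulnerable"] = vuln.transfer_vulnerable("abhijeth", steal)
    results["csrf_safe"] = safe.transfer_safe("abhijeth", "sess-abhijeth", steal)
    # 4. A legitimate transfer with a valid token still works on the safe server.
    legit = {"from_acct": "1002", "to_acct": "1003", "amount": "50",
             "csrf_token": csrf_token("sess-abhijeth")}
    results["legit_safe"] = safe.transfer_safe("abhijeth", "sess-abhijeth", legit)
    results["victim_balance_vulnerable"] = vuln.accounts["1002"]["balance"]
    results["victim_balance_safe"] = safe.accounts["1002"]["balance"]
    return results


if __name__ == "__main__":
    for step, outcome in run_attacks().items():
        print(step, outcome)
```

Note that the two checks defend against different links: the ownership check alone would still let the CSRF variant through (the victim's session does own the account), and the token alone would still let a logged-in attacker tamper with `from_acct`. Reporting either finding as "low" in isolation is how the chain survives triage.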
Jo dar gaya samjo mar gaya ("whoever gets scared, consider them dead")
Some company's email inbox
Upload .exe files
#begbounty!!!
Improper CSRF protection and access controls
Spread malware using your application!!!
And then!!
Security misconfiguration: PUT /foo is allowed
Cross Site Scripting
Malicious file upload
But no SHELL
Privilege escalation
Aise the bhayya Bajrangi!! (roughly: "that's how it's done, brother Bajrangi!")
Security misconfiguration + Stored Cross Site Scripting + Session hijacking + Privilege escalation + Arbitrary file upload = Remote code execution
How can you start chaining?
• Find more vulnerabilities
• Understand the application
• Analyze the bugs
• Research the customer's business
• Make a story
Moral of the story!!
Every vulnerability needs to be fixed, irrespective of its risk rating
Remember: it is Vulnerable Code + Weak Configuration
The other chains
• Infrastructure chains
• Mobile chains
• Data center attacks
• Wireless hacks
Thanks
What to do with the bounties??
Educate a child
For more details
Questions??!!