mining · 2020-04-22 · @timmedin what are websockets rfc 6455 in 2011 provides full-duplex...
TRANSCRIPT
M IN ING
@TIMMEDIN
@TIMMEDIN
T I M M E D I N
Founder, Red Siege Information Security
Red Team, Penetration Testing > 10 years
Kerberoast Inventor
Principal SANS Instructor
DerbyCon, ShmooCon, nullSingapore, …
@TIMMEDIN
W H AT I S M E T E O R ?
Open-source javascript framework
Uses Node.js
Real-time framework
@TIMMEDIN
M E T E O R M AT T E R S
#1 rated web app framework on GitHub
@TIMMEDIN
D E V E L O P E R H A P P I N E S S
Does not come with whiskey!
@TIMMEDIN
W H AT A R E W E B S O C K E T S
RFC 6455 in 2011
Provides full-duplex communications over a TCP connection
Also provides bidirectional communications
If the connection starts HTTP or HTTPS the switch to WebSocket is an upgrade HTTP 101 to WS:// or WSS://
Currently supported by most browsers and servers
The application must also support it
@TIMMEDIN
W H AT A R E W E B S O C K E T S
Designed for performance and convenience
Little security was built into the protocol
No authentication beyond upgrade request is performed
HTTP cookie is passed over during the handshake
Same Origin Policy is not enforced
@TIMMEDIN
H A C K I N G W E B S O C K E T S
Lack of tools, automated scanners miss it
Manual tools:
• Burp can proxy WebSocket traffic
• OWASP ZAP can proxy and fuzz WebSocket traffic
• Chrome offers a WebSocket client and developer tools (F12)
@TIMMEDIN
M E T E O R C O D E
JavaScript (or CoffeeScript)
Same language on the front and back end
Client-side rendering
No matching server generated HTML with client JavaScript!
@TIMMEDIN
M O N G O D ATA B A S E
NoSQL format
Protections against traditional SQLi injection
@TIMMEDIN
M A N A G I N G D ATA W I T H D D P
Protocol based on JSON
Based on WebSockets and SockJS
Handles Remote Procedure Calls (RPC)
Manages Data
@TIMMEDIN
D D P M E S S A G E S
ref: https://meteorhacks.com/introduction-to-ddp/
1.{"msg":"method", "method": "transferMoney", "params": ["1000USD", "arunoda", "sacha"], id": "randomId-1"} 2.{"msg": "result", id": "randomId-1": "result": "5000USD"} 3.{"msg": "updated", "methods": ["randomId-1"]}
@TIMMEDIN
S U B S & P U B S
Client – Data requested via subscription
Server – Pushes data via a publication
Client subscriptions map to user publications
Pub/sub can use additional params
@TIMMEDIN
M I T I G AT I N G AT TA C K S
XSS – Output data is escaped by default
Mongo – No Traditional SQLi
CSRF – Server requests via specialized calls (normally)
@TIMMEDIN
S U B S & P U B S
Subscription Meteor.subscribe('myAccount', myAccountId);
Publication Meteor.publish('myAccount', function(myId){ return Accounts.find({ _id: myId }); });
@TIMMEDIN
S U B S & P U B S
The same data can be pushed by multiple publications
The publication can push too much data
• Too many fields
• Too many records
Look at the JavaScript console
@TIMMEDIN
M E T E O R < 1 . 4
Everything loaded into the global namespace
> 1.4, likely migrated from older code, may be in global namespace
@TIMMEDIN
C L I E N T- S I D E L E A K A G E
The rendering and routing is done on the client
The client has to know what to load
The client has to know what data to request
@TIMMEDIN
C O L L E C T I O N N A M E S
Meteor.connection._mongo_livedata_collections
@TIMMEDIN
C O L L E C T I O N N A M E S
cols = []; for (var globalObject in window) { if (window[globalObject] instanceof Meteor.Collection) { cols.push(window[globalObject]); } } return cols;
pretty
@TIMMEDIN
C O L L E C T I O N D ATA
CollectionName.find().fetch()
Fields may be different for each record, we might find a leak
@TIMMEDIN
E X T R A C T I N G S U B S C R I P T I O N S
Meteor.connection._subscriptions
@TIMMEDIN
E X T R A C T I N G R O U T E S
Router.routes
@TIMMEDIN
AT TA C K A U T O M AT I O N
Chrome Web Extension – DOM is accessible but JavaScript variables are not
Firefox Web Extensions – Based on Chrome’s Web Extensions…no go
Firefox Add-on – Variables are accessible, but dev environment is horrific
IE – LOL
@TIMMEDIN
TA M P E R M O N K E Y
Allows access to page (and JavaScript variables) via unsafeWindow
Access Meteor variables with unsafeWindow.Meteor
@TIMMEDIN
M E T E O R M I N E R D E M O
Demo goes here
Drink `em if you got `em, it appeases the demo gods
Tim Medin [email protected] @TimMedin
Offensive Services from Offensive Minds
Code https://github.com/nidem/MeteorMiner https://github.com/nidem/MeteorTodosGoat
Presentation http://bit.ly/2i3bP7v