Reverse Engineering a Web Application - For Fun, Behavior and Detection
DESCRIPTION
Presentation I did at AppSec and SecTor.
TRANSCRIPT
![Page 1: Reversing Engineering a Web Application - For fun, behavior and detection](https://reader035.vdocument.in/reader035/viewer/2022070302/547e610db47959a2508b4b2f/html5/thumbnails/1.jpg)
Reverse Engineering a Web Application - For Fun, Behavior & WAF Detection
Rodrigo “Sp0oKeR” Montoro, Sucuri Security
SecTor 2014, Toronto, Ontario
$ whois @spookerlabs
➢ Senior Security Administrator at Sucuri Security
➢ Author of 2 patent-pending technologies
➢ Researcher
➢ Open Source enthusiast
➢ Triathlete
➢ Dad
About Sucuri Security
Over 50 Security Professionals Making a Safer Web
SECURITY SCANNING & ANALYSIS: checking the health of over 3 million websites every month through our free SiteCheck scanner: http://sitecheck.sucuri.net
MALWARE CLEANUP: cleaning and remediating 300 – 400 hacked or infected websites every day.
ATTACK PROTECTION: blocking over 33 million attacks and instances of malicious traffic every month.
EDUCATION: providing detailed and actionable security information through our blog at http://blog.sucuri.net
A Note on the Examples
This talk is based on WordPress / NGINX, but the concepts can apply to any Web Application / CMS.
Motivations
➢ Trying a different approach than a regular WAF
➢ Protect specific content (CMS)
➢ Malware reinfections
➢ Fewer rules with better detection = performance
➢ Protection against "new vulnerabilities"
Agenda
➢ Introduction
➢ Detection steps
○ Reverse Engineering a CMS’s traffic
○ Analyzing Application structure (Files / Directories)
○ Local protection & hardening
○ Statistical Data
➢ Challenges
➢ Conclusions
Introduction
Normalizing concepts
Reverse Engineering
“Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object.”
Whitelisting
1 "equal" 2
1 "not equal" a
For a whitelist rule, 1 and 2 are "equal" (both are digits, so both satisfy \d) while 1 and a are "not equal": the rule describes the shape of legitimate input, not the particular values that were seen.
Our Scope: WAF Detection
➢ Traffic Analysis
○ Requests
○ Responses
➢ Application Structure Analysis
○ Directories
○ Headers
○ Files
➢ Behavior
○ Log correlation
○ Application
○ Honeypots
REPEAT: the three feed back into each other.
4 Detection steps
Reversing Traffic
The HTTP Protocol
Traffic Analysis
➢ Methods
➢ URI
➢ Parameters
➢ Headers
Crawling the Application
GET Request
POST Request
Oh wait! Get a job from the headers...
Full Request
After basic manual analysis, a tool ...

Sucuri Beta pcap traffic parser v0.0.1 (Matched)

```text
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?s=sucuri with parameter s=sucuri matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
URI: /wordpress_lab_test/?s=test+2 with parameter s=test+2 matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?s=Sp0oKeR+Labs+Team with parameter s=Sp0oKeR+Labs+Team matched regex 's=[\d\w\s]+$'
URI: /wordpress_lab_test/?m=201409 with parameter m=201409 matched regex 'm=\d+$'
URI: /wordpress_lab_test/?page_id=2 with parameter page_id=2 matched regex 'page_id=\d+$'
```

Sucuri Beta pcap traffic parser v0.0.1 (Not Matched)

```text
URI: /wordpress_lab_test/?author=1 with parameter(s) author=1 didn't match any regex
URI: /wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0 with parameter(s) ver=1.11.0 didn't match any regex
URI: /wordpress_lab_test/wp-content/themes/twentyfourteen/js/functions.js?ver=20140319 with parameter(s) ver=20140319 didn't match any regex
```
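The tool output above shows the whitelist idea end to end: one regex per query parameter, learned from crawling the application, and every request whose parameters do not fit is reported. The following is an added example written for this page, not the code of the Sucuri parser. It rebuilds that classification over request URIs using the three regexes from the slide; the sample URIs are the ones shown on the slide plus one constructed injection attempt, and the dictionary name, verdict strings and report format are this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed allowlist built from the three regexes in the slide output.
# Each decoded parameter value must match its pattern in full. The dictionary
# name and the report format are this example's own, not the Sucuri tool's.
PARAM_ALLOWLIST = {
    "m": re.compile(r"\d+$"),            # archive month, e.g. 201409
    "s": re.compile(r"[\w\s]+$"),        # search terms (\w already includes \d)
    "page_id": re.compile(r"\d+$"),      # static page id
}


def check_parameters(uri, allowlist=PARAM_ALLOWLIST):
    """Split a request URI into query parameters and test each against the allowlist.

    parse_qsl URL-decodes the values ('+' and '%20' become a space), which is why
    's=test+2' is accepted by the [\\w\\s]+ pattern. Returns a list of
    (name, value, verdict) tuples; verdict is the matching pattern or a reason.
    """
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    verdicts = []
    for name, value in params:
        pattern = allowlist.get(name)
        if pattern is None:
            verdicts.append((name, value, "unknown parameter"))
        elif pattern.fullmatch(value):
            verdicts.append((name, value, pattern.pattern))
        else:
            verdicts.append((name, value, "value rejected"))
    return verdicts


def classify(uri, allowlist=PARAM_ALLOWLIST):
    """'matched' when every parameter is allowlisted, 'no_params' when there is no
    query string, otherwise 'not_matched' (the case a whitelist WAF would block)."""
    verdicts = check_parameters(uri, allowlist)
    if not verdicts:
        return "no_params"
    if all(v[2] not in ("unknown parameter", "value rejected") for v in verdicts):
        return "matched"
    return "not_matched"


def report(uris, allowlist=PARAM_ALLOWLIST):
    """One line per parameter in the style of the slide output; returns the lines."""
    lines = []
    for uri in uris:
        for name, value, verdict in check_parameters(uri, allowlist):
            if verdict in ("unknown parameter", "value rejected"):
                lines.append(f"URI: {uri} with parameter {name}={value} didn't match any regex ({verdict})")
            else:
                lines.append(f"URI: {uri} with parameter {name}={value} matched regex '{verdict}'")
    return lines


# Request URIs from the slide plus one constructed injection attempt (last entry).
SAMPLE_URIS = [
    "/wordpress_lab_test/?m=201409",
    "/wordpress_lab_test/?s=test+2",
    "/wordpress_lab_test/?s=Sp0oKeR+Labs+Team",
    "/wordpress_lab_test/?page_id=2",
    "/wordpress_lab_test/?author=1",
    "/wordpress_lab_test/wp-includes/js/jquery/jquery.js?ver=1.11.0",
    "/wordpress_lab_test/?page_id=2%20UNION%20SELECT%201,2,3",
]

if __name__ == "__main__":
    for line in report(SAMPLE_URIS):
        print(line)
```

Two points the output makes that matter when the regexes are turned into server rules: the parser decodes before matching, so `s=test+2` passes, whereas a web server matching the raw query string sees the literal `+` and would reject the same search unless the rule allows for the encoding; and the `ver=` parameters on static assets show that the allowlist has to be learned from the complete crawl (scripts and stylesheets included), not only from the page URLs, or the first real visitor will trip it.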
Some simple NGINX configs

```nginx
if ($http_user_agent !~ <something>) { return <status_code>; }
if ($query_string ~ <something>) { return <status_code>; }
if ($request_uri !~ <something>) { return <status_code>; }
if ($request_method !~ <something>) { return <status_code>; }
if ($http_cookie !~ <something>) { return <status_code>; }
```

`$query_strings` is not an NGINX variable; the query string is `$query_string` (also available as `$args`). `!~` negates the regex match, so four of these are whitelist rules: anything that does not look like the expected User-Agent, URI, method or cookie is rejected, and only the `$query_string` line is a classic blacklist. NGINX matches the raw, still-encoded request, so a `+` or `%20` inside a search term must be allowed for by the regex. NGINX `if` evaluates a single condition and, inside a `location`, is only reliably safe with `return` or `rewrite` as its body, which is exactly how it is used here.
What’s wrong here?
What about here?
Summary of Flow Parsing
But ...
Something could go wrong …

Detection flow: Traffic Analysis → Analyzing Application Structure / Local Hardening → Monitoring → Counter Intelligence / Statistical Data

Where the flow breaks: bypassed rules, stolen credentials, cookie hijacking, a bad administrator. Each of these gets past the traffic rules with requests that look legitimate, which is why the later steps (structure analysis, local hardening, monitoring and statistics) exist.
Analyzing Application Structure (Files / Directories)
File Structure
➢ Files
➢ Directories
➢ Permissions
➢ Monitoring
WordPress Tarball
Lot of files …
index.php
wp-activate.php
wp-admin/
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-content/
wp-cron.php
wp-includes/
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-trackback.php
xmlrpc.php
The Basic WP Structure
➢ config files & installation files
➢ Administration directories (/wp-admin/)
➢ Core files (/wp-includes/)
➢ Themes, plugins, uploads … (/wp-content/)
➢ xmlrpc.php
xmlrpc.php
➢ Comments (spammers)
➢ Pingbacks (DDoS attacks)
➢ User auth (wp.getUsersBlogs) (brute force)

Some fun, redirect to a honeypot:

```apache
<IfModule mod_alias.c>
    Redirect 301 /xmlrpc.php http://honeypot/xmlrpc.php
</IfModule>
```
XMLRPC Login Attempt
Brute forcing
Pingback

```sh
# pingback.ping(sourceURI, targetURI): the blog fetches sourceURI to verify that it links
# to targetURI, so an attacker-chosen sourceURI makes every reachable WordPress site
# send a request to the victim.
curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'
```
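The xmlrpc.php slides list three abuses of the same endpoint, and two of them (the wp.getUsersBlogs brute force and the pingback.ping amplification) can be told apart only by looking inside the POST body, which a URI-level rule never sees. The following is an added example written for this page, not code from the talk or from WordPress: it parses an XML-RPC request body with the standard library, labels it by the abuse it may belong to, and counts credential-check calls per source address. The request bodies, hostnames, credentials and IP addresses are constructed; the threshold of 5 is an arbitrary example value.

```python
import xmlrpc.client
from collections import Counter

# Constructed request bodies for the two xmlrpc.php abuses discussed above
# (hypothetical hostnames and credentials; not captures from the talk).
PINGBACK_BODY = (
    "<methodCall><methodName>pingback.ping</methodName><params>"
    "<param><value><string>http://victim.com</string></value></param>"
    "<param><value><string>http://www.anywordpresssite.com/postchosen</string></value></param>"
    "</params></methodCall>"
)
LOGIN_BODY = (
    "<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
    "<param><value><string>admin</string></value></param>"
    "<param><value><string>Password1</string></value></param>"
    "</params></methodCall>"
)
TRUNCATED_BODY = "<methodCall><methodName>pingback.ping</methodName><params>"


def parse_xmlrpc(body):
    """Return (method_name, params) for a methodCall body, or (None, ()) when the
    body is not well-formed XML-RPC (expat error, or a methodResponse carrying a fault)."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return None, ()
    return method, params


def classify(body):
    """Label an xmlrpc.php POST body by the abuse it may be part of."""
    method, params = parse_xmlrpc(body)
    if method is None:
        return {"kind": "malformed"}
    if method == "wp.getUsersBlogs":
        # wp.getUsersBlogs(username, password) needs no post content, so it is the
        # cheapest credential check the API offers: a fault on a bad password, the
        # user's blog list on a good one. Record the username, never the password.
        username = str(params[0]) if params else ""
        return {"kind": "auth", "method": method, "user": username}
    if method == "pingback.ping":
        # pingback.ping(sourceURI, targetURI): the blog will fetch sourceURI, so the
        # first parameter names who gets hit when the call is abused for DDoS.
        source, target = (tuple(params) + ("", ""))[:2]
        return {"kind": "pingback", "method": method, "source": str(source), "target": str(target)}
    return {"kind": "other", "method": method}


def brute_force_sources(requests, threshold=5):
    """requests: iterable of (client_ip, body). Return the IPs that sent at least
    `threshold` credential-check calls: the XML-RPC equivalent of hammering wp-login.php."""
    counts = Counter()
    for ip, body in requests:
        if classify(body)["kind"] == "auth":
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(classify(PINGBACK_BODY))
    print(classify(LOGIN_BODY))
    print(brute_force_sources([("10.0.0.5", LOGIN_BODY)] * 6 + [("10.0.0.9", PINGBACK_BODY)]))
```

A body the parser rejects is itself a signal: legitimate XML-RPC clients send well-formed calls, so malformed bodies aimed at xmlrpc.php are worth counting alongside the credential checks. The honeypot redirect on the previous slide moves this whole analysis to a host where every request is hostile by definition.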
/wp-admin/ “Access”
Restriction Samples

Apache (.htaccess per directory):

```apache
# /wp-content/uploads/ : no directory listing, never execute PHP
Options -Indexes
<Files *.php>
    deny from all
</Files>

# /wp-admin/ : only the administrator's address
<Files *>
    order deny,allow
    deny from all
    allow from 1.2.3.4
</Files>

# document root: block xmlrpc.php and stray text/log files
<Files xmlrpc.php>
    order deny,allow
    deny from all
</Files>
<Files *.txt>
    deny from all
</Files>
<Files *.log>
    deny from all
</Files>

# /wp-includes/ and /wp-content/ : no direct PHP execution
<Files *.php>
    deny from all
</Files>
```

NGINX:

```nginx
# serve anything script-like under uploads/ as plain text instead of executing it
location ~* ^/wp-content/uploads/.*\.(php|pl|py|jsp|asp|htm|html|shtml|sh|cgi)$ {
    types { }
    default_type text/plain;
}
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
location /wp-includes/ { internal; }
```

Caveats on the samples as shown on the slide: the /wp-admin/ block used `order allow,deny`, under which Apache 2.2 evaluates the `deny from all` last and locks out 1.2.3.4 as well; `order deny,allow` is the form that lets the listed address through. The two NGINX regexes had an unescaped dot before the extension list (`.*.(php|...)`), which is harmless here because it only over-matches, but `\.` is what was meant. Serving uploaded scripts as `text/plain` discloses their contents, which `return 403;` or `deny all;` does not. A blanket deny on `*.php` in /wp-includes/ and /wp-content/ also blocks files the browser fetches directly (the visual editor's `wp-includes/js/tinymce/wp-tinymce.php` and some plugin endpoints), and `internal` on /wp-includes/ hides the JavaScript and CSS the front end loads from there (the `wp-includes/js/jquery/jquery.js` request in the earlier capture is one), so every rule should be checked against real traffic before it goes live.
Local protection, monitoring & hardening
Mitigating Attack Surface
Realtime Monitoring w/ OSSEC

```xml
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/httpd/access_log</location>
</localfile>

<!-- Frequency that syscheck is executed - set to every 4 hours -->
<frequency>14400</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">/var/www/html/</directories>
<alert_new_files>yes</alert_new_files>
<scan_on_start>no</scan_on_start>
<auto_ignore>no</auto_ignore>
```
Threshold ideas
➢ Too many 404s
➢ GETs per unit of time from the same source IP
➢ POSTs per unit of time from the same source IP
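The three threshold ideas are all sliding-window counts keyed on the source address, computed from the same access log that the OSSEC `<localfile>` entry on the previous slide ships. The following is an added example written for this page, not OSSEC rule syntax or code from the talk: it parses combined-format log lines and applies the three counters. The sample log lines are constructed (documentation IP addresses, a fixed date), and the limits of 10 404s, 60 GETs and 5 POSTs per minute are illustrative values, not recommendations from the talk.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/NGINX "combined" access log line, the format OSSEC's apache decoder
# on the previous slide expects.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields a threshold rule needs, or None for a line that is not an access log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"],
        "status": int(m["status"]),
    }


def threshold_alerts(lines, window=timedelta(seconds=60), max_404=10, max_get=60, max_post=5):
    """Sliding-window counters per source IP for the three rules on the slide:
    too many 404s, too many GETs, too many POSTs inside `window`.
    Returns sorted (ip, rule) pairs; an IP is reported once per rule however far it overshoots.
    Lines must arrive in time order per IP, as they do in a live access log."""
    limits = {"404": max_404, "GET": max_get, "POST": max_post}
    recent = defaultdict(lambda: defaultdict(list))   # ip -> rule -> timestamps inside the window
    alerts = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        rules = [entry["method"]] if entry["method"] in ("GET", "POST") else []
        if entry["status"] == 404:
            rules.append("404")
        for rule in rules:
            stamps = recent[entry["ip"]][rule]
            stamps.append(entry["ts"])
            while stamps and entry["ts"] - stamps[0] > window:   # expire events outside the window
                stamps.pop(0)
            if len(stamps) > limits[rule]:
                alerts.add((entry["ip"], rule))
    return sorted(alerts)


def make_line(ip, second, method, uri, status):
    """Build one constructed combined-format line (documentation addresses, fixed minute)."""
    return (f'{ip} - - [12/Sep/2014:14:12:{second:02d} -0300] '
            f'"{method} {uri} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: a plugin scanner (12 x 404 in 12 s), a wp-login.php brute forcer
# (6 POSTs in 6 s) and a visitor reading the same page three times.
SAMPLE_LOG = (
    [make_line("203.0.113.7", s, "GET", f"/wp-content/plugins/plugin{s}/readme.txt", 404) for s in range(12)]
    + [make_line("198.51.100.23", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [make_line("192.0.2.10", s * 10, "GET", "/wordpress_lab_test/?page_id=2", 200) for s in range(3)]
)

if __name__ == "__main__":
    for ip, rule in threshold_alerts(SAMPLE_LOG):
        print(f"{ip}: exceeded {rule} threshold")
```

The scanner trips only the 404 rule, not the GET rule, which is the point of keeping the counters separate: a crawler that finds real pages and a scanner that guesses plugin paths produce the same request rate but very different status codes. Behind a reverse proxy or CDN the source address has to come from the forwarded-for header instead of the first field, or every visitor collapses into one IP and the thresholds fire constantly.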
Special File Permissions (a bit paranoid =) )

```sh
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
spooker@spookerhome:/tmp/wordpress$ cat test.php
Malware Content
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Sep 12 14:12 test.php
spooker@spookerhome:/tmp/wordpress$ lsattr test.php
----i--------e-- test.php
spooker@spookerhome:/tmp/wordpress$ echo "Malware Content" >> test.php
bash: test.php: Permission denied
spooker@spookerhome:/tmp/wordpress$ ls -lah test.php
-rw-rw-r-- 1 spooker spooker 16 Sep 12 14:12 test.php
```

Between the two appends the immutable attribute was set on test.php (the `i` in the lsattr output), which is why the second write is refused while the mode bits still read rw-rw-r--. From chattr(1): a file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
Statistical Data
A Unique Place...
… where false positives become good information =)
Counter Intelligence
➢ Behavior
➢ Alerts
➢ New trends
➢ Honeypots / New Attacks
Behavior: How you look at problems
User-Agent: Something ABCD WXYZ
User-Agent: My UA with ABCD PBC
User-Agent: ABCD is a malicious
Three different User-Agent strings sharing the token ABCD: the recurring fragment, not any one full string, is what the signature should key on.
GEO IP Block: Top Attack Countries
Top Methods
HTTP Version 1.0
Quick history (Spambot Stealrat)
Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)
In summary...
The Challenges
➢ Bad code
➢ Themes
➢ Plugins (33.5K+)
➢ Languages
Looking to the Future
➢ Integration with SCAP (Security Content Automation Protocol) checks
➢ Create an open source tool to regex traffic
○ Database of regexes per application
➢ Build a rule set for CMSs (WordPress, Joomla, Drupal, vBulletin, Magento …) under OWASP Projects
Contact
Rodrigo “Sp0oKeR” Montoro
@spookerlabs / @sucuri_security
http://blog.sucuri.net
http://www.sucuri.net