
Sniffing Out Security Flaws in Your Web App

BSides Oklahoma · 2017 · 44:37 · 43 views · Published 2017-04 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
A penetration tester and developer shares techniques for recognizing common web application vulnerabilities through real-world case studies. Drawing on both attacker and developer perspectives, the talk demonstrates how seemingly minor flaws—querystring arguments, unsafe eval usage, hash-based routing—can be chained together to form exploitable attack scenarios. Attendees learn to spot security anti-patterns like outdated JavaScript libraries and unsafe type coercion.
Original YouTube description:
Sniffing Out Security Flaws in Your Web App. A skilled attacker is probably not going to throw a sheer volume of different attacks at your app to see what sticks. Much like a skilled coder learns to recognize "code smells" (certain symptoms that suggest a problem), a skilled attacker recognizes specific things that may indicate a vulnerability. A simple example would be a querystring argument containing a URL. It may be an open HTTP redirect, an API call that can be hijacked, a cross-site scripting flaw, or perhaps nothing at all. One of the best tools developers and application owners can use to secure their own apps is the ability to spot potential vulnerabilities the same way an attacker would.
Transcript [en]:

All right, can I start with a quick show of hands: how many developers do I have in the audience? Good, one, two over there, one over here. Okay, oh, this is gonna be interesting, because it's a talk that was sort of contrived for developers in the first place, but hopefully everyone will learn something from it. A lot of it focuses on basics; when people stop making basic mistakes, I'll stop giving talks about basics. So, a little bit about me. My name is Mike; sometimes people call me Mick as well, like the entire United Kingdom, for example. True story, I worked with a UK company for a whole bunch of years. And so, you should know what I do: I was

senior security consultant at Secure Ideas, so I do mostly pen tests. That's not entirely true: I spend half my time doing pen tests and half my time writing reports, and half of that is fun and half of that nobody likes. I've got a lot of development experience. I started in the eighties, which is probably hard to believe looking at me, I hope. Still, I started writing DOS batch scripts and then BASIC, sometime around '88, and just kind of kept slinging code and kept slinging code through, you know, when my age hit the double digits finally, and through my teenage years, and basically somewhere around '97 I started throwing

stuff on the internet, which, I didn't know what I was doing at the time. Some of that was GeoCities sites, yeah, everybody remember those? Fun stuff with framesets. Eventually I ended up putting in about 10 years of web app development, 5 as a system integration consultant, so that's pretty much my resume, not that I'm looking for a job, of course. I got a reputation, kind of, among people that know me, mainly my coworkers, for being particularly nasty if I find a cross-site scripting flaw. It's not to be mean; sometimes I only have time to throw an alert pop-up anyway, but I tend to be able to insert some code into the flow that doesn't break

anything, and everybody thinks that's mean. I don't think that's mean, I think I'm being nice. But that's when I did my web app development: I did a bunch in Java, I did a bunch of .NET, I did a little bit of Ruby, I did a little bit of Node. I've done a lot of different things; the back end kept changing, the front end was a constant, yeah, it stayed the same, and a lot of the time I had full-stack responsibilities, because people don't like hiring user interface guys, I guess, I don't know. And so because of that I ended up picking up more JavaScript experience than everything else. I've put stuff in production in... I could try to

rattle off a bunch of languages, but I'd probably stumble over it, 'cause I'm a nervous speaker and I ramble. But yeah, I've put stuff in production in Perl, I've put stuff in VBA jammed into an Excel file. I've done some horrible things, though, I need to confess, and I've done some pretty slick stuff too over the years. That experience has sort of taught me, when I look at a web app, which I do, a lot of web apps, when I look at a web app I have a pretty good idea, a lot of the time, where I would have made a mistake as a developer, or where a developer would make a mistake, and

usually what that comes from is an assumption that is not entirely correct; it's, say, 75% correct. And that, I think, for me has made me a pretty good attacker on the other side. One of my favorite parts of the job is constructing attack scenarios, and that's: you get a little flaw here, a little flaw there, you start piecing them together and you see what you could maybe do with them, and being able to narrate that I find particularly fun. It's a really interesting mental exercise. So I would say just because something looks like a minor flaw on its own, or, you know, it's a medium, it's not a shell, it's not a cross-site scripting, it

doesn't mean you need to write it off; it might click together with something else you find. Prone to saying Zed: so I did my first BSides talk at Charleston last year, and I probably spent five minutes trying to point out a Zed on the screen and nobody knew what I was talking about, because I'm actually originally from Canada and I was pointing at a Z and everyone thought I was strange and crazy. And so you'll hear Canadianisms, but if I start talking about something and it sounds a little funny, that's probably where it's coming from. I put my Twitter handle up there as well. The last time, I was in kind of the end of the

day slot and everybody went for beer, like the people from my own group up in and around Charlotte were tweeting it from the bar, and I was picking it up, and okay, that's great, you're having a beer and I'm, you know, super nervous and hiding behind a podium. So I told everyone that time: pick up, take out your phone, tweet. I had five people in the audience tweet about how awesome this talk is that everybody's missing. I don't think I'm gonna say that this time, but you're certainly welcome to. Okay, so what I have today: I've got five sort of case studies, and they all follow the structure of what I call the smell, sort

of the same idea as code smell. It's something that I see immediately observable in the application that makes me go, there might be something wrong there, I should take a closer look. Sometimes it's legitimate functionality, sometimes it's a false positive, but a lot of the time it is also something else, something bad. And originally it wasn't planned to be a talk all about stuff in the URL, in the address bar, but a lot of it kind of worked out that way when I picked the cases. It's not going to be comprehensive; it's gonna be kind of a greatest hits, and we're gonna talk a lot about various things that you'll see in the query

string, and what it could mean, what I think I might be able to use that as an attacker, depending on what you've done or what a developer has done, and how that should be remediated, which, for the, I think, three developers in the room, might be useful, or for anybody who has to write a report about it after they find it. Okay, so case number one is a simple one, you see it all the time: somebody has put a URL in a request parameter, right? You see it often, like in this example, it's some part of the authentication process, and the person's been directed there. You kick them into the login page

because they don't have a session, you want them to log back in, right? You see that all the time. That is not in itself a flaw. However, there are two things to look at: there's the request parameter and the endpoint. However, how does it work, right? And that's, you're gonna have to play with it to figure that out. Does the server use it to retrieve a file? So if it's actually referencing a file on the system, or it's appending an extension onto it, in this case, or if it's got a file with an extension, it doesn't guarantee anything, like, and that's gonna be the case with all of these, and I'll try not to repeat that

too often, but it doesn't guarantee anything. But, and I don't see this as often anymore, the better ones are coming up, there's a potential there for a directory traversal: if you try throwing a dot-dot in, right, navigate up the file system, navigate laterally, maybe if you have an idea what something else in there might be called, try some common file names, there's a potential for that. If it happens to be going into some sort of command, there's a potential for command injection maybe as well, and that's a bit of a long shot; that's sort of the best-case scenario, and most of the time that's not what you'll see even when it is flawed. What I find a

lot is that it'll take an absolute path, which means I can have a URL on your website point to something on my server. That's usually bad in almost every case; I mean, there are certainly a few exceptions, but you usually don't want to see that. So I can put an absolute path in. Let's start from there: what's it doing? If it's redirecting, then it's an open redirect, so it's good for social engineering; I can have a link that points to your domain that actually lands you in my site at the end. Where that is particularly, especially nice is if you see one that has some sort of authentication process, where it goes, does this person have a session, then

forwards them to the correct page, or it kicks them to the login page and then forwards them to the supplied page; it's going to persist that parameter, and I've seen this several times. It's really handy for a cross-site request forgery attack, right, because they have to have a session, so you get them to log in on their own website and then redirect them to your page with your CSRF payload. Everybody know how cross-site request forgery works? That's something I should cover; show of hands if you'd like me to cover CSRF. We got a few. So the short version, the easiest way to explain it, is if you have a cookie from

a website, let's call it facebook.com, you have a cookie from facebook.com and you can issue requests on facebook.com with that cookie: submit the form, it checks that you have a valid session, it does the thing. If you go over to my site, evilsite.com, and my site submits requests to facebook.com from your browser, your browser will append that cookie. And that's where you see things like, on a password change, and this is for me kind of the classic CSRF example, a password change prompts you for your old password, because if you can't validate that, my CSRF site can't validate that unless I trick you into putting it in; if you can't

validate that, then it's not a legitimate request. And that's also where the tokens come in: if you've seen CSRF tokens, it's a piece of information that is not exposed to the attacker who's standing up a CSRF site. So whereas if you just took the new password, not the old password, even had it on there twice for the confirmation, and I knew the structure of the request, and you were logged in on that site, you had a session, and I submitted that request when you browsed to my page, then I can change your password, essentially, is what it comes down to. If I haven't explained that well, if you want me to go over that

more, or again, find me after; I've got one of the tables out in the lobby. The other part's the endpoint, and that's where I was talking about, how it's used is important. Another example I saw took an absolute path, didn't go there at all; it actually wasn't a redirect. I couldn't tell what was happening until I pointed it at a site that I controlled, and then I could see that I was getting an HTTP request, but not from me, not from my browser: that request was coming from the server. It was an API call. So they put the URL, they put right in the query

string the URL that they were gonna submit their API call to. That's what it did: I pointed it at my server and it made the API call to me and then returned data. And this is one of those, when I was talking about assumptions that are mostly true but there are exceptions too, it's an opportunity. You find something like that, I'm sending my response instead of a response from a server they think they control; I'm introducing my payload into a context that is supposed to be trustworthy, and that's where you'll see the missed escaping, that sort of thing that can get you an injection. And so those are really my two favorite cases of things I can do with

an open redirect. It's always nice to just be able to go, okay, this is targetsite.com, not Target the store, obviously, because I would not be involved in something like that. Walmart... it's a bad joke: why didn't Walmart get hacked? All right, 'cause they're not a Target. This is, yesterday I was teaching a class with my boss, that was his joke, I stole it from him because he's not here.

So, mitigating it. What do you do? It's always gonna be something like this: it's gonna be, well, it's probably better not to do that if you can avoid it. If you can design your application so it's not necessary, that is your best fix. However, if you're expecting a relative path, you're expecting something else, you're expecting it to only direct to things on the same site, then enforce that relative path; make sure nobody's tacking a protocol and a domain onto the front of it. I would do that with regular expressions; I'm sure there are other things that people might use to do that, and a lot of libraries probably

have built-in tools to validate that sort of thing. Directory traversal: if you have the ability to expand, and I think everything does, PHP even has this ability, to expand a relative path into an absolute path and compare it, that's a common way to check for directory traversal. If the directory that it resolves to in the absolute path is not downstream from the relative path that you were expecting it to land in, then somebody's trying to traverse. If you have to do something like that API case, where you're pointing to other servers that you control, use a whitelist, right? You have a finite number of servers; you know that I can only go to those ones;

make sure it's going to those ones. And with anything like that, and this is, people are really good about validating that text boxes don't contain malicious stuff; people forget all the time various other parameters, hidden fields, stuff in the URL, and that's to be treated as user-supplied input. Escape it if you're gonna echo it, you know, that sort of thing. I always use HTTPS. Why is that there? Because people don't use HTTPS, for one thing, and right now I don't think there's a valid reason that I've heard not to, for the entire internet. But there's also a corner case I wanted to deal with, and that's why I put that up there: so you have a legitimate redirect

to another absolute path, to another domain, and it's supposed to go to that domain under HTTPS, and I take the S off of it. I'm able to remove the encryption from the transport layer. Hopefully you have other protections to prevent that anyway, but downgrading it, removing the encryption, opens up opportunities and takes things like passing credentials, it makes them a lot more vulnerable to stuff like man-in-the-middle attacks, right? So that's, I think, about all I wanted to say about that. Before I go on to the next case, did anybody have any particular follow-up questions to that one? No? Cool. Okay, JSON object. There's an asterisk on there in the URL; I told you we're gonna

spend a bunch of time up there, and this one, okay, here's a hint: it's not a JSON object. They're taking a string representation of a JavaScript object, which is not explicitly the same as a JSON object, and this one's gonna get a little code heavy, and there's fair warning, it's the only one I think that I did that has a bunch of code in it. So it's a JavaScript object, and they're gonna take that, they're gonna unsafely interpret that as a JavaScript object. And I saw this first, the first time I found this was in a security product, a flagship product from a security company, in their web interface. Immediately I see this sort of thing in

the address bar, of course I'm gonna play with it, right? I'm gonna see what I can put in there; executable code is what I really want to put in there. So I did it. That's just for convenience's sake, I've taken away the URL encoding on it, okay? So I did most of this stuff with the JavaScript console; hopefully you can read it all right, it's kind of the smallest font in the whole deck. So yeah, I've done an example; it's functionally equivalent to what I saw and what I've seen elsewhere. I haven't picked apart every one and seen how they've unsafely handled it, but this is a really simple example of it. I have

a cursor up there, yeah. eval: don't use it, ever. If you're at a point where you're using an eval in your JavaScript for anything that could have user input appended to it, you're already insecure. But in this case, okay, taking it through quickly line by line: I took that payload that was in the URI on the title slide and decoded it into a string. Now I pass it into this eval that's gonna assign it to a variable, and with that payload it's producing the object just as somebody would expect. But it's obviously, I think most people in the room have probably realized, it's obviously an unsafe thing to do, and

here are a few ways that I've tried that work for exploiting this sort of thing. So if you look here, I've jammed an object in there with the toString override in JavaScript, which is basically: I assigned a function to that object called toString. In this case I had it log the letters XSS out to the console, it's cross-site scripting, and return the value 'string', because this object got swapped into the field that returned the type, which was 'string' before. So I pass it into the same eval function; what I got out of it is slightly different: it has an object where there was a string before, and that's where you see, and this

is important: when I look at somebody's JavaScript code and I see a lot of equality operators that are double equal signs, I immediately get suspicious that they're Java developers. It's maybe a bit of snobbery on my part, but I get suspicious that their JavaScript developers don't know what they're doing, because, does anybody know the difference between two equal signs and three equal signs in JavaScript?

That's right, two equal signs will do type coercion, so it will try to convert it; three equal signs, it will not, and if they're not the same type they don't match. Which is why you can see, when I compared it with three equal signs, it never called toString, never called that toString I injected in there, so it came back false, and that's all that happened. When I compared it with two equal signs to a string, it actually came back true, for one thing, which it's not, and it ran my console.log command, executed my cross-site scripting, because that toString function got called in order to do that

comparison. So this is an okay example, it's not ideal: I've changed the structure of the object, it's a little bit broken now, but it is one tool that is available for that sort of thing. I have one more; I think it's better. I like to show both, but I think my second one is better: JavaScript closures. If you want to build really good cross-site scripting payloads, being comfortable with closures helps. In this case, what I've done, so I have this function. Let's start by just looking at the function: it logs my command, it returns the string with the word 'string' in it, that's fine. It's also surrounded in a set of brackets and

followed by a set of brackets, and what that will do is cause it to get executed right away. So in the eval statement now, you can see when it's called my code gets executed immediately in the eval; as soon as it becomes an object, that's getting executed. And if you look down here, the type is actually string, as it was before, as it was in the benign example, the non-exploited one. So they're getting the same object back downstream in the app, but my script has just run. Obviously bad things, right? Cross-site scripting generally gets rated way up near the top of the, you know, the danger scale, whichever risk

index you're using, and there's a really good reason for it, because if I have cross-site scripting, I can control your entire experience with your app, basically. I had a really good one a little while ago, just a couple of weeks ago, and it was cool because, within the app, although there were some protections, I could build the payload in something that I controlled within the app. It was a task list, I think, and invite somebody else to look at it. I could invite anybody by email address, but there was also a contact list built into the app. What's cool about that is, as soon as I get execution in that person's session, as

soon as they accept my invitation and go look at my list, I can pillage their contact list, send the same sort of invitation out to everybody they know. Just one cross-site scripting payload injected there could snowball through everybody who knows everybody in the app, you know, six degrees of separation situation, and as soon as I'm working off their contact list there's a level of trust as well, which makes it even that much more likely to succeed.

Mitigation, right? Best way to do it: there's a function built right in there, JSON.parse. If you do it with a legitimate object that doesn't contain functions, doesn't contain closures, doesn't contain executable code, which is not supported by JSON, and that's an important distinction, it'll work fine. And that's what I've done here: it's the same normal expected payload as before, it gets parsed into the same object as before, it's fine. I stick my cross-site scripting payload in there, any valid cross-site scripting payload that I know, it fails; it won't parse, because you can't have executable code in there. Everything in JSON has to be, both, let's say key and value, we'll use that as

the term, both the key and value have to be enclosed in quotes, or you could have arrays with braces, but within them, unless you're dealing with numerics. So you can't shove a function in there, 'cause you're gonna end up having a string representation of your function that is just the function; unless it's mishandled by, like, an eval statement downstream, you don't have execution that way. That's good. Before we move on, and this is obviously, I've already popped up the title slide, this is obviously something that people have to do all the time, right? Dropbox wouldn't exist without this sort of thing. Before I go on to this, did anybody have cross-site scripting questions that I can answer quickly?

If not, you can also, like I said before, come and find me. No? Okay, so user-supplied files for download. The problem with files is the same as the problem with query string parameters, and that's that they're not necessarily always treated as input fields, and they are input fields. So this is a directory off my laptop; these are files. If you give me an upload, I'm gonna upload all of these and try a few other things. There are a lot of parts of a cross-site scripting payload that can be escaped, and in a way that you can actually have an intact payload to upload in the form of a

file. Alert pop-ups, right? When I'm showing a bunch of alert pop-ups, and I said alert pop-ups, they don't really show much, they suck, that's true. I have a script, and I really need to do a character count on it, it's approximately the size of a tweet, it's about 140 characters: it does an XMLHttpRequest out to a server of my choosing, fetches a file, a JavaScript file, and evals it, right? If I can get enough in to do that, then I can run whatever I want. So yeah, looking here, this one: you're listing files in a context that looks like HTML. They show up as something like that in there, by the way; a common way to access divs and stuff

and throw stuff in there is using innerHTML, right? If there's user input in there that's not escaped, it can contain HTML and it'll get rendered; it's always something that's worth a look. This one, and this is a somewhat more modern, I believe ES6, convention, if I remember right: I've used backticks, if somebody's probably blocking brackets, right, that'll run. It's part of the template literal system in newer JavaScript, but I throw that in, it'll actually execute an alert. With that, try to get into multiple parameters, it gets to be a problem, but for one you can do that, and it's just a filter evasion technique, usually. Although these say "J Gillam", which, so I stick my

brother's picture in there. I actually often stick Kevin, the CEO of the company, whose joke I stole, I often stick his head in there, and he hates it, kinda, but I think he secretly likes it. So then I screenshot it in the report, of course; the client gets a report with, like, three pictures of Kevin's head in there, in various cross-site scripting attacks. He just found that out the other day; it's been going on for a while. He went to review a report and said, why am I looking at myself? And then directory traversal, of course, which, if somebody has found a way to stick two dots into a filename, in

this case it was OS X, but on any UNIX filesystem, I sure would like to find out what that is, because I have tried and I haven't gotten it. But you can do that by using your man-in-the-middle proxy and shoving it in that way, playing with it. So directory traversal, and that's not so much on the upload part, that's more on the download: if there's a download, you may as well try a directory traversal, especially if the user supplied files, because it's not necessarily just, can I navigate out of the web directory and grab /etc/passwd; it's also, can I navigate up a level, over a level, and back down one, and

steal another person's, another user's, stuff, right? Potential auth bypass. Protect the file name from injection payloads, yes please; it's supplied by a user, don't trust it any more than you trust anything else that comes from a user. Users always lie. Ideally, assign an identifier and use it to access it. Storing stuff, accessing, particularly referencing things by their file name down the line, is where a lot of this stuff works, and although there are safe ways to do that, people do dumb things all the time. If you tokenize it, basically, if you generate some identifier for it and use that when you need to retrieve it,

you're a lot less likely to fall prey to those dumb things, and it's always good to just have habits of doing things in a way that is safer. That's kind of one of my rules in life, right? It's, well, I've got my passport; I've got to go to the plane tomorrow, I'm packing the night before. Am I gonna put it on the counter where I need to grab it? No, I'm gonna stick it in the bag that I'm definitely taking no matter what. The only way I'm not taking the passport to the airport is if I forget my whole bag. It's the same sort of thing as,

excuse me, do something in a way that will prevent you from being able to make a mistake when you can. And consider renaming it on disk as well. You can return it with any file name you want, but just random things like that, or maybe it's just me complaining that it's ugly on the file system, and I've put them on my own laptop. I think I would prefer file names, especially if they're handled by other processes as well, as there's potential to exploit another application if you're using a piece of middleware; it's just generally nicer to normalize them somehow. That's about all I had about that. I think we're gonna be struggling to get

to get a fifth case in here, but did anybody have any questions about files? Anybody want my directory of ugly files? Maybe. All right, hash-driven single-page apps. What, oh, I meant to take that jQuery off; that's a spoiler. Okay, yeah, so you see a lot of single-page apps now, and that's, you load into the app, it loads up the interface, it fetches everything through asynchronous requests, and you never reload the page, and it gives the sensation of navigating between pages but snappier. A lot of the time, to do that, they use the hash; several different routing solutions use that. There are good ways and bad ways to do it. Is Angular a good way or a bad way? Any

thoughts? I don't like Angular very much; I've put about a half dozen Angular apps in production anyway. It's a good way; in general, if you use the routing library for Angular, it is believed to be generally secure in terms of its handling of it. That jQuery one, and that particular version is not a coincidence, is an old version. I see that old version probably every other test, or a version older than it. And to be clear, I also see React applications built on top of Rails 5 back ends, so it's not like everything I'm looking at is ancient, but people don't update their JavaScript, ever. They don't; they stick the JavaScript library on

the server and they don't want to touch it, because they're afraid it's gonna break. And I understand that, because I've been on the development side a lot, yeah, I understand that fear. That's not a good enough reason not to try, and nobody does it. Everybody gets it; I can't remember the last time I tested a web app and didn't put outdated JavaScript of some kind in the report. That particular version has a known cross-site scripting flaw, and any version prior to that, and it was the handling of location.hash inside the jQuery selector, so dollar sign, brackets, location.hash, often with a concatenation with something else in there. That was used for a lot of fun

user interface things, like scrolling to a certain part by clicking a button, or showing and hiding tabs. And the thing with jQuery was, and I'm talking about it in the past tense, it's not really fair, the thing about jQuery is that jQuery plugins became a really big thing a long time ago. When I started web development, jQuery wasn't really around, but that's one of those things, it kind of makes me feel older. Anybody watching, or have watched, any of the Iron Fist on Netflix? Nobody, it's not very popular, a little bit over there. So the guy survives an air crash 15 years ago, comes back to New York, he's got the music player that he had 15 years ago. What

is it? An iPod. It just made me feel really old, because it's like, I've got a stack of blank cassettes where I still make mixtapes, and this dude crashes for 15 years, shows up again, he's got an iPod. That's a bit of a tangent, as a distraction, but I actually put it in my speaker notes because I wanted to tell that story. Yeah, so there below that was an example of one of those jQuery plugins. Probably the same guy who has this outdated jQuery might be using an outdated version of that plugin. By the way, that plugin did change their code to mitigate that problem anyway, although they shouldn't have had to; it wasn't

their fault, it was a jQuery problem, not a scrollpane.js problem, and it's not the only plugin that's been called out for that problem. They took steps to mitigate it anyway once it was reported, but again, we find old things because nobody updates. And I put Backbone up there, I was wondering, yeah, I was wondering if anybody would recognize it. Backbone just kind of faded away, didn't it? Backbone also was frequently used with the hash routing. I think there is at least one React routing solution that does, but not all of them do. So update your JavaScript; it is a big lesson there. People don't do it enough. I would like

to see everybody go out and try to update that you have a script it's gonna break stuff you know it is jQuery in particular has done a pretty good job creating a migration roadmap for people to move up unless you still have to support ie8 which happens all the time and on makes me sad but in unless you have to still have to support ie8 you can move off of the 1x branch if you're on the one dot X branch you may as well move up to the top of it because it'll mitigate stuff like that which is a well-documented and known attack that is still out in the wild location dot hash the hash everything

that comes after that hash sign user-supplied just like the filenames just like the other query string parameters treated as such escape that if it's yeah if it's being echoed anywhere and this has the thing with the with but it could be echo that's another thing you could do somebody could have a thing where their router goes and this is a way that you potentially could bend over backwards to make yourself insecure with angular putting on an escaped version of that string in the top of the page regardless of what it is we're not validating that you have a legitimate route for it I think you would have to try really hard to do that but you could and things that

I think that you would have to try really hard to do to make yourself insecure, somebody somewhere thinks is a good idea. Inevitably it happens. Heavily used frameworks are more likely to have flaws detected. That's in bold for a reason. It's safer to use something that's out there, it's got more eyes on it, it just is. Something that is popular, doing it because it's popular is not good, but having a lot of users looking at it, especially since all this JavaScript stuff is open source, having a lot of users looking at it means it's more likely that flaws will be found and fixed. So if you're updating and you're using something that is reasonably popular you are less likely, although

certainly not guaranteed, to be without those sort of flaws. Anybody gonna drag me off stage? Oh, stay behind my podium. Parameters in static resource requests. That's what I thought I might run out of cases... I stuck this in there this morning, to be honest, because I just had these nightmares of, I'm gonna have 15 minutes left and they're still here. If anybody wants to go and get some food right now you won't hurt my feelings, but I am gonna keep talking for a couple more minutes unless they tell me that I can't, which they haven't. So why does it matter, right? CSS files and JavaScript files, that's what I'm talking about. I start seeing

request parameters on requests to those. Maybe it's nothing, and a lot of the time it's nothing, and this is a trickier one because you see it all the time now. They're almost always on at least the analytics JavaScript, you see there are almost always extra parameters, and they're often extra parameters now, but sometimes they're a little fishy. Sometimes you tweak them a little bit, you get a different response back, and you start wondering, okay, why am I getting a different response? Am I supplying something that's tied to a user where I'm gonna get back something else? That's potentially an auth bypass. Particularly, and I said JavaScript and CSS, it's more JavaScript: is it generating something that points

to a specific resource? That's, it's dynamically generated but hard-coded into the JavaScript file, pointing to some resource that's specific to that user that doesn't have authorization on it. Reflection is the best one though, right? Is whatever I'm sticking in the query string showing up in the file? Because if it is I can probably get something to execute. And it's the same story again, and this is a short one: don't generate JavaScript dynamically at runtime. Whether they had a really good reason, and I haven't heard one yet, if you don't need to do it, don't do it. You're much better off with... you can do it as part of your build process, right,

a bundler or other bundling tools, Browserify, there are a lot of good tools for putting together something like that, but that's a build step. It's not a runtime thing and it's not taking user input, which is the real problem. And again, business as usual with regard to request parameters: they're request parameters, treat them as user input, always treat them as user input. If it's in the request it's user input, basically. Hey, questions? We headed to the end, sort of. Anybody have any questions? Everybody wants to get out of here. All right, have a good BSides everybody, thanks for coming out. [Applause]
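Added example, not from the talk and not jQuery's or any plugin's code: a dependency-free Node script that models the jQuery selector fast path the speaker describes, so you can see why `$(location.hash)` (with or without a concatenated prefix) was parsed as HTML in old 1.x releases and as a plain selector from 1.9 on, next to a hardened way to route on the fragment and to escape it if it is echoed. The two regular expressions are my transcription of jQuery's `quickExpr` (old 1.x) and `rquickExpr` (1.9+) and should be checked against the jQuery source for the version you ship; `KNOWN_TABS` and the sample fragments are constructed for the demo.

```javascript
// Added example (not from the talk, not jQuery's own code): why "$(location.hash)"
// was a DOM-based XSS sink in old jQuery, and how to treat the fragment as
// untrusted input instead. Runs under Node with no dependencies.
//
// The two regexes are my transcription of jQuery's selector fast path:
// quickExpr in the old 1.x releases and rquickExpr from 1.9 on. Verify them
// against the jQuery source you ship; the shape of the bug does not depend
// on the exact details.

// Old 1.x: a '<' after an arbitrary prefix makes the whole string HTML.
const QUICK_EXPR_OLD = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// 1.9+: only a string that starts with '<' is parsed as HTML.
const QUICK_EXPR_19 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Model what jQuery(str) would do with the string:
//   "html"     -> build DOM nodes from it (inline handlers run: XSS)
//   "id"       -> getElementById fast path (safe)
//   "selector" -> hand it to Sizzle as a CSS selector (throws on junk, no XSS)
function classifyJQueryInput(str, version) {
  const re = version === "old" ? QUICK_EXPR_OLD : QUICK_EXPR_19;
  const m = re.exec(str);
  if (m && m[1]) return "html";
  if (m && m[2] !== undefined) return "id";
  return "selector";
}

// Hardened replacement for "$(location.hash)" tab/scroll routing:
// constrain the shape of the fragment, then allow-list it against the
// targets the page actually has. The raw hash never reaches a selector
// or innerHTML. KNOWN_TABS is a constructed sample.
const KNOWN_TABS = new Set(["overview", "details", "settings"]);

function tabFromHash(hash) {
  const name = hash.startsWith("#") ? hash.slice(1) : hash;
  if (!/^[A-Za-z][\w-]{0,63}$/.test(name)) return null; // shape check first
  return KNOWN_TABS.has(name) ? name : null;            // then allow-list
}

// If the fragment must be echoed into markup at all, escape it like any
// other request parameter.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample fragments: a benign tab link, an attacker-controlled
// fragment, and the same fragment after the "concatenate with something"
// pattern the speaker mentions (the prefix does not help on the old path).
const SAMPLES = [
  "#settings",
  "#<img src=x onerror=alert(1)>",
  "a[href='#<img src=x onerror=alert(1)>']",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s),
              "old:", classifyJQueryInput(s, "old"),
              "1.9:", classifyJQueryInput(s, "1.9"),
              "route:", tabFromHash(s));
}
```

The model only reproduces the constructor's fast path, not Sizzle itself; the point is that on the old path an attacker-controlled `<...>` anywhere in the string becomes markup, and a concatenated prefix such as `"a[href='" + location.hash + "']"` does not change that. Upgrading to 1.9 or later is what closes it, and if a page genuinely needs to build elements from a string, jQuery's 1.9 upgrade guidance is to go through `$.parseHTML` explicitly rather than relying on the constructor to guess.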