
Pentesting Modern Web Apps: A Primer

BSides Augusta · 2018 · 29:01 · 369 views · Published 2018-11
Category: Technical · Team: Red · Style: Talk
About this talk
Brian Hysell (@BrianHysell)

Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
Transcript [en]

So, obviously a lot to go over in half an hour; we'll give it a shot. So I'm Brian. This is actually my first conference talk. So I mostly do web app pen test work and just general pen test work at a tiny company called Accenture with four hundred thousand people. So in terms of motivation, most introductory resources about, like, application security kind of go over more old-school applications where, in terms of presentation logic and business logic, most of that is happening on the server side. Maybe there's a little bit of jQuery thrown in there, but it's pretty much all going on the server side. So I wanted to do some more introductory material but related to modern applications.

So by modern I mean stuff that's using a front-end framework, like AngularJS or just plain Angular, because there's a version difference there, Vue or React, and then it does a lot of the business logic and presentation logic on the client side using those, and then, in terms of some more, a little more, the business logic happens on the server side, communicating by an API, usually RESTful; sometimes, if it's really bleeding edge, they might use something like GraphQL. Want to note this is going to be mostly based on my own experience, so as some of you probably know, if you're familiar, like for example React is probably one of the most important frameworks in this; I'm not gonna go over that a whole lot, and that's not because it's not important, it's just because that's not where my testing experience lies.

So first I want to go over XSS in front-end frameworks. So one of the things you have in these frameworks is the concept of data binding and client-side templates. So in kind of an older, very jQuery-heavy app, the kind of thing you might see is manual DOM traversal using CSS selectors, things like that, to grab elements of the DOM and manually replace their HTML. In these kind of frameworks you can actually go in and put things like, here we got this message variable in the data model, and then for instance we can bind this input field to that message in the data model, and then it'll be dynamically updated at runtime, so as I add or remove from here it'll get updated. So that's a lot cleaner. So these expressions actually protect against XSS by default; they go ahead and encode the common XSS characters client-side, so this protects you against the usual DOM-based XSS that you might see with those.

There's kind of two ways then that we might look at getting XSS anyway right there. So the first one, most obvious, is okay, so it has these protections; all these frameworks have some way to disable those protections as a developer, so if desired, if you disable that protection someone can get DOM-based XSS. That's not really that interesting. The more interesting thing, and the thing that might be new to some of you, you might have seen it in like a Burp scanner report as client-side template injection but not really known what it is, is these expressions I showed before. You know, I just have a variable, message, but they can get a little more complicated. So you got some fancier, like single-page applications, which are very, very much all client-side stuff, but a lot of applications, especially if it's an older one that's kind of being given an update, will mix server-side and client-side presentation logic. So if there's some kind of point in the page where, you know, there's a PHP echo or JSP or, you know, a Thymeleaf template or something like that, that we could inject our own expression into, potentially we could do something dangerous.

So one thing to bear in mind as we talk about this is that a server-side templating engine, to protect against XSS, is going to look at encoding angle brackets, quotation marks usually. So we just saw, though, these expressions are demarcated by braces. So AngularJS expressions are more powerful than just what we just saw, but they're not as powerful as just plain JavaScript; they're kind of JavaScript-esque. They run in the browser's JavaScript interpreter, but before that they get run through a parser by AngularJS, and so you can do simple operations, access object properties, but you can't access, like, important globals like window or document. And so, like for example, alert, you want to pop an alert box, alert is actually window.alert, or document.cookie, obviously that's on document, so you can't just do a straightforward XSS attack like this. One thing to note real quick is that for the technique I'm going to go over here, versions of AngularJS before 1.6 had a sandbox to prevent these, but it didn't really work; researchers found a whole bunch of ways to get around it. They removed it since it didn't work, but if you find an older version of AngularJS, just go on, like, the PortSwigger website, look up an escape, and you'll be fine.

So starting out, what we're talking about is, for example, we've got like PHP echo $_GET foo. So what we might as an attacker provide is this expression, and this will pop an alert box for us. And so if we want to break that down, what we're starting out with is, we just got an empty object, and then if we do .toString on that, now that's a function, we haven't called it, and then if we do .constructor, then we get the Function constructor, and that's not just the constructor for toString, it's the constructor for functions in general in JavaScript. And so with JavaScript's Function constructor, we can pass raw JavaScript to it and dynamically create new functions at runtime. So then if we call that by adding those parentheses, then we'll pop our alert box. So the same thing, exactly verbatim, works in Vue, and this technique right here is actually from the source code of AngularJS, where they say, hey, you could do this.

So the next thing, so I mentioned that we're not doing angle brackets, so that'll get us around those filters and encoding, but what about quotation marks? So we used single quotes to surround our string there. So there's a couple things that come to mind. First, one thing that came to mind when I was looking at this one time was, okay, maybe I'll use backticks. If you're not aware, there's a new ECMAScript standard called template literals that are denoted by backticks and create strings that way, but like I said, AngularJS expressions are not really JavaScript; they run through a parser first and that parser doesn't parse them, so that doesn't work. Can't do just straight String.fromCharCode, because just like the window global and the document global, you can't just grab that willy-nilly. So okay, what we saw before, our kind of {}.toString.constructor thing, so maybe we can launch off of that to get a string. So that by itself is not going to work either, because like I said, this constructor we got here is the Function constructor for all functions, not the String constructor, so if we call fromCharCode on there, that's not going to work.

So a quick disclaimer: there's a simpler way to do this than what I'm going to present. When I was first making the presentation I tried the simple way, didn't work; when I was practicing it I tried it and it did work. But this way is kind of interesting and you might learn some things from it, so I think it's kind of cool. Quiz question: does anyone know what that is? Nope. Notebook for you. So JavaScript's an interesting language, and it's got all these weird automatic type conversions, some less weird than others. The one that's really weird to me, maybe I just don't know enough, is, I mean, if in an expression you give an exclamation point and empty square braces, that will evaluate to the boolean value false. Empty braces, of course, that's just an empty array. Plus, that's concatenation or arithmetic, so if you add these together with the plus operator, what you'll end up getting is the string false. So now, and if you're interested in this kind of weird stuff, because I am, this book Web Application Obfuscation is really good; also these guys Mario Heiderich and Gareth Heyes, they've got a lot of cool stuff on the Internet.

So you break that down now, so we've got a string and don't have any quotes. So now if we do .constructor we can get fromCharCode, and then run that, and we can put in our stuff. And so the whole purpose of that is now we can do XSS and this time evade pretty much any server-side XSS filter that you would normally see, and also a lot of WAFs, and even like XSS Auditor in Chrome. So that's pretty cool. So like I said, there's actually a simpler way to do that. So before I said, okay, {}.toString, that's just a function; well, if we just do {}.toString and then call that function, that's an empty string, huh. So this works too; it's simpler, in my opinion not as cool.

Another question: so here we got this sha256 hash attribute on our script tag, and I've used that before. This is part of a new security standard for web pages; does anyone know what that's called? You guys, come on. It's called Subresource Integrity; you should read about it, it's actually pretty cool. Anyone know who this is or what he's from? Corporate politics.

So enumeration, obviously that's one of the more important things to do as pen testers, and there's some unique opportunities that we'll get in some of these applications that we might not get in normal, like, old ones. Quickly, just as a point of reference, for the general architecture we're talking about here, we've got a front end running in the browser, and that handles the presentation logic, at least most of it, and also a lot of the business logic, running a framework like one of these. Easier quiz question: what company made Angular? Okay, too many people said that, I don't know. Okay, okay, someone raised their hand. What company made React? Okay, he predicted the future. So what is it, that guy? Oh sorry, that guy's a psychic first. Yeah, so come get this. So first thing, I don't care, whatever.

So the first thing we want to look at in terms of enumeration, kind of easier, so I've been done, but when a developer is putting together an application in Vue or AngularJS, whatever, they're going to develop a whole bunch of modules, they're gonna be different files, everything, but then they're gonna run them through this abomination called webpack and it's all going to get mushed together in one single mangled minified file. And so there's a good chance that the functionality for different roles is going to be in there, so potentially as an unprivileged user, or even maybe an unauthenticated user, you could see the client-side business logic for admin roles, for example. So if you go and look around there and you look for XHR calls, or in this random example they've got their own little wrapper there, you might be able to find, pardon me, you might be able to find sensitive REST API calls that you want to test, see if there's any authorization issues.

So another thing, of course, more on the server end of things, we're dealing with REST APIs. The application we're looking at, in terms of the front-end business logic, might not actually be covering all the possible API functionality. So if we can get the API documentation, especially in a machine-readable format like OpenAPI, Swagger, or WADL, that'll really help us to map out the API. If we're doing a white box or gray box assessment we can just ask the developers for it, but a lot of different REST frameworks actually auto-generate it, so you can first just try typical paths where you might see it, and then depending on the framework there might be other places, so it's not necessarily default, but for example for Jersey I see these applications got WADL a lot. And so you can see as an example here, a random example from the Internet of a .wadl file, that you can see has different resources and parameters and all that stuff, and that's going to help you out, find maybe even functionality that's not even used by the application as is, and so they didn't even really think much about the security behind it.

So next, for logic and authorization testing, a quick basic rundown of REST if you're not familiar. So REST, you know, there's kind of conventions, and maybe things you should do versus what people actually do, but generally, conventionally, what you'll do is, say I've got an app that handles books. So I want to get a list of all the books: GET /api/books. I want to create a book: do a POST to that same URL. I want to retrieve a book: okay, I've added an ID for that, a GET. Edit, same URL but with a PUT, or more rarely a PATCH, and these are just HTTP request methods. And when I delete a book I just use a DELETE request method.

So the reason I go over that is because of two reasons, well, three. So the first and foremost, as some of you already probably picked up on, is because so much of the business logic is actually done on the client side. Of course we all know with client-side business logic there could be security issues there, things maybe we can bypass. So, and to give you an idea of how extensive business logic is in terms of how much is really put on the server versus put on the client side, in terms of presentation and business logic, you'll very frequently see, even just for something as simple as putting your username in the right-hand corner, they'll actually go do like GET /users/current. So that's a common place where you'd have mistakes just in terms of general, okay, bypassing client-side business logic.

Another thing is, just in my experience at least, so REST, as we kind of saw before with the books, encourages you to think of what you're doing in terms of the underlying resources, the users, the books, the roles, not necessarily an action. So you're oftentimes doing a PUT against the users resource, not specifically calling some Struts action that is meant specifically to change user emails, things like that. And at least what I found is, because of that change in mindset, people are a little more prone to forget to add necessary authorization checks that might normally be second nature to them.

So in terms of a couple of real-world examples of this, hopefully that clears it up a bit. So in one case I was looking at an application; like I said, just to get my basic user information to display, it called GET /users/current, and I said, going back to conventions, okay, there's a good chance that the way it modifies this is not through some explicit action but just through a PUT or PATCH request to that URL. So lo and behold, it took some trial and error getting exactly the right thing, but all I had to do was issue a PUT request to that with admin as my role and I became an admin. Similarly, same situation, thank you, same situation, looking at it, saw the GET /users/current and just did a POST, made up a POST, didn't necessarily know that it was there, just guessed maybe it could be there, and created new admin users. Similar type of thing, this is more of a basic IDOR, but just in a REST API, did a GET to other users and was able to get their password or security questions out of their profiles. Another one was, did a PATCH request to other users and could reset their password reset PINs.

And so what I mean in terms of the conventions here is, normally when you're trying to break an application, unless you're explicitly given, you know, again in more of a white box, gray box situation, explicitly given admin credentials so you can compare what you see as a normal user with what you see as admin, and you see, oh, here's changeUserRole.php, you don't even necessarily know what you would even try to do to check if there are any authorization issues on those types of things. But here, because they use pretty standard conventions, in many cases you can just guess, oh, let me try a PUT, and that might just work. Same thing in terms of the fact that you may be able to just look in the client-side source and find those REST API calls, when in an older application those might never be revealed to you.

So quickly, actually going down into details on this is kind of a lightning talk unto itself, but if you ever find yourself, as I've done before, manually writing a whole bunch of REST API requests in Burp or in curl, do yourself a favor and download Postman, which is a graphical API client for REST APIs. It can import API documentation like those WADL and Swagger files I mentioned, and it also has these features called environments and collections; go look them up. Those can be really helpful for easily switching between different roles in the application and different sample data, to very quickly do manual authorization testing, compared to if you were going to tediously go around with Burp or curl or whatever and keep switching around your token.

So some miscellaneous things. So CORS, or, oh, I don't define it in here, so someone, quiz question, someone raised their hand, what does CORS stand for? Yeah, yeah. So hopefully a lot of you are already familiar with this, but to understand cross-origin resource sharing you need to have a little bit of understanding of same-origin policy and what it's protecting against. So as you know, you can do AJAX requests with the XMLHttpRequest object, and JavaScript can do requests, get the response to it, read that. If you set withCredentials on that, you can actually use cookies, auth, client certificates, things like that. So what stops attacker.com from doing, you know, gmail.com/api/inbox, and if I'm logged in, just stealing all my emails? Well, that's the same-origin policy. If you try to do that, your browser will compare your origin to Gmail's origin and decide they're not the same, that's the same-origin policy, and forbid using that response.

Quickly, origin is scheme, hostname, and port, so like https, you know, .com, 443. So sometimes you may need to, as a developer, explicitly get around that policy for your legitimate functionality in the application. So developers, like I said, can override that functionality with something called CORS, cross-origin resource sharing. A bit more involved in this, but say brian.com made an example AJAX call to highschool.com. highschool.com could then turn around and give two headers: one, Access-Control-Allow-Origin: http://brian.com, note the http is in there because it's on origins, not just hostnames, and scheme is part of the origin; the port is implicit. And also Access-Control-Allow-Credentials: true, which would allow the calling JavaScript to use that withCredentials property. And so then in that case the browser would send that request, in most cases would send the request, which is a CSRF issue, but then it would allow brian.com to actually read that response.

So CORS pitfalls, or at least, I guess, a pitfall. So you may have seen, again in a little Burp scan, but maybe not quite understood it, a thing called "cross-origin resource sharing: arbitrary origin accepted". So what is that? So when your browser is making this request with AJAX, or a lot of other requests, it sends a header called Origin, and so you got your XHR request on attacker.com, it sends Origin: https://attacker.com. There's a surprising number of misconfigured applications that will just take that Origin header and reflect it straight back into Access-Control-Allow-Origin, and at the same time they may also set Access-Control-Allow-Credentials to true. If that's the case, and, you know, not that this would happen, but if Google did have that issue, then we could just get everything from the inbox with our page. You know, you're kind of wondering why this is, because this is a little odd; actually it's gonna take too long to explain. Point is, it happens sometimes and it's insecure, so test for it.

Quickly, I don't know how modern this is, just a very basic thing. So people are not generally just handwriting their REST code; they're using some kind of REST framework, especially when they're in the Java world. A lot of those have various vulnerabilities, sometimes pretty bad ones. Another quiz question, hopefully someone will know. So there's a Struts REST API, Struts REST RCE issue, a year-and-a-half-ish ago. This was due to it passing untrusted XML to a certain Java library. Does anyone know what that library was? It's one called XStream. It basically turns XML into arbitrary Java objects, and because of that you can get basically a Java deserialization attack. So the point of this is, check your REST frameworks for vulnerabilities. This presentation in particular, Unsafe JAX-RS: Breaking REST APIs, and can, these two are pretty good; I'll leave that up.

The last thing, one minute, we got one minute for Q&A, actually less. Prize: name a non-main character from Aqua Teen Hunger Force, not one of the four main characters. Yep. Any, like, 30-second question? I'll post them on my Twitter, which is in the guide, and also it's just @BrianHysell, just my name.
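The "arbitrary origin accepted" CORS pitfall from the talk, as an added example that is not the speaker's code: a handler that reflects the Origin header beside one that checks an explicit allowlist, plus the check a scanner or unit test runs against the response headers. It assumes Node's global URL class; the origins are constructed sample values.

```javascript
// Misconfigured handler: reflects whatever Origin the browser sent and also
// allows credentials, so any page can read the authenticated response.
function corsHeadersReflecting(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened handler: the Origin header is normalised (scheme + host + port) and
// compared against an allowlist of full origins; unknown or unparseable origins
// get no CORS headers at all. Vary: Origin keeps caches from mixing answers.
function corsHeadersAllowlist(requestOrigin, allowedOrigins) {
  if (!requestOrigin) return {};
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return {}; // e.g. the literal string "null" sent from sandboxed frames
  }
  const normalized = parsed.origin; // "https://app.example.com" (443 implicit)
  if (!allowedOrigins.includes(normalized)) return {};
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// The check itself: call the handler with a foreign Origin and flag the response
// if that origin is echoed back while credentials are allowed. `headersFn` stands
// in for an HTTP request in this offline example.
function arbitraryOriginAccepted(headersFn, probeOrigin) {
  const h = headersFn(probeOrigin);
  const allow = h['Access-Control-Allow-Origin'];
  const creds = String(h['Access-Control-Allow-Credentials'] || '').toLowerCase() === 'true';
  return allow === probeOrigin && creds;
}
```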
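The missing authorization checks on PUT /users/current and PATCH /users/{id} that the speaker describes, as an added example that is not from the talk: the vulnerable handler that merges the request body into the caller's record, beside handlers that enforce a field allowlist, object-level ownership, and a role check. The user store and sessions are constructed sample data; no HTTP framework is involved.

```javascript
// Constructed in-memory user store standing in for the database.
const users = new Map([
  [1, { id: 1, email: 'alice@example.com', role: 'user' }],
  [2, { id: 2, email: 'bob@example.com', role: 'user' }],
]);

// `session` is what the server resolved from the caller's token; its role must
// come from server-side state, never from anything in the request.

// Vulnerable PUT /users/current: merges the whole JSON body into the caller's
// record, so a body of { "role": "admin" } silently escalates privileges.
function putCurrentUserInsecure(session, body) {
  const user = users.get(session.userId);
  if (!user) return { status: 401 };
  Object.assign(user, body);
  return { status: 200, body: user };
}

// Fields a user may change on their own record; role is deliberately absent.
const SELF_EDITABLE = new Set(['email']);

// Hardened PUT /users/current: rejects any field outside the allowlist instead
// of silently dropping it, so an attempted role change shows up as a 403.
function putCurrentUserSecure(session, body) {
  const user = users.get(session.userId);
  if (!user) return { status: 401 };
  const rejected = Object.keys(body).filter((k) => !SELF_EDITABLE.has(k));
  if (rejected.length > 0) {
    return { status: 403, body: { error: 'not editable: ' + rejected.join(', ') } };
  }
  for (const k of SELF_EDITABLE) if (k in body) user[k] = body[k];
  return { status: 200, body: user };
}

// Hardened PATCH /users/{id}: object-level authorization (the IDOR case) plus a
// role check, so only the owner or an admin may edit, and only admins set role.
const ADMIN_EDITABLE = new Set(['email', 'role']);

function patchUserSecure(session, targetId, body) {
  const target = users.get(targetId);
  if (!target) return { status: 404 };
  const isAdmin = session.role === 'admin';
  if (!isAdmin && session.userId !== targetId) return { status: 403 };
  const allowed = isAdmin ? ADMIN_EDITABLE : SELF_EDITABLE;
  if (Object.keys(body).some((k) => !allowed.has(k))) return { status: 403 };
  for (const k of allowed) if (k in body) target[k] = body[k];
  return { status: 200, body: target };
}
```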