Fast (and almost automatic) SSRF detection Eldar Zaitov.

Presentation transcript:

Fast (and almost automatic) SSRF detection Eldar Zaitov

Whoami
Yandex
More Smoked Leet Chicken CTF team
CTFtime.org

Server Side Request Forgery

SSRF sources
XXE and variations
Declared functionality
Errors in URL generation

POST /ws/mail/v2.0/jsonrpc
Content-Type: application/json

{
  "method": "GetUserData",
  "params": [ {"includeUnverifiedExtAcct": true} ]
}

POST /ws/v3/batch HTTP/1.1
Content-Type: application/json

{
  "requests": [
    {
      "method": "POST",
      "uri": "/ws/mail/v2.0/jsonrpc",
      "payload": {
        "method": "GetUserData",
        "params": [{"includeUnverifiedExtAcct": true}]
      }
    }
  ]
}

Detection
Output / Error based
Backconnect
DNS

POST /ws/v3/batch HTTP/1.1
Content-Type: application/json

{
  "requests": [
    {
      "method": "POST",
      "uri": ".zndemo.kyprizel.net/",
      "payload": {
        "method": "GetUserData",
        "params": [{"includeUnverifiedExtAcct": true}]
      }
    }
  ]
}
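The batch endpoint above forwards whatever "uri" the caller supplies, which is what lets the sub-request be pointed at an external host. As an added example (not code from the talk), a server-side check that only dispatches relative paths under an assumed allowlist; ALLOWED_PREFIXES, the send() client and fake_send are assumptions for illustration.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Internal services this batch endpoint may dispatch to (assumed allowlist).
ALLOWED_PREFIXES = ("/ws/mail/", "/ws/calendar/")

def validate_batch_uri(uri):
    """Return the normalised internal path for one sub-request, or None to reject it.
    Only a relative path under the allowlist is accepted: no scheme, no host, no
    scheme-relative "//host", no traversal (checked after percent-decoding)."""
    if not isinstance(uri, str) or not uri.startswith("/") or uri.startswith("//"):
        return None
    parts = urlsplit(uri)
    if parts.scheme or parts.netloc:
        return None
    path = posixpath.normpath(unquote(parts.path))
    if not (path + "/").startswith(ALLOWED_PREFIXES):
        return None
    return path

def dispatch_batch(body, send):
    """Dispatch a decoded /ws/v3/batch body. `send(path, method, payload)` is the
    internal client (assumed). Rejected sub-requests get an error entry instead."""
    results = []
    for req in body.get("requests", []):
        path = validate_batch_uri(req.get("uri"))
        if path is None:
            results.append({"error": "uri not permitted", "uri": req.get("uri")})
        else:
            results.append(send(path, req.get("method", "GET"), req.get("payload")))
    return results

def demo():
    """Constructed sample: the slides' legitimate sub-request next to an external one."""
    seen = []
    def fake_send(path, method, payload):  # stand-in for the internal HTTP client
        seen.append(path)
        return {"ok": True, "path": path}
    body = {"requests": [
        {"method": "POST", "uri": "/ws/mail/v2.0/jsonrpc",
         "payload": {"method": "GetUserData", "params": [{"includeUnverifiedExtAcct": True}]}},
        {"method": "POST", "uri": "http://zndemo.kyprizel.net/", "payload": {}},
    ]}
    return dispatch_batch(body, fake_send), seen
```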


Detection / DNS
sniffer  IN  A
zndemo   IN  NS  sniffer.kyprizel.net

Fuzzing
Request parameters, headers
Request body: multipart/form-data, XML, application/json, whatever

Detection / tools
Burp Suite plugin
Fuzzer
DNS server (optional)
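The "Detection / DNS" slide delegates zndemo to a sniffer so that any lookup of a fuzzed hostname proves the server resolved it. As an added example (not the talk's plugin or DNS server), the core of that sniffer: issue a unique token per injection point, parse the QNAME out of a raw DNS query, and map it back to the request that carried it; make_probe, correlate and the build_query sample packet are assumptions for illustration.

```python
import struct
import uuid

# Zone whose NS record points at the sniffer, as on the "Detection / DNS" slide.
SNIFFER_ZONE = "zndemo.kyprizel.net"

def make_probe(zone=SNIFFER_ZONE):
    """Return (token, hostname). The hostname is unique per injection point, so a
    lookup of it can only come from the server following our injected value."""
    token = uuid.uuid4().hex[:16]
    return token, f"{token}.{zone}"

def parse_qname(packet):
    """Extract the question name from a raw DNS query (RFC 1035 wire format).
    Returns None for truncated packets or compressed names (never valid in QNAME)."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(packet):
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None

def correlate(packet, probes, zone=SNIFFER_ZONE):
    """Map an observed query back to the injection point that carried its token.
    probes: dict token -> description of the fuzzed request/parameter."""
    name = parse_qname(packet)
    if name is None or not name.endswith("." + zone):
        return None
    token = name[: -len(zone) - 1].split(".")[-1]  # label just before the zone
    return probes.get(token)

def build_query(name):
    """Constructed sample: a minimal DNS A query for `name` (no network involved)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def demo():
    """Fuzz one injection point, then 'observe' the lookup the server would make."""
    token, host = make_probe()
    probes = {token: "POST /ws/v3/batch -> requests[0].uri"}
    return correlate(build_query(host), probes)
```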

@kyprizel