Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation.

OWASP: Abusing Open HTTP Proxies
Mike Zusman, Intrepidus Group, Inc.
June 18, 2008

Hi everybody! (slide 2)
- Mike Zusman, CISSP
- Past: Web Application Developer; Whale Communications/Microsoft; ADP Application Security Team
- Current: Senior, Intrepidus Group

Don't mind me, I'm just sniffing your ports! (slide 3)

What am I talking about? (slide 4)
- Open HTTP proxies
- Remote access appliances
- Plain old web applications

Using SSL? Come on in! (slide 5)
- SSL VPN remote access portals

One HTTP listener, many web servers (slide 6)
- URL rewriting

The Good, the Bad, and the 0wned (slide 7)
- Microsoft Intelligent Application Gateway: 347EF878763CCAEF /path/to/app/index.asp
- SonicWALL SSL VPN: httprp/

The Good, the Bad, and the 0wned (slide 8)

The Good, the Bad, and the 0wned (slide 9)

But wait, there is more... (slide 10)
- We just showed a client-side attack
- We can also attack the network and other services
  - How does HTTP work?
- And we can attack the application/proxy itself
  - Think beyond HTTP

Scanning the Network (slide 11)
- HTTP is sent over TCP
- vul-notes.nsf/id/ (Date Public: 02/19/2002)
- Open HTTP proxies will open arbitrary TCP sockets
- /fetchurl.asp?url=
- Timing

Scanning the Network
Trying: Result: 500 Duration: s
Trying: Result: timed out Duration: s

Attacking the Proxy (slide 13)
- Web applications can act as proxies
- Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP
- PHP: include(), fopen(), etc. (if you're bored)
- Perl: request()
- These libraries can do more than fetch remote URLs
- What about file:///?

SEO Web Sites (1) (slide 14)
- Search Engine Optimize

SEO Web Sites (2): Great Success! (slide 15)
- Search Engine Optimize

BlogEngine.NET (slide 16)
- intranet-hacking/
- Widespread: "probably 100,000 public installs"
- Local web site disclosure: /js.axd?path=
- Local file disclosure: /js.axd?path=/web.config

HTTP Request Amplification (slide 17)
- Attacker sends X requests to the proxy
- The proxy sends (x)(y) requests to the victim
- Google RSS Reader: 2-to-1 request amplification on non-existing feeds
- Transloading and WebTV users

Open Application Proxy Chaining (slide 18)
- Anonymization
  - A large number of open app proxies (HTTP GET)
  - Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim
- Auto-exploitation: open proxy worm
  - A large number of open app proxies (HTTP GET)
  - Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN
  - The proxies are the victims

Open Application Proxy Chaining (slide 19)
- Embedding URLs:
  om%2F%3Furl%3Dhttp%253A%252F%252Fhos t3.com%252F%253Furl%253Dhttp%25253A%2 5252F%25252Fhost3.com%25252F%25253Furl %25253Dhttp% A% F% Fhost4.com% F% Dhttp ….

Open Application Proxy Chaining (slide 20)
- Embedding URLs
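The nested-URL embedding on the two slides above, and the file:/// question on slide 13, can both be spotted in a fetch endpoint's access log. This is an added example, not code from the talk: it unwraps the fetch parameter one URL-encoding level at a time, the way each proxy hop would, and flags deep chains and non-HTTP schemes. The parameter names, host names and log lines are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (request method + path only), not from the slides.
SAMPLE_LOG = """\
GET /fetchurl.asp?url=http%3A%2F%2Fwww.example.com%2Frss.xml
GET /fetchurl.asp?url=http%3A%2F%2Fhost2.test%2F%3Furl%3Dhttp%253A%252F%252Fhost3.test%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost4.test%25252F
GET /fetchurl.asp?url=file%3A%2F%2F%2Fweb.config
GET /index.html
"""

# Query parameters the application is known to pass to its server-side fetcher (assumed).
FETCH_PARAMS = ("url", "path")


def chain_depth(url, param_names=FETCH_PARAMS, limit=16):
    """Return (depth, schemes): how many fetch URLs are nested inside `url`,
    and the set of URL schemes seen along that chain. Each pass decodes one
    more level, exactly as the next proxy in a chain would see it."""
    depth, schemes, current = 0, set(), url
    while current and depth < limit:
        parts = urlsplit(current)
        if parts.scheme:
            schemes.add(parts.scheme.lower())
        qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one level
        nxt = next((qs[p][0] for p in param_names if p in qs and qs[p][0]), None)
        if nxt is None:
            break
        depth += 1
        current = nxt
    return depth, schemes


def scan_log(log_text, max_depth=1, allowed_schemes=("http", "https")):
    """Flag requests whose fetch parameter chains through more than `max_depth`
    hops, or names a scheme the fetcher should never be handed (file:, etc.).
    Returns a list of (line_number, reason) tuples."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        depth, schemes = chain_depth(fields[1])
        bad = sorted(s for s in schemes if s not in allowed_schemes)
        if depth > max_depth:
            findings.append((lineno, f"proxy chain depth {depth}"))
        if bad:
            findings.append((lineno, "disallowed scheme " + ",".join(bad)))
    return findings
```

A single hop (depth 1) is the endpoint's normal use; line 2 of the sample unwraps to three hops and line 3 asks for a local file.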

URL Length (slide 21)
- .NET: 260 chars?
- IIS: 32K chars
- How long of a URL can you have?
- "In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k." - Some Guy on the Internet

What about the HTTP Response? (slide 22)
- Sometimes you see the proxied response, sometimes you don't
- What are your goals?
- Timing can help (or hurt you)
- Order of execution
- Confirmation: make yourself the last hop
- TCP sequencing

No request propagation without exploitation! (slide 23)
- Request propagation: attacker makes one request that turns into N requests
- How can we exploit this?
  - Persistent XSS
  - Blind SQLi
  - Get code to run on a machine in the chain (or a web browser)

No request propagation without exploitation! (slide 24)
- Persistent XSS
- Redir--> 2F%3Furl%3D …

Persistent XSS Exploitation (slide 25)

Demo (slide 26)
- Hopefully, it will work.

No FUD (slide 27)
- Attack prerequisites
  - App must have a URL that makes an arbitrary request
  - The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]
  - Order of execution: exploit, then propagate
- Leg work: attacker must find targets ahead of time
- Mitigating factor: URL length limitations

This is OWASP… (slide 28)
- …so how do we fix this stuff?
- Input validation
  - Displaying host names in URLs is bad: manipulation, information leakage
- Lock down the config
  - Use a product that supports white lists
  - Don't allow .* hosts
- Firewall configuration
  - Does your proxy NEED to talk to the Internet? To every host on your LAN?
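One way to apply the white-list advice above to a fetch-URL parameter, as an added example rather than code from the talk or any of the products named: only http(s), only an exact allowlisted host (no .* patterns), a standard port, no embedded credentials, and no literal IP address, since an IP would bypass a name-based list entirely. The allowlisted host names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this fetcher is meant to reach (assumption).
ALLOWED_HOSTS = {"feeds.example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). Accept only http(s) URLs whose host is exactly one
    of `allowed_hosts`; refuse file:, other schemes, literal IPs (LAN or
    loopback addresses included), credentials in the URL and odd ports."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on "http://h:abc/"
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url"
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 literals
        return False, "literal ip address"
    except ValueError:
        pass  # not an IP literal, carry on with the name check
    if host not in {h.lower() for h in allowed_hosts}:  # .hostname is lowercased
        return False, f"host {host!r} not in allowlist"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"
```

Name validation alone does not stop an allowlisted name from resolving to an internal address, so it belongs alongside the firewall rules on the slide, not instead of them.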

Thanks
- Questions? Comments? Concerns?