Published by Jessica Reeves. Modified over 9 years ago.
1
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP http://www.owasp.org
Abusing Open HTTP Proxies
Mike Zusman, Intrepidus Group, Inc
Mike.zusman@intrepidusgroup.com
June 18, 2008
2
Hi everybody!
Mike Zusman, CISSP
Past:
- Web Application Developer
- Whale Communications/Microsoft
- ADP Application Security Team
Current:
- Senior Consultant @ Intrepidus Group
3
Don’t mind me, I’m just sniffing your ports!
4
What am I talking about?
- Open HTTP Proxies
- Remote Access appliances
- Plain Old Web Applications
5
Using SSL? Come on in!
- SSL VPN Remote Access Portals
6
One HTTP listener, many web servers
- URL Rewriting
7
The Good, the bad, and the 0wned
- Microsoft Intelligent Application Gateway: https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp
- SonicWALL SSL VPN: https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/
8
The Good, the bad, and the 0wned
9
The Good, the bad, and the 0wned
10
But wait, there is more...
- We just showed a client-side attack
- We can also attack the network and other services
  – How does HTTP work?
- And we can attack the application/proxy itself
- Think beyond HTTP
11
Scanning the Network
- HTTP is sent over TCP
- https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227 (Date Public: 02/19/2002)
  – Open HTTP proxies will open arbitrary TCP sockets
- /fetchurl.asp?url=http://192.168.1.1:139
- Timing
12
Scanning the Network
Trying: http://127.0.0.1:139
Result: 500
Duration: 0.937832117081s
Trying: http://127.0.0.1:443
Result: timed out
Duration: 30.0013480185s
13
Attacking the Proxy
- Web Applications can act as proxies
  – Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP
  – PHP: include(), fopen(), etc (if you’re bored)
  – Perl: request()
- These libraries can do more than fetch remote URLs
- What about file:/// ?
14
SEO Web Sites (1)
- Search Engine Optimize http://127.0.0.1
15
SEO Web Sites (2)
- Great Success! Search Engine Optimize http://127.0.0.1
16
Blog Engine.NET
- http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/
- Widespread: “probably 100,000 public installs”
- Local web site disclosure: /js.axd?path=http://localhost
- Local file disclosure: /js.axd?path=/web.config
17
HTTP Request Amplification
- Attacker sends X number of requests to the proxy
- The proxy sends (x)(y) number of requests to the victim
- Google RSS Reader: 2 to 1 request amplification on non-existing feeds
- Transloading and WebTV users
18
Open Application Proxy Chaining
- Anonymization
  – A large number of open app proxies (HTTP GET)
  – Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim
- Auto-Exploitation: Open Proxy Worm
  – A large number of open app proxies (HTTP GET)
  – Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN
  – The Proxies are the Victims
19
Open Application Proxy Chaining
Embedding URLs:
http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….
20
Open Application Proxy Chaining
Embedding URLs
21
URL Length
- .NET: 260 char?
- IIS: 32K chars (http://support.microsoft.com/kb/820129)
- How long of a URL can you have?
“In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k.” - Some Guy on the Internet
22
What about the HTTP Response?
- Sometimes you see the proxied response, sometimes you don’t
- What are your goals?
- Timing can help (or hurt you)
- Order of Execution
- Confirmation
- Make yourself the last hop
- TCP Sequencing
23
No request propagation without exploitation!
- Request Propagation: Attacker makes one request that turns into N requests
- How can we exploit this?
  – Persistent XSS
  – Blind SQLi
  – Get code to run on a machine in the chain (or a web browser)
24
No request propagation without exploitation!
Persistent XSS:
http://host1.com/?url=http://host2.com&param=http://tinyurl.com/xyz
--302Redir-->
http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …
25
Persistent XSS Exploitation
26
Demo
Hopefully, it will work.
27
No FUD
- Attack Prerequisites
  – App must have a URL that makes arbitrary requests
  – The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]
  – Order of Execution: Exploit then Propagate
- Leg Work
  – Attacker must find targets ahead of time
- Mitigating Factor
  – URL Length Limitations
28
This is OWASP… …so how do we fix this stuff?
- Input Validation
  – Displaying host names in URLs is bad: Manipulation, Information Leakage
- Lock down the config
  – Use a product that supports white lists
  – Don’t allow .* hosts
- Firewall configuration
  – Does your proxy NEED to…
    – talk to the Internet?
    – talk to every host on your LAN?
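A deny-by-default check for a url= fetch parameter of the kind the mitigation slide calls for, as an added example that is not from the presentation; it also covers the file:/// case (Attacking the Proxy slide), LAN and loopback targets on arbitrary ports (Scanning the Network slides) and nested url= chaining (Embedding URLs slide). The parameter name "url", the allowlist, the port set and the resolver hook are assumptions.

```python
# Added example, not from the slides: deny-by-default validation of a "fetch this URL"
# parameter. Anything that is not http(s) to an allowlisted host on 80/443 is refused,
# which rules out file:///, 127.0.0.1:139-style port probes and chained url= parameters.
# The parameter name "url", the allowlist and the resolver hook are assumptions.
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"feeds.example.org", "partner.example.net"}  # assumed allowlist, never ".*"
ALLOWED_PORTS = {80, 443}


def chain_depth(url, limit=8):
    """Count how many url= parameters are nested inside each other (one decode per hop)."""
    depth = 0
    while depth < limit:
        nested = parse_qs(urlsplit(url).query).get("url")  # parse_qs undoes one %-encoding
        if not nested:
            break
        url = nested[0]
        depth += 1
    return depth


def validate_fetch_url(url, resolver=socket.gethostbyname):
    """Return (ok, reason). Only http(s) to an allowlisted host on 80/443 passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %s" % (parts.scheme or "<none>")
    if not parts.hostname:
        return False, "missing host"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host not on allowlist: %s" % parts.hostname
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    if chain_depth(url) > 0:
        return False, "nested url= parameter (proxy chaining)"
    # An allowlisted name can still point at 127.0.0.1 or a LAN address (stale or
    # attacker-controlled DNS), so check what it actually resolves to as well.
    try:
        addr = ipaddress.ip_address(resolver(parts.hostname))
    except (OSError, ValueError):
        return False, "host does not resolve"
    if not addr.is_global:
        return False, "resolves to non-public address %s" % addr
    return True, "ok"
```

Fetch with automatic redirects disabled and re-run the check on every hop; the tinyurl 302 on the Persistent XSS slide would otherwise slip a second proxied URL past a check made only on the first request.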
29
Thanks
Questions? Comments? Concerns?
Mike.zusman@intrepidusgroup.com
http://schmoil.blogspot.com
http://blog.phishme.com