Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Slide 1: Abusing Open HTTP Proxies
Mike Zusman, Intrepidus Group, Inc, Mike.zusman@intrepidusgroup.com
June 18, 2008
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

Slide 2: Hi everybody!
- Mike Zusman, CISSP
- Past
  - Web Application Developer
  - Whale Communications/Microsoft
  - ADP Application Security Team
- Current
  - Senior Consultant @ Intrepidus Group

Slide 3: Don’t mind me, I’m just sniffing your ports!

Slide 4: What am I talking about?
- Open HTTP Proxies
- Remote Access appliances
- Plain Old Web Applications

Slide 5: Using SSL? Come on in!
- SSL VPN Remote Access Portals

Slide 6: One HTTP listener, many web servers
- URL Rewriting

Slide 7: The Good, the bad, and the 0wned
- Microsoft Intelligent Application Gateway
  - https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp
- SonicWALL SSL VPN
  - https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/

Slide 8: The Good, the bad, and the 0wned

Slide 9: The Good, the bad, and the 0wned

Slide 10: But wait, there is more...
- We just showed a client-side attack
- We can also attack the network and other services
  - How does HTTP work?
- And we can attack the application/proxy itself
  - Think beyond HTTP

Slide 11: Scanning the Network
- HTTP is sent over TCP
- https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227
  - Date Public: 02/19/2002
- Open HTTP proxies will open arbitrary TCP sockets
  - /fetchurl.asp?url=http://192.168.1.1:139
- Timing

Slide 12: Scanning the Network
Trying: http://127.0.0.1:139
Result: 500
Duration: 0.937832117081s
Trying: http://127.0.0.1:443
Result: timed out
Duration: 30.0013480185s

Slide 13: Attacking the Proxy
- Web Applications can act as proxies
  - Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP
  - PHP: include(), fopen(), etc. (if you’re bored)
  - Perl: request()
- These libraries can do more than fetch remote URLs
  - What about file:/// ?

Slide 14: SEO Web Sites (1)
- Search Engine Optimize http://127.0.0.1

Slide 15: SEO Web Sites (2)
- Great Success!
- Search Engine Optimize http://127.0.0.1

Slide 16: Blog Engine.NET
- http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/
- Widespread: “probably 100,000 public installs”
- Local web site disclosure
  - /js.axd?path=http://localhost
- Local file disclosure
  - /js.axd?path=/web.config

Slide 17: HTTP Request Amplification
- Attacker sends X number of requests to the proxy
- The proxy sends (x)(y) number of requests to the victim
- Google RSS Reader: 2 to 1 request amplification on non-existing feeds
- Transloading and WebTV users

Slide 18: Open Application Proxy Chaining
- Anonymization
  - A large number of open app proxies (HTTP GET)
  - Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim
- Auto-Exploitation: Open Proxy Worm
  - A large number of open app proxies (HTTP GET)
  - Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN
  - The Proxies are the Victims

Slide 19: Open Application Proxy Chaining
- Embedding URLs
  - http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp …

Slide 20: Open Application Proxy Chaining
- Embedding URLs
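As an added example that is not part of the presentation: detection logic, run over constructed access-log lines (the client addresses and host names are made up), that unwraps the nested url= parameter from slides 18 to 20 and flags chained fetches, and also flags non-http schemes such as the file:/// case from slide 13.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines (made up for this example): a normal fetch,
# a host2 -> host3 -> host4 chain in the style of slide 19, and a file:/// fetch.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2008:10:00:01] "GET /index.asp?url=http%3A%2F%2Fwww.example.com%2F HTTP/1.1" 200
10.0.0.7 - - [18/Jun/2008:10:00:02] "GET /index.asp?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost4.com%25252F HTTP/1.1" 200
10.0.0.9 - - [18/Jun/2008:10:00:03] "GET /index.asp?url=file%3A%2F%2F%2Fc%3A%2Finetpub%2Fweb.config HTTP/1.1" 200
"""

REQ_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def chain_depth(target, max_depth=16):
    """Count the url= hops nested inside one fetch target.
    parse_qs strips one layer of percent-encoding per pass, which is what
    each proxy in the chain does before forwarding. 0 for a plain URL."""
    depth = 0
    while depth < max_depth:
        inner = parse_qs(urlparse(target).query).get("url")
        if not inner:
            break
        target = inner[0]
        depth += 1
    return depth


def analyze_log(log_text):
    """Return (client, scheme, depth) for every fetch that is chained
    or that uses a scheme other than http/https."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        outer = parse_qs(urlparse(m.group("path")).query).get("url")
        if not outer:
            continue
        target = outer[0]
        scheme = urlparse(target).scheme.lower()
        depth = chain_depth(target)
        if depth > 0 or scheme not in ("http", "https"):
            findings.append((client, scheme, depth))
    return findings
```

A depth of 2 means the request the proxy received would in turn drive two more proxies before reaching the final host; the max_depth guard keeps a deliberately deep chain from keeping the analyzer busy.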

Slide 21: URL Length
- .NET: 260 chars?
- IIS: 32K chars (http://support.microsoft.com/kb/820129)
- How long of a URL can you have?
  - “In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k.” - Some Guy on the Internet

Slide 22: What about the HTTP Response?
- Sometimes you see the proxied response, sometimes you don’t
- What are your goals?
- Timing can help (or hurt you)
- Order of Execution
- Confirmation
  - Make yourself the last hop
  - TCP Sequencing

Slide 23: No request propagation without exploitation!
- Request Propagation
  - Attacker makes one request that turns into N requests
- How can we exploit this?
  - Persistent XSS
  - Blind SQLi
  - Get code to run on a machine in the chain (or a web browser)

Slide 24: No request propagation without exploitation!
- Persistent XSS
  - http://host1.com/?url=http://host2.com&param=
  - http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …

Slide 25: Persistent XSS Exploitation

Slide 26: Demo
- Hopefully, it will work.

Slide 27: No FUD
- Attack Prerequisites
  - App must have a URL that makes arbitrary requests
  - The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]
  - Order of Execution: Exploit then Propagate
- Leg Work
  - Attacker must find targets ahead of time
- Mitigating Factor
  - URL Length Limitations

Slide 28: This is OWASP…
- …so how do we fix this stuff?
- Input Validation
  - Displaying host names in URLs is bad
    - Manipulation
    - Information Leakage
- Lock down the config
  - Use a product that supports white lists
  - Don’t allow .* hosts
- Firewall configuration
  - Does your proxy NEED to…
    - talk to the Internet?
    - talk to every host on your LAN?
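An added example of the white-list approach from this slide, not code from the presentation: the ALLOWED_HOSTS set and the validate_fetch_url name are assumptions. It rejects, before any socket is opened, the file:///, raw-IP-with-port and nested url= inputs seen on slides 11, 13, 16 and 19, and it uses exact host matching rather than a .* pattern.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# Hypothetical white list for a fetch endpoint such as /index.asp?url=...
# The presentation names no hosts, so these are made up.
ALLOWED_HOSTS = {"intranet-app.example.com", "reports.example.com"}


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, "") if the proxy may fetch url, else (False, reason).
    Exact host matching only: a pattern such as .* lets the endpoint reach
    any host, which is the condition every attack on these slides needs."""
    try:
        p = urlparse(url)
        port = p.port                      # raises ValueError on a bad port
    except ValueError:
        return False, "unparseable URL"
    if p.scheme.lower() not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"   # blocks file:///
    if p.username or p.password:
        return False, "credentials embedded in URL"
    host = p.hostname or ""                # already lower-cased, brackets stripped
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)         # 192.168.x.x, 127.0.0.1, ::1, ...
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, f"host {host!r} not in white list"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"           # no TCP probing
    if "url" in parse_qs(p.query):
        return False, "nested url= parameter (proxy chaining)"
    return True, ""
```

Exact host matching says nothing about what the name resolves to; resolve the host and apply the same address rules before connecting, or the proxy can still reach the LAN through DNS.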

Slide 29: Thanks
- Questions? Comments? Concerns?
- Mike.zusman@intrepidusgroup.com
- http://schmoil.blogspot.com
- http://blog.phishme.com

