
Abusing Open HTTP Proxies

Mike Zusman

Intrepidus Group, Inc

[email protected]

June 18, 2008


Hi everybody!

  • Mike Zusman, CISSP

    • Past

      • Web Application Developer

      • Whale Communications/Microsoft

      • ADP Application Security Team

    • Current

      • Senior Consultant @ Intrepidus Group



What am I talking about?

  • Open HTTP Proxies

    • Remote Access appliances

    • Plain Old Web Applications


Using SSL? Come on in!

  • SSL VPN Remote Access Portals



The Good, the bad, and the 0wned

  • Microsoft Intelligent Application Gateway

    • https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp

  • SonicWALL SSL VPN

    • https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/




But wait, there is more . . .

  • We just showed a client-side attack

  • We can also attack the network and other services

    • How does HTTP work?

  • And we can attack the application/proxy itself

    • Think beyond HTTP


Scanning the Network

  • HTTP is sent over TCP

    • https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227

    • Date Public: 02/19/2002

  • Open HTTP proxies will open arbitrary TCP sockets

    • /fetchurl.asp?url=http://192.168.1.1:139

  • Timing


Scanning the Network

Trying: http://127.0.0.1:139

Result:

500

Duration: 0.937832117081s

Trying: http://127.0.0.1:443

Result:

timed out

Duration: 30.0013480185s


Attacking the Proxy

  • Web Applications can act as proxies

    • Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP

    • PHP: Include(), fopen(), etc. (if you're bored)

    • Perl: request()

  • These libraries can do more than fetch remote URLs

    • What about file:/// ?


SEO Web Sites (1)

  • Search Engine Optimize http://127.0.0.1


SEO Web Sites (2) Great Success!

  • Search Engine Optimize http://127.0.0.1


Blog Engine .NET

  • http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/

  • Widespread: “probably 100,000 public installs”

  • Local web site disclosure

    • /js.axd?path=http://localhost

  • Local file disclosure

    • /js.axd?path=/web.config


HTTP Request Amplification

  • Attacker sends X number of requests to the proxy

  • The proxy sends X times Y requests to the victim (Y requests for each one it receives)

  • Google RSS Reader: 2 to 1 request amplification on non-existing feeds

  • Transloading and WebTV users


Open Application Proxy Chaining

  • Anonymization

    • A large number of open app proxies (HTTP GET)

    • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim

  • Auto-Exploitation: Open Proxy Worm

    • A large number of open app proxies (HTTP GET)

    • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN

    • The Proxies are the Victims


Open Application Proxy Chaining

  • Embedding URLs

  • http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….
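Peeling a nested URL like the one above is what a defender analysing proxy logs needs to do in order to see where a chained request really ends up. This Python example is added here and is not the talk's code; the log format, host names and the constructed log lines are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

def unwrap_proxy_chain(url: str, param: str = "url", max_hops: int = 32) -> list[str]:
    """Peel nested url= parameters one percent-encoding layer at a time and
    return the hosts in hop order; the last entry is the ultimate target.
    max_hops bounds the work on adversarial input."""
    hosts: list[str] = []
    current = url
    while current and len(hosts) < max_hops:
        parts = urlsplit(current)
        hosts.append(parts.hostname or "")
        nested = parse_qs(parts.query).get(param)  # parse_qs removes one %-layer
        if not nested:
            break
        current = nested[0]
    return hosts

def is_internal(host: str) -> bool:
    """True for 'localhost' and loopback/private/link-local IP literals."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local

def find_chained_requests(log_lines, min_hops: int = 2):
    """Return (downstream_hops, final_host) for each request that either chains
    through another proxy (min_hops or more targets) or points at an internal host."""
    findings = []
    for line in log_lines:
        # Constructed log format (assumption): '<client> "GET <path> HTTP/1.1" <status>'
        path = line.split('"')[1].split(" ")[1]
        hosts = unwrap_proxy_chain("http://this-proxy.example" + path)
        hops = len(hosts) - 1            # first entry is this proxy itself
        if hops >= min_hops or (hops >= 1 and is_internal(hosts[-1])):
            findings.append((hops, hosts[-1]))
    return findings

# Constructed access-log lines: a benign fetch, a two-hop chain ending on an
# internal host, and a single-hop fetch of loopback.
SAMPLE_LOG = [
    '203.0.113.7 "GET /fetchurl.asp?url=http%3A%2F%2Fwiki.example%2F HTTP/1.1" 200',
    '203.0.113.7 "GET /fetchurl.asp?url=http%3A%2F%2Fhost2.example%2F%3Furl%3Dhttp%253A%252F%252F10.0.0.5%253A139%252F HTTP/1.1" 500',
    '203.0.113.9 "GET /fetchurl.asp?url=http%3A%2F%2F127.0.0.1%3A443%2F HTTP/1.1" 504',
]
```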



URL Length

  • .NET 260 char?

  • IIS: 32K chars (http://support.microsoft.com/kb/820129)

  • How long of a URL can you have?

    • “In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k.” - Some Guy on the Internet


What about the HTTP Response?

  • Sometimes you see the proxied response, sometimes you don’t

    • What are your goals?

  • Timing can help (or hurt you)

    • Order of Execution

  • Confirmation

    • Make yourself the last hop

    • TCP Sequencing


No request propagation without exploitation!

  • Request Propagation

    • Attacker makes one request that turns into N requests

  • How can we exploit this?

    • Persistent XSS

    • Blind SQLi

    • Get code to run on a machine in the chain (or a web browser)


No request propagation without exploitation!

  • Persistent XSS

    • http://host1.com/?url=http://host2.com&param=<img src="http://tinyurl.com/xyz">

    • http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …



Demo

  • Hopefully, it will work.


No FUD

  • Attack Prerequisites

    • App must have a URL that makes arbitrary request

    • The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]

    • Order of Execution: Exploit then Propagate

  • Leg Work

    • Attacker must find targets ahead of time

  • Mitigating Factor

    • URL Length Limitations


This is OWASP…

  • …so how do we fix this stuff?

    • Input Validation

    • Displaying host names in URLs is bad

      • Manipulation

      • Information Leakage

    • Lock down the config

      • Use a product that supports white lists

      • Don’t allow .* hosts

    • Firewall configuration

      • Does your proxy NEED to…

        • talk to the Internet?

        • talk to every host on your LAN?
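The input-validation and allowlist advice above, as an added Python example that is not from the talk: a check a `url=`-style fetch endpoint (the `/fetchurl.asp?url=` pattern shown earlier) can run before it opens any socket. The allowlisted host names and ports are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist (assumption): exact host names and the ports each may be
# reached on. No wildcard (".*") entries and no "allow everything" default.
ALLOWED_TARGETS = {
    "mail.internal.example": {443},
    "wiki.internal.example": {80, 443},
}
ALLOWED_SCHEMES = {"http", "https"}

def check_proxy_target(url: str) -> tuple[bool, str]:
    """Decide whether a user-supplied url= value may be fetched at all.
    Returns (allowed, reason); the reason belongs in the server log, not the response."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased, IPv6 brackets removed
        port = parts.port          # ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed (rejects file:///, gopher:, etc.)"
    if not host:
        return False, "no host"
    if parts.username is not None:
        return False, "userinfo not allowed"    # http://allowed-name@other-host/ tricks
    try:
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"  # 127.0.0.1, 192.168.x.x, [::1], ...
    except ValueError:
        pass                                     # not an IP literal; check the name
    if host not in ALLOWED_TARGETS:
        return False, "host not on allowlist"   # also covers localhost, 0x7f000001, ...
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_TARGETS[host]:
        return False, "port not allowed for this host"  # stops :139-style probing
    return True, "ok"
```

Rejecting before connecting also removes the timing side channel from the earlier scanning slides: every disallowed target fails in the same constant way.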


Thanks

  • Questions?

  • Comments?

  • Concerns?

  • [email protected]

  • http://schmoil.blogspot.com

  • http://blog.phishme.com

