Adventures in Large Scale HTTP Header Abuse
Zachary Wolff
About Me
SIEM Deployments, Research Engineer for LogRhythm (Labs) | 2+ years
Threat Research Analyst for Webroot Software | 2+ years
Let's Talk About HTTP Headers
Browser. Web Server.
HTTP Headers Basics
v2.3 – 8KB*
*Per Header Field
I want to break some logging applications!
Original premise: if a GET request returns a valid response (302, 200), send a second GET with a malicious User-Agent string* and see whether the server returns a 500 response
Data set: 400K URLs
Non-verbose IIS errors…
and the x.x.gov sites….?
What did we find?
How extensive is the problem of improper HTTP header handling?
500s are OK, but much too broad
What is a good indication of a possible SQLi vulnerability?
Run a regular expression against the HTML response data to match on “you have an error in your sql syntax”
Improved error detection, basic SQLi & beyond
*Thanks to @j0emccray for contributing to regEx list
Byte Anomaly Detection Added (--bad)
Compare content-length of response data from original/clean GET to data from malicious GET.
*Alert margin set to 150 bytes above or below the clean request's content length; results (including HTML response data) are logged to file
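The two response checks on the slides above (the error-signature regex and the byte anomaly comparison) as an added Python example. This is not pyLobster's code; it is written so a site owner can run it over saved response bodies from their own application to see whether a malformed request leaks a verbose SQL error or produces a page whose size differs from the clean baseline by more than the margin. Only the MySQL error text and the 150-byte margin come from the slides; the PHP-style pattern and the sample response bodies are constructed for illustration.

```python
import re

# Error signatures to search for in HTML response data. Index 0 is the MySQL
# message quoted on the slides; index 1 is a constructed PHP-style example.
ERROR_PATTERNS = [
    re.compile(r"you have an error in your sql syntax", re.IGNORECASE),
    re.compile(r"warning:\s+mysql_\w+\(\)", re.IGNORECASE),
]

# Byte anomaly detection (--bad): alert when the test response's length is more
# than this many bytes above or below the clean baseline response.
BYTE_MARGIN = 150


def match_error_signatures(body):
    """Return the indices of ERROR_PATTERNS that match the response body."""
    return [i for i, pat in enumerate(ERROR_PATTERNS) if pat.search(body)]


def byte_anomaly(clean_body, test_body, margin=BYTE_MARGIN):
    """Compare content lengths of the clean and test responses.

    Returns (flagged, delta): delta is test length minus clean length in
    bytes, and flagged is True when |delta| exceeds the margin.
    """
    delta = len(test_body.encode("utf-8")) - len(clean_body.encode("utf-8"))
    return abs(delta) > margin, delta


def analyze_response_pair(clean_body, test_body):
    """Combine both checks into one result record for a clean/test pair."""
    flagged, delta = byte_anomaly(clean_body, test_body)
    return {
        "error_signatures": match_error_signatures(test_body),
        "byte_anomaly": flagged,
        "byte_delta": delta,
    }


# Constructed sample responses (not captured from any real site).
CLEAN_BODY = "<p>item</p>" * 40            # 440 bytes: a normal listing page
LEAKY_BODY = (                              # 113 bytes: verbose MySQL error page
    "<html>You have an error in your SQL syntax; check the manual that "
    "corresponds to your MySQL server version</html>"
)
QUIET_BODY = CLEAN_BODY + "<!-- -->"        # 448 bytes: same page, trivial change

if __name__ == "__main__":
    for name, body in [("leaky", LEAKY_BODY), ("quiet", QUIET_BODY)]:
        print(name, analyze_response_pair(CLEAN_BODY, body))
```

The leaky page trips both checks (signature 0 matches and the page shrinks by well over 150 bytes), while the quiet page trips neither; in practice the byte check alone produces noise on pages with dynamic content, which is why the slides pair it with the error regex list.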
Cookie Support added. Server Sends us this:
PyLobster Responds with this:
And the server says?
Updated Testing Values: “,;,%00, %00’
“I improved the crawler to harvest 500K+ URLs a day. You should put my picture in your whitepaper”
Output additions (beyond SQLite):
Mark Vankempen, LogRhythm Labs
Added Footprint mode (-g)
pyLobster will now send your unique string/hash as a request like so:
Then, Wait for it… Days, Weeks, Months
Google/Bing/DuckDuckGo your hash/string to discover unprotected log directories ;)
pyLobster is currently a single-threaded tool, so I divided my 1.6 million URLs into 78 unique lists and spawned 78 instances
nohup python pyLobster.py -f a --bad -s -l -g &
nohup python pyLobster.py -f b --bad -s -l -g &
nohup python pyLobster.py -f c --bad -s -l -g &
nohup python pyLobster.py -f d --bad -s -l -g &
And so on……
Out of 1.6 million unique URLs, 14,500 error RegExes matched!
*0, 1 & 2 are MySQL errors, 18 & 19 are PHP
Of the 14,500 error RegExes matched
Error #0: “you have an error in your SQL syntax"
Byte Anomaly Detection Results
Creates this Log trail:
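The slides note that these requests leave a log trail on the target. As an added example (not from the talk and not pyLobster's code), here is a Python parser for Apache combined-format access log lines that flags the User-Agent traits the slides describe (quote characters, %00, a footprint hash) and 500 responses that follow them, so a SIEM analyst can spot this kind of header abuse in their own logs. The sample log lines are constructed; the footprint token shape (32 or more hex characters) is an assumption, since the slides only say "unique string/hash". A bare `;` is deliberately not used as an indicator because every normal browser User-Agent contains one.

```python
import re

# Apache "combined" log format. Quoted fields may contain \" escapes, which is
# exactly what a User-Agent with a double quote in it produces, so the quoted
# groups accept backslash-escaped characters instead of stopping at the first ".
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# Assumed shape of a footprint-mode token: a run of 32 or more hex characters.
FOOTPRINT_RE = re.compile(r'\b[0-9a-fA-F]{32,}\b')


def unescape_quotes(field):
    """Undo Apache's escaping of double quotes inside a quoted log field.

    Only \" is unescaped; \\xHH sequences (which Apache uses for raw control
    bytes such as NUL) are left intact so they remain visible as indicators.
    """
    return field.replace('\\"', '"')


def ua_indicators(ua, status):
    """Reasons a User-Agent looks like header-abuse scanning, not a browser."""
    reasons = []
    if '"' in ua or "'" in ua:
        reasons.append("quote_char")
    if "%00" in ua or "\\x00" in ua:
        reasons.append("null_byte")
    if FOOTPRINT_RE.search(ua):
        reasons.append("footprint_token")
    # A 500 on its own is too broad (as the slides say); it only adds weight
    # when the request already carried a suspicious User-Agent.
    if reasons and status == "500":
        reasons.append("status_500")
    return reasons


def scan_log(lines):
    """Return one finding per log line whose User-Agent carries an indicator."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; a real deployment would count these
        ua = unescape_quotes(m.group("ua"))
        reasons = ua_indicators(ua, m.group("status"))
        if reasons:
            findings.append({
                "line": n,
                "ip": m.group("ip"),
                "status": m.group("status"),
                "ua": ua,
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines (RFC 5737 documentation address, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 -0700] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20100101 Firefox/24.0"',
    '203.0.113.5 - - [10/Oct/2013:13:55:37 -0700] "GET /index.php HTTP/1.1" 500 612 '
    '"-" "Mozilla/5.0 \\",;,%00, %00\'"',
    '203.0.113.5 - - [10/Oct/2013:13:55:38 -0700] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "0123456789abcdef0123456789abcdef"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The first line is a normal browser request and produces nothing; the second is flagged for the quote and %00 test values and for the 500 that followed them; the third is flagged only for the hash-like token, which is the trace footprint mode leaves even when the server answers 200.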