Abusing Open HTTP Proxies - PowerPoint PPT Presentation
Presentation Transcript

Abusing Open HTTP Proxies

Mike Zusman

Intrepidus Group, Inc

[email protected]

June 18, 2008

Hi everybody!
  • Mike Zusman, CISSP
    • Past
      • Web Application Developer
      • Whale Communications/Microsoft
      • ADP Application Security Team
    • Current
      • Senior Consultant @ Intrepidus Group
What am I talking about?
  • Open HTTP Proxies
    • Remote Access appliances
    • Plain Old Web Applications
Using SSL? Come on in!
  • SSL VPN Remote Access Portals
The Good, the bad, and the 0wned
  • Microsoft Intelligent Application Gateway
    • https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp
  • SonicWALL SSL VPN
    • https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/
But wait, there is more . . .
  • We just showed a client-side attack
  • We can also attack the network and other services
    • How does HTTP work?
  • And we can attack the application/proxy itself
    • Think beyond HTTP
Scanning the Network
  • HTTP is sent over TCP
    • https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227
    • Date Public: 02/19/2002
  • Open HTTP proxies will open arbitrary TCP sockets
    • /fetchurl.asp?url=http://192.168.1.1:139
  • Timing
Scanning the Network
Trying: http://127.0.0.1:139
Result: 500
Duration: 0.937832117081s

Trying: http://127.0.0.1:443
Result: timed out
Duration: 30.0013480185s
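The two probes above are what the scanning slide describes: an open port answers (here with a 500) in under a second, a closed or filtered one sits in the proxy's socket timeout for 30 seconds. On the defending side that same pattern is visible in the web server's own access log. The following is an added example, not code from the talk: it parses constructed Apache-style log lines (combined format with a trailing request duration in microseconds, as Apache's %D field emits), pulls the url= parameter out of requests to a hypothetical /fetchurl.asp endpoint, and flags any client that drives the proxy at several distinct internal host:port pairs. The endpoint name, the log layout and the client addresses are assumptions.

```python
"""Detection for SSRF-style port scanning through an application proxy.

Added example; not from the original slides. Parses constructed access-log
lines, extracts the proxied target from the url= parameter, and groups
requests per client to spot internal host:port sweeps. Request durations
carry the timing signal from the slide: a quick answer on an open port,
a ~30 s timeout on a closed or filtered one.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample traffic (documentation-range client addresses, not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jun/2008:10:00:01 +0000] "GET /fetchurl.asp?url=http%3A%2F%2F127.0.0.1%3A139 HTTP/1.1" 500 312 937832
203.0.113.7 - - [18/Jun/2008:10:00:02 +0000] "GET /fetchurl.asp?url=http%3A%2F%2F127.0.0.1%3A443 HTTP/1.1" 500 312 30001348
203.0.113.7 - - [18/Jun/2008:10:00:33 +0000] "GET /fetchurl.asp?url=http%3A%2F%2F192.168.1.1%3A22 HTTP/1.1" 500 312 30002011
203.0.113.7 - - [18/Jun/2008:10:01:04 +0000] "GET /fetchurl.asp?url=http%3A%2F%2F192.168.1.1%3A80 HTTP/1.1" 200 5120 120004
198.51.100.9 - - [18/Jun/2008:10:02:00 +0000] "GET /fetchurl.asp?url=http%3A%2F%2Fwww.example.com%2Ffeed.xml HTTP/1.1" 200 8192 450010
198.51.100.9 - - [18/Jun/2008:10:02:05 +0000] "GET /index.asp HTTP/1.1" 200 1024 3001
"""

# Combined log format plus a trailing microsecond duration (assumed layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<micros>\d+)$'
)

# Anything slower than this is treated as a connect timeout rather than a
# real answer; set it just under the proxy's own socket timeout.
TIMEOUT_SECONDS = 25.0


def is_internal_host(host):
    """True for loopback, RFC 1918 and link-local literals, or 'localhost'.

    A DNS name is reported as external here; resolving it and checking the
    resulting address belongs in the fetcher, not in the log parser.
    """
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def parse_proxy_requests(log_text, endpoint="/fetchurl.asp"):
    """Extract one event (client, target host/port, status, seconds) per proxied request."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        request = urlparse(m.group("path"))
        if request.path != endpoint:
            continue
        values = parse_qs(request.query).get("url")
        if not values:
            continue
        target = urlparse(values[0])  # parse_qs has already percent-decoded the value
        try:
            port = target.port or (443 if target.scheme == "https" else 80)
        except ValueError:
            continue  # malformed port: skip the line rather than crash the parser
        events.append({
            "client": m.group("client"),
            "host": target.hostname,
            "port": port,
            "status": int(m.group("status")),
            "seconds": int(m.group("micros")) / 1_000_000,
        })
    return events


def find_internal_scanners(events, min_targets=3):
    """Flag clients whose proxied requests hit several distinct internal host:port pairs.

    Returns {client: {"targets": [...], "fast": n, "timeouts": n}}; the
    fast/timeout split is the open/closed-port signal the slide shows.
    """
    per_client = defaultdict(lambda: {"targets": set(), "fast": 0, "timeouts": 0})
    for ev in events:
        if not is_internal_host(ev["host"]):
            continue
        rec = per_client[ev["client"]]
        rec["targets"].add((ev["host"], ev["port"]))
        if ev["seconds"] >= TIMEOUT_SECONDS:
            rec["timeouts"] += 1
        else:
            rec["fast"] += 1
    return {
        client: {"targets": sorted(rec["targets"]), "fast": rec["fast"], "timeouts": rec["timeouts"]}
        for client, rec in per_client.items()
        if len(rec["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for client, info in find_internal_scanners(parse_proxy_requests(SAMPLE_LOG)).items():
        print(f"{client}: {len(info['targets'])} internal targets, "
              f"{info['fast']} answered quickly, {info['timeouts']} timed out")
        for host, port in info["targets"]:
            print(f"  {host}:{port}")
```

Run against the sample, the first client is flagged with four internal targets (two quick answers, two timeouts) while the second client, which only fetched an external feed, is ignored. The threshold and timeout constant are tuning knobs; a real deployment would also resolve hostnames before classifying them, since the parser only recognises literal addresses.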

Attacking the Proxy
  • Web Applications can act as proxies
    • Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP
    • PHP: Include(), fopen(), etc. (if you're bored)
    • Perl: request()
  • These libraries can do more than fetch remote URLs
    • What about file:/// ?
SEO Web Sites (1)
  • Search Engine Optimize http://127.0.0.1
SEO Web Sites (2) Great Success!
  • Search Engine Optimize http://127.0.0.1
Blog Engine .NET
  • http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/
  • Widespread: “probably 100,000 public installs”
  • Local web site disclosure
    • /js.axd?path=http://localhost
  • Local file disclosure
    • /js.axd?path=/web.config
HTTP Request Amplification
  • Attacker sends x requests to the proxy
  • The proxy sends x × y requests to the victim
  • Google RSS Reader: 2 to 1 request amplification on non-existent feeds
  • Transloading and WebTV users
Open Application Proxy Chaining
  • Anonymization
    • A large number of open app proxies (HTTP GET)
    • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim
  • Auto-Exploitation: Open Proxy Worm
    • A large number of open app proxies (HTTP GET)
    • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN
    • The Proxies are the Victims
Open Application Proxy Chaining
  • Embedding URLs
  • http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….
URL Length
  • .NET 260 char?
  • IIS: 32K chars (http://support.microsoft.com/kb/820129)
  • How long of a URL can you have?
    • “In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k.” - Some Guy on the Internet
What about the HTTP Response?
  • Sometimes you see the proxied response, sometimes you don’t
    • What are your goals?
  • Timing can help (or hurt you)
    • Order of Execution
  • Confirmation
    • Make yourself the last hop
    • TCP Sequencing
No request propagation without exploitation!
  • Request Propagation
    • Attacker makes one request that turns into N requests
  • How can we exploit this?
    • Persistent XSS
    • Blind SQLi
    • Get code to run on a machine in the chain (or a web browser)
No request propagation without exploitation!
  • Persistent XSS
    • http://host1.com/?url=http://host2.com&param=
    • http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …
Demo
  • Hopefully, it will work.
No FUD
  • Attack Prerequisites
    • App must have a URL that makes arbitrary request
    • The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]
    • Order of Execution: Exploit then Propagate
  • Leg Work
    • Attacker must find targets ahead of time
  • Mitigating Factor
    • URL Length Limitations
This is OWASP…
  • …so how do we fix this stuff?
    • Input Validation
    • Displaying host names in URLs is bad
      • Manipulation
      • Information Leakage
    • Lock down the config
      • Use a product that supports white lists
      • Don’t allow .* hosts
    • Firewall configuration
      • Does your proxy NEED to…
        • talk to the Internet?
        • talk to every host on your LAN?
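The fixes above (input validation, white lists rather than .* hosts, no local file or loopback access, and a URL length cap) can be put into one validator for a "fetch this URL" parameter. What follows is an added example, not code from the talk or from any product it names; the endpoint semantics, the parameter names and the allowlisted hosts are assumptions. An explicit host allowlist does most of the work: it shuts out 127.0.0.1, RFC 1918 ranges, file:/// and the http://trusted@internal/ userinfo trick without a denylist that has to enumerate them. The chain_depth check addresses the proxy chaining slide: a target whose own url= parameter carries another URL is pointing at another proxy, so it is refused, and the length cap mirrors the 2,083-byte limit the URL length slide quotes.

```python
"""Hardened handling of a 'fetch this URL' parameter (allowlist, not denylist).

Added example, not from the original slides and not any vendor's code.
ALLOWED_HOSTS, PROXY_PARAMS and the sample targets are constructed for
the demonstration.
"""
from urllib.parse import parse_qs, quote, urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.com", "feeds.example.com"}  # constructed allowlist
PROXY_PARAMS = {"url", "path", "target"}                  # parameter names proxies tend to use (assumption)
MAX_URL_LENGTH = 2083                                     # the old IE limit quoted on the slides


class RejectedURL(ValueError):
    """Raised with a short reason when a target fails validation."""


def chain_depth(url, limit=16):
    """Count how many further proxy hops are embedded in url=/path= parameters.

    Each hop is one more layer of percent-encoding; parse_qs peels one
    layer per iteration. Depth 0 means the URL names a plain resource
    rather than another proxy endpoint.
    """
    depth = 0
    current = url
    while depth < limit:
        params = parse_qs(urlparse(current).query)
        nested = next((params[name][0] for name in PROXY_PARAMS if name in params), None)
        if nested is None or not urlparse(nested).scheme:
            break
        depth += 1
        current = nested
    return depth


def validate_target(raw):
    """Return the URL unchanged if it is safe to fetch, else raise RejectedURL."""
    if len(raw) > MAX_URL_LENGTH:
        raise RejectedURL("too long")
    parsed = urlparse(raw)
    if parsed.scheme not in ALLOWED_SCHEMES:  # urlparse lowercases the scheme
        raise RejectedURL(f"scheme not allowed: {parsed.scheme or '(none)'}")
    if parsed.username is not None or parsed.password is not None:
        raise RejectedURL("credentials in URL")  # e.g. http://www.example.com@127.0.0.1/
    host = parsed.hostname  # lowercased, with userinfo and port stripped
    if host is None or host not in ALLOWED_HOSTS:
        raise RejectedURL(f"host not allowed: {host}")
    if chain_depth(raw) > 0:
        raise RejectedURL("nested proxy URL")
    return parsed.geturl()


def triage(candidates):
    """Run validate_target over a batch; returns {url: 'accepted' | 'rejected: <reason>'}."""
    verdicts = {}
    for url in candidates:
        try:
            validate_target(url)
            verdicts[url] = "accepted"
        except RejectedURL as exc:
            verdicts[url] = f"rejected: {exc}"
    return verdicts


# Constructed inputs mirroring the cases on the slides.
CHAINED = "http://www.example.com/?url=" + quote(
    "http://host2.example/?url=" + quote("http://host3.example/", safe=""), safe="")
SAMPLE_TARGETS = [
    "http://www.example.com/feed.xml",       # legitimate fetch
    "http://127.0.0.1:139",                  # loopback port probe
    "http://192.168.1.1/exchange/",          # RFC 1918 host
    "file:///web.config",                    # local file read
    "http://www.example.com@127.0.0.1/",     # allowlisted name in userinfo, real host is loopback
    CHAINED,                                 # proxy chaining, two hops deep
    "http://www.example.com/" + "a" * 3000,  # over the length cap
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_TARGETS).items():
        print(f"{verdict:<38} {url[:60]}")
```

Of the sample targets only the plain feed URL is accepted; each of the others is refused with the reason shown. Note what the allowlist does not cover: an allowlisted name that later resolves to an internal address (DNS rebinding) has to be caught in the fetcher by checking the resolved address at connect time, which is the firewall-configuration point the slide ends on.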
Thanks
  • Questions?
  • Comments?
  • Concerns?
  • [email protected]
  • http://schmoil.blogspot.com
  • http://blog.phishme.com