Sunday, May 12, 2019

Three days ago I saw Erlend Oftedal speak at the Norwegian Developers Conference on modern web application bugs.

The 2017 edition is the latest version of the OWASP Top Ten. Some of the new entries on the list are XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging & Monitoring. I get the impression of a bit of muddy waters in terms of the boundaries between the first two of these. In short, if you have an endpoint that accepts a POST (the HTTP verb) and consumes XML (and does something with it), there are security concerns to think about. There is a way to hand in XSLT (it's XML after all) and run queries. In this manner you can get a list of files that sit on a web server and then grab files off of the server. I don't understand it well enough to give you instructions on how to hack. Perhaps that is for the best. In one of the slides Erlend Oftedal offered, he is handing in some XML wherein the third node deep is "handler" with an inline attribute of "class" specifying "java.lang.EventHandler"; just inside of that is the "target" node with "class" set to "java.lang.ProcessBuilder", with a "command" node inside of it and several "string" nodes in sequence inside of that yet! The "string" nodes open up a Bash shell and run commands... at the server. Oh no!

You may disable XXE at an XML parser in C#, but you have to do so explicitly. It is recommended, obviously. Document Type Definitions (DTDs) should likewise be removed. When deserializing to C#, you could end up with a string property (getter and setter) holding some sort of template markup that will play all too "nicely" with Razor, Apache FreeMarker and Apache Velocity (both Java template engines), PHP's Twig templates, Jade, etc. Where a string is meant to bubble up to HTML at {{variable}} in AngularJS, you might instead run some sinister command like eval("variable") to expose gunk. eval in JavaScript executes a string as JavaScript code!

It is very hard to blacklist IP addresses, harder than you might think. If a number in an IP address is up beyond 255, the number wraps around the wheel, so to speak, and is interpreted as a number from zero to 255: the number you started with minus the highest multiple of 256 that fits inside it without surpassing it. 666 is thus another way to write 154. Other variants use hexadecimal values and leading zeros. The number of variations makes it hard to block any one IP. SSRF is Server-Side Request Forgery and involves sending sinister URLs to a server to adversely affect it.

If you once pointed a subdomain in DNS at another IP beyond where your main web presence is, perhaps for a landing page with a signup form for an event or something like that, and one day you got rid of the hosting but forgot to clean up the DNS record, that opens the door to some sort of subdomain takeover/hijacking. There is a trick to redirect that subdomain elsewhere, someplace very bad. Clearly, Access-Control-Allow-Origin in CORS shouldn't just be set to the asterisk. Did you know that you can Google Translate HTTP to English? Erlend showed the crowd some comic examples of that with bad usages of Access-Control-Allow-Origin. At crt.sh you may see a list of certificates for a given domain name. Web cache poisoning is a thing. You may have an XSS attack that, instead of bubbling stuff up to the UI, puts something terrible in the cache. Then another user gets that from the cache! Fun!
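The IP-spelling problem described above (wraparound, hex, leading zeros) is why a block list has to compare parsed addresses rather than strings. Here is an added example, not from the talk or the post, of a canonicaliser that follows the BSD inet_aton rules (0x for hex, a leading zero for octal, the last part filling the remaining bytes); the deny-list helper and all names are my own.

```python
"""Canonicalise IPv4 spellings before matching them against a deny list.

Added example for this post, not the talk's or the author's code. It follows
the classic BSD inet_aton rules: a part starting with 0x is hex, a part with a
leading 0 is octal, and with fewer than four parts the last part fills every
remaining byte, so 127.1, 0x7f.1, 0177.0.0.1 and 2130706433 all mean 127.0.0.1.
"""
import re

# One dotted component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)

def parse_part(text: str) -> int:
    """Interpret one component with the radix inet_aton would pick."""
    if not _PART.match(text):
        raise ValueError(f"bad IPv4 component: {text!r}")
    if text[:2].lower() == "0x":
        return int(text, 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)

def canonical_ipv4(text: str) -> str:
    """Return the dotted quad for any inet_aton-style spelling, else raise ValueError.

    A four-part address with a component above 255 is rejected, not wrapped:
    a defensive canonicaliser fails closed instead of guessing.
    """
    parts = [parse_part(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components: {text!r}")
    head, last = parts[:-1], parts[-1]
    if any(p > 0xFF for p in head):
        raise ValueError(f"component above 255: {text!r}")
    remaining_bits = 8 * (4 - len(head))   # bytes the last part has to cover
    if last >> remaining_bits:
        raise ValueError(f"value does not fit: {text!r}")
    value = 0
    for p in head:
        value = (value << 8) | p
    value = (value << remaining_bits) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def on_deny_list(text: str, deny: frozenset) -> bool:
    """Compare canonical forms; a plain string compare misses every other spelling."""
    canon_deny = {canonical_ipv4(d) for d in deny}
    return canonical_ipv4(text) in canon_deny   # raises on garbage, so callers fail closed
```

In the three-part form the 666 from the post spills into the third octet: canonical_ipv4("1.2.666") gives 1.2.2.154, the 154 being exactly 666 minus 512.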
