
Abusing Open HTTP Proxies

Mike Zusman, Intrepidus Group, Inc. (Mike.zusman@intrepidusgroup.com), June 18, 2008.




Presentation Transcript


  1. Abusing Open HTTP Proxies
     Mike Zusman, Intrepidus Group, Inc
     Mike.zusman@intrepidusgroup.com
     June 18, 2008

  2. Hi everybody!
     • Mike Zusman, CISSP
     • Past
       • Web Application Developer
       • Whale Communications/Microsoft
       • ADP Application Security Team
     • Current
       • Senior Consultant @ Intrepidus Group

  3. Don’t mind me, I’m just sniffing your ports!

  4. What am I talking about?
     • Open HTTP Proxies
     • Remote Access appliances
     • Plain Old Web Applications

  5. Using SSL? Come on in!
     • SSL VPN Remote Access Portals

  6. One HTTP listener, many web servers
     • URL Rewriting

  7. The Good, the bad, and the 0wned
     • Microsoft Intelligent Application Gateway
       • https://sslvpn.yourbiz.com/whalecom0AB387458CD84347EF878763CCAEF78878723/path/to/app/index.asp
     • SonicWALL SSL VPN
       • https://sslvpn.yourbiz.com/cgi-bin/nph-httprp/http://192.168.151.100/exchange/

  8. The Good, the bad, and the 0wned

  9. The Good, the bad, and the 0wned

  10. But wait, there is more . . .
     • We just showed a client-side attack
     • We can also attack the network and other services
       • How does HTTP work?
     • And we can attack the application/proxy itself
       • Think beyond HTTP

  11. Scanning the Network
     • HTTP is sent over TCP
       • https://www.kb.cert.org/CERT_WEB%5Cservices%5Cvul-notes.nsf/id/150227
       • Date Public: 02/19/2002
     • Open HTTP proxies will open arbitrary TCP sockets
       • /fetchurl.asp?url=http://192.168.1.1:139
     • Timing

  12. Scanning the Network
     Trying: http://127.0.0.1:139
     Result: 500
     Duration: 0.937832117081s

     Trying: http://127.0.0.1:443
     Result: timed out
     Duration: 30.0013480185s

  13. Attacking the Proxy
     • Web Applications can act as proxies
       • Microsoft: WinHTTP, ServerXMLHTTP, XMLHTTP
       • PHP: include(), fopen(), etc. (if you're bored)
       • Perl: request()
     • These libraries can do more than fetch remote URLs
       • What about file:/// ?

  14. SEO Web Sites (1)
     • Search Engine Optimize http://127.0.0.1

  15. SEO Web Sites (2): Great Success!
     • Search Engine Optimize http://127.0.0.1

  16. Blog Engine .NET
     • http://ha.ckers.org/blog/20080412/blogenginenet-intranet-hacking/
     • Widespread: “probably 100,000 public installs”
     • Local web site disclosure
       • /js.axd?path=http://localhost
     • Local file disclosure
       • /js.axd?path=/web.config

  17. HTTP Request Amplification
     • Attacker sends X number of requests to the proxy
     • The proxy sends (x)(y) number of requests to the victim
     • Google RSS Reader: 2 to 1 request amplification on non-existing feeds
     • Transloading and WebTV users

  18. Open Application Proxy Chaining
     • Anonymization
       • A large number of open app proxies (HTTP GET)
       • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> Victim
     • Auto-Exploitation: Open Proxy Worm
       • A large number of open app proxies (HTTP GET)
       • Attacker -> Proxy1 -> Proxy2 -> Proxy3 … -> ProxyN
       • The Proxies are the Victims

  19. Open Application Proxy Chaining
     • Embedding URLs
       • http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3Dhttp%253A%252F%252Fhost3.com%252F%253Furl%253Dhttp%25253A%25252F%25252Fhost3.com%25252F%25253Furl%25253Dhttp%2525253A%2525252F%2525252Fhost4.com%2525252F%2525253Dhttp ….

  20. Open Application Proxy Chaining
     • Embedding URLs
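Slides 11, 12 and 19 describe two traces an abused fetch-URL endpoint leaves in its own access log: one client walking many ports on a single internal host (with the fast-error versus 30-second-timeout signature from slide 12), and a `url=` parameter whose value is itself another proxy URL, percent-encoded one layer deeper per hop. The detector below is an added example for the defender side; it is not code from the talk or from any product named in it. The log format (client, request target, status, duration in seconds) and the parameter names `url`/`path` are assumptions, and the log lines are constructed.

```python
"""Detect open-proxy abuse patterns in a fetch-URL endpoint's access log.

Added example, not from the original talk. Flags three things the slides
describe: nested url=/path= parameters (proxy chaining), one client probing
many ports on one host (port scanning by timing), and file / loopback /
private-network targets. Log format and parameter names are assumed.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: client_ip "METHOD request-target" status seconds
SAMPLE_LOG = """\
203.0.113.5 "GET /fetchurl.asp?url=http://192.168.1.1:139" 500 0.94
203.0.113.5 "GET /fetchurl.asp?url=http://192.168.1.1:443" 504 30.00
203.0.113.5 "GET /fetchurl.asp?url=http://192.168.1.1:22" 500 0.91
203.0.113.5 "GET /fetchurl.asp?url=http://192.168.1.1:3389" 504 30.01
198.51.100.9 "GET /fetchurl.asp?url=http://host1.example/?url=http%3A%2F%2Fhost2.example%2F%3Furl%3Dhttp%253A%252F%252Fhost3.example%252F" 200 1.20
198.51.100.9 "GET /js.axd?path=/web.config" 200 0.05
192.0.2.77 "GET /fetchurl.asp?url=http://www.example.com/feed.xml" 200 0.30
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) ([\d.]+)$')
FETCH_PARAMS = ("url", "path")   # assumed names of the "fetch this URL" parameter
SCAN_THRESHOLD = 3               # distinct ports on one host from one client


def target_chain(request_target):
    """Peel nested fetch parameters and return the targets, outermost first.

    parse_qs removes one layer of percent-encoding per hop, which is exactly
    how a chained proxy request unwraps itself at each proxy.
    """
    chain = []
    current = request_target
    for _ in range(16):  # bound the loop; a deeper chain is itself suspicious
        params = parse_qs(urlsplit(current).query)
        nxt = next((params[p][0] for p in FETCH_PARAMS if p in params), None)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain


def classify_target(target):
    """Label one fetch target: 'local-file', 'loopback', 'private' or 'external'."""
    parts = urlsplit(target)
    if parts.scheme == "file" or (parts.scheme == "" and parts.netloc == ""):
        return "local-file"
    host = parts.hostname or ""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a DNS name; resolution is not checked here
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "external"


def analyze(log_text):
    """Return {client_ip: [finding, ...]} for every client with a finding."""
    findings = defaultdict(list)
    ports_seen = defaultdict(set)  # (client, host) -> ports requested
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, _status, _seconds = m.groups()
        chain = target_chain(target)
        if not chain:
            continue  # not a fetch request at all
        if len(chain) > 1:
            hosts = [urlsplit(u).hostname for u in chain]
            findings[client].append(("proxy-chain", hosts))
        kind = classify_target(chain[0])
        if kind != "external":
            findings[client].append((kind, chain[0]))
        parts = urlsplit(chain[0])
        if parts.hostname:
            port = parts.port or (443 if parts.scheme == "https" else 80)
            ports_seen[(client, parts.hostname)].add(port)
    for (client, host), ports in ports_seen.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings[client].append(("port-scan", host, sorted(ports)))
    return dict(findings)


if __name__ == "__main__":
    for client, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(client, *item)
```

The chain walker only peels one layer per hop, so the host list it returns is the same sequence of proxies the request would traverse; in production the threshold, the parameter names and the private-range check (which here ignores what a DNS name resolves to) should be tuned to the application.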

  21. URL Length
     • .NET: 260 chars?
     • IIS: 32K chars (http://support.microsoft.com/kb/820129)
     • How long of a URL can you have?
     • “In theory, there is no limit. In practice, IE imposes a limit of 2,083 bytes. Because nobody could need more than 640k.” - Some Guy on the Internet

  22. What about the HTTP Response?
     • Sometimes you see the proxied response, sometimes you don’t
     • What are your goals?
     • Timing can help (or hurt you)
     • Order of Execution
     • Confirmation
       • Make yourself the last hop
       • TCP Sequencing

  23. No request propagation without exploitation!
     • Request Propagation
       • Attacker makes one request that turns into N requests
     • How can we exploit this?
       • Persistent XSS
       • Blind SQLi
       • Get code to run on a machine in the chain (or a web browser)

  24. No request propagation without exploitation!
     • Persistent XSS
       • http://host1.com/?url=http://host2.com&param=<img src="http://tinyurl.com/xyz">
       • http://tinyurl.com/xyz --302Redir--> http://host1.com/?url=http%3A%2F%2Fhost2.com%2F%3Furl%3D …

  25. Persistent XSS Exploitation

  26. Demo
     • Hopefully, it will work.

  27. No FUD
     • Attack Prerequisites
       • App must have a URL that makes arbitrary requests
       • The same URL must have some other code execution vulnerability: /index.asp?url=[URL]&param=[EXPLOIT]
       • Order of Execution: Exploit then Propagate
     • Leg Work
       • Attacker must find targets ahead of time
     • Mitigating Factor
       • URL Length Limitations

  28. This is OWASP…
     • …so how do we fix this stuff?
     • Input Validation
       • Displaying host names in URLs is bad
         • Manipulation
         • Information Leakage
     • Lock down the config
       • Use a product that supports white lists
       • Don’t allow .* hosts
     • Firewall configuration
       • Does your proxy NEED to…
         • talk to the Internet?
         • talk to every host on your LAN?
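The mitigation slide is a list of principles; the validator below shows what they look like in an application that exposes a "fetch this URL" parameter (slides 13, 16 and 27). It is an added example, not code from the talk or from any product named in it. It enforces an exact allow-list of hosts (no `.*` entries), permits only `http`/`https`, rejects `file:` and other schemes, IP literals, userinfo, unexpected ports and a nested `url=`/`path=` parameter, and re-validates every redirect so the 302 trick from slide 24 cannot re-enter the proxy. `ALLOWED_HOSTS`, `FETCH_PARAMS` and the length cap are constructed values for the example.

```python
"""Allow-list validation for a fetch-URL parameter.

Added example, not from the original talk. Allow-list entries, parameter
names and the length cap are assumed values.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = frozenset({"www.example.com", "feeds.example.net"})  # constructed
ALLOWED_PORTS = frozenset({80, 443})
FETCH_PARAMS = ("url", "path")   # assumed names of the fetch parameter
MAX_URL_LENGTH = 2048            # the slide's own "practical" IE limit order


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). ok is True only for an exact allow-listed host."""
    if len(url) > MAX_URL_LENGTH:
        return False, "url too long"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"   # blocks file:///
    if not parts.netloc:
        return False, "missing host"
    if "@" in parts.netloc:
        return False, "userinfo not allowed"                    # host@other tricks
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"                 # 127.0.0.1, 192.168.x.x, [::1]
    except ValueError:
        pass
    if host not in allowed_hosts:                                # exact match, no wildcards
        return False, f"host {host!r} not on allow-list"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if any(p in parse_qs(parts.query) for p in FETCH_PARAMS):
        return False, "nested fetch parameter"                  # no chaining through us
    return True, "ok"


class RevalidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-run the allow-list check on every redirect Location.

    Without this, a 302 from an allowed host can steer the fetch to a
    loopback, LAN or nested-proxy URL that the first check already refused.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        ok, reason = validate_fetch_url(newurl)
        if not ok:
            raise urllib.error.HTTPError(
                newurl, code, f"redirect refused: {reason}", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url, timeout=5):
    """Fetch url only if it passes validation; redirects are re-validated."""
    ok, reason = validate_fetch_url(url)
    if not ok:
        raise ValueError(reason)
    opener = urllib.request.build_opener(RevalidatingRedirectHandler())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for candidate in ("http://www.example.com/feed.xml",
                      "file:///web.config",
                      "http://127.0.0.1:139",
                      "http://www.example.com/?url=http%3A%2F%2Fhost2.example"):
        print(candidate, "->", validate_fetch_url(candidate))
```

Matching the host name exactly against a short list keeps the proxy from being a general-purpose fetcher, which is the root of every slide above; the firewall rule on the same slide is still needed as the second layer, because a name on the allow-list can be pointed at an internal address by whoever controls its DNS.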

  29. Thanks
     • Questions?
     • Comments?
     • Concerns?
     • Mike.zusman@intrepidusgroup.com
     • http://schmoil.blogspot.com
     • http://blog.phishme.com
