Attacking with HTTP requests

Finding stuff on web servers

Hanno Böck
https://hboeck.de/
Twitter: @hanno

Don't put secret information on your public web servers
Drupal module backup_migrate creates database backups
They are protected via an .htaccess file, a feature of Apache HTTPD
Drupal also runs on other web servers like Nginx, which ignore .htaccess, so this is insufficient protection

GIT

https://example.com/.git/config
https://github.com/internetwache/GitTools
Volksverschlüsselung
They used the very secure password "safran", which was stored in their publicly accessible git repository
Golem, 2017-05-17
According to a statement the password wasn't used in any production system

VIM

vim wp-config.php creates a temporary file .wp-config.php.swp
These get removed upon exit, but not if vim crashes or gets killed
https://example.com/.wp-config.php.swp
Many editors (including Emacs) automatically create backup files with an appended ~
https://example.com/wp-config.php~

Database dumps

mysqldump (MySQL documentation: mysqldump)
https://example.com/dump.sql
Database with 200,000 addresses from German postal service (Deutsche Post).
Database with 600,000 addresses from Australian online pharmacy.
Zeit Online, 2017-07-05

Private Keys

https://example.com/example.com.key
Certificates with compromised keys should be revoked by the CA within 24 hours
How do you check whether a private key belongs to a certificate?

Let's talk about cryptography (don't be scared)

Keys are just large numbers

Public and Private Keys (RSA)

  • Public key: N, e
  • Private key: N, e, d, p, q, dP, dQ, qinv
RSA public key: two numbers called N and e.
RSA private key: the same N and e and some more numbers.
You're a Certificate Authority and someone reports a compromised key. What do you do?
Compare N, e of the private key with N, e of the certificate's public key?
Good idea?
Take RSA public key (N, e), add bogus private key values
Symantec
Hanno's blog, 2017-07-20
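Added example (not from the talk) of the check a CA should run instead of comparing N and e: verify the private components really belong together and let the submitted key sign a challenge that the certificate's public key verifies. The toy primes, the fake key and the challenge value are constructed for illustration.

```python
from math import gcd


def rsa_private_key(p, q, e=17):
    """Build a consistent RSA private key from two primes (toy sizes here)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, needs Python 3.8+
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dP": d % (p - 1), "dQ": d % (q - 1), "qinv": pow(q, -1, p)}


def naive_match(priv, cert_pub):
    """The check from the slide: does the key's (N, e) equal the certificate's?"""
    return priv["n"] == cert_pub["n"] and priv["e"] == cert_pub["e"]


def key_is_consistent(priv):
    """Do the private components actually belong to this N and e?"""
    n, e, d, p, q = (priv[k] for k in ("n", "e", "d", "p", "q"))
    return (p * q == n
            and gcd(e, (p - 1) * (q - 1)) == 1
            and (e * d) % (p - 1) == 1 and (e * d) % (q - 1) == 1
            and priv["dP"] == d % (p - 1) and priv["dQ"] == d % (q - 1)
            and (q * priv["qinv"]) % p == 1)


def sign_crt(priv, m):
    """RSA private operation via CRT, the way real implementations use dP/dQ/qinv."""
    m1 = pow(m, priv["dP"], priv["p"])
    m2 = pow(m, priv["dQ"], priv["q"])
    h = (priv["qinv"] * (m1 - m2)) % priv["p"]
    return m2 + h * priv["q"]


def proves_possession(priv, cert_pub, m):
    """Proof of possession: sign a challenge with the submitted key, verify with the cert."""
    sig = sign_crt(priv, m)
    return pow(sig, cert_pub["e"], cert_pub["n"]) == m


# Constructed toy key (real keys use 1024-bit primes for a 2048-bit N).
GOOD = rsa_private_key(61, 53)
CERT_PUB = {"n": GOOD["n"], "e": GOOD["e"]}
# Fake "compromised" key: the certificate's public N and e plus made-up private values.
BOGUS = {"n": CERT_PUB["n"], "e": CERT_PUB["e"], "d": 42, "p": 2, "q": 3,
         "dP": 1, "dQ": 1, "qinv": 1}
CHALLENGE = 1234  # message representative; in practice a padded hash of a random nonce

if __name__ == "__main__":
    for name, key in (("genuine", GOOD), ("bogus", BOGUS)):
        print(name, naive_match(key, CERT_PUB), key_is_consistent(key),
              proves_possession(key, CERT_PUB, CHALLENGE))
```

The naive comparison accepts both keys; the consistency check and the signing round trip reject the fake one.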

Abandoned Domain takeover

<script type="text/javascript" src="https://example.org/fancy.js"></script>
What if the service from which you include Javascript ceases to operate?
piwiklionshare
Nonexisting Azure subdomain
Azure free account
Code included by dozens of web pages, mostly local US newspapers.
Most removed code after contacting them.
The Saline Courier didn't answer. Tried to contact them via mail, no answer, code remained
Saline Courier
Compete
How long will they keep their domain? And who will get it afterwards?
You should know whose code you execute on your web page and if you can trust it
Equifax’s Latest Security Foil: A Defunct Web Service

Wall Street Journal, 2017-10-13

HTTP

HTTP uses "methods", a normal HTTP request is a GET, a form submission is usually a POST.
What other HTTP methods are there?

OPTIONS

Shows you which HTTP methods a server supports
Allow: ,GET,,,POST,OPTIONS,HEAD,,
Allow: POST,OPTIONS,,HEAD,:09:44 GMT
Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
Allow: GET,HEAD,OPTIONS,=write HTTP/1.0,HEAD,,HEAD,POST,,HEAD,TRACE
Certain Apache configurations leaked arbitrary pieces of memory in the reply to OPTIONS requests. Fuzzing Project, 2017-09-18
Support for Various HTTP Methods on the Web, Arxiv, 2014-05-08

Optionsbleed was already discovered in 2014, but nobody noticed it was a security problem.
One month after Heartbleed!

Summary

  • Don't put secret stuff on web servers
  • Sometimes simple attacks are the best
  • Have more ideas? Talk to me!
  • I'm gonna release a tool to scan for all these issues soon.

Thanks for listening!

https://hboeck.de/
Twitter: @hanno