200+ security audits since 2009
$1M total bug bounties and rewards
20+ application security researches

What is an application?
Application is not a software.

What is the application?
Web application is not software.
It's a process: business -> coding -> testing -> release -> business.
It's impossible to secure a process by using software.

Web application security is a process
[Diagram: the business -> coding -> testing -> release cycle, with CI/CD, DevOps and SecOps attached to the coding, testing and release stages]

What is security?
[Diagram: the same cycle; "Business security" at the business stage, "Information security" at the coding, testing and release stages]
WHERE and WHAT
Send the HTTP request with the payload inside.
Where should you put the payload? What is the payload?

WHERE. The coverage problem
● Crawling - the worst part of the scanning
● Units/regressions/functional coverage
● DPI: JSON, XML, Base64, GZIP, matryoshkas (encodings nested inside each other)
● Custom encodings/encryption
● Application logic understanding. Models other than request-response
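The DPI/matryoshka item is the coverage problem in code: a fuzzer that only sees the outer request body never reaches a parameter that sits inside base64-encoded, gzip-compressed JSON. The following added example (written for this page; it is not the talk author's or Wallarm's code) walks a constructed request body through its nested encodings, lists every scalar a test value could be placed in, and re-applies each layer on the way back so the modified body is still decodable by the application. The sample body, the `leaf_points`/`with_leaf` names and the wrapper-detection heuristic are this example's own assumptions.

```python
import base64
import binascii
import gzip
import json

# Constructed sample body (not from the talk): the "blob" field holds
# gzip-compressed, base64-encoded JSON, i.e. a three-layer matryoshka.
INNER = json.dumps({"user": "alice", "role": "viewer"}).encode("utf-8")
SAMPLE_BODY = json.dumps({
    "action": "update",
    "blob": base64.b64encode(gzip.compress(INNER)).decode("ascii"),
})

GZIP_MAGIC = b"\x1f\x8b"


def _is_utf8(data):
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def try_unwrap(value):
    """Return (kind, inner) if `value` is a recognised wrapper, else None.
    Detection is a heuristic (assumption of this example): JSON by its first
    character, base64 only when the decoded bytes are gzip or UTF-8 text,
    gzip by its magic bytes, raw bytes by being valid UTF-8."""
    if isinstance(value, str):
        text = value.strip()
        if text[:1] in ("{", "["):
            try:
                return ("json", json.loads(text))
            except ValueError:
                pass
        if len(text) >= 8:  # very short strings are rarely base64 blobs
            try:
                raw = base64.b64decode(text, validate=True)
            except (binascii.Error, ValueError):
                return None
            if raw[:2] == GZIP_MAGIC or _is_utf8(raw):
                return ("base64", raw)
        return None
    if isinstance(value, (bytes, bytearray)):
        data = bytes(value)
        if data[:2] == GZIP_MAGIC:
            try:
                return ("gzip", gzip.decompress(data))
            except OSError:
                return None
        if _is_utf8(data):
            return ("text", data.decode("utf-8"))
    return None


def rewrap(kind, inner):
    """Inverse of try_unwrap: re-apply one encoding layer."""
    if kind == "json":
        return json.dumps(inner)
    if kind == "base64":
        return base64.b64encode(inner).decode("ascii")
    if kind == "gzip":
        return gzip.compress(inner)
    if kind == "text":
        return inner.encode("utf-8")
    raise ValueError(f"unknown wrapper kind {kind!r}")


def leaf_points(value, path=()):
    """Yield (path, scalar) for every scalar reachable through dicts, lists
    and the wrappers above. The path records keys, indexes and wrapper
    kinds, so it doubles as the recipe for re-encoding (see with_leaf)."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from leaf_points(item, path + (key,))
        return
    if isinstance(value, list):
        for index, item in enumerate(value):
            yield from leaf_points(item, path + (index,))
        return
    unwrapped = try_unwrap(value)
    if unwrapped is not None:
        kind, inner = unwrapped
        yield from leaf_points(inner, path + (kind,))
        return
    yield path, value


def with_leaf(value, path, new_leaf):
    """Return a copy of `value` with the scalar at `path` replaced by
    `new_leaf`, re-encoding every wrapper layer on the way back up."""
    if not path:
        return new_leaf
    step, rest = path[0], path[1:]
    if isinstance(value, (dict, list)):
        copy = dict(value) if isinstance(value, dict) else list(value)
        copy[step] = with_leaf(value[step], rest, new_leaf)
        return copy
    unwrapped = try_unwrap(value)
    if unwrapped is None or unwrapped[0] != step:
        raise ValueError(f"path expects a {step!r} wrapper here")
    return rewrap(step, with_leaf(unwrapped[1], rest, new_leaf))


if __name__ == "__main__":
    for path, leaf in leaf_points(SAMPLE_BODY):
        print("/".join(map(str, path)), "=", repr(leaf))
```

Run as a script it prints three reachable scalars: `action`, and `user` and `role` five layers down inside `blob`. A fuzzing harness would iterate `leaf_points`, call `with_leaf` for each test value, and send the result; anything the walker cannot unwrap (custom encodings, encrypted fields) shows up as an opaque leaf, which is exactly the coverage gap the slide warns about.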
WHAT. Attack vectors
● Known vectors - vulnerability scanners
● Unexpected data/random/anything - fuzzers
● New vulnerabilities = new payloads
● Input validation - payloads
● Behaviors and logic issues - ???

What is the difference?
[Diagram: fuzzing payloads vs. vulnerability scanner payloads]

How to fuzz?
1. Methods scrapping (/user/debug, SET / HTTP/1.1, etc.)
2. Type miscasting ({"login":true})
3. Last byte modification: ?username=admi%00
4. Random byte modification: ?username=ad%00in
5. Add payload to the end: ?username=admin%27
6. Parameters from other requests (password to logout)
7. Numbers increasing/decreasing: /user/100001/status
8. Filenames by fuzz.txt (check GitHub)
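Items 2 to 7 of the list are mechanical transformations of a recorded request, which is what makes them suitable for generating test cases from an application's own traffic. The following added example (written for this page; not the talk author's or Wallarm's code) implements them over a constructed corpus of three requests and yields labelled cases; item 4 is generalised from one random position to every position, so the output is deterministic and complete. The request URLs, bodies and the `fuzz_request`/`borrow_params` names are this example's own assumptions.

```python
import itertools
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample requests (not from the talk) as (method, url, json_body):
# the kind of traffic a proxy records from an application's own tests.
SAMPLE_GET = ("GET", "https://api.example.test/user/100001/status?username=admin", None)
SAMPLE_LOGIN = ("POST", "https://api.example.test/user/login",
                {"login": "admin", "password": "s3cret", "remember": False})
SAMPLE_LOGOUT = ("POST", "https://api.example.test/user/logout", {"session": "abc"})

NUL = "\x00"  # the byte the slide's examples use; any byte works the same way


def mutate_string(value):
    """Items 3-5 on one string: last byte replaced, every other byte replaced
    one at a time (instead of one random position), a quote appended."""
    if value:
        yield "last_byte", value[:-1] + NUL
    for i in range(len(value) - 1):
        yield f"byte_{i}", value[:i] + NUL + value[i + 1:]
    yield "append", value + "'"


def mutate_number(value):
    """Item 7: the neighbouring identifiers."""
    number = int(value)
    yield "dec", str(number - 1)
    yield "inc", str(number + 1)


def mutate_type(value):
    """Item 2: the same key carrying a scalar of another JSON type."""
    for alt in (True, None, 0, "", [], {}):
        if type(alt) is not type(value):
            yield f"cast_{type(alt).__name__}", alt


def fuzz_request(method, url, body):
    """Yield (label, method, url, body) cases derived from one request."""
    parts = urlsplit(url)
    segments = parts.path.split("/")
    for i, segment in enumerate(segments):          # numeric path segments
        if segment.isdigit():
            for label, new in mutate_number(segment):
                path = "/".join(segments[:i] + [new] + segments[i + 1:])
                yield f"path[{i}]:{label}", method, urlunsplit(parts._replace(path=path)), body
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (key, val) in enumerate(params):         # query-string values
        for label, new in mutate_string(val):
            query = urlencode(params[:i] + [(key, new)] + params[i + 1:])
            yield f"query[{key}]:{label}", method, urlunsplit(parts._replace(query=query)), body
    if isinstance(body, dict):                      # JSON body values
        for key, val in body.items():
            gens = [mutate_type(val)]
            if isinstance(val, str):
                gens.insert(0, mutate_string(val))
            for label, new in itertools.chain(*gens):
                yield f"body[{key}]:{label}", method, url, {**body, key: new}


def borrow_params(requests):
    """Item 6: a parameter recorded in one request is added to the others
    (e.g. the login form's password field sent to logout)."""
    seen = {}
    for _, _, body in requests:
        if isinstance(body, dict):
            seen.update(body)
    for method, url, body in requests:
        if not isinstance(body, dict):
            continue
        for key, val in seen.items():
            if key not in body:
                yield f"borrow[{key}]", method, url, {**body, key: val}


def fuzz_corpus(requests):
    """All cases for a recorded corpus, deduplicated by (method, url, body)."""
    cases, seen = [], set()
    for case in itertools.chain(*(fuzz_request(*r) for r in requests), borrow_params(requests)):
        key = (case[1], case[2], repr(case[3]))
        if key not in seen:
            seen.add(key)
            cases.append(case)
    return cases


if __name__ == "__main__":
    for label, method, url, body in fuzz_corpus([SAMPLE_GET, SAMPLE_LOGIN, SAMPLE_LOGOUT]):
        print(f"{label:24} {method} {url} {body if body is not None else ''}")
```

The labels are the important output: when a case later produces a 5xx or a timeout, the label says which transformation of which parameter did it, which is what the later slides call analysing the abnormalities a fuzzer produces.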
Fuzzing optimizations for lists
You need to know your data contexts first. And then:
● Machine learning (everything you can, from HMM to RNN)
● Linguistic patterns (verbs and nouns)
● Templates (RegExp, syllable)
http://pdev.org.uk/#browse?q=;f=A

Example 1. 1-byte fuzzer
?ref=http://aaa/%00aaaaaaaaaaaaaaaaaaaaa
Memory corruption inside of the Nginx module. Random memory reading (Heartbleed analogue).
https://bugfuzz.com/vulns/nginx-mem.txt

Example 2. 1-byte fuzzer
{"method":"test%26method%3ddeleteUser"}
SSRF inside the URL string to the backend API:
call('/api/?method='+$data)
…
GET /api/?method=test&method=deleteUser
HOST: internal.api.host

Example 3. 1-byte fuzzer
RCE by newline injection.
Also, Yandex RCE (2014): Re: [Ticket#13111203410381979] Market feedparser - yet another RCE (#3) in python
Not covered by standard payloads such as: `id`, $((id)), |id|

Example 4. 1-byte fuzzer
https://research.facebook.com/search?q=a%20 - HTTP 200
https://research.facebook.com/search?q=a%22 - HTTP 500
$1000 reward for injection into JSON to ElasticSearch.
But it might be RCE...

Example 5. 1-byte fuzzer
GET / HTTP/1.1
COOKIE: sessionid=a8cf5d724a7f56e490cab37%0a
Newline byte is a trigger for server timeout 504.
%0aset+key+0+1+3600+10%0a1234567890%0a
https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

Example 6. List-based fuzzer

Example 7. List-based fuzzer
SET /user/data HTTP/1.1
Host: api.test.com
HTTP non-CRUD methods, CRUD aliases and WebDAVish things:
● SET
● REMOVE (instead of DELETE, I don't know why)
● DEBUG
● TRACK
● FORWARD
● MOVE
● INFO
How to find? Just run fuzzing by all the verbs list.

Example 8. Fuzzing nouns
https://github.com/wallarm/fast-detects/blob/master/spring-cloud-infoleaks.yaml
Also related to Jolokia by Artsploit (Veracode), CVE-2019-xxx
POST /endpoint/env HTTP/1.1

Example 9. Type casting
POST /user/login HTTP/1.1
HOST: api.somethings.com
{"token":true, ...}

Example 10. Type casting
PUT /api/v1/user HTTP/1.1
Content-Type: application/json

PUT /api/v1/user HTTP/1.1
Content-Type: application/xml

H4ckers points of view on API requests
GET /user/7456438/add HTTP/1.1
Scanners produce vulnerabilities and false positives.
Fuzzers produce abnormalities.
How to analyze this data? Who will do this work?

Collaborating/integration problem
Testing policy examples:
● No 5xx errors
● No 1+ms response

Tools for fuzzing
Universal tools
● Burp Suite (PortSwigger)
● ZAProxy
● FAST https://fast.wallarm.com
Custom tools
● https://github.com/asmyczek/popcorn (for JSON)
● https://github.com/krypt/FuzzBert (for Ruby)
● Own tools

Fuzzing for the continuous security
[Diagram: unit tests -> proxy requests collector -> fuzzy tests generator -> staging environment]
Collect all the requests by unit/manual tests.
Apply all the fuzzing policies.
Generate x10'000 new unit tests by fuzzing.
Run all of them.
Apply the rules to prove whether this release is ready or not.

We are looking for early adopters!

Thanks! @d0znpp
Fb/Tg/Twi/Medium
https://blog.wallarm.com
[email protected]
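The last step of the pipeline and the earlier "Testing policy examples" slide are the same thing seen from two sides: a small set of rules applied to every response from the staging run decides whether the release passes, without anyone reading ten thousand results by hand. The following added example (written for this page; not the talk author's or Wallarm's code) encodes the two policies from the slide, adds a median-based abnormality check for the "fuzzers produce abnormalities" point, and reduces a constructed result set to a release decision. The `Result` record, the sample data and the latency threshold parameter are this example's own assumptions; the slide's 1 ms figure is used as the default.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Result:
    """One generated case executed against the staging environment."""
    label: str    # which generated case produced this response
    status: int   # HTTP status code
    ms: float     # response time in milliseconds


# Constructed results (not real measurements) from one run of generated cases.
SAMPLE_RESULTS = [
    Result("query[username]:append", 400, 0.7),
    Result("path[2]:inc", 404, 0.6),
    Result("body[token]:cast_bool", 500, 0.9),
    Result("method:SET", 405, 0.5),
    Result("cookie[sessionid]:last_byte", 504, 30000.0),
    Result("body[login]:byte_2", 200, 0.8),
]


def no_5xx(result):
    """Policy from the slide: the application must never answer 5xx."""
    return result.status < 500


def max_response_time(limit_ms):
    """Policy from the slide, with the threshold as a parameter
    (the slide states 1 ms; tune it to the service's own baseline)."""
    return lambda result: result.ms <= limit_ms


POLICIES = {
    "no 5xx errors": no_5xx,
    "no 1+ms response": max_response_time(1.0),
}


def evaluate(results, policies=POLICIES):
    """Apply every policy to every result. Returns {policy: [failing labels]}."""
    violations = {name: [] for name in policies}
    for result in results:
        for name, passes in policies.items():
            if not passes(result):
                violations[name].append(result.label)
    return violations


def abnormal_latency(results, factor=10.0):
    """Flag responses far slower than the run's median. This is an added
    heuristic for surfacing abnormalities, not a rule from the slide."""
    if not results:
        return []
    baseline = median(r.ms for r in results)
    return [r.label for r in results if r.ms > factor * baseline]


def release_ready(results, policies=POLICIES):
    """The staging gate: ready only when no policy has a violation."""
    return not any(evaluate(results, policies).values())


if __name__ == "__main__":
    for name, failing in evaluate(SAMPLE_RESULTS).items():
        print(f"{name}: {failing or 'ok'}")
    print("abnormal latency:", abnormal_latency(SAMPLE_RESULTS))
    print("release ready:", release_ready(SAMPLE_RESULTS))
```

Because every violation is reported by case label, the gate also answers the "who will do this work?" question from the collaboration slide: the developer gets the exact mutated request that broke the policy, not a scanner report to triage.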