
200+ security audits since 2009

$1M total bug bounties and rewards

20+ application security researches

What is an application?

An application is not software.

What is the application?

Web application is not software

It’s a process: business -> coding -> testing -> release -> business

It’s impossible to secure a process by using software.

The web is a process.

CI/CD, DevOps, SecOps

What is security?

Business security

Information security

WHERE and WHAT

Send the HTTP request with the payload inside.

Where should you put the payload?

What is the payload?

WHERE. The coverage problem

Crawling - the worst part of the scanning

Units/regressions/functional coverage

DPI: JSON, XML, Base64, GZIP, matryoshkas (encodings nested inside each other)

Custom encodings

Application logic understanding. Models other than request-response

WHAT. Attack vectors

Known vectors - vulnerability scanners

Unexpected data/random/anything - fuzzers

New vulnerabilities = new payloads

Input validation - payloads

Behaviors and logic issues - ???

What is the difference?

Vuln. scanners: payloads

How to fuzz?

1. Method scraping (/user/debug, SET / HTTP/1.1, etc.)
2. Type miscasting ({"login":true})
3. Last byte modification: ?username=admi%00
4. Random byte modification: ?username=ad%00in
5. Add a payload to the end: ?username=admin%27
6. Parameters from other requests (password to logout)
7. Numbers increasing/decreasing: /user/100001/status
8. Filenames from fuzz.txt (check GitHub)

Fuzzing optimizations for lists
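As an added example (not code from the talk or from Wallarm), here is a small Python mutator that turns one collected seed request into test cases using techniques 1 to 7 of the list above. It only generates cases; sending them is left to whatever harness the team runs. The Request/Case classes, the seed request, the parameter pool and the helper names are assumptions made for this illustration; the odd-verb list is the one from the talk's Example 7 slide.

```python
"""Added example, not from the talk: a seed-request mutator that implements
techniques 1-7 of the "How to fuzz?" list.  It only generates cases; a
separate harness sends them.  Request/Case, the seed request, the parameter
pool and the helper names are assumptions made for this illustration."""
import json
import random
from dataclasses import dataclass, field, replace
from urllib.parse import quote

# Non-CRUD verbs and aliases as listed on the talk's Example 7 slide.
ODD_VERBS = ["SET", "REMOVE", "DEBUG", "TRACK", "FORWARD", "MOVE", "INFO"]


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)  # decoded query values
    body: object = None                        # parsed JSON body or None


@dataclass(frozen=True)
class Case:
    technique: str
    request: Request


def verb_cases(seed):
    # 1. Method scraping: replay the same request with every odd verb.
    for verb in ODD_VERBS:
        yield Case("method", replace(seed, method=verb))


def type_cases(seed):
    # 2. Type miscasting: swap each JSON scalar for a value of another type
    #    ({"login": "user"} -> true, 0, [], {}, null).
    if not isinstance(seed.body, dict):
        return
    for key, value in seed.body.items():
        for other in (True, 0, [], {}, None):
            if type(other) is type(value):
                continue
            yield Case("type", replace(seed, body={**seed.body, key: other}))


def byte_cases(seed, rng):
    # 3./4./5. One-byte edits of every query value: NUL as the last byte,
    # NUL at a random position, and a single-quote payload appended.
    for key, value in seed.query.items():
        if not value:
            continue
        pos = rng.randrange(len(value))
        for technique, mutated in (
            ("last-byte", value[:-1] + "\x00"),
            ("random-byte", value[:pos] + "\x00" + value[pos + 1:]),
            ("suffix", value + "'"),
        ):
            yield Case(technique, replace(seed, query={**seed.query, key: mutated}))


def cross_param_cases(seed, pool):
    # 6. Parameters seen in other requests, added to this request's body.
    if not isinstance(seed.body, dict):
        return
    for key, value in pool.items():
        if key not in seed.body:
            yield Case("cross-param", replace(seed, body={**seed.body, key: value}))


def number_cases(seed):
    # 7. Numbers in the path increased and decreased by one.
    parts = seed.path.split("/")
    for i, part in enumerate(parts):
        if part.isdigit():
            for delta in (-1, 1):
                new = parts[:i] + [str(int(part) + delta)] + parts[i + 1:]
                yield Case("number", replace(seed, path="/".join(new)))


def mutate(seed, pool=None, rng=None):
    """All cases for one seed; a fixed RNG seed keeps generated tests reproducible."""
    rng = rng or random.Random(0)
    return [
        *verb_cases(seed),
        *type_cases(seed),
        *byte_cases(seed, rng),
        *cross_param_cases(seed, pool or {}),
        *number_cases(seed),
    ]


def render(req):
    """Request line plus JSON body; query values are percent-encoded so a NUL
    shows up as %00 exactly like on the slides."""
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in req.query.items())
    line = f"{req.method} {req.path}{'?' + query if query else ''} HTTP/1.1"
    return line if req.body is None else line + "\n\n" + json.dumps(req.body)


# Constructed seed: one request collected from a unit test, plus a parameter
# pool harvested from other recorded requests (both invented for the example).
SEED = Request("POST", "/user/100001/status", {"username": "admin"},
               {"login": "user", "remember": False})
PARAM_POOL = {"password": "hunter2", "logout": True}

if __name__ == "__main__":
    for case in mutate(SEED, PARAM_POOL):
        print(f"[{case.technique}] {render(case.request)}\n")
```

The seeded `random.Random(0)` matters more than it looks: when these cases become unit tests in CI, a failing case has to be reproducible on the next run, otherwise nobody can own the finding. Technique 8 (filename lists) is just iteration over a wordlist and is left out.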

You need to know your data contexts first. And then:

● Machine learning (everything you can, from HMM to RNN)
● Linguistic patterns (verbs and nouns)
● Templates (RegExp, syllable) http://pdev.org.uk/#browse?q=;f=A

Example 1. 1-byte fuzzer

?ref=http://aaa/%00aaaaaaaaaaaaaaaaaaaaa

Memory corruption inside the Nginx module. Random memory reading (a Heartbleed analogue) https://bugfuzz.com/vulns/nginx-mem.txt

Example 2. 1-byte fuzzer

{"method":"test%26method%3ddeleteUser"}

SSRF inside the URL string to the backend API

call('/api/?method='+$data)

GET /api/?method=test&method=deleteUser

HOST internal.api.host

Example 3. 1-byte fuzzer

RCE by newline injection

Also, Yandex RCE (2014): Re: [Ticket#13111203410381979] Market feedparser - yet another RCE (#3) in python

Not covered by standard payloads such as: `id`, $((id)), |id|

Example 4. 1-byte fuzzer

https://research.facebook.com/search?q=a%20 -> HTTP 200
https://research.facebook.com/search?q=a%22 -> HTTP 500

$1000 reward for injection into JSON to ElasticSearch

But it might be RCE...

Example 5. 1-byte fuzzer

GET / HTTP/1.1

COOKIE: sessionid=a8cf5d724a7f56e490cab37%0a

A newline byte triggers a server timeout (504).

%0aset+key+0+1+3600+10%0a1234567890%0a

https://www.blackhat.com/docs/us-14/materials/us-14-Novikov-The-New-Page-Of-Injections-Book-Memcached-Injections-WP.pdf

Example 6. List-based fuzzer

Example 7. List-based fuzzer

SET /user/data HTTP/1.1

Host: api.test.com

HTTP non-CRUD methods, CRUD aliases and WebDAVish things:
● SET
● REMOVE (instead of DELETE, I don’t know why)
● DEBUG
● TRACK
● FORWARD
● MOVE
● INFO

How to find them? Just run fuzzing with the whole verb list.

Example 8. Fuzzing nouns

https://github.com/wallarm/fast-detects/blob/master/spring-cloud-infoleaks.yaml

Also related to Jolokia, by Artsploit (Veracode), CVE-2019-xxx

POST /endpoint/env HTTP/1.1

Example 9. Type casting

POST /user/login HTTP/1.1

HOST: api.somethings.com

{"token":true, ...}

Example 10. Type casting

PUT /api/v1/user HTTP/1.1

Content-Type: application/json

PUT /api/v1/user HTTP/1.1

Content-Type: application/xml

H4ckers’ points of view on API requests

GET /user/7456438/add HTTP/1.1

Analysing the results

Scanners produce vulnerabilities and false positives

Fuzzers produce abnormalities

How to analyze this data? Who will do this work?

Collaborating/integration problem

Testing policy examples

● No 5xx errors
● No 1+ms response

Tools for fuzzing

Universal tools

● Burp Suite (PortSwigger)
● ZAProxy
● FAST https://fast.wallarm.com

Custom tools

● https://github.com/asmyczek/popcorn (for JSON)
● https://github.com/krypt/FuzzBert (for Ruby)

Own tools

Fuzzing for continuous security

Unit tests: collect all the requests made by unit/manual tests

Proxy/requests collector -> fuzzy tests generator: apply all the fuzzing policies

Generating 10,000 new unit tests by fuzzing

Run all of them

Staging environment: apply the rules to prove whether this release is ready or not

We are looking for early adopters!

Thanks! @d0znpp Fb/Tg/Twi/Medium https://blog.wallarm.com [email protected]
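The two closing stages of the pipeline, analysing fuzzing results against a testing policy ("no 5xx errors", a response-time limit) and deciding whether the release is ready, as an added example that is not the talk's or Wallarm's code. The run log is constructed, the CSV layout and the Policy/Result/function names are assumptions, and the third rule (an odd verb answered with 2xx) is taken from the Example 7 slide rather than from the policy list.

```python
"""Added example, not from the talk: the last pipeline stages, applying a
testing policy ("no 5xx errors", a response-time limit) to fuzzing results
and turning abnormalities into a release verdict.  The run log is
constructed, and the CSV layout, Policy/Result and function names are
assumptions for this illustration."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

STANDARD_VERBS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}


@dataclass(frozen=True)
class Policy:
    forbid_5xx: bool = True      # "No 5xx errors"
    max_ms: float = 1.0          # "No 1+ms response" as on the slide; tune per environment
    flag_odd_verbs: bool = True  # an odd verb answered with 2xx (Example 7) is an abnormality


@dataclass(frozen=True)
class Result:
    case_id: str
    technique: str
    method: str
    path: str
    status: int
    elapsed_ms: float


# Constructed run log in the shape a fuzz runner could write (not a real capture).
RUN_LOG = """case_id,technique,method,path,status,elapsed_ms
1,baseline,POST,/user/login,200,0.4
2,type,POST,/user/login,500,0.6
3,type,POST,/user/login,400,0.3
4,last-byte,GET,/search,500,0.5
5,suffix,GET,/search,200,0.4
6,method,SET,/user/data,405,0.2
7,method,DEBUG,/user/data,200,0.3
8,random-byte,GET,/user/100001/status,200,12.0
9,number,GET,/user/100002/status,200,0.4
"""


def parse_results(text):
    rows = csv.DictReader(io.StringIO(text))
    return [Result(r["case_id"], r["technique"], r["method"], r["path"],
                   int(r["status"]), float(r["elapsed_ms"])) for r in rows]


def violations(results, policy):
    """(rule, result) pairs for every case that breaks the policy.  A 4xx is
    the normal rejection of fuzzed input and is not reported."""
    found = []
    for r in results:
        if policy.forbid_5xx and 500 <= r.status <= 599:
            found.append(("no-5xx", r))
        if r.elapsed_ms >= policy.max_ms:
            found.append(("slow-response", r))
        if policy.flag_odd_verbs and r.method not in STANDARD_VERBS and 200 <= r.status <= 299:
            found.append(("odd-verb-accepted", r))
    return found


def summarize(found):
    """Group by (rule, method, path) so 10,000 generated tests collapse into a
    short list of findings that someone can actually own."""
    groups = defaultdict(list)
    for rule, r in found:
        groups[(rule, r.method, r.path)].append(r.case_id)
    return dict(groups)


def release_ready(results, policy=Policy()):
    """The staging gate: the release passes only if no case violated the policy."""
    return not violations(results, policy)


if __name__ == "__main__":
    results = parse_results(RUN_LOG)
    for (rule, method, path), ids in summarize(violations(results, Policy())).items():
        print(f"{rule:18} {method:6} {path:24} cases {','.join(ids)}")
    print("release ready:", release_ready(results))
```

The grouping step is what answers "who will do this work?": a 5xx on /user/login reported once, with the list of case ids that reproduce it, is a ticket a developer can take, whereas thousands of individual failing tests are noise that gets ignored.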