Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Response Codes

Defense by Numbers: Making problems for script kiddies and scanner monkies

Since early 2012 I’ve been working on a simple theory…

The Theory:

By varying [response|status] codes, it should be possible to slow down attackers and automated scanners.

If you’ve met me at a conference any time in the last year I’ve probably talked about it at length and bored the hell out of you (sorry about that BTW).

After researching a number of aspects of this theory I put forward a presentation for BSidesLondon to talk about my findings and how it might be applied to application defense.

The topic can be a little complex due to the various ways browsers handle [response|status] codes. Even within a specific browser the handling of different content types varies. JavaScript is a prime example of that. Whereas a browser will happily show you a webpage received with a 404 “Not Found” code, the same browser may not accept active script content with the same code.

During testing I also discovered a couple of interesting issues with Proxy servers that could be used by attackers to expose credentials… as well as some very interesting browser quirks that are probably only interesting to a handful of people. Still, I like edge-case stuff, it’s weird and that suits me just right ;)

BSidesLondon Abstract

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide-scale scanning of websites.

If the topic is something that interests you (and I’m sure there’s a lot more research to be done here) feel free to take a snoop at the slides… The talk was recorded also, so keep an eye on the BSidesLondon website and twitter feed for information on the video/audio release.


Links:

  • Some thoughts on HTTP response codes –> HERE
  • Privoxy Proxy Authentication Credential Exposure [cve-2013-2503] –> HERE
  • mitm-proxy scripts used in testing –> HERE

Privoxy Proxy Authentication Credential Exposure – CVE-2013-2503

Privoxy Proxy Authentication Credential Exposure

Product: Privoxy
Project Homepage: privoxy.org
Advisory ID: c22-2013-01
Vulnerable Version(s): 3.0.20 (and possibly prior)
Tested Version: 3.0.20-1 (tested using Debian Sid)
Vendor Notification: March 6, 2013
Public Disclosure: March 11, 2013
Vulnerability Type: Insufficiently Protected Credentials [CWE-522]
CVE Reference: CVE-2013-2503
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

During research into browser and proxy server handling of HTTP Response Codes, an issue with the way that Privoxy handles HTTP Response code 407 “Proxy Authentication Required” was discovered. Privoxy in version 3.0.20 (and possibly prior) ignores the presence of “Proxy-Authenticate” and “Proxy-Authorization” headers and allows these values to be passed to and from a remote server without modification. The resulting behavior could allow a malicious website to spoof a Proxy-Authentication response appearing to originate from the Privoxy service. The Privoxy user will then be prompted for a username and password by a dialog that appears to originate from the Privoxy software.

Scenario:

  1. A Privoxy user visits a website using a browser of their choice
  2. The remote website responds to the request with a 407 “Proxy Authentication Required” HTTP response code and the appropriate “Proxy-Authenticate: Basic” HTTP response header
  3. This response is passed through the Privoxy service without modification to the user's browser
  4. As the browser is configured to use a proxy server, the browser believes that the upstream proxy (Privoxy) has requested authentication and prompts the user for a username and password. This prompt states that the proxy server at “127.0.0.1:8118” requires authentication (this prompt may vary if Privoxy is running on a machine other than localhost and/or on a non-default port number)
  5. If the user enters a username and password, the browser will send a request through Privoxy to the remote website with a “Proxy-Authorization: XXXXXXXX” HTTP request header (where XXXXXXXX is a base64 encoded version of the username and password the user entered at the browser's proxy authentication prompt)
  6. The remote website receives this header and can store or re-use these captured credentials

Proof of Concept:

http://c22.cc/POC/c22-2013-01.php

The above URL will respond with a “Proxy-Authenticate: basic” header when a request is received that does not contain a “Proxy-Authorization” header. This will prompt the user's browser to request a username/password from the user. If you enter a value in the username/password box and click OK, the browser will send a Base64 encoded version to the remote website. The server echoes the request headers at the bottom of the resulting page, and one of them will be “Proxy-Authorization” with a base64 encoded version of the entered username/password. For a full walkthrough it is suggested to capture this in your favourite packet capture program and walk through the requests to view the entire process.

Note –> The above POC does not store any data sent to the server, however it is suggested to use bogus credentials if testing this proof of concept.

Solution:

The following solution was suggested and implemented in Privoxy 3.0.21 stable.

Proxy authentication headers are removed unless the new directive enable-proxy-authentication-forwarding is used. Forwarding the headers potentially allows malicious sites to trick the user into providing it with login information.
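The scenario above and the 3.0.21 fix both come down to one rule: proxy-authentication headers are hop-by-hop between browser and proxy, so a forward proxy should not relay them to or from the origin unless an operator explicitly asks for it. The following is an added example, not Privoxy's own code: a small filter that drops Proxy-Authenticate from origin responses and Proxy-Authorization from client requests, logs an origin-sent 407 challenge as a likely spoof attempt, and keeps the forwarding behaviour behind an opt-in flag equivalent to enable-proxy-authentication-forwarding. The message parser and the sample messages are constructed for the example.

```python
# Added example, not Privoxy's own code: a forward-proxy filter that drops
# proxy-authentication headers an origin server should never be able to
# relay, mirroring what Privoxy 3.0.21 does unless forwarding is enabled.
import logging

log = logging.getLogger("proxy-auth-filter")

# RFC 7235 proxy credentials only have meaning between client and proxy.
DROP_FROM_RESPONSE = {"proxy-authenticate"}
DROP_FROM_REQUEST = {"proxy-authorization"}


def parse_message(raw: str):
    """Split a raw HTTP message head into (start_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    start_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return start_line, headers


def _strip(headers, names, where):
    """Return (kept, dropped_names); log every header removed."""
    kept, dropped = [], []
    for name, value in headers:
        if name.lower() in names:
            dropped.append(name)
            log.warning("removed %s from %s", name, where)
        else:
            kept.append((name, value))
    return kept, dropped


def filter_origin_response(raw: str, forward_proxy_auth: bool = False):
    """Filter an origin response; returns (status, kept_headers, dropped)."""
    start, headers = parse_message(raw)
    status = int(start.split()[1])
    if status == 407 or any(n.lower() in DROP_FROM_RESPONSE for n, _ in headers):
        log.warning("origin answered %d with a proxy-auth challenge: likely spoof", status)
    if forward_proxy_auth:  # operator opted in, as with the Privoxy directive
        return status, headers, []
    kept, dropped = _strip(headers, DROP_FROM_RESPONSE, "origin response")
    return status, kept, dropped


def filter_client_request(raw: str, forward_proxy_auth: bool = False):
    """Filter a browser request so collected proxy credentials stay local."""
    start, headers = parse_message(raw)
    if forward_proxy_auth:
        return start, headers, []
    kept, dropped = _strip(headers, DROP_FROM_REQUEST, "client request")
    return start, kept, dropped
```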

References:
Privoxy 3.0.21 ChangeLog –> http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/ChangeLog?revision=1.188&view=markup

Vulnerability Timeline:

March 5, 2013 20:00 – Initial discovery of vulnerability
March 6, 2013 14:48 > Emailed Privoxy developer list to request a security contact
March 6, 2013 15:26 < Received response with dedicated security contact information
March 6, 2013 16:01 > Emailed details of the vulnerability to security contact
March 6, 2013 17:19 < Received response acknowledging issue. Fix indicated in upcoming release
March 6, 2013 18:38 > Acknowledged receipt of email and advised of updated CVSSv2 score
March 7, 2013 15:50 < Received response detailing proposed fix, including link to CVS check-in of new code
March 7, 2013 18:48 > Acknowledged receipt of email
March 9, 2013 16:54 > Emailed CVE number to security contact and requested information on release plans
March 10, 2013 14:28 < Received confirmation of release timeline
March 10, 2013 14:58 – Release of Privoxy 3.0.21 stable
March 11, 2013 07:30 – Release of advisory

{QuickPost} Research Teaser – HTTP Response Codes

So I’ve been a little slack recently when it comes to blog posts… and conferences… and, well pretty much everything. Still, I’ve been doing some interesting things (for me at least) in the background that I’m hoping to be talking about later this year. I don’t want to give too much away, but I’m sure people can figure it out based on stuff I’ve previously put out… if not, then here’s just a pretty picture of 3 browsers side by side ;)

[teaser image: three browsers side by side]

… and no, the above isn’t doing anything with the user-agent string (you’re thinking of the wrong research ;).

Here’s hoping that the fine folks over at BSidesLondon accept my talk so I can talk about it in April… and that everything pans out so I don’t look like a moron on stage… again! ;)

Some thoughts on HTTP response codes

I’ve been playing on and off over the last year with HTTP response codes (yeah, I know, I’m a sad panda). As part of my research I’ve been looking at how various browsers handle content returned with the various standard response codes (some of the newer ones aren’t supported in Apache and the like and therefore aren’t that interesting for my uses at the moment).

I set up a simple tester script (JavaScript required, sorry) that loads images from a server set up to deliver them with specific response codes. You can have a play with it yourself if you’re interested[1] (I suggest running the requests through a proxy to see the fun happen).

The results are interesting [2] and could be used for a few interesting defensive tricks I’m mulling over. There are also a few interesting applications possible when it comes to fingerprinting browsers (and scripting languages for that matter). Although this level of granularity is never going to give you a specific version of browser and list of plugins installed, it could offer a simple test for checking if the browser is Internet Explorer or Opera for example. It’s also interesting to think that scripts/tools that fake the user-agent string might be detectable using some carefully crafted response code tricks. User-Agent strings are fun and all, but the old adage “trust but verify” springs to mind. I also included some details on a couple of scripting languages which are interesting. I’m certainly not foolish enough to think that these issues can’t be coded around, but it’s interesting to see the initial state of things when it comes to 3 of the more popular scripting languages (Perl, Python and Ruby).

I’ll leave it to the reader to think over further uses for this stuff… I’ve certainly got a few interesting ideas that have been keeping my brain busy for a while. Hopefully I’ll be moving forward on the research and coming up with a few interesting things in the future. Maybe even a presentation that’s NOT about SAP… that would be nice wouldn’t it ;) It’s therapeutic to think defensively for a while. It’s especially fun when you can use defensive research to screw with script kiddies and scanner junkies <insert evil laugh here>

Note: I’m constantly updating and tweaking the results spreadsheet as I find new results… I’ve also tweaked some of the results I previously noted due to some false positives with specific browsers. If you see anything that looks wrong, just let me know!
