DeepSec 2013 Talk: The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend
In past centuries attackers used battering rams to break down doors and siege artillery to blast holes into solid fortification walls. These were very tedious undertakings, so alternate routes – possibly back-doors – were always highly regarded. Nowadays the wonderful World of "Cyber"™ is no exception. The modern web-obsessed infrastructure has seen web browsers in local networks being compromised to reach web-based back-end systems (through DNS rebinding attacks, for example). Management consoles are a prime target, because once you gain access you can probably make the most out of elevated privileges. What about turning the back-end around and attacking applications through it? Shay Chen has explored this attack vector and will present details in his talk at DeepSec 2013. Application security mechanisms, secure software development processes, web application firewalls – collections of countermeasures that turn hacking processes into a living hell.
Enter session puzzling, which is an attack method that overrides server side flags and delivers malicious payloads to vulnerable locations from trusted backend resources; an attack that relies on infrastructure and coding flaws, and is unaffected by WAFs, common security mechanisms or modern SDLC processes.
The unique scope enables this attack vector to bypass authentication verifications, privilege related restrictions, input validation mechanisms and flow enforcement processes, not to mention exploiting seemingly non-vulnerable locations through values that are rarely validated.
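An added illustration of the flag collision that session puzzling abuses, in the form of a vulnerable pattern beside its hardened form; this is constructed example code, not material from the talk or from any real product. A password-recovery flow and the login flow both write the same session key, so an authentication check that only tests for that key's presence can be satisfied by the recovery flow alone; the hardened version scopes state per flow and sets an explicit authentication marker only on a successful login.

```python
# Added illustration of a session puzzle: two flows that write the same session
# key. Constructed example; not code from the talk or from any real product.
USERS = {"alice": "correct horse"}  # constructed sample credentials


# --- vulnerable pattern: recovery and login share session["user"] -----------
def vuln_start_recovery(session, username):
    """Recovery step 1 remembers the account so step 2 can show its hint."""
    if username in USERS:
        session["user"] = username  # same key that login sets on success
    return "answer the recovery question"


def vuln_login(session, username, password):
    if USERS.get(username) == password:
        session["user"] = username
        return True
    return False


def vuln_is_authenticated(session):
    # Only checks that *some* flow populated "user": this is the puzzle.
    return "user" in session


# --- hardened pattern: flow-scoped state plus an explicit auth marker -------
def safe_start_recovery(session, username):
    """Recovery state lives under its own key and never touches auth state."""
    if username in USERS:
        session["recovery"] = {"user": username, "step": 1}
    return "answer the recovery question"


def safe_login(session, username, password):
    if USERS.get(username) == password:
        session.pop("recovery", None)  # clear state left by unrelated flows
        session["auth"] = {"user": username, "authenticated": True}
        return True
    return False


def safe_is_authenticated(session):
    auth = session.get("auth")
    return bool(auth and auth.get("authenticated") is True)
```

In a code review the thing to look for is the shared key: any session entry written by more than one flow should be treated as untrusted by every check that reads it.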
With instances in leading software products, ERP systems, CMS systems, and even the gaming industry, vulnerable entry points can easily be the difference between a blank sheet and a vulnerability-packed report.
But while these flaws are fairly simple to detect in manual code reviews, they have been notoriously hard to identify in black box assessments, at least until now.
Recent advancements in hacking toolsets have made it possible to detect these exposures using processes, known as divination attacks, that predict the memory structure of the server processes; these can be performed automatically using a variety of toolsets and methods. The presentation will cover the attack vector's mechanics, common uses, and the toolset that can be used to automatically identify vulnerable locations in black box assessments.
This talk is highly recommended for both pen-testers and developers who deal with authentication mechanisms and exposed interfaces. Application security cannot be achieved by filters and proxies alone.