DeepSec 2022 Talk: Attacking Developer Environment Through Drive-by Localhost Attacks – Joseph Beeton
There is a widespread belief that services that are only bound to localhost are not accessible from the outside world. For convenience's sake, developers will run the services they are developing configured in a less secure way than they would (hopefully!) in higher environments.
By compromising websites developers use, injecting JS into adverts served on those sites, or simply running a phishing attack that gets the developer to open a web browser on a compromised page, it is possible to reach out via non-pre-flighted HTTP requests to those services bound to localhost, by exploiting common misconfigurations in Spring or known vulnerabilities found by myself and others. I'll demonstrate during the talk that it is possible to achieve RCE on the developer's machine or on other services on their private network.
As developers have write access to codebases, AWS keys, server creds etc., access to the developer’s machine gives an attacker a great deal of scope to pivot to other resources on the network, modify or just steal the codebase.
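The abstract's point is that a "simple" request (one the browser sends without a CORS preflight) reaches a localhost service even though that service was never meant to be reachable from another origin. The following is an added example, not code from the talk or from Contrast Security: a header-based request filter a developer could put in front of a local dev service, with constructed allowlists, sample requests and hostnames (localhost:8080, localhost:3000, ads.example, rebind.example) that are assumptions for illustration.

```python
"""Request filter for a dev service on localhost: reject browser-driven cross-site calls."""
from typing import Dict, List, Tuple

# Origins that may legitimately call the dev service (constructed allowlist).
ALLOWED_ORIGINS = {"http://localhost:3000", "http://127.0.0.1:3000"}
# Host header values the service expects; anything else suggests DNS rebinding.
ALLOWED_HOSTS = {"localhost:8080", "127.0.0.1:8080"}


def check_request(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request; header names are case-insensitive.
    Host must be an expected value (defeats DNS rebinding). Sec-Fetch-Site
    "cross-site" is the browser's own statement that another site issued the
    request, sent even when no CORS preflight was needed. An Origin header,
    which browsers attach to every cross-origin POST including HTML form
    posts, must be on the allowlist. Header-less clients such as curl pass.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    if host not in ALLOWED_HOSTS:
        return False, f"unexpected Host {host!r}"
    if h.get("sec-fetch-site") == "cross-site":
        return False, "browser-reported cross-site request"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    return True, "ok"


# Constructed sample requests: local tooling, the project's own frontend,
# a cross-site "simple" form POST, and a GET arriving via a rebound hostname.
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("local curl GET", {"Host": "localhost:8080"}),
    ("own frontend POST", {"Host": "localhost:8080", "Sec-Fetch-Site": "same-site",
                           "Origin": "http://localhost:3000"}),
    ("cross-site form POST", {"Host": "localhost:8080", "Sec-Fetch-Site": "cross-site",
                              "Origin": "https://ads.example", "Content-Type": "text/plain"}),
    ("rebound host GET", {"Host": "rebind.example:8080", "Sec-Fetch-Site": "cross-site"}),
]


def evaluate_samples() -> Dict[str, bool]:
    """Run every sample through the filter and map its label to the verdict."""
    return {label: check_request(hdrs)[0] for label, hdrs in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS:
        allowed, reason = check_request(hdrs)
        print(f"{label:22s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

The same three checks can be expressed as a servlet filter in a Spring application; the logic is independent of the framework, and the Origin rule still applies to older browsers that do not send Sec-Fetch-Site.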
We asked Joseph Beeton a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Just because you bind a service to localhost doesn’t make it secure.
- 3rd parties can access services bound to localhost or your internal network from your browser.
- HTTP Simple Requests are more powerful than most people think.
- Keep services running on internal networks patched.
- A tutorial website you are following may not be what it seems…
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I found two vulnerabilities in a Feature Toggle web console which, when combined, allowed RCE on the server. But gaining access to the server in the first place was potentially difficult. So I looked for scenarios that would allow an attacker to access that web console.
Why do you think this is an important topic?
A developer is in a unique position in an organisation. Their job is to write code which will be executed in production, and even in organisations with strict IT policies, developers' machines are usually some of the least locked down, to allow them to do their job more effectively. Combined with the unique privileges developers have, this makes them a prime target.
Is there something you want everybody to know – some good advice for our readers maybe?
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I think the only way for this attack vector to be fixed would be a change made in the browser. A browser extension would be able to detect/block this, but realistically very few developers would use such an extension.
Joseph Beeton is a recovering Java Developer. He started his career as a Java developer writing archive/backup software before moving to a large financial company working on webapps and the backend APIs. However, after a while writing yet another microservice wasn't that much fun anymore, but breaking them was. So he moved to Application Security and from there to Research. Now he works as a Security Researcher for Contrast Security.