Security at Stake

Mapping HTTP Interface Embedded Devices

Hakin9 has published a new paper. This paper discusses the generic approach of detecting the HTTP interface of embedded devices. These devices perform a number of different functions based on the infrastructural need.

Check

Regards
0kn0ck

Posted on 2/28/2009 09:50:00 AM by 0kn0ck | 0 Comments

Informer - Hacking for Charity

It is a matter of immense pleasure that researchers all over the world are collaborating for the cause of charity. Be a part of it. It's a very good initiative by Johnny Long. We appreciate his concern, and SecNiche will be a full part of it.

This is a sincere request to all talented people around the world to play their part in it.

About Informer:
"The Informer is a fund raising effort run by Hackers For Charity. It is designed to give subscribers a "backstage pass" to the world of Information Security."

Informer - Why?

Hackers for Charity

Get on the same boat for a great cause.

Regards
0kn0ck

Posted on 2/28/2009 09:35:00 AM by 0kn0ck | 0 Comments

Obfuscated HTTP Method Call based Fingerprinting Analysis

Fingerprinting of web servers can be done in different ways. It has been noticed that HTTP methods are not interpreted in an appropriate manner by a number of web servers. This can be seen while fuzzing web servers (if the particular HTTP method is included in the fuzz set). With the advent of new scripting languages, a number of different web servers are in the race. Let's first look at some of the web servers in use nowadays. The list is given below:

[Zope Web Server]
Zope is an open source application server for building content management systems, intranets, portals, and custom applications. The Zope community consists of hundreds of companies and thousands of developers all over the world, working on building the platform and Zope applications. Zope is written in Python, a highly productive, object-oriented scripting language.

[Mongrel Web Server]
Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby
web applications of any kind using plain HTTP rather than FastCGI or SCGI.

[Jetty]
Jetty is an open-source, standards-based, full-featured web server implemented entirely in Java.

These are some of the web servers used extensively in open source development. IIS and Apache (in their different variants) are always in the picture.

The point that needs to be scrutinized is request acceptance by the web server, and the ability of open source web servers to understand the HTTP method properly. IIS and Apache are efficient in handling rogue requests. Other web servers fail to show this kind of behavior (interpreting HTTP requests correctly).

This analysis rests on the following basic principles:

1. Effectiveness and pervasiveness of web servers in interpreting the HTTP method call.
2. The type of response sent by the server.
3. The type of exceptions that occur.

There are a number of tools that fingerprint web servers. There is no doubt that 70% of web servers deployed globally can be traced by fetching banners. But our aim is to perform fingerprinting with minimum information. That's where fuzzing becomes really critical. We have critically examined the behavior of the entities listed below and their collective use to fingerprint web servers.

1. Rogue HTTP Method Call Invocation.
2. Long String of /\/\/\/\/\/\/\/\ Expression.

We have used the backslash character. According to regular expression and pattern matching theory, the backslash character can be used for the following purposes:

1) stand for itself,
2) quote the next character,
3) introduce an operator,
4) do nothing.

It depends a lot on the context in which the backslash character is used. We will see the behavior of a number of web servers when the following request is sent.

$ nc www.example.com 80
JAG /\/\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 13:48:37 GMT
Server: Mongrel 1.1.3
Status: 404 Not Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Content-Length: 708
Set-Cookie: _session_id=5537174372e814e02fee588aa67c4a2a; path=/
Connection: close


It responds with the HTTP/1.1 specification and 404 Not Found (the server has not found anything matching the given URI). That's right. Another point that should not be neglected with Mongrel web servers is that it adds a Status header to the response. This behavior is shown only by the Mongrel web server. On the other hand, the server does not point out the HTTP method used for the call invocation.

$ nc example.org 80
JAG /\/\/\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Tue, 24 Feb 2009 13:53:29 GMT
Server: Jetty/5.1.14 (SunOS/5.10 x86 java/1.6.0_03
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: xn_visitor=4537fb13-e021-4cdb-bb50-4e3a8bfbb6fa;Path=/;Domain=.z1014
ba.ningops.com;Expires=Fri, 22-Feb-19 13:53:29 GMT
X-XN-Trace-Token: 8702916f-3dbd-4d51-978c-06abbe2adf73
Allow: GET, HEAD, POST, PUT, DELETE, MOVE, OPTIONS, TRACE
Content-Type: text/html
Content-Length: 1246
Connection: close


The Jetty web server responds with 405 (the client has tried to use a request method that the server does not allow. The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource). As Jetty is written in Java, the set of HTTP methods that are allowed to execute is, most of the time, configured explicitly.

For Zope server we will consider two cases as structured below.

$ nc example.com 80
JAG /\ HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 24 Feb 2009 14:11:37 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Content-Length: 59
Content-Type: text/plain; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close
webdav.NullResource.NullResource object at 0x2aaaacda0b18


The server responds with the 200 OK response code (the request is fulfilled). There is a null pointer exception at the end too. Let's look at a different layout.

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 404 Not Found
Date: Tue, 24 Feb 2009 14:03:42 GMT
Server: Zope/(Zope 2.9.6-final, python 2.4.4, linux2) ZServer/1.1 Plone/2.5.1
Bobo-Exception-Line: 66
Content-Length: 1403
Bobo-Exception-Value: See the server error log for details
Bobo-Exception-File: NullResource.py
Bobo-Exception-Type: NotFound
Content-Type: text/html; charset=iso-8859-15
Via: 1.0 www.example.com
Connection: close


We are not considering the exceptions here. You can see the server responds with 404 (this status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable). The response differs with the string manipulation: either there is ambiguity, or the code does not handle the request effectively.

Let's try this behavior against Microsoft IIS and Apache.

$ nc microsoft.com 80
JAG /\/\/\/\/\/\/\ HTTP/1.0


HTTP/1.1 501 Not Implemented
Content-Length: 0
Server: Microsoft-IIS/6.0
P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo C
NT COM INT NAV ONL PHY PRE PUR UNI'
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Tue, 24 Feb 2009 14:06:06 GMT
Connection: close

The response code is 501 (the server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource). It is exactly as the desired logic dictates.

$ nc apache.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.1 501 Method Not Implemented
Date: Tue, 24 Feb 2009 14:50:58 GMT
Server: Apache/2.2.9 (Unix)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Vary: Accept-Encoding
Content-Length: 337
Connection: close
Content-Type: text/html; charset=iso-8859-1


The same result, 501, is returned by Apache. The differential pattern is as follows:

IIS Server Response String -- HTTP/1.1 501 Not Implemented
Apache Server Response String -- HTTP/1.1 501 Method Not Implemented

The word "method" is not present in the IIS response. This is a generic behavior.

The most widely used web servers implement an HTTP method invocation check which is largely missing in other web servers. Two questions arise:

1. Do web servers implement a check on HTTP method call invocation?
2. Are web servers processing requests based on the URI only?

This all depends on how the web server was developed. Let's try this logic on proxies:

$ nc example.org 80
JAG /\/\/\/\/\/\ HTTP/1.0

HTTP/1.0 400 Bad Request
Server: squid/2.7.STABLE6
Date: Tue, 24 Feb 2009 14:00:52 GMT
Content-Type: text/html
Content-Length: 1207
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from cache5.zmh.zope.net
Via: 1.0 cache5.zmh.zope.net:8300 (squid/2.7.STABLE6)
Connection: close

The proxy server responds with 400 Bad Request, using the same HTTP/1.0 version as the request. The proxy intercepts and scrutinizes the HTTP method and URI of the request at the perimeter level.

The behavior is again different when compared to web servers. This analysis lays stress on the HTTP method call check, which is required to prune down the fingerprinting process based on this factor.

If all web servers responded with the 501 code, it should be considered unanimous behavior among different web servers.
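The differential cues walked through above (status line wording, the Mongrel Status header, Zope's Bobo-Exception headers, the leaked NullResource body, Squid's X-Squid-Error) can be pulled out of a raw response mechanically. The following is an added example, not code from the original post; the sample responses are constructed from the headers quoted above with bodies and most headers cut, and the cue names are my own labels.

```python
# Added example, not code from the original post: parse the captured responses
# and extract the cues the post uses to tell servers apart without the banner.
def parse_response(raw):
    """Split a raw HTTP response into (version, status, reason, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return version, int(status), reason, headers, body

def fingerprint_unknown_method(raw):
    """Classify how a server answered an unknown method (JAG in the post).
    method_checked is True when the method was rejected (501/405/400) rather
    than routed on the URI alone (200/404), which is what leaks detail."""
    version, status, reason, headers, body = parse_response(raw)
    cues = []
    if status == 501:  # IIS omits the word "Method", Apache includes it
        cues.append("apache-style" if reason.startswith("Method") else "iis-style")
    elif status == 405 and "allow" in headers:  # Jetty lists the allowed methods
        cues.append("method-whitelist:" + headers["allow"])
    elif status == 404 and "status" in headers:  # Mongrel duplicates the status
        cues.append("mongrel-status-header")
    elif status == 404 and any(h.startswith("bobo-exception") for h in headers):
        cues.append("zope-bobo-exception")  # Zope publisher exception headers
    elif status == 200 and "NullResource" in body:
        cues.append("zope-nullresource-leak")  # object repr leaked in the body
    elif status == 400 and "x-squid-error" in headers:
        cues.append("squid-proxy-rejected")  # proxy refused it before the origin
    return {"version": version, "status": status, "reason": reason, "cues": cues,
            "method_checked": status in (501, 405, 400),
            "banner": headers.get("server", "")}

# Constructed from the headers quoted in the post; bodies and most headers cut.
SAMPLES = {
    "mongrel": "HTTP/1.1 404 Not Found\r\nServer: Mongrel 1.1.3\r\nStatus: 404 Not Found\r\n\r\n",
    "jetty": "HTTP/1.1 405 Method Not Allowed\r\nServer: Jetty/5.1.14\r\nAllow: GET, HEAD, POST\r\n\r\n",
    "zope_200": "HTTP/1.1 200 OK\r\nServer: Zope/(Zope 2.9.6-final)\r\n\r\nwebdav.NullResource.NullResource object at 0x2aaaacda0b18",
    "zope_404": "HTTP/1.1 404 Not Found\r\nServer: Zope/(Zope 2.9.6-final)\r\nBobo-Exception-Type: NotFound\r\n\r\n",
    "iis": "HTTP/1.1 501 Not Implemented\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    "apache": "HTTP/1.1 501 Method Not Implemented\r\nServer: Apache/2.2.9 (Unix)\r\n\r\n",
    "squid": "HTTP/1.0 400 Bad Request\r\nServer: squid/2.7.STABLE6\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, fingerprint_unknown_method(raw))
```

Run against your own servers, a result with method_checked False is the condition the post flags: the unknown method was never rejected and the request fell through to URI handling.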

Regards
0kn0ck

Posted on 2/24/2009 05:23:00 AM by 0kn0ck | 0 Comments

More Towards Clickjacking - Simulating Positive Trends



Clickjacking. You will find a number of definitions of this attack. In a generalized manner, it is a kind of attack that not only simulates MOUSE EVENTS while performing malicious operations, but also hijacks user interface components displayed by a specific site.

Usually, the aim is to trap the handling of hidden events when the mouse is clicked over a user interface component such as a button. I am considering all types of web-based variants that can be triggered through browsers. The point of this discussion of clickjacking is to scrutinize the behavior of user interface elements (buttons). The events can be generated dynamically or manually. When a user interface element is clicked, a hidden event is executed in the background.

A simple POC based on this concept was released recently. The proof of concept revolves around the activation of code (a div) through a generic mouse event that binds to a hidden structure built with div tags. We are not actually sticking to the general JavaScript call, i.e. location.href. It is used as one part, but what is more interesting is the pure use of a hidden event triggered by a mouse click. The proof of concept clearly demonstrates that. The clickjacking POC is a very simple variant meant only to show the browser's request handling. More devastating actions can be performed where user authentication is required.

Well, it is quite view-specific here. The major trend revolves around:

1. Execution of hidden frames by triggering the mouse interface with components (buttons).
2. Mouse coordinates play a critical role in matching the positions.

The coordinates function:

function clickjack_armor(evt)
{
    // Fall back to clientX/clientY in browsers that do not provide pageX/pageY
    clickjack_mouseX = evt.pageX ? evt.pageX : evt.clientX;
    clickjack_mouseY = evt.pageY ? evt.pageY : evt.clientY;
    // Keep the hidden div under the pointer; CSS lengths need a unit,
    // a bare number is ignored in standards mode
    var hidden = document.getElementById('mydiv');
    hidden.style.left = (clickjack_mouseX - 1) + 'px';
    hidden.style.top = (clickjack_mouseY - 1) + 'px';
}

When we talk about hidden elements, we use DIV tags or other hand-written code to generate hidden frames.

3. The victim has to be trapped.

If we consider this definition of clickjacking:
"A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page"

Clickjacking is based on a similar principle: convincing the end user to provide information that does not seem to have any value to the user, but which in fact has power over the user's assets or identity when applied in a particular context.

Again, I think the real issue behind clickjacking has been clearly laid out. I sincerely feel that SecTheory has given a clear explanation here: ClickJacking Paper.

Otherwise it is a browser issue, and the events can be triggered in a number of ways. Browser interaction with users is always at the verge of exploitation. So this is a threat, and we have to collaborate in working against it.

Security is a prime motive so lets drive by it.

Cheers

Posted on 2/01/2009 04:32:00 AM by 0kn0ck | 0 Comments