Demo: Software and Data Integrity Failures

Time: 2 hours 37 minutes | Difficulty: Intermediate | CEU/CPE: 3
Video Transcription
>> I don't often get to do videos or walkthroughs of the labs, especially in this OWASP course, but I wanted to make this one more of a walkthrough for you, just because insecure deserialization is a little tricky, and I tried to make it a little bit more straightforward, I guess I should say. Then some of the other labs you have to figure out on your own. I'll show you some examples of how you can test for this and then leave it up to you to go further if you want.

But here's the lab that you'll be using. If you see some networking issue pop up here, don't worry about it; everything is going to be done locally. You actually don't need any networking. You'll log in with the password cybrary. I know that's insecure, but again, we're not on any network but our own.

What will happen is, we'll have a few applications here. We'll have Burp Suite, which we'll need for this. Also, we need to see what's going on with the insecure application that we're going to be testing. I also gave a little cheat sheet, if you will, down here, command.txt. Just know, if you're going to be using this from the command line, because it's on your desktop, you need to be running this command from the desktop. I'll explain a little bit what this command actually does.

Let's go back to Burp Suite. As you'll notice, this is the Community Edition, which means we don't need this part here. That's for Pro, a little advertisement from Burp Suite for that. Go to Proxy, go to Open Browser. I always like using the embedded browser because I don't have to worry about proxying anything through things like Firefox. What I want to do is go to 127.0.0.1:8000.

Now, there's a Docker container running here, and the application that's running is the Java insecure serialization lab. This is intentionally vulnerable. It gives you some idea as far as what injection points we have. We have some use state variables here. On parameters, we have some cookie values that we can try to deserialize. You can test for all of these. In this case, why don't we look at the cookie values? You'll notice, if we go to the application itself, if we inspect this, if we look at the cookie values, it doesn't have any currently. We're going to have to add that.

Let's go to Target and let's go to the first GET request. We're going to send this to Repeater. Now, it's always good to understand or know what extensions we have, or to use extensions in Burp Suite. There's a lot of great ones. There's a lot of great extensions that are in Burp Suite. If you go to Extender, then you go to the BApp Store, there's a whole bunch here. We have two: we have Logger++, then we have the Deserialization Scanner.

What I can do here in Repeater is go back here. We can add this cookie value here. Let's just throw that in right there. Sometimes it gets a little interesting trying to paste things within the lab itself. But what we can do from here is right-click, go to Extensions, Java Deserialization Scanner, and go to Manual testing. That should take that GET request and put it in here.

Now, if we look back at the application, this is a cookie value. Really, I could put anything here; we could just put test. If we look back here, it says it's Base64, or Gzip and Base64, in the cookies. What I'm going to do is set my insertion point here on test. We're just going to use encode in Base64. Now, what this is going to do is a few different timing-type attacks using ysoserial. If you were paying attention, ysoserial is actually on our desktop.

I'm going to quote the GitHub repo for ysoserial, but it's a collection of utilities and property-oriented programming gadget chains discovered in common Java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then serializes these objects to standard output. When an application with the required gadgets on the classpath unsafely deserializes this data, the chain will automatically be invoked and cause the command to be executed on the application host. It should be noted that the vulnerability lies in the application performing the unsafe deserialization and not in having gadgets on the classpath. Simply having those gadgets there... that error, don't even worry about this; you can exit out of that. Simply having the gadgets on the classpath is not the vulnerability. The vulnerability lies in the application itself.

I'm going to attack. You can see it's a scan in progress. These are timing-based attacks. If I look at Logger++, that's why I like Logger++, because it gives me a whole lot more information. I can see how long it took. I can see the request. I can see the output from this and that, and how long it took for the data to be deserialized. If I wanted to repeat this attack, I could do something like send to Repeater. Let's go back. You see it's potentially vulnerable to Apache Commons Collections 3 with sleep. There's an alternate payload it used. If we send that to Repeater, I believe, yes, let's get rid of this. We send this request with this cookie value, this Base64 encoded, and we should see it takes a little bit of time, maybe something like 10 seconds. We can see it did take about 10 seconds. If we take this cookie value out, or if we just replace that with our original, or we go back here and we send this, we can see it took, that's one millisecond right there. There's definitely something going on with this application.

If we actually take this value that is Base64 encoded, we can use the Decoder within Burp Suite. Throw this in here. Decode as Base64. You can see what it's doing here with the gadget chains and read it a little bit. See Apache Commons Collections. We should see sleep somewhere in here too. This is the payload that it used to cause the application to sleep. There we see sleep right there. Sleep for those 10 seconds.

Now, we can make this more malicious; simply doing timing attacks is somewhat boring as a hacker. That's why I have this command here. Now, this uses ysoserial. CommonsCollections5 is what I'm using. I know I said three, but for me five worked. I think you can try using three and see if that works. I'm curling the /etc/passwd file to my controlled server. Again, this is on localhost on port 4444. You saw we had Base64 as well as Gzip. This payload is using Gzip as well as Base64, putting it all on one line so I can copy and paste it easily. When you use ysoserial, that's only one part of it. It's not actually going to do anything until you put it into that cookie value.

I'm going to change directory to the desktop. I know ysoserial is on the desktop, so I'm going to let this go and execute. What I'm going to do now is copy this entire payload. I'm going to replace this with the other payload, the timing attack. But remember, we need to have our own server running on port 4444. I'll go back to Burp Suite, I will go back to Repeater, and I will paste the new value in here. Make sure that that's correct, and I will send this.

Now, it will be verbose. It will tell you if you were successful in deserializing anything. We have an error here, and we see that it actually didn't do anything here. That could be a few different reasons. What I can do is try to paste this here and see if that changes anything, and I can see it didn't. I'm still having this error here. I did a little bit of debugging off camera, but basically what happened is I didn't copy my payload correctly. I had to do that command again. Sometimes it's difficult with these labs, using them in the browser. But just make sure the end of your payload, if you're using this, has BwAA at the end. What that did is, when I sent this, you can see it says data deserialized. It tells you if you're right, your payload was right, I should say. We can see that we now have the /etc/passwd file.

Of course, you could pivot to getting a shell or something like that and do something malicious like that. But what I encourage you to do is your own experimentation: use Burp Suite, use this Deserialization Scanner. See how that works. Look at the different payloads depending on whether you use Base64 encoding or Gzip. You can try to decode these in the Decoder and see what they actually say or do. Of course, you can enter something different here instead of, currently, the /etc/passwd file. You can see if this is running as root and try the /etc/shadow file, or anything that you want to do. Take it from here, try this, and try to expand upon this attack. With that, good luck.
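The decoding step the walkthrough does by hand in Burp's Decoder (strip the Base64, optionally the gzip, then read the class names and the `sleep`/`curl` command out of the stream), written as a small Python triage script. This is an added example, not part of the lab or the video: it undoes the encoding layers, checks for the Java serialization stream magic, and heuristically recovers class-descriptor and string records, flagging classes from the CommonsCollections gadget chains. The sample stream, the cookie values and the gadget watch-list are constructed for the example.

```python
import base64
import gzip
import re
import struct
import zlib

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header (magic + version)
GZIP_MAGIC = b"\x1f\x8b"
TC_CLASSDESC = 0x72                  # class descriptor tag: 2-byte length + class name follow
TC_STRING = 0x74                     # string tag: 2-byte length + UTF-8 bytes follow

# Constructed watch-list of classes used by the public CommonsCollections gadget
# chains; an illustration, not an exhaustive signature set.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
}

_CLASS_NAME = re.compile(rb"^[\[A-Za-z_$][\w$.;/\[]*$")


def decode_cookie(value: str) -> bytes:
    """Undo the Base64 layer and, if present, the gzip layer of a cookie value."""
    raw = base64.b64decode(value)
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return raw


def _scan_utf_records(data: bytes, tag: int, name_only: bool) -> list:
    """Heuristic scan for 'tag, 2-byte big-endian length, printable bytes' runs.

    It does not walk the full serialization grammar; it only recovers the readable
    pieces a reviewer would otherwise pick out of the hex dump. Recognised records
    are skipped whole so their inner bytes are not re-scanned as tags.
    """
    found = []
    i = 0
    while i + 3 <= len(data):
        if data[i] == tag:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            chunk = data[i + 3:i + 3 + n]
            printable = 0 < n <= 512 and len(chunk) == n and all(0x20 <= b < 0x7F for b in chunk)
            if printable and (not name_only or _CLASS_NAME.match(chunk)):
                found.append(chunk.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return found


def analyze_cookie(value: str) -> dict:
    """Classify a cookie value and report what a serialized Java stream references."""
    empty = {"java_serialized": False, "classes": [], "strings": [], "gadget_hits": []}
    try:
        data = decode_cookie(value)
    except (ValueError, OSError, EOFError, zlib.error):
        return empty
    if not data.startswith(STREAM_MAGIC):
        return empty
    classes = _scan_utf_records(data, TC_CLASSDESC, name_only=True)
    strings = _scan_utf_records(data, TC_STRING, name_only=False)
    return {
        "java_serialized": True,
        "classes": classes,
        "strings": strings,
        "gadget_hits": sorted(set(classes) & GADGET_CLASSES),
    }


def _utf(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode("ascii")


# Constructed sample: a minimal stream whose top-level object is an InvokerTransformer
# with one String field, shaped like the start of a real gadget payload.
SAMPLE_STREAM = (
    STREAM_MAGIC
    + b"\x73"                                                     # TC_OBJECT
    + bytes([TC_CLASSDESC]) + _utf("org.apache.commons.collections.functors.InvokerTransformer")
    + b"\x87\xe8\xff\x6b\x7b\x7c\xce\x38"                         # serialVersionUID (arbitrary here)
    + b"\x02"                                                     # flags: SC_SERIALIZABLE
    + b"\x00\x01"                                                 # one field
    + b"L" + _utf("iMethodName") + bytes([TC_STRING]) + _utf("Ljava/lang/String;")
    + b"\x78"                                                     # TC_ENDBLOCKDATA
    + b"\x70"                                                     # TC_NULL: no superclass
    + bytes([TC_STRING]) + _utf("exec")                           # field value
)

# Constructed cookie values: plain Base64, gzip-then-Base64 (the lab's second variant), benign.
COOKIE_B64 = base64.b64encode(SAMPLE_STREAM).decode()
COOKIE_GZIP_B64 = base64.b64encode(gzip.compress(SAMPLE_STREAM, mtime=0)).decode()
COOKIE_BENIGN = base64.b64encode(b"test").decode()

if __name__ == "__main__":
    for label, cookie in [("base64", COOKIE_B64), ("gzip+base64", COOKIE_GZIP_B64), ("benign", COOKIE_BENIGN)]:
        print(label, analyze_cookie(cookie))
```

The script is a triage aid for the Repeater/Decoder loop in the video, not proof of exploitability: a stream that names gadget classes only matters if the application deserializes the cookie, which is the point the walkthrough makes about where the vulnerability lives. The reliable fix is on that side (do not deserialize untrusted input, or restrict `ObjectInputStream` with an allow-list `ObjectInputFilter`), not in scrubbing gadget libraries off the classpath.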