A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

Presented at Black Hat Asia 2018, March 22, 2018, 2:15 p.m. (60 minutes).

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress, vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection in real bug bounty programs and achieve RCE (Remote Code Execution) in our GitHub Enterprise case.

Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.


Presenters:

  • Orange Tsai - DEVCORE,
    Cheng-Da Tsai, also as known as Orange Tsai, is member of DEVCORE and CHROOT from Taiwan. He is a speaker at conferences such as HITCON, WooYun and AVTokyo. He participates in numerous Capture-the-Flags (CTF), and won 2nd place in DEF CON 22 as team member of HITCON. Orange is currently focusing on vulnerability research & web application security. Orange enjoys finding vulnerabilities and participates in Bug Bounty Program. He is enthusiastic about finding Remote Code Execution (RCE) on big vendors, and uncovered RCE in several vendors, such as Facebook, Uber, Apple, GitHub, Yahoo and Imgur.

Links:

Similar Presentations: