Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/19/2017
10:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Major Websites Vulnerable to their Own Back-End Servers

DoD, other websites found with back-end server flaws and misconfigurations that could give attackers an entryway to internal networks, researcher will demonstrate at Black Hat USA next month.

A UK researcher hacked his way through the public websites of the US Department of Defense and several major commercial organizations via some  not-so visible weaknesses and vulnerabilities that netted him a grand total of $30,000 in bug bounty rewards.

James Kettle, head of research at PortSwigger Web Security, used homegrown hacking tools to find holes in certain public websites and to then drop payloads of malformed Web requests and phony headers on those sites in order to work his way into the backend servers – and in some cases, gain access to the internal network of the organization.

Back-end servers are the oft-forgotten pieces of the website infrastructure: they can include Web caching, Web analytics, proxy, and load-balancing servers, for instance.

"People are basically just plopping down really complex servers to do caching, analytics, and loads of fancy complex functionality in front of their Web server without much thought as to whether these features might carry risks," says Kettle, who next month at Black Hat USA in Las Vegas will reveal the details of the hacks in his Cracking The Lens: Targeting Http's Hidden Attack-Surface presentation there.

"I found that a large number of these systems are really easy to exploit because they are built to stay out sight," he says. "So when people have a penetration test or an audit, they don't think the infrastructure around the app matters very much: 'It's not going to get targeted because nobody looks at it.'"  

But as Kettle found in his research, when these servers surrounding a Web application have even minor flaws in them, an attacker can burrow more deeply from the public website into the organization's internal network.

"Even as a security tester, you may well miss out on how many different systems your packets are going through and what effect" they are having, he says. He says you can actually mine information from analytics systems, for example, that can be useful for hacking into the internals of the organization.

Kettle hacked into at least 70 servers, some of which were located at some very high-profile brand name websites, which he would not disclose prior to Black Hat. He used a homegrown hacking tool to send a payload to a large number of websites within a 10-minute window. That tool allowed him to earn $18,000 in bug bounty money in a few hours' time, he says, via HackerOne's program. He will share details about the payloads during his Black Hat talk.

He also plans to demonstrate and release a free, open-source tool he created called Collaborator Everywhere, a Burp Suite extension that works like a penetration test and is focused on individual websites. That tool netted him some $15,000 in bug bounties during his research. In addition, he will release another free tool he built, a Web-based tool that audits the attack surface of clients that connect to it, he says.

Findings

Misconfigured servers were the among the most common security issues he discovered. "Someone hadn't set up a server front-end correctly and as a result, I was able to take complete control over their systems," he says. "In one case, someone wrote good code for the front-end that had a bug in it."

Among the software vulnerabilities he found were Server Side Request Forgery (SSRF), a bug that allows an attacker to send a malicious Web request to reach internal or other back-end servers.

In a bizarre twist, Kettle also inadvertently hacked his own ISP while conducting his research against one of his target websites. "My own ISP routed it [the payload] into its own system and got exploited by it, which was quite shocking," he says. "I wasn't authorized to hack the ISP, so I kind of panicked."

He says he was able to remediate and smooth things over with the UK ISP, which he declined to name, and once they were apprised of his research, they weren't "too angry," he says.

In another case, he sent a payload to "an extremely well-known company" website that allowed him to reach a back-end server that left its internal network accessible. "I would be able to reconfigure that server to whatever I wanted" as an attacker, he says, giving him complete control over most of that company's public websites.

"People need to treat this like an attack surface. They need to realize shiny features in back-end analytics" can come with security holes, he says.

The other problem, Kettle says, is that internal networks he was able to reach were left wide open with little security.

"Most of the networks I broke into had access to insane stuff, admin panels with no authentication, no login and password," he says. "If you design your network well enough, then someone who breaks into the DMZ shouldn't have access to that … If you [an attacker] get inside of the network, you're absolutely trusted" and the network, vulnerable, he says.

Best Defense

Kettle says a well-architected Web infrastructure has multiple distinct networks, as well as a sandbox for the website back-end in order to keep it separated from the internal network so it is protected  from outsiders. He says organizations often either don't realize or don't bother to segment their Web infrastructure. "If you're using things like load-balancing, caching, proxy, reverse-proxy and such, they should only have access to a DMZ … network."

The good news is that the majority of the vulnerabilities Kettle discovered have since been fixed, and in many cases were remedied quickly, he says. One exception is a critical flaw in DoD's website that is taking longer to patch, he says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Sure you have fire, but he has an i7!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27217
PUBLISHED: 2021-03-04
An issue was discovered in the _send_secure_msg() function of Yubico yubihsm-shell through 2.0.3. The function does not correctly validate the embedded length field of an authenticated message received from the device. Out-of-bounds reads performed by aes_remove_padding() can crash the running proce...
CVE-2021-22128
PUBLISHED: 2021-03-04
An improper access control vulnerability in FortiProxy SSL VPN portal 2.0.0, 1.2.9 and below versions may allow an authenticated, remote attacker to access internal service such as the ZebOS Shell on the FortiProxy appliance through the Quick Connection functionality.
CVE-2021-23126
PUBLISHED: 2021-03-04
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret.
CVE-2021-23127
PUBLISHED: 2021-03-04
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes.
CVE-2021-23128
PUBLISHED: 2021-03-04
An issue was discovered in Joomla! 3.2.0 through 3.9.24. The core shipped but unused randval implementation within FOF (FOFEncryptRandval) used an potential insecure implemetation. That has now been replaced with a call to 'random_bytes()' and its backport that is shipped within random_compat.