Nytro Posted July 27, 2017

Cracking the Lens: Targeting HTTP's Hidden Attack Surface

James Kettle - james.kettle@portswigger.net - @albinowax

Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been largely overlooked for years.

In this paper, I'll show how to use malformed requests and esoteric headers to coax these systems into revealing themselves and opening gateways into our victim's networks. I'll share how by combining these techniques with a little Bash I was able to thoroughly perforate DoD networks, trivially earn over $30k in vulnerability bounties, and accidentally exploit my own ISP.

While deconstructing the damage, I'll also showcase several hidden systems it unveiled, including not only covert request interception by the UK's largest ISP, but a substantially more suspicious Colombian ISP, a confused Tor backend, and a system that enabled reflected XSS to be escalated into SSRF. You'll also learn strategies to unblinker blind SSRF using exploit chains and caching mechanisms.

Finally, to further drag these systems out into the light, I'll release Collaborator Everywhere - an open source Burp Suite extension which augments your web traffic with a selection of the best techniques to harvest leads from cooperative websites.

Outline

- Introduction
- Methodology
  - Listening
  - Research Pipeline
  - Scaling Up
- Misrouting Requests
  - Invalid Host
  - Investigating Intent - BT
  - Investigating Intent - Metrotel
  - Input Permutation
  - Host Override
  - Ambiguous Requests
  - Breaking Expectations
  - Tunnels
- Targeting Auxiliary Systems
  - Gathering Information
  - Remote Client Exploits
  - Preemptive Caching
- Conclusion

Download: https://www.blackhat.com/docs/us-17/wednesday/us-17-Kettle-Cracking-The-Lens-Exploiting-HTTPs-Hidden-Attack-Surface-wp.pdf
Nytro (Author) Posted October 1, 2017

Yes, I've printed it; I'll read it myself in the next few days too, it looks interesting.