Session:Hacking with wget
| Description | A surprisingly simple problem turns out to be a major security risk:
Downloading publicly accessible files from web servers with private data. |
|---|---|
| Website(s) | |
| Type | Talk |
| Kids session | No |
| Keyword(s) | |
| Tags | wget |
| Processing assembly | Assembly:Free Software Foundation Europe |
| Person organizing | User:Eal |
| Language | en - English |
| Other sessions... | |
| Starts at | 2017/12/28 18:00 |
|---|---|
| Ends at | 2017/12/28 19:00 |
| Duration | 60 minutes |
| Location | Room:CCL Hall 3 |
A surprisingly simple problem turns out to be a major security risk:
Downloading publicly accessible files from web servers with private
data.
In the course of this research the speaker was able to find weak database passwords of the German social democrats, the so-called "Volksverschlüsselung" and others via Git and Subversion repositories. Many sites, including a large online pharmacy and the German postal service, exposed database dumps with standard filenames like dump.sql [1]. Countless sites were found with backup files and VIM swap files exposed in the web root revealing source code (often complete with passwords and API keys) to anyone who knows where to look. Dozens of sites were vulnerable to complete take over because the maintainers have failed to remove references to abandoned subdomains [2]. In addition to recovering source code and passwords, it turns out that simple HTTP requests are sometimes enough to steal private keys. Let's have a look on how to get other people's certificates revoked if they have exposed their private key - and also how to revoke them if you don't have their private key by simply faking one [3].
Investigating further methods to talk to web servers over HTTP led to the discovery of the Optionsbleed bug in the Apache web server [4]. Optionsbleed is a memory corruption bug that exposes parts of the server’s memory in certain configurations when sending a special HTTP request.
Let's look at how sometimes the simple attacks can be the best and how to hack with wget and HTTP requests. The speaker will publish a free tool that can be used to scan for all the vulnerabilities presented in the talk.
- [1]http://www.zeit.de/digital/datenschutz/2017-07/customer-data-how-2000-unsecured-databases-landed-online
- [2]https://blog.hboeck.de/archives/889-Abandoned-Domain-Takeover-as-a-Web-Security-Risk.html
- [3]https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html
- [4]https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
Slides:
The talk hasn't been recorded, but previous versions of similar talks are available online:
The scan tool mentioned in the talk is now released:
