Posts Tagged ‘PortSwigger’
[DefCon32] Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
Email addresses, seemingly mundane, harbor complexities that can unravel security controls. Gareth Heyes, a security researcher at PortSwigger, exposes how arcane RFC standards governing email parsing enable attackers to bypass access controls. By crafting RFC-compliant email addresses, Gareth demonstrates spoofing domains, accessing internal systems, and executing blind CSS injection. His toolkit, integrated with Burp Suite, automates these attacks, revealing vulnerabilities in applications and libraries.
Gareth’s exploration, rooted in parser discrepancies, shows how seemingly valid emails can route to unintended destinations, undermining Zero Trust architectures. His methodology and open-source tools empower researchers to probe email-handling systems, urging developers to fortify defenses against these subtle yet potent attacks.
The Chaos of Email RFCs
Gareth begins with the convoluted RFCs defining email syntax, which allow exotic encodings like Unicode overflows and encoded words. These standards, often misunderstood, lead to parser inconsistencies. For example, an email ending in @example.com might route elsewhere due to mishandled Unicode or Punycode, breaking domain-based authorization.
Case studies illustrate real-world exploits, including bypassing employee-only registrations and accessing internal systems by exploiting parser flaws.
Exploiting Parser Discrepancies
Using tools like Hackverter and Turbo Intruder, Gareth automates the generation of malicious email addresses. His Punycode fuzzer, for instance, substitutes placeholders with random characters, uncovering exploitable parser behaviors. A notable exploit involved GitHub’s handling of null characters, found via Turbo Intruder, leading to unauthorized access.
These techniques transform harmless inputs into payloads that misroute emails or inject CSS, compromising application security.
Defensive Strategies
Gareth advocates filtering encoded words and verifying email addresses before use, even from trusted SSO providers. Relying solely on domains for authorization is perilous, as demonstrated by his exploits. Regular expression sanitization and strict validation can mitigate risks, ensuring emails route as intended.
He references influential blog posts by researchers like Pep Villa, emphasizing community knowledge-sharing to bolster defenses.
Tools and Future Research
Gareth’s toolkit, including a Burp Suite wordlist and a vulnerable Joomla Docker instance, enables researchers to replicate his attacks. A Web Security Academy CTF further hones skills in email splitting. He encourages exploring additional parser vulnerabilities, such as those in mailer libraries, to uncover new attack vectors.
Links:
[DefCon32] Listen to the Whispers: Web Timing Attacks that Actually Work
Timing attacks, long dismissed as theoretically potent yet practically elusive, gain new life through innovative techniques. James Kettle bridges the “timing divide,” transforming abstract concepts into reliable exploits against live systems. By amplifying signals and mitigating noise, Kettle unveils server secrets like masked misconfigurations, blind injections, hidden routes, and untapped attack surfaces.
Traditional hurdles—network jitter and server noise—once rendered attacks unreliable. HTTP/2’s concurrency, enhanced by Kettle’s single-packet method, synchronizes requests in one TLS record, eliminating jitter. Coalescing headers via sacrificial PING frames counters sticky ordering, making attacks “local” regardless of distance.
Server noise, from load variances to cloud virtualization, demands signal amplification: repeating headers for cumulative delays or denial-of-service tactics like nested XML entities. Repetition exploits caching, reducing variability; trimming requests minimizes unnecessary processing.
Parameter Discovery and Control Flow Insights
Kettle adapts Param Miner for time-based parameter/header guessing, uncovering hidden features on thousands of bug bounty sites. Timing reveals parameters altering responses subtly, like JSON-validated headers or cache keys signaling web cache poisoning risks.
Control flow changes, such as exceptions, emerge vividly. A Web Application Firewall (WAF) bypass exemplifies: repeated “exec” parameters trigger prolonged analysis, escalating to denial-of-service; excess parameters expose max-header limits, enabling evasion.
IP spoofing headers like “True-Client-IP” induce DNS caching delays, confirmed via pingbacks. Non-caching variants suggest third-party geo-lookups, bypassing with hostnames.
Server-Side Injection Vulnerabilities
Timing excels at blind injections in non-sleep-capable languages. Serde JSON injections manifest as microsecond differentials; combining with client-side reflections infers standalone processing, aiding exploitation.
Blind Serde parameter pollution contrasts reserved/unreserved characters, yielding exploits. Doppelgangers—non-blind equivalents—guide understanding, turning detections into impacts.
SQL injections via sleep evade WAFs but overlap existing tools; timing shines where sleep fails, though exploitation demands deep target insight.
Scoped Server-Side Request Forgery Detection
Overlooked for years, scoped SSRF—proxies accessing only target subdomains—defies DNS pingbacks. Timing detects via DNS caching or label-length timeouts: valid hostnames delay; invalids accelerate or prolong.
Automating exploration, Kettle probes subdomains directly and via proxies, flagging discrepancies like missing headers. Exploits span firewall bypasses, internal DNS resolutions uncovering staging servers, pre-launch consoles, and frontend circumventions.
Frontend impersonation leverages trusted internal headers for authentication bypasses, exploitable via proxies, direct backend access, or smuggling. Timing guesses header names, enabling severe breaches.
Links:
EN_DEFCON32MainStageTalks_004_005.md