So Open Redirects debate always comes back again and again across security rooms. I often dig the claim that these should not get real attention since they hardly get used beyond PoCs, but there are still some situations in which they can become a real issue.
Having read a lot lately about hacks making use of open redirectors to accomplish all sorts of cool vuln chaining, I decided to tie up all my loose thoughts in a deck of slides, in the hopes that it can serve as a reference for the current and actual impact of delivering arbitrary redirects to your users.
While conducting black box security assessments on custom web applications, one wonders if any additional vulnerabilities await in the darkness. A darkness provided by the absence of source code to look at.
Revershal is a dirty script to search for particular formats and combination of known inputs that have been used to derive certain hash strings on custom web applications.
For example lets assume you have a hash and you know it is generated from something like:
From a security standpoint when the hash should not be guessable/predictable by an attacker (for example in a reset password function), at least one of those inputs should be a strong secret (key) known only by the application. However, multiple custom made applications generate hashes in this fashion just using predictable inputs such as email, full name, userid or the timestamp of the instant they are generated. For example:
In this situation, getting knowledge about the particular input format that the hashing function receives is the key to compromising the functionality (reset password in this case)
revershal does just that. Just feed it with your known predictable tokens and a valid hash obtained from the application and it will compute all potential formats, trying to come up with the one that was used.
$ cat test.txt
$ ./revershal.py -t test.txt -s `echo -n "token1.token3.token2" | md5sum | cut -d" " -f1` -g
[*] Guessing algorithm from hash...
[*] [WARNING] Guessing will only look at string length, not valid alphabet
[*] Hash looks like md5
[*] Target hash: 4615f95012f720eb5b23651debab6d78
[*] 3 total known tokens
[*] Total of 147 masks to compute...
[*] SUCCESS with mask: token1.token3.token2
Reading someone else’s code can be fun but usually is a daunting task, particularly when by reading one means searching for flaws.
aramaki is just a grep wrapper to conduct manual security code reviews on huge code bases in a more convenient and efficient manner. This type of reviews usually involves searching for common keywords which may help land your eyes on the interesting parts of the code, from where you can dive in and search on.
Now since just grepping for patterns usually leaves you with some unmanageable text output of several mb’s, aramaki comes handy to help you navigate this mess in a quick and efficient manner.
So, in a nutshell:
- Auditing codebases manually can be daunting
- Usually one searches (greps) for dangerous APIs
- Grep output is hard to manage efficiently
- We want something small that works out of the box on most systems
- No need to install anything else (ack, gui lib…)
- This code snippet is vulnerable, flag it
- This pattern only produces false positives, ignore it
- I need to open this file in my fav editor
- This file should be ignored
- I got tired. I will continue the review later
- Please, resume at the point I left
Of course this is just a quick and dirty hack to make my life easier. You have more expensive and probably better alternatives.
I am recently getting quite carried away about information gathering and open source intelligence in general. Following the publication of the Skip Tracing Framework I have been looking for new ways to extract useful information about particular targets from unexpected sources. It is surprising how much information is available out there just waiting to be discovered.
One of my unexplored grounds was Twitter. Given its insane popularity it can be very well included in traditional reconnaissance proccesses that used to gather people email addresses for various purposes. People now have Twitter accounts and you can sometimes reach them more easily through a @mention than via email. Furthermore, unlike traditional email, Twitter can also reveal special connections between certain individuals which can help to aim better when conducting investigations.
Tweetstars are a recent interesting phenomena. Fake, satirical or just anonymous accounts are becoming more and more popular in Twitter and receiving a lot of fuss even from the media. They sometimes are used to shout about controversial topics or disclose sensitive information. @masaenfurecida is one example of such accounts. This spanish account is getting a lot of attention due to his incendiary tweets about the political and social panorama of Spain.
But who is behind this account? Can we infer that just out of the available open data we have? Can we at least narrow down the ownership to a small group of individuals? Let’s see.
So, where to begin?
We are going to assume the owner of a certain Tweetstar account algo has his own parallel account for unrelated tweeting. If we consider this too much of a stretch, we can at least assume that people closely connected with the owner in some way will have twitter accounts. Now, tweetstars usually have A LOT of followers so finding interesting people in that sea is going to be tough.
What do we know to start with?
Some ground rules:
Tweetstars usually follow either nobody, a few tenths of people or tons of them. When they follow tenths of people we can probably find some interesting connections following that route.
Twitter apparently lists the people an account follows in chronological descending order, which means the first people the owner decided to follow are at the bottom (relevant). I am pretty positive about this one, could be wrong though.
People can follow an account through a public list without actually following it. Tweetstars appear sometimes in lists from people who actually do not follow them.
Given two twitter accounts, a not-so-obvious connection can be established between them just by comparing who they follow, who follow them, the lists they appear on…
To help conduct this type of investigations a new script was born. It has been coded in a hurry, it is fugly and hardly documented but it gets the job done. Input takes two twitter screen names to display the possible connections found between the two accounts. Since Twitter limits API calls to 150 per hour certain effort has been put to try to cache data and reduce the number of queries as much as possible. Just keep the script open so the cached data don’t go away and keep querying twitter for aditional screen name pairs. You will find Twittego getting the best out of those 150 calls.
The first lead
My first lead came from a friend of mine, who got from a very good source that @masaenfurecida is an account managed by several spanish TV script writers. Gossip should be always taken with a grain of salt but since I did not have any other clue, it was worth the shot.
Searching Twitter for script writers and guilds returns several hub accounts including: @encuentroguion, @fagaguionistas, @guionistasaida, @guonistaszd, @almaguionistas, @sologuion, @guidoitwitt, @tandemguion, @gagsigc. Matching those against @masaenfurecida using Twittego reveals several individuals who besides following @masaenfurecida, also actively follow several of these script writing guilds, festivals and so.
The most prominent of these individuals are @cristaljar, @juanjomoscardo, @galahan, @xcarlosares, @teresadiez, @erreimantada and @oscarbernacer. All very actively connected in this context.
Checking first follows
On the other hand, apparently the owner of @masaenfurecida is somewhat connected to @joseluisgarci. Now since @joseluisgarci is also a Tweetstar, issuing both names to Twittego yields too much noise so we need to carve deeper. How about the first follows of that account? Interesting accounts here include @johntones, @noelburgundy, @frunobulax and @caco3000, the first four. Also, comparing this list with the previous results of the script writing guilds, we get further related accounts such as @cristaljar and @vigalondo.
Googling around a bit
Ok so second Google result for “masaenfurecida” brings you to a forum thread about our tweetstar, started by @johntones, someone who already appeared in the previous step. Although the connection seems obvious, while discussing in the thread about him being the real culprit the connection is explicitly denied. They also point out that several authors could actually be behind @masaenfurecida, but several people seem pretty positive about a connection between the forum and the account. @noelburgundy, who appeared before appears on that thread too, which reveals nothing but means we are at least moving between a very close group of people.
Another quick Google search including the name of the forum (focoforo) reveals some anonymous comment on an article discussing the authorship of @masaenfurecida’s tweets. He claims @vigalondo, @johntones and several other people from @elfocoforo are behind @masaenfurecida. A reply points out how these guys actually denied this connection despite they apparently sell shirts about @masaenfurecida. Intriguing.
Wrapping things up
How about the names that came up while searching for script writers?. Inputting @elfocoforo with previous highlighted previous accounts into Twittego lights the Christmas Tree, making @Vigalondo, @fagaguionistas, @johntones, @joseluisgarci, @cristaljar… and several others appear all over the place.
So, what’s the conclusion? Can we safely point our finger to people like @vigalondo, @johntones, @cristaljar, or people related to @fagaguionistas? Well, probably not, but at least we have found a small network backing up that anon claim from the previous comment.
We have just seen a proof of concept about gathering information just by looking at Twitter connections between people with the help of a tool like Twittego. In this particular case we simply found incidental evidence, but from what I have seen I can assure you there are other cases where this kind of proccess would reveal more info than initially expected.
Experiment with Twittego using different twitter accounts. The results will probably surprise you.
Starting off, it must be said that I despise cheating. I have been in the past in the position of being able to cheat in different situations where I could have obtain a reasonable profit from doing so, and I decided not to. I am not trying to describe myself as a hero or anything. It is just something that fits here in a post of such a topic and I feel better including it, whether the reader (you) believes it or not.
Being said that, cheating can indeed be a lot of fun when you are not ruining anybody’s day with it. Case in hand is the game Words with Friends, some Scrabble clone made by Zynga which I was tricked into installing on my android phone a couple days ago. I have played Scrabble only a couple of times in my life when I was little, and the only rule I remember from it was: the words you build must appear on a standard dictionary.
Ok so English is not my mother tongue, I can cope with getting owned by foreigners and I was actually anticipating it before playing (I still thought it would be fun despite the handicap). But then I started playing with a friend of mine who I considered had my level of english vocabulary-wise, so it suddenly got interesting and competitive in certain way. Until I began seeing things like this:
KA? what the fuck is Ka? I thought it had to appear on a standard dictionary. Let’s take a peek at the rules:
Enhanced North American Benchmark Lexicon… that sounds like a weird dictionary. Googling and browsing it quickly reveals that it contains a lot of bizarre words such as “mucid”, “li”, “ag” and of course “ka”. By the time I discovered the ruse, I was way behind in the scoreboard, with only fifty or so letters remaining and almost a hundred points behind. I was also angry to discover I could have got rid of a Q letter which was giving me headaches since my second turn. If I had knew “QI” was actually a word for such a weird dictionary things would have been different.
My friend was owning me badly, so since I was going to lose, why not at least have a little fun trying to cut the score gap using other means. Resigning was no fun for anybody.
I guess there probably are algorithms to solve Scrabble games using a dictionary of words and a given table. But since I am not planning to turn myself into a professional cheater anytime soon and I couldn’t have my friend waiting for my next move for too long, I needed something quicker and dirtier.
So then I only needed to wait for my turn, check for the available starting/ending/in-between letters in the table, and execute something like:
After that, it was only a matter of manual reviewing a handful of possible words to choose the best option. I could even specify specific suffixes for bonus triple-word/letter cells to try to narrow down possibilities. The final score was 373 to 280. Not that bad considering how well my initially underestimated opponent fared.
For the record, I cheated only during second half of the game:
My words before I started cheating: ping, shelve, deeds, cart, tan, wine, see, pity, wow
My words after I started cheating: naif, too+lop, qi+li, ef+faqir, clavi, gaur, zeta+s, gob+os, het
My apologies to you again, Concha, and congratulations on your great vocabulary and non-cheating skills. I myself could not help it. After all, hacking is sometimes cheating too.