Exploiting GraphQL Secondary Context Attacks

Misconfigured GraphQL implementations can allow attackers to bypass authorization and access internal APIs. These “secondary context attacks” exploit the gap between GraphQL’s frontend interface and the backend REST services it proxies, often turning a simple path traversal into significant data access.

The Backend for Frontend Pattern

In the Backend for Frontend (BFF) pattern, a middleware layer combines multiple backend services into customized REST endpoints for each frontend, eliminating the need for clients to make separate calls to individual microservices. For example, the infrastructure layout could look like:

Pulling Specific Files from the Trickest Inventory (or any Github project)

The @trickest Inventory project is an interesting resource. It has a massive set of hostnames, live services, spidered URLs, and cloud data organized by Bug Bounty program. There is far more data in it than I have any interest in storing; in fact, the only thing I need is the hostnames resource. Here is a quick and dirty way to pull the hostnames.txt file from every program without cloning the entire project.

🎉 burpsuite-project-file-parser v1.1 🎉

Edit: 1.1b fixes an auto-shutdown issue in Burp Suite; I would highly recommend this release over 1.1a. The rest of the post still applies.

This is a small release but a useful one.

Release 1.1b adds the ability to parse projects for selected portions of siteMap and proxyHistory. For example, the following will only return the proxyHistory request.headers and request.body. Note that the URL is always included:

java -jar -Djava.awt.headless=true [PATH_TO burpsuite_pro.jar] --project-file=[PATH TO PROJECT FILE] \
  proxyHistory.request.headers, proxyHistory.request.body

This should result in significant speed improvements, as parsing will ignore response.body, which can be very large. Conversely, if you only wanted to parse the proxyHistory response body for interesting things, you could do:

Building on an AppSec Pipeline with Burp Suite data - Part 2

In this two-part series we are going to take Burp Suite project files as input from the command line, parse them, and then feed them into a testing pipeline.

The series is broken down into two parts:

  1. Getting at the Data (i.e. from the CLI to feeding the pipeline)
  2. 8 Bug Hunting Examples with burpsuite-project-parser (i.e. from the pipeline to testing)

This post is focused on bug hunting examples. Check out the previous post if you haven’t already set up the environment.

Building on an AppSec Pipeline with Burp Suite data - Part 1

In this two-part series we are going to take Burp Suite project files as input from the command line, parse them, and then feed them into a testing pipeline.

The series is broken down into two parts:

  1. Getting at the Data (i.e. from the CLI to feeding the pipeline)
  2. 8 Bug Hunting Examples with burpsuite-project-parser (i.e. from the pipeline to testing)

Introduction

Two years ago I pushed to Github a Burp Suite plugin with a mouthful of a name: burpsuite-project-parser. It started out as a way to solve a very simple problem.

SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP

SSRF protocol smuggling involves an attacker injecting one TCP protocol into a dissimilar TCP protocol. A classic example is using gopher (the first protocol) to smuggle SMTP (the second protocol):

gopher://127.0.0.1:25/%0D%0AHELO%20localhost%0D%0AMAIL%20FROM%3Abadguy@evil.com%0D%0ARCPT%20TO%3Avictim@site.com%0D%0ADATA%0D%0A ....

A common example of using Gopher to smuggle SMTP

The key point above is the use of the CRLF sequence (i.e. %0D%0A), which separates the commands of the second protocol. This attack is only possible when CRLF characters can be injected into the first protocol.

odle ruby gem: piping security data

I recently (May 2018) published odle, a Ruby gem and binary that takes XML output from various security tools and emits its JSON equivalent. The goal is to be (1) simple, (2) fast, and (3) usable on many platforms with only one dependency – nokogiri.

Quick Example of Piping Security Results

Below are two examples of using odle to convert the output of one tool (e.g. Burp Suite) into input for another (e.g. nmap scans). From the command line I typically use odle with gron, an awesome tool that “makes JSON greppable” =).

Exploiting CVE-2016-4264 With OXML_XXE

Recently ColdFusion was shown to be vulnerable to XXE-based attacks via OXML documents (CVE-2016-4264). The blog post linked gives an example of building the file using Python; cool!

It’s easy to backdoor files in a similar fashion with OXML XXE. The fastest way to do this is using the “Overwrite File inside DOCX/etc” function.

You can add any XLSX at this point, OXML_XXE ships with a sample.xlsx.

You will want to specify the XML file to overwrite, e.g. “[Content_Types].xml”. The “_rels/.rels” file is another option.

Finding Hosts Using SSL Certificate Organization And Censys

Finding hosts or domain names associated with a company when the domain name does not include the company’s name can be difficult. There are common ways to do it, such as ASN lookups or scope information (e.g. a bug bounty target of engagement or IP block).

One technique that I use (and I am guessing others do as well) relies on the Organization field of an SSL certificate that is shared by multiple domains. For example, the certificates for https://www.facebook.com and https://parse.com carry the same organization.

Exploiting XXE In File Upload Functionality

Just wanted to post some details from my BH USA 2015 briefing “Exploiting XXE In File Upload Functionality”.

https://www.youtube.com/watch?v=LZUlw8hHp44

I also gave an updated version of the presentation in November for the Black Hat Webcast Series. It included more file types: PDF, JPG, and GIF. The link is here: https://www.blackhat.com/html/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.html