OAST (Out-of-band Application Security Testing)

🔍 Introduction

OAST stands for Out-of-band Application Security Testing and refers to a security testing method that uses OOB (Out-Of-Band) interactions. OOB by itself does not cause a security issue, but it is a very useful analysis method: through it you can identify blind-class vulnerabilities (Blind RCE, Blind XSS, Blind SSRF, etc.) or exfiltrate sensitive information.

OAST is also chosen as a primary scan model in DAST (Dynamic Application Security Testing) tools such as ZAP and Burp, and this has a real, significant effect on scan performance (a higher detection rate).

DNS Reaction

The core of OAST is the DNS reaction. It differs by infrastructure, but companies that operate services usually have a security policy that blocks outbound traffic by default and allows it only conditionally or by exception. So even when OAST triggers a reaction request, it often cannot be received because outbound is blocked.

With DNS, however, the query is not sent directly by the server; it is issued through a resolver inside or outside the infrastructure, so the DNS reaction can often be observed regardless of the outbound policy. That is why the OAST approach, which includes DNS and other protocols, is much more powerful than the traditional HTTP-based callback approach.

HTTP/Other Reaction

If an HTTP, SMTP or similar reaction occurs after the DNS query, outbound can be considered possible. Where the DNS reaction mainly serves identification, the remaining reactions relate to actual impact. Put simply, they become a point through which internal information can be exfiltrated, or which can be connected to other blind vulnerabilities such as SSRF and XSS.

🗡 Offensive techniques

Protocols

HTTP/HTTPS and DNS are enough to handle most requests, but some services support additional protocols such as SMTP and LDAP to give the tester better-quality information. The commonly used protocols are listed below.

  • HTTP/HTTPS
  • DNS
  • SMTP
  • LDAP
  • NTLM
  • SMB
  • FTP
  • etc.

Provider

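| Provider | ZAP | Burp | Nuclei | CLI | Receiver | OSS | Self-Host |
|---|---|---|---|---|---|---|---|
| BOAST | O | X | X | O | DNS, HTTP(S) | Yes | Yes |
| Interactsh | O | O | O | O | DNS, HTTP(S), SMTP, LDAP, SMB, FTP | Yes | Yes |
| Burp Collaborator | X | O | O | O | DNS, HTTP(S), SMTP | No | Yes |
| TukTuk | X | X | X | O | DNS, HTTP(S), SMTP, LDAP, SMB, FTP, TCP | Yes | Yes |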

Interfaces

ZAP

In ZAP, the OAST menu lets you obtain an OAST domain and poll it. During an Active Scan, ZAP also generates and uses OAST payloads automatically as it scans.

ZAP can use three OAST services: BOAST, Interactsh and Callback (IP-based).

Burpsuite

In Burpsuite, you can test with Burp Collaborator. After installing the Taborator extension, you can generate payloads and test with them. As with ZAP, an Active Scan generates and uses OAST payloads automatically as it scans.

Burpsuite can use two OAST services: Burp Collaborator and Interactsh.

CLI interface

In a CLI environment, Interactsh is the recommended choice because it also provides a CLI client. BOAST and TukTuk are available in API form, so they can be used through code (BOAST) or the web (TukTuk).

# Public server
interactsh-client

# Self-hosted server
interactsh-client -server <YOUR-SELF-HOSTED-SERVER> -token <YOUR-SECRET>

OAST in DAST

DAST tools sometimes use OAST to identify blind-class vulnerabilities and vulnerabilities that can be detected through OOB. It usually works in the following order.

  1. Generate a domain through the OAST service for each request (e.g. o5rglw6hawoivfmeylovdxtqji.odiss.eu)
  2. Run the test with a payload that contains that domain
  3. Poll for the configured time and check whether there is any reaction targeting that domain

Bypass techniques

🛡 Defensive techniques

From the defender's side, OAST (OOB) can be countered to some degree through system hardening. The basic approach is to minimize the room for OOB interactions to occur, and part of the risk can be addressed with network-level controls such as firewall policy.

Known OAST Service Address

  • ZAP
    • *.odiss.eu
  • Burpsuite
    • *.oastify.com
    • *.burpcollaborator.net
  • Interactsh
    • *.oast.pro
    • *.oast.live
    • *.oast.site
    • *.oast.online
    • *.oast.fun
    • *.oast.me
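
A detection-side use of this list, as an added example that is not part of the original page: it scans DNS resolver log lines for lookups under the suffixes above and reports which internal client made them. The log format (time, client, query type, name) and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Suffixes taken from the "Known OAST Service Address" list on this page.
KNOWN_OAST_SUFFIXES = {
    "odiss.eu": "ZAP",
    "oastify.com": "Burpsuite", "burpcollaborator.net": "Burpsuite",
    "oast.pro": "Interactsh", "oast.live": "Interactsh", "oast.site": "Interactsh",
    "oast.online": "Interactsh", "oast.fun": "Interactsh", "oast.me": "Interactsh",
}

def classify(qname):
    """Return the tool a queried name belongs to, or None if it is not listed."""
    labels = qname.strip().rstrip(".").lower().split(".")
    # Compare whole labels so "notoast.me" or "oast.me.example.com" do not match.
    for i in range(len(labels) - 1):
        tool = KNOWN_OAST_SUFFIXES.get(".".join(labels[i:]))
        if tool:
            return tool
    return None

# Constructed resolver log (assumed format: time, client, qtype, qname).
SAMPLE_LOG = """\
2022-05-27T10:00:01Z 10.0.3.7 A o5rglw6hawoivfmeylovdxtqji.odiss.eu.
2022-05-27T10:00:02Z 10.0.3.7 A www.example.com.
2022-05-27T10:00:05Z 10.0.4.9 AAAA C1A2B3.OAST.ME
2022-05-27T10:00:06Z 10.0.4.9 A notoast.me.
2022-05-27T10:00:07Z 10.0.5.2 TXT oast.me.example.com.
malformed line
"""

def find_oast_lookups(log_text):
    """Map each client address to the (tool, qname) pairs it looked up."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip lines that do not fit the assumed format
            continue
        _, client, _, qname = fields
        tool = classify(qname)
        if tool:
            hits[client].append((tool, qname.rstrip(".").lower()))
    return dict(hits)

if __name__ == "__main__":
    for client, found in find_oast_lookups(SAMPLE_LOG).items():
        print(client, found)
```

Because every provider in the table above can be self-hosted, a suffix list like this only covers the public services; lookups to a self-hosted OAST server use that server's own domain.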

🕹 Tools

📚 Articles

Licensed under CC BY-NC-SA 4.0
Last updated on May 27, 2022 23:16 +0900