HTTP status codes can be used defensively to confuse scanners and script kiddies. The document discusses how different browsers interpret various status codes, and this behavior can be leveraged to fingerprint browsers or detect proxy usage. Status codes can also be used to introduce false positives and negatives in vulnerability scanners, or slow them down by returning non-standard codes from all URLs.
14. This talk contains:
- Numbers
- Bad Jokes
- Traces of peanuts
- Did I mention numbers?
15. HTTP Status Codes
o Majority part of RFC 2616 (HTTP/1.1)
o 5 main classes of response
o 1XX informational
o 2XX success
o 3XX redirection
o 4XX client error
o 5XX server error
17. 1XX Informational
o Indicates response received
o Processing is not yet completed
o 100 Continue
o 101 Switching Protocols
o 102 Processing (WebDAV RFC 2518)
18. 2XX Success
o Indicates response received
o Processed and understood
o 200 OK
o 201 Created
o 202 Accepted
o 203 Non-Authoritative Information
o 204 No Content
19. 2XX Success (cont.)
o 205 Reset Content
o 206 Partial Content
o 207 Multi-Status (WebDAV RFC 4918)
o Codes not supported by Apache
o 208 Already Reported
o 226 IM Used
o 250 Low on Storage Space
20. 3XX Redirection
o Action required to complete request
o 300 Multiple Choices
o 301 Moved Permanently
o 302 Found / Moved Temporarily
o 303 See Other
o 304 Not Modified
21. 3XX Redirection (cont.)
o 305 Use Proxy
o 306 Switch Proxy
o 307 Temporary Redirect
o Codes not supported by Apache
o 308 Permanent Redirect
22. 4XX Client Error
o Client caused an error
o 400 Bad Request
o 401 Unauthorized
o 402 Payment Required
o 403 Forbidden
o 404 Not Found
o 405 Method Not Allowed
23. 4XX Client Error (cont.)
o 406 Not Accessible
o 407 Proxy Authentication Required
o 408 Request Timeout
o 409 Conflict
o 410 Gone
o 411 Length Required
24. 4XX Client Error (cont.)
o 412 Precondition Failed
o 413 Request Entity Too Large
o 414 Request-URI Too Long
o 415 Unsupported Media Type
o 416 Request Range Not Satisfiable
o 417 Expectation Failed
o 418 I’m a Teapot (WebDAV RFC 2324)
25. 4XX Client Error (cont.)
o 419 / 420 / 421 Unused
o 422 Unprocessable Entity (RFC 4918)
o 423 Locked (RFC 4918)
o 424 Failed Dependency (RFC 4918)
o 425 No Code / Unordered Collection
o 426 Upgrade Required (RFC 2817)
26. 4XX Client Error (cont.)
o Codes not supported by Apache
o 428 Precondition Required
o 429 Too Many Requests
o 431 Request Header Fields Too Large
o 444 No Response (NGINX)
o 449 Retry With (Microsoft)
o 450 Blocked by Win. Parental Controls
o 451 Unavailable For Legal Reasons
27. 4XX Client Error (cont.)
o Codes not supported by Apache
o 494 Request Header Too Large (NGINX)
o 495 Cert Error(NGINX)
o 496 No Cert (NGINX)
o 497 HTTP to HTTPS (NGINX)
o 499 Client Closed Request (NGINX)
28. 5XX Server Error
o Server error occurred
o 500 Internal Server Error
o 501 Not Implemented
o 502 Bad Gateway
o 503 Service Unavailable
o 504 Gateway Timeout
o 505 Method Not Allowed
29. 5XX Server Error (cont.)
o 506 Variant Also Negotiates (RFC 2295)
o 507 Insufficient Storage (WebDAV RFC 4918)
o 508 Loop Detected (WebDAV RFC 5842)
o 509 Bandwidth Limit Exceeded (apache ext.)
o 510 Not Extended (RFC 2274)
30. 5XX Server Error (cont.)
o Codes not supported by Apache
o 511 Network Authentication Required (RFC
6585)
o 550 Permission Denied
o 598 Network Read Timeout Error (Microsoft
Proxy)
o 599 Network Connect Timeout Error
(Microsoft Proxy)
53. o MITMproxy
o Python-based
o Simple to setup proxy / reverse proxy
o Script-based actions
54. o PHP
o Ability to set response code
o Must be at the top of the PHP code
o Can be added to php.ini
o auto-prepend-file=
o Limited by web-server (apache)
55. o Testing browsers automatically
o Created PHP file to set status code
- http://c22.cc/POC/respcode.php?code=XXX
58. Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
100 X X X X d/load X X X X
101 X X X X d/load X X X X
102 X X X X d/load X X X X
200
201
202
203
204 X X X X X X X X X
205 X X X X X X
206
207
300 X
301 X X X X
302 X X X X
303 X X X X
304 X X X X X X X X X
305 X
306 X
307 X X X X
59. Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
400 X X X X
401 X X X
402 X X X
403 X X X X
404 X X X X
405 X X X X
406 X X X X
407 X Proxy Proxy Proxy X
408 X X X X X X
409 X X X X
410 X X X X
411 X X X
412 X X X
413 X X X
424 X X X
425 X X X
426 X X X
60. Firefox Chrome Internet Explorer
Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS
500 X X X X
501 X X X X
502 X X X
503 X X X
504 X X X
505 X X X X
506 X X X
507 X X X
508 X X X
509 X X X
510 X X X
64. o HTML Responses
o Almost all response codes are rendered by
the browser correctly
o iFrames
o Some special cases for IE, but other
browsers handle this the same as HTML
65. o JavaScript/CSS
o Limited accepted status codes
o Limited 3XX support
o Chrome is the exception here
o No support for 4XX/5XX codes
71. Just because the RFC says
a specific status code
must have an associated
header doesn’t mean it
HAS to…
72. o Redirection codes (301-304, 307)
o No Location header, no redirect
o 401 Unauthorized
o No WWW-Authenticate header, no
authentication prompt
o 407 Proxy Authentication Required
o No Proxy-Authenticate header, no prompt
73. Just because the RFC says
a specific status code
shouldn’t have an
associated header
doesn’t mean it can’t…
74. o 300 Multiple Choices w/ Location Header
o Firefox/IE6 follows the redirect
o Chrome doesn’t
o More research needed in this direction
81. Firefox
o Doesn’t load JavaScript returned with a 300
‘Multiple Choices’ status code
o Other browsers tested DO (IE/Chrome)
o Request JS from server
o Respond using 300 ‘Multiple Choices’
o If JS doesn’t run in the browser - it’s FF
82. Chrome
o Loads JavaScript returned with a 307
‘Temporary Redirect’ status code
o Other browsers tested DON’T (IE/FF)
o Request JS from server
o Respond with 307 ‘Temporary Redirect’
o If JS runs in the browser - it’s Chrome
83. Internet Explorer
o Loads JavaScript returned with a 205 ‘Reset
Content’ status code
o Other browsers tested DON’T (FF/Chrome)
o Request JS from server
o Respond using 205 ‘Reset Content’
o If JS runs in the browser - it’s IE
84. o Other options to fingerprint browsers
o 300 Redirect (Chrome)
o 305/306 JavaScript (Firefox)
o 400 iFrame (Internet Explorer)
o …
o There are probably more
89. Chrome
o Chrome handles proxy configuration
differently to other browsers
o 407 status code isn’t rendered
o Unless an HTTP proxy is set!
o Allows us to detect if an HTTP proxy is in use
o Just not which proxy
o Can only detect HTTP proxies ;(
90. Chrome Proxy Detection
o Request page from server
o Respond using 407 ‘Proxy Authentication
Required’
o - w/o Proxy-Authenticate header
o If Chrome responds, it’s configured to use an
HTTP proxy
91.
92. Side-Effect: Owning Proxies
o Privoxy 3.0.20 (CVE-2013-2503)
o 407 Proxy Authentication Required
o w/ Proxy-Authenticate header
o User prompted for username/password
o Prompt appears to be from Privoxy
o Privoxy passes username/password to
remote site
o Profit???
94. What we have
o Status codes all browsers treat as content
o Status codes all browsers can’t handle
o 10X, etc..
o Lots of browser quirks
95. What can we do
o F*ck with things
o Screw with scanner monkeys
o Make RFC lovers cry into their beer
o Break things in general
96. Let’s try to…
o Use what we’ve discovered to…
o Break spidering tools
o Cause false positives / negatives
o Slow down attackers
o The fun way!
o Blocking successful exploitation
105. o Most scanners use status codes
o At least to some extent
o Initial match (prior to more costly regex)
o Speed up detection
106. o What happens if:
o Every response is a 200
o Every response is a 404 / 500
o Every response is random*
* Using codes that are accepted by all browsers as content
107. Vulnerability Baseline
o w3af
o Information 79 points
o Vulnerabilities 65
o Shells 0 shells
o Scan time 1h37m23s
108. Every response 200 OK
o No change
o All points discovered - per baseline
o 79/65/0
o Scan time 9h56m55s
o Lots more to check ;)
109. Every response 404 Not Found
o Less to scan == Less to find
o False negatives
o 44 Information points (-35)
o 37 Vulnerabilities (-28)
o Scan time 7m13s
o Much quicker scan
o Less paths traversed
110. Every response 500
o Server error == OMG VULN!
o False positives+++
o 9540 Information points (+9461)
o 9526 Vulnerabilities (+9461)
111. Random Status Codes
o Multiple runs
o All tests produced False positives++
o avg. 619 Information points (+540)
o avg. 550 Vulnerabilities (+485)
o Avg. scan time 11m37s
o Much quicker scan
112. Random Status Codes
o Skipfish + $rand = chaos
o False Positives and False Negatives
o Scan jobs killed due to lack of resources
o Scan times
o 1st scan time 10h3m35s
o 2nd scan time 0h0m4s
o 3rd scan time 16h47m41s
124. HTTP Tarpit Scenario
o WAF detects scan / attack
o Adds source IP to “naughty” list
o All responses from the server are
rewritten
o 100|101|102 status codes only (random)
o 204|304 might also be useful (no content)
132. HTTP Tarpit
o HTTP Tarpit Results*
o Slow scans (nikto)
o 340x as long
o Unreliable / aborted scans (w3af / skipfish)
o 100% less findings
* Not scientifically sound ;)
136. Now let’s stop the
sk1dd13s using
Metasploit to pop
$hells
137. o How often does Metasploit reference
status codes?
rgrep -E 'res[p|ponse]?.code' **
rgrep -E 'res[p|ponse]?.code'
846*
* Not scientifically sound ;)
139. if (res.code < 200 or res.code >= 300)
case res.code
when 401
print_warning("Warning: The web site
asked for authentication: #{res.headers
['WWW-Authenticate'] || res.headers
['Authentication']}")
end
fail_with(Exploit::Failure::Unknown,
"Upload failed on #{path_tmp}
[#{res.code} #{res.message}]")
end
142. o Using status codes to our benefit is fun
o … and useful!
o Browsers can be quirky
o Scanners / attack toolkits are sometimes
set in their ways
o Take the easy route
o Easy to fool
143. o WAFs need to get more offensive about
their defense
o More than just blocking a request with a
snazzy message
o Hacking back is bad
o Slowing down known attacks is good
o Make life harder for skiddies is pricele$$
144. o Current tools are much the same as APT
o APT (Adequate Persistent Threat)
o Only as advanced as they NEED to be
146. o Less reliance on status codes
o More reliance on content / headers
o Pros
o Better matching / intelligence
o Cons
o Slower? (regex)
o More resource intensive