The X-Correlation between Frans & RCE - Research Drop (Ep. 86)
FULL TRANSCRIPT
Oh my gosh, people are doing shanky stuff.

Yeah, I know, I know, I love it.

Are you kidding? What?

[Music]

Yo yo yo, sup critical thinkers. We have a little bit of a different type of episode for you guys today, okay? And it all starts with a story. I was in Las Vegas and Mr. Frans Rosén himself comes up to me and says, "Justin..." I wish I could do a Swedish accent right now. I can't do a Swedish accent, but he says, "Justin, I've got some amazing research that I want to share with you, and I want you to put it out on the pod." And when Frans says that, you say, "Absolutely, let's go record an episode right now." And so we did, and it was awesome, and it totally blew my mind. I think you're really going to enjoy it, but it is a presentation, and typically on this pod we try to keep things audio-medium friendly, but this one might be the exception. You might want to head over to YouTube for this one so that you can see what's going on. Not to say that you won't be able to get the general concept from audio, and I think the general concept is also very valuable, but if you're looking to see a little bit more of the details of the explanation that he had, then you might see that better on YouTube. So you can go to the YouTube channel at ctbb.show, it'll redirect you to the YouTube channel, and then you should be able to see all of that there.

Really great research, definitely recommend it. It's about those request IDs, like X-Request-ID headers or X-Correlation-ID headers that you see in the HTTP requests, pretty much with every HTTP request to any major... and how those can allow you to inject way deep into all the pipelines of an application, because that request ID is used everywhere to correlate requests and actions that are being taken. So very interesting research, kind of like a "duh" moment, like, why didn't I test for this? So definitely, definitely some great content there.

Trying to think if there's any other announcements for today. Oh, we did launch the swag store this past week, all right? So if you're watching this, which you should be, cuz I already told you to be watching this, then you can see my CTBB t-shirt, got some CTBB stuff on the back too. There's a bunch of different designs on there, so if you want to get your hands on some of that, head over to ctbb.show/swag. That's a little hard to say: ctbb.show/swag, there we go. And you can check out that swag store that we got set up for you guys. All right, I think that's it. Enjoy the episode with Frans, and yeah, it's crazy research, so get ready for your mind to be blown. All right,
peace.

Cool, we're here in Vegas. Frans told me yesterday that there's going to be some research that was going to blow my mind, so we're going to cover that, and I also want to cover a little bit of this crazy bug bash event that we've witnessed this past Vegas. So, all right, hit me.

So this might not blow your mind, but rather be like, "Oh, oh [ __ ], why did I not think of that?" So it's not like... I think when I present the title... So I did a talk back in June at Midnight Sun, which is like a CTF in Stockholm, and when I presented there, I mean, it wasn't that many people, it was mostly the CTF people that were just busy. But so I presented this, and I hadn't presented it anywhere else and I haven't released the slides, so I wanted to do it with you and see your reaction, just because I think I enjoy it so much, and the impact is quite nice as well.

All right, let's see it.

So the title will give it away. Are you ready?

I'm ready.

Boo, boom, boooom: X-Correlation In...

Okay, what the heck is this, dude? Do you know what that is?

I don't.

Okay, this is fun, this is fun. So the talk is called X-Correlation Injections, okay, and the whole idea is how to break server-side context.

And what does that mean?

Probably some form of injection.

Okay, so the discussion here is going to be: struggles, of course; request correlation; and then server-side JSON injections; and out-of-band RCE and blind... Okay, you ready?

Oh my gosh, dude. First impression: what? The mind is spinning. Okay, no, no, hit me with it.

Okay, okay. This sounds super easy. It's going to sound super easy, it's going to sound super obvious, and I'm going to talk about the happy path. Like, we struggled with this for a long time, but this is like straight on to the actual, you know, vulnerabilities. And yeah, hunting server-side bugs, how to reach them deep. Okay, very much like, how do I, you know, look at the front end as a border, or like the API that you're hitting, how can I reach deeper into your infrastructure? And one of those is X-Correlation.

Okay, dude, I've seen these so many freaking times, dude. Okay.

It's, you know, X-Request-ID, X-Correlation-ID, they're everywhere. They're customized, some of them are, you know, named by the company that has them, etc. The whole idea with them is to correlate every single action happening, down to sometimes queries to the database, and the idea is to follow one thing so you can get, like, tracing, you can get everything to say that, okay, this request failed in our microservice world, what type of things happened going down.

So how I understood this was, originally, essentially an introspection tool for the blue teams, right? Where it's like, okay, here's this weird error that I'm seeing at the HTTP layer.

Yes.

Got the correlation ID, and that correlation ID is attached to everything.

Yes.

Along that full stack that occurs.

Absolutely. Okay, the thing is, when you say everything, that includes the frontend, which means that you... the frontend...

See, by frontend you mean the front end of the client side?

Yeah, so the client side.

Oh really?

See, it's generated on the client side most of the time, but what this means, what it means, is that it is controllable by the... by the...

Okay, let's see.

And there's no standard, so there's like a [ __ ]-ton of, you know, different types of formats.

Geez, that's a lot of them. Is that across all the different...

Yeah, I mean, these are just examples, right? So "company name", like they will have, you know, whatever company. So yeah, these are just some of them that I've witnessed. And looking at them from a, you know, blank perspective, not knowing the company that you're targeting, you need to figure out what type of header is actually being used for the correlation. One way to look at it is looking at responses: they might serve you a unique correlation ID just because you made a request. Another one is you can see it in the access control headers, so you can see, like, okay, we allow these certain headers, and one of them being the... or in this case transaction ID, but they could be named...

That's typically in those scenarios where you're dealing with a cross-origin API.

Oh yeah, absolutely. Yeah, and so these access control headers are perfect for, like, understanding what type of headers do they actually need to work from the frontend side or client side.

That's solid. Yeah.

Yeah, another one is, like, this is the perfect thing. Like, as soon as you see reflection, especially when you don't have, like, a validated format, in this case like whatever, this is like gold.

Okay.

And it doesn't necessarily mean that you will hit gold on every single request. It means that this will follow at some... you know, if you find some...