logo

When TLS Hacks You

Conference:  BlackHat USA 2020

2020-08-05

Summary

TLS features intended to make it fast have also made it useful as an attack vector, particularly for Server-Side Request Forgery (SSRF). The talk presents a novel, cross-platform way of leveraging TLS to target internal services and provides recommendations for defense.
  • TLS can be used as an attack vector for SSRF due to its flexibility and support for modern TLS
  • Attack scenarios can be gradually expanded to real-world examples
  • Recommendations for defense include running outbound requests through a proxy and reconsidering infrastructure decisions
The speaker demonstrated how a request to an HTTPS URL can affect Memcached, causing an entry to appear after a redirect. This shows the potential usefulness of TLS as an attack vector for SSRF.

Abstract

Lots of people try to attack the security of TLS. But, what if we use TLS to attack other things? It's a huge standard, and it turns out that features intended to make TLS fast have also made it useful as an attack vector.Among other things, these features provide a lot of flexibility for Server-Side Request Forgery (SSRF). While past work using HTTPS URLs in SSRF has relied upon platform-specific bugs such as SNI injection, we can go further. In this talk, I present a novel, cross-platform way of leveraging TLS to target internal services.Uniquely, these attacks are more effective the more comprehensively a platform supports modern TLS, so won't go away with library upgrades. It is also unlikely that the TLS spec will change overnight at the whim of a random security researcher. Instead, we need to walk through scenarios and dispel common assumptions so the audience can make informed code and infrastructure decisions. Of course, the best way to do so is with demos!

Materials:

Tags: