Discovering Hidden Treasures: Extracting Secrets from Blazor Apps!

00:00

in today's video we are going to be

00:01

looking at a vulnerability that I

00:03

discovered in Blazer applications not

00:05

only are we going to be looking at it

00:07

I'm going to show you why it works how

00:08

it works and how to use the nucle

00:11

template that I released for this issue

00:13

a few months ago I was working on a

00:15

pentest for a client and one of the

00:17

applications they had was built on

00:19

Blazer Blazer is a framework written by

00:21

Microsoft that basically takes all of

00:22

your code and compiles it down into a

00:24

wasm or a web assembly file that is then

00:27

delivered to the client and the

00:29

application e compiles on the Fly and

00:31

run there are two ways that Blazer apps

00:33

are built the first one more secure is

00:36

it is run on the server end and

00:39

basically the client doesn't see all the

00:40

data it all gets run in the server um it

00:43

takes up a lot more resources for that

00:46

application but it is a lot more secure

00:48

I haven't found any issues with that yet

00:50

the one I'm talking about is the client

00:52

side where the wasm is delivered

00:54

directly through the browser and then

00:56

the browser runs all the software that

00:58

it needs and then de compil it and then

01:01

basically you have your application the

01:02

Blazer app is a bootloader in the form

01:05

of a Json file and it's uh blazer.

01:09

bootstrap.js inside that Json file is a

01:11

bunch of instructions some of which are

01:14

the DLS or dynamic link libraries that

01:17

it also has to download now if you have

01:19

watched my video about deleting your

01:22

temporary cach if you're doing PS you'll

01:24

you'll actually see this in action but

01:26

these DLS are also downloaded through

01:29

the browser to the client and it's kept

01:31

in the local storage you can actually

01:33

look into those dlls and you will find

01:36

Bunches of information one of the things

01:38

that I've noticed is that sometimes

01:40

developers don't understand that you can

01:43

extract these files directly out and

01:45

start to look into them and some of

01:48

these uh developers put all of these

01:50

nice juicy secrets in so there's lots of

01:52

you know database configurations there's

01:54

passwords all sorts of things that they

01:57

think you won't be able to see because

01:58

it's compiled down into asn't I

02:00

basically started digging around in

02:01

these DLS found these config issues and

02:05

that allowed me to extract out really

02:07

sensitive information and allowed me to

02:08

go on and compromise some other services

02:11

now 99% of the time you will find these

02:13

files and they will be benign they will

02:15

just be framework files but do look

02:17

around and see if you can find these

02:19

interesting custom files that the

02:22

developers are making so in order to

02:24

make this more interesting and quick um

02:27

I quickly wrote a nuclei template to do

02:30

this for me right and it basically looks

02:32

for these uh Json files pulls out the

02:34

dlls so I can tell if they're framework

02:37

ones or custom ones you're probably

02:39

thinking you can go away and use this

02:40

nucle template to make loads of money on

02:42

bug bounties well sorry but we've

02:44

already done that my friends death

02:46

pirate zish and mate and myself we spend

02:50

a lot of time scanning through every

02:52

single bug Bounty domain that we could

02:53

get our hands- on including some private

02:55

by Bounty ones um just to check using

02:57

this new CL template if there's any

02:59

vulnerab abilities out there and sorry

03:02

to say you're probably not going to find

03:04

any in any bug bount programs for a

03:06

while at least until someone else makes

03:08

the next application so don't waste your

03:11

your time too much I decided though that

03:13

we need to look at this from a different

03:15

way to make sure that we've covered

03:16

everything so around Christmas time last

03:19

year um senta um released a huge list of

03:24

Life domains and how we built that

03:25

domain list was we took the 15 million

03:29

most popular domains on the internet and

03:31

we scann them all and basically we found

03:34

all the live ones and that live list was

03:36

about 10 million domains so I took that

03:39

10 million domain list and I used my

03:42

nuite template to search through there

03:44

so out of the 10 million domains are out

03:46

there there was probably about 700 I

03:49

think we found of Blazer in the client

03:52

side configuration we discovered that

03:54

none of those domains had an active bug

03:57

battery program unfortunately there's no

03:58

way to mass tell loads of people there

04:00

are issues with these things so we are

04:02

working through them slowly one by one

04:04

contacting them and saying look here's

04:06

an issue it's a working progress if you

04:08

are going to go and use this nuclear

04:10

template that I've released please do

04:12

use it for decent honest security work

04:15

we want to make the world a better place

04:17

a more secure place don't use it for

04:19

malicious reasons you know it's not why

04:21

we build these tools it's to make things

04:24

better