One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1654673
Publication date 2020-04-14 16:30:00 (viewed: 2020-04-14 18:01:22)
Title Slack phishing attacks using webhooks
Text Background: Slack is a cloud-based messaging platform that is commonly used in workplace communications. It is feature-rich, offering additional functionality such as video calling and screen sharing in addition to a marketplace containing thousands of third-party applications and add-ons. Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body, and a destination channel, you can send a message to any webhook that you know the URL for in any workspace, regardless of membership. Webhooks take the format of https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX.

Generally, Slack webhooks are considered a low-risk integration due to the following assumptions:
- Webhook configuration requires selection of a target channel, reducing the scope of abuse to a single channel.
- The unique webhook URL is secret.
- The webhook only accepts data, and thus alone cannot expose sensitive data to third parties.

A deeper dive into webhooks shows that this is not entirely accurate. First, a channel override allows you to override the previously specified webhook target channel by adding the "channel" key to your JSON payload. If you gain access to a webhook for one channel, you can use it in others. Consider sending to #general, #engineering, and other default or common channels to target a wider audience.

[Figure: Channel override in Slack]

In some cases, this can also override channel posting permissions (such as admin-only posting).

[Figure: changing channel permissions]

Slack documentation suggests that allowed target channels are based on the original creator of the webhook: "posting_to_general_channel_denied is thrown when an incoming webhook attempts to post to the "#general" channel for a workspace where posting to that channel is 1) restricted and 2) the creator of the same incoming webhook is not authorized to post there. You'll receive this error with an HTTP 403." So if you can find a webhook created by an admin - congrats, you can post to admin channels! A quick search on GitHub shows 130,989 public code results containing Slack webhook URLs, with a majority containing the full unique webhook value.

The last assumption is true - webhooks can only accept data. That's where we get creative.

Slack webhook phishing with Slack apps
The process itself is fairly simple:
1. Discover leaked webhooks
2. Create a Slack app and allow public installation of the app
3. Send malicious messages to discovered hooks
4. Track workspaces that install the malicious app
5. Use the app to exfiltrate data from workspaces that install it

Discovery: As mentioned earlier, GitHub is a good start for scraping publicly committed webhook data.

App creation: First, create an app. You will also need a web server to handle the OAuth flow.

[Figure: app creation in Slack]

Slack apps don't require OAuth, but in this case we will be using the Slack API to access data in workspaces where the malicious app is installed. When the user attempts to install the application, they must approve the requested OAuth scopes. Their approval is sent
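As an added defensive example (not code from the AlienVault post), a small checker for the two things the excerpt describes: full webhook URLs leaked in committed files or logs, and JSON payloads that carry the "channel" override key. The regex shape is derived from the URL format quoted above; the sample lines, team/bot IDs and secret are constructed.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of a Slack incoming-webhook URL as given in the article: T<team>/B<bot>/<24-char secret>.
FULL_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]{24})")
# The webhook path without a complete secret: still worth a look, lower severity.
PARTIAL_WEBHOOK_RE = re.compile(r"hooks\.slack\.com/services/")

@dataclass
class Finding:
    line_no: int
    severity: str   # "full" = whole URL leaked, "partial" = only the path prefix
    team_id: str
    bot_id: str
    redacted: str   # safe to paste into a ticket: the secret segment is masked

def scan_text(text: str) -> List[Finding]:
    """Scan a file, diff or CI log line by line for leaked Slack webhook URLs."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        full = list(FULL_WEBHOOK_RE.finditer(line))
        for m in full:
            team, bot, secret = m.groups()
            masked = f"https://hooks.slack.com/services/{team}/{bot}/{secret[:4]}{'*' * 20}"
            findings.append(Finding(n, "full", team, bot, masked))
        if not full and PARTIAL_WEBHOOK_RE.search(line):
            findings.append(Finding(n, "partial", "", "", line.strip()))
    return findings

def channel_override_in_payload(body: str) -> Optional[str]:
    """Return the target channel if an outbound webhook payload sets the 'channel' key (for egress/app log review)."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    if isinstance(payload, dict) and isinstance(payload.get("channel"), str):
        return payload["channel"]
    return None

# Constructed sample input (not a real repository); team/bot IDs and secret are made up.
SAMPLE = """\
SLACK_URL=https://hooks.slack.com/services/T0123ABCD/B0456EFGH/aBcDeFgHiJkLmNoPqRsTuVwX
# webhook base: https://hooks.slack.com/services/ (secret lives in the vault)
print("ok")
"""
```

Rotating a webhook that shows up as a "full" finding is the fix; the masked form lets the finding be tracked without re-leaking it.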
Sent Yes
Tags Guideline


The article does not seem to have been picked up again after its publication.


The article does not seem to have been taken from a previous one.