Steve Kosten - Exploiting Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities
©2016 – Cypress Data Defense, LLC

Introduction: Steve Kosten
• Senior Security Consultant
• SANS Instructor
• Denver OWASP Chapter Lead
• Certifications: CISSP, GWAPT, GSSP-Java, CISM
• Contact: [email protected], @skosten
Agenda
• Introduction
• A1: Injection
• A3: Cross-Site Scripting (XSS)
• A8: Cross-Site Request Forgery (CSRF)
Disclaimer
• Using real attack tools
• Illegal to attack targets without written contractual consent
• Obey all state and federal laws
• Cypress Data Defense assumes no liability
A1: Injection
A1: Injection
• Text-based attacks that exploit the syntax of the targeted interpreter.
• Almost any source of data can be an injection vector, including internal sources.
• Injection flaws occur when an application sends untrusted data to an interpreter.
A1: SQL Injection
XKCD (comic slide)
In The News (Target)
• 110 million customer records
• Email, mailing addresses, other Personally Identifiable Information (PII)
In The News (Living Social)
• 50 million customer records
• Email, DOB, password hashes, challenge questions and answers
In The News (Heartland)
• 130 million credit card numbers
• $200 million loss
A1: Example (1)
Inline SQL:
```java
// Untrusted request data is concatenated straight into the SQL text (vulnerable as shown in the deck).
rs = statement.executeQuery("Select EmployeeId, LastName, FirstName, PhoneNumber " +
        "From Employees " +
        "Where EmployeeId = " + request.getParameter("employeeId"));
```
Command Injection:
```java
// The same untrusted parameter is formatted into a command line (vulnerable as shown in the deck).
Runtime.getRuntime().exec(String.format("myTestProcess.exe %s", request.getParameter("employeeId")));
```
Exploitation DEMO
• sqlmap demo: http://sqlmap.org/ (written in Python)
A1: Solution
• Parameterized Queries
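The parameterized-query fix for the inline SQL and command-injection snippets from the A1 example, as an added illustration rather than the deck's own code. It assumes a JDBC Connection to the Employees table and a hypothetical system where employeeId is a short numeric id; the command case uses ProcessBuilder with an explicit argument vector instead of a formatted command string.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hardened versions of the two A1 examples (added illustration, not the deck's code). */
public class EmployeeLookup {
    // Assumption: employee ids on this hypothetical system are short positive integers.
    private static final Pattern EMPLOYEE_ID = Pattern.compile("[0-9]{1,9}");

    /** Allow-list check: anything that is not a plain numeric id is rejected
     *  before it reaches any interpreter (SQL engine or operating system). */
    static int parseEmployeeId(String raw) {
        if (raw == null || !EMPLOYEE_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid employeeId");
        }
        return Integer.parseInt(raw);
    }

    /** Parameterized query: the id is bound as a typed value and never spliced
     *  into the SQL text, so the statement's structure cannot change at runtime. */
    static List<String> findEmployee(Connection conn, String rawId) throws SQLException {
        int id = parseEmployeeId(rawId);
        String sql = "SELECT EmployeeId, LastName, FirstName, PhoneNumber "
                   + "FROM Employees WHERE EmployeeId = ?";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getInt("EmployeeId") + ": " + rs.getString("LastName")
                             + ", " + rs.getString("FirstName") + " " + rs.getString("PhoneNumber"));
                }
            }
        }
        return rows;
    }

    /** Command execution with an explicit argument vector: the validated id is a
     *  single argv entry, so whitespace in the input can never become extra
     *  arguments, and no shell is involved that could interpret metacharacters. */
    static Process runTestProcess(String rawId) throws IOException {
        int id = parseEmployeeId(rawId);
        return new ProcessBuilder("myTestProcess.exe", Integer.toString(id)).start();
    }
}
```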
XSS: Cross-Site Scripting
A3: Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper encoding.
• Execute scripts in the victim's browser
• Hijack user sessions
• Deface web sites
• Redirect the user to malicious sites
In The News (Sears)
In The News (EF)
• Site defaced to contain flashing images designed to cause seizures
• Some victims required hospital care
In The News (Obama)
• Primaries web site had XSS in the blog pages
• Payloads injected to redirect users to Hillary Clinton's election web site
Reflected Example
HTML Context:
```jsp
<td><%= request.getParameter("Name") %></td>
```
URL Context:
```jsp
<a href='<%= String.format("details.aspx?id=%s", request.getParameter("Name")) %>'></a>
```
JavaScript Context:
```jsp
<a href='<%= String.format("javascript:redirect ('{%s}')", request.getParameter("Name")) %>'>View</a>
```
Exploitation DEMO
• Browser Exploitation Framework (BeEF): http://beefproject.com/ (written in Ruby)
Mitigations
• Encoding, encoding, encoding
• Validation is not the solution
• Contexts to consider: Html, Url, JavaScript, HtmlAttribute, Css, Xml, XmlAttribute
Mitigations (2)
• Recommended encoding libraries: OWASP Java Encoder
• HTTP Security Headers: SourceClear Headlines
• X-XSS-Protection, Content-Security-Policy (CSP)
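The three reflected contexts from the Reflected Example slide, each encoded for its context with the OWASP Java Encoder recommended on the Mitigations slides, plus the security headers from Mitigations (2). This is an added illustration, not the deck's or the encoder project's code; it assumes org.owasp.encoder and the servlet API on the classpath, and the hostile input value is constructed.

```java
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

/** Context-specific output encoding for the three reflected examples
 *  (added illustration, not the deck's code). */
public class ContextEncoding {
    // Constructed untrusted input, as it would arrive via request.getParameter("Name").
    static final String HOSTILE_NAME = "<img src=x onerror=alert(1)>'\"";

    /** HTML body context: < > & and quotes become entities, so no tag can open. */
    static String htmlCell(String name) {
        return "<td>" + Encode.forHtml(name) + "</td>";
    }

    /** URL context: percent-encode the parameter value, then attribute-encode the
     *  whole href, because the URL itself sits inside an HTML attribute. */
    static String detailsLink(String name) {
        String url = "details.aspx?id=" + Encode.forUriComponent(name);
        return "<a href='" + Encode.forHtmlAttribute(url) + "'></a>";
    }

    /** Nested contexts are encoded inside-out: JavaScript string literal first
     *  (quotes become \x27 and \x22, so the data cannot close the string), then
     *  HTML attribute. A javascript: href is itself inline script and is blocked
     *  by the CSP below, so the pattern is best avoided where you can. */
    static String jsLink(String name) {
        String js = "redirect('" + Encode.forJavaScript(name) + "')";
        return "<a href='" + Encode.forHtmlAttribute("javascript:" + js) + "'>View</a>";
    }

    /** Defence in depth from the Mitigations (2) slide: without 'unsafe-inline'
     *  this CSP stops inline script even where an encoding gap was missed. */
    static void addSecurityHeaders(HttpServletResponse resp) {
        resp.setHeader("Content-Security-Policy", "default-src 'self'; object-src 'none'");
        resp.setHeader("X-XSS-Protection", "1; mode=block");
    }

    public static void main(String[] args) {
        System.out.println(htmlCell(HOSTILE_NAME));
        System.out.println(detailsLink(HOSTILE_NAME));
        System.out.println(jsLink(HOSTILE_NAME));
    }
}
```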
CSRF: Cross-Site Request Forgery
In The News
• Researcher earns $10,000 bug bounty
• CSRF vulnerability allowing attackers to:
  • Add payment methods
  • Modify email addresses
  • Change security questions
  • Add privileged users
In The News (GoDaddy)
• Admin console vulnerable to CSRF, allowing attackers to perform the following:
  • Modify automatic renewals
  • Edit zone files
  • Name server management
In The News
• 2012: Multiple manufacturers
• 4.5 million routers compromised in Brazil
Cross-Site Request Forgery
• A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information.
• Audit logs will show the user made the transaction
• User has no knowledge of the transaction
Cross-Site Request Forgery (CSRF) Example
• Multiple Authenticated Sessions
Cross-Site Request Forgery (CSRF) Example (2)
Payload on attack page:
```html
<form id="csrfForm" action="http://localhost:8080/csrf/content/vulnerable/changepassword" method="POST" >
  <input type="hidden" name="newPassword" value="StorageRoomB" />
  <input type="hidden" name="confirmPassword" value="StorageRoomB" />
</form>
```
Cross-Site Request Forgery (CSRF) Example (3)
Request triggered from authenticated session:
```http
POST /csrf/content/vulnerable/changepassword HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB
```
Cross-Site Request Forgery (CSRF) Example (4)
200 response from web site:
```http
HTTP/1.1 200 OK

<div class="alert alert-dismissable alert-success"><span>Your password was successfully changed.</span>
</div>
```
Exploitation DEMO
• Simple JavaScript Post
Mitigations
• CSRF Mitigations
  • Random nonce for each request
  • Anti-Forgery Tokens
  • CSRF Guard (OWASP Project)
Cross-Site Request Forgery (CSRF) Solution (1)
Payload with incorrect CSRF token:
```html
<form id="csrfForm" action="http://localhost:8080/csrf/content/vulnerable/changepassword" method="POST" >
  <input type="hidden" name="newPassword" value="StorageRoomB" />
  <input type="hidden" name="confirmPassword" value="StorageRoomB" />
  <input type="hidden" name="_csrf" value="103ae2a3-d4d6-46e9-8ba6-92188ff998c2" />
</form>
```
Cross-Site Request Forgery (CSRF) Solution (2)
Request with invalid token submitted:
```http
POST /csrf/content/vulnerable/changepassword HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB&_csrf=103ae2a3-d4d6-46e9-8ba6-92188ff998c2
```
Cross-Site Request Forgery (CSRF) Solution (3)
403 response from web site:
```http
HTTP/1.1 403 Forbidden

<div class="alert alert-dismissable alert-danger"><span>java.lang.NullPointerException</span>
</div>
```
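The synchronizer-token check behind the Solution slides, walked through with the session id and token value shown there, as an added illustration that is neither the deck's code nor OWASP CSRFGuard. It assumes a hypothetical changepassword handler and uses an in-memory map as a stand-in for HttpSession attributes; the session id and the stale token are the values printed on the slides, not secrets.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Synchronizer-token check for the change-password form (added illustration;
 *  a minimal stand-in for OWASP CSRFGuard, not its code). */
public class CsrfTokenCheck {
    private static final SecureRandom RNG = new SecureRandom();
    // Stand-in for HttpSession attributes, keyed by session id.
    private final Map<String, String> tokenBySession = new HashMap<>();

    /** Issue a fresh random nonce for this session; the genuine page embeds it as
     *  the hidden _csrf field, which an attacker's page cannot read cross-origin. */
    public String issueToken(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenBySession.put(sessionId, token);
        return token;
    }

    /** True only when the submitted _csrf equals the session's nonce: constant-time
     *  compare, and a used nonce is discarded so each request needs a new one. */
    public boolean validate(String sessionId, String submitted) {
        String expected = tokenBySession.get(sessionId);
        if (expected == null || submitted == null) return false;  // none issued, or missing
        boolean ok = MessageDigest.isEqual(expected.getBytes(UTF_8), submitted.getBytes(UTF_8));
        if (ok) tokenBySession.remove(sessionId);
        return ok;
    }

    /** Reject with a generic message rather than an exception name like the deck's 403 body. */
    public String handleChangePassword(String sessionId, String submittedCsrf) {
        return validate(sessionId, submittedCsrf)
            ? "HTTP/1.1 200 OK - Your password was successfully changed."
            : "HTTP/1.1 403 Forbidden - Invalid or missing CSRF token.";
    }

    public static void main(String[] args) {
        CsrfTokenCheck guard = new CsrfTokenCheck();
        String session = "2E7F523BE6E086F5EEB593B2B69842D2";     // JSESSIONID from the slides
        String real = guard.issueToken(session);                 // rendered into the genuine form
        String stale = "103ae2a3-d4d6-46e9-8ba6-92188ff998c2";  // token value from the slides
        System.out.println(guard.handleChangePassword(session, stale)); // attacker's guess
        System.out.println(guard.handleChangePassword(session, real));  // genuine form submit
        System.out.println(guard.handleChangePassword(session, real));  // same nonce, already consumed
    }
}
```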
Questions? Contact Info
• Steve
• Twitter: @skosten
• Email: [email protected]
Thanks for attending!