top ten web hacking techniques (2010)
DESCRIPTION
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users. The top attacks in 2010 include: • 'Padding Oracle' Crypto Attack • Evercookie • Hacking Auto-Complete • Attacking HTTPS with Cache Injection • Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution • Universal XSS in IE8 • HTTP POST DoS • JavaSnoop • CSS History Hack In Firefox Without JavaScript for Intranet Portscanning • Java Applet DNS Rebinding Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.TRANSCRIPT
Jeremiah GrossmanFounder & Chief Technology Officer
Webcast03.17.2011
© 2011 WhiteHat Security, Inc.
Web Hacking2010
top ten
techniques
© 2010 WhiteHat Security, Inc. | Page
Jeremiah Grossman• WhiteHat Security Founder & CTO
• Technology R&D and industry evangelist
• InfoWorld's CTO Top 25 for 2007
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
2
4
400+ enterprise customers •Start-ups to Fortune 500
Flagship offering “WhiteHat Sentinel Service”•1000’s of assessments performed annually
Recognized leader in website security•Quoted thousands of times by the mainstream press
5
“Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about brand new and creative methods of Web-based attack.”
About the Top Ten
6
New Techniques2009 (80)
Creating a rogue CA certificate
2008 (70)GIFAR (GIF + JAR)
2007 (83)XSS Vulnerabilities in Common Shockwave Flash Files
2006 (65)Web Browser Intranet Hacking / Port Scanning
69 new techniques2010
http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html
1) 'Padding Oracle' Crypto Attack2) Evercookie3) Hacking Auto-Complete4) Attacking HTTPS with Cache Injection5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution6) Universal XSS in IE87) HTTP POST DoS8) JavaSnoop9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning10) Java Applet DNS Rebinding
7
Clickjacking is when an attacker invisibly hovers an object (button, link, etc.) below a user's mouse. When the user clicks on something they visually see, they're instead really clicking on something the attacker wanted them to. HTTP Parameter Pollution is where an attacker submits multiple input parameters (query string, post data, cookies, etc.) with the same name. Upon receipt applications may react in unexpected ways and open up avenues of server-side and client-side exploitation. By cleverly leveraging these two former Top Ten attacks, CSRF attacks can be carried out against a user even when recommended token defenses are in use.
Bypassing CSRF with Clickjacking and HTTP Parameter Pollution
8
2
5http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
Lavakumar Kuppan (@lavakumark)
9
Think of any button – image, link, form, etc. – on any website – that can appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, Netflix queue.
Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to.
What could the bad guy do with that ability?
Clickjacking (Top Ten 2009)
<iframe src="http://victim/page.html" scrolling="no"frameborder="0" style="opacity:.1;filter: alpha(opacity=.1); -moz-opacity 1.0;">!
</iframe>
HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.
Hover Invisible IFRAMEs
10
11
If an attacker submit multiple input parameters (query string, post data, cookies, etc.) of the same name, the application may react in unexpected ways and open up new avenues of server-side and client-side exploitation.
HTTP Parameter Pollution (HPP) - Top Ten 2009
GET /foo?par1=val1&par1=val2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */*
POST /foo HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */*
par1=val1&par1=val2
POST /index.aspx?par1=val1&par1=val2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Cookie: par1=val3; par1=val4Content-Length: 19
par1=val5&par1=val6
Bizarre behavior
12
13
14
15
void private executeBackendRequest(HTTPRequest request) { String amount=request.getParameter("amount"); String beneficiary=request.getParameter("recipient");
HttpRequest("http://backend.com/servlet/actions","POST", "action=transfer&amount="+amount+"&recipient="+beneficiary);}
Malicious URL:http://target.com/page?amount=1000&recipient=Jeremiah%26action%3dwithdraw
Translates to:action=transfer&amount=1000&recipient=Jeremiah&action=withdraw
It is possible the attack could work if proper authorization controls are not in place and the application uses the last occurrence of the action parameter (IBM Lotus Domino, PHP / Apache, etc.)
Simple parameter injection
16
17
Example Scenariohttp://example/updateEmail.jsp
Client-Side<form method="POST"><input type="text" name="email" value=””></input><input type="hidden" name=”csrf-token” value="a0a0a0a0a0a"/></form>
Server-Sideif (req.parameter("email").isSet() && req.parameter("csrf-token").isValid()) { // process the form and update the email ID} else { // display an empty form to the user (CSRF token included)}
18
Bringing it all together<iframe src=”http://example/[email protected]”>
HTTP request via user submitted form via Clickjacking. The form was not filled out by the victim, meaning the email parameter in the POST body is blank. Now the QueryString contains the attacker entered value for the ‘email’ parameter.
POST /[email protected] HTTP/1.1Host: www.example.com
email=&csrf-token=a0a0a0a0a0
When the server side JSP code calls req.parameter("email"), the value that is returned is the one in the QueryString (HPP first occurrence) and not the POST body. Since this value can be controlled by the attacker, he can trick the victim in to updating his account with the attacker’s mail ID.
No matter what type of encryption is used to defend a network, sooner or later the password, key, or certificate needs to be stored. If an attacker is able to tamper with the storage mechanism, even the strongest encryption mechanism can fail. The researchers demonstrated how to attack storage mechanisms by tampering with SSL session and break into Wifi networks using WPA. They also showed how to exploit SSL warning inconsistencies and caching mechanisms to trick the user into accepting a bad certs and steal their username & password.
Attacking HTTPS with Cache Injection
19
24
http://www.youtube.com/watch?v=bt0Qh9c59_chttp://elie.im/talks/bad-memories
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh
Public Wifi
Victims
Bad Guycoffee shops, airplanes, corp guest networks
Internet
http://www.bindshell.net/tools/beef/http://airpwn.sourceforge.net/Airpwn.html
HTTP
Airpwn
• Victim(s) located on a RFC 1918 network with a Bad Guy• Bad Guy may take the opportunity to read victim’s Web mail, steal creds, etc.• Bad Guy man-in-the-middles HTTP (Airpwn) to inject IFRAMEs to RFC-1918 IPs• MitM IFRAMEs to include JavaScript malware (BeEF). Or ...• Inject JavaScript malware into popular Web widget URLs. (Ad servers, counters, etc.)• Cache content in the browser for a really long time, beyond current session!
RFC1918 Caching Security - (Top Ten 2009)
21
Situation•43% of the Alexa top 100,000 use external javascript libraries
• Injecting a malicious javascript library into the browser cache allows the attacker to compromise a website protected by SSL
•The malicious library stays in the cache until the user clears it. Moving to a “safe” location doesn’t help
22
Impact•One poisoned injection leads to multiple breaches
•Multiples websites share the same external library such as Google Analytics
• Injecting a malicious version of one of these shared libraries allows the attacker to target all the websites that use it
23
Browser Defense -- sort of•The only defense against cache injection is the SSL warning displayed by the browser when a bad certificate is supplied
•Corner cases that allows an attacker to alter the way SSL certificate warning are displayed
•These alterations make caching attack efficient as the user is more likely to click through the tampered warning
24
Video Demo•The following demos show how caching injection attacks works against Internet Explorer 8 and Firefox 3.6
•These demos were done in real time against real sites with their real certificates
This research encompasses a set of techniques where a malicious website may surreptitiously obtain their visitors names, job title, workplace, physical address, telephone number, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on by simulating JavaScript keystroke events in Web browsers HTML form auto-complete / autofill functionality.
Hacking Auto-Complete
25
23
http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.htmlhttp://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.htmlhttp://jeremiahgrossman.blogspot.com/2010/09/safari-autofill-hack-lives.htmlhttp://jeremiahgrossman.blogspot.com/2010/07/in-firefox-we-cant-read-auto-complete.html
Jeremiah Grossman (@jeremiahg)
I want to know your name, who you work for, where you live, your email address, etc.Right at the moment you a visit a website. Even if you’ve never been there before, let alone entered information.
26
Safari Address Book Autofill (enabled by default)
<form><input type="text" name="name"><input type="text" name="company"><input type="text" name="city"><input type="text" name="state"><input type="text" name="country"><input type="text" name="email"></form>
27
Address Card Autofill works even when you’ve NEVER entered personal data on ANY WEBSITE.
28
29
Demo
Step 1) Dynamically create input fields with the pre-set attribute names.
Step 2) Cycle through the alphabet initiating text events until a form value populates.
Step 3) Profit! -- Steal data with JavaScript.
var event = document.createEvent('TextEvent');event.initTextEvent('textInput', 1, 1, null, char);
input.value = "";input.selectionStart = 0;input.selectionEnd = 0;input.focus();input.dispatchEvent(event);!!setTimeout(function() { if (input.value.length > 1) { // capture the value; }}, 500);
Safari v4 / v5
*transparency is even more fun!*
Internet Explorer 8 = SAFE
30
AutoComplete: User-supplied form values are shared across different websites by attribute “name”. For example, email addresses entered into a field on website A populates the autofill for the same field name on website B, C, D, etc.
<input type="text" name="email">
31
// hit down arrow an incrementing number of times.// separate with time to allow the GUI to keep pacefor (var i = 1; i <= downs; i++) { time += 30; // time padding keyStroke(this, 40, time); // down button}! !time += 15; // time paddingkeyStroke(this, 13, time); // enter button
// initiate keystroke on a given objectfunction keyStroke(obj, code, t) { //create new event and fire var e = document.createEventObject(); e.keyCode = code; setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);} // end keyStroke
Security Basis, and an Internet Explorer data stealerhttp://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.htmlAndrea Giammarchi, Ajaxian Staff
DEMO - Down, Down, Enter
32
Search termsCredit card numbers and CCVsAliasesContact informationAnswers to secret questionsUsernamesEmail addresses...
33
AutoComplete is NOT enabled by default, but Internet Explorer asks if the user if they would like to enable the feature after filling out a non-password form.
34
Have the email address, but need the password
35
Many Web Browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis.
<form method="post" action="/">E-Mail: <input type="text" name="email"><br />Password: <input type="password" name="pass"><br /><input type="submit" value="Login"></form>
Saving Passwords
36
function stealCreds() { var string = "E-Mail: " + document.getElementById("u").value; string += "\nPassword: " + document.getElementById("p").value; return string;}document.write('<form method="post" action="/">E-Mail: <input id="u" type="text" name="email" value=""><br>Password: <input id="p" type="password" name="password" value=""></form>');
setTimeout('alert(stealCreds())', 2000);
If a website with a saved password is vulnerable to XSS, the payload can dynamically create login forms, which executes the browser’s password auto-complete feature. Since the payload is on the same domain the username / password can be stolen.
DEMO**37
Disable Auto-Complete in the Web browser
Remove persistent data (History, Form Data, Cookies, LocalStorage, etc.)
NoScript (Firefox Extension), 1Password, etc.
<form autocomplete="off"><input type="text" autocomplete="off" />
What to do...
38
http://samy.pl/evercookie/
Samy Kamkar (@samykamkar)
Evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
Evercookie
39
22
40
41
1) Standard HTTP Cookies
2) Flash Cookies (LSOs)
3) Silverlight Isolated Storage
4) Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
5) Storing cookies in Web History
6)window.name caching
Evercookies6) Internet Explorer userData storage
7) Storing cookies in Web cache
8) Storing cookies in HTTP ETags
9) HTML5 Session Storage
10) HTML5 Local Storage
11) HTML5 Global Storage
12) HTML5 Database Storage via SQLite
42
• Persistent cookies via Javascript API
• Recreates after deletion
• Combines different storage mechanisms
• Easy to use!
The API
var ec = new evercookie();
ec.set(“uniqueid”, “31337”); // set uniqueid = 31337
// get our evercookie data backec.get(“uniqueid”, function(val) { alert (“ID is “ + val) } );
43
PNGs CacheCookie stored in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas Tag to read pixels back out
Pixel 0x0 = 0x4f5741 OWAPixel 0x1 = 0x535000 SP\0
44
Killing Evercookies (Video)1) Open a new tab, then close all other windows and tabs.2) Delete Silverlight Isolated Storage• Go to http://www.silverlight.net/• Right click the Silverlight application (any app will do)• Silverlight Preferences > Application Storage > Delete all...• Click "Yes"• * Optionally disable "Enable application storage"3) Delete Flash Local Shared Objects (LSO)• Go got the Flash "Website Storage Settings panel"• Click "Delete all sites"• Click "Confirm"4) Clear Browsing Data• - Wrench > Tools > Clear Browsing Data...• - Select all options• - Clear data from this period: Everything• - Click "Clear Browsing data"
http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.htmlhttp://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html
45
Other Protections
•Nevercookie - The evercookie killer
Firefox plugin to extend Firefox’s Private Browsinghttp://nevercookie.anonymizer.com/
•Use a virtual machine. (On your neighbor’s WiFi Network)
46
Other Worries...•System/browser timing
•GPU timing via plugins/accelerators (w/Flash)
•MAC address accessible via Java or ActiveX!
In 2002 a powerful side-channel attack, ‘padding oracle’ (NOT THE DATABASE!), was described targeting AES CBC-mode encryption with PKCS#5 padding. If there is an oracle which on receipt of a ciphertext, decrypts it and replies whether the padding is correct, shows how to use that oracle to decrypt data without knowing the encryption key. The new techniques allow attackers to use a ‘padding oracle’ to decrypt and encrypt messages of any length without knowing the secret key and exploit popular web development frameworks including ASP.NET.
'Padding Oracle' Crypto Attack
47
2
http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdfhttp://netifera.com/research/http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/http://www.youtube.com/watch?v=yghiC_U2RaMhttp://threatpost.com/en_us/blogs/padding-oracle-crypto-attack-affects-millions-aspnet-apps-091310
Juliano Rizzo (@julianor)Thai Duong (@thaidn)
1
48
Brian Holyfieldhttp://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
49
An application uses a query string parameter to pass an encrypted username, company id, and role id of a user. The parameter is encrypted using CBC mode, and each value uses a unique initialization vector (IV) pre-pended to the ciphertext. When the application is sent an encrypted value, it responds in one of three ways:
1)Valid ciphertext, properly padded and valid data (200 OK)2)Invalid ciphertext, improper padding (500 Internal Server Error)3)Valid ciphertext, properly padded and invalid data (200 OK - custom error)
Padding Oracle Attack Basics
User’s name (BRIAN), company id (12), and role id (2). The value, in plaintext, can be represented as BRIAN;12;2;
http://site/app.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
50
51
Encryption
Decryption
52
First block of ciphertext pre-pended with an IV of all NULL values.
Request: http://site/app.jsp?UID=0000000000000000F851D6CC68FC9537Response: 500 - Internal Server Error
53
Last byte of the initialization vector incremented by one.
Request: http://app/home.jsp?UID=0000000000000001F851D6CC68FC9537Response: 500 - Internal Server Error
54
Incrementing the last byte in the IV up to FF will produce a valid padding sequence for a single byte of padding (0×01). Only one value will produce the correct padding byte and have different response than the other 255.
Request: http://site/app?UID=000000000000003CF851D6CC68FC9537Response: 200 OK
If [Intermediary Byte] ^ 0x3C == 0×01,then [Intermediary Byte] == 0x3C ^ 0×01,so [Intermediary Byte] == 0x3D
55
To crack the 7th byte, the 7th and 8th byte must equal 0×02 for valid padding. Since we already know that the last intermediary value byte is 0x3D, we can update the 8th IV byte to 0x3F (which will produce 0×02) and then focus on brute forcing the 7th byte (starting with 0×00 and working our way up through 0xFF).
56
"The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally
stealthy.The cryptographic knowledge required is very basic." - Julian Rizzo
Work backwards through the entire block until every byte of the intermediary value is cracked and uncovering the decrypted value one byte at a time. The final byte is cracked using an IV that produces an entire block of just padding (0×08).
57
<VIDEO>
"It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,"
-Thai Duong
58
Vulnerable FrameworksASP.Net, CAPTCHAs, JavaServer Faces, OWASP ESAPI, Ruby On Rails, etc.
Prevention•Encrypt-then-MAC (sign) and validate-then-decrypt•Patch!
Impact & Prevention
59
•Encryption attacks took the top spot for the 2nd year in a row.
•Web Browser privacy? Web browser security? Not so much.
• “Top Ten” attacks from previous years are being improved.
•Several attack techniques from previous years are now actively being used maliciously in the wild.
What have we learned?
60
Blog: http://jeremiahgrossman.blogspot.com/Twitter: http://twitter.com/jeremiahgEmail: [email protected]
Thank You...•Sponsors: OWASP, Black Hat, WhiteHat
Security•Panel of Experts: Ed Skoudis, Giorgio
Maone, Caleb Sima, Chris Wysopal, Jeff Willams, Charlie Miller, Dan Kaminsky, Steven Christey (Mitre), and Arian Evans
•All the security researchers for their contributions
•Everyone in the Web Application Security community who assisted