Web Application Security and Release of "WhiteHat Arsenal"

Post on 13-May-2015

Description

Discussion will include the theory surrounding some of the more dangerous web application attacks known, how to test for them quickly, and how to determine possible countermeasures. Insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. It is for these very reasons that WhiteHat Security Inc. is pleased to introduce its new release, "WhiteHat Arsenal", the next generation of professional web security audit software.

WH Arsenal possesses a powerful suite of GUI-Browser based web security tools. These endowments make WH Arsenal capable of completing painstaking web security pen-test work considerably faster and more effectively than any of the currently available tools. Imagine employing WH Arsenal to quickly customize and execute just about any web security attack possible and having those penetration attempts logged in XML format for later reporting or analysis.

Many experienced web security professionals tend to agree that even the best current web security scanners, which scan only for known vulnerabilities, achieve only very limited success or simply do not work at all. Furthermore, these types of tools often result in an enormous overflow of false positives. WhiteHat understands these frustrating shortcomings and is poised to revolutionize the way in which web applications are penetration tested.

Transcript of Web Application Security and Release of "WhiteHat Arsenal"

Black Hat New Orleans

Windows Security 2002

“Web Application Security and Arsenal”

Presenter: Jeremiah Grossman

Copyright 2002 WhiteHat Security All Rights Reserved

Topics

•Web Application Security Landscape

•Why is Web Application Security Important

•Common Web Application Security Mistakes

•Web Application Attack Methodologies

Web Application Security Landscape

Entertainment

Message Boards

WebMail

Guest Books

Voting Polls

E-Commerce

Shopping

Auctions

Banking

Stock Trading

Just Plain Crazy

Printers

PDA’s

Cell Phones

System Configuration

.NET/Passport

Web Application The Simple Definition

A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent.

Web Application The “EASIER” Definition

If it runs on port 80 or port 443, then it is probably a web application.

Why is Web Application Security Important?

Easiest way to compromise hosts, networks and users.

Widely deployed.

No Logs! (POST Request payload)

Incredibly hard to defend against or detect.

Most don’t think of locking down web applications.

Intrusion detection is a joke.

Firewall? What firewall? I don’t see no firewall…

Encrypted transport layer does nothing.

How much easier can it get!? Unicode.

Common Web Application Security Mistakes

Trusting Client-Side Data

Unescaped Special Characters

HTML Output Character Filtering

SUID

ActiveX/JavaScript Authentication

Lack of User Authentication before performing critical task.

Trusting Client-Side Data

DO NOT TRUST CLIENT-SIDE DATA!!!

Trusting client-side data is the #1 cause of vulnerabilities.

Identify all input parameters that trust client-side data.

Unescaped Special Characters

The Level of Trust :

Searches/Queries/Templates

Path:

http://foo.com/cgi?val=string&file=/html/name.db

Or better yet…

http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd

Unescaped Special Characters

! @ $ % ^ & * ( ) -_ + ` ~ \ | [ ] { } ; : ' " ? / , . > <

Check for: Unescaped special characters within input strings

HTML Character Filtering

Proper handling of special characters

> => &gt;

< => &lt;

" => &quot;

& => &amp;

Null characters should all be removed. %00

More mistakes…

SUID (Does a web application really need root?)

Authentication mechanisms using technologies such as JavaScript or ActiveX.

Lack of re-authenticating the user before issuing new passwords or performing critical tasks.

Hosting of uncontrolled data on a protected domain.

WhiteHat Arsenal

GUI Web-Based Interface

Session Based

Discovery Utilities

Active Assessment

Encoding/Decoding

Reporting

Web Application Penetration Methodologies

Information Gathering & Discovery

Input/Output Client-Side Data Manipulation

Information Gathering & Discovery

•Spidering /Site Map

•Identifiable Characteristics

•Error and Response Codes

•File / Application Enumeration

Spidering

Spidering/Site Crawling

Site Map

Service Map

Documentation

Hidden Services

CGI's and Forms

Email addresses

Identifiable Characteristics

Comment Lines

URL Extensions

Meta Tags

Cookies

Client-Side scripting languages

Enormous wealth of information about process flows, debug commands, system types and configurations.

Error and Response Codes

HTTP Response Headers

Server: IBM/Apache 1.3.19

Cookie Characteristics

Error Messages

Exception Messages (Java / SQL)

404 Error Pages

Failed Login

Locked Account

Database or file non-existent

File/Application Enumeration

Commonly referred to as “forced browsing” or “CGI Scanning”.

File/Application Enumeration

Sample Files

Template Directories

Temp or Backup files

Hidden Files

Vulnerable CGIs

Common Directories

Common Log Files

Common Backup Files

Input/Output Client-Side Data Manipulation

URL Manipulation

CGI Parameter Tampering

HTTP Client-Header Injection

Filter/Intrusion Detection Evasion

Protocol/Method Manipulation

Overflows

Input Manipulation Parameter Tampering

"Twiddling Bits."

•Cross-Site Scripting

•Filter-Bypass Manipulation

•OS Commands

•Meta Characters

•Path/Directory Traversal

•Hidden Form Field Manipulation

•HTTP Headers

Cross-Site Scripting

Bad name given to a dangerous security issue

Attack targets the user of the system rather than the system itself.

Outside client-side languages executing within the user’s web environment with the same level of privilege as the hosted site.

Client-Side Scripting Languages

DHTML (HTML, XHTML, HTML x.0): Opens all the doors.

JavaScript (1.x): Browser/DOM Manipulation

Java (Applets): Malicious Applets

VBScript: Browser/DOM Manipulation

Flash: Dangerous Third-Party Interactivity

ActiveX: Let me count the ways…

XML/XSL: Another Door Opener

CSS: Browser/DOM Manipulation

The Scenarios

Trick a user to re-login to a spoofed page

Compromise authentication credentials

Load dangerous or malicious ActiveX

Re-Direct a user or ALL users

Crash the machine or the browser

CSS Danger

“The Remote Launch Pad.”

Successfully CSS a user via a protected domain.

Utilizing a Client-Side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.

User is unknowingly infected/compromised within a single HTTP page load.

ActiveX Netcat Anyone?

2 Types of CSS

Click on a link to activate

<A HREF=“http://www.evil_javascript_link”>Click Here</A>

Auto-Execute by viewing HTML

<SCRIPT>run evil JavaScript</SCRIPT>

Dangerous HTML

“HTML Bad”

<APPLET>: Malicious Java Applications

<BODY>: Altering HTML Page Characteristics

<EMBED>: Embedding Third-Party Applications (Flash, etc.)

<FRAME>: Directly calling in other uncontrolled HTML

<FRAMESET>: Directly calling in other uncontrolled HTML

<HTML>: Altering HTML Page Characteristics

<IFRAME>: Directly calling in other uncontrolled HTML

<IMG>: SRCing Protocol attacks and other abuses

<LAYER>: Directly calling in other uncontrolled HTML

<ILAYER>: Directly calling in other uncontrolled HTML

<META>: META Refreshes. (Client-Redirects)

<OBJECT>: ActiveX (Nuff Said)

<SCRIPT>: JavaScript/VBScript Loading

<STYLE>: Style Sheet and Scripting Alterations

Dangerous Attributes

“Attributes Bad”

ATTRIBUTE DANGER LIST (Any HTML Tag that has these attributes)

STYLE

SRC

HREF

TYPE

Power of the Dots and Slashes

Piping input to the command line.

Path Directory Traversal

http://foo.com/app.cgi?directory=/path/to/data

DotDot Slash:

http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd

Dot Slash:

http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd

Double DotDot Slash:

http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd

More Filter Bypassing

Method Alteration (HEAD, PUT, POST, GET, etc.)

URL Encode

http://www.foo.com/cgi?value=%46%72%68%86

Null Characters

http://www.foo.com/cgi?value=file%00.html

More…

Alternate Case, Unicode, String Length, Multi-Slash, etc.

Authentication & Session Management

Brute/Reverse Force

Session Hi-Jacking

Session Replay

Session Forging

Page Sequencing

Reporting

XML/HTML Based

Manual Hack Attack Log w/ Descriptor

Common Directory Force Browsing

Common Log File Force Browsing

Backup File Force Browsing

Spider Log

Spider XML Log

Attempts XML Log

A few quick things to help secure a web application.

Do Not Trust Client-Side Data

Escape and filter all input/output data

Set-up parameter and request method allow lists.

Don’t use what you’re not expecting to receive.
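The closing checklist above and the earlier HTML Character Filtering slide, worked into one small request validator: allow-listed methods and parameters, null removal, and entity-encoding of output. This is an added example, not the presentation's or WhiteHat's code; the endpoint, parameter names and value patterns are assumed, and escaping of the single quote goes beyond the four characters the slide lists.

```python
import html
import re

# Constructed allow lists for a hypothetical search endpoint (example values only).
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PARAMS = {
    # parameter name -> pattern its value must match in full
    "q": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "page": re.compile(r"[0-9]{1,3}"),
}


def strip_nulls(value: str) -> str:
    """Drop null characters, raw or still URL-encoded (%00), as the
    HTML Character Filtering slide advises."""
    return value.replace("\x00", "").replace("%00", "")


def escape_for_html(value: str) -> str:
    """Output filtering per the slide's table: & < > " become entities.
    html.escape replaces & first, so the entities it produces are not
    re-encoded; it also escapes ' (an addition beyond the slide)."""
    return html.escape(strip_nulls(value), quote=True)


def validate_request(method: str, params: dict):
    """Allow-list check from the closing slide: accept only expected request
    methods, expected parameter names and well-formed values, instead of
    deny-listing bad characters. Returns (accepted, detail)."""
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    clean = {}
    for name, value in params.items():
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None:
            # "Don't use what you're not expecting to receive."
            return False, f"unexpected parameter {name}"
        value = strip_nulls(value)
        if not pattern.fullmatch(value):
            return False, f"parameter {name} failed validation"
        clean[name] = value
    return True, clean


if __name__ == "__main__":
    # Constructed requests: one legitimate, one tampered with an extra 'file' parameter.
    print(validate_request("GET", {"q": "hello world", "page": "2"}))
    print(validate_request("GET", {"q": "root", "file": "../../etc/passwd"}))
    print(escape_for_html('<script>alert("x")</script>'))
```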

Thank You!

Questions?

Jeremiah Grossman

jeremiah@whitehatsec.com

WhiteHat Security

All presentation updates will be available on

www.whitehatsec.com

and

community.whitehatsec.com