Page 1: Jeroen van Beek · Many many useful Google Dorks online  18 ... You need to exploit a weakness to get the password

Jeroen van Beek

1

Page 2:

Why bother?
Causes of data breaches
OWASP
◦ Top ten attacks
Now what?
Do it yourself
Questions?

Page 3:

In many cases the web application stores:
◦ Credit card details
◦ Personal information
◦ Passwords that might also be used elsewhere

Media likes hacks
◦ Your company doesn't…

Governments want to enforce data protection
◦ NL: Meldplicht Datalekken
◦ EU: General Data Protection Regulation a.k.a. GDPR

Page 4:

Your company doesn't like that

Page 5:

GDPR
◦ Enforceable starting 25 May 2018
◦ Goal is to give control back to citizens and residents over their personal data
◦ Fines:
  Lower level: up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
  Upper level: up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

Page 6:

In many cases caused by technical issues:
◦ Poor/no input filtering
◦ Outdated software with known weaknesses
◦ Weak passwords

Non-techies are creating technical solutions:
◦ Click and play enterprise website
◦ Not aware of security issues

Techies are also not always aware
◦ What about you?

In many cases the issues are quite easy to solve
◦ If you know what to do…

Page 7:

The same issues keep on coming back
◦ People make the same mistakes over and over again…

Open Web Application Security Project (OWASP):
◦ Free and open
◦ Top ten project: documents the 10 most critical webapp security flaws
  https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  Latest version: 2017
◦ Documents solutions for all popular webapp environments

Page 8:

Page 9:

Key items are not logged
◦ Successful and failed logons
◦ Application errors

Not all interfaces monitored
◦ E.g. API forgotten

Insecure storage of logs
◦ Use write-only (append-only) and/or non-local storage, so an attacker who owns the host cannot rewrite history

No follow-up
◦ Logs never checked…

Page 10:

Keep your software up-to-date
◦ Patching doesn't stop at operating system level! Database, web server, third party libraries, …

Lots of automated tools available
◦ Mapping: nmap, …
◦ Scanning: OpenVAS, Nessus, Nexpose, …
◦ Exploiting: Metasploit, …
◦ Script kiddies can and will do this!

Page 11:

Page 12:

Serialization
◦ The process of turning an object in memory into a stream of bytes that can be stored or transmitted.
◦ PHP example:
  $array = array("a" => 1, "b" => 2, "c" => array("a" => 1, "b" => 2));
  a:3:{s:1:"a";i:1;s:1:"b";i:2;s:1:"c";a:2:{s:1:"a";i:1;s:1:"b";i:2;}}

Deserialization
◦ The reverse process, turning a stream of bytes into an object in memory.

Issues
◦ Parsers are complex and prone to errors
◦ User data in a web app is untrusted
◦ Doing something wrong might mean (remote) code execution

Page 13:

Vulnerable PyYAML example:

    import yaml

    # yaml.load with the default Loader constructs arbitrary Python objects
    # (PyYAML < 5.1 behaviour; newer versions require an explicit Loader)
    with open('evil.yml') as yaml_file:
        contents = yaml.load(yaml_file)

    print(contents['foo'])

Exploit (contents of evil.yml):

    foo: !!python/object/apply:subprocess.check_output ['whoami']

Known danger:
◦ "Warning: It is not safe to call yaml.load with any data received from an untrusted source! yaml.load is as powerful as pickle.load and so may call any Python function. Check the yaml.safe_load function though."
◦ https://searchcode.com/?q=yaml.load…
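The slide's payload makes yaml.load call subprocess.check_output(['whoami']), and the PyYAML warning it quotes says yaml.load is as powerful as pickle.load. The example below is added here and is not from the slides: it uses pickle (standard library only) with a harmless callable, platform.node, standing in for the whoami call, and puts the unsafe loader next to a restricted one that plays the role of yaml.safe_load. The Payload class, the allow-list and the function names are this example's own.

```python
import io
import pickle
import platform


class Payload:
    """Constructed malicious object: __reduce__ tells the unpickler which
    callable to run on load. Any importable function could go here; the
    slide's YAML payload does the same with subprocess.check_output."""
    def __reduce__(self):
        return (platform.node, ())


def build_malicious_pickle() -> bytes:
    return pickle.dumps(Payload())


def build_benign_pickle() -> bytes:
    """Plain data needs no globals at all; this is what a document should look like."""
    return pickle.dumps({"foo": [1, 2], "bar": "baz"})


def unsafe_load(data: bytes):
    """Equivalent of yaml.load / pickle.load: executes whatever the stream names."""
    return pickle.loads(data)


# Globals a document may reference. Dicts, lists, strings and numbers are
# built from opcodes and never go through find_class, so this stays tiny.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Equivalent of yaml.safe_load: refuses every global not explicitly allowed."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def run_demo() -> dict:
    evil, benign = build_malicious_pickle(), build_benign_pickle()
    return {
        # the unsafe loader ran platform.node() and handed back its result
        "unsafe_ran_callable": unsafe_load(evil) == platform.node(),
        "safe_rejects_evil": is_rejected(evil),
        "safe_loads_benign": safe_load(benign),
    }


if __name__ == "__main__":
    print(run_demo())
```

The allow-list is the important design choice: a block-list of "dangerous" modules is never complete, while an allow-list of the handful of types your documents actually need is. For YAML the same idea is what yaml.safe_load implements.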

Page 14:

Exploits developed for deserialization libraries of popular frameworks:
◦ Apache Commons Collections (3.x and 4.x)
◦ Spring Beans/Core (4.x)
◦ Groovy (2.3.x)
◦ JRE <= 1.7u21

Other parsers might also be vulnerable

Resources:
◦ https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
◦ http://frohoff.github.io/owaspsd-deserialize-my-shorts/
◦ https://github.com/frohoff/ysoserial
◦ https://github.com/NetSPI/JavaSerialKiller

Page 15:

Cross Site Scripting
◦ Execute scripts in the victim's browser:
  Hijack user sessions
  Deface web sites
  Insert hostile content
  Conduct phishing attacks
  Take over the user's browser using scripting malware
◦ In most cases JavaScript based; also applicable to other scripting languages

Page 16:

Two types:
◦ Reflected: code injected via e.g. a link in a phishing email
  victim.com/get.php?id=<script>alert(123)</script>
  E.g. one phishing email per attack
◦ Stored: evil code is stored in e.g. the database or logs
  Store <script>alert(123)</script> in the DB record for the welcome message of a CMS
  Store once, run for all users
◦ Interesting goals for an attacker:
  Session hijacking (stealing cookies)
  Privilege escalation (account upgrade by targeting admins)
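Both variants on this slide come down to the same server-side mistake: untrusted text is pasted into HTML without encoding it for the place where it lands. The example below is added here, not code from the slides: a tiny page renderer with the slide's two injection points (the reflected `id` query parameter and the stored CMS welcome message) in a vulnerable and a fixed form, plus the cookie flags that limit what a successful injection can steal. The "database", the request and the function names are constructed for the example.

```python
import html
from urllib.parse import parse_qs

PAYLOAD = "<script>alert(123)</script>"

# Constructed data: the stored variant (planted once, served to every visitor)
FAKE_DB = {"welcome_message": "Hello " + PAYLOAD}
# Constructed request: the reflected variant (one crafted link per victim)
QUERY_STRING = "id=" + PAYLOAD


def render_vulnerable(query_string: str, db: dict) -> str:
    """Concatenates untrusted strings straight into HTML."""
    user_id = parse_qs(query_string).get("id", [""])[0]
    return (f"<h1>{db['welcome_message']}</h1>"
            f"<p>Details for user {user_id}</p>")


def render_safe(query_string: str, db: dict) -> str:
    """Encodes at output time, for the HTML text context the value lands in.
    quote=True also encodes quotes, so the same helper is safe inside
    double-quoted attribute values; it is NOT enough for JavaScript or URL
    contexts, which need their own encoders."""
    user_id = parse_qs(query_string).get("id", [""])[0]

    def esc(s: str) -> str:
        return html.escape(s, quote=True)

    return (f"<h1>{esc(db['welcome_message'])}</h1>"
            f"<p>Details for user {esc(user_id)}</p>")


def contains_script(page: str) -> bool:
    """Would a browser see an executable <script> element in this page?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for the 'stealing cookies' goal: HttpOnly keeps the
    cookie out of document.cookie, Secure keeps it off plain-http links."""
    return f"Set-Cookie: SESSION={session_id}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print(render_vulnerable(QUERY_STRING, FAKE_DB))
    print(render_safe(QUERY_STRING, FAKE_DB))
```

Escaping on the way in (when the welcome message is saved) is the common wrong fix: the same string may later be emitted into an attribute, a script block or a JSON response, and each needs different encoding. Encode where you emit.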

Page 17:

Advanced tools are out there to abuse flaws
◦ Tunnel traffic using XSS: https://github.com/portcullislabs/xssshell-xsstunnell

Page 18:

Out of the box installs
◦ Next, next, next, finish

Find it using Google:
◦ Web front-end for Oracle: intitle:iSQL intitle:Release inurl:isqlplus
◦ Indexing of sensitive information:
  intitle:"Index of" .mysql_history
  filetype:pdf paspoortnummer koopcontract
  filetype:sql "phpMyAdmin SQL Dump"
◦ Many many useful Google Dorks online: https://www.exploit-db.com/google-hacking-database/

Page 19:

Default passwords
◦ http://www.defaultpassword.com/

Page 20:

iPhone botnet
◦ Default SSH password after jailbreak

Routers

Page 21:

User can access and modify object values

Example:
◦ Login using your credentials
◦ Link refers to http://app/details?userid=1
◦ Script download of all files: userid=[1-9999]

Hashing doesn't help (the attacker can hash the same sequence of IDs)

Page 22:

Server side authorization checks are not performed for all functionality

Attacks:
◦ Escalate from anonymous user to authenticated user
◦ Escalate from authenticated user to admin

Examples:
◦ If /users/user1/admin/ exists, it might be worth checking if /users/userN/admin/ also exists

Difficult to identify with automated tools

Page 23:

Hidden and unchecked parameter:
◦ Add to POST data when updating a user:
  &ctl00%24ContentPlaceHolder1%24dvUser%24cbxUserAdmin=on
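Slides 21 to 23 are the same root cause seen from two sides: the server authenticates the caller but never asks whether this caller may touch this object or set this field. The example below is added here, not code from the slides: an in-memory user store with the `/details?userid=N` handler from slide 21 and the user-update handler with the hidden `cbxUserAdmin` checkbox from slide 23, each in a vulnerable and a fixed form, and the attacker's enumeration loop. The records, handler signatures and the field-to-attribute map are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class User:
    userid: int
    name: str
    secret: str
    is_admin: bool = False


def fresh_store() -> dict:
    """Constructed records; a new copy per call so the demos do not interfere."""
    return {
        1: User(1, "admin", "admin-token", is_admin=True),
        2: User(2, "jeroen", "jeroen-token"),
        3: User(3, "alice", "alice-token"),
    }


class Forbidden(Exception):
    pass


# --- slide 21: insecure direct object reference ---------------------------

def details_vulnerable(users: dict, session_userid: int, requested_userid: int) -> User:
    """Caller is logged in, but the object is never checked against the caller."""
    return users[requested_userid]


def details_fixed(users: dict, session_userid: int, requested_userid: int) -> User:
    """Object-level check: the record must belong to the caller, or the caller is admin."""
    caller = users[session_userid]
    if requested_userid != session_userid and not caller.is_admin:
        raise Forbidden(f"user {session_userid} may not read user {requested_userid}")
    return users[requested_userid]


def enumerate_secrets(handler, users: dict, session_userid: int,
                      id_range=range(1, 10000)) -> dict:
    """The attacker's script from the slide: walk userid=[1-9999], keep what comes back."""
    found = {}
    for uid in id_range:
        if uid not in users:
            continue  # a real app answers 404 here; the store only has three rows
        try:
            found[uid] = handler(users, session_userid, uid).secret
        except Forbidden:
            pass
    return found


# --- slide 23: hidden, unchecked parameter (mass assignment) --------------

ADMIN_CHECKBOX = "ctl00$ContentPlaceHolder1$dvUser$cbxUserAdmin"
# The checkbox is only rendered on the admin's form, but the server-side
# binder knows about it for every caller.
FORM_TO_ATTR = {"name": "name", ADMIN_CHECKBOX: "is_admin"}


def _bind(user: User, post_body: str, allowed_attrs: set) -> User:
    form = {k: v[0] for k, v in parse_qs(post_body).items()}  # decodes %24 to $
    for field, attr in FORM_TO_ATTR.items():
        if field in form and attr in allowed_attrs:
            value = form[field]
            setattr(user, attr, value == "on" if attr == "is_admin" else value)
    return user


def update_user_vulnerable(users: dict, session_userid: int, post_body: str) -> User:
    """Binds every known form field, the hidden admin checkbox included."""
    return _bind(users[session_userid], post_body, set(FORM_TO_ATTR.values()))


def update_user_fixed(users: dict, session_userid: int, post_body: str) -> User:
    """Binds only what this role may change; is_admin is never user-settable."""
    return _bind(users[session_userid], post_body, {"name"})
```

The fixed handlers are the same size as the vulnerable ones; what changes is that the allowed set is decided on the server from the session, not from what the form happened to contain. That is also why automated scanners struggle here (slide 22): the responses look identical, only the business rule differs.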

Page 24:

Problem can also occur with 'secret' files:

Page 25:

Untrusted XML input is parsed
Attacker includes evil entities in XML
XML parser processes evil entities

Examples (entity declarations inside the DOCTYPE):
◦ Local files: <!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
◦ URLs: <!ENTITY xxe SYSTEM "https://intranet.lan/secret" >]>
◦ DoS: <!ENTITY xxe SYSTEM "file:///dev/random" >]>
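The entity declarations above only do harm when the parser is willing to fetch external entities. The example below is added here, not code from the slides: it builds the attacker's document around the slide's `<!ENTITY xxe SYSTEM "...">` declaration and parses it twice with Python's xml.sax parser, once with external general entities enabled (the setting that makes it vulnerable) and once with the default, which has been off since Python 3.7.1. The "secret" file is created by the example itself so it runs anywhere; it stands in for the slide's /etc/shadow and https://intranet.lan/secret targets, which the example deliberately does not touch. Class and function names are this example's own.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data of the document, entity expansions included."""
    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def xxe_document(target_url: str) -> bytes:
    """The attacker's XML: a DOCTYPE that declares an external entity and a
    body that references it, exactly the shape shown on the slide."""
    return (f'<?xml version="1.0"?>'
            f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{target_url}">]>'
            f'<foo>&xxe;</foo>').encode()


def parse(doc: bytes, resolve_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # True  -> the parser opens file:// and http(s):// targets named by the entity
    # False -> the reference is skipped (Python's default since 3.7.1)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.text)


def run_demo() -> dict:
    # Constructed secret file standing in for /etc/shadow or an intranet URL.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")
        path = f.name
    try:
        doc = xxe_document(pathlib.Path(path).as_uri())
        return {
            "vulnerable": parse(doc, resolve_external_entities=True),
            "hardened": parse(doc, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(run_demo())
```

The hardened result is empty because the parser simply skips the reference; a real application would additionally reject documents that carry a DOCTYPE at all, which is what the defusedxml package does for every stdlib parser. The DoS variant on the slide (`/dev/random`) is the same mechanism with a target that never stops producing data, which is why entity resolution, not just the file name, is what has to be switched off.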

Page 26:

Blind out of band attacks are possible as well:

Page 27:

Secure transport: sending sensitive information over an unencrypted link
◦ No encryption / obfuscation
◦ Weak encryption
◦ Downgrade attacks

Check for no encryption / obfuscation
◦ Sniff data; a captured proxy request carrying base64-encoded credentials in the clear:

    GET http://target/INSTALL.pgsql.txt HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0
    Host: target
    Proxy-Authorization: Basic YWQxxxxxxxxxxxxxxxxxxxxxxxx=

Page 28:

Secure transport: weak transport encryption
◦ Protocol issues: known flaws in SSLv2, SSLv3 and TLSv1.0; SSLv3 and TLSv1.0 are still enabled in many cases (e.g. on non-www hosts)
◦ Ciphers: e.g. DES, RC4, 3DES based; weak ciphers can be cracked
◦ Weak algorithms: e.g. MD5, SHA-1

Page 29:

MD5 collision used in the 'Flame' malware
◦ Signed Windows Updates!
◦ Linked to Equation Group / NSA
◦ Most targets in the Middle East

Page 30:

Page 31:

Secure transport: downgrade attacks
◦ Strip SSL layer: sslstrip
  http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
  https://moxie.org/software/sslstrip/
◦ Hijack e.g. Facebook and Twitter sessions: Firesheep
  https://github.com/codebutler/firesheep
  Worked since not all pages were using https
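Slides 28 and 31 list what to avoid (SSLv3/TLS 1.0, RC4/DES/MD5/SHA-1 suites, pages reachable over plain http) without showing what the corrected configuration looks like. The example below is added here, not code from the slides: a hardened TLS client context built with Python's ssl module, an audit function that reports the suites the slides would flag, and the HSTS header that takes away the plain-http foothold sslstrip and Firesheep relied on. The token list and the cipher string are this example's choices, not a standard.

```python
import ssl

# Substrings that mark a suite the slides call weak; names ending in "-SHA"
# use an HMAC-SHA-1 MAC with a CBC cipher.
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def weak_cipher_names(ctx: ssl.SSLContext) -> list:
    """Suite names in the context that match the slides' weak list."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return [n for n in names
            if any(tok in n for tok in WEAK_TOKENS) or n.endswith("-SHA")]


def hardened_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()            # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv2/3 and TLS 1.0/1.1 refused
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # AEAD suites with forward secrecy only
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """What a reviewer wants to see for a context: floor version and weak suites."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "weak_ciphers": weak_cipher_names(ctx),
        "cipher_count": len(ctx.get_ciphers()),
    }


def hsts_header(max_age_seconds: int = 31536000) -> str:
    """Strict-Transport-Security: after one https visit the browser refuses to
    fetch the site over plain http, so there is no http page left to strip or
    to leak a session cookie from."""
    return f"Strict-Transport-Security: max-age={max_age_seconds}; includeSubDomains"


if __name__ == "__main__":
    print(audit(hardened_context()))
    print(hsts_header())
```

The cipher count in the audit will include the TLS 1.3 suites, which OpenSSL manages separately from the cipher string; they are all AEAD and pass the same filter. HSTS only protects from the second visit on unless the domain is on the browsers' preload list, so the session cookie should still carry the Secure flag.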

Page 32:

Secure storage:
◦ Not encrypting sensitive data
◦ Using home grown algorithms
◦ Insecure use of strong algorithms
◦ Continued use of proven weak algorithms (MD5, SHA-1, RC4, …)
◦ Hard coded keys, and storing keys in unprotected environments

Page 33:

Real-life example (screenshot of a stored password table; annotations on the image: same passwords give the same stored value; <password>1, <password>2, …; different length passwords give different length stored values)

Page 34:

How to decode the passwords?
◦ Create your own account
◦ Password = 'aaaaaaaa'; stored password "hash", e.g. \01\02\03\04\05\06\07\08
◦ Password = 'bbbbbbbb'; stored password "hash", e.g. \02\03\04\05\06\07\08\09
◦ Etc.
◦ Find the link password ↔ hash
◦ Write a decoder (the stored byte at position i is the letter's index plus i, so subtract i to get the letter back):

    for (i = 0; i < in.length(); i++)
        print(alfabet(in.position(i) - i))

◦ Decode all passwords
◦ Dump sensitive information
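The procedure on this slide (probe with chosen passwords, derive the relationship, write the decoder, decode everything) can be carried through end to end. The example below is added here, not code from the slides: a stand-in encoder that behaves exactly as the slide's two probes show ('aaaaaaaa' gives \01..\08, 'bbbbbbbb' gives \02..\09), the probing step, a check that the observed offsets really are the position index, and the resulting decoder. The encoder is an assumption; the application's real scheme is not on the slides.

```python
import string

ALFABET = string.ascii_lowercase   # letter index is 1-based, as the probes suggest: a=1, b=2, ...


def app_encode(password: str) -> bytes:
    """Constructed stand-in for the application's reversible 'hash':
    byte i = (1-based index of the letter) + i."""
    return bytes(ALFABET.index(c) + 1 + i for i, c in enumerate(password))


def probe(encode, chosen=("aaaaaaaa", "bbbbbbbb")) -> list:
    """Slide steps 1-3: register accounts with chosen passwords, collect the stored values."""
    return [(p, encode(p)) for p in chosen]


def offsets_from(samples) -> list:
    """Slide step 4: per position, stored byte minus the 1-based letter index.
    Returns None when the probes disagree, i.e. the scheme is not this simple."""
    result = None
    for password, stored in samples:
        found = [b - (ALFABET.index(c) + 1) for c, b in zip(password, stored)]
        if result is not None and found != result:
            return None
        result = found
    return result


def decode(stored: bytes) -> str:
    """Slide step 5: the decoder loop. Valid once offsets_from() returned [0, 1, 2, ...]."""
    return "".join(ALFABET[b - i - 1] for i, b in enumerate(stored))


def decode_all(stored_values) -> list:
    """Slide step 6: run the decoder over the whole dumped column."""
    return [decode(v) for v in stored_values]


if __name__ == "__main__":
    samples = probe(app_encode)
    print("offsets per position:", offsets_from(samples))
    print(decode_all([app_encode("welkom"), app_encode("geheim")]))
```

Two probes of equal length are enough to see the per-position offset; a third of a different length (as the annotated screenshot hints) confirms that the output length leaks the password length, which a real hash would never do. That length leak is the quickest sign, before any probing, that the stored values are an encoding and not a hash.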

Page 35:

Page 36:

Page 37:

No rate limiting and lock-out
◦ Brute force usernames and passwords

Inadequate password policy
◦ Pass = username, password, welcome01

Predictable / low entropy session IDs
◦ Weak implementations typically use: sequential numbers, hashes of sequential numbers, time elapsed since start of server / service
◦ Attacker can: disconnect all users, hijack existing sessions
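"Hashes of sequential numbers" looks random to the eye, which is why it keeps getting shipped. The example below is added here, not code from the slides: a server that issues session IDs this way, the attacker's two steps (recover the counter behind their own ID, then compute the IDs of the sessions issued just before and after), and the correct generator beside it. The hash choice, the counter start and the names are this example's assumptions.

```python
import hashlib
import secrets


class WeakSessionServer:
    """Session ID = hash of a counter. Looks random, is fully predictable."""
    def __init__(self, start: int = 1000):
        self.counter = start

    def new_session(self) -> str:
        self.counter += 1
        return hashlib.sha256(str(self.counter).encode()).hexdigest()


class SessionServer:
    """128 bits from the OS CSPRNG: nothing to enumerate, nothing to predict."""
    def new_session(self) -> str:
        return secrets.token_urlsafe(16)


def _weak_id(n: int) -> str:
    return hashlib.sha256(str(n).encode()).hexdigest()


def recover_counter(session_id: str, search_up_to: int = 100_000):
    """Attacker step 1: which counter value produced the ID I was given?
    Returns None when no counter below the bound matches (e.g. a random ID)."""
    for n in range(search_up_to):
        if _weak_id(n) == session_id:
            return n
    return None


def predict_neighbours(session_id: str, how_many: int = 3) -> list:
    """Attacker step 2: the IDs of the sessions created just before and after mine,
    i.e. other users' sessions, ready to be hijacked."""
    n = recover_counter(session_id)
    if n is None:
        return []
    return [_weak_id(n + d) for d in range(-how_many, how_many + 1) if d != 0]


if __name__ == "__main__":
    weak = WeakSessionServer()
    mine = weak.new_session()
    victim = weak.new_session()
    print("victim's session predicted:", victim in predict_neighbours(mine))
    print("random ID recoverable:", recover_counter(SessionServer().new_session()))
```

Hashing adds no entropy: the attacker only has to hash the same small sequence. The same argument applies to "time since server start" (a few million candidates) and to the hashed userid on slide 21.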

Page 38:

Not invalidating session IDs
◦ Or: never expires

Weak enrollment and recovery processes
◦ Not so secret questions
◦ Protect master secrets with PIN / PUK + no lock-out
  https://www.os3.nl/_media/2016-2017/ot-report-digidentity.pdf
◦ Enroll 2FA with password only

Page 39:

Logical flaws
◦ Intel Management Engine (ME / AMT)
  Low level access to system (KVM)
  On, even if your PC is switched off
  Uses webserver(…)
  Password check: strncmp(computed_value, user_value, len(user_value))

What's wrong?

user_value = ''
strncmp('anything', '', 0)
Nothing matches nothing (length 0): login successful…
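The slide's check fails because the attacker controls the length argument. The example below is added here, not code from the slides: a Python model of C's strncmp, the slide's check built on it, and the comparison it should have been. It also shows the second weakness of the same line, which the slide does not spell out: any prefix of the expected value passes, not only the empty string.

```python
import hmac


def strncmp(a: str, b: str, n: int) -> int:
    """Model of C's strncmp: compares at most n characters, 0 means equal.
    With n == 0 nothing is compared, so the result is always 0."""
    a, b = a[:n], b[:n]
    return (a > b) - (a < b)


def check_vulnerable(computed_value: str, user_value: str) -> bool:
    """The slide's check: the length comes from the attacker-supplied value."""
    return strncmp(computed_value, user_value, len(user_value)) == 0


def check_fixed(computed_value: str, user_value: str) -> bool:
    """Full-length, constant-time comparison; lengths must match too."""
    return hmac.compare_digest(computed_value.encode(), user_value.encode())


if __name__ == "__main__":
    expected = "9c2f4e7a0b1d"   # constructed stand-in for the computed digest
    for candidate in ("", "9c2f", expected, "wrong"):
        print(repr(candidate), check_vulnerable(expected, candidate), check_fixed(expected, candidate))
```

The lesson generalises beyond this firmware: any comparison whose length, count or loop bound is taken from the untrusted side should be treated as a logic bug, and credential comparisons should use a library routine that compares the full value in constant time.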

Page 40:

SQL injection
◦ Also applicable to other query languages
◦ User input is directly used in a query: manipulation of the database query
◦ User input 'search' = jeroen
◦ Backend uses: select details from users where name='jeroen'
◦ Attacker input 'search' = jeroen' or 1=1--
◦ Backend uses: select details from users where name='jeroen' or 1=1--'
◦ The condition is always true and -- comments out the rest of the query: display all records
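The slide's query, run for real: the example below is added here and is not code from the slides. It builds an in-memory SQLite table with constructed rows, runs the search with the query string built by concatenation (the slide's backend) and then with a bound parameter, using the slide's exact attacker input.

```python
import sqlite3

ATTACK = "jeroen' or 1=1--"   # the slide's attacker input, verbatim


def make_db() -> sqlite3.Connection:
    """Constructed table; three rows so 'all records' is visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text, details text)")
    conn.executemany("insert into users values (?, ?)", [
        ("jeroen", "details of jeroen"),
        ("alice", "details of alice"),
        ("admin", "details of admin"),
    ])
    return conn


def search_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    """User input pasted into the SQL text. The quote in the input closes the
    string literal, 'or 1=1' widens the WHERE clause, '--' discards the rest."""
    sql = f"select details from users where name='{search}'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, search: str) -> list:
    """Bound parameter: the value is sent separately and never parsed as SQL,
    so the attacker's quote is just a character in a name nobody has."""
    return [row[0] for row in conn.execute(
        "select details from users where name=?", (search,))]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", search_vulnerable(conn, ATTACK))
    print("fixed:     ", search_fixed(conn, ATTACK))
```

Escaping the quote is the usual half-fix; it breaks the moment the value is used in a numeric context or with a different quoting convention, whereas parameter binding works the same way in every driver.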

Page 41:

Page 42:

Page 43:

Advanced tools are out there to abuse flaws
◦ Database (bulk) download
◦ OS file upload
◦ OS file download
◦ OS command execution
◦ …

sqlmap
◦ https://github.com/sqlmapproject/sqlmap
◦ Tunnel an SQL-injection based OS shell over HTTP!

Page 44:

Detection:
◦ Detection of well-known attacks using IDS
◦ Check web server logs
◦ Check network flows
◦ Difficult to detect all attacks!

Prevention:
◦ Use good practices: https://www.owasp.org/index.php/OWASP_Guide_Project
◦ Review and/or test the application before going live
  Source code review: https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
  Penetration test: https://www.owasp.org/index.php/OWASP_Testing_Project
  https://www.owasp.org/index.php/Appendix_A:_Testing_Tools
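"Check web server logs" (here) and "logs never checked" (slide 9) are the same point. The example below is added here, not code from the slides: a few constructed access-log lines in the common combined format, signature checks for the payloads shown earlier in this deck (the XSS and SQL injection strings), and a second kind of detection that no single line reveals, the userid enumeration from slide 21, which only shows up when one client walks many IDs. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines. One client walks /details?userid=2..5 (slide 21),
# another sends the deck's XSS and SQL injection payloads, URL-encoded as a
# browser would send them; a third is an ordinary visitor.
LOG_LINES = """\
203.0.113.7 - - [01/Jan/2018:10:00:01 +0100] "GET /details?userid=2 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2018:10:00:02 +0100] "GET /details?userid=3 HTTP/1.1" 200 498
203.0.113.7 - - [01/Jan/2018:10:00:02 +0100] "GET /details?userid=4 HTTP/1.1" 200 511
203.0.113.7 - - [01/Jan/2018:10:00:03 +0100] "GET /details?userid=5 HTTP/1.1" 200 507
198.51.100.9 - - [01/Jan/2018:10:01:10 +0100] "GET /get.php?id=%3Cscript%3Ealert(123)%3C/script%3E HTTP/1.1" 200 1033
198.51.100.9 - - [01/Jan/2018:10:01:30 +0100] "GET /search?q=jeroen%27%20or%201%3D1-- HTTP/1.1" 200 20490
192.0.2.4 - - [01/Jan/2018:10:02:00 +0100] "GET /details?userid=2 HTTP/1.1" 200 512
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

# Signatures for the payloads this deck shows. POST bodies (the YAML and XML
# payloads) never reach an access log, which is one reason the slide says
# detection of all attacks is difficult.
SIGNATURES = {
    "xss":  re.compile(r"<script", re.I),
    "sqli": re.compile(r"'\s*or\s+1\s*=\s*1|--\s*$", re.I),
}


def detect(lines, enumeration_threshold: int = 3) -> list:
    """Returns (kind, client_ip, evidence) tuples, signature hits first,
    then per-client enumeration findings."""
    findings = []
    ids_per_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])  # decode %3C etc. before matching
        for kind, pattern in SIGNATURES.items():
            if pattern.search(path):
                findings.append((kind, m["ip"], path))
        uid = re.search(r"[?&]userid=(\d+)", path)
        if uid:
            ids_per_ip[m["ip"]].add(int(uid.group(1)))
    for ip, ids in ids_per_ip.items():
        if len(ids) >= enumeration_threshold:
            findings.append(("idor_enumeration", ip, f"{len(ids)} distinct userids"))
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(*finding)
```

The enumeration rule is the more interesting one: every single request in it is legitimate and returns 200, so an IDS keyed on payload signatures will never fire. It needs logs that record the query string and the client, kept somewhere the attacker cannot edit (slide 9), and somebody actually looking at them.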

Page 45:

Hacking is not allowed
◦ "Wet Computercriminaliteit"
◦ Testing without breaking in is also not allowed

If you want to test your (organization's) apps:
◦ Use a letter of authorization
  Document the type of activities you will be performing
  Document the IPs that will be tested
  Signed by the system's owner

Page 46:

Hands-on hacking environment
◦ Ten web based levels
◦ Six platform based levels
◦ In each level you can find a password; the password gives access to the next level
◦ You need to exploit a weakness to get the password
◦ Most OWASP top ten issues are included
◦ We'll show hints on the screen to help you, if needed ;)

Work in teams
We explicitly allow you to hack the system :)

Page 47:

More hands-on hacking:
◦ Books: http://www.webhackingexposed.com/
◦ Certifications:
  https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
  https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/
  https://www.giac.org/

Page 48:

J.C.vanBeek@uva.nl