
Page 1: Live Hacking - Quotium · Microsoft PowerPoint - SEC411.ppt Author: ofer Created Date: 2/10/2007 12:06:23 AM

Live Hacking

Threats & Countermeasures in Action (SEC411)

Ofer Maor

CTO

Hacktics Ltd.

Page 2

Agenda

• Introduction to Application Hacking

• Demonstration of Attack Tool

• Common Web Application Attacks & Countermeasures

• Live Bank Hacking Demo

• Questions & Answers

Page 3

About Hacktics

• Security Services Company

• Provides a wide range of services with focus on the application security field

• Relies on vast experience in application level penetration testing and secure development

Hacktics offers unique expertise in the technology and methodology of application security, together with out of the box thinking abilities and a keen understanding of the operational patterns of Hackers.

Page 4

Introduction to Application Hacking

Page 5

Overview

• Today, most organizations create, use and externalize distributed applications implementing business processes.

• The increasing number of such applications, combined with the improved security of the infrastructure layer, drives hackers to turn to application attacks.

• According to Gartner, over 75% of attacks today take place in the application layer.

Page 6

What Is Application Hacking?

• Taking advantage of application-level vulnerabilities to attack the site

• Attacks relate to the semantics and meaning of application messages, such as HTTP requests, SQL queries or proprietary requests.

• Differs from infrastructure attacks, which focus on identifying unauthorized services (port scanning) and abusing known vulnerabilities in them.

Page 7

Application vs. Infrastructure

• Not easily replicated (no script kiddies!), though still easily exploitable

• Target the organization's core business operations rather than its technology

• Allow launching direct attacks rather than needing to break through several circles of defense

• Used by attackers with a specific agenda (criminals, industrial espionage, etc.).

Page 8

Vulnerability Mitigation

• No vendor patch to simply deploy

• Fixing the vulnerability requires recoding, turning it into a costly procedure

• Design Mistake Fix Cost Increase (Gartner):

– 1x – During Design

– 6.5x – During Development

– 15x – During Testing

– 100x – After Deployment to Production

Page 9

Technical vs. Logical

• Technical flaws relate to the specific technical implementation of the application

• Logical flaws relate to the way business processes were implemented, unrelated to the development infrastructure

• New security features added to development infrastructure help decrease the number of technical flaws, whereas logical flaws are still a prominent problem

Page 10

Web Application Penetration Tool

Page 11

Application Hacking Techniques

• Applications expect the client to behave in a certain predefined manner (typically only the fields the developer regards as user controlled are validated; hidden fields, cookies and headers are assumed to arrive unchanged)

• The client, however, can be easily controlled by the malicious user (attacker)

• Easily done using friendly GUI based tools

– Interactive Interception Proxies

– Browser Plug-ins

– etc.

Page 12

Interception Proxy Demo

Page 13

Common Web Application

Attacks & Countermeasures

(With Live Demo!)

Page 14

Topics

• Reconnaissance (Active/Passive)

• Parameter Tampering

• Session Hijacking

• Scripts Injection

• Cross Site Scripting

• Flow Bypassing (Forceful Browsing)

• SQL Injection

Page 15

Passive Reconnaissance

• Understanding the Application

• Requests Monitoring

• Structure & Flow Mapping

• Searching Code for Comments

• Identifying Development Infrastructure

• Retrieving Internet Resources

• Google Hacking

Page 16

Active/Malicious Reconnaissance

• Generate Exceptions & Errors

• Unreferenced URLs

– Default Components

– Administrative Interfaces

– Configuration/Log Files

• Source Code Disclosure

– Known Vulnerabilities

– Backup/Old Files

– File Access Components

Page 17

Active/Malicious Reconnaissance

• Result of Failing Key Secure Design Principles:

– Input Validation

– Exception Management

• Mitigation:

– Properly handle all exceptions

– Disable detailed error messages, if present

– Avoid storing any redundant files/information on production machines

Page 18

Parameter Tampering

• Overview

– The basic, most simple form of application level attack

– Is targeted directly at the business logic of the application

– Often does not require much knowledge of application attacks and can be achieved with no tools

Page 19

Parameter Tampering

• The Problem

– Attackers may alter the value of parameters sent from the browser which the developers assumed would remain as is (hidden form fields, cookies, identifiers embedded in URLs)

• Potential Damage

– Attacker may gain access to unauthorized data, commit unauthorized transactions, go outside normal value boundaries, etc.

Page 20

Parameter Tampering

• Result of Failing Key Secure Design Principles:

– Input Validation

– Authentication

– Authorization

– Session Management

• Mitigation:

– Never trust user submitted data

– Check authentication and authorization for every operation performed, on the server side, regardless of which options the client was shown.

Page 21

Session Hijacking

• Overview

– Session Hijacking is an attack in which the attacker successfully takes control over a user's session, after obtaining a valid session identifier

• Potential Damage

– Through this attack the attacker is able to gain access to the system as if the attacker was authenticated to it, without ever knowing the authentication credentials of the attacked user

Page 22

Session Hijacking

(Demo) The hacker's request was accepted, as it contained a valid cookie

Page 23

Session Hijacking

• Result of Failing Key Secure Design Principles:

– Proper Session Management

– Input Validation

• Mitigation:

– Always use a reliable session management mechanism (such as the one built into ASP/ASP.Net) rather than a home-grown one: identifiers must be long, random and unpredictable, and must be re-issued on login

– Protect your site from script attacks…
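The check the hijacked request on page 22 passes is simply "does this cookie value exist in the session table". The following added example (not code from the slides or from Hacktics) shows why the mitigation on this page matters: a server-side session store fed by a predictable id generator is enumerable with a handful of guesses, while the same store fed by a CSPRNG is not. The store, cookie name, idle timeout and the counter-based generator are assumptions chosen for illustration.

```python
import secrets
import time

# Added example (not from the slides). The store, the cookie name and the
# timeout are assumptions chosen for illustration.

SESSION_IDLE_SECONDS = 15 * 60


def make_counter_ids(start=1000):
    """Predictable session ids (a counter), the kind of scheme a home-grown
    session mechanism often ends up with. An attacker who sees one id can
    enumerate its neighbours."""
    state = {"n": start}

    def next_id():
        state["n"] += 1
        return str(state["n"])

    return next_id


def strong_session_id():
    """256 bits from the OS CSPRNG: infeasible to guess or enumerate."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Server-side session table: id -> {user, last_seen}.

    The cookie carries only the opaque id; all state stays on the server.
    """

    def __init__(self, id_factory=strong_session_id):
        self._sessions = {}
        self._id_factory = id_factory

    def login(self, username, now=None):
        """Issue a brand-new id on every login, so an id an attacker planted
        or observed before authentication (session fixation) is never
        upgraded to an authenticated one."""
        sid = self._id_factory()
        self._sessions[sid] = {"user": username,
                               "last_seen": time.time() if now is None else now}
        return sid

    def user_for(self, sid, now=None):
        """Resolve a presented cookie to a user. This is exactly the check the
        hijacked request passes: whoever presents a valid id is that user,
        so the id must be unguessable and must expire when idle."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid, name="SESSIONID"):
    """Cookie attributes that limit what a stolen or injected script can do:
    HttpOnly keeps the id away from document.cookie (the cookie-theft path
    of the script injection slides), Secure keeps it off plaintext HTTP,
    SameSite limits cross-site sending."""
    return f"Set-Cookie: {name}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def enumerate_sessions(store, candidate_ids):
    """The attacker replays requests with guessed cookie values and keeps the
    ones the server accepts. Returns {id: user} for every hit."""
    hits = {}
    for sid in candidate_ids:
        user = store.user_for(sid)
        if user is not None:
            hits[sid] = user
    return hits


if __name__ == "__main__":
    weak = SessionStore(id_factory=make_counter_ids())
    weak.login("alice")
    print("weak store, 10 guesses:", enumerate_sessions(weak, [str(i) for i in range(1000, 1010)]))
    strong = SessionStore()
    sid = strong.login("alice")
    print("strong store, 10 guesses:", enumerate_sessions(strong, [str(i) for i in range(1000, 1010)]))
    print(set_cookie_header(sid))
```

Run as a script it prints the hijacked session for the counter-based store and an empty result for the random one; `set_cookie_header` shows the attributes that should accompany the id, which the built-in ASP/ASP.Net mechanisms the slide recommends can be configured to emit.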

Page 24

Scripts Injection

• Overview

– A way to perform script-based attacks without being limited by browser security (the injected script is served from the vulnerable site's own origin, so the browser's same-origin policy does not contain it)

– The attacker takes advantage of a component in the system which displays to users information previously inserted by other users

– The attacker embeds a script into the input, which is then executed on the browsers of other users

Page 25

Scripts Injection

(Demo) The script, now served from the web site's domain, was able to access sensitive information and send it to the attacker

Page 26

Scripts Injection

• The Problem

– No input validation takes place when data is received

– No output encoding (sanitization) is performed when data is sent back to other users

• Potential Damage

– Cookie Theft -> Session Hijacking (the simplest exploit)

– Taking over the entire browsing session (viewing the user's data and performing operations on their behalf)

– Improved Phishing Attacks

Page 27

Cross Site Scripting (XSS)

• Overview

– Similar to Scripts Injection, Cross Site Scripting takes advantage of the same principle of making the remote server send the malicious script to the client

– Unlike with Scripts Injection, however, the client is part of the attack process, as the script itself is not permanently stored on the remote system: the victim must be lured into sending it (e.g. through a crafted link), and the server reflects it back

– The key elements of the problem, as well as the potential damage and mitigation, are identical to those of the scripts injection attack.

Page 28

Cross Site Scripting (XSS)

(Demo) The script, sent by the attacked client to the server, was then received again by the client, now with the proper security context, and was able to send the cookie to the attacker

Page 29

XSS Code Example

A Search page:

<HTML><TITLE>Search Results</TITLE><BODY>
<%
SearchTerm = Request.QueryString("SearchStr")
' Querying DB Based on the Search Term
If SearchRS.EOF Then 'Search yielded no results
    ' The search term is written back into the page without encoding (the bug)
    Response.Write("No results found for ")
    Response.Write(SearchTerm)
Else
    ' Display all records
End If
%>
</BODY></HTML>

Page 30

XSS Code Example

With input string XXX, the result is:

<HTML><TITLE>Search Results</TITLE><BODY>
No results found for XXX
</BODY></HTML>

Page 31

XSS Code Example

However, with a script injected as the search string, the result is:

<HTML><TITLE>Search Results</TITLE><BODY>
No results found for <SCRIPT>alert('Test')</SCRIPT>
</BODY></HTML>

Page 32

Scripts Injection/XSS

• Result of Failing Key Secure Design Principles:

– Input Validation

– Output Sanitization (Encoding)

• Mitigation:

– The "Quick and Dirty" way – prevent users from inserting HTML meta characters such as <, >, ;, etc. (a blacklist, which is easily bypassed and breaks legitimate input)

– Better yet, perform HTML encoding of all non alphanumeric characters at the point where they are written into the page, such as:

• < -> &lt;

• > -> &gt;

• " -> &quot;

• etc.

– The encoding must match the output context: HTML entity encoding protects element content and quoted attribute values, but not a value placed inside a <SCRIPT> block, an unquoted attribute or a URL.
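To make the two mitigations on this page concrete, here is an added example (not code from the slides or from Hacktics) that re-implements the search page of pages 29 to 31 in Python. It renders the same payload through the raw echo, through the "strip < and >" filter and through entity encoding, then parses the result the way a browser would to see whether a script element or an event-handler attribute survived. The attribute-context variant, the detector and the payloads are constructed for illustration and go beyond the slides' element-content case.

```python
import html
from html.parser import HTMLParser

# Added example (not from the slides). It re-implements the search page of
# pages 29-31 in Python; the attribute-context variant and the payloads are
# constructed for illustration.

PAGE = "<HTML><TITLE>Search Results</TITLE><BODY>\n{body}\n</BODY></HTML>"


def render_vulnerable(search_term):
    """Echoes the raw parameter into element content, as the ASP page does."""
    return PAGE.format(body="No results found for " + search_term)


def render_encoded(search_term):
    """HTML-entity-encodes the value first: < > & " ' become entities, so the
    browser shows the payload as text instead of parsing it as markup."""
    return PAGE.format(body="No results found for " + html.escape(search_term, quote=True))


def quick_and_dirty_filter(search_term):
    """The 'strip the meta characters' approach from the mitigation slide."""
    return search_term.replace("<", "").replace(">", "")


def render_attribute_vulnerable(search_term):
    """Reflects the value into a quoted attribute after stripping < and >.
    No angle brackets are needed here: a double quote closes the attribute
    and an on* handler attribute carries the script."""
    return '<input name="q" value="' + quick_and_dirty_filter(search_term) + '">'


def render_attribute_encoded(search_term):
    """Entity encoding with quote=True also encodes the double quote, so the
    attribute cannot be closed early."""
    return '<input name="q" value="' + html.escape(search_term, quote=True) + '">'


class ScriptDetector(HTMLParser):
    """Parses the output the way a browser would and reports whether any
    <script> element or on* event-handler attribute ended up live.
    HTMLParser lower-cases tag and attribute names for us."""

    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True
        if any(name.startswith("on") for name, _ in attrs):
            self.found = True


def contains_live_script(markup):
    detector = ScriptDetector()
    detector.feed(markup)
    detector.close()
    return detector.found


if __name__ == "__main__":
    body_payload = "<SCRIPT>alert('Test')</SCRIPT>"
    attr_payload = 'x" onfocus="alert(1)" autofocus="'
    for label, out in [
        ("body, raw", render_vulnerable(body_payload)),
        ("body, encoded", render_encoded(body_payload)),
        ("attribute, filtered", render_attribute_vulnerable(attr_payload)),
        ("attribute, encoded", render_attribute_encoded(attr_payload)),
    ]:
        print(f"{label:20s} script executes: {contains_live_script(out)}")
```

The attribute case is the point of the context caveat above: the blacklist leaves `x" onfocus="alert(1)" autofocus="` untouched because it contains no angle bracket, yet the browser ends up with a live `onfocus` handler; `html.escape(..., quote=True)` applied at output time neutralizes both payloads.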

Page 33

Flow Bypassing

• Overview

– Common Logical Attack (Using Forceful Browsing Techniques)

– Useful against step-based applications such as wizards or redirection-based applications

– Allows attackers to overcome specific authentication or authorization mechanisms

Page 34

Flow Bypassing

• The Problem

– Specific operations which require more than one request to be completed do not properly enforce the flow of the operation: each step trusts that the earlier ones were carried out

• Potential Damage

– Attacker can skip specific requests in the flow that relate to security, allowing

• Authentication Circumvention

• Authorization Circumvention

• Bypassing Operation Validity Verification

• etc.

Page 35

Flow Bypassing

• Result of Failing Key Secure Design Principles:

– Authentication

– Authorization

– Session Management

• Mitigation:

– Enforce the flow of multi-step operations on the server

– Rely on the session for storing flow information, never on parameters round-tripped through the client

– Reverify authorization when committing the operation
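The parameter tampering slides (pages 18 to 20) and the flow bypassing slides (pages 33 to 35) share one fix: the server decides what the client may do, for every request, from state it holds itself. The following added example (not code from the slides or from Hacktics) puts both on one money-transfer feature: a single-request handler that trusts a hidden `from_account` field, and a three-step select/confirm/commit wizard whose state lives in the server-side session, with authorization checked both when the account is selected and again when the transfer is committed. The `Bank` class, the account ids and the step names are assumptions constructed for illustration.

```python
# Added example (not from the slides). The Bank class, account ids and the
# three wizard steps are assumptions constructed for illustration.


class Forbidden(Exception):
    """Caller is not allowed to act on the requested account."""


class FlowError(Exception):
    """A step was reached without the steps before it (forceful browsing)."""


class Bank:
    def __init__(self):
        # Constructed sample data: account id -> [owner, balance]
        self.accounts = {"ACC-1": ["alice", 500], "ACC-2": ["bob", 100]}

    def owner(self, acct):
        return self.accounts[acct][0]

    def balance(self, acct):
        return self.accounts[acct][1]

    def move(self, src, dst, amount):
        self.accounts[src][1] -= amount
        self.accounts[dst][1] += amount


def vulnerable_transfer(bank, session, params):
    """One request does everything and trusts every parameter. The form only
    ever offered the user's own accounts in from_account, but nothing stops
    the client from posting somebody else's (parameter tampering). The
    session is not even consulted."""
    bank.move(params["from_account"], params["to_account"], int(params["amount"]))
    return "done"


# The hardened flow: select -> confirm -> commit, with the operation recorded
# in the server-side session and authorization checked on entry and at commit.

def step1_select(bank, session, params):
    src, dst = params["from_account"], params["to_account"]
    amount = int(params["amount"])
    if src not in bank.accounts or dst not in bank.accounts:
        raise ValueError("unknown account")
    if bank.owner(src) != session["user"]:
        raise Forbidden("not your account")          # tampered from_account ends here
    if amount <= 0 or amount > bank.balance(src):
        raise ValueError("amount out of bounds")
    session["transfer"] = {"step": 1, "from": src, "to": dst, "amount": amount}
    return "confirm?"


def step2_confirm(bank, session):
    flow = session.get("transfer")
    if flow is None or flow["step"] != 1:
        raise FlowError("confirm reached out of order")
    flow["step"] = 2
    return "commit?"


def step3_commit(bank, session, params=None):
    """Anything posted to this step is ignored: what gets committed is what the
    session recorded, so browsing straight to commit finds nothing to do."""
    flow = session.get("transfer")
    if flow is None or flow["step"] != 2:
        raise FlowError("commit reached out of order")
    del session["transfer"]                            # one commit per flow, no replay
    src, dst, amount = flow["from"], flow["to"], flow["amount"]
    # Re-verify at commit: ownership and funds may have changed since step 1.
    if bank.owner(src) != session["user"]:
        raise Forbidden("not your account")
    if amount > bank.balance(src):
        raise ValueError("insufficient funds")
    bank.move(src, dst, amount)
    return "done"


if __name__ == "__main__":
    bank, alice = Bank(), {"user": "alice"}
    vulnerable_transfer(bank, alice, {"from_account": "ACC-2", "to_account": "ACC-1", "amount": "100"})
    print("vulnerable: alice drained bob ->", bank.accounts)
    bank, alice = Bank(), {"user": "alice"}
    tampered = {"from_account": "ACC-2", "to_account": "ACC-1", "amount": "100"}
    for attack in (lambda: step1_select(bank, alice, tampered),
                   lambda: step3_commit(bank, alice, tampered)):
        try:
            attack()
        except (Forbidden, FlowError) as exc:
            print("hardened:", type(exc).__name__, exc)
```

Note what the hardened commit step does not do: it never reads `from_account` or `amount` from the request. Once the operation is pinned in the session at step 1, the only thing the client can still influence is whether the flow continues, and the repeated ownership check at commit covers the case where the session state is stale or was created under a different user.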

Page 36

SQL Injection

• Overview

– Most powerful web application attack – targeting the data itself

– Takes advantage of the common usage of Dynamic SQL Queries

– Allows an attacker to maliciously modify the query sent by the application to the database server

Page 37

SQL Injection

• The Problem

– When using Dynamic SQL, the syntax and parameters are concatenated together, thus allowing injection of SQL syntax through parameters

• Potential Damage

– Access of Unauthorized Data

– Data Alteration

– Server Takeover

– Denial of Service (Server Availability/Data Destruction)

– More…

Page 38

SQL Injection – Code Sample I

Login Page Code:

...
' User input is concatenated straight into the query text (the bug)
SqlStr = "SELECT UserID FROM Users WHERE Username = '" & Request.QueryString("User") & "' AND Password = '" & Request.QueryString("Pass") & "'"

Set MyConn = Server.CreateObject("ADODB.Connection")
MyConn.Open "my_conn", "dbuser", "dbpass"

Set AuthRS = Server.CreateObject("ADODB.Recordset")
AuthRS.Open SqlStr, MyConn

If AuthRS.EOF Then
    Response.Write("Invalid Login")
Else
    ' Perform Authenticated Code...
End If
...

Page 39

SQL Injection – Code Sample I

– When normal users log in, the following query is created:

SELECT UserID FROM Users WHERE Username = 'Hack' AND Password = 'Tics'

– However, an attacker can type in x' OR '1'='1 as the password, yielding the following query:

SELECT UserID FROM Users WHERE Username = 'Hack' AND Password = 'x' OR '1'='1'

– Since AND binds tighter than OR, the WHERE clause is always true: the query returns a non empty record set and the attacker is logged on (as the first user in the table), without knowing any password

Page 40

SQL Injection – Code Sample II

Data Retrieval Code:

...
SqlStr = "SELECT * FROM Packages WHERE Desc LIKE " & _
         "'%" & Request.QueryString("SearchStr") & "%'"

Set MyConn = Server.CreateObject("ADODB.Connection")
MyConn.Open "my_conn", "dbuser", "dbpass"

Set PkgsRS = Server.CreateObject("ADODB.Recordset")
PkgsRS.Open SqlStr, MyConn

If PkgsRS.EOF Then
    Response.Write("No Packages Match Search.")
Else
    ' Display all vacation packages information
End If
...

Page 41

SQL Injection – Code Sample II

– With a normal search, the query received is:

SELECT * FROM Packages WHERE Desc LIKE '%Ios%'

– The attacker, however, can add a UNION SELECT statement to the parameter, turning the query into the following one:

SELECT * FROM Packages WHERE Desc LIKE '%x' UNION SELECT Username, Password FROM Users --%'

– The trailing -- comments out the %' that the application appends. The UNION only succeeds once the attacker has matched the number (and types) of columns returned by the original SELECT, which is found by trial; the usernames and passwords are then displayed as if they were packages.

Page 42

SQL Injection

• Result of Failing Key Secure Design Principles:

– Input Validation

– Authorization

– Cryptography

– Sensitive Data Access Limitations

• Mitigation:

– The "Quick and Dirty" way – perform input validation to remove meta characters, and double every single quote (' -> ''). Note that this only helps for parameters that the query places inside quotes; a numeric parameter (WHERE PkgID = 1 OR 1=1) needs no quote at all

– Better yet, avoid using dynamic SQL. Use Parameterized Queries instead

Page 43

SQL Injection

Using Parameterized Queries in C#

using System.Data;
using System.Data.SqlClient;
...
// Defining the Query with @PkgID as its parameter
string StrQry = "SELECT * FROM Packages WHERE PkgID = @PkgID";

// Creating the connection and the SQL Command
SqlConnection MyConn = new SqlConnection(ConnectionString);
SqlCommand MyQry = new SqlCommand(StrQry, MyConn);

// Creating and setting the parameter: the value is sent to the server as
// typed data and is never parsed as part of the SQL text
MyQry.Parameters.Add(new SqlParameter("@PkgID", SqlDbType.Int));
MyQry.Parameters["@PkgID"].Value = int.Parse(Request.QueryString["PkgID"]);

// And Execute
MyConn.Open();
SqlDataReader SqlDR = MyQry.ExecuteReader();
...
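The following added example (not code from the slides or from Hacktics) runs Code Samples I and II and the mitigations of pages 42 and 43 against a real database, using Python's bundled SQLite instead of ASP and SQL Server so it executes offline. It keeps the slides' table and column names where SQLite allows them (`Desc` is a reserved word, so the description column is `Descr`), the rows are constructed, and the numeric `PkgID` lookup is added to show where quote doubling fails.

```python
import sqlite3

# Added example (not from the slides). The tables follow the Users and
# Packages tables of Code Samples I and II; the rows are constructed.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO Users (Username, Password) VALUES ('Hack', 'Tics'), ('admin', 's3cret');
        CREATE TABLE Packages (PkgID INTEGER PRIMARY KEY, Descr TEXT);
        INSERT INTO Packages (Descr) VALUES ('Ios'), ('Rome');
    """)
    return conn


# Code Sample I: login by string concatenation vs. a parameterized query.

def login_vulnerable(conn, user, password):
    sql = ("SELECT UserID FROM Users WHERE Username = '" + user +
           "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    row = conn.execute(
        "SELECT UserID FROM Users WHERE Username = ? AND Password = ?",
        (user, password)).fetchone()
    return row[0] if row else None


# Code Sample II: LIKE search open to UNION SELECT vs. parameterized.

def search_vulnerable(conn, term):
    sql = "SELECT * FROM Packages WHERE Descr LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # The wildcards are part of the data, not of the SQL text, so they go into
    # the bound value; the driver never parses a bound value as SQL.
    return conn.execute("SELECT * FROM Packages WHERE Descr LIKE ?",
                        ("%" + term + "%",)).fetchall()


# The "quick and dirty" fix from the mitigation slide, and why it is not enough.

def double_quotes(value):
    return value.replace("'", "''")


def package_by_id_vulnerable(conn, pkg_id):
    # Numeric context: there is no quote to break out of, so doubling quotes
    # changes nothing and "1 OR 1=1" is spliced into the query verbatim.
    sql = "SELECT * FROM Packages WHERE PkgID = " + double_quotes(pkg_id)
    return conn.execute(sql).fetchall()


def package_by_id_safe(conn, pkg_id):
    # Same idea as the C# slide's SqlDbType.Int: enforce the type, then bind.
    return conn.execute("SELECT * FROM Packages WHERE PkgID = ?",
                        (int(pkg_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    bypass = "x' OR '1'='1"
    print("vulnerable login:", login_vulnerable(conn, "Hack", bypass))
    print("safe login:      ", login_safe(conn, "Hack", bypass))
    union = "x' UNION SELECT Username, Password FROM Users --"
    print("vulnerable search:", search_vulnerable(conn, union))
    print("safe search:      ", search_safe(conn, union))
    print("vulnerable by id: ", package_by_id_vulnerable(conn, "1 OR 1=1"))
```

The two-column `Packages` table is deliberate: the `UNION SELECT Username, Password` from page 41 only parses because it returns the same number of columns as `SELECT * FROM Packages`, which is the column-matching step the attacker has to work out by trial. With the bound parameters, the very same strings are compared as data and match nothing.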

Page 44

Ice skating - Rockefeller Center

One of the most beautiful places in New York in winter

Page 45

Volare

147 West 4th Street, New York, New York 10012-1010

A small and wonderful Italian restaurant

Page 46

Thank You!

For Additional Information:

Email:

Web: www.hacktics.com