Renaud Bidou & Mohammad Shams - Hijacking Web Servers & Clients

Upload: nooralmousa, posted on 06-Dec-2014

TRANSCRIPT

Page 1: Renaud Bidou & Mohammad Shams - Hijacking web servers & clients

Hijacking Web Servers & Clients

New generation threats and mitigation

Renaud Bidou – CTO
Mohammad Shams – Director, ME Operations

Page 2

DenyAll – Securing and Optimizing your Applications

DenyAll & RECRO-NET

French WAF vendor, pioneer since 2001
Headquarters: Paris
More than 200 large clients all over the world
– 40% of EuroStoxx 50
– 35% of CAC 40
Partnerships with major players
– RECRO-NET (Middle East, Central Europe)
– HP (Iberia, South America)
– British Telecom, Orange Business Services (Western Europe, North America, APAC)
Recently listed as a prime European WAF player by Forrester, "Web Application Firewall: 2010 And Beyond", Chenxi Wang, February 2010

Page 3

DenyAll Worldwide

Reference customers:
DIRF – SOCIETE GENERALE – EGE – CNSS – etc.
SOCIETE GENERALE
ANSI, ZITOUNA BANK – MINISTERE INTERIEUR – etc.
SOCIETE GENERALE, etc.
SH&Co, etc.
BNPP, etc.
ACCOR – SOCIETE GENERALE – AREVA – etc.
Accor, etc.
BNP PARIBAS INSURANCE – ACCOR – etc.
BNPP Insurance, etc.
IP LIMITED, etc.
SOCIETE GENERALE LUX – EBRC – CACEIS – etc.
DANSKE BANK – KOPENHAGEN-FUR – etc.
AKTIA BANK, etc.
SENTOR – SVERIGE – etc.
TOYOTA BANK – etc.
SITEL FRIBOURG – BNP PARIBAS CH – TOTAL SA – SOCIETE GENERALE PB – STIHL – IWB – etc.
GROUPAMA – TDN – BT – IB SALUT – SATEC CANTABRIA – JUNTA DE EXTREMADURA – etc.
ARAG-IT – BASF-IT – ARAGO – UNIONINVEST – BROSE – BSH – ENDRESS-HAUSER – NETCONSULT – HELMICH – STADTWERKE – INVIK-BANK – JULIUS-BAR-BANK – MARKANT – BIT – STIHL – TECHEM – THURINGER – ATOS WORLDLINE – etc.
BNP PARIBAS UK – ARVAL UK – etc.
LA POSTE – DZ BANK – PETERCAM – etc.
INPS, etc.

Page 4

Threats: Overview

Page 5

Why Application Security?

75% of all attacks are directed at the web application layer
2/3 of all web applications are vulnerable
In the first half of 2010, web application vulnerabilities reached 50 per cent of all code flaws reported.
Most web site owners fail to scan effectively for the common flaws.
Application patching is much slower than operating system patching.

Page 6

Web Attacks: Targets & Impacts

Client
– Information Leak
– Credentials Theft
– Identity Theft
– Authorization Abuses
– Transaction Compromise

Web Server
– Defacement
– Malware Planting
– Session Hijacking
– Denial of Service
– Bounce
– Password Guess
– Remote Control

Database Server
– Data Theft
– Data Corruption
– Data Deletion
– Remote Control
– Persistent Injections

Application Servers / Web Services
– Processes Corruption
– Data Interception
– Denial of Service

Page 7

Hijacking Servers & Clients

(Same targets & impacts diagram as page 6.)

Page 8

Threats: Keyloggers

Page 9

What is a keylogger

Program reporting every keystroke
– Can be stored in a file
– Can be sent over the network
Recent keyloggers add many more features
– Window names and field values
– Mouse activity reports
– Screenshots and "video"-like records
Operating from the compromised computer
– Encryption is ineffective (keystrokes are captured before they are encrypted)
– No detection possible from the server side
– Applications can be seamlessly compromised

Page 10

Example: A simple keylogger

Really simple
– ~100 lines (including comments)
– Based on common Windows techniques
• SetWindowsHookEx(WH_KEYBOARD_LL, …)
– Public
• Code at: http://batcheur.tuxfamily.org/?p=16
Really efficient
– Runs fine on Windows 7 (with UAC)
– Undetected by anti-viruses

Page 11

Example: A simple keylogger

Page 12

Threats: Browser Compromise

Page 13

Code Injection

Makes a process execute arbitrary code
– This process may be your browser
Most common techniques
– SetWindowsHookEx
• Seen before, undetected
– CreateRemoteThreadEx & (LoadLibrary | WriteProcessMemory)
• The most basic, detected and blocked
– SetThreadContext
• Relies on the DebugActiveProcess API
• Undetected, requires debug rights
Widely documented… and used.

Page 14

Browser Internals (top of the stack first)

IEXPLORE.EXE (Tab 1 … Tab n) – IE user interface: bars, menus etc.
SHDOCVW.DLL, BROWSEUI.DLL – Browser control: navigation, history; exposes ActiveX interface
MSHTML.DLL – Rendering
URLMON.DLL – MIME handling, code download, security
WININET.DLL – IP handler: HTTP & FTP
USER32.DLL – Windows UI: handles components
KERNEL32.DLL – Base API: calls NTDLL API
NTDLL.DLL – Native API: OS user-mode components

~200,000 function calls at IE launch
You cannot monitor everything

Page 15

Browser Attack Surface

IEXPLORE.EXE (Tab 1 … Tab n)
SHDOCVW.DLL, BROWSEUI.DLL – Control navigation
MSHTML.DLL – Control display
URLMON.DLL – Alter security policy
WININET.DLL – Communicate…

Page 16

An example

Legitimate action
– Bank client JV (account 5204320422040001)
– Transfers 100 $ to bank client JM (5204320422040003)
Malware injected into the browser
– Modifies content
– Funds transferred to bank user JC (5204320422040005)
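As an added illustration (not code from the deck or from DenyAll), the transfer above modelled in Python: the browser-side malware rewrites the beneficiary, the server has no reference to compare against, and only a confirmation sent over a second channel that the browser cannot edit lets the user spot the substitution. The HMAC key, the SMS channel and the function names are assumptions.

```python
import hmac
import hashlib

# Constructed sample data mirroring the slide's scenario.
ACCOUNT_JV = "5204320422040001"  # sender
ACCOUNT_JM = "5204320422040003"  # beneficiary the user intends
ACCOUNT_JC = "5204320422040005"  # beneficiary the malware substitutes
SERVER_KEY = b"bank-side-secret-placeholder"  # assumption: key known only to the bank


def browser_submit(intended, malware_active):
    """What leaves the browser. With malware injected, the beneficiary field is
    rewritten before the request is sent while the screen still shows JM."""
    request = dict(intended)
    if malware_active:
        request["to"] = ACCOUNT_JC
    return request


def server_confirmation(request):
    """Server side: the server cannot tell a rewritten request from a genuine
    one, so it derives a code from the transfer it actually received and sends
    it with the details over a second channel (SMS). Assumed mitigation, not
    something the slide describes."""
    msg = f"{request['from']}|{request['to']}|{request['amount']}".encode()
    code = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:8]
    return {"code": code, "to": request["to"], "amount": request["amount"]}


def user_approves(intended, sms):
    """The user compares beneficiary and amount in the SMS with what they
    typed; the infected browser cannot alter that channel."""
    return sms["to"] == intended["to"] and sms["amount"] == intended["amount"]


def run_transfer(malware_active):
    """One full round: what the server received, the code it issued, and
    whether the out-of-band comparison exposes the substitution."""
    intended = {"from": ACCOUNT_JV, "to": ACCOUNT_JM, "amount": 100}
    request = browser_submit(intended, malware_active)
    sms = server_confirmation(request)
    return {"server_received_to": request["to"],
            "code": sms["code"],
            "user_detects_tampering": not user_approves(intended, sms)}


if __name__ == "__main__":
    for active in (False, True):
        print("malware injected" if active else "clean browser   ", run_transfer(active))
```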

Page 17

Example: A simple keylogger

Page 18

Threats: Server Compromise

Page 19

What is Cross-Site Scripting

Client-side executed code injection
– A variant of HTML injection
– Based on JavaScript code execution
Two possible vectors
– Volatile XSS: generated through a malicious link
– Persistent XSS: malicious code is stored on the server
Oldie but goodie
– In the wild for more than 10 years
– Improved together with browser & JavaScript capabilities

Page 20

Impacts of XSS

Full control of the compromised browser through JavaScript
– Cookie theft
– Information gathering regarding the client browser
– Redirection to an alternate/competitor/malicious site
– Portscan from the client
– Proxy on the client's network
– Flashmob DDoS
Exploitation of JavaScript capabilities
– Propagation thanks to JavaScript web transaction capabilities
– Dynamic/polymorphic code generation

Page 21

Dangers of XSS

Hard to detect
– Volatile XSS can only be detected through log file analysis
– Persistent XSS tracking is getting more complicated with polymorphic code
– Numerous advanced JavaScript obfuscation techniques
More and more powerful
– Complete control of remote browsers
– Networking operations (see CSRF)
– Next generation of botnets
– Considered the buffer overflow of the beginning of the 21st century
Unrecognized
– Most people think XSS is limited to cookie theft
– Bang. You're dead.

Page 22

101 XSS exploitation

Usual PoC
– Inject <script>alert('XSS')</script>
– Volatile and harmless XSS
– Used in most pentests
– Generates a popup in the "compromised" browser
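Page 21 states that volatile XSS can only be detected through log file analysis; as an added example (not from the deck), here is a small Python scanner for exactly that, run over constructed Apache-style access-log lines that include the PoC payload above. It decodes the request URL repeatedly before matching, because the encoded form that reaches the log never contains a literal `<script>`. The log lines, client IPs and marker patterns are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log (not from the deck): a clean request,
# the deck's PoC payload URL-encoded, a double-encoded variant, and an
# event-handler injection that uses no <script> tag at all.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2014:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.7 - - [06/Dec/2014:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [06/Dec/2014:10:00:03 +0000] "GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 640
10.0.0.9 - - [06/Dec/2014:10:00:04 +0000] "GET /profile?name=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')
# Heuristic markers of reflected XSS, applied to the fully decoded URL.
XSS_RE = re.compile(r'<\s*script|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def full_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return (client_ip, timestamp, decoded_path) for each request whose
    decoded URL carries an XSS marker (the raw, still-encoded line would not)."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, path = m.groups()
        decoded = full_decode(path)
        if XSS_RE.search(decoded):
            hits.append((ip, ts, decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
```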

Page 23

Real XSS Exploitation Method

Up to a 4-player game
– The Hacker: the very bad guy
– The Goat: XSS-vulnerable website
– The Victim: innocent user whose browser will be compromised
– The Relay: a compromised or malicious website (optional)
3-player game rules
1. The Hacker finds an XSS vulnerability on The Goat and exploits it
– Designs a script which will be executed on The Victim
2. The Victim goes to the compromised page on The Goat
– Via a malicious link (volatile)
– Directly on the page (persistent)
3. The script is executed by The Victim
– The script may force a connection to The Relay to send back information

Page 24

4-player game schema

1. Hacker compromises Relay
2. Hacker exploits XSS vulnerability
3. Victim goes to compromised page
4. Malicious JavaScript is loaded on Victim
5. Victim executes JavaScript
6. Victim sends information to Relay
7. Information sent back to Hacker
8. Relay sends new commands to Victim

Page 25

PoC – The XSS Popup

Command sent to the client:
– alert("Gotcha")

Page 26

Portscan

A JavaScript portscanner is loaded in an invisible iFrame
The Victim performs the scan
Results are sent through a request
– Made in the invisible iFrame
– Collected on the malicious server
The Victim sees nothing
The portscanned host doesn't have any clue regarding the real attacker

Page 27

Redirection

The victim is silently redirected to another web page
Could be a similar page
– Used to steal authentication credentials
Could be a competitive


Page 28

Thank you for your valuable time

Q&A

Page 29

(Distributor for Middle East & SE Europe)
2702A Business Central Towers
Dubai Internet City
P.O. Box: 503012 Dubai, United Arab Emirates
Tel: 04-3754306
E-mail: [email protected]