web application hacking
DESCRIPTION
Presentation by Haroon Meer at ReCon in 2005. This presentation is about web application security. Various web application attacks such as XSS, SQLi and directory traversal are discussed. The Wikto and Crowbar tools developed by SensePost are also discussed.
TRANSCRIPT
Hacking Web Applications
• Why it's still a walk in the park!
Agenda
• about SensePost
• why do we care about web-apps?
• so what exactly is….
• testing && test automation
• it's all fixed with Web-Services… (or not..)
• the road ahead?
• questions?
about us
• about SensePost
– small independent Info. Sec company
– > 50% of our business international
– Fairly well published
• Security Focus
• BlackHat
• RSA
• Books (Special Ops, Nessus, STC, ANS..)
• about me
– joined SensePost in 2001
– have not slept since…
– across the board fiddler & coffee drinker
Why do we care about web apps?
“Cool shellcode gets you the chicks”
but we like web apps because…
• ubiquity
• if the company you are targeting is big enough, they have (at least one)
• they are everywhere because:
– So easy to do
– So easy to do (badly/wrong/insecurely)
• exposed by their nature
• rapid deployment
• complex business logic, point n click
• actually tricksy to do it right…
So what exactly is a.... ?
Directory Traversal Attacks:
• As simple as it gets..
open(fHandle, "$user_input")
open(fHandle, "results.txt")
open(fHandle, "../../../../../../../../../etc/passwd") ?
• Who would be so stupid? *cough*
• root: Sanitization problem.
– $user_input (shoulda been 8.3 filename)
– white-listing VS. blacklisting
http://victim2k/showcode.asp
So what exactly is a.... ?
Canonicalization
• Clearly a big word!
• simply? simplification..
deny access to c:\stuff\secret
permit access to c:\stuff\public
???? access to c:\stuff\public\..\secret
http://victim2k/showcode.asp
• Do people still make this mistake? *cough*
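The two slides above (the $user_input open() and the c:\stuff\public\..\secret case) in working form. This is an added example, not code from the talk or from SensePost; PUBLIC_ROOT, the 8.3 whitelist regex and the treatment of backslashes as separators are assumptions made here to mirror the slides.

```python
import posixpath
import re
from typing import Optional

# Constructed layout mirroring the slides: files under PUBLIC_ROOT may be served,
# anything that canonicalizes to a path outside it (such as ../secret) may not.
PUBLIC_ROOT = "/stuff/public"

# Whitelist suggested by the slide: a plain 8.3-style filename and nothing else.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,8}(\.[A-Za-z0-9]{1,3})?$")


def blacklist_filter(user_input: str) -> str:
    """Blacklisting, shown for contrast: strips the one pattern the author thought of.
    It does nothing about the backslash form from the canonicalization slide."""
    return user_input.replace("../", "")


def resolve_whitelisted(user_input: str) -> Optional[str]:
    """Whitelisting: accept only an 8.3 filename and serve it from PUBLIC_ROOT."""
    if not SAFE_NAME.match(user_input):
        return None
    return posixpath.join(PUBLIC_ROOT, user_input)


def resolve_canonical(user_input: str) -> Optional[str]:
    """Canonicalize first, decide second: the c:\\stuff\\public\\..\\secret case.
    Backslashes are treated as separators (assumption, to mirror the Windows example);
    a real deployment would also resolve symlinks with os.path.realpath."""
    relative = user_input.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(PUBLIC_ROOT, relative))
    # commonpath rather than startswith, so /stuff/public_old is not taken for /stuff/public
    if posixpath.commonpath([PUBLIC_ROOT, candidate]) != PUBLIC_ROOT:
        return None
    return candidate
```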
So what exactly is.... ?
Information Disclosure
• Is it a big deal?
• <…>
• Production code should not fail verbosely..
– e.printStackTrace();
– CGI::fatalsToBrowser;
{mnemonix + "Web Application Disassembly with ODBC Error Messages"}
So what exactly is.... ?
Command Execution
• Simplest example: <http://netcheck>
• Root cause: Still just sanitization
• pops up in the weirdest places..
• <.mailto:?.>
• [hackrack + login page!!!]
• [lets re-look at that directory traversal problem? :>]
So what exactly is.... ?
Parameter Passing
• An old favorite..
• Typical example?
• <…>
• Even bigger problem when multiple parties are involved..
<html>
<form method="POST" action="http://www.book.com/cgi-bin/buy.cgi">
<input type="text" name="quantity" size="3">
<INPUT TYPE="hidden" NAME="TOTAL_PRICE" VALUE="$500">
<input type="submit" value="Submit" name="submit">
</form>
</html>
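What the form above means on the server side, as an added example that is not part of the talk: one handler that believes the hidden TOTAL_PRICE, and one that recomputes the total from a server-held price. The catalogue, the SKU (the form carries no product id) and the quantity range are assumptions.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed catalogue: the price lives on the server, never in the form.
# The form on the slide carries no product id, so a fixed SKU is assumed here.
CATALOGUE = {"book-1138": Decimal("500.00")}


def buy_trusting_client(body: str) -> Decimal:
    """What the slide's buy.cgi effectively does: the hidden TOTAL_PRICE is believed.
    Whoever can edit the form (anyone) sets the price."""
    fields = parse_qs(body)
    return Decimal(fields["TOTAL_PRICE"][0].lstrip("$"))


def buy_server_side(body: str, sku: str = "book-1138") -> Decimal:
    """Hardened version: validate the quantity, look the price up, recompute the total.
    Any TOTAL_PRICE the client sends is simply not read. The same rule applies when a
    third party (payment gateway, partner site) is in the loop: the amount is agreed
    server-to-server, not carried through the customer's browser."""
    fields = parse_qs(body)
    try:
        quantity = int(fields.get("quantity", ["0"])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= quantity <= 999:        # size="3" on the form suggests the intended range
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * quantity


# Constructed POST body as the browser would send it after the hidden field was edited to $1
TAMPERED_BODY = "quantity=2&TOTAL_PRICE=%241&submit=Submit"
```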
So what exactly is.... ?
SQL Injection
• everybody loves OR 1=1
• Basic problem *yawn* sanitization
• SELECT * FROM FOO WHERE NAME='BAR'
• SELECT * FROM FOO WHERE NAME='BAR' AND blah, blah, blah
http://sql
• It gets worse?
– xp_cmdshell..
– old security architecture books!
– crown jewels?
• How far do you want to take it today? (dns tunnels / sing?)
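The slide's SELECT * FROM FOO WHERE NAME='BAR' run both ways, as an added example not taken from the talk: concatenated (where OR 1=1 dumps the table) and with a bound parameter (where the same input matches nothing). The in-memory SQLite table FOO and its rows are constructed here.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table FOO with a NAME column, matching the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FOO (ID INTEGER PRIMARY KEY, NAME TEXT, SECRET TEXT)")
    conn.executemany("INSERT INTO FOO (NAME, SECRET) VALUES (?, ?)",
                     [("BAR", "bar-data"), ("BAZ", "baz-data"), ("QUX", "qux-data")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> List[str]:
    """The slide's query built by gluing strings together.
    A quote in the input closes the literal and the remainder is parsed as SQL, which is
    why OR 1=1 turns a one-row lookup into a table dump."""
    sql = "SELECT NAME FROM FOO WHERE NAME='" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """Same lookup with a bound parameter: the driver passes the value separately from
    the statement, so the input is only ever compared against NAME, never executed."""
    rows = conn.execute("SELECT NAME FROM FOO WHERE NAME=?", (name,))
    return sorted(row[0] for row in rows)
```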
So what exactly is.... ?
Cross Site Scripting
• Isn't that just lame?
• Yes:
– because it requires interaction
– because it kills the signal to noise ratio on mail lists
• No:
– because if your banking app is vuln...
• Overview: <…>
So what exactly is.... ?
Attacker sends link to victim (or convinces him to click on one)
Link takes user to web-site
Response contains evil/malformed data that will execute in the user's browser
Script executes in context of victim web-site
So what exactly is.... ?
State-Tracking
• Always working off the back foot..
• tokens
• a whole new can of worms...
• being tracked consistently across the app?
• token predictability? <…>
• token theft? <xss gets teeth?>
Test Automation
• Evolution from everyone's Perl scripts to a few:
– webproxy, Scarab, Paros
• Still manual, still resource intensive..
• Attempts at automation..
– How do they spider without logout?
– Delete Customer buttons?
– Calendar / halting problems?
– Authentication vs. Authorization
Test Automation
Some tools we use (and give away ;>)
Wikto:
• Do we need another cgi scanner?
• depends.. is 200 == 404?
• GET /Scripts/showcode.asp
• wikto sends 2 requests:
– [a] GET /Scripts/moomoomoo.asp
– [b] GET /Scripts/showcode.asp
• compare contents and then report..
{now with netsquare integration ;>}
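The two-request comparison the Wikto slide describes, reconstructed as an added example (not Wikto's own code) beside the status-only rule it replaces. The fetch callable and both servers are constructed so it runs offline; an exact body comparison is assumed, where the real tool would have to tolerate pages that vary between requests.

```python
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]           # (HTTP status, body)
Fetch = Callable[[str], Response]    # stand-in for an HTTP GET, so this runs offline

BOGUS_NAME = "moomoomoo.asp"         # the slide's request [a]: a name that cannot exist


def wikto_style_check(fetch: Fetch, directory: str, filename: str) -> bool:
    """Two requests, as the slide describes: [a] the bogus name, [b] the real one.
    The file is reported only if [b] is a 200 *and* differs from the baseline [a],
    which is what catches servers where 200 == 404.
    Assumption: exact body comparison; pages with timestamps or counters would
    need a fuzzier compare."""
    status_a, body_a = fetch(directory + BOGUS_NAME)
    status_b, body_b = fetch(directory + filename)
    if status_b != 200:
        return False
    if status_a == 200 and body_a == body_b:
        return False                 # same page for junk and for the target: a soft 404
    return True


def naive_check(fetch: Fetch, directory: str, filename: str) -> bool:
    """The classic cgi-scanner rule: 200 means present."""
    return fetch(directory + filename)[0] == 200


def make_server(files: Dict[str, str], soft_404: bool) -> Fetch:
    """Constructed server for the demo (no real host). With soft_404=True every unknown
    path gets a friendly 200, the behaviour that fools status-only scanners."""
    def fetch(path: str) -> Response:
        if path in files:
            return 200, files[path]
        if soft_404:
            return 200, "<html>Sorry, we could not find that page.</html>"
        return 404, "Not Found"
    return fetch


# Constructed content for the one file the slide names
SAMPLE_FILES = {"/Scripts/showcode.asp": "<% ' showcode sample %>"}
```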
Test Automation
Some tools we use (and give away ;>)
E-or:
• Manually mirror, and selectively fuzz
• sendraw != MSIE
• snapshots + text compare (broken again :()
• spend time on the real analysis
• <..>
• Crowbar...
• <..>
• Todo...
Finally…
WebServices && The Future
• Same old, same old?
• Where are we focusing our efforts? (token bfs?)
• MS + ASP.Net
• Education!
• Still going to be around for a while..
Crowbar – BETA!
Application level
E-Or – the process
• User walks the target application
• Proxy writes requests and responses to file
• User reads file, configures which actions and variables to fuzz
• User configures state information such as Cookies in HTTP headers
• Each action and variable is fuzzed using IE as a rendering tool
• Screenshots of each reply are taken, rendered text is saved from browser
• User can now watch the responses as a “movie”, pausing anywhere
• User can replay the request