web security attacks and defense
TRANSCRIPT
Web Security
● Jose Mato Mariño
3/5/15 - 12:52:45 AM
Who am I?
● Web Developer
● Web security as hobby
● http://josemato.name
● @security4dev
Is it mandatory to know web security to build a web site?
● YES. If someone hacks your server... you, the developer, are screwed
– Read logs, …, a lot of logs
– Sometimes it is difficult to know what happened
– Web security is easier than computer forensics
● Your client
– Angry
– Lost branding and reputation
Why do cybercriminals want my server?
● SPAM
● BitCoins
● Phishing
● Botnet
● Ransomware
● Data theft
● Online community dedicated to web application security
● Guides, practices and recommendations for building applications that are considered secure
● OWASP TOP 10
OWASP TOP 10 – From 2010 to 2013
A3 – Cross Site Scripting (XSS)
● Problem: an attacker injects code (ActiveX, Java, VBScript, Flash, HTML, but typically JavaScript) into a web page
● Attacks:
– Access the user's session (session hijacking)
– Redirect the user to an exploit kit (Blackhole)
– Defacement. Phishing.
– Network IP + port scanner
● We have 5 contexts to exploit XSS
● There are two types of XSS
A3 – XSS Context
● Context (by Ashar Javed @soaj1664ashar):
"Context is an environment where user supplied input or input from other application(s) eventually ends-up or start living"
● Types of context:
– HTML context (<title>XSS</title>)
– Attribute context (input value="XSS")
– Script context (<script>var a = "<?php echo XSS ?>"</script>)
– URL context (a server variable written into src, href, Flash data, etc.)
– Style context (div style="XSS" => custom editors)
A3 – XSS Types
● Reflected
– Code is not stored in any database or repository
– Payload must be in a GET parameter (open to discussion)
– The user needs to click on a malicious link
● Persistent
– Code is stored in a persistent store (database)
– When a user visits the compromised page, the exploit runs in their browser
A3 – Famous XSS: “Mr. Bean 'se cuela' en la web oficial de la presidencia española” (“Mr. Bean 'sneaks into' the official website of the Spanish presidency”)
● http://www.elmundo.es/elmundo/2010/01/04/union_europea/1262610678.html
XSS DEMO I
● Check if there is some XSS
● Get access to a user account
A3 – XSS Mitigation
● Never trust user input (inbound & outbound)
● Sanitize all inputs
● Enable the HttpOnly flag on cookies
● Content Security Policy (CSP)
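The three output contexts from the XSS Context slide and the cookie/CSP mitigations above, worked through in one place. This is an added example rather than the talk's demo code; the probe string, session id and header values are constructed.

```python
"""Context-aware output encoding for the HTML, attribute and script
contexts from the XSS Context slide, plus the HttpOnly cookie flag and a
CSP header. Added example; the payload and session id are constructed."""
import html
import json

# Constructed probe: a typical reflected-XSS test string.
UNTRUSTED = '"><script>alert(document.cookie)</script>'

def html_context(value: str) -> str:
    """Text between tags, e.g. <title>...</title>: entity-encode < > & " '."""
    return html.escape(value, quote=True)

def attribute_context(value: str) -> str:
    """Inside an attribute: entity-encode and always emit the quotes ourselves,
    so an unquoted value=XSS can never be broken out of with a space."""
    return '"' + html.escape(value, quote=True) + '"'

def script_context(value: str) -> str:
    """Inside <script>var a = ...;</script>: emit a JSON string literal and
    hex-escape < > & so a closing script tag in the data cannot end the block."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def render_page(value: str) -> str:
    """The three contexts from the slide, each with its own encoder."""
    return (f"<title>{html_context(value)}</title>\n"
            f"<input value={attribute_context(value)}>\n"
            f"<script>var a = {script_context(value)};</script>")

def session_cookie_header(session_id: str) -> str:
    """HttpOnly stops document.cookie from exposing the session id to
    injected script; Secure and SameSite are the usual companions."""
    return f"Set-Cookie: SESSID={session_id}; HttpOnly; Secure; SameSite=Lax"

def csp_header() -> str:
    """Only same-origin scripts may run; inline <script> payloads are refused."""
    return ("Content-Security-Policy: default-src 'self'; "
            "script-src 'self'; object-src 'none'")

if __name__ == "__main__":
    print(render_page(UNTRUSTED))
    print(session_cookie_header("constructed-session-id"))
    print(csp_header())
```

Note that "sanitize all inputs" on the slide is only half the story: the encoder has to match the context the value lands in, which is why the script context cannot reuse the HTML one.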
A4 – Insecure Direct Object References
● Access to resources the user is not allowed to see
● The application fails to check whether the user is authorized to access the resource
● Common scenario:
– http://websecurity-demo.local/transcript.php?student=1536
● The attacker sees a parameter and knows that “1536” is his student id
● The attacker changes this student id and gets the content of another student
● This parameter could be anywhere (GET, POST, cookie, …)
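The check the transcript.php scenario is missing, as an added example (not the talk's demo application): the authorization decision is taken from the server-side session, and the student id in the request is only a lookup key. Users, tokens and transcript records are constructed sample data.

```python
"""Server-side authorization for the transcript.php?student=1536 scenario:
the decision comes from the session, never from the id in the request.
Added example, not the talk's demo app; users and records are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: int
    role: str                       # "student" or "staff"
    student_id: Optional[int] = None


# Constructed sample data; tokens and ids are made up.
USERS = {
    "sess-alice": User(1, "student", 1536),
    "sess-bob": User(2, "student", 1537),
    "sess-registrar": User(3, "staff"),
}
TRANSCRIPTS = {
    1536: "Alice: Algebra A, Networks B",
    1537: "Bob: Algebra C, Networks A",
}


def can_read_transcript(session_token: str, requested_student: str) -> bool:
    """True only if the session owns the record or has the staff role.
    The `student` parameter may arrive via GET, POST or cookie; it is
    treated purely as an untrusted lookup key."""
    user = USERS.get(session_token)
    if user is None or not requested_student.isdigit():
        return False
    student_id = int(requested_student)
    owns_record = user.role == "student" and user.student_id == student_id
    return owns_record or user.role == "staff"


def get_transcript(session_token: str, requested_student: str) -> Optional[str]:
    """Authorize first, then look up: an unauthorized caller gets the same
    None whether or not the record exists, so ids cannot be enumerated."""
    if not can_read_transcript(session_token, requested_student):
        return None
    return TRANSCRIPTS.get(int(requested_student))
```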
A1 – Injection
● Technique to alter the queries a vulnerable application sends to its storage engine
● MySQL, MSQL, Postgres, LDAP, Access, Oracle, …
● We are going to focus on SQLi in this talk
● Many kinds of SQLi
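What "altering the query" means in practice, as an added example (not the talk's demo app): the string-built login query beside its parameterized fix, run against a constructed in-memory SQLite table. SQLite stands in for the MySQL backend the talk uses; the placeholder mechanism is the same idea in every engine listed.

```python
"""The injection the slide describes, shown as the string-built query beside
its parameterized fix. Added example, not the talk's demo app; the users
table is a constructed in-memory SQLite sample (same idea applies to MySQL)."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'alice', 'constructed-hash-1');
    INSERT INTO users VALUES (2, 'bob', 'constructed-hash-2');
""")


def login_vulnerable(name: str, password: str) -> list:
    """Before: input is concatenated into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT id, name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_fixed(name: str, password: str) -> list:
    """After: placeholders send the values apart from the SQL text, so the
    engine always compares them as data and never parses them as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Constructed probe: the tautology that makes the WHERE clause true for every row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable("alice", TAUTOLOGY))  # every user
    print("fixed:     ", login_fixed("alice", TAUTOLOGY))       # no rows
```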
A1 – SQL Injection Goals
● Access personal data. Dump the database
● Dump local users (/etc/passwd)
● Access the organization's CMS
● Site infection
– Malware propagation
– Click abuse
A1 – Famous SQL Injection I
● Lilupophilupop SQL Injection Attack Tops 1 Million Infected URLs
– Searched for SQL injection in ASP or ColdFusion pages backed by Microsoft SQL Server
– More than one million URLs infected
– The attackers used persistent XSS to redirect users to pages showing fake computer problems so they would buy a fake AV
● http://threatpost.com/lilupophilupop-sql-injection-attack-tops-1-million-infected-urls-010412/76054
A1 – Famous SQL Injection II
● Barr's claims that he would unmask and extinguish Anonymous proved to be the proverbial last straw on the camel's back.
● Anonymous found a SQL injection:
– http://www.hbgaryfederal.com/pages.php?pageNav=2&page=27
● Passwords were hashed, but Aaron's used only lower-case letters and numbers.
● Access to the CMS. Social engineering to reset the email password and gain SSH access. (Aaron used the same password for many services!)
● http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
A1 – SQL Injection Types
● SQL Injection
● Blind SQLi
– We can only use queries that return a boolean value (true or false).
– It's very slow
– Binary search to improve performance
● Time-based SQLi
– Based on heavy queries (sleep)
– Very slow
A1 – SQL Injection Walkthrough I
● The database engine has metadata: a catalog, schema or something like that
● This catalog stores all database meta-information (table relations, which databases exist, column names with length + datatype, …)
● Knowing the catalog of the vulnerable app is mandatory to perform a pentest
A1 – SQL Injection Walkthrough II
● Search for the vulnerability (test app requests and check parameters)
– Number of columns
– Database names
– Table names
– Column names
● Dump or insert data
● Download files
● Upload webshell
A1 – SQL Injection Walkthrough III
● MySQL Catalog
– Retrieve databases: SELECT schema_name FROM information_schema.SCHEMATA;
– Retrieve tables from a specific database: SELECT table_schema, table_name FROM information_schema.TABLES WHERE table_schema = 'DATABASE';
– Retrieve columns from a specific table: SELECT column_name, column_type FROM information_schema.columns WHERE table_name = 'TABLE' AND table_schema = 'DATABASE';
A1 – SQL Injection Hacking Time :)
Any questions? THANKS!!
● Jose Mato
– http://josemato.name
– @security4dev
– https://github.com/josemato/
– https://www.linkedin.com/in/josematomarino