WhiteHat Security presenting
“Web Application Security”
Windows Security 2002, BlackHat New Orleans
Jeremiah Grossman
[email protected]
Topics
Web Application Security Landscape
Why is Web Application Security Important
Common Web Application Security Mistakes
Web Application Attack Methodologies
Web Application Security Landscape
E-Commerce
Just Plain Crazy
Shopping
Auctions
Banking
Stock Trading
Printers
PDA’s
Cell Phones
System Configuration
.NET/Passport
Entertainment
Message Boards
WebMail
Guest Books
Voting Polls
Web Application
The Simple Definition
A web application or web service is a
software application that is accessible
using a web browser or HTTP(s) user
agent.
Web Application
The “EASIER” Definition
If it runs on port 80 or port 443, then it is probably a web application.
Why is Web Application Security Important?
Easiest way to compromise hosts, networks and users.
Widely deployed.
No logs! (POST request payloads are not normally written to the web server log.)
Incredibly hard to defend against or detect.
Most don’t think of locking down web applications.
Intrusion detection is a joke.
Firewall? What firewall? I don’t see no firewall…
Encrypted transport layer does nothing: SSL only hides the attack from anyone watching the wire.
How much easier can it get!? Unicode.
Common Web Application Security Mistakes
Trusting Client-Side Data
Unescaped Special Characters
HTML Output Character Filtering
SUID
ActiveX/JavaScript Authentication
Lack of user authentication before performing critical tasks.
Trusting Client-Side Data
DO NOT TRUST
CLIENT-SIDE DATA!!!
Trusting client-side data is the #1 cause of vulnerabilities.
Identify all input parameters that
trust client-side data.
Unescaped Special Characters
The Level of Trust:
Searches/Queries/Templates
Path:
http://foo.com/cgi?val=string&file=/html/name.db
Or better yet…
http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd
Unescaped Special Characters
! @ $ % ^ & * ( ) -_ + ` ~ \ | [ ] { } ; : ' " ? / , . > <
Check for:
Unescaped special characters
within input strings
HTML Character Filtering
Proper handling of special characters:
>  =>  &gt;
<  =>  &lt;
"  =>  &quot;
&  =>  &amp;
Null characters should all be removed (%00).
More mistakes…
SUID (Does a web application really need root?)
Authentication mechanisms using technologies such
as JavaScript or ActiveX.
Lack of re-authenticating the user before issuing new
passwords or performing critical tasks.
Hosting of uncontrolled data on a protected domain.
WhiteHat Arsenal
GUI Web-Based Interface
Session Based
Discovery Utilities
Active Assessment
Encoding/Decoding
Reporting
Web Application Penetration Methodologies
Information Gathering & Discovery
Input/Output Client-Side Data Manipulation
Information Gathering & Discovery
Spidering / Site Map
Identifiable Characteristics
Error and Response Codes
File / Application Enumeration
Spidering
Spidering/Site Crawling
Site Map
Service Map
Documentation
Hidden Services
CGI's and Forms
Email addresses
Identifiable Characteristics
Comment Lines
URL Extensions
Meta Tags
Cookies
Client-Side scripting languages
Enormous wealth of information about process flows, debug commands, system types and configurations.
Error and Response Codes
HTTP Response Headers
Server: IBM/Apache 1.3.19
Cookie Characteristics
Error Messages
Exception Messages (Java / SQL)
404 Error Pages
Failed Login
Locked Account
Database or file non-existent
File/Application Enumeration
Commonly referred to as “forced browsing” or “CGI Scanning”.
File/Application Enumeration
Sample Files
Template Directories
Temp or Backup files
Hidden Files
Vulnerable CGIs
Common Directories
Common Log Files
Common Backup Files
Input/Output Client-Side Data Manipulation
URL Manipulation
CGI Parameter Tampering
HTTP Client-Header Injection
Filter/Intrusion Detection Evasion
Protocol/Method Manipulation
Overflows
Input Manipulation / Parameter Tampering
"Twiddling Bits."
Cross-Site Scripting
Filter-Bypass Manipulation
OS Commands
Meta Characters
Path/Directory Traversal
Hidden Form Field Manipulation
HTTP Headers
Cross-Site Scripting
Bad name given to a dangerous security issue
Attack targets the user of the system rather than the system
itself.
Outside client-side code executing within the user's web environment with the same level of privilege as the hosted site.
Client-Side Scripting Languages
DHTML (HTML, XHTML, HTML x.0)
Opens all the doors.
JavaScript (1.x)
Java (Applets)
VBScript
Flash
ActiveX
XML/XSL
CSS
Browser/DOM Manipulation
Malicious Applets
Browser/DOM Manipulation
Dangerous Third-Party Interactivity
Let me count the ways…
Another Door Opener
Browser/DOM Manipulation
The Scenarios
Trick a user into re-logging in to a spoofed page
Compromise authentication credentials
Load dangerous or malicious ActiveX
Re-direct a user or ALL users
Crash the machine or the browser
CSS Danger
“The Remote Launch Pad.”
Successfully CSS a user via a protected domain.
Utilizing a client-side utility (JavaScript, ActiveX, VBScript, etc.), exploit a browser hole to download a trojan/virus.
User is unknowingly infected/compromised within a single HTTP page load.
ActiveX Netcat Anyone?
2 Types of CSS
Click on a link to activate:
<A HREF="http://www.evil_javascript_link">
Click Here
</A>
Auto-execute by viewing HTML:
<SCRIPT>run evil JavaScript</SCRIPT>
Dangerous HTML
“HTML Bad”
<APPLET>
<BODY>
<EMBED>
<FRAME>
<FRAMESET>
<HTML>
<IFRAME>
<IMG>
<LAYER>
<ILAYER>
<META>
<OBJECT>
<SCRIPT>
<STYLE>
Malicious Java Applications
Altering HTML Page Characteristics
Embedding Third-Party Applications (Flash, etc.)
Directly calling in other uncontrolled HTML
SCRing Protocol attacks and other abuses
META Refreshes (Client-Redirects)
ActiveX (Nuff Said)
JavaScript/VBScript Loading
Style Sheet and Scripting Alterations
Dangerous Attributes
“Attributes Bad”
ATTRIBUTE DANGER LIST
(Any HTML tag that has these attributes)
STYLE
SRC
HREF
TYPE
Power of the Dots and Slashes
Piping input to the command line.
Path Directory Traversal:
http://foo.com/app.cgi?directory=/path/to/data
DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd
Dot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd
Double DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd
More Filter Bypassing
Method Alteration (HEAD, PUT, POST, GET, etc.)
URL Encode:
http://www.foo.com/cgi?value=%46%72%68%86
Null Characters:
http://www.foo.com/cgi?value=file%00.html
More…
Alternate Case, Unicode, String Length, Multi-Slash, etc.
Authentication & Session Management
Brute/Reverse Force
Session Hijacking
Session Replay
Session Forging
Page Sequencing
Reporting
XML/HTML Based
Manual Hack Attack Log w/ Descriptor
Common Directory Force Browsing
Common Log File Force Browsing
Backup File Force Browsing
Spider Log
Spider XML Log
Attempts XML Log
A few quick things to help secure a web application.
Do not trust client-side data.
Escape and filter all input/output data.
Set up parameter and request method allow lists. Don't use what you're not expecting to receive.
Thank You!
BlackHat and Attendees
Questions?
Jeremiah Grossman
[email protected]
WhiteHat Security
All presentation updates will be available on
www.whitehatsec.com
and
community.whitehatsec.com