MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong

686

Published on

A live hacking session demonstrating the different tools and techniques used by hackers and an in-depth understanding of the problems of insecure application and the solutions to solve the vulnerability.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
686
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
26
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • If you would like to host your demo on the Virtual Server, please use the myVPC demo slide, not this slide.
  • MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter Wong

Slide 1: Lap Around Web Application Vulnerabilities
  Walter Wong
  MVP – Visual Developer (Security)
  walter_wws@hotmail.com
  http://spaces.live.com/walterwws

Slide 2: Top 10 Web Application vulnerabilities in 2007
  1. Cross-site Scripting (XSS)
  2. Injection Flaws
  3. Malicious File Execution
  4. Insecure Direct Object Reference
  5. Cross Site Request Forgery
  6. Information Leakage and Improper Error Handling
  7. Broken Authentication and Session Management
  8. Insecure Cryptographic Storage
  9. Insecure Communications
  10. Failure to Restrict URL Access
  Source: http://www.owasp.org/index.php/top_10_2007

Slide 3: Agenda
  The foundation of attack
  Advanced attack techniques
  Obfuscation
  Automated Testing

Slide 4: Foundation of attack
  An application attack is also known as a “layer 7 attack”.
  A program is just a set of instructions.
  The developer is the key protector.
  All input is evil (Writing Secure Code by Michael Howard and David LeBlanc).

Slide 5: 3 basic techniques
  SQL Injection, Cross-site Scripting, Path Traversal

Slide 6: SQL Injection
  The SQL statement is built using string concatenation.
  The attacker changes the semantics of the SQL query.
  Developers prefer string concatenation because it is easy; they know the safer method, but it requires more thought.

Slide 7: Scenario #1
  The attacker submits specially crafted input when performing a search.

Slide 8: SQL Injection
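The search page from Scenario #1, as an added example that is not from the slides: the concatenated statement slide 6 warns against next to the same query built with the .Net Parameter class that slide 32 recommends. The connection string and the Products table are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the presenter's code). Table and column names are assumed.
public static class ProductSearch
{
    // VULNERABLE: the search term becomes part of the SQL text, so a term that
    // contains a quote ends the literal early and the rest is parsed as SQL.
    public static string BuildUnsafeQuery(string term)
    {
        return "SELECT Id, Name FROM Products WHERE Name LIKE '%" + term + "%'";
    }

    // SAFE: the SQL text is fixed; the term travels to the server as a typed
    // parameter value and is never parsed as SQL, whatever characters it holds.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Name LIKE @pattern", conn);
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        return cmd;
    }

    // Runs the parameterised search; SqlDataAdapter opens and closes the
    // connection itself.
    public static DataTable Search(string connectionString, string term)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildSafeCommand(conn, term))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```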
Slide 9: http://www.lowyat.net
  Date: 12 June 2008

Slide 10: 3 basic techniques
  SQL Injection, Cross-site Scripting, Path Traversal

Slide 11: Cross-site Scripting (XSS)
  How it works?
  1. Take input from the user
  2. Fail to validate the input
  3. Echo the input directly to the web page
  4. Done!

Slide 12: Scenario #2
  When the developer uses
  <%# DataBinder.Eval(Container.DataItem, "Column1") %>
  to bind data in a DataList.

Slide 13: Cross-Site Scripting (XSS)
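The DataList binding from Scenario #2 with output encoding applied, as an added example that is not from the slides. It is the "Validate Output" half of the VIVO rule on slide 32; the page class, control and column names are assumed.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not the presenter's code). Column and page names are assumed.
public partial class ProductList : Page
{
    // Binding expression that echoes the column verbatim (the pattern on slide 12):
    //   <%# DataBinder.Eval(Container.DataItem, "Column1") %>
    // Binding expression that routes the value through this helper instead:
    //   <%# EncodeField(Container.DataItem, "Column1") %>
    protected static string EncodeField(object dataItem, string column)
    {
        object value = DataBinder.Eval(dataItem, column);
        // HtmlEncode turns <, >, &, and " into entities, so a stored
        // "<script>" is rendered as visible text rather than run by the browser.
        return HttpUtility.HtmlEncode(Convert.ToString(value));
    }
}
```

On ASP.NET 4.5 and later the `<%#: Item.Column1 %>` binding syntax HTML-encodes the value without a helper.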
Slide 14: 3 basic techniques
  SQL Injection, Cross-site Scripting, Path Traversal

Slide 15: Path Traversal
  Access files that the application does not intend to give access to.
  To read any file on the system.
  Uses “dot-dot-slash” to backtrack out of the folder.
  Example: http://app.com/GetImage.aspx?file=..\..\windows\repair\sam

Slide 16: Scenario #3
  To prevent “Resource cannot be found”, the developer creates a page that checks whether the picture file exists or not. If it doesn’t exist, it shows a generic image.

Slide 17: Path Traversal
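The existence check behind Scenario #3, written so that a “dot-dot-slash” name cannot leave the image folder, as an added example that is not from the slides. The image root and the name of the generic fallback image are assumed.

```csharp
using System;
using System.IO;

// Added example (not the presenter's code). Folder and fallback names are assumed.
public static class ImageResolver
{
    // Returns the file to serve for the client-supplied "file" parameter:
    // the requested image if it is inside imageRoot and exists, else the fallback.
    public static string Resolve(string imageRoot, string requested, string fallback)
    {
        // Canonicalise the root once, with a trailing separator so that
        // "C:\site\images2" is not mistaken for a child of "C:\site\images".
        string root = Path.GetFullPath(imageRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        // Keep only the file name: drive letters, "..\" segments and any
        // directory part the client supplied are discarded here.
        string name = Path.GetFileName(requested ?? string.Empty);
        if (name.Length == 0 || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return Path.Combine(root, fallback);

        // Resolve the final path and verify it still starts with the root;
        // a name such as ".." survives GetFileName and is caught here.
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return Path.Combine(root, fallback);

        return File.Exists(full) ? full : Path.Combine(root, fallback);
    }
}
```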
Slide 18: Advanced Techniques
  Utilize the basic attack techniques.
  Able to unveil a lot of private information about servers.
  Examples: WMI Attack, Host File Hijacking

Slide 19: WMI Attack
  WMI = Windows Management Instrumentation
  WMI is an essential tool for IT administrators to manage servers and workstations.
  Damages: retrieve the server’s information; remotely uninstall applications.

Slide 20: Scenario #4
  The attacker retrieves the list of software installed on the web server and uninstalls the software.

Slide 21: WMI Attack

Slide 22: Host File Hijacking
  Windows relies on DNS and the hosts file to resolve the target IP address.
  Hosts file location: %windir%\system32\drivers\etc\hosts
  Damages: corrupt the hosts file so that it redirects data to a malicious server.

Slide 23: Scenario #5
  The attacker redirects traffic for www.abc.com to a different IP address. Imagine an antivirus application referring to the wrong IP address to download the latest signature file.

Slide 24: Host File Hijacking
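A check for the hijack in Scenario #5, as an added example that is not from the slides: it parses the hosts file and reports any entry that overrides a name the machine should only resolve through DNS, such as an antivirus update host. The watched host name and the sample hosts content are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not the presenter's code). Watched names are assumed.
public static class HostsFileCheck
{
    // Location from slide 22, built from %windir% at run time.
    public static readonly string DefaultPath = Path.Combine(
        Environment.GetEnvironmentVariable("windir") ?? @"C:\Windows",
        @"system32\drivers\etc\hosts");

    // Constructed sample: the second line is the kind of override slide 23 describes.
    public static readonly string[] SampleHosts =
    {
        "# Copyright (c) 1993-2006 Microsoft Corp.",
        "10.0.0.99    update.example-av.com   # added by nobody we know",
        "127.0.0.1    localhost",
    };

    // Returns "name -> ip" for every hosts entry whose name is in watchedNames.
    public static List<string> FindOverrides(IEnumerable<string> lines, IEnumerable<string> watchedNames)
    {
        var watched = new HashSet<string>(watchedNames, StringComparer.OrdinalIgnoreCase);
        var hits = new List<string>();
        foreach (string raw in lines)
        {
            // Drop comments; an entry is "<ip> <name> [<alias> ...]".
            string line = raw.Split('#')[0].Trim();
            if (line.Length == 0) continue;
            string[] parts = line.Split(new[] { ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries);
            for (int i = 1; i < parts.Length; i++)
                if (watched.Contains(parts[i]))
                    hits.Add(parts[i] + " -> " + parts[0]);
        }
        return hits;
    }

    // Same check against the live hosts file of this machine.
    public static List<string> CheckSystemHostsFile(IEnumerable<string> watchedNames)
    {
        return FindOverrides(File.ReadLines(DefaultPath), watchedNames);
    }
}
```

Run against `SampleHosts` with `update.example-av.com` watched, `FindOverrides` returns the single entry `update.example-av.com -> 10.0.0.99`.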
Slide 25: Obfuscation
  The default .Net assembly format allows developers to disassemble and decompile it.
  Obfuscation is a process that rebuilds the .Net assembly into a new format that is impossible to disassemble and decompile and difficult to understand.
  Prevents competitors and hackers from getting your source code.

Slide 26: Scenario #6
  The attacker downloads the .Net assembly through a Path Traversal attack. He successfully disassembles and decompiles the assembly. The attacker is now able to view all the logic behind the source code.

Slide 27: Obfuscator

Slide 28: Automated Testing
  Develop your own testing tools.
  Automate your testing process.
  Visual Studio Tester Edition has the capability to do automated testing.

Slide 29: The Dark Side……
  Brute force attacks use the same technique.
  It is a common attack to “try” out passwords.
  To prevent such attacks, identify the source: MAC address, IP address, login username.

Slide 30: Scenario #7
  Develop a simple application to automate a brute force attack on a wireless router.

Slide 31: Automate the task
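The defence slide 29 describes, identifying the source behind repeated failed logins, as an added example that is not from the slides. It counts failures per username, IP and MAC address over constructed log lines and names the sources that should be blocked; the log format and the threshold are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the presenter's code). Log format is assumed.
public static class BruteForceDetector
{
    // Constructed sample: "<time> <result> user=<name> ip=<addr> mac=<addr>".
    public static readonly string[] SampleLog =
    {
        "10:00:01 FAIL user=admin ip=192.168.1.50 mac=00-11-22-33-44-55",
        "10:00:02 FAIL user=admin ip=192.168.1.50 mac=00-11-22-33-44-55",
        "10:00:02 FAIL user=admin ip=192.168.1.50 mac=00-11-22-33-44-55",
        "10:00:03 FAIL user=admin ip=192.168.1.50 mac=00-11-22-33-44-55",
        "10:00:04 FAIL user=admin ip=192.168.1.50 mac=00-11-22-33-44-55",
        "10:00:09 OK   user=alice ip=192.168.1.20 mac=00-aa-bb-cc-dd-ee",
    };

    // Failed attempts per source. Keying on username, IP and MAC together lets
    // a lockout hit the offending source instead of every client on the network.
    public static Dictionary<string, int> CountFailures(IEnumerable<string> lines)
    {
        var counts = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);
        foreach (string line in lines)
        {
            string[] fields = line.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
            if (fields.Length < 5 || fields[1] != "FAIL") continue;
            string key = string.Join(" ", fields.Skip(2)); // "user=.. ip=.. mac=.."
            counts[key] = counts.TryGetValue(key, out int n) ? n + 1 : 1;
        }
        return counts;
    }

    // Sources whose failure count reaches the threshold; the login page should
    // refuse or delay further attempts from them.
    public static List<string> SourcesToBlock(IEnumerable<string> lines, int threshold)
    {
        return CountFailures(lines)
            .Where(kv => kv.Value >= threshold)
            .Select(kv => kv.Key)
            .ToList();
    }
}
```

With `SampleLog` and a threshold of 5, `SourcesToBlock` returns only `user=admin ip=192.168.1.50 mac=00-11-22-33-44-55`.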
Slide 32: Steps to Defend Against Attackers
  Validate both client-side and server-side input.
  Duplicate the validation functions on both the client side and the server side.
  NO SQL Injection – use the Parameter class in .Net.
  NO XSS – Validate Input, Validate Output (VIVO).
  Obfuscate your code TODAY!
  Be innovative and creative in testing.

Slide 33: Walter_wws@hotmail.com

Slide 34: Resources
  Visit My Blog at http://spaces.live.com/walterwws

Slide 35: Resources
  Visit My Pagecast at http://www.pageflakes.com/walterw

Slide 36: © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.