Top Ten Web Hacking Techniques (2010)


Published on

video demos:

Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.

The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding

Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Top Ten Web Hacking Techniques (2010)

  1. 1. top tenWeb Hackingtechniques 2010 Jeremiah Grossman Founder & Chief Technology Officer Webcast 03.17.2011 © 2011 WhiteHat Security, Inc.
  2. 2. Jeremiah Grossman• WhiteHat Security Founder & CTO• Technology R&D and industry evangelist• InfoWorlds CTO Top 25 for 2007• Co-founder of the Web Application Security Consortium• Co-author: Cross-Site Scripting Attacks• Former Yahoo! information security officer © 2010 WhiteHat Security, Inc. | Page 2
  3. 3. 400+ enterprise customers •Start-ups to Fortune 500Flagship offering “WhiteHat Sentinel Service” •1000’s of assessments performed annuallyRecognized leader in website security •Quoted thousands of times by the mainstream press 4
  4. 4. About the Top Ten“Every year the Web security community produces a stunningamount of new hacking techniques published in various whitepapers, blog posts, magazine articles, mailing list emails, etc. Withinthe thousands of pages are the latest ways to attack websites, Webbrowsers, Web proxies, and so on. Beyond individual vulnerabilityinstances with CVE numbers or system compromises, were talkingabout brand new and creative methods of Web-based attack.” 5
  5. 5. New Techniques 2009 (80) Creating a rogue CA certificate 2008 (70) GIFAR (GIF + JAR) 2007 (83) XSS Vulnerabilities in Common Shockwave Flash Files 2006 (65) Web Browser Intranet Hacking / Port Scanning 6
  6. 6. 2010 69 new techniques1) Padding Oracle Crypto Attack2) Evercookie3) Hacking Auto-Complete4) Attacking HTTPS with Cache Injection5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution6) Universal XSS in IE87) HTTP POST DoS8) JavaSnoop9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning10) Java Applet DNS Rebinding 7
  7. 7. Bypassing CSRF with Clickjackingand HTTP Parameter Pollution 5Clickjacking is when an attacker invisibly hovers an object(button, link, etc.) below a users mouse. When the userclicks on something they visually see, theyre insteadreally clicking on something the attacker wanted them to.HTTP Parameter Pollution is where an attacker submitsmultiple input parameters (query string, post data,cookies, etc.) with the same name. Upon receiptapplications may react in unexpected ways and open upavenues of server-side and client-side exploitation. Bycleverly leveraging these two former Top Ten attacks,CSRF attacks can be carried out against a user evenwhen recommended token defenses are in use. Lavakumar Kuppan (@lavakumark) 8
  8. 8. Clickjacking (Top Ten 2009)Think of any button – image, link, form, etc. – on any website – that can appearbetween the Web browser walls. This includes wire transfer on banks, DSL routerbuttons, Digg buttons, CPC advertising banners, Netflix queue.Next consider that an attacker can invisibly hover these buttons below the usersmouse, so that when a user clicks on something they visually see, theyre actuallyclicking on something the attacker wants them to.What could the bad guy do with that ability? 9
  9. 9. Hover Invisible IFRAMEs HTML, CSS, and JavaScript may size, follow the mouse and make transparent third- party IFRAME content.<iframe src="http://victim/page.html" scrolling="no" frameborder="0" style="opacity:.1;filter: alpha(opacity=.1); -moz-opacity 1.0;">!</iframe> 10
  10. 10. HTTP Parameter Pollution (HPP) - Top Ten 2009If an attacker submit multiple input parameters (query string, post data, cookies,etc.) of the same name, the application may react in unexpected ways and openup new avenues of server-side and client-side exploitation. GET /foo?par1=val1&par1=val2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */* POST /foo HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */* par1=val1&par1=val2 POST /index.aspx?par1=val1&par1=val2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Cookie: par1=val3; par1=val4 Content-Length: 19 par1=val5&par1=val6 11
  11. 11. Bizarre behavior 12
  12. 12. 13
  13. 13. 14
  14. 14. 15
  15. 15. Simple parameter injection void private executeBackendRequest(HTTPRequest request) { String amount=request.getParameter("amount"); String beneficiary=request.getParameter("recipient"); HttpRequest("","POST", "action=transfer&amount="+amount+"&recipient="+beneficiary); } Malicious URL: Translates to: action=transfer&amount=1000&recipient=Jeremiah&action=withdrawIt is possible the attack could work if proper authorization controls are not in place andthe application uses the last occurrence of the action parameter (IBM Lotus Domino,PHP / Apache, etc.) 16
  16. 16. Example Scenariohttp://example/updateEmail.jspClient-Side<form method="POST"><input type="text" name="email" value=””></input><input type="hidden" name=”csrf-token” value="a0a0a0a0a0a"/></form>Server-Sideif (req.parameter("email").isSet() && req.parameter("csrf-token").isValid()) { // process the form and update the email ID} else { // display an empty form to the user (CSRF token included)} 17
  17. 17. Bringing it all together <iframe src=”http://example/updateEmail.jsp?”> HTTP request via user submitted form via Clickjacking. The form was not filled out by the victim, meaning the email parameter in the POST body is blank. Now the QueryString contains the attacker entered value for the ‘email’ parameter. POST /updateEmail.jsp? HTTP/1.1 Host: email=&csrf-token=a0a0a0a0a0 When the server side JSP code calls req.parameter("email"), the value that is returned is the one in the QueryString (HPP first occurrence) and not the POST body. Since this value can be controlled by the attacker, he can trick the victim in to updating his account with the attacker’s mail ID. 18
  18. 18. Attacking HTTPS with Cache Injection 4No matter what type of encryption is used to defend anetwork, sooner or later the password, key, or certificateneeds to be stored. If an attacker is able to tamper withthe storage mechanism, even the strongest encryptionmechanism can fail. The researchers demonstrated howto attack storage mechanisms by tampering with SSLsession and break into Wifi networks using WPA. Theyalso showed how to exploit SSL warning inconsistenciesand caching mechanisms to trick the user into accepting abad certs and steal their username & password.Elie Bursztein (@ELIE), Baptiste Gourdin(@bapt1ste), Dan Boneh 19
  19. 19. RFC1918 Caching Security - (Top Ten 2009)Public Wifi HTTP Internet Airpwn Victims coffee shops, airplanes, corp guest networks Bad Guy • Victim(s) located on a RFC 1918 network with a Bad Guy • Bad Guy may take the opportunity to read victim’s Web mail, steal creds, etc. • Bad Guy man-in-the-middles HTTP (Airpwn) to inject IFRAMEs to RFC-1918 IPs • MitM IFRAMEs to include JavaScript malware (BeEF). Or ... • Inject JavaScript malware into popular Web widget URLs. (Ad servers, counters, etc.) • Cache content in the browser for a really long time, beyond current session!
  20. 20. Situation• 43% of the Alexa top 100,000 use external javascript libraries• Injecting a malicious javascript library into the browser cache allows the attacker to compromise a website protected by SSL• The malicious library stays in the cache until the user clears it. Moving to a “safe” location doesn’t help 21
  21. 21. Impact• One poisoned injection leads to multiple breaches• Multiples websites share the same external library such as Google Analytics• Injecting a malicious version of one of these shared libraries allows the attacker to target all the websites that use it 22
  22. 22. Browser Defense -- sort of• The only defense against cache injection is the SSL warning displayed by the browser when a bad certificate is supplied• Corner cases that allows an attacker to alter the way SSL certificate warning are displayed• These alterations make caching attack efficient as the user is more likely to click through the tampered warning 23
  23. 23. Video Demo• The following demos show how caching injection attacks works against Internet Explorer 8 and Firefox 3.6• These demos were done in real time against real sites with their real certificates 24
  24. 24. Hacking Auto-Complete 3This research encompasses a set of techniques where amalicious website may surreptitiously obtain their visitorsnames, job title, workplace, physical address, telephonenumber, email addresses, usernames, passwords, searchterms, social security numbers, credit card numbers, andon and on by simulating JavaScript keystroke events inWeb browsers HTML form auto-complete / autofillfunctionality.Jeremiah Grossman (@jeremiahg) 25
  25. 25. I want to know your name, whoyou work for, where you live, youremail address, etc.Right at the moment you a visit a website. Even if you’ve neverbeen there before, let alone entered information. 26
  26. 26. Safari Address Book Autofill (enabled by default) <form> <input type="text" name="name"> <input type="text" name="company"> <input type="text" name="city"> <input type="text" name="state"> <input type="text" name="country"> <input type="text" name="email"> </form> 27
  27. 27. Address Card Autofill works even whenyou’ve NEVER entered personal data onANY WEBSITE. 28
  28. 28. Demovar event = document.createEvent(TextEvent);event.initTextEvent(textInput, 1, 1, null, char);input.value = ""; Step 1) Dynamically createinput.selectionStart = 0; input fields with the pre-setinput.selectionEnd = 0; attribute names.input.focus();input.dispatchEvent(event);! Step 2) Cycle through the! alphabet initiating text eventssetTimeout(function() { until a form value populates. if (input.value.length > 1) { // capture the value; Step 3) Profit! -- Steal data } with JavaScript.}, 500); *transparency is even more fun!* Safari v4 / v5 29
  29. 29. Internet Explorer 8 = SAFE 30
  30. 30. AutoComplete: User-supplied form values are shared acrossdifferent websites by attribute “name”. For example, emailaddresses entered into a field on website A populates the autofill forthe same field name on website B, C, D, etc. <input type="text" name="email"> 31
  31. 31. DEMO - Down, Down, Enter// hit down arrow an incrementing number of times.// separate with time to allow the GUI to keep pacefor (var i = 1; i <= downs; i++) { time += 30; // time padding keyStroke(this, 40, time); // down button}! !time += 15; // time paddingkeyStroke(this, 13, time); // enter button// initiate keystroke on a given objectfunction keyStroke(obj, code, t) { //create new event and fire var e = document.createEventObject(); e.keyCode = code; setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);} // end keyStroke Security Basis, and an Internet Explorer data stealer Andrea Giammarchi, Ajaxian Staff 32
  32. 32. Search termsCredit card numbers and CCVsAliasesContact informationAnswers to secret questionsUsernamesEmail addresses... 33
  33. 33. AutoComplete is NOT enabled by default, but InternetExplorer asks if the user if they would like to enablethe feature after filling out a non-password form. 34
  34. 34. Have the email address, but need the password 35
  35. 35. Saving Passwords Many Web Browsers have “password managers,” which provide a convenient way to save passwords on a “per website” basis. <form method="post" action="/"> E-Mail: <input type="text" name="email"><br /> Password: <input type="password" name="pass"><br /> <input type="submit" value="Login"> </form> 36
  36. 36. If a website with a saved password is vulnerable to XSS, thepayload can dynamically create login forms, which executes thebrowser’s password auto-complete feature. Since the payload ison the same domain the username / password can be stolen.function stealCreds() { var string = "E-Mail: " + document.getElementById("u").value; string += "nPassword: " + document.getElementById("p").value; return string;}document.write(<form method="post" action="/">E-Mail: <inputid="u" type="text" name="email" value=""><br>Password: <inputid="p" type="password" name="password" value=""></form>);setTimeout(alert(stealCreds()), 2000); * * DEMO 37
  37. 37. What to do...Disable Auto-Complete in the Web browserRemove persistent data(History, Form Data, Cookies, LocalStorage, etc.)NoScript (Firefox Extension), 1Password, etc.<form autocomplete="off"><input type="text" autocomplete="off" /> 38
  38. 38. Evercookie 2Evercookie is a javascript API available that producesextremely persistent cookies in a browser. Its goal is toidentify a client even after theyve removed standardcookies, Flash cookies (Local Shared Objects or LSOs),and others. Evercookie accomplishes this by storing thecookie data in several types of storage mechanisms thatare available on the local browser. Additionally, if evercookiehas found the user has removed any of the types of cookiesin question, it recreates them using each mechanismavailable.Samy Kamkar (@samykamkar) 39
  39. 39. 40
  40. 40. Evercookies1) Standard HTTP Cookies 6) Internet Explorer userData storage2) Flash Cookies (LSOs) 7) Storing cookies in Web cache3) Silverlight Isolated Storage 8) Storing cookies in HTTP ETags4) Storing cookies in RGB values of auto- 9) HTML5 Session Storage generated, force-cached PNGs using HTML5 Canvas tag to read pixels 10) HTML5 Local Storage (cookies) back out 11) HTML5 Global Storage5) Storing cookies in Web History 12) HTML5 Database Storage via SQLite6) caching 41
  41. 41. The API• Persistent cookies via Javascript API• Recreates after deletion• Combines different storage mechanisms• Easy to use!var ec = new evercookie();ec.set(“uniqueid”, “31337”); // set uniqueid = 31337// get our evercookie data backec.get(“uniqueid”, function(val) { alert (“ID is “ + val) } ); 42
  42. 42. PNGs CacheCookie stored in RGB values of auto-generated, force-cached PNGsusing HTML5 Canvas Tag to read pixels back outPixel 0x0 = 0x4f5741 OWAPixel 0x1 = 0x535000 SP0 43
  43. 43. Killing Evercookies (Video) 1) Open a new tab, then close all other windows and tabs. 2) Delete Silverlight Isolated Storage • Go to • Right click the Silverlight application (any app will do) • Silverlight Preferences > Application Storage > Delete all... • Click "Yes" • * Optionally disable "Enable application storage" 3) Delete Flash Local Shared Objects (LSO) • Go got the Flash "Website Storage Settings panel" • Click "Delete all sites" • Click "Confirm" 4) Clear Browsing Data • - Wrench > Tools > Clear Browsing Data... • - Select all options • - Clear data from this period: Everything • - Click "Clear Browsing data" 44
  44. 44. Other Protections• Nevercookie - The evercookie killerFirefox plugin to extend Firefox’s Private Browsing• Use a virtual machine. (On your neighbor’s WiFi Network) 45
  45. 45. Other Worries...• System/browser timing• GPU timing via plugins/accelerators (w/Flash)• MAC address accessible via Java or ActiveX! 46
  46. 46. Padding Oracle Crypto Attack 1In 2002 a powerful side-channel attack, ‘paddingoracle’ (NOT THE DATABASE!), was described targetingAES CBC-mode encryption with PKCS#5 padding. Ifthere is an oracle which on receipt of a ciphertext,decrypts it and replies whether the padding is correct,shows how to use that oracle to decrypt data withoutknowing the encryption key. The new techniques allowattackers to use a ‘padding oracle’ to decrypt and encryptmessages of any length without knowing the secret keyand exploit popular web development frameworksincluding ASP.NET.Juliano Rizzo (@julianor)Thai Duong (@thaidn) 47
  47. 47. Brian Holyfield 48
  48. 48. Padding Oracle Attack BasicsAn application uses a query string parameter to pass an encrypted username,company id, and role id of a user. The parameter is encrypted using CBC mode,and each value uses a unique initialization vector (IV) pre-pended to the ciphertext.When the application is sent an encrypted value, it responds in one of three ways:1)Valid ciphertext, properly padded and valid data (200 OK)2)Invalid ciphertext, improper padding (500 Internal Server Error)3)Valid ciphertext, properly padded and invalid data (200 OK - custom error)User’s name (BRIAN), company id (12), and role id (2). The value, in plaintext, canbe represented as BRIAN;12;2;http://site/app.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 49
  49. 49. 50
  50. 50. EncryptionDecryption 51
  51. 51. First block of ciphertext pre-pended with an IV of all NULL values.Request: http://site/app.jsp?UID=0000000000000000F851D6CC68FC9537Response: 500 - Internal Server Error 52
  52. 52. Last byte of the initialization vector incremented by one.Request: http://app/home.jsp?UID=0000000000000001F851D6CC68FC9537Response: 500 - Internal Server Error 53
  53. 53. Incrementing the last byte in the IV up to FF will produce a valid padding sequence for asingle byte of padding (0×01). Only one value will produce the correct padding byte andhave different response than the other 255.Request: http://site/app?UID=000000000000003CF851D6CC68FC9537Response: 200 OK If [Intermediary Byte] ^ 0x3C == 0×01, then [Intermediary Byte] == 0x3C ^ 0×01, so [Intermediary Byte] == 0x3D 54
  54. 54. To crack the 7th byte, the 7th and 8th byte must equal 0×02 for valid padding. Since wealready know that the last intermediary value byte is 0x3D, we can update the 8th IV byteto 0x3F (which will produce 0×02) and then focus on brute forcing the 7th byte (startingwith 0×00 and working our way up through 0xFF). 55
  55. 55. Work backwards through the entire block until every byte of the intermediary value iscracked and uncovering the decrypted value one byte at a time. The final byte is crackedusing an IV that produces an entire block of just padding (0×08). "The first stage of the attack takes a few thousand requests, but once it succeeds and the attacker gets the secret keys, its totally stealthy.The cryptographic knowledge required is very basic." - Julian Rizzo 56
  56. 56. <VIDEO>"It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security," -Thai Duong 57
  57. 57. Impact & PreventionVulnerable FrameworksASP.Net, CAPTCHAs, JavaServer Faces, OWASP ESAPI,Ruby On Rails, etc.Prevention•Encrypt-then-MAC (sign) and validate-then-decrypt•Patch! 58
  58. 58. What have we learned?• Encryption attacks took the top spot for the 2nd year in a row.• Web Browser privacy? Web browser security? Not so much.• “Top Ten” attacks from previous years are being improved.• Several attack techniques from previous years are now actively being used maliciously in the wild. 59
  59. 59. Thank You...• Sponsors: OWASP, Black Hat, WhiteHat Security• Panel of Experts: Ed Skoudis, Giorgio Maone, Caleb Sima, Chris Wysopal, Jeff Willams, Charlie Miller, Dan Kaminsky, Steven Christey (Mitre), and Arian Evans• All the security researchers for their contributions• Everyone in the Web Application Security community who assisted Blog: Twitter: Email: 60
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.