Secure Programming And Common Errors Part II


1. Secure Programming and Common Errors, Part II
   Brought to you by Michele "AntiSnatchOr" Orrù and Integrating Web LTD
   Computer System Security course led by Prof. Ozalp Babaoglu
   9 December 2009

2. Who am I?
   http://www.integratingweb.com
   http://antisnatchor.com
   - Director and CSO of Integrating Web LTD
   - Bachelor Degree in Internet Sciences
   - Independent Security Researcher
   - Owner of the http://antisnatchor.com security advisory blog
   - JEE developer

3. Seminar outline (part II)
   - Discuss other important attack vectors, not limited to Web Applications
   - Practical screen-casts that show how attackers exploit common flaws
   - Understand the impact of these threats on your privacy, data and identity

4. What we will discuss
   - CWE-22: Path Traversal + screen-cast
   - CWE-89: Failure to Preserve SQL Query Structure (SQL injection) + screen-cast
   - CWE-79: Failure to Preserve Web Page Structure (XSS) + 2 screen-casts
   - Appendix: do you think HTTPS is secure? Not completely true...

5. CWE-22: Path Traversal
   - Many applications read from or write to the file system, parsing user-supplied parameters that specify the file or the operation
   - If these user-supplied parameters are not validated (and the application is not chrooted/jailed), an attacker can manipulate them to read or write sensitive information and files on the OS

6. CWE-22: Example: www.essedi.it (credits: antisnatchor)
   - Path traversal vulnerability on the ONERROR parameter
   - The HTML file requested as the value of ONERROR can be manipulated to retrieve non-IIS-owned files

7. CWE-22: Screen-cast: www.essedi.it

8. CWE-22: Links
   - Good books:
     - http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
     - http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
   - SANS/MITRE: http://cwe.mitre.org/data/definitions/22.html
   - OWASP: http://www.owasp.org/index.php/Path_Traversal
   - Good hacker: http://kuza55.blogspot.com/2008/07/cookie-path-traversal.html
   - PHP security guru: http://www.suspekt.org/2008/12/05/php-527-and-ziparchiveextractto/

9. CWE-89: SQL Injection
   - If attackers can influence the SQL that you use to communicate with your database, they can do nasty things for fun and profit
   - Thanks to Bernardo for sqlmap: http://sqlmap.sourceforge.net
     - Open source, written in Python
     - Full database manipulation with MySQL, Oracle, PostgreSQL and Microsoft SQL Server
     - Metasploit plugin to exploit MS09-004 (Microsoft SQL Server 2000/2005 heap-based buffer overflow)

10. CWE-89: Example: www.dm.unibo.it (credits: antisnatchor)
   - Confirmed unescaped numeric injection on the GET parameter "anno" (patched many months ago)
   - We were able to obtain details about the application stack: Apache 2.2.3, PHP 5.2.0, MySQL >= 5.0
   - For demonstration we retrieved the exact name of the database to which the web app is bound: dipartimento

11. CWE-89: Screen-cast: www.dm.unibo.it

12. CWE-89: Links
   - Good books:
     - http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
     - http://www.amazon.com/Database-Hackers-Handbook-Defending-Servers/dp/0764578014/ref=sr_1_2?ie=UTF8&s=books&qid=1260281547&sr=8-2
     - http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3
   - sqlmap author: http://www.slideshare.net/inquis/sql-injection-not-only-and-11

13. CWE-79: The Plague of Cross Site Scripting
   - When a page with our malicious code is accessed by other users, their browsers will execute our scripts in their context
   - Really difficult to create a powerful anti-XSS filter:
     - Multiple data encoding handling
     - Data truncation handling
     - New vectors (CSS, JSON, XUL)

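An added example, not code from the original slides: a constructed blacklist filter of the kind the slide says is hard to get right, one payload for each of the first two weaknesses listed (encoding handling and a vector without a `<script>` tag) plus a nested-tag trick, and contextual output encoding as the fix. The function names, the payloads and the "decode once more after filtering" stage are assumptions made for the demonstration.

```python
# Added example, not code from the original slides: a blacklist anti-XSS
# filter that strips "<script", three constructed payloads that get past
# it, and output encoding as the fix. Function names and the second
# decoding stage are assumptions.
import html
import re
from urllib.parse import unquote

SCRIPT_OPEN = re.compile(r"<script", re.IGNORECASE)


def naive_filter(value: str) -> str:
    """Vulnerable: removes '<script' once and trusts whatever is left."""
    return SCRIPT_OPEN.sub("", value)


def render_unsafe(raw_param: str) -> str:
    """Filter first, then a later layer URL-decodes the value again (the
    'multiple data encoding' problem), then echo it into the page."""
    return "<p>Hello %s</p>" % unquote(naive_filter(raw_param))


def render_safe(raw_param: str) -> str:
    """Hardened: decode to canonical form first, then encode for the HTML
    text context at the point of output. No blacklist is involved."""
    return "<p>Hello %s</p>" % html.escape(unquote(raw_param), quote=True)


def contains_active_content(page: str) -> bool:
    """Crude oracle used to check the output: an unescaped tag that is a
    script element or that carries an on* event-handler attribute."""
    return re.search(r"<(script\b|\w+[^>]*\son\w+\s*=)", page, re.I) is not None


# Constructed payloads, one per weakness of the filter
NESTED = "<scr<scriptipt>alert(1)</script>"      # single-pass removal reassembles the tag
EVENT_HANDLER = "<img src=x onerror=alert(1)>"   # a vector with no <script> at all
ENCODED = "%3Cscript%3Ealert(1)%3C/script%3E"    # untouched by the filter, decoded later
```

`html.escape` is right for the HTML text and attribute contexts shown here; data that ends up inside a script block, a CSS property or a URL (the CSS and JSON vectors the slide mentions) needs the encoder for that context, which is why "filter on input" keeps losing and "encode on output, per context" wins.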
14. CWE-79: Example 1: KonaKart (credits: antisnatchor)
   - KonaKart is a free Java-based web application to manage e-commerce websites (www.konakart.com)
   - Stored XSS has been found and verified in the backend
   - More info here: http://antisnatchor.com/2008/12/22/konakart-2260-responsible-disclosure/
   - Let's see how we can exploit it

15. CWE-79: Screen-cast: KonaKart

16. CWE-79: Example 2: WMSmonitor (credits: antisnatchor)
   - Internal penetration test at INFN (National Institute of Nuclear Physics)
   - Monitor for the Workload Management System, which distributes job execution between multiple Computing Elements on a Grid infrastructure
   - Some serious flaws have been identified:
     - Insecure handling of X.509 client certificates
     - Reflected XSS
     - TRACE method enabled
   - Let's see how we can take full control of the victim's browser

17. CWE-79: Screen-cast: WMSmonitor

18. CWE-79: Links
   - Wade Alcorn's works:
     - BeEF: http://www.bindshell.net/tools/beef/
     - Inter-Protocol Exploitation: http://www.bindshell.net/papers/ipe
     - The Advanced Cross-Site Scripting Virus: http://www.bindshell.net/papers/axssv
   - RSnake's works:
     - XSS cheat sheet: http://ha.ckers.org/xss.html
     - XSS worm contest: http://ha.ckers.org/blog/20080106/diminutive-xss-worm-contest-drama-and-status-update/
   - AntiSnatchOr's research:
     - Advisories on SecurityFocus: http://antisnatchor.com/2009/10/14/finally-on-bugtraq/

19. CWE-79: Links
   - Good books:
     - http://www.amazon.co.uk/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1260264977&sr=8-1
     - http://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/1597491543/ref=sr_1_4?ie=UTF8&s=books&qid=1260281547&sr=8-4
     - http://www.amazon.com/Web-Security-Testing-Cookbook-Systematic/dp/0596514832/ref=sr_1_3?ie=UTF8&s=books&qid=1260281547&sr=8-3

20. Appendix: do you think HTTPS is secure?
   - SSL/TLS are cryptographically secure (RSA/DSA/symmetric encryption)
   - But they have well-known limitations and security flaws
   - They all suffer from MITM attacks and network protocol manipulation
   - Some aspects, such as OCSP, and some implementations (OpenSSL, Mozilla NSS) are flawed

21. Appendix: HTTPS insecurity
   - Latest research by Moxie Marlinspike (http://www.thoughtcrime.org)
   - sslstrip: transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links
   - We can use the same setup as the old certificate injection method: ARP spoofing + traffic redirection + sniffing
   - Eventually altering BGP routing tables on routers, for remote sniffing

22. Appendix: HTTPS insecurity
   - Old exploit method (still useful): MITM and fake certificate injection
     - ARP spoofing
     - IP forwarding
     - Sniffing
     - webmitm
   - Cons: the victim will see that the certificate is not valid (by the way, almost none of you pay attention to Firefox's alerts about certificate problems)
   - Press OK... that's FINE

23. Appendix: HTTPS insecurity: Screen-cast: fake certificate injection

24. Appendix: Links
   - Vimeo screencasts:
     - http://www.vimeo.com/6149119
     - http://www.thoughtcrime.org/software/sslstrip/video/sslstrip.mov
   - Papers:
     - OCSP: http://www.thoughtcrime.org/papers/ocsp-attack.pdf
     - Null-byte: http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf
     - Fake-cert: http://antisnatchor.com/works/sniffing-ssl-tls-connections-through-fake-certificate-injection/

25. Thanks for your attention! Questions?
